CVE-2024-20494

Summary

A vulnerability in the TLS cryptography functionality of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper data validation during the TLS 1.3 handshake. An attacker could exploit this vulnerability by sending a crafted TLS 1.3 packet to an affected system through a TLS 1.3-enabled listening socket. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. Note: This vulnerability can also impact the integrity of a device by causing VPN HostScan communication failures or file transfer failures when Cisco ASA Software is upgraded using Cisco Adaptive Security Device Manager (ASDM).

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Adaptive Security Appliance (ASA) Software9.19.1affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.19.1.5affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.19.1.9affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.19.1.12affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.19.1.18affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.19.1.22affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.19.1.24affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.19.1.27affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.19.1.28affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.19.1.31affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.20.1affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.20.1.5affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.20.2affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.20.2.10affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.20.2.21affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.20.2.22affected
CiscoCisco Adaptive Security Appliance (ASA) Software9.20.3affected
CiscoCisco Firepower Threat Defense Software7.3.0affected
CiscoCisco Firepower Threat Defense Software7.3.1affected
CiscoCisco Firepower Threat Defense Software7.3.1.1affected
CiscoCisco Firepower Threat Defense Software7.3.1.2affected
CiscoCisco Firepower Threat Defense Software7.4.0affected
CiscoCisco Firepower Threat Defense Software7.4.1affected
CiscoCisco Firepower Threat Defense Software7.4.1.1affected
CiscoCisco Firepower Threat Defense Software7.4.2affected

Weaknesses

  • CWE-1287: Improper Validation of Specified Type of Input

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References