Cisco ASA SSL/TLS Handler DoS via Improper Error Handling
CVE-2020-27124 Published on November 18, 2024

Cisco Adaptive Security Appliance Software SSL/TLS Denial of Service Vulnerability
A vulnerability in the SSL/TLS handler of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause the affected device to reload unexpectedly, leading to a denial of service (DoS) condition. The vulnerability is due to improper error handling on established SSL/TLS connections. An attacker could exploit this vulnerability by establishing an SSL/TLS connection with the affected device and then sending a malicious SSL/TLS message within that connection. A successful exploit could allow the attacker to cause the device to reload.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

NVD

Vulnerability Analysis

CVE-2020-27124 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

Use of Uninitialized Variable

The code uses a variable that has not been initialized, leading to unpredictable or unintended results. In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read these contents. In other languages or conditions, a variable that is not explicitly initialized can be given a default value that has security implications, depending on the logic of the program. The presence of an uninitialized variable can sometimes indicate a typographic error in the code.


Products Associated with CVE-2020-27124

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-27124 are published in these products:

Cisco Adaptive Security Appliance Software
 
Cisco Adaptive Security Appliance
 

Affected Versions

Cisco Adaptive Security Appliance (ASA) Software: cisco adaptive_security_appliance:

Exploit Probability

EPSS
1.77%
Percentile
82.35%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.