Cisco ASA/FTD TLS 1.3 DoS Unauth Remote Reload
CVE-2024-20494 Published on October 23, 2024
A vulnerability in the TLS cryptography functionality of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper data validation during the TLS 1.3 handshake. An attacker could exploit this vulnerability by sending a crafted TLS 1.3 packet to an affected system through a TLS 1.3-enabled listening socket. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. Note: This vulnerability can also impact the integrity of a device by causing VPN HostScan communication failures or file transfer failures when Cisco ASA Software is upgraded using Cisco Adaptive Security Device Manager (ASDM).
Vulnerability Analysis
CVE-2024-20494 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
Improper Validation of Specified Type of Input
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
Products Associated with CVE-2024-20494
stack.watch emails you whenever new vulnerabilities are published in Cisco Adaptive Security Appliance Software or Cisco Firepower Threat Defense. Just hit a watch button to start following.
Affected Versions
Cisco Adaptive Security Appliance (ASA) Software:- Version 9.19.1 is affected.
- Version 9.19.1.5 is affected.
- Version 9.19.1.9 is affected.
- Version 9.19.1.12 is affected.
- Version 9.19.1.18 is affected.
- Version 9.19.1.22 is affected.
- Version 9.19.1.24 is affected.
- Version 9.19.1.27 is affected.
- Version 9.19.1.28 is affected.
- Version 9.19.1.31 is affected.
- Version 9.20.1 is affected.
- Version 9.20.1.5 is affected.
- Version 9.20.2 is affected.
- Version 9.20.2.10 is affected.
- Version 9.20.2.21 is affected.
- Version 9.20.2.22 is affected.
- Version 9.20.3 is affected.
- Version 7.3.0 is affected.
- Version 7.3.1 is affected.
- Version 7.3.1.1 is affected.
- Version 7.3.1.2 is affected.
- Version 7.4.0 is affected.
- Version 7.4.1 is affected.
- Version 7.4.1.1 is affected.
- Version 7.4.2 is affected.
- Version 9.19.1 is affected.
- Version 9.19.1.5 is affected.
- Version 9.19.1.9 is affected.
- Version 9.19.1.12 is affected.
- Version 9.19.1.18 is affected.
- Version 9.19.1.22 is affected.
- Version 9.19.1.24 is affected.
- Version 9.19.1.27 is affected.
- Version 9.19.1.28 is affected.
- Version 9.19.1.31 is affected.
- Version 9.20.1 is affected.
- Version 9.20.1.5 is affected.
- Version 9.20.2 is affected.
- Version 9.20.2.10 is affected.
- Version 9.20.2.21 is affected.
- Version 9.20.2.22 is affected.
- Version 9.20.3 is affected.
- Version 7.3.0 is affected.
- Version 7.3.1 is affected.
- Version 7.3.1.1 is affected.
- Version 7.3.1.2 is affected.
- Version 7.4.0 is affected.
- Version 7.4.1 is affected.
- Version 7.4.1.1 is affected.
- Version 7.4.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.