Cisco Patches High-Risk Flaw in ASA, FTD Software

Cisco on Thursday released patches for a high severity vulnerability in the Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, warning that exploitation could lead to crippling denial-of-service attacks.

In an advisory that carries a ‘high-severity’ rating, Cisco said the software cryptography module of both ASA and FTD software is affected by a vulnerability exploitable by either a remote authenticated attacker or an unauthenticated attacker in a man-in-the-middle position.

By causing an unexpected reload of a vulnerable device, the attacker could cause a denial-of-service (DoS) condition.

The issue resides in a logic error in the manner in which specific decryption errors are handled in the software cryptography module. By sending malicious packets over an established IPsec connection, an attacker could cause device crashes, forcing it to reload.

“Successful exploitation of this vulnerability would not cause a compromise of any encrypted data,” according to the Cisco advisory.

The issue was identified in Cisco ASA software release 9.16.1 and FTD software release 7.0.0 and affects Firepower 2100 Series, Firepower NGFW Virtual, and Adaptive Security Virtual Appliance (ASAv) that are running a vulnerable software version, if specific configuration parameters exist on the device.

According to Cisco, there are no workarounds available to mitigate the vulnerability, but patches are already available to fix it. Cisco said it was not aware of the vulnerability being exploited in attacks.

Cisco’s ASA software is the core operating system for the Cisco ASA family. The Cisco Firepower FTD combines ASA and Cisco Firepower capabilities in a hardware and software inclusive system.

Related: Cisco Patches High Severity Vulnerabilities in BPA, WSA

Related: XSS Vulnerability in Cisco Security Products Exploited in the Wild

Related: Cisco Smart Install Protocol Still Abused in Attacks, 5 Years After First Warning