
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Denial of Service Vulnerability [CVE-2022-20745]

CVE number – CVE-2022-20745

A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

This vulnerability is due to improper input validation when parsing HTTPS requests. An attacker could exploit this vulnerability by sending a crafted HTTPS request to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

Determine the ASA Software Configuration

To determine whether the software has a vulnerable feature configured, use the show running-config CLI command. In the following table, the left column lists the Cisco ASA Software features that are vulnerable. The right column indicates the basic configuration for each feature from the show running-config CLI command. If a device is running a vulnerable release and has one of these features configured, it is vulnerable.

| Cisco ASA Feature | Vulnerable Configuration |
| --- | --- |
| AnyConnect Internet Key Exchange Version 2 Remote Access (with client services) | crypto ikev2 enable client-services port |
| AnyConnect SSL VPN | webvpn / enable |
| Clientless SSL VPN | webvpn / enable |

Determine the FTD Software Configuration

To determine whether the software has a vulnerable feature configured, use the show running-config CLI command. In the following table, the left column lists the Cisco FTD Software features that are vulnerable. The right column indicates the basic configuration for each feature from the show running-config CLI command. If a device is running a vulnerable release and has one of these features configured, it is vulnerable.

| Cisco FTD Feature | Vulnerable Configuration |
| --- | --- |
| AnyConnect Internet Key Exchange Version 2 Remote Access (with client services) [1,2] | crypto ikev2 enable client-services port |
| AnyConnect SSL VPN [1,2] | webvpn / enable |

1. Remote Access VPN features were introduced in Cisco FTD Software Release 6.2.2.

2. Remote Access VPN features are enabled by using Devices > VPN > Remote Access in Cisco Firepower Management Center (FMC) or by using Device > Remote Access VPN in Cisco Firepower Device Manager (FDM).
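The two configuration checks above (for ASA and for FTD) are the same text match against `show running-config` output, so here is an added example, not part of the Cisco advisory, that performs that match over a constructed running-config sample: it flags the `crypto ikev2 enable ... client-services` line and an `enable` line nested under `webvpn`. The sample configs and the function name are assumptions for illustration.

```python
import re
from typing import List

# Constructed sample of `show running-config` output (not from a real device):
# has both vulnerable features from the advisory's tables configured.
SAMPLE_CONFIG_EXPOSED = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
"""

# Constructed sample where IKEv2 lacks client-services and webvpn is never enabled.
SAMPLE_CONFIG_CLEAN = """\
hostname asa-lab
crypto ikev2 enable outside
webvpn
 anyconnect image disk0:/anyconnect.pkg
"""

def find_vulnerable_features(running_config: str) -> List[str]:
    """Return the remote access VPN features from the advisory's tables that
    appear in the given running-config text (hypothetical helper)."""
    found = []
    lines = running_config.splitlines()
    # IKEv2 remote access with client services: one top-level line.
    ikev2 = re.compile(r"^crypto ikev2 enable\b.*\bclient-services\b")
    if any(ikev2.match(line) for line in lines):
        found.append("AnyConnect IKEv2 Remote Access (with client services)")
    # AnyConnect SSL VPN and Clientless SSL VPN share the same trigger:
    # an "enable <interface>" line nested under the "webvpn" section.
    in_webvpn = False
    webvpn_enabled = False
    for line in lines:
        if line.rstrip() == "webvpn":
            in_webvpn = True
            continue
        if in_webvpn and not line.startswith(" "):
            in_webvpn = False  # left the indented webvpn block
        if in_webvpn and re.match(r"^\s+enable\b", line):
            webvpn_enabled = True
    if webvpn_enabled:
        found.append("SSL VPN (AnyConnect or Clientless) via webvpn enable")
    return found
```

A device that reports a vulnerable feature here still needs its software release checked against the advisory before it is treated as affected.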

This vulnerability affects Cisco products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software with a vulnerable remote access VPN configuration.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-tzPSYern

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
