Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability [CVE-2024-20353]

CVE number = CVE-2024-20353

A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.

This vulnerability is due to incomplete error checking when parsing an HTTP header. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted web server on a device. A successful exploit could allow the attacker to cause a DoS condition when the device reloads.

Determine Whether an ASA or FTD Device Is Affected

To determine whether a device that is running Cisco ASA Software or FTD Software is affected, use the show asp table socket | include SSL command and look for an SSL listen socket on any TCP port. If a socket is present in the output, the device should be considered vulnerable. The following example shows the output for a Cisco ASA device with two SSL listen sockets on TCP port 443 and TCP port 8443:

ciscoasa#  show asp table socket | include SSL
SSL       00185038  LISTEN     172.16.0.250:443    0.0.0.0:*
SSL       00188638  LISTEN      10.0.0.250:8443    0.0.0.0:*   

Cisco has released software updates that address this vulnerability.

There are no workarounds that address this vulnerability.

This Cisco advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2