Santosh Krishnamurthy

**Name of the Vulnerable Software and Affected Versions** Cisco IOS XE versions (affected versions not specified) Cisco Firepower Threat Defense (FTD) versions (affected versions not specified) Cisco IOS XE SD-WAN versions (affected versions not specified) **Description** The issue is related to improper memory resource management in the Snort detection engine when processing ICMP traffic. This could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device by sending a series of ICMP packets. A successful exploit could allow the attacker to exhaust resources on the affected device, causing it to reload. **Recommendations** For Cisco IOS XE, update to a version that includes the fix for the improper memory resource management issue. For Cisco Firepower Threat Defense (FTD), consider disabling the Snort detection engine until a patch is available. For Cisco IOS XE SD-WAN, restrict access to the affected device to minimize the risk of exploitation until a fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Adaptive Security Appliance (ASA) Software (affected versions not specified) Cisco Firepower Threat Defense (FTD) Software (affected versions not specified) **Description** The issue is related to the Internet Key Exchange Version 2 (IKEv2) implementation, which is affected by improper control of a resource, potentially allowing an authenticated, remote attacker to trigger a denial of service (DoS) condition on an affected device. An attacker with the ability to spoof a trusted IKEv2 site-to-site VPN peer and in possession of valid IKEv2 credentials for that peer could exploit this by sending malformed, authenticated IKEv2 messages to an affected device. A successful exploit could allow the attacker to trigger a reload of the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Firepower Threat Defense (FTD) versions (affected versions not specified) Cisco Catalyst versions (affected versions not specified) Cisco ISR versions (affected versions not specified) Cisco ISA versions (affected versions not specified) Cisco ISRv versions (affected versions not specified) **Description** The issue is related to a vulnerability in the Snort detection engine of multiple Cisco products. This vulnerability could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP due to incorrect handling of specific HTTP header parameters, such as `HTTP header parameters`. An attacker could exploit this by sending crafted HTTP packets through an affected device, potentially allowing them to bypass a configured file policy for HTTP packets and deliver a malicious payload. **Recommendations** For Cisco Firepower Threat Defense (FTD), update the Snort detection engine to a version that includes the fix for this issue. For Cisco Catalyst, apply the recommended security configuration changes to mitigate the risk of exploitation. For Cisco ISR, restrict access to the affected HTTP endpoints until a patch is available. For Cisco ISA, consider disabling the Snort detection engine temporarily as a workaround until a fix is applied. For Cisco ISRv, avoid using vulnerable HTTP header parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Firepower Threat Defense (FTD) versions (affected versions not specified) Cisco Catalyst versions (affected versions not specified) Cisco ISR versions (affected versions not specified) Cisco ISA versions (affected versions not specified) Cisco ISRv versions (affected versions not specified) **Description** The vulnerability is related to the Snort detection engine and is due to incorrect handling of specific HTTP header parameters. This could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP and deliver a malicious payload. An attacker could exploit this vulnerability by sending crafted HTTP packets through an affected device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Adaptive Security Appliance versions prior to the fixed version Cisco Firepower Threat Defense versions prior to the fixed version **Description** The issue is related to an uncontrolled resource consumption in the software of Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense. It could allow a remote attacker to cause a denial of service condition by sending specially crafted fragmented IP traffic to the targeted device. This is due to improper error handling during IP fragment reassembly, which could lead to a memory leak, preventing traffic from being processed and resulting in a denial of service condition. The device may require a manual reboot to recover. The vulnerability affects both IP Version 4 and IP Version 6 traffic. **Recommendations** For Cisco Adaptive Security Appliance versions prior to the fixed version, update to the fixed release to resolve the issue. For Cisco Firepower Threat Defense versions prior to the fixed version, update to the fixed release to resolve the issue. As a temporary workaround, consider restricting access to the device to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Cisco Firepower Threat Defense (FTD) Software (affected versions not specified) **Description** The issue is related to a lack of sufficient memory management protections under heavy SNMP polling loads in the Simple Network Management Protocol (SNMP) input packet processor. An attacker could exploit this by sending a high rate of SNMP requests to the SNMP daemon through the management interface, causing the SNMP daemon process to consume a large amount of system memory over time. This could lead to an unexpected device restart, resulting in a denial of service (DoS) condition. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Adaptive Security Appliance (ASA) Software (affected versions not specified) Cisco Firepower Threat Defense (FTD) Software (affected versions not specified) **Description** A vulnerability in the Open Shortest Path First (OSPF) implementation could allow an unauthenticated, remote attacker to cause the reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to improper memory protection mechanisms while processing certain OSPF packets. An attacker could exploit this vulnerability by sending a series of malformed OSPF packets in a short period of time to an affected device. A successful exploit could allow the attacker to cause a reload of the affected device, resulting in a DoS condition for client traffic that is traversing the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.