PT-2017-12421 · Cisco · Cisco Firepower System
Published
2017-10-05
·
Updated
2024-11-26
·
CVE-2017-12244
CVSS v3.1
8.6
High
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Cisco Firepower System Software versions 6.0 and later
Description
A vulnerability in the detection engine parsing of IPv6 packets could allow an unauthenticated, remote attacker to cause high CPU utilization or a denial of service (DoS) condition because the Snort process restarts unexpectedly. The issue is due to improper input validation of the fields in the IPv6 extension header packet. An attacker could exploit this by sending a malicious IPv6 packet to the detection engine on the targeted device, potentially causing a DoS condition if the Snort process restarts and traffic inspection is bypassed or traffic is dropped. This vulnerability is specific to IPv6 traffic only.
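The failure mode described above is an extension-header length field that is trusted before it is checked against the bytes actually present. The following C function is an added example written for this page, not Snort or Cisco code; it walks an IPv6 extension-header chain while validating every length against the packet buffer, and the header-count cap and sample packet are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IPV6_HDR_LEN 40
#define MAX_EXT_HDRS 8          /* constructed cap; a real engine picks its own */

enum { NH_HOPOPT = 0, NH_TCP = 6, NH_ROUTING = 43, NH_FRAG = 44, NH_DSTOPT = 60 };

/* Walk the IPv6 extension-header chain, checking every length field against
 * the bytes actually present. Returns the upper-layer Next Header value and
 * sets *payload_off, or returns -1 if any field would run past the packet. */
int ipv6_walk_ext_headers(const uint8_t *pkt, size_t len, size_t *payload_off)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6) return -1;
    size_t plen = ((size_t)pkt[4] << 8) | pkt[5];    /* Payload Length field */
    if (plen > len - IPV6_HDR_LEN) return -1;          /* claims more than we hold */
    size_t off = IPV6_HDR_LEN, end = IPV6_HDR_LEN + plen;
    int nh = pkt[6], count = 0;
    for (;;) {
        size_t hlen;
        switch (nh) {
        case NH_HOPOPT: case NH_ROUTING: case NH_DSTOPT:
            if (end - off < 8) return -1;               /* need Next Header + Hdr Ext Len */
            hlen = ((size_t)pkt[off + 1] + 1) * 8;      /* 8-octet units, first 8 excluded */
            break;
        case NH_FRAG:
            if (end - off < 8) return -1;
            hlen = 8;                                   /* fixed-size fragment header */
            break;
        default:
            if (payload_off) *payload_off = off;
            return nh;                                  /* reached the upper-layer header */
        }
        if (hlen > end - off) return -1;                /* Hdr Ext Len overruns the packet */
        if (++count > MAX_EXT_HDRS) return -1;          /* bound the chain walk */
        nh = pkt[off];
        off += hlen;
    }
}

/* Constructed sample: IPv6 + one Hop-by-Hop header (Hdr Ext Len = ext_len) + 20 bytes of TCP. */
static int demo(uint8_t ext_len, size_t *payload_off)
{
    uint8_t pkt[40 + 8 + 20] = {0};
    pkt[0] = 0x60; pkt[4] = 0; pkt[5] = 28; pkt[6] = NH_HOPOPT;
    pkt[40] = NH_TCP; pkt[41] = ext_len;
    return ipv6_walk_ext_headers(pkt, sizeof pkt, payload_off);
}

static size_t demo_off(uint8_t ext_len) { size_t o = 0; demo(ext_len, &o); return o; }
```

With ext_len 0 the chain resolves to TCP at offset 48; with ext_len 3 the declared 32-byte header exceeds the 28 payload bytes and the walker rejects the packet instead of reading past it.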
Recommendations
For Cisco Firepower System Software versions 6.0 and later, consider disabling IPv6 traffic inspection until a patch is available to prevent exploitation of this vulnerability. Restrict access to the detection engine to minimize the risk of exploitation. Avoid using file action policies that may trigger the vulnerability until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
RCE
Affected Products
Cisco Firepower System