PT-2020-2163 · Cisco · Cisco Ftd+1

Published 2020-05-06 · Updated 2023-08-16 · CVE-2020-3191

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Cisco Adaptive Security Appliance (ASA) Software (affected versions not specified)
Cisco Firepower Threat Defense (FTD) Software (affected versions not specified)

Description

The issue is related to improper length validation of a field in an IPv6 DNS packet, which could allow an unauthenticated, remote attacker to cause the device to unexpectedly reload, resulting in a denial of service (DoS) condition. This can be achieved by sending a crafted DNS query over IPv6. The vulnerability is specific to DNS over IPv6 traffic only.

Recommendations

For Cisco Adaptive Security Appliance (ASA) Software, consider disabling DNS over IPv6 packet processing until a patch is available. For Cisco Firepower Threat Defense (FTD) Software, restrict access to DNS over IPv6 traffic to minimize the risk of exploitation. As a temporary workaround, consider configuring the device to limit the impact of a denial of service (DoS) condition. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

DoS

RCE

Weakness Enumeration

Related Identifiers

BDU:2020-02067
CVE-2020-3191

Affected Products

Cisco Asa
Cisco Ftd