CVE-2024-20494

Name of the Vulnerable Software and Affected Versions: Cisco Adaptive Security Appliance (ASA) Software (affected versions not specified) Cisco Firepower Threat Defense (FTD) Software (affected versions not specified)

Description: A vulnerability in the TLS cryptography functionality could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This issue is due to improper data validation during the TLS 1.3 handshake. An attacker could exploit this by sending a crafted TLS 1.3 packet to an affected system through a TLS 1.3-enabled listening socket, such as "/api/v1/login" or "/users/{id}", using vulnerable parameters like username or password. The vulnerability can also impact the integrity of a device by causing VPN HostScan communication failures or file transfer failures when Cisco ASA Software is upgraded using Cisco Adaptive Security Device Manager (ASDM).

Recommendations: For Cisco Adaptive Security Appliance (ASA) Software, consider disabling the TLS 1.3 handshake functionality until a patch is available. For Cisco Firepower Threat Defense (FTD) Software, restrict access to the TLS 1.3-enabled listening socket to minimize the risk of exploitation. As a temporary workaround, consider disabling the checkPassword() function or similar vulnerable functions until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.