Cisco Adaptive Security Virtual Appliance (ASAv) and Cisco Secure Firewall Threat Defense Virtual (FTDv) - Memory Allocation with Excessive Size Value (CVE-2024-20260)

A vulnerability in the VPN and management web servers of the Cisco Adaptive Security Virtual Appliance (ASAv) and Cisco Secure Firewall Threat Defense Virtual (FTDv), formerly Cisco Firepower Threat Defense Virtual, platforms could allow an unauthenticated, remote attacker to cause the virtual devices to run out of system memory, which could cause SSL VPN connection processing to slow down and eventually cease all together.

This vulnerability is due to a lack of proper memory management for new incoming SSL/TLS connections on the virtual platforms. An attacker could exploit this vulnerability by sending a large number of new incoming SSL/TLS connections to the targeted virtual platform.

A successful exploit could allow the attacker to deplete system memory, resulting in a denial of service (DoS) condition. The memory could be reclaimed slowly if the attack traffic is stopped, but a manual reload may be required to restore operations quickly.

Affected Products:

This vulnerability affects Cisco ASAv and FTDv if they have a feature configured that causes the device to process SSL/TLS messages. These features include, but are not limited to, the following:

• SSL VPN

• HTTP server used for the management interface

Note: Only the virtual Cisco ASA and FTD platforms are affected by this vulnerability.

Affected Versions:

• Cisco does not always explicitly list affected and fixed release versions publicly to customers as is normal for most other vendors. Where this is the case, to help customers determine their exposure to vulnerabilities in Cisco products, Cisco provides the Cisco Software Checker, available at https://sec.cloudapps.cisco.com/security/center/softwarechecker.x

Official Updates and Remediation Guidance:

Cisco has released free software updates that address the vulnerability described in this advisory. Customers are always advised to update to the latest version.

Temporary Mitigation & Workarounds:

There are no workarounds that address this vulnerability.

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftdvirtual-dos-MuenGnYR