CVE-2024-20402 - Vulnerability Details

A vulnerability in the SSL VPN feature for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to a logic error in memory management when the device is handling SSL VPN connections. An attacker could exploit this vulnerability by sending crafted SSL/TLS packets to the SSL VPN server of the affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Cisco	Adaptive Security Appliance Firepower Threat Defense Software

No data.

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-dos-hOnB9pH4

History

Thu, 24 Oct 2024 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco Cisco adaptive Security Appliance Cisco firepower Threat Defense Software
CPEs		cpe:2.3:a:cisco:firepower_threat_defense_software:::::::: cpe:2.3:h:cisco:adaptive_security_appliance::::::::
Vendors & Products		Cisco Cisco adaptive Security Appliance Cisco firepower Threat Defense Software
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 23 Oct 2024 17:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the SSL VPN feature for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to a logic error in memory management when the device is handling SSL VPN connections. An attacker could exploit this vulnerability by sending crafted SSL/TLS packets to the SSL VPN server of the affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
Weaknesses		CWE-788
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-dos-hOnB9pH4
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2024-10-23T17:35:43.314Z

Updated: 2024-10-24T16:16:53.323Z

Reserved: 2023-11-08T15:08:07.660Z

Link: CVE-2024-20402

Vulnrichment

Updated: 2024-10-24T16:16:44.834Z

NVD

Status : Awaiting Analysis

Published: 2024-10-23T18:15:07.930

Modified: 2024-10-25T12:56:36.827

Link: CVE-2024-20402

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object