First published: Wed Oct 27 2021
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) implementation of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to trigger a denial of service (DoS) condition on an affected device.

This vulnerability is due to improper control of a resource. An attacker with the ability to spoof a trusted IKEv2 site-to-site VPN peer and in possession of valid IKEv2 credentials for that peer could exploit this vulnerability by sending malformed, authenticated IKEv2 messages to an affected device. A successful exploit could allow the attacker to trigger a reload of the device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ikev2-dos-g4cmrr7C

This advisory is part of the October 2021 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: October 2021 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.
Credit: This vulnerability was found by Santosh Krishnamurthy of Cisco during internal security testing.
Affected Software | Affected Version | How to fix |
---|---|---|
Cisco ASA Software | 9.16 earlier than 9.16.2 | 9.16.2 |
Cisco ASA Software | 9.15 earlier than 9.15.1.17 | 9.15.1.17 |
Cisco ASA Software | 9.13 and 9.14 earlier than 9.14.3.9 | 9.14.3.9 |
Cisco ASA Software | 9.9 through 9.12 earlier than 9.12.4.30 | 9.12.4.30 |
Cisco ASA Software | 9.8 earlier than 9.8.4.40 | 9.8.4.40 |
Cisco FTD Software | 6.5.0, 6.6.0 and 6.7.0 earlier than 6.7.0.3 | 6.7.0.3 (Jan 2022) |
Cisco FTD Software | 6.2.2 and earlier, 6.2.3, 6.3.0 and 6.4.0 earlier than 6.4.0.13 | 6.4.0.13 (Nov 2021) |
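The affected-version table above reads as a set of release trains, each with a first fixed release, and it is easy to misjudge a version by eye (9.10.1, for example, is covered by the 9.12.4.30 fix). The following script is an added example, not part of the advisory or of any Cisco tooling: it transcribes the table's ranges into comparable version tuples and reports, for a constructed device inventory, which devices still sit inside an affected range and which fixed release the table points them to. The product names "ASA"/"FTD", the hostnames and the inventory versions are assumptions made for the example.

```python
"""Check ASA/FTD versions against the affected ranges in the table above
(cisco-sa-asaftd-ikev2-dos-g4cmrr7C). Added example; not Cisco code."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '9.12.4.30' or '6.7.0.3 (Jan 2022)' into a comparable tuple of ints.
    A parenthesised release-date note, as the table uses for FTD, is ignored."""
    core = text.split("(")[0].strip()
    return tuple(int(part) for part in core.split("."))


# Ranges transcribed from the table: (lowest affected release, first fixed
# release, fix label). A version v is affected when lower <= v < fixed.
# Tuple comparison treats a train such as (9, 13) as a prefix, so 9.13.1 >= 9.13.
AFFECTED: Dict[str, List[Tuple[Version, Version, str]]] = {
    "ASA": [
        (parse_version("9.8"), parse_version("9.8.4.40"), "9.8.4.40"),
        (parse_version("9.9"), parse_version("9.12.4.30"), "9.12.4.30"),
        (parse_version("9.13"), parse_version("9.14.3.9"), "9.14.3.9"),
        (parse_version("9.15"), parse_version("9.15.1.17"), "9.15.1.17"),
        (parse_version("9.16"), parse_version("9.16.2"), "9.16.2"),
    ],
    "FTD": [
        # "6.2.2 and earlier", 6.2.3, 6.3.0 and 6.4.0 before 6.4.0.13:
        # the lower bound (0,) captures the "and earlier" wording.
        ((0,), parse_version("6.4.0.13"), "6.4.0.13 (Nov 2021)"),
        (parse_version("6.5.0"), parse_version("6.7.0.3"), "6.7.0.3 (Jan 2022)"),
    ],
}


def fixed_release(product: str, version: str) -> Optional[str]:
    """Return the fixed release the table points this version to, or None
    when the version is not inside any affected range listed on the page
    (already fixed, or a train the table does not mention)."""
    v = parse_version(version)
    for lower, fixed, label in AFFECTED[product]:
        if lower <= v < fixed:
            return label
    return None


def scan_inventory(devices: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map a (hostname, product, version) inventory to (hostname, fix) rows
    for every device still running an affected release."""
    findings = []
    for host, product, version in devices:
        fix = fixed_release(product, version)
        if fix is not None:
            findings.append((host, fix))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("asa-dc1-edge", "ASA", "9.12.4.29"),
    ("asa-dc2-edge", "ASA", "9.14.3.9"),
    ("asa-lab", "ASA", "9.10.1"),
    ("ftd-branch-7", "FTD", "6.6.0"),
    ("ftd-branch-8", "FTD", "6.4.0.13"),
    ("ftd-old", "FTD", "6.1.0"),
]

if __name__ == "__main__":
    for host, fix in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: affected, upgrade to {fix}")
```

A device on exactly the fixed release (9.14.3.9 or 6.4.0.13 above) is reported clean, while a 9.10.1 box maps to 9.12.4.30 because the table folds 9.9 through 9.12 into that one fix. Trains the table does not list (9.17 and later, for instance) come back as None rather than "fixed"; treat those as "not covered by this table" and check the linked Cisco advisory.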
The vulnerability ID for this Cisco ASA and FTD vulnerability is cisco-sa-asaftd-ikev2-dos-g4cmrr7C.
The severity rating of cisco-sa-asaftd-ikev2-dos-g4cmrr7C is medium (5.3).
The affected software for cisco-sa-asaftd-ikev2-dos-g4cmrr7C is Cisco ASA Software versions 9.8.4.40 to 9.16.2 and Cisco FTD Software versions 6.2.2 and earlier and 6.3.0 to 6.7.0.3.
An authenticated, remote attacker who can spoof a trusted IKEv2 site-to-site VPN peer can exploit this vulnerability to trigger a denial of service (DoS) condition on an affected device.
To fix the cisco-sa-asaftd-ikev2-dos-g4cmrr7C vulnerability, upgrade to the recommended software versions: Cisco ASA Software 9.16.2, 9.15.1.17, 9.14.3.9, 9.12.4.30, or 9.8.4.40, and Cisco FTD Software 6.7.0.3 (Jan 2022) or 6.4.0.13 (Nov 2021).