CVE-2022-20795

Published: Apr 21, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

A vulnerability in the implementation of the Datagram TLS (DTLS) protocol in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause high CPU utilization, resulting in a denial of service (DoS) condition. This vulnerability is due to suboptimal processing that occurs when establishing a DTLS tunnel as part of an AnyConnect SSL VPN connection. An attacker could exploit this vulnerability by sending a steady stream of crafted DTLS traffic to an affected device. A successful exploit could allow the attacker to exhaust resources on the affected VPN headend device. This could cause existing DTLS tunnels to stop passing traffic and prevent new DTLS tunnels from establishing, resulting in a DoS condition. Note: When the attack traffic stops, the device recovers gracefully.

Affected (4)

Products: Cisco: Adaptive Security Appliance, Adaptive Security Appliance Software, Firepower Threat Defense

Cisco

3 products

Adaptive Security Appliance

Adaptive Security Appliance Software

Firepower Threat Defense

Configuration A

2 vulnerable · 9 platform

Vulnerable Software	Affected Versions
Cisco Adaptive Security Appliance	Up to 9.16.3
Cisco Adaptive Security Appliance Software	From 9.17.0 to 9.17.1.9

Running on/with	Platform Versions
Cisco Asa 5505	All versions
Cisco Asa 5512 X	All versions
Cisco Asa 5515 X	All versions
Cisco Asa 5525 X	All versions
Cisco Asa 5545 X	All versions
Cisco Asa 5555 X	All versions
Cisco Asa 5580	All versions
Cisco Asa 5585 X	All versions
Cisco Asa For Nexus 1000v	All versions

Configuration B

2 vulnerable · 17 platform

Vulnerable Software	Affected Versions
Cisco Firepower Threat Defense	Up to 7.0.1
Cisco Firepower Threat Defense	From 7.1.0.0 to 7.1.0.1

Running on/with	Platform Versions
Cisco Firepower 1010	All versions
Cisco Firepower 1120	All versions
Cisco Firepower 1140	All versions
Cisco Firepower 1150	All versions
Cisco Firepower 2110	All versions
Cisco Firepower 2120	All versions
Cisco Firepower 2130	All versions
Cisco Firepower 2140	All versions
Cisco Firepower 4110	All versions
Cisco Firepower 4112	All versions
Cisco Firepower 4115	All versions
Cisco Firepower 4120	All versions
Cisco Firepower 4125	All versions
Cisco Firepower 4140	All versions
Cisco Firepower 4145	All versions
Cisco Firepower 4150	All versions
Cisco Firepower 9300	All versions

Related CWEs

CWE-345

Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vpndtls-dos-TunzLEV

Source: psirt@cisco.com

Vendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vpndtls-dos-TunzLEV

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.