CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:N/I:N/A:C
EPSS
Percentile
53.2%
A vulnerability in the VPN authentication code that handles parsing of the username from the certificate on the Cisco ASA firewall could allow an unauthenticated, remote attacker to cause a reload of the affected device.
The vulnerability is due to parallel processing of a large number of Internet Key Exchange (IKE) requests for which username-from-cert is configured. An attacker could exploit this vulnerability by sending a large number of IKE requests when the affected device is configured with the username-from-cert command. An exploit could allow the attacker to cause a reload of the affected device, leading to a denial of service (DoS) condition.
Cisco has confirmed the vulnerability in a security notice and released software updates.
To exploit this vulnerability, an attacker must send a large number of IKE requests to a targeted device, which may reside on trusted, internal networks that the attacker would likely need to access. This access requirement decreases the likelihood of a successful exploit. In addition, the targeted device must be configured with the username-from-cert command.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | adaptive_security_appliance_software | 8.4 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.4.1 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4.1:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.4.2 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4.2:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.4.1.3 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4.1.3:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.4.1.11 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4.1.11:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.4.2.8 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4.2.8:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.4.3 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4.3:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.4.3.8 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4.3.8:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.4.3.9 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4.3.9:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.4.4 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4.4:*:*:*:*:*:*:* |