A vulnerability in the packet processing functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to inefficient memory management. An attacker could exploit this vulnerability by sending a high rate of IPv4 or IPv6 traffic through an affected device. This traffic would need to match a configured block action in an access control policy. An exploit could allow the attacker to cause a memory exhaustion condition on the affected device, which would result in a DoS for traffic transiting the device, as well as sluggish performance of the management interface. Once the flood is stopped, performance should return to previous states.
Weakness
The product does not properly control the allocation and maintenance of a limited resource.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Firepower_threat_defense | Cisco | 6.2.3 (including) | 6.2.3.16 (excluding) |
| Firepower_threat_defense | Cisco | 6.3.0 (including) | 6.3.0.6 (excluding) |
| Firepower_threat_defense | Cisco | 6.4.0 (including) | 6.4.0.9 (excluding) |
Potential Mitigations
Mitigation of resource exhaustion attacks requires that the target system either:
The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/147.html
- https://cwe.mitre.org/data/definitions/227.html
- https://cwe.mitre.org/data/definitions/492.html