Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2023-20177

Improper Clearing of Heap Memory Before Release ('Heap Inspection')

Published: Nov 01, 2023 | Modified: Nov 21, 2024
CVSS 3.x
4
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2023-20177
CWEhttps://cwe.mitre.org/data/definitions/244.html

A vulnerability in the SSL file policy implementation of Cisco Firepower Threat Defense (FTD) Software that occurs when the SSL/TLS connection is configured with a URL Category and the Snort 3 detection engine could allow an unauthenticated, remote attacker to cause the Snort 3 detection engine to unexpectedly restart. This vulnerability exists because a logic error occurs when a Snort 3 detection engine inspects an SSL/TLS connection that has either a URL Category configured on the SSL file policy or a URL Category configured on an access control policy with TLS server identity discovery enabled. Under specific, time-based constraints, an attacker could exploit this vulnerability by sending a crafted SSL/TLS connection through an affected device. A successful exploit could allow the attacker to trigger an unexpected reload of the Snort 3 detection engine, resulting in either a bypass or denial of service (DoS) condition, depending on device configuration. The Snort 3 detection engine will restart automatically. No manual intervention is required.

Weakness

Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.

Affected Software

Name Vendor Start Version End Version
Firepower_threat_defense Cisco 7.0.0 (including) 7.0.0 (including)
Firepower_threat_defense Cisco 7.0.0.1 (including) 7.0.0.1 (including)
Firepower_threat_defense Cisco 7.0.1 (including) 7.0.1 (including)
Firepower_threat_defense Cisco 7.0.1.1 (including) 7.0.1.1 (including)
Firepower_threat_defense Cisco 7.0.2 (including) 7.0.2 (including)
Firepower_threat_defense Cisco 7.0.2.1 (including) 7.0.2.1 (including)
Firepower_threat_defense Cisco 7.0.3 (including) 7.0.3 (including)
Firepower_threat_defense Cisco 7.0.4 (including) 7.0.4 (including)
Firepower_threat_defense Cisco 7.0.5 (including) 7.0.5 (including)
Firepower_threat_defense Cisco 7.1.0 (including) 7.1.0 (including)
Firepower_threat_defense Cisco 7.1.0.1 (including) 7.1.0.1 (including)
Firepower_threat_defense Cisco 7.1.0.2 (including) 7.1.0.2 (including)
Firepower_threat_defense Cisco 7.1.0.3 (including) 7.1.0.3 (including)
Firepower_threat_defense Cisco 7.2.0 (including) 7.2.0 (including)
Firepower_threat_defense Cisco 7.2.0.1 (including) 7.2.0.1 (including)
Firepower_threat_defense Cisco 7.2.1 (including) 7.2.1 (including)
Firepower_threat_defense Cisco 7.2.2 (including) 7.2.2 (including)
Firepower_threat_defense Cisco 7.2.3 (including) 7.2.3 (including)
Firepower_threat_defense Cisco 7.3.0 (including) 7.3.0 (including)
Firepower_threat_defense Cisco 7.3.1 (including) 7.3.1 (including)
Firepower_threat_defense Cisco 7.3.1.1 (including) 7.3.1.1 (including)

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use