A medium-severity vulnerability, tracked as CVE-2023-20042 with a CVSS score of 6.8, was discovered in the AnyConnect SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.
This vulnerability could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
Cisco has released software updates that address this issue. There are no workarounds that address this vulnerability.
Details of the Cisco AnyConnect SSL VPN Flaw
The vulnerability is caused by an implementation issue in the SSL/TLS session handling process that can prevent the release of a session handler under certain conditions.
An attacker could exploit this vulnerability by sending crafted SSL/TLS traffic to an affected device in order to increase the likelihood of session handler leaks.
“A successful exploit could allow the attacker to eventually deplete the available session handler pool, preventing new sessions from being established and causing a DoS condition,” Cisco said in its advisory.
Affected Products
Cisco stated that this flaw affects Cisco ASA and FTD software that is configured for AnyConnect SSL/TLS VPN connections.
Indicators of Compromise
According to Cisco, the command show ssl objects can be used to identify the presence of leaking session handlers. A high and rising number in the SSL: active counter indicates that sessions are being leaked.
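As an added example (not Cisco's tooling and not part of the original article), the following monitor parses periodic captures of show ssl objects output, pulls out the SSL: active counter, and flags the "high and rising" pattern the advisory describes. The line layout of the command output, the sample captures and the baseline value of 30 are assumptions made for this example.

```python
import re

# Regex for the "SSL: active" counter that the advisory points to. The exact line
# layout of "show ssl objects" output is an assumption made for this example.
ACTIVE_RE = re.compile(r"SSL:\s*active\s+(\d+)", re.IGNORECASE)


def parse_active(show_ssl_objects_output: str) -> int:
    """Extract the SSL: active counter from one capture of 'show ssl objects'."""
    match = ACTIVE_RE.search(show_ssl_objects_output)
    if match is None:
        raise ValueError("no 'SSL: active' counter found in capture")
    return int(match.group(1))


def leak_suspected(active_counts, min_rising_steps=4, high_water=30):
    """Apply the advisory's heuristic: a high AND rising active count suggests
    session handlers are leaking. Returns True when the counter has risen
    strictly across the last `min_rising_steps` intervals and its latest value
    exceeds `high_water`, a site-specific baseline (30 is a constructed value)."""
    if len(active_counts) < min_rising_steps + 1:
        return False  # not enough history to judge a trend
    tail = active_counts[-(min_rising_steps + 1):]
    rising = all(later > earlier for earlier, later in zip(tail, tail[1:]))
    return rising and tail[-1] > high_water


def analyze(captures, min_rising_steps=4, high_water=30):
    """Parse a time-ordered list of captures and return (counts, suspected)."""
    counts = [parse_active(c) for c in captures]
    return counts, leak_suspected(counts, min_rising_steps, high_water)


# Constructed captures, as a monitoring job might collect them every few minutes.
# Normal churn: the counter goes up and down as VPN users connect and disconnect.
HEALTHY_CAPTURES = [f"SSL objects:\n  SSL: active {n}, most 60" for n in (12, 9, 14, 11, 13)]
# Leak pattern: the counter only ever climbs, even though user load is steady.
LEAKING_CAPTURES = [f"SSL objects:\n  SSL: active {n}, most 60" for n in (12, 18, 25, 33, 41, 52)]

if __name__ == "__main__":
    for label, captures in (("healthy", HEALTHY_CAPTURES), ("leaking", LEAKING_CAPTURES)):
        counts, suspected = analyze(captures)
        print(f"{label}: active counts {counts} -> leak suspected: {suspected}")
```

Tune min_rising_steps and high_water to the device's normal session load; a counter that climbs during a login storm and later falls back is ordinary churn, while one that never comes down is the signal to look for.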
As stated in the advisory, Cisco recommends that affected customers apply the software updates as soon as possible. Cisco confirmed that there are no workarounds that address this vulnerability.