CVE-2024-20353
Published: 24 April 2024
Summary
CVE-2024-20353 is a high-severity Infinite Loop (CWE-835) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 8.6 (High).
Operationally, it ranks in the top 4.6% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-Service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-20353 affects the management and VPN web servers in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The flaw stems from incomplete error checking during HTTP header parsing and carries a CVSS 3.1 score of 8.6. Successful exploitation triggers an unexpected device reload and resulting denial-of-service condition.
An unauthenticated remote attacker can trigger the vulnerability by sending a single crafted HTTP request to either web server interface. No authentication or user interaction is required, and the attack can be launched over the network with low complexity, allowing an adversary to interrupt device operation and availability.
The Cisco Security Advisory and CISA Known Exploited Vulnerabilities catalog both list the issue, confirming that affected customers should apply the fixes published in the vendor advisory. The vulnerability has also been linked to the ArcaneDoor espionage campaign that targeted perimeter network devices.
EPSS scores rose from a low baseline to a recorded peak of 0.2445 (current value 0.1883), indicating emerging exploitation interest after public disclosure and warranting renewed attention from defenders.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-18068
Vulnerability details
A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to incomplete error checking when parsing an HTTP header. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted web server on a device. A successful exploit could allow the attacker to cause a DoS condition when the device reloads.
- CWE(s): CWE-835 (Infinite Loop)
- KEV Date Added: 24 April 2024
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of HTTP header inputs so that malformed requests are rejected before they reach the parsing flaw and trigger a reload.
- SC-5 (Denial-of-Service Protection): explicitly mandates protections that prevent crafted remote requests from producing a denial-of-service reload on the exposed web servers.
- Restricts network exposure of the management and VPN web servers so that unauthenticated attackers cannot reach the vulnerable HTTP header parser.
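As an added illustration of the SI-10 / CWE-835 point (example code written for this page, not Cisco ASA or FTD code): a header-block parser in which every loop iteration either consumes input or returns an explicit error, so a malformed request is rejected instead of being reparsed indefinitely. The limits, field-name rules and sample inputs below are assumptions constructed for the example, not values taken from the advisory or any product.

```python
"""
Added example (not Cisco's code): a strict HTTP/1.1 header-block parser that
shows the "complete error checking" a CWE-835-resistant parser needs. Every
pass through the loop advances past a CRLF or returns an explicit error, so
there is no input on which the parser can spin without making progress.
MAX_HEADERS and MAX_LINE_LEN are assumed ceilings chosen for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_HEADERS = 64        # assumed ceiling on the number of header fields
MAX_LINE_LEN = 8192     # assumed ceiling on one header line
# RFC 9110 token characters allowed in a field name (assumption: strict ASCII).
TCHAR = set("!#$%&'*+-.^_`|~0123456789"
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


@dataclass
class ParseResult:
    ok: bool
    error: Optional[str] = None
    headers: dict = field(default_factory=dict)
    consumed: int = 0       # bytes consumed, including the terminating blank line


def parse_header_block(data: bytes) -> ParseResult:
    """Parse header lines up to and including the blank CRLF line.
    Returns ok=False with a reason on any defect; never raises, never loops
    without consuming input."""
    headers: dict = {}
    pos = 0
    count = 0
    while True:
        end = data.find(b"\r\n", pos)
        # Guard 1: a line must be CRLF-terminated; truncated input is an error,
        # not a reason to wait or retry on the same offset.
        if end == -1:
            return ParseResult(False, "unterminated header line")
        line = data[pos:end]
        if len(line) > MAX_LINE_LEN:
            return ParseResult(False, "header line too long")
        # Guard 2: advance past the CRLF before any other branch can run.
        pos = end + 2
        if line == b"":
            return ParseResult(True, None, headers, pos)   # blank line ends block
        # Obsolete line folding (leading SP/HTAB) is rejected outright.
        if line[:1] in (b" ", b"\t"):
            return ParseResult(False, "obsolete line folding")
        name, sep, value = line.partition(b":")
        if not sep:
            return ParseResult(False, "header line without colon")
        if not name or any(chr(c) not in TCHAR for c in name):
            return ParseResult(False, "invalid header field name")
        # A bare CR or LF would survive splitting on CRLF; reject it.
        if b"\r" in value or b"\n" in value:
            return ParseResult(False, "bare CR/LF in header value")
        try:
            text = value.strip().decode("ascii")
        except UnicodeDecodeError:
            return ParseResult(False, "non-ASCII header value")
        headers[name.decode("ascii").lower()] = text
        # Guard 3: bounded number of fields, checked after each accepted field.
        count += 1
        if count > MAX_HEADERS:
            return ParseResult(False, "too many headers")


# Constructed sample inputs (not captured traffic).
GOOD = b"Host: vpn.example.invalid\r\nContent-Length: 0\r\n\r\n"
NO_TERMINATOR = b"Host: vpn.example.invalid\r\nX-Trailing: 1"   # truncated
NO_COLON = b"Host vpn.example.invalid\r\n\r\n"
FOLDED = b"X-A: 1\r\n continued\r\n\r\n"
BAD_NAME = b"Bad Name: 1\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("GOOD", GOOD), ("NO_TERMINATOR", NO_TERMINATOR),
                          ("NO_COLON", NO_COLON), ("FOLDED", FOLDED),
                          ("BAD_NAME", BAD_NAME)]:
        r = parse_header_block(sample)
        print(f"{label:14} ok={r.ok} error={r.error} headers={r.headers}")
```

The three guards are the whole point: the find-CRLF check turns truncated input into an error rather than a retry, the unconditional `pos = end + 2` guarantees progress on every path, and the field-count ceiling bounds the loop even when every line is well formed. A parser that skips any one of these on some error path has exactly the kind of incomplete error checking the advisory describes.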