CVE-2020-3305 Overview
A vulnerability in the implementation of the Border Gateway Protocol (BGP) module in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to incorrect processing of certain BGP packets. An attacker could exploit this vulnerability by sending a crafted BGP packet. A successful exploit could allow the attacker to cause a DoS condition on the affected device.
Critical Impact
An unauthenticated, remote attacker who can reach the BGP service can force an affected Cisco ASA or FTD device to stop responding or reload. Because these devices fail closed, the practical impact is loss of the connectivity, routing and VPN services that pass through the firewall (and repeated outages if the attacker keeps sending packets), not a bypass of its security policy.
Affected Products
- Cisco Adaptive Security Appliance (ASA) Software
- Cisco Firepower Threat Defense (FTD) Software
- Cisco ASA 5505, 5510, 5512-x, 5515-x, 5520, 5525-x, 5550, 5555-x, 5580, 5585-x Hardware Appliances
Exposure is determined by the software release running on the appliance and by whether BGP is configured, not by the hardware model itself.
Discovery Timeline
- 2020-05-06 - CVE-2020-3305 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-3305
Vulnerability Analysis
This vulnerability resides in the BGP module of Cisco ASA and FTD software. The BGP process only exists on devices where BGP routing has been configured (a router bgp stanza in the running configuration); on those devices, an unauthenticated attacker who can reach the BGP service can send specially crafted BGP packets that trigger a denial of service. NVD classifies the flaw as CWE-400 (Uncontrolled Resource Consumption): the crafted packets drive the BGP process into resource exhaustion or a crash that takes the device down. The advisory describes the outcome as a DoS condition and does not publish the exact parsing defect.
The attack can be executed over the network without authentication or user interaction, which makes exposed perimeter devices obvious targets. Because an ASA or FTD device fails closed, a successful attack does not let traffic through unfiltered; it takes the firewall offline, and with it the connectivity, routing and VPN services that depend on it, until the device recovers.
Root Cause
The root cause of CVE-2020-3305 is incorrect processing of certain BGP packets within the BGP module: input that the implementation should reject or bound is instead allowed to consume resources without limit (CWE-400), leading to device instability or a reload. Cisco's advisory does not detail which message type or field is mishandled, so any description of the specific malformed structure is speculation rather than published fact.
Attack Vector
The attack vector is network-based: the attacker needs IP reachability to the BGP service on the target ASA or FTD device, which listens on TCP port 179 on the interfaces where BGP peering is configured. No authentication and no user interaction are required. Note that ordinary interface access lists on the ASA do not filter traffic addressed to the device itself, so reachability to port 179 is governed by routing and by control-plane access lists, not by the data-plane policy.
When the crafted packet is processed by the vulnerable module, it triggers the resource-handling fault that disrupts the device. The advisory does not state whether a full BGP session with a configured peer is needed, so the conservative assumption is that any host able to complete a TCP connection to port 179 on the device is a potential source. For the authoritative description, refer to the Cisco Security Advisory.
Detection Methods for CVE-2020-3305
Indicators of Compromise
- Unexpected reloads or crashes of Cisco ASA or FTD appliances, particularly where show crashinfo references the BGP process
- Inbound TCP/179 connections to the device's own addresses from sources that are not configured BGP neighbors, or an unusual rate of connection attempts from a configured neighbor
- Syslog messages indicating BGP neighbor flaps or BGP process errors
- Connectivity outages through the firewall coinciding with unusual BGP activity
Detection Strategies
- Monitor BGP session logs for unexpected terminations or anomalous packet processing errors
- Implement network intrusion detection rules to identify malformed BGP packets
- Configure syslog alerts for device reload events and BGP-related error messages
- Review traffic patterns on TCP port 179 for unusual volumes or sources
Monitoring Recommendations
- Log at the informational level or better so that to-the-box connection messages (302013 build, 302014 teardown) and reload events are captured, and send them to an external syslog collector that a reload of the device cannot wipe
- Track BGP session stability (show bgp summary) and alert on neighbor state changes
- Baseline TCP/179 traffic (which sources, how many sessions, how long-lived they are) so that deviations stand out
- Alert in real time on device availability and on BGP service status
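The detection strategies above come down to one question for the syslog feed: who is opening TCP/179 connections to the firewall itself, and are they the configured peers? The script below is an added example written for this page, not Cisco code. It keys on the real %ASA-6-302013 "Built inbound TCP connection" message, whose destination interface is "identity" when the connection terminates on the ASA; the log lines, addresses and peer list are constructed for the demonstration.

```python
"""Spot inbound BGP (TCP/179) connections to the firewall itself in ASA syslog
and flag sources that are not configured peers.

Added example for this page (not Cisco code). It keys on the real
%ASA-6-302013 "Built inbound TCP connection" message, whose destination
interface is "identity" for traffic terminated on the ASA. The log lines,
addresses and peer list below are constructed for the demonstration.
"""
import re
from collections import Counter

# Constructed: the only neighbor configured under "router bgp" on this device.
TRUSTED_PEERS = {"198.51.100.2"}

# Constructed ASA syslog excerpt (302013 = connection built, 302014 = teardown).
SAMPLE_LOG = """\
May  6 10:00:01 fw01 %ASA-6-302013: Built inbound TCP connection 4001 for outside:198.51.100.2/50123 (198.51.100.2/50123) to identity:198.51.100.1/179 (198.51.100.1/179)
May  6 10:00:05 fw01 %ASA-6-302013: Built inbound TCP connection 4002 for outside:203.0.113.7/40001 (203.0.113.7/40001) to identity:198.51.100.1/179 (198.51.100.1/179)
May  6 10:00:05 fw01 %ASA-6-302014: Teardown TCP connection 4002 for outside:203.0.113.7/40001 to identity:198.51.100.1/179 duration 0:00:00 bytes 0 TCP Reset-O
May  6 10:00:06 fw01 %ASA-6-302013: Built inbound TCP connection 4003 for outside:203.0.113.7/40002 (203.0.113.7/40002) to identity:198.51.100.1/179 (198.51.100.1/179)
May  6 10:00:07 fw01 %ASA-6-302013: Built inbound TCP connection 4004 for outside:203.0.113.7/40003 (203.0.113.7/40003) to identity:198.51.100.1/179 (198.51.100.1/179)
May  6 10:00:09 fw01 %ASA-6-302013: Built inbound TCP connection 4005 for outside:203.0.113.9/51000 (203.0.113.9/51000) to identity:198.51.100.1/443 (198.51.100.1/443)
"""

# Layout of the 302013 message: "for <src_if>:<src>/<sport> (<mapped>) to <dst_if>:<dst>/<dport> (<mapped>)"
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built inbound TCP connection \d+ for "
    r"(?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def bgp_connections(lines):
    """Return (src_ip, dst_ip, dst_if) for each inbound connection built to TCP/179."""
    hits = []
    for line in lines:
        m = BUILT_RE.search(line)
        if m and m.group("dport") == "179":
            hits.append((m.group("src"), m.group("dst"), m.group("dst_if")))
    return hits


def suspicious_bgp_sources(lines, trusted_peers=TRUSTED_PEERS, threshold=3):
    """Flag sources that are not configured peers, plus any source (peer or not)
    that opened >= threshold BGP connections in the window: a healthy peer holds
    one long-lived session, so rapid rebuilds suggest sessions being killed."""
    counts = Counter(src for src, _, _ in bgp_connections(lines))
    return {
        "untrusted": {s: n for s, n in counts.items() if s not in trusted_peers},
        "high_rate": {s: n for s, n in counts.items() if n >= threshold},
    }


if __name__ == "__main__":
    # Constructed sample: one legitimate peer session, three rapid attempts from a
    # non-peer, and an unrelated HTTPS connection that is ignored.
    print(suspicious_bgp_sources(SAMPLE_LOG.splitlines()))
```

Feed it the output of the syslog collector rather than the device's local buffer, since a reload clears the buffer. Sessions that the ASA initiates toward a peer are logged as "Built outbound" and are not matched here; the regex can be widened if your peers are configured that way.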
How to Mitigate CVE-2020-3305
Immediate Actions Required
- Check whether BGP is configured with show running-config router bgp; if there is no router bgp stanza, the BGP process is not running and the device is not exposed to this bug (confirm against the advisory's vulnerable-products section)
- Review the Cisco Security Advisory for your specific software version and apply the fixed release as soon as possible
- Restrict TCP/179 to configured peers with an access list bound to the interface using the control-plane keyword; ordinary interface ACLs do not filter traffic addressed to the device itself
- Where the peering router or an upstream device supports it, rate-limit connection attempts toward the device's port 179; ASA has no IOS-style control-plane policing, so this has to be done upstream
Patch Information
Cisco has released software updates to address this vulnerability. Organizations should consult the Cisco Security Advisory cisco-sa-asa-dos-P43GCE5j for specific fixed software versions and upgrade guidance. The advisory provides detailed information about affected versions and corresponding patches for both Cisco ASA Software and Cisco Firepower Threat Defense Software.
Workarounds
- Bind an extended ACL to each BGP-facing interface with access-group <acl> in interface <if> control-plane so that only known peer addresses can reach TCP/179 on the device
- Disable BGP (no router bgp <asn>) if the deployment does not need it
- ASA does not have the IOS control-plane policing (CoPP) feature; the control-plane access group is the mechanism for filtering traffic to the device, and any rate limiting must be applied upstream
- Keep BGP-facing interfaces off untrusted networks: peer over dedicated links or a segmented transit network rather than a shared segment
! Example control-plane ACL: allow BGP (TCP/179) only to and from one trusted peer; the <...> values are placeholders
access-list bgp-filter extended permit tcp host <trusted-peer-ip> host <local-bgp-ip> eq 179
access-list bgp-filter extended permit tcp host <trusted-peer-ip> eq 179 host <local-bgp-ip>
access-list bgp-filter extended deny tcp any host <local-bgp-ip> eq 179
! Control-plane ACLs end in an implicit deny, so keep other to-the-box traffic (management, VPN) working
access-list bgp-filter extended permit ip any any
! Interface ACLs do not filter traffic addressed to the ASA itself; the control-plane keyword is required
access-group bgp-filter in interface <interface> control-plane
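The immediate actions and workarounds above amount to a checklist: is BGP configured, who are the neighbors, and does a control-plane ACL let exactly those neighbors reach TCP/179? The script below is an added example written for this page, not a Cisco tool; it audits an exported running-config for those three points. The config excerpt is constructed, and the ACL parser only understands the host, any and network-mask address forms with an optional eq port, which is all the workaround on this page uses.

```python
"""Audit an exported ASA running-config for BGP exposure: is "router bgp"
present, which neighbors are configured, and does a control-plane ACL
restrict inbound TCP/179 to exactly those neighbors.

Added example for this page, not a Cisco tool. The config excerpt is
constructed; command syntax follows the ASA CLI (router bgp / neighbor,
access-list ... extended, access-group ... in interface ... control-plane).
"""
import re

# Constructed running-config excerpt: two neighbors, but the ACL only permits one.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.1 255.255.255.0
access-list bgp-filter extended permit tcp host 198.51.100.2 host 198.51.100.1 eq 179
access-list bgp-filter extended permit tcp host 198.51.100.2 eq 179 host 198.51.100.1
access-list bgp-filter extended deny tcp any host 198.51.100.1 eq 179
access-list bgp-filter extended permit ip any any
access-group bgp-filter in interface outside control-plane
router bgp 65001
 address-family ipv4 unicast
  neighbor 198.51.100.2 remote-as 65002
  neighbor 198.51.100.3 remote-as 65003
"""

ROUTER_BGP_RE = re.compile(r"^router bgp \d+", re.M)
NEIGHBOR_RE = re.compile(r"^\s*neighbor (\S+) remote-as \d+", re.M)
CP_ACL_RE = re.compile(r"^access-group (\S+) in interface (\S+) control-plane", re.M)
ACL_TCP_RE = re.compile(r"^access-list (\S+) extended (permit|deny) tcp (.+)$", re.M)


def _addr(tok, i):
    """Consume one address spec at tok[i]: any | host A | A MASK. Returns (spec, next)."""
    if tok[i] in ("any", "any4"):
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2


def _port(tok, i):
    """Consume an optional 'eq <port>' at tok[i]. Returns (port or None, next)."""
    if i < len(tok) and tok[i] == "eq":
        return tok[i + 1], i + 2
    return None, i


def tcp_rules(config, acl_name):
    """Ordered (action, src, sport, dst, dport) tuples for the TCP lines of one ACL."""
    rules = []
    for name, action, rest in ACL_TCP_RE.findall(config):
        if name != acl_name:
            continue
        tok = rest.split()
        src, i = _addr(tok, 0)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i)
        rules.append((action, src, sport, dst, dport))
    return rules


def assess(config):
    """Summarise BGP exposure for one device config (see keys below)."""
    bgp_enabled = bool(ROUTER_BGP_RE.search(config))
    neighbors = set(NEIGHBOR_RE.findall(config)) if bgp_enabled else set()
    cp_acls = {iface: acl for acl, iface in CP_ACL_RE.findall(config)}
    permitted, open_to_any = set(), False
    for acl in set(cp_acls.values()):
        blanket_deny = False  # ACLs are first-match: a deny-any for 179 shadows later permits
        for action, src, _sport, _dst, dport in tcp_rules(config, acl):
            if dport not in ("179", None):
                continue
            if action == "deny" and src == "any":
                blanket_deny = True
            elif action == "permit" and dport == "179" and not blanket_deny:
                if src == "any":
                    open_to_any = True
                else:
                    permitted.add(src)  # host or network/mask string
    return {
        "bgp_enabled": bgp_enabled,
        "neighbors": neighbors,
        "control_plane_acls": cp_acls,
        "permitted_bgp_sources": permitted,
        "unexpected_permits": permitted - neighbors,        # should be empty
        "neighbors_not_permitted": neighbors - permitted,   # peering would break
        # No control-plane ACL at all means nothing stops to-the-box TCP/179.
        "bgp_open_to_any": open_to_any or (bgp_enabled and not cp_acls),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it over the output of show running-config from each device. A non-empty neighbors_not_permitted set means the workaround as written would break a peering (the sample deliberately omits 198.51.100.3), while a non-empty unexpected_permits set or bgp_open_to_any being true means the exposure the advisory describes is still there.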
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.