CVE-2020-3572 Overview
A vulnerability in the SSL/TLS session handler of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a memory leak when closing SSL/TLS connections in a specific state. An attacker could exploit this vulnerability by establishing several SSL/TLS sessions and ensuring they are closed under certain conditions. A successful exploit could allow the attacker to exhaust memory resources in the affected device, which would prevent it from processing new SSL/TLS connections, resulting in a DoS. Manual intervention is required to recover an affected device.
Critical Impact
Successful exploitation leads to memory exhaustion on Cisco ASA and FTD devices, preventing new SSL/TLS connections and requiring manual intervention to restore service availability.
Affected Products
- Cisco Adaptive Security Appliance (ASA) Software
- Cisco Firepower Threat Defense (FTD) Software
- Cisco Adaptive Security Appliance Software
Discovery Timeline
- October 21, 2020 - CVE-2020-3572 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-3572
Vulnerability Analysis
This vulnerability resides in the SSL/TLS session handler component of Cisco ASA and FTD Software. The flaw is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-401 (Missing Release of Memory after Effective Lifetime), indicating improper memory management during SSL/TLS session termination. The attack can be conducted remotely over the network without requiring authentication or user interaction.
When SSL/TLS connections are closed under specific conditions, the affected software fails to properly release allocated memory resources. This memory leak accumulates with each improperly terminated connection, gradually depleting the device's available memory pool.
Root Cause
The root cause of this vulnerability is a memory leak triggered when SSL/TLS connections are closed in a specific state. The SSL/TLS session handler fails to properly deallocate memory resources associated with terminated connections, leading to progressive memory exhaustion. This improper memory management (CWE-401) results in uncontrolled resource consumption (CWE-400) that can render the device unable to process legitimate traffic.
Attack Vector
An attacker can exploit this vulnerability remotely over the network without authentication. The attack methodology involves:
- Connection Establishment: The attacker initiates multiple SSL/TLS sessions with the target Cisco ASA or FTD device
- Controlled Termination: Sessions are intentionally closed under specific conditions that trigger the memory leak
- Resource Exhaustion: Repeated exploitation depletes memory resources on the affected device
- Denial of Service: The device becomes unable to process new SSL/TLS connections, effectively denying service to legitimate users
The vulnerability requires no special privileges or user interaction, making it highly accessible to potential attackers. Manual intervention is required to recover the affected device after successful exploitation.
Detection Methods for CVE-2020-3572
Indicators of Compromise
- Unusual increase in SSL/TLS connection attempts followed by rapid terminations
- Progressive memory utilization increase on Cisco ASA or FTD devices without corresponding traffic growth
- Device logs showing memory allocation warnings or errors in SSL/TLS handler components
- Degraded device performance or inability to establish new SSL/TLS connections
Detection Strategies
- Monitor memory utilization trends on Cisco ASA and FTD devices using SNMP or built-in monitoring tools
- Configure alerts for memory thresholds approaching critical levels on affected security appliances
- Analyze connection logs for patterns of repeated SSL/TLS session establishment and rapid termination from single sources
- Implement network flow analysis to detect anomalous SSL/TLS connection patterns targeting the device
Monitoring Recommendations
- Enable syslog monitoring for memory-related warnings on affected Cisco devices
- Establish baseline memory usage patterns to identify anomalous consumption
- Configure automated alerts when memory utilization exceeds defined thresholds
- Review connection statistics periodically to identify potential exploitation attempts
How to Mitigate CVE-2020-3572
Immediate Actions Required
- Apply the security patches provided by Cisco for affected ASA and FTD software versions
- Review the Cisco Security Advisory for specific version guidance
- Implement rate limiting for SSL/TLS connections where feasible to slow potential exploitation
- Monitor device memory utilization closely until patches can be applied
Patch Information
Cisco has released security updates to address this vulnerability. Administrators should consult the Cisco Security Advisory cisco-sa-asa-ftd-tcp-dos-N3DMnU4T to identify the appropriate fixed software release for their deployment. The advisory provides detailed information on affected versions and upgrade paths.
Workarounds
- Implement connection rate limiting at network perimeter devices to reduce potential attack surface
- Configure connection limits per source IP address where supported
- Ensure network monitoring is in place to detect and alert on memory exhaustion conditions
- Establish procedures for manual device recovery in case of successful exploitation
# Verify current ASA software version
show version
# Monitor memory utilization for anomalies
show memory detail
# Review SSL/TLS connection statistics
show ssl cache statistics
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
