CVE-2023-20042 Overview
A vulnerability in the AnyConnect SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an implementation error within the SSL/TLS session handling process that can prevent the release of a session handler under specific conditions. An attacker could exploit this vulnerability by sending crafted SSL/TLS traffic to an affected device, increasing the probability of session handler leaks. A successful exploit could allow the attacker to eventually deplete the available session handler pool, preventing new sessions from being established and causing a DoS condition.
Critical Impact
Remote attackers can exhaust the session handler pool on Cisco ASA and FTD devices without authentication, completely preventing legitimate VPN users from establishing new connections and disrupting enterprise remote access capabilities.
Affected Products
- Cisco Adaptive Security Appliance (ASA) Software versions 9.16.x, 9.17.x, 9.18.x, and 9.19.x
- Cisco Firepower Threat Defense (FTD) Software versions 7.0.x, 7.1.x, 7.2.x, and 7.3.x
- Devices with AnyConnect SSL VPN feature enabled
Discovery Timeline
- November 1, 2023 - CVE-2023-20042 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-20042
Vulnerability Analysis
This vulnerability (CWE-404: Improper Resource Shutdown or Release) stems from a flaw in how Cisco ASA and FTD software manages SSL/TLS session handlers within the AnyConnect SSL VPN feature. Under specific conditions during the SSL/TLS handshake process, session handlers are not properly released back to the resource pool, leading to a resource leak condition.
The attack is particularly concerning because it requires no authentication and can be executed remotely over the network. In CVSS terms the scope is changed, meaning the impact extends beyond the vulnerable component itself: the availability of the whole ASA/FTD device is compromised, although there is no direct impact on the confidentiality or integrity of data.
The resource exhaustion attack is cumulative in nature. Each crafted SSL/TLS connection has a probability of triggering a session handler leak. Over time, repeated exploitation attempts gradually deplete the finite pool of available session handlers until the device can no longer accept new VPN connections.
Root Cause
The root cause is an implementation error in the SSL/TLS session handling process. The session handler cleanup logic fails to execute under certain edge-case conditions during the SSL/TLS session lifecycle. When specific patterns of SSL/TLS traffic are processed, the code path responsible for releasing session handlers back to the available pool is bypassed, resulting in orphaned session handler objects that consume system resources indefinitely until the device is rebooted or the service is restarted.
Attack Vector
The attack vector is network-based and requires the attacker to send specially crafted SSL/TLS traffic to the AnyConnect SSL VPN interface of an affected device. The attack can be executed as follows:
- The attacker identifies a target device running vulnerable versions of Cisco ASA or FTD software with AnyConnect SSL VPN enabled
- The attacker initiates SSL/TLS connections with crafted parameters designed to trigger the session handler leak condition
- Each successful exploitation attempt leaks one or more session handlers from the available pool
- The attacker repeats the process until the session handler pool is exhausted
- Once depleted, legitimate users are unable to establish new VPN sessions, resulting in denial of service
The attack does not require valid credentials and can be launched by any entity capable of reaching the SSL VPN interface over the network.
Detection Methods for CVE-2023-20042
Indicators of Compromise
- Gradual decrease in available session handler resources on ASA/FTD devices
- Increasing number of failed VPN connection attempts from legitimate users
- Unusual volume of SSL/TLS handshake traffic to the AnyConnect VPN interface
- System logs indicating session handler pool exhaustion or resource allocation failures
Detection Strategies
- Monitor session handler utilization metrics on ASA/FTD devices using the show resource usage command
- Configure SNMP traps or syslog alerts for VPN subsystem resource threshold violations
- Implement network traffic analysis to detect anomalous patterns of SSL/TLS connection attempts
- Deploy intrusion detection signatures to identify crafted SSL/TLS traffic patterns associated with this vulnerability
Monitoring Recommendations
- Establish baseline metrics for normal session handler utilization and alert on significant deviations
- Enable detailed logging for the SSL VPN subsystem to capture connection attempt metadata
- Monitor VPN user complaints and service desk tickets for patterns indicating connectivity issues
- Correlate session handler depletion events with source IP addresses to identify potential attackers
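A constructed detection check, added here as an example and not part of the original page or of Cisco's tooling: it parses periodic show resource usage-style snapshots (the column layout and the "VPN Other" row are assumed), fits a leak rate across them, and alerts when utilization crosses a baseline threshold, when the projected time to exhaustion falls inside the alert window, or when allocations are already being denied, which is the cumulative-depletion pattern this vulnerability produces.

```python
import re

# Constructed sample snapshots (hours since first sample, CLI text). The column
# layout and the "VPN Other" row are assumed for illustration; verify against
# the real "show resource usage" output on your platform before adapting.
SNAPSHOTS = [
    (0.0, "Resource   Current  Peak  Limit  Denied  Context\nVPN Other  120  130  750  0  System\n"),
    (1.0, "Resource   Current  Peak  Limit  Denied  Context\nVPN Other  260  260  750  0  System\n"),
    (2.0, "Resource   Current  Peak  Limit  Denied  Context\nVPN Other  410  410  750  0  System\n"),
    (3.0, "Resource   Current  Peak  Limit  Denied  Context\nVPN Other  555  555  750  12  System\n"),
]

# One table row: a (possibly multi-word) resource name, then numeric columns.
ROW = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z ]*?)\s{2,}(?P<cur>\d+)\s+(?P<peak>\d+)"
    r"\s+(?P<limit>\d+)\s+(?P<denied>\d+)\s+\S+\s*$", re.M)

def parse_resource(text, name):
    """Return (current, limit, denied) for one named resource row."""
    for m in ROW.finditer(text):
        if m.group("name") == name:
            return int(m["cur"]), int(m["limit"]), int(m["denied"])
    raise ValueError(f"resource {name!r} not found in snapshot")

def leak_rate(points):
    """Least-squares slope of usage over time (handlers per hour)."""
    mt = sum(t for t, _ in points) / len(points)
    mc = sum(c for _, c in points) / len(points)
    den = sum((t - mt) ** 2 for t, _ in points)
    return sum((t - mt) * (c - mc) for t, c in points) / den if den else 0.0

def assess(snapshots, name, util_threshold=0.8, horizon_hours=6.0):
    """Flag a creeping leak: high utilization, imminent exhaustion or denials."""
    points, denied = [], 0
    for t, text in snapshots:
        cur, limit, denied = parse_resource(text, name)
        points.append((t, cur))
    slope = leak_rate(points)
    last_cur = points[-1][1]
    util = last_cur / limit
    hours_left = (limit - last_cur) / slope if slope > 0 else float("inf")
    reasons = []
    if util >= util_threshold:
        reasons.append(f"utilization {util:.0%} above baseline threshold")
    if hours_left <= horizon_hours:
        reasons.append(f"pool exhausted in ~{hours_left:.1f}h at {slope:.0f}/h")
    if denied > 0:
        reasons.append(f"{denied} allocations already denied")
    return {"slope": slope, "utilization": util,
            "hours_to_exhaustion": hours_left, "alert": bool(reasons), "reasons": reasons}
```

Feed it snapshots collected on a schedule (for example from a syslog or automation job that runs the command) and page on a result whose alert flag is set; a flat series returns no alert.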
How to Mitigate CVE-2023-20042
Immediate Actions Required
- Review the Cisco Security Advisory for affected version details and fixed releases
- Plan and schedule upgrades to patched software versions during maintenance windows
- Monitor session handler resource utilization on affected devices for signs of active exploitation
- Consider implementing rate limiting on SSL VPN connections as a temporary mitigation measure
Patch Information
Cisco has released security updates to address this vulnerability. Administrators should consult the Cisco Security Advisory (cisco-sa-asaftd-ssl-dos-kxG8mpUA) for specific fixed version information for their deployment. The advisory provides detailed upgrade paths for both ASA Software and FTD Software across all affected version trains.
For Cisco ASA Software, affected versions include 9.16.1 through 9.16.4.9, 9.17.1 through 9.17.1.20, 9.18.1 through 9.18.2.7, and 9.19.1. For Cisco FTD Software, affected versions span 7.0.0 through 7.0.5, 7.1.0 through 7.1.0.3, 7.2.0 through 7.2.3, and 7.3.0 through 7.3.1.1.
Workarounds
- There are no complete workarounds for this vulnerability; software upgrades are required for full remediation
- Implement access control lists (ACLs) to restrict SSL VPN access to trusted IP ranges where feasible
- Configure connection rate limiting to slow down potential exploitation attempts
- Enable Control Plane Policing (CoPP) to protect device resources from volumetric attacks
! Example: Configure connection limits on ASA (adjust values based on environment)
! Traffic terminating on the ASA itself, such as the AnyConnect SSL VPN listener,
! is matched with a management-type class map; "outside" is a placeholder for the
! VPN-facing interface name
class-map type management vpn-rate-limit
 match port tcp eq https
!
policy-map vpn-policy
 class vpn-rate-limit
  set connection conn-max 100 per-client-max 5
!
service-policy vpn-policy interface outside
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.