Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-20339

CVE-2024-20339: Cisco Firepower Threat Defense DoS Flaw

CVE-2024-20339 is a denial of service vulnerability in Cisco Firepower Threat Defense Software that allows remote attackers to crash devices via TLS traffic. This article covers technical details, affected systems, and mitigations.

Published:

CVE-2024-20339 Overview

CVE-2024-20339 is a denial of service (DoS) vulnerability in the Transport Layer Security (TLS) processing feature of Cisco Firepower Threat Defense (FTD) Software for the Cisco Firepower 2100 Series. An unauthenticated, remote attacker can trigger a device reload by sending crafted TLS traffic over IPv4 through an affected device. The flaw is tracked as a NULL pointer dereference issue [CWE-476] and impacts availability of traffic flowing to and through the firewall.

Critical Impact

Remote unauthenticated attackers can force affected Firepower 2100 Series devices to reload, disrupting all traffic passing through the firewall and creating a network-wide outage.

Affected Products

  • Cisco Firepower Threat Defense Software versions 6.2.3 through 6.2.3.18
  • Cisco Firepower Threat Defense Software versions 6.4.0 through 7.2.5.2
  • Cisco Firepower Threat Defense Software versions 7.3.0 through 7.3.1.2 (Firepower 2100 Series)

Discovery Timeline

  • 2024-10-23 - CVE-2024-20339 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-20339

Vulnerability Analysis

The vulnerability resides in the TLS traffic processing path of Cisco FTD Software running on Firepower 2100 Series appliances. When the device inspects certain TLS traffic transiting over IPv4, a code path dereferences a NULL pointer, causing the process to crash and the appliance to reload. Because the FTD software provides inline traffic inspection, the reload interrupts all forwarded traffic. The EPSS score is 0.716%, placing this issue in the 49th percentile for likelihood of exploitation.

Root Cause

The defect is classified as a NULL Pointer Dereference [CWE-476] in the TLS processing subsystem. Specific TLS packet structures reach code that assumes a pointer is initialized when it is not. Dereferencing that pointer produces an unrecoverable fault, forcing the device to restart.

Attack Vector

Exploitation requires no authentication and no user interaction. An attacker sends specifically crafted TLS traffic over IPv4 through the affected firewall. The traffic does not need to terminate on the device itself; transit traffic subject to TLS inspection triggers the flaw. Successful exploitation causes a device reload and denial of service condition. See the Cisco Security Advisory: TLS DoS for the vendor's technical description.

Detection Methods for CVE-2024-20339

Indicators of Compromise

  • Unexpected reload events on Firepower 2100 Series appliances with crash dumps referencing the TLS inspection process (snort or lina crash logs).
  • Recurring loss of throughput correlated with inbound IPv4 TLS flows from a common source.
  • Syslog messages indicating traceback or process restart shortly after receiving TLS traffic.

Detection Strategies

  • Monitor FTD device availability metrics and SNMP sysUpTime for unexpected resets across the Firepower 2100 fleet.
  • Correlate crash reports from Cisco Firepower Management Center (FMC) with the timestamps of external TLS connection attempts.
  • Enable and review Cisco ERP Alert ERP-75300 telemetry for matching failure signatures.

Monitoring Recommendations

  • Alert on repeated FTD process crashes or unplanned reboots within short time windows.
  • Track anomalous volumes of IPv4 TLS handshakes directed at or through Firepower 2100 devices.
  • Aggregate firewall syslog and crash telemetry into a centralized SIEM for cross-device correlation.

How to Mitigate CVE-2024-20339

Immediate Actions Required

  • Inventory all Cisco Firepower 2100 Series appliances and confirm which FTD Software version they run.
  • Apply the fixed FTD Software release identified in the Cisco advisory as soon as maintenance windows allow.
  • Restrict exposure of the management and data interfaces to trusted networks where feasible.

Patch Information

Cisco has published fixed software releases in the Cisco Security Advisory cisco-sa-ftd-tls-dos-QXYE5Ufy. Administrators should upgrade FTD Software on Firepower 2100 Series appliances to a release listed as fixed in the advisory. Cisco has not published workarounds for this issue.

Workarounds

  • No vendor workarounds are available; upgrading to a fixed FTD release is required.
  • Where immediate patching is not possible, consider using access control policies to limit untrusted IPv4 TLS traffic through affected devices.
  • Consult the Cisco ERP Alert ERP-75300 for the current remediation guidance.
bash
# Verify FTD Software version before and after upgrade
show version

# From FMC CLI, confirm managed device software levels
show managers

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.