CVE-2024-20494 Overview
CVE-2024-20494 is a high-severity denial of service vulnerability affecting the Transport Layer Security (TLS) cryptography functionality in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The flaw stems from improper data validation during the TLS 1.3 handshake. An unauthenticated, remote attacker can send a crafted TLS 1.3 packet to a TLS 1.3-enabled listening socket and force the device to reload. The vulnerability also impacts device integrity by causing VPN HostScan communication failures or file transfer failures when ASA is upgraded using Cisco Adaptive Security Device Manager (ASDM). The weakness is tracked under [CWE-1287] (Improper Validation of Specified Type of Input).
Critical Impact
Unauthenticated remote attackers can crash and reload affected Cisco ASA and FTD devices over the network, disrupting perimeter security and VPN services.
Affected Products
- Cisco Adaptive Security Appliance (ASA) Software versions 9.19.1 through 9.19.1.31
- Cisco Adaptive Security Appliance (ASA) Software versions 9.20.1 through 9.20.3
- Cisco Firepower Threat Defense (FTD) Software versions 7.3.0 through 7.4.2
Discovery Timeline
- 2024-10-23 - CVE-2024-20494 published to NVD
- 2025-08-01 - Last updated in NVD database
Technical Details for CVE-2024-20494
Vulnerability Analysis
The vulnerability resides in the TLS cryptography stack of Cisco ASA and FTD Software. Affected devices fail to properly validate input data received during the TLS 1.3 handshake phase. When the device parses a malformed handshake message, the validation logic does not enforce expected type or structural constraints, classified as [CWE-1287]. The result is an unexpected device reload, terminating all active sessions traversing the firewall.
The attack scope extends beyond availability. Cisco notes that exploitation can also disrupt VPN HostScan communications and break file transfers during ASA upgrades performed through ASDM. This affects administrative integrity in addition to service uptime.
Root Cause
The root cause is improper validation of specified input types within the TLS 1.3 handshake parser. The code path that processes handshake records does not reject all malformed structures before they reach downstream cryptographic routines, leading to an unrecoverable state and a forced reload.
Attack Vector
Exploitation requires only network reachability to a TLS 1.3-enabled listening socket on the device. No authentication and no user interaction are needed. An attacker sends a single crafted TLS 1.3 packet to the listening service, such as the WebVPN or management interface, and the device reloads. The vulnerability does not require pre-existing session state, making it trivially repeatable against exposed appliances.
No public proof-of-concept exploit code or in-the-wild exploitation has been reported. Refer to the Cisco Security Advisory for additional technical detail.
Detection Methods for CVE-2024-20494
Indicators of Compromise
- Unexpected device reloads or crash dumps on ASA or FTD appliances correlated with inbound TLS 1.3 traffic
- VPN HostScan communication failures occurring without configuration changes
- File transfer failures during ASA upgrades initiated through ASDM
- Repeated traceback entries in device logs referencing the TLS handshake or cryptography subsystem
Detection Strategies
- Correlate device reload events with preceding TLS 1.3 handshake records from external sources
- Monitor SNMP traps and syslog messages for %ASA-1- reload and crash indicators tied to the SSL/TLS process
- Inspect NetFlow or firewall logs for short-lived TLS 1.3 connections originating from a single source immediately before a reload
Monitoring Recommendations
- Forward ASA and FTD syslog to a centralized SIEM and alert on unscheduled reloads
- Track availability of TLS-enabled services such as AnyConnect and WebVPN with active uptime probes
- Baseline normal TLS 1.3 handshake error rates and alert on deviations from external addresses
How to Mitigate CVE-2024-20494
Immediate Actions Required
- Inventory all Cisco ASA and FTD devices and identify those running affected versions in the 9.19, 9.20, 7.3, and 7.4 branches
- Apply the fixed software releases identified in the Cisco Security Advisory
- Restrict network exposure of TLS 1.3-enabled listening sockets to trusted management networks where feasible
- Review crash and reload history to determine whether prior unexplained reloads align with this vulnerability
Patch Information
Cisco has released fixed software for both ASA and FTD. Administrators should consult the official Cisco Security Advisory cisco-sa-asa-tls-CWY6zXB to identify the appropriate fixed release for each deployed train. No workarounds that fully eliminate the vulnerability are provided by Cisco; patching is the supported remediation.
Workarounds
- Cisco has not published a complete workaround; upgrading to a fixed release is the only supported remediation
- Where immediate patching is not possible, limit exposure of TLS 1.3 listeners through access control lists restricting source addresses
- Consider temporarily disabling externally facing TLS 1.3-enabled services that are not business-critical until the patch is applied
# Example: restrict access to the management/WebVPN interface using an access list
access-list MGMT_RESTRICT extended permit tcp host <trusted_admin_ip> interface outside eq 443
access-list MGMT_RESTRICT extended deny tcp any interface outside eq 443
access-group MGMT_RESTRICT in interface outside
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
