CVE-2021-40117: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

CVE-2021-40117 is a vulnerability discovered in the SSL/TLS message handler for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The vulnerability was first published on October 27, 2021, and was found during internal security testing by Sanmith Prakash of Cisco (Cisco Advisory). The vulnerability affects devices running vulnerable releases of Cisco ASA Software or Cisco FTD Software that have AnyConnect or WebVPN configured.

The vulnerability exists due to improper processing of incoming SSL/TLS packets. It received a CVSS Base Score of 8.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-400 (Uncontrolled Resource Consumption) (NVD).

A successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The impact specifically involves causing the affected device to reload, resulting in a service disruption (Cisco Advisory).

Cisco has released software updates that address this vulnerability. There are no workarounds available. For ASA Software, fixed versions include 9.8.4.40, 9.12.4.26, 9.14.3.9, and 9.15.1.17. For FTD Software, fixed versions include 6.2.3.17, 6.4.0.13, 6.6.5, and 6.7.0.3. Users of earlier versions are advised to migrate to a supported release that includes the fix (Cisco Advisory).