CVE-2023-20006: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

A vulnerability (CVE-2023-20006) was discovered in the hardware-based SSL/TLS cryptography functionality of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 2100 Series Appliances. The vulnerability was first published on June 7, 2023, and affects certain releases of Cisco ASA Software and Cisco FTD Software running on Cisco Firepower 2100 Series Appliances that are configured for SSL/TLS (Cisco Advisory).

The vulnerability stems from an implementation error within the cryptographic functions for SSL/TLS traffic processing when they are offloaded to the hardware. It has been assigned a CVSS v3.1 base score of 8.6 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is classified under CWE-681 (Incorrect Conversion between Numeric Types). For Cisco ASA Software, any SSL/TLS connection terminated on the device could be used to exploit this vulnerability, including management traffic and Remote Access VPN. For Cisco FTD Software, the affected feature set is limited to SSL Decrypt Policies and Remote Access VPN (Cisco Advisory, NVD).

A successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. The attacker could cause an unexpected error in the hardware-based cryptography engine, which would force the device to reload (Cisco Advisory).

Cisco has released software updates that address this vulnerability. There are no workarounds available. Customers can verify if their device is affected by using the command 'show asp table socket | include SSL|DTLS' - if the command returns output, the device is vulnerable. Cisco has confirmed that this vulnerability does not affect Cisco Firepower Management Center (FMC) Software (Cisco Advisory).