CVE-2023-20177: 
Cisco Firepower Threat Defense (FTD) vulnerability analysis and mitigation

A vulnerability (CVE-2023-20177) was discovered in the SSL file policy implementation of Cisco Firepower Threat Defense (FTD) Software when configured with SSL/TLS connection using URL Category and Snort 3 detection engine. The vulnerability was disclosed on November 1, 2023, affecting Cisco FTD Software running Snort 3 with specific SSL policy or access control policy configurations (Cisco Advisory).

The vulnerability exists due to a logic error that occurs when the Snort 3 detection engine inspects an SSL/TLS connection with either a URL Category configured on the SSL file policy or a URL Category configured on an access control policy with TLS server identity discovery enabled. The vulnerability has been assigned a CVSS Base Score of 4.0 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L) (Cisco Advisory).

A successful exploit could allow an attacker to trigger an unexpected reload of the Snort 3 detection engine, resulting in either a bypass or denial of service (DoS) condition, depending on device configuration. The Snort 3 detection engine will restart automatically without manual intervention (Cisco Advisory).

Cisco has provided several mitigation options: 1) Revert to Snort 2, 2) Remove URL category configuration from SSL policy, or 3) Disable TLS Server Identity Discovery while keeping URL categories configured. For devices staying on Snort 3, both access control policy and SSL policy must be checked to ensure the device is not affected (Cisco Advisory).