Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2024-20407) has been identified in the interaction between the TCP Intercept feature and the Snort 3 detection engine on Cisco Firepower Threat Defense (FTD) Software. This vulnerability, discovered during the resolution of a Cisco TAC support case and disclosed on October 23, 2024, could allow an unauthenticated, remote attacker to bypass configured policies on affected systems. Notably, devices configured with Snort 2 are not affected by this vulnerability (Cisco Advisory).
The vulnerability stems from a logic error in the handling of embryonic (half-open) TCP connections. It has been assigned a CVSS base score of 5.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N, and is classified under CWE-399 (Resource Management Errors). The default embryonic-connection limit is 0 (unlimited connections); deployments that keep this default configuration are considered not vulnerable, so only devices with a non-default embryonic-connection limit are exposed (Cisco Advisory).
Successful exploitation of this vulnerability could allow unintended traffic to enter the network protected by the affected device. Because configured policies are bypassed rather than enforced, this could compromise the security posture of the protected network (Cisco Advisory).
Cisco has released software updates that address this vulnerability. As a workaround, packet-decode optimization can be turned off with the 'no asp inspect-dp pkt-decode-optimization' FTD CLI command. Customers should evaluate the applicability and effectiveness of this workaround in their own environment before applying it, as it may affect network functionality or performance (Cisco Advisory).
Source: This report was generated using AI