
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2024-20494) has been identified in the TLS cryptography functionality of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. This vulnerability, discovered by Ilkin Gasimov of Cisco during internal security testing, was disclosed on October 23, 2024. The vulnerability affects systems running ASA Software and FTD Software that have an SSL listening socket and are configured to allow the TLS 1.3 protocol (Cisco Advisory).
The vulnerability (CVE-2024-20494) is caused by improper data validation during the TLS 1.3 handshake. It has been assigned a CVSS base score of 8.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. The vulnerability is classified under CWE-1287 (Improper Validation of Specified Type of Input) (Cisco Advisory, NVD).
Successful exploitation of this vulnerability can result in a denial of service (DoS) condition by causing the device to reload unexpectedly. Additionally, the vulnerability can impact device integrity by causing VPN HostScan communication failures or file transfer failures when Cisco ASA Software is upgraded using Cisco Adaptive Security Device Manager (ASDM) (Cisco Advisory).
Cisco has released software updates that address this vulnerability. As a workaround, administrators can disable TLS 1.3 using the ssl server-max-version command on devices running compatible software versions. The ssl server-max-version CLI command is supported as of Cisco ASA Software releases 9.19.1.24 and 9.20.2 and Cisco FTD Software Release 7.4.1 (Cisco Advisory).
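A triage check for the workaround described above, added here as an example; it is not code from Cisco or from the advisory. It assumes the listed version floors apply per release train, that trains newer than the newest one listed also carry the command, and that the command takes ASA-style keywords such as tlsv1.2; the running-config fragments are constructed.

```python
import re

# First releases that accept `ssl server-max-version`, from the advisory text above.
# Assumption: each floor applies within its own release train, and trains newer
# than the newest one listed also carry the command.
FLOORS = {"asa": [(9, 19, 1, 24), (9, 20, 2)], "ftd": [(7, 4, 1)]}

# Assumption: the command takes ASA-style version keywords like these.
TLS_RANK = {"tlsv1": 0, "tlsv1.1": 1, "tlsv1.2": 2, "tlsv1.3": 3}


def parse_version(text):
    """Turn '9.19(1)24' or '9.19.1.24' into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def workaround_supported(product, version):
    """True if this release is at or above the floor for its train."""
    v = parse_version(version)
    floors = FLOORS[product.lower()]
    for floor in floors:
        if v[:2] == floor[:2]:
            return v >= floor
    return v[:2] > max(f[:2] for f in floors)


def tls13_capped(running_config):
    """True if the config caps the SSL server below TLS 1.3."""
    for line in running_config.splitlines():
        m = re.match(r"\s*ssl server-max-version\s+(\S+)", line)
        if m:
            # Unknown keywords are treated as not capped (conservative).
            return TLS_RANK.get(m.group(1).lower(), 3) < 3
    return False


def triage(product, version, running_config):
    if tls13_capped(running_config):
        return "workaround-applied"
    if workaround_supported(product, version):
        return "workaround-available"
    return "workaround-unavailable"  # command not supported on this release


# Constructed running-config fragments, not taken from a real device.
CAPPED = "hostname edge-fw\nssl server-max-version tlsv1.2\nwebvpn\n enable outside\n"
UNCAPPED = "hostname edge-fw\nwebvpn\n enable outside\n"

if __name__ == "__main__":
    for ver, cfg in [("9.20(2)", CAPPED), ("9.19(1)24", UNCAPPED), ("9.19(1)12", UNCAPPED)]:
        print(ver, triage("asa", ver, cfg))
```

A "workaround-unavailable" result only means the command is not supported on that release; whether the release is affected still has to be checked against the advisory.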
Source: This report was generated using AI