ID

VAR-202010-1016


CVE

CVE-2020-3373


TITLE

Cisco Adaptive Security Appliance  Software and  Cisco Firepower Threat Defense  Software vulnerability regarding lack of memory release after expiration

Trust: 0.8

sources: JVNDB: JVNDB-2020-012648

DESCRIPTION

A vulnerability in the IP fragment-handling implementation of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a memory leak on an affected device. This memory leak could prevent traffic from being processed through the device, resulting in a denial of service (DoS) condition. The vulnerability is due to improper error handling when specific failures occur during IP fragment reassembly. An attacker could exploit this vulnerability by sending crafted, fragmented IP traffic to a targeted device. A successful exploit could allow the attacker to continuously consume memory on the affected device and eventually impact traffic, resulting in a DoS condition. The device could require a manual reboot to recover from the DoS condition. Note: This vulnerability applies to both IP Version 4 (IPv4) and IP Version 6 (IPv6) traffic. The platform provides features such as highly secure access to data and network resources

Trust: 1.8

sources: NVD: CVE-2020-3373 // JVNDB: JVNDB-2020-012648 // VULHUB: VHN-181498 // VULMON: CVE-2020-3373

AFFECTED PRODUCTS

vendor:ciscomodel:adaptive security appliance softwarescope:eqversion:9.8.4.25

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:eqversion:9.12.4.3

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:eqversion:9.12.4.2

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:eqversion:6.6.0.1

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:eqversion:9.8.4.22

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:eqversion:9.13.1.12

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:eqversion:9.14.1.15

Trust: 1.0

vendor:シスコシステムズmodel:cisco adaptive security appliance ソフトウェアscope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:cisco firepower threat defense ソフトウェアscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-012648 // NVD: CVE-2020-3373

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3373
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3373
value: HIGH

Trust: 1.0

NVD: CVE-2020-3373
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202010-1146
value: HIGH

Trust: 0.6

VULHUB: VHN-181498
value: HIGH

Trust: 0.1

VULMON: CVE-2020-3373
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-3373
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-181498
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3373
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 4.0
version: 3.1

Trust: 2.0

NVD: CVE-2020-3373
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181498 // VULMON: CVE-2020-3373 // JVNDB: JVNDB-2020-012648 // CNNVD: CNNVD-202010-1146 // NVD: CVE-2020-3373 // NVD: CVE-2020-3373

PROBLEMTYPE DATA

problemtype:CWE-401

Trust: 1.1

problemtype:CWE-400

Trust: 1.0

problemtype:Lack of free memory after expiration (CWE-401) [NVD Evaluation ]

Trust: 0.8

sources: VULHUB: VHN-181498 // JVNDB: JVNDB-2020-012648 // NVD: CVE-2020-3373

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202010-1146

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202010-1146

PATCH

title:cisco-sa-asaftd-frag-memleak-mCtqdP9nurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-frag-memleak-mCtqdP9n

Trust: 0.8

sources: JVNDB: JVNDB-2020-012648

EXTERNAL IDS

db:NVDid:CVE-2020-3373

Trust: 2.6

db:JVNDBid:JVNDB-2020-012648

Trust: 0.8

db:CNNVDid:CNNVD-202010-1146

Trust: 0.7

db:AUSCERTid:ESB-2020.3642.3

Trust: 0.6

db:AUSCERTid:ESB-2020.3642

Trust: 0.6

db:NSFOCUSid:50232

Trust: 0.6

db:CNVDid:CNVD-2021-44683

Trust: 0.1

db:VULHUBid:VHN-181498

Trust: 0.1

db:VULMONid:CVE-2020-3373

Trust: 0.1

sources: VULHUB: VHN-181498 // VULMON: CVE-2020-3373 // JVNDB: JVNDB-2020-012648 // CNNVD: CNNVD-202010-1146 // NVD: CVE-2020-3373

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-asaftd-frag-memleak-mctqdp9n

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2020-3373

Trust: 1.4

url:https://vigilance.fr/vulnerability/cisco-asa-software-memory-leak-via-ip-fragment-33668

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3642.3

Trust: 0.6

url:http://www.nsfocus.net/vulndb/50232

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3642/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/401.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-181498 // VULMON: CVE-2020-3373 // JVNDB: JVNDB-2020-012648 // CNNVD: CNNVD-202010-1146 // NVD: CVE-2020-3373

SOURCES

db:VULHUBid:VHN-181498
db:VULMONid:CVE-2020-3373
db:JVNDBid:JVNDB-2020-012648
db:CNNVDid:CNNVD-202010-1146
db:NVDid:CVE-2020-3373

LAST UPDATE DATE

2024-08-14T13:54:28.456000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-181498date:2020-10-29T00:00:00
db:VULMONid:CVE-2020-3373date:2020-10-29T00:00:00
db:JVNDBid:JVNDB-2020-012648date:2021-05-20T06:08:00
db:CNNVDid:CNNVD-202010-1146date:2021-06-30T00:00:00
db:NVDid:CVE-2020-3373date:2023-11-07T03:22:38.810

SOURCES RELEASE DATE

db:VULHUBid:VHN-181498date:2020-10-21T00:00:00
db:VULMONid:CVE-2020-3373date:2020-10-21T00:00:00
db:JVNDBid:JVNDB-2020-012648date:2021-05-20T00:00:00
db:CNNVDid:CNNVD-202010-1146date:2020-10-21T00:00:00
db:NVDid:CVE-2020-3373date:2020-10-21T19:15:15.903