CVE-2020-3577
📋 TL;DR
A vulnerability in Cisco Firepower Threat Defense (FTD) Software allows an unauthenticated adjacent attacker to cause denial of service by sending malicious Ethernet frames. This affects devices with interfaces configured as Inline Pair or in Passive mode, potentially filling the /ngfw partition or causing process crashes. Network administrators using affected FTD configurations are at risk.
💻 Affected Systems
- Cisco Firepower Threat Defense (FTD) Software
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Device becomes completely inaccessible (including console login) and requires manual intervention by Cisco TAC to recover, potentially causing extended network downtime.
Likely Case
Device reloads due to process crash, causing temporary service disruption until automatic reboot completes.
If Mitigated
No impact if device is not configured with Inline Pair or Passive mode interfaces, or if patched.
🎯 Exploit Status
Exploitation requires adjacent network access but no authentication. Attack involves sending specially crafted Ethernet frames.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.0.10, 6.5.0, 6.6.1, 6.7.0 or later
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-inline-dos-nXqUyEqM
Restart Required: Yes
Instructions:
1. Download the appropriate FTD software version from the Cisco Software Center.
2. Upload it to the FTD device.
3. Install the update via the CLI or FMC.
4. Reboot the device after the installation completes.
🔧 Temporary Workarounds
Reconfigure interfaces (all)
Change affected interfaces from Inline Pair or Passive mode to Routed mode:
  configure network
  interface <interface_name>
  no inline-tap
  no passive
  exit
  exit
🧯 If You Can't Patch
- Reconfigure all interfaces from Inline Pair or Passive mode to Routed mode
- Implement network segmentation to limit adjacent access to affected devices
🔍 How to Verify
Check if Vulnerable:
Check the FTD version with show version | include Version and the interface configuration with show interface; a device is exposed only if it runs a release below the fixed version for its train and has at least one interface in Inline Pair or Passive mode.
Check Version:
show version | include Version
Verify Fix Applied:
Verify version is 6.4.0.10, 6.5.0, 6.6.1, 6.7.0 or later: show version | include Version
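The two checks above (release level and interface mode) can be scripted against the output of show version | include Version. The following is an added example, not Cisco's code or part of this advisory; the sample output lines are constructed in the style of FTD's show version, the interface-mode result is taken as a boolean input because this page does not give the show interface output format, and the treatment of trains older than 6.4 as "not fixed" is an assumption based on the listed fixed releases.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# First fixed build for each affected train, as listed in the advisory summary
# (6.4.0.10, 6.5.0, 6.6.1, 6.7.0). A device at or above its train's entry is fixed.
FIXED_RELEASES = {
    (6, 4): (6, 4, 0, 10),
    (6, 5): (6, 5, 0, 0),
    (6, 6): (6, 6, 1, 0),
    (6, 7): (6, 7, 0, 0),
}

# Matches "Version 6.4.0", "Version 6.4.0.10", "Version 6.6.1", etc. The fourth
# component is optional because maintenance releases print as "Version 6.4.0 (Build 102)".
VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(show_version_output: str) -> Optional[Version]:
    """Pull the FTD release out of `show version | include Version` output."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        return None
    major, minor, maint, build = m.groups()
    return (int(major), int(minor), int(maint), int(build or 0))


def is_fixed(version: Version) -> bool:
    """True if the release is at or beyond the first fixed build of its train."""
    train = version[:2]
    if train in FIXED_RELEASES:
        return version >= FIXED_RELEASES[train]
    # Trains after 6.7 count as "6.7.0 or later". Trains before 6.4 have no fixed
    # build listed on this page, so they are reported as not fixed (assumption:
    # such devices need to move to one of the listed fixed releases).
    return train > (6, 7)


def assess(show_version_output: str, has_inline_or_passive_interface: bool) -> str:
    """Combine the two checks from the advisory: release level and interface mode.

    has_inline_or_passive_interface is supplied by the caller (e.g. read from the
    FMC/FDM interface configuration or `show interface`) rather than parsed here,
    because the exact output format is not given on this page.
    """
    version = parse_version(show_version_output)
    if version is None:
        return "unknown: no version string found"
    if is_fixed(version):
        return "patched"
    if not has_inline_or_passive_interface:
        return "not exposed: unfixed release but no Inline Pair or Passive interfaces"
    return "exposed: unfixed release with Inline Pair or Passive interfaces"


# Constructed sample lines in the style of `show version | include Version`
SAMPLE_UNFIXED = "Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.4.0 (Build 102)"
SAMPLE_FIXED = "Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.6.1 (Build 91)"

if __name__ == "__main__":
    print(assess(SAMPLE_UNFIXED, True))   # exposed: unfixed release with Inline Pair or Passive interfaces
    print(assess(SAMPLE_FIXED, True))     # patched
```

The version tuple comparison is done per train on purpose: 6.6.0.3 is newer than 6.5.0 numerically but is still below its own train's fixed build (6.6.1), so a flat "greater than 6.5.0" check would wrongly report it as patched.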
📡 Detection & Monitoring
Log Indicators:
- Unexpected device reloads
- /ngfw partition full errors
- Process crash logs
- High memory/disk usage alerts
Network Indicators:
- Malformed Ethernet frames targeting FTD devices
- Unusual traffic patterns to inline/passive interfaces
SIEM Query:
source="ftd" AND ("reload" OR "crash" OR "partition full" OR "/ngfw")
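The SIEM query above expressed as offline detection logic, run over a handful of sample events. This is an added example, not part of the advisory or any vendor tooling; the event records, host names and message texts are constructed, and the "two distinct indicators on one host" escalation threshold is an assumption chosen for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# The four terms from the SIEM query, compiled once. Matching is case-insensitive
# so "Reload" and "CRASH" in vendor messages are caught as well.
INDICATORS = {
    "reload": re.compile(r"\breload", re.I),
    "crash": re.compile(r"\bcrash", re.I),
    "partition_full": re.compile(r"partition full", re.I),
    "ngfw_partition": re.compile(r"/ngfw"),
}

# Constructed sample events: (source, host, message). Only source == "ftd"
# events are considered, mirroring the source="ftd" clause of the query.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("ftd", "ftd-edge-1", "Process crash detected: snort core dumped"),
    ("ftd", "ftd-edge-1", "/ngfw partition full, disk usage 100%"),
    ("ftd", "ftd-edge-1", "System reload initiated after process failure"),
    ("ftd", "ftd-dc-2", "Interface GigabitEthernet0/1 link state changed to up"),
    ("asa", "asa-1", "Reload requested by admin"),  # not FTD, filtered out
    ("ftd", "ftd-dc-2", "Disk usage on /ngfw at 85%"),
]


def match_indicators(source: str, message: str) -> List[str]:
    """Names of the query terms that a single event matches (empty if not FTD)."""
    if source != "ftd":
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(message)]


def hunt(events: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Per FTD host, the set of distinct indicators seen across all events."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for source, host, message in events:
        for name in match_indicators(source, message):
            hits[host].add(name)
    return dict(hits)


def hosts_to_investigate(events: List[Tuple[str, str, str]], min_distinct: int = 2) -> List[str]:
    """Hosts where at least min_distinct different indicators co-occur.

    The threshold is an assumption for this example: a lone "reload" may be
    scheduled maintenance, but a crash together with a full /ngfw partition on
    the same device matches the failure mode the advisory describes.
    """
    return sorted(h for h, s in hunt(events).items() if len(s) >= min_distinct)


if __name__ == "__main__":
    for host, seen in hunt(SAMPLE_EVENTS).items():
        print(host, sorted(seen))
    print("investigate:", hosts_to_investigate(SAMPLE_EVENTS))  # ['ftd-edge-1']
```

The keyword terms are deliberately the same four as the query so the script and the SIEM rule stay in step; correlating by host rather than alerting per line is what separates the advisory's crash-plus-full-partition pattern from routine reload noise.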