CVE-2023-20083
📋 TL;DR
A vulnerability in the ICMPv6 inspection of Cisco Firepower Threat Defense (FTD) Software with Snort 2 allows remote attackers to drive CPU usage to 100% via crafted ICMPv6 packets, resulting in a denial of service that stops all traffic processing. Only FTD devices using the Snort 2 detection engine with ICMPv6 inspection enabled are affected. Management traffic remains unaffected during exploitation.
💻 Affected Systems
- Cisco Firepower Threat Defense (FTD) Software
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete traffic processing halt requiring device or Snort engine restart to recover, causing extended network downtime.
Likely Case
Temporary DoS condition affecting data plane traffic until manual intervention restores service.
If Mitigated
Minimal impact if ICMPv6 inspection is disabled or Snort 3 is used instead.
🎯 Exploit Status
Exploitation requires sending crafted ICMPv6 packets through the device, which is straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.2.5, 7.0.9, 6.7.0.15 or later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-icmpv6-dos-4eMkLuN
Restart Required: Yes
Instructions:
1. Download the appropriate FTD software version from Cisco.
2. Deploy the update via FMC or the CLI.
3. Restart affected devices after patching.
🔧 Temporary Workarounds
Disable ICMPv6 Inspection
Temporarily disable ICMPv6 inspection in the Snort 2 configuration to prevent exploitation.
configure terminal
policy-map type inspect_dns preset_dns_map
parameters
no inspect icmpv6
Migrate to Snort 3
Switch from the Snort 2 to the Snort 3 detection engine, which is not vulnerable.
configure terminal
snort-engine snort3
🧯 If You Can't Patch
- Implement network ACLs to block ICMPv6 traffic from untrusted sources (filter by message type rather than blocking ICMPv6 wholesale: Neighbor Discovery and Packet Too Big messages are required for IPv6 to function)
- Monitor CPU usage spikes and have restart procedures ready for affected devices
🔍 How to Verify
Check if Vulnerable:
Check the FTD version with 'show version' and verify whether ICMPv6 inspection is enabled in the Snort 2 configuration.
Check Version:
show version | include Version
Verify Fix Applied:
Verify that the version is 7.2.5, 7.0.9, 6.7.0.15 or later using the 'show version' command.
📡 Detection & Monitoring
Log Indicators:
- CPU utilization spikes to 100%
- Snort 2 process crashes or high resource usage
- Traffic processing failures
Network Indicators:
- Unusual ICMPv6 traffic patterns
- Crafted ICMPv6 packets with malformed headers
SIEM Query:
source="ftd" AND (cpu_utilization>=95 OR (process="snort2" AND status="failed"))
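The SIEM query above flags single events. The following is an added example (not part of this advisory, and not Cisco tooling) that applies the same logic to constructed key=value telemetry lines and then correlates them per host, so that a sustained run of CPU readings at or above the threshold, combined with a Snort 2 failure on the same device, is separated from a one-off CPU spike. The log format, field names beyond those used in the query (host, the timestamp prefix) and the sample values are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry, not real FTD syslog output. Each line is
# "<ISO 8601 timestamp> key=value ..."; the field names source,
# cpu_utilization, process and status mirror the SIEM query on this page,
# and host is an assumed extra field used for per-device correlation.
SAMPLE_LOGS = """\
2023-06-01T10:00:00Z source=ftd host=ftd-edge-1 cpu_utilization=41
2023-06-01T10:00:30Z source=ftd host=ftd-edge-1 cpu_utilization=97
2023-06-01T10:01:00Z source=ftd host=ftd-edge-1 cpu_utilization=99
2023-06-01T10:01:30Z source=ftd host=ftd-edge-1 cpu_utilization=100
2023-06-01T10:02:00Z source=ftd host=ftd-edge-1 process=snort2 status=failed
2023-06-01T10:00:00Z source=ftd host=ftd-edge-2 cpu_utilization=96
2023-06-01T10:00:30Z source=ftd host=ftd-edge-2 cpu_utilization=35
2023-06-01T10:00:00Z source=asa host=asa-core-1 cpu_utilization=99
""".splitlines()

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Event:
    ts: datetime
    fields: dict


def parse_line(line: str) -> Event:
    """Split off the leading timestamp and parse the remaining key=value pairs."""
    ts_text, _, rest = line.partition(" ")
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return Event(ts, fields)


def matches_query(ev: Event) -> bool:
    """Equivalent of the page's SIEM query with explicit grouping:
    source="ftd" AND (cpu_utilization>=95 OR (process="snort2" AND status="failed"))."""
    f = ev.fields
    if f.get("source") != "ftd":
        return False
    cpu = f.get("cpu_utilization")
    cpu_hot = cpu is not None and int(cpu) >= 95
    snort_failed = f.get("process") == "snort2" and f.get("status") == "failed"
    return cpu_hot or snort_failed


def sustained_cpu_hosts(events, threshold=95, min_samples=3, window=timedelta(minutes=2)):
    """Hosts with at least min_samples CPU readings >= threshold inside one window.
    A single hot reading is a spike; several in a row matches the saturation described above."""
    by_host = {}
    for ev in events:
        cpu = ev.fields.get("cpu_utilization")
        if ev.fields.get("source") == "ftd" and cpu is not None and int(cpu) >= threshold:
            by_host.setdefault(ev.fields.get("host", "?"), []).append(ev.ts)
    flagged = set()
    for host, stamps in by_host.items():
        stamps.sort()
        for i in range(len(stamps) - min_samples + 1):
            if stamps[i + min_samples - 1] - stamps[i] <= window:
                flagged.add(host)
                break
    return flagged


def snort2_failed_hosts(events):
    """Hosts that reported the Snort 2 process as failed."""
    return {
        ev.fields.get("host", "?")
        for ev in events
        if ev.fields.get("source") == "ftd"
        and ev.fields.get("process") == "snort2"
        and ev.fields.get("status") == "failed"
    }


def analyse(lines):
    """Run the raw query and the per-host correlation over a batch of log lines."""
    events = [parse_line(l) for l in lines if l.strip()]
    hits = [ev for ev in events if matches_query(ev)]
    sustained = sustained_cpu_hosts(events)
    failed = snort2_failed_hosts(events)
    return {
        "query_hits": len(hits),
        "sustained_cpu": sustained,
        "snort2_failed": failed,
        # Both conditions on the same device: treat as a high-confidence DoS indicator.
        "high_confidence": sustained & failed,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOGS))
```

On the constructed sample, the raw query returns five events (including the single spike on ftd-edge-2), while the correlation narrows the high-confidence set to ftd-edge-1, the only host with both sustained saturation and a Snort 2 failure. Tune the threshold, sample count and window to the polling interval of your own telemetry.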