CVE-2023-20086

8.6 HIGH

📋 TL;DR

An unauthenticated remote attacker can send crafted ICMPv6 messages to Cisco ASA or FTD devices with IPv6 enabled, causing the device to reload and creating a denial of service condition. This affects organizations using vulnerable Cisco firewall products with IPv6 enabled.

💻 Affected Systems

Products:
  • Cisco Adaptive Security Appliance (ASA) Software
  • Cisco Firepower Threat Defense (FTD) Software
Versions: Multiple versions - see Cisco advisory for specific affected versions
Operating Systems: Cisco ASA OS, Cisco FTD OS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if IPv6 is enabled on the device

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete network outage as firewall devices reload, disrupting all traffic passing through them

🟠 Likely Case: Intermittent service disruptions as devices reload, causing connectivity issues for users and services

🟢 If Mitigated: No impact if IPv6 is disabled or devices are patched

🌐 Internet-Facing: HIGH - Attackers can exploit from anywhere on the internet if IPv6 is enabled and exposed
🏢 Internal Only: MEDIUM - Internal attackers could still cause DoS but requires network access

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted ICMPv6 packets to vulnerable devices

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple fixed versions available - see Cisco advisory for specific versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-icmpv6-t5TzqwNd

Restart Required: Yes

Instructions:

1. Check the current ASA/FTD version.
2. Download the appropriate fixed version from Cisco.
3. Apply the patch following Cisco upgrade procedures.
4. Reboot the device.

🔧 Temporary Workarounds

Disable IPv6 (applies to: all)

Disable IPv6 functionality on affected devices to prevent exploitation. These are interface configuration commands; apply them on each interface that currently has IPv6 enabled:

no ipv6 enable
no ipv6 address

ICMPv6 Rate Limiting (applies to: all)

Implement rate limiting for ICMPv6 messages to reduce attack surface. Note that the ASA rate-limit command below only throttles the ICMP unreachable messages the device itself generates; it does not limit inbound ICMPv6 reaching the device, so treat it as a partial measure alongside disabling IPv6 or isolating the device from untrusted networks until the fix is applied:

icmp unreachable rate-limit 100 burst-size 1

🧯 If You Can't Patch

  • Disable IPv6 on all vulnerable devices immediately
  • Implement network segmentation to isolate vulnerable devices from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check device version and compare against Cisco advisory. Verify if IPv6 is enabled with 'show ipv6 interface'

Check Version:

show version | include Version

Verify Fix Applied:

Verify device is running fixed version from Cisco advisory and test IPv6 functionality
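The version and IPv6 checks above are easy to do by hand on one device but tedious across a fleet. The following script is an added example (not part of this advisory card or Cisco's tooling) that parses captured output of show version and show ipv6 interface and reports whether a device is both unpatched and IPv6-enabled. The sample outputs are constructed, and FIXED_VERSIONS_PLACEHOLDER is a deliberately fake value: the real first-fixed release per train must be taken from the Cisco advisory linked above.

```python
import re

# Constructed sample output, trimmed to the lines the parsers below need.
# The layout mirrors ASA 'show version' and 'show ipv6 interface', but every
# value is illustrative and nothing here is a real capture.
SHOW_VERSION_SAMPLE = (
    "Cisco Adaptive Security Appliance Software Version 9.16(3.19)\n"
    "SSP Operating System Version 2.10(1.159)\n"
)
SHOW_IPV6_INTERFACE_SAMPLE = """\
outside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::1
  Global unicast address(es):
    2001:db8:1::1, subnet is 2001:db8:1::/64
inside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::2
"""

# PLACEHOLDER: the first fixed release per train must come from the Cisco
# advisory; 9.16(99) is an obviously fake value used only so the example runs.
FIXED_VERSIONS_PLACEHOLDER = {(9, 16): (9, 16, 99, 0)}

# ASA versions look like 9.16(3) or 9.16(3.19); the interim number is optional.
VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")
# Interface header lines start at column 0; detail lines are indented.
IFACE_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)$")


def parse_version(text):
    """Return the ASA version as a comparable (major, minor, maint, interim) tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no ASA software version line found")
    return tuple(int(x or 0) for x in m.groups())


def ipv6_interfaces(text):
    """Names of interfaces whose block contains an 'IPv6 is enabled' line."""
    enabled, current = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line.strip().startswith("IPv6 is enabled"):
            enabled.append(current)
    return enabled


def assess(version_text, ipv6_text, fixed_versions=FIXED_VERSIONS_PLACEHOLDER):
    """Combine both checks: a device is exposed when IPv6 is enabled and it is
    not known to be running a fixed release for its train."""
    version = parse_version(version_text)
    fixed = fixed_versions.get(version[:2])
    ifaces = ipv6_interfaces(ipv6_text)
    patched = None if fixed is None else version >= fixed  # None: train not in table
    return {
        "version": version,
        "ipv6_interfaces": ifaces,
        "patched": patched,
        "exposed": bool(ifaces) and patched is not True,
    }


if __name__ == "__main__":
    print(assess(SHOW_VERSION_SAMPLE, SHOW_IPV6_INTERFACE_SAMPLE))
```

An unknown train is reported as patched=None rather than as safe, so a device on a release the table does not cover still shows up as exposed until someone checks it against the advisory.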

📡 Detection & Monitoring

Log Indicators:

  • Unexpected device reloads
  • High volume of ICMPv6 traffic
  • System crash logs

Network Indicators:

  • Unusual ICMPv6 traffic patterns to firewall devices
  • Spike in ICMPv6 packets

SIEM Query:

source="firewall" AND ((event="reload" OR event="crash") OR (protocol="ICMPv6" AND bytes>1000))

The explicit grouping matters: without it, AND binds more tightly than OR in most query languages, and the ICMPv6 clause would match events from every source rather than only firewall logs.
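The indicators above are a volume signal (many ICMPv6 connection events from one source in a short window) plus keyword signals (reload, crash). The script below is an added example, not part of this advisory card, that applies both to a batch of syslog lines. The sample lines are constructed; the two message IDs used (%ASA-6-302020 for a built ICMP connection and %ASA-5-111008 for an executed command) are real Cisco ASA identifiers, but host names, addresses and the exact field layout are illustrative, so adapt the regexes to what your collector stores.

```python
import re
from collections import Counter
from datetime import timedelta, datetime

# Constructed sample syslog (not a real capture). 2001:db8:bad::1 sends six
# ICMPv6 messages in a few seconds; one IPv4 ICMP line and one other IPv6
# source are included to show what must not alert. The last line is a made-up
# crash marker standing in for whatever crash/boot message your platform logs.
SAMPLE_LOGS = """\
Mar 14 2023 10:00:01 fw1 %ASA-6-302020: Built inbound ICMP connection for faddr 2001:db8:bad::1/0 gaddr 2001:db8:1::1/0 laddr 2001:db8:1::1/0 type 128 code 0
Mar 14 2023 10:00:02 fw1 %ASA-6-302020: Built inbound ICMP connection for faddr 2001:db8:bad::1/0 gaddr 2001:db8:1::1/0 laddr 2001:db8:1::1/0 type 128 code 0
Mar 14 2023 10:00:02 fw1 %ASA-6-302020: Built inbound ICMP connection for faddr 2001:db8:bad::1/0 gaddr 2001:db8:1::1/0 laddr 2001:db8:1::1/0 type 128 code 0
Mar 14 2023 10:00:03 fw1 %ASA-6-302020: Built inbound ICMP connection for faddr 2001:db8:bad::1/0 gaddr 2001:db8:1::1/0 laddr 2001:db8:1::1/0 type 128 code 0
Mar 14 2023 10:00:03 fw1 %ASA-6-302020: Built inbound ICMP connection for faddr 2001:db8:bad::1/0 gaddr 2001:db8:1::1/0 laddr 2001:db8:1::1/0 type 128 code 0
Mar 14 2023 10:00:04 fw1 %ASA-6-302020: Built inbound ICMP connection for faddr 2001:db8:bad::1/0 gaddr 2001:db8:1::1/0 laddr 2001:db8:1::1/0 type 128 code 0
Mar 14 2023 10:00:05 fw1 %ASA-6-302020: Built inbound ICMP connection for faddr 203.0.113.7/0 gaddr 198.51.100.1/0 laddr 198.51.100.1/0 type 8 code 0
Mar 14 2023 10:00:07 fw1 %ASA-6-302020: Built inbound ICMP connection for faddr 2001:db8:cafe::2/0 gaddr 2001:db8:1::1/0 laddr 2001:db8:1::1/0 type 128 code 0
Mar 14 2023 10:00:09 fw1 %ASA-5-111008: User 'enable_15' executed the 'reload' command.
Mar 14 2023 10:03:30 fw1 crashinfo: constructed crash marker line
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
ICMP_RE = re.compile(r"%ASA-\d-302020: Built inbound ICMP connection for faddr (?P<faddr>[0-9a-fA-F:.]+)/")
# Keyword signals for the 'unexpected reload' and 'crash log' indicators.
REBOOT_RE = re.compile(r"reload|crash", re.IGNORECASE)


def analyze(log_text, icmpv6_threshold=5, window_seconds=60):
    """Count ICMPv6 connection events per (host, source) in tumbling windows
    and collect reload/crash lines. Returns windows at or above the threshold."""
    counts = Counter()
    reload_events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        host, msg = m["host"], m["msg"]
        icmp = ICMP_RE.search(msg)
        # A ':' in the foreign address only occurs in IPv6 literals, which is
        # how ICMPv6 is told apart from IPv4 ICMP in this message format.
        if icmp and ":" in icmp["faddr"]:
            secs = ts.hour * 3600 + ts.minute * 60 + ts.second
            window_start = ts - timedelta(seconds=secs % window_seconds)
            counts[(host, icmp["faddr"], window_start)] += 1
        elif REBOOT_RE.search(msg):
            reload_events.append((host, m["ts"], msg))
    bursts = [
        {"host": h, "source": s, "window_start": w.strftime("%Y-%m-%d %H:%M:%S"), "count": c}
        for (h, s, w), c in sorted(counts.items())
        if c >= icmpv6_threshold
    ]
    return {"icmpv6_bursts": bursts, "reload_events": reload_events}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for b in result["icmpv6_bursts"]:
        print("ICMPv6 burst:", b)
    for ev in result["reload_events"]:
        print("reload/crash:", ev)
```

The threshold of five per minute is deliberately low so the constructed sample trips it; tune it against a baseline of normal neighbor discovery and ping traffic on your own network, and pair a burst alert with a reload or crash event on the same host before escalating, since ICMPv6 volume alone is a weak signal.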
