CVE-2024-20494

8.6 HIGH

📋 TL;DR

A flaw in the TLS 1.3 implementation of Cisco ASA and FTD Software lets an unauthenticated remote attacker send crafted packets to a listening socket that has TLS 1.3 enabled and force the device to reload, which is a denial of service for every flow and VPN session passing through it. Any organisation running an affected ASA or FTD release with TLS 1.3 enabled on an exposed listener (remote-access VPN, HTTPS management) is in scope. Because VPN HostScan and the software-upgrade path on these platforms also rely on TLS 1.3, both the flaw and the disable-TLS-1.3 workaround can affect them; read the advisory for the exact consequences before choosing a workaround.

💻 Affected Systems

Products:
  • Cisco Adaptive Security Appliance (ASA) Software
  • Cisco Firepower Threat Defense (FTD) Software
Versions: Multiple versions - see Cisco advisory for specific affected releases
Operating Systems: Cisco ASA OS, Cisco FTD OS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when TLS 1.3 is enabled on a listening socket (remote-access VPN or HTTPS/ASDM management). Whether a given release enables it without explicit configuration varies; confirm on each device with show run all ssl rather than assuming the default is safe.

📦 What is this software?

Cisco ASA (Adaptive Security Appliance) Software is Cisco's firewall and remote-access/site-to-site VPN platform. Cisco FTD (Firepower Threat Defense) Software is the unified firewall image that combines ASA features with the Firepower/Snort inspection engine and runs on Firepower and Secure Firewall hardware and virtual appliances. Both terminate TLS themselves for remote-access VPN (Cisco Secure Client, formerly AnyConnect, and clientless WebVPN) and for HTTPS management (ASDM), and those listeners are where TLS 1.3 is exposed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Repeated reloads of an edge firewall, which drops all traffic and VPN sessions through it for the duration of each boot and can cascade into outages of dependent systems; an attacker can keep re-triggering the reload as soon as the device is back.

🟠 Likely Case: Intermittent disruption as devices reload, with VPN users disconnected and through-traffic interrupted until each restart completes.

🟢 If Mitigated: With the fixed release installed, or TLS 1.3 disabled on every listener, the trigger no longer works. If you rely only on restricting who can reach the listener, anyone still allowed through (for example the whole VPN user population) can still cause a reload, so segmentation and monitoring reduce exposure but do not remove it.

🌐 Internet-Facing: HIGH - A remote-access VPN or management listener with TLS 1.3 enabled on an internet-facing interface can be triggered by anyone who can complete a TCP connection to it; no account is needed.
🏢 Internal Only: MEDIUM - An internal attacker or a compromised host can do the same against inside or management interfaces that expose ASDM or VPN listeners; the only requirement is reachability of a TLS 1.3-enabled socket.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is a matter of sending crafted packets to a listening socket that has TLS 1.3 enabled; no credentials, user interaction or prior access are needed (CVSS 8.6 reflects AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). The effect is a reload rather than code execution, so the attacker gains nothing but can repeat the trigger every time the device comes back until TLS 1.3 is disabled or the fix is applied.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Cisco advisory for fixed versions specific to each release train

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-tls-CWY6zXB

Restart Required: Yes

Instructions:

1. Match the running release (show version) against the fixed-release table in the Cisco advisory and pick the first fixed release in your train.
2. Download that software image from the Cisco Software Center.
3. Back up the running configuration (and the FMC/FDM configuration for FTD).
4. Apply the upgrade with Cisco's documented procedure for your platform; for an HA pair or cluster use the hitless upgrade procedure so one unit stays in service while the other reloads.
5. Confirm the new release with show version and test a remote-access VPN login, HostScan posture check and an ASDM session before declaring the change complete.

🔧 Temporary Workarounds

Disable TLS 1.3 (all affected releases)

Disable TLS 1.3 on every listening socket so the vulnerable handshake path is never reached. On ASA and FTD the TLS versions and ciphers a listener accepts are governed by the ssl server-version, ssl client-version and ssl cipher commands, and the exact sequence to disable TLS 1.3 differs by release, so take it verbatim from the Cisco advisory; there is no "ssl cipher ... disable" form of the command. Afterwards confirm with show run all ssl that no tlsv1.3 entry remains on any listener, and test a remote-access VPN login, a HostScan posture check and an ASDM session, because those functions can depend on TLS 1.3 and the advisory documents what the workaround costs.

Restrict who can reach the TLS listeners (all affected releases)

Limit connections to the device's own TLS listeners to trusted sources. A normal interface ACL filters only through-traffic; traffic addressed to the ASA itself is filtered by an ACL applied with the control-plane keyword, and ASDM/HTTPS management is additionally bounded by the http command. Example (TRUSTED_HOSTS is a network object-group you define; add any non-default port your VPN or management listener uses):

access-list TLS_CP extended permit tcp object-group TRUSTED_HOSTS any eq https
access-list TLS_CP extended deny tcp any any eq https
access-list TLS_CP extended permit ip any any
access-group TLS_CP in interface outside control-plane

This only narrows who can trigger the reload; every source still permitted, including legitimate VPN users, can. For a public remote-access VPN it is rarely workable, so treat it as a stopgap for management-only listeners and as a way to keep the internet off ASDM.

🧯 If You Can't Patch

  • Disable TLS 1.3 on every affected listener now; it removes the trigger entirely, at the cost of the HostScan and upgrade functions noted in the advisory
  • Restrict which sources can reach the remaining TLS listeners (control-plane ACL on the device, filtering upstream) and keep management interfaces off the internet
  • Watch for unplanned reloads and schedule the upgrade anyway; access restriction only narrows exposure, it does not fix the flaw

🔍 How to Verify

Check if Vulnerable:

Check whether TLS 1.3 is enabled on any listener with show run all ssl (plain show run ssl, or show run | include tlsv1.3, omits settings that are at their default value), and compare the running release from show version against the fixed-release table in the advisory. A device is vulnerable only when both hold: an affected release and TLS 1.3 enabled on a listening socket.
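The CLI check above needs access to the device. From the outside, the same question ("does this socket negotiate TLS 1.3?") can be answered with an ordinary handshake. The script below is an added example, not code from the page's source or from Cisco: it sends a standard TLS 1.3 ClientHello that also offers TLS 1.2, reads the first server record and reports whether the supported_versions extension selects 0x0304. It is a version probe only, not the crafted traffic that triggers the reload, and the host and port are whatever you pass in.

```python
"""External check for whether a TLS listener negotiates TLS 1.3.

Added example, not from the page's source or from Cisco. It sends a standard
TLS 1.3 ClientHello (offering 1.3 and 1.2) and classifies the first server
record: a ServerHello whose supported_versions extension says 0x0304 means the
socket has TLS 1.3 enabled and is in scope for CVE-2024-20494. It is a normal
version probe, not the crafted traffic that triggers the reload.
"""
import os
import socket
import struct

EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_SIG_ALGS = 0x0000, 0x000A, 0x000D
EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 0x002B, 0x0033
TLS13, TLS12 = 0x0304, 0x0303


def _vec(data: bytes, width: int) -> bytes:
    """Length-prefixed vector with a width-byte big-endian length (TLS <..> syntax)."""
    return len(data).to_bytes(width, "big") + data


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name: str) -> bytes:
    """One TLS record carrying a ClientHello that offers TLS 1.3 first, TLS 1.2 second."""
    # TLS 1.3 suites, then one TLS 1.2 suite so a 1.2-only listener still answers.
    suites = b"".join(struct.pack("!H", s) for s in (0x1301, 0x1302, 0x1303, 0xC02F))
    sni = _vec(b"\x00" + _vec(server_name.encode(), 2), 2)          # host_name entry
    groups = _vec(struct.pack("!HH", 0x001D, 0x0017), 2)             # x25519, secp256r1
    sig_algs = _vec(struct.pack("!HHH", 0x0804, 0x0403, 0x0401), 2)
    versions = _vec(struct.pack("!HH", TLS13, TLS12), 1)
    # x25519 accepts any 32-byte u-coordinate, so a random share is enough for a
    # probe that stops after the ServerHello.
    key_share = _vec(struct.pack("!HH", 0x001D, 32) + os.urandom(32), 2)
    extensions = (_ext(EXT_SERVER_NAME, sni) + _ext(EXT_SUPPORTED_GROUPS, groups)
                  + _ext(EXT_SIG_ALGS, sig_algs) + _ext(EXT_SUPPORTED_VERSIONS, versions)
                  + _ext(EXT_KEY_SHARE, key_share))
    body = (struct.pack("!H", TLS12) + os.urandom(32)   # legacy_version, random
            + _vec(b"", 1)                               # empty legacy_session_id
            + _vec(suites, 2) + _vec(b"\x00", 1)         # cipher_suites, null compression
            + _vec(extensions, 2))
    handshake = b"\x01" + _vec(body, 3)                  # HandshakeType client_hello
    return b"\x16\x03\x01" + _vec(handshake, 2)          # record layer: handshake, legacy TLS 1.0


def parse_server_hello(record: bytes) -> str:
    """Classify the first server record as 'TLS 1.3', 'TLS 1.2 or lower' or 'alert'."""
    if record[0] == 0x15:
        return "alert"
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("unexpected record: not a ServerHello")
    hs_end = 9 + int.from_bytes(record[6:9], "big")
    pos = 9 + 2 + 32                         # skip legacy_version and random
    pos += 1 + record[pos]                   # legacy_session_id_echo
    pos += 2 + 1                             # cipher_suite, legacy_compression_method
    if pos + 2 > hs_end:                     # TLS 1.2 servers may send no extensions at all
        return "TLS 1.2 or lower"
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        if ext_type == EXT_SUPPORTED_VERSIONS:
            # Only a TLS 1.3 ServerHello (or HelloRetryRequest) carries this extension.
            chosen = struct.unpack("!H", record[pos + 4:pos + 6])[0]
            return "TLS 1.3" if chosen == TLS13 else "TLS 1.2 or lower"
        pos += 4 + ext_len
    return "TLS 1.2 or lower"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full record arrived")
        buf += chunk
    return buf


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello and report what the listener negotiated."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        header = _recv_exact(sock, 5)
        body = _recv_exact(sock, struct.unpack("!H", header[3:5])[0])
        return parse_server_hello(header + body)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as python3 probe.py vpn.example.net 443 against your own listeners. "TLS 1.3" means the socket is in scope and the workaround has not taken effect; "TLS 1.2 or lower" after applying the workaround is the result you want. A single probe is indistinguishable from a normal client connection, so it is safe against production devices, but it tells you nothing about the running release; pair it with show version.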

Check Version:

show version | include Version

Verify Fix Applied:

After the upgrade, show version must report a release listed as fixed in the advisory. If you disabled TLS 1.3 as a workaround, re-enable it only once the fixed release is running, then re-check show run all ssl and re-test remote-access VPN, HostScan and ASDM.

📡 Detection & Monitoring

Log Indicators:

  • Unplanned device reloads: a startup message with no preceding operator reload command, or a new crashinfo file in flash (show crashinfo)
  • TLS handshake errors or aborted connections on the VPN/management listeners immediately before a reload
  • VPN HostScan communication errors
  • ASDM upgrade failures

Network Indicators:

  • Bursts of short TLS connections to the device's own listeners (443 or your custom VPN/management ports) from one source shortly before an outage
  • Repeated connection attempts to those ports from sources that have no reason to use the VPN or ASDM
  • The device dropping off monitoring, then returning with uptime reset

SIEM Query:

source="cisco-asa" AND (message="%ASA-6-199002*" OR message="%ASA-3-710003*")

%ASA-6-199002 is the "Startup completed" message a device emits after every boot, so it is the reload signal; correlate it with your reload/maintenance records to separate planned from unplanned. %ASA-3-710003 is an ACL deny for traffic to the box itself, which after the control-plane workaround shows who is being kept off the listener. %ASA-6-302013 (Built TCP connection) fires for every connection and belongs in a rate-based count, not an alert. Check the IDs and text against the syslog message guide for your release.
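The query above is the SIEM side; the same two checks expressed as code, run over sample syslog, are below. This is an added example, not detection content from the page's source or from Cisco. It flags startup messages (%ASA-6-199002) that no operator reload message preceded within a grace window, and counts to-the-box TCP/443 denies (%ASA-3-710003) per source so the noisiest clients can be blocked upstream. The log lines are constructed for the example, the message-ID set PLANNED_RELOAD_IDS is an assumption you should extend with the reload messages your release emits, and the timestamp format assumes logging timestamp with a device ID.

```python
"""Detection logic for the ASA log indicators above, run over sample syslog.

Added example, not from the page's source or from Cisco. Two checks: a device
startup (%ASA-6-199002) that no operator reload message preceded within a
grace window is an unplanned reload worth paging on, and to-the-box TCP/443
denies (%ASA-3-710003) are counted per source so the noisiest clients can be
blocked upstream. The log lines are constructed for this example; message IDs
are from Cisco's ASA syslog catalog, and PLANNED_RELOAD_IDS is an assumption
to extend with whatever reload messages your release emits.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)
DENY_RE = re.compile(
    r"access denied by ACL from (?P<src>[\d.]+)/\d+ to [^:\s]+:[\d.]+/(?P<port>\d+)"
)

STARTUP_ID = "199002"            # "Startup completed. Beginning operation."
PLANNED_RELOAD_IDS = {"199001"}  # "Reload command executed ..." (assumption, extend per release)
ACL_DENY_ID = "710003"           # "TCP access denied by ACL from ... to ..."

# Constructed sample: a burst of denies after a control-plane ACL was applied,
# one reload with no operator command before it, then a scheduled reload.
SAMPLE_LOG = """\
<166>Oct 24 2024 10:15:01 fw-edge-01 %ASA-6-302013: Built inbound TCP connection 4412 for outside:198.51.100.7/51234 (198.51.100.7/51234) to identity:203.0.113.1/443 (203.0.113.1/443)
<163>Oct 24 2024 10:15:04 fw-edge-01 %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/51240 to outside:203.0.113.1/443
<163>Oct 24 2024 10:15:05 fw-edge-01 %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/51241 to outside:203.0.113.1/443
<163>Oct 24 2024 10:15:09 fw-edge-01 %ASA-3-710003: TCP access denied by ACL from 192.0.2.9/40022 to outside:203.0.113.1/443
<163>Oct 24 2024 10:15:11 fw-edge-01 %ASA-3-710003: TCP access denied by ACL from 192.0.2.9/40023 to outside:203.0.113.1/22
<166>Oct 24 2024 10:17:42 fw-edge-01 %ASA-6-199002: Startup completed. Beginning operation.
<165>Oct 24 2024 11:00:55 fw-edge-01 %ASA-5-199001: Reload command executed from SSH (remote 10.0.0.5).
<166>Oct 24 2024 11:02:10 fw-edge-01 %ASA-6-199002: Startup completed. Beginning operation.
"""


def parse(lines):
    """Yield one dict per line that carries an ASA message ID; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                   "host": m["host"], "sev": int(m["sev"]), "id": m["id"], "msg": m["msg"]}


def unplanned_startups(events, grace=timedelta(minutes=10)):
    """Startups on a host with no planned-reload message in the preceding grace window."""
    last_planned = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] in PLANNED_RELOAD_IDS:
            last_planned[ev["host"]] = ev["ts"]
        elif ev["id"] == STARTUP_ID:
            prior = last_planned.get(ev["host"])
            if prior is None or ev["ts"] - prior > grace:
                hits.append((ev["host"], ev["ts"].isoformat()))
    return hits


def denied_sources(events, port=443):
    """Count control-plane ACL denies to the given TCP port, per source address."""
    counts = Counter()
    for ev in events:
        m = DENY_RE.search(ev["msg"]) if ev["id"] == ACL_DENY_ID else None
        if m and int(m["port"]) == port:
            counts[m["src"]] += 1
    return counts


def analyse(text):
    """Run both checks over raw syslog text and return their results together."""
    events = list(parse(text.splitlines()))
    return {"unplanned_startups": unplanned_startups(events),
            "denied_sources": denied_sources(events)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample, the 10:17:42 startup is reported as unplanned while the 11:02:10 one is not, because a reload command was logged 75 seconds earlier; 198.51.100.7 tops the deny list with two hits on 443 and the deny to port 22 is ignored. Feed real syslog in through analyse() and alert on any non-empty unplanned_startups list for an unpatched device with TLS 1.3 enabled.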

🔗 References

  • Cisco advisory cisco-sa-asa-tls-CWY6zXB: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-tls-CWY6zXB
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-20494
