
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Software-Based SSL/TLS Denial of Service Vulnerability

CVE number = CVE-2021-34783

A vulnerability in the software-based SSL/TLS message handler of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

This vulnerability is due to insufficient validation of SSL/TLS messages when the device performs software-based SSL/TLS decryption. An attacker could exploit this vulnerability by sending a crafted SSL/TLS message to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

Note: Datagram TLS (DTLS) messages cannot be used to exploit this vulnerability.

Cisco has released software updates that address this vulnerability.

There are no workarounds that address this vulnerability.

Vulnerable Products

This vulnerability affects Cisco devices if they are running the following Cisco software releases under the following conditions:

Cisco Software | Affected Releases | Vulnerability Details
ASA Software | 9.16.1 and 9.16.1.28 | If affected devices are configured to process inbound SSL/TLS messages, they are vulnerable to crafted SSL/TLS messages that are sent to the device.
FTD Software | 7.0.0 and 7.0.01 | If affected devices are configured to process inbound SSL/TLS messages, they are vulnerable to crafted SSL/TLS messages that are sent to the device.
FTD Software | 6.3.0 and later, but earlier than the first fixed release | If affected devices are configured with an active SSL Decryption Policy, they are vulnerable to crafted SSL/TLS messages that are sent through the device.

For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

Determine Whether a Device Could Process Inbound SSL or TLS Messages

To verify whether a device that is running Cisco ASA Software or Cisco FTD Software could process inbound SSL or TLS messages, use the show asp table socket | include SSL command and verify that it returns output. When this command returns any output, the device is vulnerable. When this command returns empty output, the device is not affected by the vulnerability described in this advisory. The following example shows the output of the show asp table socket | include SSL command from a device that is vulnerable:

# show asp table socket | include SSL
SSL 0005aa68 LISTEN 192.168.4.1:443 0.0.0.0:*
SSL 0018f7a8 LISTEN 192.168.4.1:8443 0.0.0.0:*

Determine Whether an SSL Decryption Policy Is Enabled

There are two methods for determining whether an SSL decryption policy is enabled:

Option 1: Use the CLI

Use the show ssl-policy-config CLI command to verify whether an SSL decryption policy is enabled on a device. The following example shows the output of the show ssl-policy-config command on a device that does not have an SSL policy configured and is not vulnerable:

> show ssl-policy-config
SSL policy not yet applied.

Any other output returned by the show ssl-policy-config command indicates that an SSL policy is configured and the device is affected by the vulnerability described in this advisory.

For more information about the show ssl-policy-config command, see the Cisco Firepower Threat Defense Command Reference.
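The two CLI checks above are easy to run by hand on one device but tedious across a fleet. The following Python script is an added example (not Cisco's code and not part of the advisory) that applies the advisory's decision rules to captured command output: any SSL socket line from show asp table socket | include SSL means the device processes inbound SSL/TLS, and any show ssl-policy-config output other than "SSL policy not yet applied." means a decryption policy is active. The sample outputs embedded below are constructed from the examples in this advisory; the function names and the regular expression are this example's own assumptions about the output format, not documented Cisco interfaces.

```python
"""Apply the two exposure checks from the Cisco advisory to captured CLI output.

Inputs are the text of `show asp table socket | include SSL` (ASA and FTD)
and `show ssl-policy-config` (FTD), as saved from a terminal session.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One row of `show asp table socket` output, e.g.
#   SSL 0005aa68 LISTEN 192.168.4.1:443 0.0.0.0:*
# Column layout is assumed from the advisory's example, not from Cisco docs.
SOCKET_LINE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<handle>[0-9a-fA-F]+)\s+(?P<state>\S+)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s*$"
)

NO_POLICY_TEXT = "SSL policy not yet applied."


@dataclass
class SslSocket:
    handle: str
    state: str
    local: str
    foreign: str


def parse_ssl_sockets(output: str) -> List[SslSocket]:
    """Return every SSL socket row; the command echo ('# show ...') is skipped."""
    sockets = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(">"):
            continue
        m = SOCKET_LINE.match(line)
        if m and m.group("proto") == "SSL":
            sockets.append(SslSocket(m.group("handle"), m.group("state"),
                                     m.group("local"), m.group("foreign")))
    return sockets


def processes_inbound_tls(socket_output: str) -> bool:
    """Advisory rule: any output from the command means the device is exposed."""
    return len(parse_ssl_sockets(socket_output)) > 0


def ssl_policy_applied(policy_output: str) -> Optional[bool]:
    """Advisory rule: only 'SSL policy not yet applied.' means no policy.

    Returns None when nothing but the prompt was captured, so a failed or
    truncated capture is not silently treated as 'not vulnerable'.
    """
    body = [l.strip() for l in policy_output.splitlines()
            if l.strip() and not l.strip().startswith(">")]
    if not body:
        return None
    return not (len(body) == 1 and body[0] == NO_POLICY_TEXT)


def exposed(socket_output: str = "", policy_output: str = "") -> bool:
    """True if either advisory condition holds for the captured output."""
    return processes_inbound_tls(socket_output) or bool(ssl_policy_applied(policy_output))


# Constructed samples, modelled on the advisory's own examples.
SAMPLE_SOCKETS = """# show asp table socket | include SSL
SSL 0005aa68 LISTEN 192.168.4.1:443 0.0.0.0:*
SSL 0018f7a8 LISTEN 192.168.4.1:8443 0.0.0.0:*
"""
SAMPLE_NO_SOCKETS = "# show asp table socket | include SSL\n"
SAMPLE_NO_POLICY = "> show ssl-policy-config\nSSL policy not yet applied.\n"
SAMPLE_POLICY = "> show ssl-policy-config\nSSL policy: Example-Decrypt-Policy\n"  # constructed

if __name__ == "__main__":
    for s in parse_ssl_sockets(SAMPLE_SOCKETS):
        print(f"listener {s.local} ({s.state})")
    print("exposed (ASA sample):", exposed(SAMPLE_SOCKETS))
    print("exposed (FTD, no policy):", exposed(SAMPLE_NO_SOCKETS, SAMPLE_NO_POLICY))
```

Feed each device's captured output into exposed(); a None from ssl_policy_applied() flags a capture that needs to be repeated rather than a clean result.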

Option 2: Use the GUI

To determine whether an SSL decryption policy is enabled on a device, check the appropriate policy:

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tls-decrypt-dos-BMxYjm8M

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
