Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Software-Based SSL/TLS Denial of Service Vulnerability
CVE number = CVE-2021-34783
A vulnerability in the software-based SSL/TLS message handler of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.
This vulnerability is due to insufficient validation of SSL/TLS messages when the device performs software-based SSL/TLS decryption. An attacker could exploit this vulnerability by sending a crafted SSL/TLS message to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.
Note: Datagram TLS (DTLS) messages cannot be used to exploit this vulnerability.
Cisco has released software updates that address this vulnerability.
There are no workarounds that address this vulnerability.
Vulnerable Products
This vulnerability affects Cisco devices if they are running the following Cisco software releases under the following conditions:
| Cisco Software | Affected Releases | Vulnerability Details |
|---|---|---|
| ASA Software | 9.16.1 and 9.16.1.28 | If affected devices are configured to process inbound SSL/TLS message, they are vulnerable to crafted SSL/TLS message that are sent to the device. |
| FTD Software | 7.0.0 and 7.0.01 | |
| FTD Software | 6.3.0 and later, but earlier than the first fixed release | If affected devices are configured with an active SSL Decryption Policy, they are vulnerable to crafted SSL/TLS message that are sent through the device. |
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
Determine Whether a Device Could Process Inbound SSL or TLS Messages
To verify whether a device that is running Cisco ASA Software or Cisco FTD Software could process inbound SSL or TLS messages, use the show asp table socket | include SSL command and verify that it returns output. When this command returns any output, the device is vulnerable. When this command returns empty output, the device is not affected by the vulnerability described in this advisory. The following example shows the output of the show asp table socket | include SSL command from a device that is vulnerable:
# show asp table socket | include SSL
SSL 0005aa68 LISTEN 192.168.4.1:443 0.0.0.0:*
SSL 0018f7a8 LISTEN 192.168.4.1:8443 0.0.0.0:*
Determine Whether an SSL Decryption Policy Is Enabled
There are two methods for determining whether an SSL decryption policy is enabled:
Option 1: Use the CLI
Use the show ssl-policy-config CLI command to verify whether an SSL decryption policy is enabled on a device. The following example shows the output of the show ssl-policy-config command on a device that does not have an SSL policy configured and is not vulnerable:
> show ssl-policy-config
SSL policy not yet applied.
Any other output returned by the show ssl-policy-config command indicates that an SSL policy is configured and the device is affected by the vulnerability described in this advisory.
For more information about the show ssl-policy-config command, see the Cisco Firepower Threat Defense Command Reference.
Option 2: Use the GUI
To determine whether an SSL decryption policy is enabled on a device, check the appropriate policy:
- For devices managed by Firepower Management Center (FMC):
Policies > Access Control > SSL - For devices managed by Firepower Device Manager (FDM):
Policies > SSL Decryption
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tls-decrypt-dos-BMxYjm8M
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.