
Cisco Firepower Threat Defense Software SSH Connections Denial of Service Vulnerability [CVE-2021-34781]

CVE number – CVE-2021-34781

A vulnerability in the processing of SSH connections for multi-instance deployments of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device.

This vulnerability is due to a lack of proper error handling when an SSH session fails to be established. An attacker could exploit this vulnerability by sending a high rate of crafted SSH connections to the instance. A successful exploit could allow the attacker to cause resource exhaustion, which causes a DoS condition on the affected device. The device must be manually reloaded to recover.

Cisco has released software updates that address this vulnerability.

There are no workarounds that address this vulnerability.
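Since there is no workaround and a device that has been exhausted must be manually reloaded, the practical defence while the update is being scheduled is to notice a burst of failed SSH session setups against the management address early. The following Python is an added example, not code from Cisco or from this advisory: it runs a sliding-window rate check over a constructed, generic syslog-style log (the line format, host name, addresses, window and thresholds are all assumptions for illustration, not Cisco FTD's actual SSH log format), keyed both per source and per target so that a flood spread across many source addresses is still caught.

```python
"""Sliding-window detection of failed-SSH-connection floods against a management address.

Added example, not Cisco code. The log lines are constructed in a generic syslog-like
shape that is an assumption for illustration, not Cisco FTD's real SSH log format;
the window and thresholds are illustrative too. Lines are expected in time order.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical line shape: "<ISO time>Z <host> sshd: connection from <src> to <dst>:22 failed ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) \S+ sshd: "
    r"connection from (?P<src>[\d.]+) to (?P<dst>[\d.]+):22 failed"
)


def parse_line(line):
    """Return (timestamp, src, dst) for a failed-session line, None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["dst"]


def detect_ssh_floods(lines, window=timedelta(seconds=10), per_source=20, per_target=50):
    """Emit one alert per (kind, key) when failed session setups within `window`
    reach the threshold. 'source' keys are (dst, src); 'target' keys are dst alone,
    so a flood spread over many source addresses still trips the per-target limit.
    Alerts are (kind, key, count, timestamp)."""
    recent = {"source": defaultdict(deque), "target": defaultdict(deque)}
    limits = {"source": per_source, "target": per_target}
    alerts, fired = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # successful logins and unrelated events are ignored
        ts, src, dst = parsed
        for kind, key in (("source", (dst, src)), ("target", dst)):
            q = recent[kind][key]
            q.append(ts)
            while ts - q[0] > window:  # drop events that fell out of the window
                q.popleft()
            if len(q) >= limits[kind] and (kind, key) not in fired:
                fired.add((kind, key))
                alerts.append((kind, key, len(q), ts))
    return alerts


def constructed_sample():
    """Constructed log: a benign admin with a few failed attempts, an unrelated line,
    a single-source flood of 30 failures in 5 seconds, then 25 sources sending
    3 failures each within 8 seconds (no single source reaches the per-source limit)."""
    t0 = datetime(2021, 10, 27, 10, 0, 0)

    def line(t, src, dst="192.0.2.10"):
        return (f"{t:%Y-%m-%dT%H:%M:%SZ} fw01 sshd: connection from {src} "
                f"to {dst}:22 failed: session not established")

    lines = [line(t0 + timedelta(seconds=20 * k), "203.0.113.5") for k in range(3)]
    lines.append(f"{t0 + timedelta(seconds=45):%Y-%m-%dT%H:%M:%SZ} fw01 sshd: "
                 f"session opened for admin from 203.0.113.5")
    lines += [line(t0 + timedelta(minutes=2, seconds=k // 6), "198.51.100.7") for k in range(30)]
    lines += [line(t0 + timedelta(minutes=5, seconds=k // 10), f"198.51.100.{10 + k % 25}")
              for k in range(75)]
    return lines


if __name__ == "__main__":
    for kind, key, count, ts in detect_ssh_floods(constructed_sample()):
        print(f"{ts:%H:%M:%S} {kind:<6} {key}: {count} failed SSH sessions in window")
```

On the constructed sample this raises one per-source alert for 198.51.100.7 and one per-target alert for 192.0.2.10 during the distributed phase, while the admin's occasional failures stay silent. Each key fires once so a sustained flood does not generate an alert per line.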

Vulnerable Products

This vulnerability affects devices if they are running a vulnerable release of Cisco FTD Software that is configured for multi-instance operation. Multi-instance configuration support was introduced in Cisco FTD Software Release 6.3.0; earlier releases are not affected by this multi-instance vulnerability.

The only Cisco FTD Software platforms that support multi-instance operation are the following:

  • Firepower 4100 Series Security Appliances
  • Firepower 9300 Series Security Appliances

Note: Affected devices are vulnerable only when accessed from an IP address in the configured SSH command range. The SSH service is enabled by default on all devices that run Cisco FTD Software.

For information about which Cisco software releases are vulnerable, see the Fixed Software section of the full Cisco advisory (linked below).

Determine the Device Configuration

To determine whether a device is providing multi-instance services, log in to the Cisco FXOS CLI and use the show app-instance command within the ssa scope. If the Deploy Type field has a value of Container, application instances are present and the device is vulnerable. The following example shows the command output for a vulnerable device:

firepower# scope ssa
firepower /ssa # show app-instance

App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State   Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
ftd        ftd1       1          Enabled     Online           6.2.3.14        6.2.3.14        Native      No                      Not Applicable  None
ftd        ftd2-1     2          Enabled     Online           6.4.0.4         6.4.0.4         Container   No         mid          Not Applicable
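When there are many chassis to check, pasting show app-instance output by hand does not scale. The following Python is an added example, not Cisco code: it parses the output above and reports every instance whose Deploy Type is Container. SAMPLE_OUTPUT reproduces the two rows from the advisory excerpt, but the column widths are an assumption (the page's alignment was lost), so the parser takes its column boundaries from the dashed separator line, which is how the output delimits its columns, rather than hard-coding offsets.

```python
"""Parse FXOS `show app-instance` output and report Container (multi-instance) deployments.

Added example, not Cisco code. SAMPLE_OUTPUT reproduces the two rows from the advisory
excerpt; the column widths are an assumption, since the page's alignment was lost.
Column boundaries are taken from the dashed separator line rather than hard-coded.
"""
from __future__ import annotations

import re

SAMPLE_OUTPUT = """\
firepower# scope ssa
firepower /ssa # show app-instance

App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State   Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
ftd        ftd1       1          Enabled     Online           6.2.3.14        6.2.3.14        Native      No                      Not Applicable  None
ftd        ftd2-1     2          Enabled     Online           6.4.0.4         6.4.0.4         Container   No         mid          Not Applicable
"""


def column_spans(separator: str) -> list[tuple[int, int]]:
    """(start, end) offsets of every run of dashes in the separator line."""
    return [(m.start(), m.end()) for m in re.finditer(r"-+", separator)]


def parse_app_instances(output: str) -> list[dict[str, str]]:
    """Return one dict per application instance, keyed by the column headers."""
    lines = output.splitlines()
    sep_idx = next(
        (i for i, line in enumerate(lines)
         if line.strip() and set(line.strip()) <= {"-", " "}),
        None,
    )
    if sep_idx is None or sep_idx == 0:
        raise ValueError("no header/separator pair found in show app-instance output")
    spans = column_spans(lines[sep_idx])
    names = [lines[sep_idx - 1][s:e].strip() for s, e in spans]
    rows: list[dict[str, str]] = []
    for line in lines[sep_idx + 1:]:
        if not line.strip():
            continue
        fields = []
        for j, (s, e) in enumerate(spans):
            end = len(line) if j == len(spans) - 1 else e  # last column runs to end of line
            fields.append(line[s:end].strip())
        rows.append(dict(zip(names, fields)))
    return rows


def container_instances(rows: list[dict[str, str]]) -> list[str]:
    """Identifiers of instances deployed as containers, i.e. multi-instance mode."""
    return [row["Identifier"] for row in rows if row.get("Deploy Type") == "Container"]


def is_multi_instance(output: str) -> bool:
    """True if any application instance is a Container deployment, the configuration
    the advisory describes as vulnerable."""
    return bool(container_instances(parse_app_instances(output)))


if __name__ == "__main__":
    rows = parse_app_instances(SAMPLE_OUTPUT)
    for row in rows:
        print(f"{row['Identifier']:<8} slot {row['Slot ID']:<3} "
              f"{row['Running Version']:<10} {row['Deploy Type']}")
    print("multi-instance:", is_multi_instance(SAMPLE_OUTPUT),
          "container instances:", container_instances(rows))
```

Run against saved output from each chassis, the script flags ftd2-1 as a Container instance and so marks the device as multi-instance; a device whose instances are all Native is reported as not multi-instance. Empty cells (the Profile Name of the Native instance, the missing Cluster Role of the second row) come back as empty strings rather than shifting the remaining columns.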

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-dos-rUDseW3r

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
