Vulnslist

find the latest Cisco vulnerabilities

Multiple Cisco Products Snort TCP Fast Open File Policy Bypass Vulnerability

cisco-sa-snort-tfo-bypass-MmzZrtes · Medium · Published · Updated

Multiple Cisco products are affected by a vulnerability with TCP Fast Open (TFO) when used in conjunction with the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to incorrect detection of the HTTP payload if it is contained at least partially within the TFO connection handshake. An attacker could exploit this vulnerability by sending crafted TFO packets with an HTTP payload through an affected device. A successful exploit could allow the attacker to bypass configured file policy for HTTP packets and deliver a malicious payload. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-tfo-bypass-MmzZrtes

Cisco advisory ·CSAF JSON

Workarounds

While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
Cisco FTD Software Release 6.7.0
For Cisco FTD Software Release 6.7.0, as a workaround when the Snort 3 configuration option is enabled, an administrator may enable built-in rule 129:2 in the intrusion policy and set the action to Drop instead of Alert.

Use the following steps to verify that the Snort 3 configuration option is enabled. For more details, see the Switching Between Snort 2 and Snort 3 https://www.cisco.com/c/en/us/td/docs/security/firepower/670/fdm/fptd-fdm-config-guide-670/fptd-fdm-intrusion.html#id_120089 section of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.7.

Log in to the Admin Portal for the FTD deployment.
Navigate to Policies > Intrusion.
Look for the Snort Version line above the table. The current version is the first number in the complete version number. For example, 2.9.17-95 is a Snort 2 version.

Use the following steps to enable rule 129:2. For more details, see the Changing Intrusion Rule Actions (Snort 3) https://www.cisco.com/c/en/us/td/docs/security/firepower/670/fdm/fptd-fdm-config-guide-670/fptd-fdm-intrusion.html#Cisco_Task_in_List_GUI.dita_54aef253-02ab-4044-88ea-cea05249686d section of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.7.

Log in to the Admin Portal for the FTD deployment.
Navigate to Policies > Intrusion.
Choose any system-provided policy, such as Balanced Security and Connectivity.
Search for rule 129:2.
Check the check box next to the rule to enable it.
Choose Drop from the Action drop-down list.
Add the intrusion policy to a rule in Access control policy.

CVEsCVE-2021-1224
Cisco Bug IDsCSCvt43136, CSCvu88532
CVSS ScoreBase 5.8
Base 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X
Product Names From Source
Cisco UTD SNORT IPS Engine Software, Cisco Firepower Threat Defense Software 6.2.3, Cisco Firepower Threat Defense Software 6.2.3.1, Cisco Firepower Threat Defense Software 6.2.3.2, Cisco Firepower Threat Defense Software 6.2.3.3, Cisco Firepower Threat Defense Software 6.2.3.4, Cisco Firepower Threat Defense Software 6.2.3.5, Cisco Firepower Threat Defense Software 6.2.3.6, Cisco Firepower Threat Defense Software 6.2.3.7, Cisco Firepower Threat Defense Software 6.2.3.8, Cisco Firepower Threat Defense Software 6.2.3.10, Cisco Firepower Threat Defense Software 6.2.3.11, Cisco Firepower Threat Defense Software 6.2.3.9, Cisco Firepower Threat Defense Software 6.2.3.12, Cisco Firepower Threat Defense Software 6.2.3.13, Cisco Firepower Threat Defense Software 6.2.3.14, Cisco Firepower Threat Defense Software 6.2.3.15, Cisco Firepower Threat Defense Software 6.2.3.16, Cisco Firepower Threat Defense Software 6.6.0, Cisco Firepower Threat Defense Software 6.6.0.1, Cisco Firepower Threat Defense Software 6.6.1, Cisco Firepower Threat Defense Software 6.6.3, Cisco Firepower Threat Defense Software 6.4.0, Cisco Firepower Threat Defense Software 6.4.0.1, Cisco Firepower Threat Defense Software 6.4.0.3, Cisco Firepower Threat Defense Software 6.4.0.2, Cisco Firepower Threat Defense Software 6.4.0.4, Cisco Firepower Threat Defense Software 6.4.0.5, Cisco Firepower Threat Defense Software 6.4.0.6, Cisco Firepower Threat Defense Software 6.4.0.7, Cisco Firepower Threat Defense Software 6.4.0.8, Cisco Firepower Threat Defense Software 6.4.0.9, Cisco Firepower Threat Defense Software 6.4.0.10, Cisco Firepower Threat Defense Software 6.4.0.11, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco Firepower 2100 Series, Cisco Firepower 1000 Series, Cisco 3000 Series Industrial Security Appliances (ISA), Cisco Firepower 9000 Series, Cisco Firepower 4100 Series, Cisco Secure Firewall Threat Defense Virtual

Related Products

Product CVE Evidence
Cisco UTD SNORT IPS Engine Software CVE-2021-1224 Cisco OpenVuln
Cisco Secure Firewall Threat Defense Virtual CVE-2021-1224 Cisco OpenVuln
Cisco Secure Firewall Threat Defense (FTD) Software CVE-2021-1224 Cisco OpenVuln
Cisco Firepower Threat Defense Software CVE-2021-1224 Cisco OpenVuln
Cisco Firepower 9000 Series CVE-2021-1224 Cisco OpenVuln
Cisco Firepower 4100 Series CVE-2021-1224 Cisco OpenVuln
Cisco Firepower 2100 Series CVE-2021-1224 Cisco OpenVuln
Cisco Firepower 1000 Series CVE-2021-1224 Cisco OpenVuln
Cisco 3000 Series Industrial Security Appliances (ISA) CVE-2021-1224 Cisco OpenVuln