CVE-2021-1402

Published: Apr 29, 2021Modified: Nov 21, 2024

8.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 4.0

Source: NVD

Description

A vulnerability in the software-based SSL/TLS message handler of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient validation of SSL/TLS messages when the device performs software-based SSL decryption. An attacker could exploit this vulnerability by sending a crafted SSL/TLS message through an affected device. SSL/TLS messages sent to an affected device do not trigger this vulnerability. A successful exploit could allow the attacker to cause a process to crash. This crash would then trigger a reload of the device. No manual intervention is needed to recover the device after the reload.

Affected (2)

Products: Cisco: Firepower Threat Defense

Cisco

1 product

Firepower Threat Defense

Configuration A

2 vulnerable · 15 platform

Vulnerable Software	Affected Versions
Cisco Firepower Threat Defense	From 6.3.0 to 6.4.0
Cisco Firepower Threat Defense	From 6.5.0 to 6.6.0

Running on/with	Platform Versions
Cisco Asa 5512 X	All versions
Cisco Asa 5515 X	All versions
Cisco Asa 5525 X	All versions
Cisco Asa 5545 X	All versions
Cisco Asa 5555 X	All versions
Cisco Firepower 1010	All versions
Cisco Firepower 1120	All versions
Cisco Firepower 1140	All versions
Cisco Firepower 1150	All versions
Cisco Firepower 2110	All versions
Cisco Firepower 2120	All versions
Cisco Firepower 2130	All versions
Cisco Firepower 2140	All versions
Cisco Firepower Threat Defense Virtual	All versions
Cisco Isa 3000	All versions

Related CWEs

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-ssl-decrypt-dos-DdyLuK6c

Source: psirt@cisco.com

Vendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-ssl-decrypt-dos-DdyLuK6c

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.