Vulnerability Description
Multiple Cisco products are affected by a vulnerability with TCP Fast Open (TFO) when used in conjunction with the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to incorrect detection of the HTTP payload if it is contained at least partially within the TFO connection handshake. An attacker could exploit this vulnerability by sending crafted TFO packets with an HTTP payload through an affected device. A successful exploit could allow the attacker to bypass configured file policy for HTTP packets and deliver a malicious payload.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cisco | Firepower Threat Defense | < 6.7.0 |
| Cisco | Secure Firewall Management Center | 2.9.14.0 |
| Cisco | Ios Xe | < 17.4.1 |
| Cisco | 1100-4P Integrated Services Router | - |
| Cisco | 1100-8P Integrated Services Router | - |
| Cisco | 1101-4P Integrated Services Router | - |
| Cisco | 1109-2P Integrated Services Router | - |
| Cisco | 1109-4P Integrated Services Router | - |
| Cisco | 1111X-8P Integrated Services Router | - |
| Cisco | 4221 Integrated Services Router | - |
| Cisco | 4321 Integrated Services Router | - |
| Cisco | 4331 Integrated Services Router | - |
| Cisco | 4351 Integrated Services Router | - |
| Cisco | 4431 Integrated Services Router | - |
| Cisco | 4451-X Integrated Services Router | - |
| Cisco | 4461 Integrated Services Router | - |
| Cisco | Csr 1000V | - |
| Cisco | Isa 3000 | - |
| Snort | Snort | < 2.9.17 |
| Cisco | Meraki Mx64 Firmware | - |
Related Weaknesses (CWE)
References
- https://lists.debian.org/debian-lts-announce/2023/02/msg00011.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sVendor Advisory
- https://www.debian.org/security/2023/dsa-5354
- https://lists.debian.org/debian-lts-announce/2023/02/msg00011.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sVendor Advisory
- https://www.debian.org/security/2023/dsa-5354
FAQ
What is CVE-2021-1224?
CVE-2021-1224 is a vulnerability with a CVSS score of 5.8 (MEDIUM). Multiple Cisco products are affected by a vulnerability with TCP Fast Open (TFO) when used in conjunction with the Snort detection engine that could allow an unauthenticated, remote attacker to bypass...
How severe is CVE-2021-1224?
CVE-2021-1224 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-1224?
Check the references section above for vendor advisories and patch information. Affected products include: Cisco Firepower Threat Defense, Cisco Secure Firewall Management Center, Cisco Ios Xe, Cisco 1100-4P Integrated Services Router, Cisco 1100-8P Integrated Services Router.