CVE-2021-1402
📋 TL;DR
An unauthenticated, remote attacker can send crafted SSL/TLS messages through a Cisco Firepower Threat Defense (FTD) device that is performing software-based SSL/TLS decryption. A crafted message crashes the process that handles the decrypted traffic, which forces the device to reload: a denial of service. Only FTD deployments whose SSL policy decrypts traffic in software are affected. The device comes back after the reload, but nothing stops the attacker from sending the trigger again.
💻 Affected Systems
- Cisco Firepower Threat Defense (FTD) software, when an SSL policy that decrypts traffic in software is deployed (see the vendor advisory for the per-release affected list)
📦 What is this software?
Cisco Firepower Threat Defense (FTD) is Cisco's unified next-generation firewall image that combines ASA firewall functions with Firepower (Snort-based) intrusion prevention, URL filtering and SSL/TLS decryption on one device. It is managed centrally through Firepower Management Center (FMC) or locally through Firepower Device Manager (FDM).
⚠️ Risk & Real-World Impact
Worst Case
Repeated triggering keeps the device reloading, so traffic through it is dropped (or, on a fail-open design, uninspected) for as long as the attack continues. Failover does not help if the standby unit decrypts the same flows and receives the same crafted messages.
Likely Case
Temporary loss of traffic inspection and, on a standalone device, of connectivity for the duration of the reload (several minutes, longer on large chassis); security policies are not enforced on that path until the device is back up
If Mitigated
None: the condition cannot be triggered once the device runs a fixed release or no longer performs software-based SSL decryption
🎯 Exploit Status
No public exploit is referenced on this page. Triggering the condition requires only that a crafted SSL/TLS message transit the device in a flow the device decrypts; the attacker needs no credentials and does not have to address the device itself, so any host whose traffic is decrypted by the device is a possible source. Because the trigger is a single crafted message, the attack is cheap to repeat.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.6.1, 6.7.0, or 7.0.0 (first fixed releases as listed here; confirm the per-train fixed release in the advisory's fixed-software table before planning the upgrade)
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-ssl-decrypt-dos-DdyLuK6c
Restart Required: Yes
Instructions:
1. Download the fixed FTD software package for your platform from Cisco Software Central.
2. Upload it to the FMC (System > Updates) and push it to the device, or upload it directly through FDM or the device CLI for devices not managed by FMC.
3. Run the upgrade readiness check, then deploy the upgrade package.
4. The device reloads automatically as part of the upgrade. In an HA pair or cluster, upgrade one unit at a time so the peer carries traffic during the reload.
🔧 Temporary Workarounds
Disable software-based SSL decryption
Temporarily disable or delete the SSL policy rules that decrypt traffic (the "Decrypt - Resign" and "Decrypt - Known Key" actions), or detach the SSL policy from the access control policy, and redeploy. With no decrypt rules in effect the affected code path is not exercised, at the cost of losing visibility into encrypted traffic.
Configure via FMC: Policies > Access Control > SSL to edit the rules; Policies > Access Control > [your policy] > Advanced > SSL Policy Settings to detach the SSL policy.
Use hardware-based SSL decryption
On platforms that support TLS crypto acceleration, decryption can be moved off the software path. There is no "Enable hardware decryption" toggle under Platform Settings; acceleration is controlled from the FTD CLI with `config hwCrypto enable` (check the FTD command reference for your platform and release). Before relying on this as a mitigation, confirm in the vendor advisory that hardware-accelerated decryption is actually outside the affected code path.
🧯 If You Can't Patch
- Disable every SSL policy rule that decrypts in software and redeploy; the vulnerability is only reachable through that code path
- Decrypt only the traffic you must inspect: narrow the SSL rules with network, zone and port conditions so that untrusted Internet sources are not matched by decrypt rules where that can be avoided
- Watch for unexpected reloads and SSL process crashes (see Detection & Monitoring) so an attack in progress is noticed rather than written off as a hardware fault
🔍 How to Verify
Check if Vulnerable:
Check the FTD release from the FTD CLI with `show version`, and check whether an SSL policy with decrypt rules is deployed with `show ssl-policy-config` (it lists the deployed SSL policy and its enabled rules). A device with no decrypt rules is not exposed even on an affected release.
Check Version:
show version | include Version
Verify Fix Applied:
After the upgrade, confirm that `show version` reports a fixed release (6.6.1, 6.7.0 or 7.0.0, or later), then test decryption on a known flow: browse from a client to a site covered by a decrypt rule and check that the connection event in FMC shows the expected SSL Status (for example "Decrypt (Resign)") so you know the SSL policy still works.
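As an added example (not code from the page or from Cisco), the version check above turned into a script for a fleet report: it parses `show version` output and compares the running release against the first-fixed releases listed on this page, per release train, so that patch releases such as 6.6.0.1 are compared correctly. The FIRST_FIXED table, the assumption that every 7.x release is fixed, and the sample `show version` text are all assumptions made for the example; replace the table with the advisory's fixed-software list before using it.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# First fixed release per train, taken from the fixed versions this page lists.
# ASSUMPTION for the example: every 7.x release is fixed from 7.0.0 onwards,
# and trains below 6.6 have no fixed release listed, so they count as exposed.
# Replace with the advisory's fixed-software table before relying on it.
FIRST_FIXED: Dict[Tuple[int, int], Version] = {
    (6, 6): (6, 6, 1),
    (6, 7): (6, 7, 0),
    (7, 0): (7, 0, 0),
}

# Constructed sample `show version` output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
-------------------[ ftd-edge-01 ]--------------------
Model                     : Cisco Firepower 2110 Threat Defense (77) Version 6.6.0 (Build 90)
UUID                      : 00000000-0000-0000-0000-000000000000
Rules update version      : 2021-01-01-001-vrt
VDB version               : 338
------------------------------------------------------
"""

# Matches the capitalised "Version x.y.z" on the Model line, not "Rules update version".
VERSION_RE = re.compile(r"\bVersion\s+(\d+(?:\.\d+)+)")


def parse_version(show_version_output: str) -> Optional[Version]:
    """Extract the FTD release, e.g. (6, 6, 0), from `show version` output."""
    match = VERSION_RE.search(show_version_output)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(version: Version, width: int = 3) -> Version:
    """Pad to at least `width` components so (6, 6) compares like (6, 6, 0)."""
    return tuple(version) + (0,) * max(0, width - len(version))


def assess(version: Version) -> str:
    """Classify a release as 'fixed' or 'vulnerable' against FIRST_FIXED.

    Releases are compared as integer tuples, so 6.6.0.1 < 6.6.1 and 6.7.0.2 >= 6.7.0.
    """
    padded = _pad(version)
    train = padded[:2]
    if train >= (7, 0):
        return "fixed"
    first_fixed = FIRST_FIXED.get(train)
    if first_fixed is None:
        return "vulnerable (no fixed release listed for this train; upgrade to a fixed train)"
    return "fixed" if padded >= _pad(first_fixed) else "vulnerable"


def check_device(show_version_output: str) -> str:
    """One-line verdict for a device, suitable for a fleet report."""
    version = parse_version(show_version_output)
    if version is None:
        return "unknown: no 'Version x.y.z' found in show version output"
    return ".".join(map(str, version)) + ": " + assess(version)


if __name__ == "__main__":
    print(check_device(SAMPLE_SHOW_VERSION))
```

Feed it the captured `show version` text of each device (for example from an SSH loop or an FMC device export) and grep the report for "vulnerable"; pair the result with `show ssl-policy-config` output so devices without decrypt rules can be deprioritised.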
📡 Detection & Monitoring
Log Indicators:
- Unexpected reloads with a crash reason rather than an administrative one; on the FTD CLI, `show crashinfo` shows whether crash data was saved at the last reload
- Crash or core-file messages for the SSL/TLS handling process in system logs
- Elevated CPU or memory use in the moments before the crash
Network Indicators:
- Unusual SSL/TLS traffic toward hosts covered by decrypt rules, especially repeated connections from a single source
- Bursts of SSL handshake failures in connection events shortly before a reload
SIEM Query:
Illustrative pseudo-query only; the field names depend on how your SIEM parses FTD syslog and connection events, so map them to your own schema:
source="ftd" AND (event_type="reload" OR process="ssl") AND severity=HIGH
A single match is weak evidence; the stronger signal is more than one reload of the same device within an hour, or a handshake-failure burst immediately preceding a reload.