CVE-2021-1494
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to bypass HTTP file policies on affected Cisco devices by sending specially crafted HTTP packets. It affects multiple Cisco products using the Snort detection engine, potentially enabling malicious payload delivery despite configured security policies.
💻 Affected Systems
- Cisco Firepower Threat Defense (FTD)
- Cisco Firepower Management Center (FMC)
- Cisco Adaptive Security Appliance (ASA) with FirePOWER Services
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers deliver malware, ransomware, or other malicious payloads through HTTP traffic that should have been blocked by file policies, leading to system compromise or data exfiltration.
Likely Case
Attackers bypass file filtering to deliver malicious scripts or executables that would normally be blocked, potentially leading to initial foothold in networks.
If Mitigated
With proper network segmentation and additional security controls, impact is limited to potential policy bypass without direct system compromise.
🎯 Exploit Status
Exploitation requires sending crafted HTTP packets through affected devices; no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FTD 6.6.4.1, 6.7.0.2, 7.0.0 and later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-fp-bp-KfDdcQhc
Restart Required: Yes
Instructions:
1. Check current version. 2. Download appropriate patch from Cisco. 3. Apply patch following Cisco upgrade procedures. 4. Restart affected services/devices.
🔧 Temporary Workarounds
Disable HTTP file inspection
allTemporarily disable HTTP file policy inspection to prevent bypass (reduces security posture)
🧯 If You Can't Patch
- Implement network segmentation to isolate affected devices
- Deploy additional web application firewall or proxy with file filtering
🔍 How to Verify
Check if Vulnerable:
Check device version against affected versions list in Cisco advisoryCheck Version:
show version (Cisco CLI)Verify Fix Applied:
Verify version is 6.6.4.1, 6.7.0.2, 7.0.0 or later📡 Detection & Monitoring
Log Indicators:
- Unexpected HTTP traffic bypassing file policies
- File policy violations decreasing
Network Indicators:
- HTTP traffic with unusual header patterns
- File downloads from unexpected sources
SIEM Query:
source="cisco-firepower" AND (event_type="file_policy" AND result="bypassed")