CVE-2021-1573

8.6 HIGH

📋 TL;DR

An unauthenticated remote attacker can send a malicious HTTPS request to Cisco ASA or FTD devices, causing them to reload and creating a denial of service condition. This affects devices with the web services interface enabled, potentially disrupting network security services.

💻 Affected Systems

Products:
  • Cisco Adaptive Security Appliance (ASA) Software
  • Cisco Firepower Threat Defense (FTD) Software
Versions: Multiple versions - see Cisco advisory for specific affected versions
Operating Systems: Cisco ASA OS, Cisco FTD OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with web services interface enabled. Devices without web services enabled are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete network security outage as firewalls reload, allowing unfiltered traffic during the reload period and disrupting all protected services.

🟠 Likely Case

Temporary service disruption during firewall reloads, causing brief network outages and potential session drops for users.

🟢 If Mitigated

Minimal impact with proper network segmentation and redundant firewall configurations that can handle failover during reloads.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet if web services interface is exposed, allowing any remote attacker to trigger DoS.
🏢 Internal Only: MEDIUM - Still exploitable from internal networks, but requires the attacker to have network access to the management interface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a specially crafted HTTPS request to the vulnerable interface. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple fixed versions available - refer to Cisco advisory for specific version mapping

Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-KSqJAKPA

Restart Required: Yes

Instructions:

1. Check the current ASA/FTD version.
2. Download the appropriate fixed version from Cisco.
3. Back up the configuration.
4. Apply the update following Cisco upgrade procedures.
5. Verify the successful upgrade and functionality.

🔧 Temporary Workarounds

Disable Web Services Interface

all

Disable the vulnerable web services interface if not required

no webvpn
no http server enable

Restrict Access to Management Interface

all

Apply access control lists to limit which IPs can access the management interface

access-list MGMT-ACL permit ip [trusted-networks] any
http [trusted-network] [mask] [management-interface]

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate management interfaces from untrusted networks
  • Deploy redundant firewall pairs with failover to maintain service during potential reloads

🔍 How to Verify

Check if Vulnerable:

Check the ASA/FTD version and compare it against the Cisco advisory. Check whether the web services interface is enabled with 'show running-config | include webvpn|http server'.

Check Version:

show version | include Version

Verify Fix Applied:

Verify upgraded version matches fixed versions in Cisco advisory. Test HTTPS connectivity to ensure functionality remains.
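The two checks above (is the web services interface enabled, and is the running release at or above the fixed release) can be automated against captured CLI output. The following Python script is an added example, not part of this page or of any Cisco tooling: it parses `show version` and `show running-config` text and reports whether a device is exposed. The `show` output embedded in it is constructed, and the fixed-version table is a labelled placeholder that must be filled from the Cisco advisory (the values below are not the real fixed releases).

```python
import re
from typing import Dict, Optional, Tuple

# PLACEHOLDER: populate from the Cisco advisory. The entries below are
# constructed for this example and are NOT the real fixed releases.
# Key = (major, minor) release train, value = first fixed release in that train.
PLACEHOLDER_FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (9, 12): (9, 12, 99),
    (9, 14): (9, 14, 99),
}

# Matches e.g. "Software Version 9.14(2)4" or "Software Version 9.12(4)"
_VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d+)?")


def parse_asa_version(show_version_output: str) -> Optional[Tuple[int, ...]]:
    """Return the running release as a comparable tuple, e.g. (9, 14, 2, 4)."""
    m = _VERSION_RE.search(show_version_output)
    if not m:
        return None
    parts = [int(g) for g in m.groups() if g is not None]
    return tuple(parts)


def web_services_enabled(running_config: str) -> Dict[str, bool]:
    """Detect the two ways the web services interface is turned on:
    'http server enable' at global scope, or an 'enable <iface>' line
    inside the 'webvpn' block."""
    http_server = False
    webvpn = False
    in_webvpn = False
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Leaving any indented block when we hit a top-level line.
            in_webvpn = line.strip() == "webvpn"
            if line.strip() == "http server enable":
                http_server = True
            continue
        if in_webvpn and line.strip().startswith("enable "):
            webvpn = True
    return {"http_server": http_server, "webvpn": webvpn}


def is_fixed(version: Tuple[int, ...],
             fixed_table: Dict[Tuple[int, int], Tuple[int, ...]]) -> Optional[bool]:
    """True if the running release is at or above the fixed release for its
    train; None when the train is not in the table (consult the advisory)."""
    train = (version[0], version[1])
    fixed = fixed_table.get(train)
    if fixed is None:
        return None
    return version >= fixed


def assess(show_version_output: str, running_config: str,
           fixed_table: Dict[Tuple[int, int], Tuple[int, ...]]) -> dict:
    """Combine both checks. A device is 'exposed' only if web services are
    enabled AND the release is known to be below the fixed release."""
    version = parse_asa_version(show_version_output)
    services = web_services_enabled(running_config)
    any_enabled = services["http_server"] or services["webvpn"]
    fixed = is_fixed(version, fixed_table) if version else None
    return {
        "version": version,
        "web_services": services,
        "fixed": fixed,
        "exposed": any_enabled and fixed is False,
    }


# Constructed sample output (not captured from a real device).
SAMPLE_SHOW_VERSION = """Cisco Adaptive Security Appliance Software Version 9.14(2)4
Device Manager Version 7.14(1)
"""

SAMPLE_RUNNING_CONFIG = """: Saved
hostname fw-edge
http server enable
http 10.0.0.0 255.255.255.0 management
webvpn
 enable outside
 anyconnect enable
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG, PLACEHOLDER_FIXED_VERSIONS))
```

Run it against `show version` and `show running-config` captures from each ASA/FTD device; a result with `"exposed": True` means the device both serves the web interface and runs a release below the fixed one for its train, so it should be prioritised for upgrade or for the workarounds above. A `"fixed": None` result means the release train is missing from the table and must be looked up in the advisory rather than assumed safe.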

📡 Detection & Monitoring

Log Indicators:

  • Unexpected device reloads
  • Web services interface crash logs
  • High volume of malformed HTTPS requests

Network Indicators:

  • Spike in HTTPS traffic to management interfaces
  • Unusual patterns in HTTPS request sizes or structures

SIEM Query:

(source="asa" OR source="ftd") AND (event_type="reload" OR message="webvpn" OR message="http")

🔗 References
