CVE-2021-34792

Q: What is the severity of CVE-2021-34792?

CVE-2021-34792 has a CVSS score of 8.6 (HIGH). This vulnerability allows unauthenticated remote attackers to cause a denial of service (DoS) by overwhelming Cisco ASA and FTD devices with excessive connections. The improper resource management causes device reloads, disrupting network security services. Organizations using affected Cisco security appliances are at risk.

8.6 HIGH

Denial of Service

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to cause a denial of service (DoS) by overwhelming Cisco ASA and FTD devices with excessive connections. The improper resource management causes device reloads, disrupting network security services. Organizations using affected Cisco security appliances are at risk.

💻 Affected Systems

Products:

Cisco Adaptive Security Appliance (ASA) Software
Cisco Firepower Threat Defense (FTD) Software

Versions: Multiple versions - see Cisco advisory for specific affected versions

Operating Systems: Cisco ASA OS, Cisco FTD OS

Default Config Vulnerable: ⚠️ Yes

Notes: All configurations are vulnerable when exposed to high connection rates. Devices with high traffic volumes are at greater risk.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete network security service disruption as the device reloads, potentially allowing attacks to bypass security controls during the outage.

🟠

Likely Case

Intermittent service disruptions and performance degradation during connection floods, requiring manual intervention to restore services.

🟢

If Mitigated

Minimal impact with proper rate limiting and network segmentation in place, though device may still experience performance issues.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires generating high connection rates, which can be achieved with simple flooding tools. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple fixed versions - refer to Cisco advisory for specific patched releases

Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-dos-Unk689XY

Restart Required: Yes

Instructions:

1. Check current ASA/FTD version. 2. Download appropriate fixed version from Cisco. 3. Backup configuration. 4. Apply update via ASDM or CLI. 5. Reboot device. 6. Verify update success.

🔧 Temporary Workarounds

Connection Rate Limiting

all

Implement connection rate limiting to prevent excessive connections from single sources

class-map match-any CMAP_CONNECTION_LIMIT
match access-list ACL_CONNECTION_LIMIT
policy-map global_policy
class CMAP_CONNECTION_LIMIT
set connection per-client-max 100
set connection per-client-embryonic-max 50

TCP Intercept Configuration

all

Configure TCP intercept to manage connection establishment rates

ip tcp intercept list ACL_TCP_INTERCEPT
ip tcp intercept mode intercept
ip tcp intercept max-incomplete high 500
ip tcp intercept max-incomplete low 400

🧯 If You Can't Patch

Implement strict connection rate limiting and monitoring
Deploy network segmentation to limit exposure and contain potential DoS impact

🔍 How to Verify

Check if Vulnerable:

Check ASA/FTD version against affected versions in Cisco advisory: show version

Check Version:

show version

Verify Fix Applied:

Verify version is updated to patched release: show version | include Version

📡 Detection & Monitoring

Log Indicators:

High connection establishment rates
Device reload events
Memory allocation failures
Resource exhaustion warnings

Network Indicators:

Sudden spike in connection attempts
Unusual traffic patterns from single sources
Service interruption alerts

SIEM Query:

source="cisco_asa" AND ("%ASA-4-106023" OR "%ASA-4-106100" OR "%ASA-6-302013" OR "%ASA-6-302014") | stats count by src_ip

📊 Metadata

CVE ID: CVE-2021-34792

CVSS v3 Score: 8.6 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE: CWE-400

Published: October 27, 2021

Last Updated: November 21, 2024

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Asa 5505 Firmware by Cisco

Asa 5505 Firmware by Cisco

Asa 5505 Firmware by Cisco

Asa 5505 Firmware by Cisco

Asa 5512 X Firmware by Cisco

Asa 5512 X Firmware by Cisco

Asa 5512 X Firmware by Cisco

Asa 5512 X Firmware by Cisco

Asa 5515 X Firmware by Cisco

Asa 5515 X Firmware by Cisco

Asa 5515 X Firmware by Cisco

Asa 5515 X Firmware by Cisco

Asa 5525 X Firmware by Cisco

Asa 5525 X Firmware by Cisco

Asa 5525 X Firmware by Cisco

Asa 5525 X Firmware by Cisco

Asa 5545 X Firmware by Cisco

Asa 5545 X Firmware by Cisco

Asa 5545 X Firmware by Cisco

Asa 5545 X Firmware by Cisco

Asa 5555 X Firmware by Cisco

Asa 5555 X Firmware by Cisco

Asa 5555 X Firmware by Cisco

Asa 5555 X Firmware by Cisco

Asa 5580 Firmware by Cisco

Asa 5580 Firmware by Cisco

Asa 5580 Firmware by Cisco

Asa 5580 Firmware by Cisco

Asa 5585 X Firmware by Cisco

Asa 5585 X Firmware by Cisco

Asa 5585 X Firmware by Cisco

Asa 5585 X Firmware by Cisco

Firepower Threat Defense by Cisco

Firepower Threat Defense by Cisco

Firepower Threat Defense by Cisco

Firepower Threat Defense by Cisco

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Connection Rate Limiting

TCP Intercept Configuration

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities