CVE-2021-40118

8.6 HIGH

📋 TL;DR

An unauthenticated remote attacker can send a malicious HTTPS request to Cisco ASA/FTD devices to trigger a denial of service condition, causing the device to reload. This affects Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software with vulnerable web services interface configurations.

💻 Affected Systems

Products:
  • Cisco Adaptive Security Appliance (ASA) Software
  • Cisco Firepower Threat Defense (FTD) Software
Versions: Multiple versions - see Cisco advisory for specific affected releases
Operating Systems: Cisco ASA OS, Cisco FTD OS
Default Config Vulnerable: ✅ No
Notes: Only affects devices with web services interface enabled (WebVPN or AnyConnect). Devices without these services configured are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete network outage while the firewall reloads, disrupting all traffic that passes through the device during the reload period.

🟠 Likely Case

Temporary service disruption lasting 1-5 minutes during the device reload, with dropped connections and brief network unavailability.

🟢 If Mitigated

No impact if the device is patched or the workarounds are properly implemented.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploit against internet-facing web services interface.
🏢 Internal Only: MEDIUM - Still exploitable from internal networks but requires attacker to have network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTPS request manipulation required. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple fixed releases - see Cisco advisory for specific versions

Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-KSqJAKPA

Restart Required: Yes

Instructions:

1. Check the current ASA/FTD version.
2. Download the appropriate fixed release from Cisco.
3. Apply the update following Cisco upgrade procedures.
4. Reboot the device to complete the installation.

🔧 Temporary Workarounds

Disable WebVPN/AnyConnect

Disable the vulnerable web services interface if it is not required. Both commands are entered in webvpn configuration mode; 'outside' is the interface on which WebVPN/AnyConnect was enabled (the same interface used in the ACL workaround).

webvpn
 no anyconnect enable
 no enable outside

Restrict Access with ACLs

Apply an access control list so that only trusted sources can reach HTTPS on the firewall itself. A normal interface ACL only filters traffic passing through the ASA; to filter traffic that terminates on the ASA (WebVPN/AnyConnect on port 443) the ACL must be applied with the control-plane keyword. The 192.0.2.0/24 network below is a placeholder for your trusted networks, and because the ACL ends in an implicit deny, add permits for any other to-the-box traffic the interface must still accept (management, IPsec) before applying it.

object-group network TRUSTED-NETWORKS
 network-object 192.0.2.0 255.255.255.0
access-list WEBVPN-ACL extended permit tcp object-group TRUSTED-NETWORKS any eq 443
access-group WEBVPN-ACL in interface outside control-plane

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable devices
  • Deploy intrusion prevention systems to detect and block exploit attempts

🔍 How to Verify

Check if Vulnerable:

Check whether WebVPN or AnyConnect is enabled:

show running-config | include webvpn|anyconnect

Check Version:

show version | include Version

Verify Fix Applied:

Verify that the running version is a fixed release: run 'show version' and compare the output against the fixed releases listed in the advisory.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected device reloads
  • WebVPN/AnyConnect service crashes
  • Multiple malformed HTTPS requests

Network Indicators:

  • Spike in HTTPS traffic to firewall on port 443
  • Unusual request patterns to WebVPN interface

SIEM Query:

source="asa.log" AND ("Reloading" OR "webvpn" OR "anyconnect") AND severity=ERROR
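The log and network indicators above, turned into a small detection routine as an added example that is not part of this page: it reads ASA syslog lines, flags any source that opens many connections to the firewall's own port 443 within a short window, and correlates that with a later startup message (the device came back from a reload). It assumes the ASA 302013 built-connection format with "identity" as the egress interface for to-the-box traffic and the 199002 startup message; both formats and the sample lines are assumptions/constructed, not taken from the advisory.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed ASA syslog formats (not quoted on the page): 302013 logs a built TCP
# connection, with "identity" as the egress interface when the connection ends on
# the firewall itself; 199002 is logged once the device has finished booting.
TS = r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d)"
BUILT_RE = re.compile(TS + r".*%ASA-6-302013: Built inbound TCP connection \d+ for "
                      r"\w+:(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) to identity:[\d.]+/443\b")
STARTUP_RE = re.compile(TS + r".*%ASA-6-199002: Startup completed")
def parse_ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")

def find_https_bursts(lines, window_s=10, threshold=5):
    """Map source IP -> when it first made `threshold` connections to the firewall's
    own :443 inside a sliding window of `window_s` seconds (lines in time order)."""
    recent, alerts = defaultdict(deque), {}
    for line in lines:
        m = BUILT_RE.search(line)
        if not m:
            continue
        ts, src = parse_ts(m["ts"]), m["src"]
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                      # forget hits older than the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts

def find_reloads(lines):
    """Timestamps of startup messages, i.e. the device came back from a reload."""
    return [parse_ts(m["ts"]) for m in map(STARTUP_RE.search, lines) if m]

def correlate(lines, lookback_s=300):
    """(src, burst_time, up_time) for every reload that followed a burst within lookback_s."""
    bursts = find_https_bursts(lines)
    return [(src, b, up) for up in find_reloads(lines) for src, b in bursts.items()
            if 0 <= (up - b).total_seconds() <= lookback_s]

# Constructed sample log: six rapid hits from one source, one from another, then a startup message.
def _built(ts, src, port, conn):
    return (f"{ts}: %ASA-6-302013: Built inbound TCP connection {conn} for outside:{src}/{port} "
            f"({src}/{port}) to identity:192.0.2.1/443 (192.0.2.1/443)")

SAMPLE_LOG = [_built(f"Mar 01 2021 12:00:0{i}", "198.51.100.7", 40000 + i, 1000 + i) for i in range(6)]
SAMPLE_LOG.append(_built("Mar 01 2021 12:00:03", "203.0.113.5", 51000, 2000))
SAMPLE_LOG.append("Mar 01 2021 12:01:40: %ASA-6-199002: Startup completed. Beginning operation.")
```

Tune window_s and threshold to the normal rate of legitimate AnyConnect logins on the device, otherwise a busy VPN head-end will alert on itself.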
