CVE-2021-34787

A vulnerability in the identity-based firewall (IDFW) rule processing feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass security protections. This vulnerability is due to improper handling of network requests by affected devices configured to use object group search. An attacker could exploit this vulnerability by sending a specially crafted network request to an affected device. A successful exploit could allow the attacker to bypass access control list (ACL) rules on the device, bypass security protections, and send network traffic to unauthorized hosts.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:cisco:adaptive_security_appliance:*:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
OR cpe:2.3:o:cisco:asa_5512-x_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5512-x_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:h:cisco:asa_5512-x:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
OR cpe:2.3:o:cisco:asa_5505_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5505_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:h:cisco:asa_5505:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
OR cpe:2.3:o:cisco:asa_5515-x_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5515-x_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:h:cisco:asa_5515-x:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
OR cpe:2.3:o:cisco:asa_5525-x_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5525-x_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:h:cisco:asa_5525-x:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
OR cpe:2.3:o:cisco:asa_5545-x_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5545-x_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:h:cisco:asa_5545-x:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
OR cpe:2.3:o:cisco:asa_5555-x_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5555-x_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:h:cisco:asa_5555-x:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
OR cpe:2.3:o:cisco:asa_5580_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5580_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:h:cisco:asa_5580:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
OR cpe:2.3:o:cisco:asa_5585-x_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5585-x_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:h:cisco:asa_5585-x:-:*:*:*:*:*:*:*

History

21 Nov 2024, 06:11

Type Values Removed Values Added
References () https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-rule-bypass-ejjOgQEY - Vendor Advisory () https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-rule-bypass-ejjOgQEY - Vendor Advisory

16 Aug 2023, 16:17

Type Values Removed Values Added
CPE cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*

29 Oct 2021, 12:31

Type Values Removed Values Added
References (CISCO) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-rule-bypass-ejjOgQEY - (CISCO) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-rule-bypass-ejjOgQEY - Vendor Advisory
CWE CWE-755
CPE cpe:2.3:h:cisco:asa_5512-x:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:asa_5505:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5545-x_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:a:cisco:adaptive_security_appliance:*:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5515-x_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5585-x_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:h:cisco:asa_5555-x:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5512-x_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:h:cisco:asa_5525-x:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:asa_5545-x:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5580_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5515-x_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5555-x_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:h:cisco:asa_5580:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:asa_5515-x:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5580_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5555-x_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5505_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5525-x_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5512-x_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:h:cisco:asa_5585-x:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5585-x_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5505_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5525-x_firmware:009.009:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asa_5545-x_firmware:009.012:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 4.3
v3 : 5.3

27 Oct 2021, 20:15

Type Values Removed Values Added
Summary A vulnerability in the identity-based firewall (IDFW) rule processing feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass security protections. This vulnerability is due to improper handling of network requests by affected devices configured to use object group search. An attacker could exploit this vulnerability by sending a specially crafted network request to an affected device. A successful exploit could allow the attacker to bypass access control list (ACL) rules on the device, bypass security protections, and send network traffic to unauthorized hosts. A vulnerability in the identity-based firewall (IDFW) rule processing feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass security protections. This vulnerability is due to improper handling of network requests by affected devices configured to use object group search. An attacker could exploit this vulnerability by sending a specially crafted network request to an affected device. A successful exploit could allow the attacker to bypass access control list (ACL) rules on the device, bypass security protections, and send network traffic to unauthorized hosts.

27 Oct 2021, 19:35

Type Values Removed Values Added
New CVE

Information

Published : 2021-10-27 19:15

Updated : 2024-11-21 06:11


NVD link : CVE-2021-34787

Mitre link : CVE-2021-34787

CVE.ORG link : CVE-2021-34787


JSON object : View

Products Affected

cisco

  • asa_5545-x_firmware
  • asa_5505
  • asa_5525-x_firmware
  • adaptive_security_appliance
  • asa_5580
  • asa_5505_firmware
  • asa_5555-x_firmware
  • asa_5555-x
  • asa_5525-x
  • asa_5580_firmware
  • asa_5512-x_firmware
  • asa_5515-x_firmware
  • asa_5515-x
  • asa_5545-x
  • asa_5512-x
  • asa_5585-x_firmware
  • asa_5585-x
  • adaptive_security_appliance_software
  • firepower_threat_defense
CWE
CWE-183

Permissive List of Allowed Inputs

CWE-755

Improper Handling of Exceptional Conditions