CVE-2021-1224 - Vulnerability Details

Multiple Cisco products are affected by a vulnerability with TCP Fast Open (TFO) when used in conjunction with the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to incorrect detection of the HTTP payload if it is contained at least partially within the TFO connection handshake. An attacker could exploit this vulnerability by sending crafted TFO packets with an HTTP payload through an affected device. A successful exploit could allow the attacker to bypass configured file policy for HTTP packets and deliver a malicious payload.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.01544.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cisco

Cisco Firepower Threat Defense Software

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:cisco:firepower_threat_defense::::::::
	cpe:2.3:a:cisco:secure_firewall_management_center:2.9.14.0:::::::*
	cpe:2.3:a:cisco:secure_firewall_management_center:2.9.15:::::::*
	cpe:2.3:a:cisco:secure_firewall_management_center:2.9.16:::::::*
	cpe:2.3:a:cisco:secure_firewall_management_center:2.9.17:::::::*
	cpe:2.3:a:cisco:secure_firewall_management_center:2.9.18:::::::*
	cpe:2.3:a:cisco:secure_firewall_management_center:3.0.1:::::::*

Configuration 2 [-]

AND

cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:cisco:1100-4p_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1100-8p_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1101-4p_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1109-2p_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1109-4p_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1111x-8p_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4221_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4321_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4331_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4351_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4431_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4451-x_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4461_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:csr_1000v:-:::::::*
	cpe:2.3:h:cisco:isa_3000:-:::::::*

Configuration 3 [-]

cpe:2.3:a:snort:snort:*:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:cisco:meraki_mx64_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:meraki_mx64:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:cisco:meraki_mx64w_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:meraki_mx64w:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:cisco:meraki_mx67_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:meraki_mx67:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:cisco:meraki_mx67c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:meraki_mx67c:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:cisco:meraki_mx67w_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:meraki_mx67w:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:cisco:meraki_mx68_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:meraki_mx68:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:cisco:meraki_mx68cw_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:meraki_mx68cw:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:cisco:meraki_mx68w_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:meraki_mx68w:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:cisco:meraki_mx100_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:meraki_mx100:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:cisco:meraki_mx84_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:meraki_mx84:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:cisco:meraki_mx250_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:meraki_mx250:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:cisco:meraki_mx450_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:meraki_mx450:-:*:*:*:*:*:*:*

No data.

Project Subscriptions

Vendors	Products
Cisco Subscribe	1100-4p Integrated Services Router Subscribe 1100-8p Integrated Services Router Subscribe 1101-4p Integrated Services Router Subscribe 1109-2p Integrated Services Router Subscribe 1109-4p Integrated Services Router Subscribe 1111x-8p Integrated Services Router Subscribe 4221 Integrated Services Router Subscribe 4321 Integrated Services Router Subscribe 4331 Integrated Services Router Subscribe 4351 Integrated Services Router Subscribe 4431 Integrated Services Router Subscribe 4451-x Integrated Services Router Subscribe 4461 Integrated Services Router Subscribe Csr 1000v Subscribe Firepower Threat Defense Subscribe Ios Xe Subscribe Isa 3000 Subscribe Meraki Mx100 Subscribe Meraki Mx100 Firmware Subscribe Meraki Mx250 Subscribe Meraki Mx250 Firmware Subscribe Meraki Mx450 Subscribe Meraki Mx450 Firmware Subscribe Meraki Mx64 Subscribe Meraki Mx64 Firmware Subscribe Meraki Mx64w Subscribe Meraki Mx64w Firmware Subscribe Meraki Mx67 Subscribe Meraki Mx67 Firmware Subscribe Meraki Mx67c Subscribe Meraki Mx67c Firmware Subscribe Meraki Mx67w Subscribe Meraki Mx67w Firmware Subscribe Meraki Mx68 Subscribe Meraki Mx68 Firmware Subscribe Meraki Mx68cw Subscribe Meraki Mx68cw Firmware Subscribe Meraki Mx68w Subscribe Meraki Mx68w Firmware Subscribe Meraki Mx84 Subscribe Meraki Mx84 Firmware Subscribe Secure Firewall Management Center Subscribe
Snort Subscribe	Snort Subscribe

Advisories

Source	ID	Title
Debian DLA	DLA-3317-1	snort security update
Debian DSA	DSA-5354-1	snort security update
EUVD	EUVD-2021-6691	Multiple Cisco products are affected by a vulnerability with TCP Fast Open (TFO) when used in conjunction with the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to incorrect detection of the HTTP payload if it is contained at least partially within the TFO connection handshake. An attacker could exploit this vulnerability by sending crafted TFO packets with an HTTP payload through an affected device. A successful exploit could allow the attacker to bypass configured file policy for HTTP packets and deliver a malicious payload.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2023/02/msg00011.html
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-tfo-bypass-MmzZrtes
https://www.debian.org/security/2023/dsa-5354

History

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00443}`	epss `{'score': 0.00486}`

Tue, 26 Nov 2024 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco secure Firewall Management Center
CPEs	cpe:2.3:a:cisco:firepower_management_center:2.9.14.0:::::::* cpe:2.3:a:cisco:firepower_management_center:2.9.15:::::::* cpe:2.3:a:cisco:firepower_management_center:2.9.16:::::::* cpe:2.3:a:cisco:firepower_management_center:2.9.17:::::::* cpe:2.3:a:cisco:firepower_management_center:2.9.18:::::::* cpe:2.3:a:cisco:firepower_management_center:3.0.1:::::::*	cpe:2.3:a:cisco:secure_firewall_management_center:2.9.14.0:::::::* cpe:2.3:a:cisco:secure_firewall_management_center:2.9.15:::::::* cpe:2.3:a:cisco:secure_firewall_management_center:2.9.16:::::::* cpe:2.3:a:cisco:secure_firewall_management_center:2.9.17:::::::* cpe:2.3:a:cisco:secure_firewall_management_center:2.9.18:::::::* cpe:2.3:a:cisco:secure_firewall_management_center:3.0.1:::::::*
Vendors & Products	Cisco firepower Management Center	Cisco secure Firewall Management Center

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2021-01-13T21:16:53.450812Z

Updated: 2024-11-12T20:48:38.628Z

Reserved: 2020-11-13T00:00:00

Link: CVE-2021-1224

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-01-13T22:15:20.410

Modified: 2024-11-26T16:09:02.407

Link: CVE-2021-1224

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object