Multiple Cisco products are affected by a vulnerability with TCP Fast Open (TFO) when used in conjunction with the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to incorrect detection of the HTTP payload if it is contained at least partially within the TFO connection handshake. An attacker could exploit this vulnerability by sending crafted TFO packets with an HTTP payload through an affected device. A successful exploit could allow the attacker to bypass configured file policy for HTTP packets and deliver a malicious payload.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Cisco
  • 1100-4p Integrated Services Router
  • 1100-8p Integrated Services Router
  • 1101-4p Integrated Services Router
  • 1109-2p Integrated Services Router
  • 1109-4p Integrated Services Router
  • 1111x-8p Integrated Services Router
  • 4221 Integrated Services Router
  • 4321 Integrated Services Router
  • 4331 Integrated Services Router
  • 4351 Integrated Services Router
  • 4431 Integrated Services Router
  • 4451-x Integrated Services Router
  • 4461 Integrated Services Router
  • Csr 1000v
  • Firepower Management Center
  • Firepower Threat Defense
  • Ios Xe
  • Isa 3000
  • Meraki Mx100
  • Meraki Mx100 Firmware
  • Meraki Mx250
  • Meraki Mx250 Firmware
  • Meraki Mx450
  • Meraki Mx450 Firmware
  • Meraki Mx64
  • Meraki Mx64 Firmware
  • Meraki Mx64w
  • Meraki Mx64w Firmware
  • Meraki Mx67
  • Meraki Mx67 Firmware
  • Meraki Mx67c
  • Meraki Mx67c Firmware
  • Meraki Mx67w
  • Meraki Mx67w Firmware
  • Meraki Mx68
  • Meraki Mx68 Firmware
  • Meraki Mx68cw
  • Meraki Mx68cw Firmware
  • Meraki Mx68w
  • Meraki Mx68w Firmware
  • Meraki Mx84
  • Meraki Mx84 Firmware
Snort
  • Snort

Configuration 1 [-]

OR cpe:2.3:a:cisco:firepower_management_center:2.9.14.0:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_management_center:2.9.15:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_management_center:2.9.16:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_management_center:2.9.17:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_management_center:2.9.18:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_management_center:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND
cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*
OR cpe:2.3:h:cisco:1100-4p_integrated_services_router:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:1100-8p_integrated_services_router:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:1101-4p_integrated_services_router:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:1109-2p_integrated_services_router:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:1109-4p_integrated_services_router:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:1111x-8p_integrated_services_router:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:4221_integrated_services_router:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:4321_integrated_services_router:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:4331_integrated_services_router:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:4351_integrated_services_router:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:4431_integrated_services_router:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:4451-x_integrated_services_router:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:4461_integrated_services_router:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:csr_1000v:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:isa_3000:-:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:snort:snort:*:*:*:*:*:*:*:*

Configuration 4 [-]

AND
cpe:2.3:o:cisco:meraki_mx64_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:meraki_mx64:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND
cpe:2.3:o:cisco:meraki_mx64w_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:meraki_mx64w:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND
cpe:2.3:o:cisco:meraki_mx67_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:meraki_mx67:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND
cpe:2.3:o:cisco:meraki_mx67c_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:meraki_mx67c:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND
cpe:2.3:o:cisco:meraki_mx67w_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:meraki_mx67w:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND
cpe:2.3:o:cisco:meraki_mx68_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:meraki_mx68:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND
cpe:2.3:o:cisco:meraki_mx68cw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:meraki_mx68cw:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND
cpe:2.3:h:cisco:meraki_mx68w:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:meraki_mx68w_firmware:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND
cpe:2.3:h:cisco:meraki_mx100:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:meraki_mx100_firmware:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND
cpe:2.3:h:cisco:meraki_mx84:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:meraki_mx84_firmware:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND
cpe:2.3:h:cisco:meraki_mx250:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:meraki_mx250_firmware:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND
cpe:2.3:h:cisco:meraki_mx450:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:meraki_mx450_firmware:-:*:*:*:*:*:*:*

No data.

References
Link Providers
https://lists.debian.org/debian-lts-announce/2023/02/msg00011.html cve-icon cve-icon
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-tfo-bypass-MmzZrtes cve-icon cve-icon
https://www.debian.org/security/2023/dsa-5354 cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2021-01-13T21:16:53.450812Z

Updated: 2024-09-16T17:59:10.265Z

Reserved: 2020-11-13T00:00:00

Link: CVE-2021-1224

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-01-13T22:15:20.410

Modified: 2023-11-07T03:27:44.583

Link: CVE-2021-1224

cve-icon Redhat

No data.