Cisco Firepower Threat Defense Software SSH Connections Denial of Service Vulnerability [CVE-2021-34781]
CVE number – CVE-2021-34781
A vulnerability in the processing of SSH connections for multi-instance deployments of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device.
This vulnerability is due to a lack of proper error handling when an SSH session fails to be established. An attacker could exploit this vulnerability by sending a high rate of crafted SSH connections to the instance. A successful exploit could allow the attacker to cause resource exhaustion, which causes a DoS condition on the affected device. The device must be manually reloaded to recover.
Cisco has released software updates that address this vulnerability.
There are no workarounds that address this vulnerability.
Vulnerable Products
This vulnerability affects devices if they are running a vulnerable release of Cisco FTD Software that is configured for multi-instance operation. Multi-instance configuration support was introduced in Cisco FTD Software Release 6.3.0; earlier releases are not affected by this multi-instance vulnerability.
The only Cisco FTD Software platforms that support multi-instance operation are the following:
- Firepower 4100 Series Security Appliances
- Firepower 9300 Series Security Appliances
Note: Affected devices are vulnerable only when accessed from an IP address in the configured SSH command range. The SSH service is enabled by default on all devices that run Cisco FTD Software.
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
Determine the Device Configuration
To determine whether a device is providing multi-instance services, log in to the Cisco FXOS CLI and use the show app-instance command within the ssa scope. If the Deploy Type field has a value of Container, application instances are present and the device is vulnerable. The following example shows the command output for a vulnerable device:
firepower# scope ssa
firepower /ssa # show app-instance
| App Name | Identifier | Slot ID | Admin State | Oper State | Running Version | Startup Version | Deploy Type | Turbo Mode | Profile Name | Cluster State | Cluster Role |
| —– | ——- | —— | —— | —– | ——- | ——- | —— | —– | —– | ——- | ——- |
| ftd | ftd1 | 1 | Enabled | Online | 6.2.3.14 | 6.2.3.14 | Native | No | Not Applicable | None | |
| ftd | ftd2-1 | 2 | Enabled | Online | 6.4.0.4 | 6.4.0.4 | Container | No | mid | Not Applicable |
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-dos-rUDseW3r
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.