Medium Advisory ID: cisco-sa-sni-data-exfil-mFgzXqLN First Published: 2021 August 18 16:00 GMT Version 1.0: Interim Workarounds: No workarounds available Cisco Bug IDs: CSCvy50873CSCvy64824CSCvy76771 CVSS Score: Base 5.8 CVE-2021-34749 CWE-200 Download CVRF Email
- A vulnerability in Server Name Identification (SNI) request filtering of Cisco Web Security Appliance (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine could allow an unauthenticated, remote attacker to bypass filtering technology on an affected device and exfiltrate data from a compromised host. This vulnerability is due to inadequate filtering of the SSL handshake. An attacker could exploit this vulnerability by using data from the SSL client hello packet to communicate with an external server. A successful exploit could allow the attacker to execute a command-and-control attack on a compromised host and perform additional data exfiltration attacks. There are no workarounds that address this vulnerability. This advisory is available at the following link:
- Cisco is investigating its product line to determine which products may be affected by this vulnerability. As the investigation progresses, Cisco will update this advisory with information about affected products. Products Under Investigation The following products are under active investigation to determine whether they are affected by the vulnerability that is described in this advisory:
- 1000 Series Integrated Services Routers (ISRs)
- 4000 Series ISRs
- Catalyst 8000V Edge Software
- Catalyst 8200 Series Edge Platforms
- Catalyst 8300 Series Edge Platforms
- Catalyst 8500L Edge Platforms
- Cloud Services Router 1000V Series (CSR 1000V)
- Integrated Services Virtual Router (ISRv)
- Meraki Security Appliances, all modelsVulnerable Products At the time of publication, this vulnerability affected all open source Snort project releases earlier than Release 2.9.18. For more information on open source Snort, see the Snort website. At the time of publication, this vulnerability affected the following Cisco products:
- 3000 Series Industrial Security Appliances (ISAs)
- FTD Software
- WSA SoftwareFor information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following products:
- Adaptive Security Appliance (ASA) Software
- Catalyst 8500 Edge Platforms
- Firepower Management Center (FMC) Software
- Open Source Snort 3
- Using SNIcat or a similar tool, a remote attacker can exfiltrate data in an SSL client hello packet because the return server hello packet from a server on the blocked list is not filtered. This communication can be used to execute a command-and-control attack on a compromised host or perform additional data exfiltration attacks.
Indicators of Compromise
- The Cisco Security Indicators of Compromise Reference Guide lists commonly observed IoCs, which can help identify devices that may have been impacted by the vulnerability disclosed in this Cisco security advisory.
- There are no workarounds that address this vulnerability.
- When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. For information about fixed software releases, see the Details section in the bug ID(s) at the top of this advisory.
Exploitation and Public Announcements
- The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory. The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.
- Cisco would like to thank Morten Marstrander and Alvaro Gutierrez from mnemonic, along with Matteo Malvica, for discovering and reporting this vulnerability.
- Version Description Section Status Date 1.0 Initial public release. – Interim 2021-AUG-18
- THIS DOCUMENT IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.