CVE-2021-1224

moderate-risk
Published 2021-01-13

Multiple Cisco products are affected by a vulnerability with TCP Fast Open (TFO) when used in conjunction with the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to incorrect detection of the HTTP payload if it is contained at least partially within the TFO connection handshake. An attacker could exploit this vulnerability by sending crafted TFO packets with an HTTP payload through an affected device. A successful exploit could allow the attacker to bypass configured file policy for HTTP packets and deliver a malicious payload.

Do I need to act?

-
0.48% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.8/10 Medium
NETWORK / LOW complexity

Affected Products (20)

Snort
Meraki Mx64 Firmware
Meraki Mx64W Firmware
Meraki Mx67 Firmware
Meraki Mx67C Firmware
Meraki Mx67W Firmware
Meraki Mx68 Firmware
Meraki Mx68Cw Firmware
Meraki Mx68W Firmware
Meraki Mx100 Firmware
Meraki Mx84 Firmware
Meraki Mx250 Firmware

Affected Vendors

Cisco Snort

References (6)

https://lists.debian.org/debian-lts-announce/2023/02/msg00011.html
Vendor Advisory https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-s...
https://www.debian.org/security/2023/dsa-5354
https://lists.debian.org/debian-lts-announce/2023/02/msg00011.html
Vendor Advisory https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-s...
https://www.debian.org/security/2023/dsa-5354
44
/ 100
moderate-risk
Severity 22/34 · High
Exploitability 2/34 · Minimal
Exposure 20/34 · Moderate