CVE-2021-34787: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

A vulnerability (CVE-2021-34787) was discovered in the identity-based firewall (IDFW) rule processing feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The vulnerability was first published on October 27, 2021, and affects devices configured to use object group search. This security flaw could allow an unauthenticated, remote attacker to bypass security protections (Cisco Advisory).

The vulnerability stems from improper handling of network requests by affected devices configured to use object group search. It has been assigned a CVSS base score of 5.3 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X. The vulnerability is tracked under CWE-183 and was discovered during the resolution of a Cisco TAC support case (Cisco Advisory).

A successful exploitation of this vulnerability could allow an attacker to bypass access control list (ACL) rules on the device, bypass security protections, and send network traffic to unauthorized hosts. The overall impact of exploitation is organization-specific as it depends on the importance of the assets that the ACL was supposed to protect (Cisco Advisory).

Cisco has released software updates that address this vulnerability. For ASA Software, fixed versions include 9.8.4.40, 9.12.4.25, 9.14.3.1, 9.15.1.17, and 9.16.1.28. For FTD Software, fixed versions include 6.4.0.13, 6.6.5, 6.7.0.3, and 7.0.1. There are no workarounds available for this vulnerability, and customers are advised to upgrade to a supported release that includes the fix (Cisco Advisory).