CVE-2021-34791: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

CVE-2021-34791 is a vulnerability in the File Transfer Protocol (FTP) Application Level Gateway (ALG) for the Network Address Translation (NAT) feature of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. This vulnerability was publicly disclosed on October 27, 2021, and has been discussed as part of NAT Slipstreaming attacks. The vulnerability affects Cisco ASA Software and Cisco FTD Software, with the FTP ALG being enabled by default (Cisco Advisory).

The vulnerability is caused by insufficient traffic validation for the FTP ALG. It has been assigned a CVSS Base Score of 4.7 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N. The vulnerability is tracked under Cisco Bug ID CSCvx50914 and has been classified with CWE-358. The FTP ALG is enabled by default in the affected software versions (Cisco Advisory).

A successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to bypass the ALG and open unauthorized connections with a host located behind the ALG. This could enable the attacker to undertake actions leveraging the compromised host (Cisco Advisory).

While there are no direct workarounds for this vulnerability, Cisco has released software updates that address the issue. As a mitigation, customers who do not need the FTP ALG can disable it to reduce the attack surface. This can be accomplished from the CLI for Cisco ASA Software or by using FlexConfig for Cisco FTD Software. Fixed versions include ASA Software 9.8.4.40, 9.12.4.18, 9.14.2.15, 9.15.1.15, and FTD Software 6.4.0.12, 6.6.5, 6.7.0.2 (Cisco Advisory).

The vulnerability was discovered through public discussion of NAT Slipstreaming attacks, indicating significant attention from the security research community (Cisco Advisory).