CVE-2021-34790 Overview
Multiple vulnerabilities in the Application Level Gateway (ALG) for the Network Address Translation (NAT) feature of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass the ALG and open unauthorized connections with a host located behind the ALG. This vulnerability has been publicly discussed as NAT Slipstreaming, a technique that allows attackers to remotely access any TCP/UDP service bound to a victim machine, bypassing the NAT/firewall protections.
Critical Impact
An unauthenticated remote attacker can bypass NAT ALG protections and establish unauthorized connections to internal hosts behind Cisco ASA or FTD firewalls, potentially exposing internal services to external threats.
Affected Products
- Cisco Adaptive Security Appliance (ASA) Software
- Cisco Firepower Threat Defense (FTD) Software
- Cisco ASA 5500-X Series (5505, 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5580, 5585-X)
Discovery Timeline
- October 27, 2021 - CVE-2021-34790 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-34790
Vulnerability Analysis
This vulnerability affects the Application Level Gateway (ALG) component within Cisco's NAT implementation. The ALG is responsible for inspecting and modifying application-layer protocol data as it passes through the firewall, ensuring proper NAT translation for protocols that embed IP addresses in their payloads. The flaw allows attackers to craft malicious network traffic that exploits weaknesses in how the ALG processes certain protocol data, enabling them to bypass NAT restrictions and establish connections to hosts on the internal network.
The vulnerability is classified under CWE-358 (Improperly Implemented Security Check for Standard) and CWE-20 (Improper Input Validation), indicating that the ALG fails to properly validate or implement security checks on incoming protocol data. This implementation weakness allows crafted packets to slip through the NAT boundary without proper authorization.
Root Cause
The root cause of this vulnerability lies in improper input validation within the NAT ALG processing logic. The ALG fails to adequately validate protocol-specific data embedded in network traffic, allowing specially crafted packets to manipulate the NAT translation tables. This enables an attacker to trick the firewall into opening pinhole connections that would normally be blocked by the NAT/firewall policy.
The NAT Slipstreaming technique exploits the trust relationship between the ALG and application-layer protocols (such as SIP, H.323, or FTP), where the firewall expects certain embedded IP address and port information to be legitimate. By crafting malicious payloads that abuse this trust, attackers can cause the firewall to create unauthorized NAT mappings.
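The following Python model is an added illustration, not Cisco's code and not the real ASA/FTD ALG implementation. It contrasts an ALG that trusts whatever endpoint a SIP/SDP-style payload advertises with one that checks the embedded endpoint against the packet's actual inside sender and a sane port range before a pinhole is created. The `Packet` class, the `INSIDE_NET` value, the port policy and the sample payloads are all assumptions constructed for this example.

```python
"""Toy model of NAT ALG pinhole validation (added example, not Cisco code).

The weak variant mirrors the CWE-20 pattern the advisory describes: the ALG
reads an address/port out of the application payload and opens a mapping for
it. The hardened variant only honours an embedded endpoint that actually
belongs to the inside host that sent the packet.
"""
import ipaddress
import re
from dataclasses import dataclass

# SDP-style lines (assumed, simplified):
#   c=IN IP4 <addr>        connection address the endpoint claims to use
#   m=<media> <port> ...   port the endpoint asks the peer to send to
C_LINE = re.compile(r"^c=IN IP4 (\S+)$", re.M)
M_LINE = re.compile(r"^m=\w+ (\d+) ", re.M)

# Assumed inside network protected by the firewall.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")
# Assumed policy: ALG pinholes may only land on ephemeral media ports.
ALLOWED_PINHOLE_PORTS = range(1024, 65536)


@dataclass(frozen=True)
class Packet:
    src_ip: str      # inside host that actually sent the packet
    payload: str     # application-layer data the ALG inspects


def extract_embedded_endpoint(payload):
    """Return the (addr, port) advertised inside the payload, or None."""
    c = C_LINE.search(payload)
    m = M_LINE.search(payload)
    if not c or not m:
        return None
    return c.group(1), int(m.group(1))


def naive_pinhole(pkt):
    """Weak pattern: open a mapping for whatever the payload claims."""
    return extract_embedded_endpoint(pkt.payload)


def validated_pinhole(pkt, inside_net=INSIDE_NET, allowed_ports=ALLOWED_PINHOLE_PORTS):
    """Hardened pattern: the embedded endpoint must be the real sender on a sane port."""
    ep = extract_embedded_endpoint(pkt.payload)
    if ep is None:
        return None
    addr, port = ep
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None                      # not even a well-formed address
    if ip != ipaddress.ip_address(pkt.src_ip):
        return None                      # payload points at a different host
    if ip not in inside_net:
        return None                      # outside the network the ALG serves
    if port not in allowed_ports:
        return None                      # would expose a non-media service port
    return addr, port


# Constructed sample packets.
LEGIT_PACKET = Packet("10.0.0.5", "v=0\nc=IN IP4 10.0.0.5\nm=audio 49170 RTP/AVP 0\n")
MISMATCHED_HOST_PACKET = Packet("10.0.0.5", "v=0\nc=IN IP4 10.0.0.7\nm=audio 8080 RTP/AVP 0\n")
LOW_PORT_PACKET = Packet("10.0.0.5", "v=0\nc=IN IP4 10.0.0.5\nm=audio 80 RTP/AVP 0\n")

if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT_PACKET),
                      ("mismatched host", MISMATCHED_HOST_PACKET),
                      ("low port", LOW_PORT_PACKET)]:
        print(f"{name:16s} naive={naive_pinhole(pkt)} validated={validated_pinhole(pkt)}")
```

The point of the comparison is that the naive ALG opens a mapping for the mismatched-host and low-port payloads exactly as it does for the legitimate one, while the validated ALG refuses both; a real ALG would additionally have to reconcile the embedded endpoint with the translation actually assigned to that host.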
Attack Vector
The attack can be executed remotely over the network without requiring authentication or user interaction. An attacker positioned on the external network can send specially crafted packets to a victim who is behind the vulnerable Cisco ASA or FTD device. When the victim's traffic passes through the ALG, the malicious payload causes the firewall to create unauthorized NAT entries, effectively punching holes through the firewall that allow the attacker to reach internal services.
The NAT Slipstreaming attack typically involves the following sequence:
- A victim behind the firewall is induced to access attacker-controlled content (e.g., a malicious website)
- The attacker's payload triggers ALG processing that manipulates the NAT tables
- The firewall creates unintended port mappings that allow external access to internal hosts
- The attacker can then connect directly to services on the internal network
Since no verified code examples are available for this vulnerability, organizations should refer to the Cisco Security Advisory for detailed technical information about the exploitation mechanism and specific protocol interactions involved.
Detection Methods for CVE-2021-34790
Indicators of Compromise
- Unexpected NAT translation entries appearing in the firewall's connection table
- Unusual inbound connections to internal hosts that bypass normal firewall policies
- Anomalous ALG-related protocol traffic (SIP, H.323, FTP) with suspicious payloads
- Unauthorized external connections to services that should only be accessible internally
Detection Strategies
- Monitor firewall logs for unexpected NAT pinhole creation events
- Implement deep packet inspection to identify malformed ALG protocol payloads
- Deploy intrusion detection systems with signatures for NAT Slipstreaming techniques
- Audit active NAT translations regularly to identify unauthorized mappings
Monitoring Recommendations
- Enable detailed logging for ALG processing events on Cisco ASA/FTD devices
- Configure alerts for new NAT translation entries that don't match expected application behavior
- Monitor for outbound connections to known NAT Slipstreaming test infrastructure
- Review connection logs for internal services receiving unexpected external connections
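The script below is an added detection example, not from this page and not Cisco-provided. It scans ASA-style syslog connection-build messages (IDs 302013 for TCP and 302015 for UDP) and reports inbound connections from the outside interface to inside host/port pairs that are not on an expected-exposure allowlist, which is one concrete way to act on the "unexpected inbound connections" indicator above. The sample log lines, the `EXPECTED_EXPOSURE` set and the interface names are constructed assumptions; confirm the message format against your own device's logging output before relying on the regular expression.

```python
"""Flag inbound ASA/FTD connections to inside hosts that should not be exposed.

Added example (not Cisco code). Assumes ASA syslog IDs 302013/302015 carry
"Built inbound|outbound TCP|UDP connection" messages in the shape shown in
SAMPLE_LOG; verify against real output before deploying.
"""
import re

BUILT_CONN = re.compile(
    r"%ASA-\d-3020(?:13|15): Built (?P<direction>inbound|outbound) "
    r"(?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\)"
)

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:10.0.0.10/443 (203.0.113.1/443)
%ASA-6-302013: Built outbound TCP connection 1002 for inside:10.0.0.5/40001 (203.0.113.1/40001) to outside:198.51.100.9/80 (198.51.100.9/80)
%ASA-6-302013: Built inbound TCP connection 1003 for outside:198.51.100.7/5555 (198.51.100.7/5555) to inside:10.0.0.5/8080 (203.0.113.1/8080)
%ASA-6-302015: Built inbound UDP connection 1004 for outside:198.51.100.7/5060 (198.51.100.7/5060) to inside:10.0.0.5/5060 (203.0.113.1/5060)
%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/5556 to 203.0.113.1/22 flags SYN on interface outside
"""

# Assumed allowlist: services the organisation deliberately publishes.
EXPECTED_EXPOSURE = {("10.0.0.10", 443, "TCP")}


def parse_built_connections(text):
    """Yield one dict per connection-build message found in the log text."""
    for m in BUILT_CONN.finditer(text):
        yield m.groupdict()


def find_unexpected_inbound(text, expected=EXPECTED_EXPOSURE, outside_if="outside"):
    """Return (dst_ip, dst_port, proto, src_ip) for inbound hits outside the allowlist.

    Only connections built from the outside interface count; outbound
    connections and unrelated message IDs are ignored.
    """
    hits = []
    for conn in parse_built_connections(text):
        if conn["direction"] != "inbound" or conn["src_if"] != outside_if:
            continue
        key = (conn["dst_ip"], int(conn["dst_port"]), conn["proto"])
        if key not in expected:
            hits.append(key + (conn["src_ip"],))
    return hits


if __name__ == "__main__":
    for dst_ip, dst_port, proto, src_ip in find_unexpected_inbound(SAMPLE_LOG):
        print(f"ALERT unexpected inbound {proto} {src_ip} -> {dst_ip}:{dst_port}")
```

A pinhole opened through the ALG shows up in this data as an inbound build to an inside host on a port nobody intended to publish, so the allowlist should be derived from the firewall's real NAT and access policy rather than typed in by hand; a hit that coincides with recent ALG activity for the same inside host is the case worth escalating.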
How to Mitigate CVE-2021-34790
Immediate Actions Required
- Apply the latest security patches from Cisco for ASA and FTD software immediately
- Review and audit current NAT ALG configurations for unnecessary protocol inspections
- Disable unused ALG functionality for protocols not required in your environment
- Implement additional access controls on internal services as defense-in-depth
Patch Information
Cisco has released security updates to address this vulnerability. Organizations should upgrade to a fixed software version as specified in the Cisco Security Advisory. The advisory contains detailed information about affected versions and the corresponding fixed releases for both Cisco ASA Software and Firepower Threat Defense Software.
Workarounds
- Disable specific ALG inspections for protocols not required in your environment
- Implement strict egress filtering to limit outbound connections from internal hosts
- Use network segmentation to isolate critical internal services from potential NAT bypass attacks
- Consider implementing additional perimeter security controls as a compensating measure
! Example: disable a specific ALG inspection on Cisco ASA (consult Cisco documentation for your environment)
! ASA CLI treats lines beginning with "!" as comments
! Enter configuration mode
configure terminal
! Remove SIP inspection from the default inspection class if it is not required
policy-map global_policy
 class inspection_default
  no inspect sip
! Leave configuration mode and save the running configuration
end
write memory
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.