
Defense Digests

Cisco Snort Modbus Denial of Service Vulnerability


EXECUTIVE SUMMARY:

Cisco has disclosed a vulnerability in the Snort detection engine embedded in a wide range of its products:

  • Cybervision Software
  • Meraki MX Series Software
  • Firepower Threat Defense (FTD) Software, all platforms
  • 1000 and 4000 Series Integrated Services Routers (ISRs)
  • Catalyst 8000V, 8300, 8500 and 8500L Series Edge Platforms
  • Cloud Services Router 1000V (CSR 1000V)
  • Integrated Services Virtual Router (ISRv)

Snort is the open source intrusion detection and prevention engine (IDS/IPS) these products use to inspect network traffic. A successful attack causes the Snort process to hang, so traffic inspection stops. On most of the affected platforms this leaves no traffic passing through the device, i.e. a Denial of Service (DoS); on Meraki MX and Cybervision the effect is instead that traffic passes without being inspected (see Impact below).

 

ID: D3-2022-0002

Severity: 7.5 (HIGH)

IMPACT

This vulnerability affects a wide range of products, and for most of them the risk is the same: a Denial of Service. Two platforms behave differently.

*For the Meraki MX series devices, exploitation of this vulnerability results in the bypass of inspection services. This could result in malicious traffic not generating alerts and in turn reaching devices that are located behind the MX series device. For this reason, the Security Impact Rating (SIR) for Meraki MX devices is Medium.

*For Cybervision, exploitation of this vulnerability results in the bypass of Snort intrusion detection (IDS) services. This could result in malicious traffic not generating alerts. Deep packet inspection (DPI) and anomaly detection services are not impacted. For this reason, the SIR for Cybervision software is Medium.

DETAILED ANALYSIS

This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop.

This vulnerability affects all open source Snort project releases earlier than Release 2.9.18 and Release 3.1.0.100. For more information, see the Snort website.

*On IOS XE routers, Modbus inspection is enabled by default in Snort, but the Unified Threat Defense (UTD) functionality that runs Snort (referenced below) is not installed by default. A router without UTD installed is therefore not affected.

DISCLOSED VULNERABILITIES

    • CVE-2022-20685: Multiple Cisco Products Snort Modbus Denial of Service Vulnerability (High, CVSS 7.5)

     MITIGATION STEPS

    Determine Whether UTD is Enabled

    To determine whether UTD is enabled on an IOS XE device, issue the show utd engine standard status command and check for a Yes under Running. The following output (abbreviated) shows a device with UTD enabled:

    Router# show utd engine standard status
    Engine version       : 1.0.19_SV2.9.16.1_XE17.3
    Profile              : Cloud-Low
    System memory        :
    Usage  : 6.00 %
    Status : Green
    Number of engines    : 1

     

    Engine        Running    Health     Reason
    ===========================================
    Engine(#1):   Yes        Green      None
    =======================================================


    .
    .
    .

    If there is no output after issuing the command, UTD is not installed and the device is not affected. If an engine is running, compare the device software release against the fixed releases in the tables below.

     

    Upgrade Device Software

    Cisco Cybervision Software Release    First Fixed Release for This Vulnerability
    3.2 and earlier                       Migrate to a fixed release.
    4.0                                   4.0.2

    Cisco FTD Software Release            First Fixed Release
    6.2.2 and earlier                     Migrate to a fixed release.
    6.2.3                                 Migrate to a fixed release.
    6.3.0                                 Migrate to a fixed release.
    6.4.0                                 6.4.0.13
    6.5.0                                 Migrate to a fixed release.
    6.6.0                                 6.6.5.1
    6.7.0                                 Migrate to a fixed release.
    7.0.0                                 7.0.1

    Cisco Meraki MX Software Release      First Fixed Release
    MX14                                  Migrate to a fixed release.
    MX15                                  Migrate to a fixed release.
    MX16                                  Hot fix planned for mid-February 2022 (1);
                                          release planned for March 2022 (2)

    (1) The hotfix is planned for the MX67, MX68, MX75, MX80, MX84, MX85, MX95, MX100, MX105, MX250, MX250M, MX400, MX450 and MX600 platforms.

    (2) The release is planned for the MX64 and MX65 platforms.

    Cisco UTD Software Release (IOS XE)   First Fixed Release
    16.12                                 16.12.7
    17.3                                  17.3.5
    17.6                                  17.6.2
    17.7                                  Not vulnerable.

    Cisco Snort Software Release          First Fixed Release
    2.x                                   2.9.18
    3.x                                   3.1.0.100
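The two checks above (is a UTD engine running, and is the installed release older than the first fixed release) are easy to get wrong when done by eye across a fleet of routers. The following script is an added example, not code from Cisco, Snort or the original digest: it parses captured `show utd engine standard status` output, reads the Snort version out of the engine version string, and compares both the Snort version and the IOS XE release against the fixed releases listed in this advisory. It assumes that the `SV` and `XE` tokens in the engine version string (`1.0.19_SV2.9.16.1_XE17.3` in the output above) carry the Snort and IOS XE versions; that reading of the string is an assumption, and the Cisco UTD table remains the authoritative check. The sample output is constructed from the example above.

```python
"""Triage helper for CVE-2022-20685 on Cisco IOS XE routers running UTD.

Added example. The fixed-release values come from the advisory tables;
the meaning of the SV/XE tokens in the engine version string is an
assumption, not something the advisory states.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the advisory's example output, abbreviated.
SAMPLE_UTD_STATUS = """\
Router# show utd engine standard status
Engine version       : 1.0.19_SV2.9.16.1_XE17.3
Profile              : Cloud-Low
System memory        :
Usage  : 6.00 %
Status : Green
Number of engines    : 1

Engine        Running    Health     Reason
===========================================
Engine(#1):   Yes        Green      None
=======================================================
"""

# First fixed open source Snort release per train (from the advisory).
SNORT_FIXED = {2: (2, 9, 18), 3: (3, 1, 0, 100)}

# First fixed Cisco UTD release per IOS XE train (from the advisory).
# None means the train is listed as not vulnerable.
UTD_FIXED: Dict[str, Optional[str]] = {
    "16.12": "16.12.7",
    "17.3": "17.3.5",
    "17.6": "17.6.2",
    "17.7": None,
}


def parse_version(s: str) -> Tuple[int, ...]:
    """Numeric components only; a rebuild suffix such as '17.3.4a' compares as 17.3.4."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def utd_running(output: str) -> bool:
    """True if any 'Engine(#n):' row reports Yes under Running.
    Empty output (command not recognised, UTD not installed) yields False."""
    for line in output.splitlines():
        m = re.match(r"\s*Engine\(#\d+\):\s+(\w+)", line)
        if m and m.group(1).lower() == "yes":
            return True
    return False


def engine_components(output: str) -> Optional[Tuple[str, str]]:
    """Return (snort_version, xe_train) from the 'Engine version' line.
    ASSUMPTION: 'SV' is the Snort version and 'XE' the IOS XE train."""
    m = re.search(r"Engine version\s*:\s*\S*?_SV([\d.]+)_XE([\d.]+)", output)
    if not m:
        return None
    return m.group(1), m.group(2)


def snort_vulnerable(snort_version: str) -> Optional[bool]:
    """Older than 2.9.18 on the 2.x train or 3.1.0.100 on the 3.x train."""
    v = parse_version(snort_version)
    fixed = SNORT_FIXED.get(v[0]) if v else None
    if fixed is None:
        return None  # train not covered by the advisory
    return v < fixed  # tuple comparison; (2,9,16,1) < (2,9,18)


def utd_vulnerable(xe_release: str) -> Optional[bool]:
    """Compare a full IOS XE release (e.g. '17.3.4', from 'show version')
    against the first fixed UTD release for its train."""
    v = parse_version(xe_release)
    train = ".".join(str(x) for x in v[:2])
    if train not in UTD_FIXED:
        return None  # train not covered by the advisory
    fixed = UTD_FIXED[train]
    if fixed is None:
        return False
    return v < parse_version(fixed)


def triage(output: str, xe_release: Optional[str] = None) -> dict:
    """Apply the advisory's logic: no running engine means not affected;
    otherwise flag the device if either version check says vulnerable."""
    result = {"utd_running": utd_running(output), "snort_version": None,
              "snort_vulnerable": None, "utd_vulnerable": None, "affected": False}
    if not result["utd_running"]:
        return result
    comps = engine_components(output)
    if comps:
        result["snort_version"] = comps[0]
        result["snort_vulnerable"] = snort_vulnerable(comps[0])
    if xe_release:
        result["utd_vulnerable"] = utd_vulnerable(xe_release)
    result["affected"] = bool(result["snort_vulnerable"]) or bool(result["utd_vulnerable"])
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_UTD_STATUS, xe_release="17.3.4"))
```

Feed `triage()` the output collected from each router (for example via a Netmiko or Ansible job) together with the release from `show version`; the Snort-version check is a fallback for devices where the full IOS XE release is not at hand, and a `None` result means the train is outside the advisory's tables and needs a manual look.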

     

     SOURCES

 

CONTRIBUTING AUTHORS

  • Stephen Jones, Vice President, Cybersecurity Services
  • Sam Bourgeois, vCISO
  • Maximo Bredfeldt, vCISO
