Uri Katz, a security researcher at Claroty, published a report last week describing a vulnerability in Snort that can create a denial-of-service (DoS) condition and blind the Snort intrusion detection and prevention system to malicious packets. The flaw is tracked as CVE-2022-20685 with a severity score of 7.5 (High). According to the report, attackers can exploit this flaw remotely. Successful exploitation could stop Snort from processing malicious traffic and triggering alerts. Since this vulnerability shuts down the intrusion detection capability itself, it is important to fix it as soon as possible. Let's see how to fix CVE-2022-20685, a denial of service vulnerability in the Snort intrusion detection and prevention system.
What Is Snort Intrusion Detection And Prevention System?
Snort is a network intrusion detection and prevention system that can be used to monitor network traffic in order to detect suspicious activity. Snort is capable of real-time traffic analysis and can be used to detect a variety of attacks and exploits, including denial of service attacks, buffer overflows, and malware. Snort is also able to perform protocol analysis and can be used to detect anomalies in network traffic.
Snort is a free and open-source IDS/IPS that is widely used by security professionals. Snort has a variety of features that make it a powerful tool for protecting networks, including the ability to perform real-time traffic analysis, protocol analysis, and packet logging. Snort is also highly configurable and can be customized to meet the specific needs of any organization. Snort is an important tool for any security professional and can be a valuable asset in protecting networks from attack.
Snort is a free and open-source network intrusion detection and prevention system. It can be used to detect and prevent attacks on a network or host. Snort was developed by Sourcefire, which was acquired by Cisco in 2013. The free version of Snort is available for download from the official website. It can be used for personal, non-commercial use only. The paid version of Snort, called Snort Plus, is available for purchase from the website. It includes additional features and support.
Summary Of CVE-2022-20685:
This is a vulnerability in the Snort Modbus preprocessor that can create a denial-of-service (DoS) condition and blind the Snort intrusion detection and prevention system to malicious packets. Successful exploitation could stop Snort from processing malicious traffic and generating alerts.
The vulnerability is due to an integer overflow that can cause the Snort Modbus OT preprocessor to enter an infinite while-loop. Adversaries can trigger it simply by sending crafted Modbus traffic through an affected device. A successful exploit could cause the Snort process to hang, so that traffic inspection stops. This puts the organization in a dangerous position, because it loses the ability to detect intrusions in the network while the sensor is stalled.
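As an added illustration of the bug class described above (this is not Snort's own code), the following Modbus/TCP ADU walker shows the two checks a preprocessor needs so that a crafted 16-bit length field can neither wrap the length arithmetic nor leave the read offset unchanged, which is the infinite-loop condition the advisory describes. The sample segments at the bottom are constructed, not captured traffic.

```c
/* Added illustration, not Snort's own code: walk the Modbus/TCP ADUs in one
 * reassembled TCP segment. The 16-bit MBAP length is widened before any
 * arithmetic (so it cannot wrap) and every loop iteration either returns or
 * advances the offset, so a crafted length field cannot stall the loop. */
#include <stddef.h>
#include <stdint.h>

#define MBAP_HDR_LEN 7      /* txid(2) proto(2) length(2) unit id(1) */
#define MODBUS_MAX_LEN 254  /* unit id + 253-byte maximum PDU */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the number of complete ADUs in buf, or -1 if the stream is malformed.
 * Every iteration either returns or advances off by at least 8 bytes. */
int modbus_count_adus(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < MBAP_HDR_LEN)
            return -1;                          /* truncated MBAP header */
        if (be16(buf + off + 2) != 0)
            return -1;                          /* protocol id must be 0 */
        /* length counts unit id + PDU; 0 or 1 means no PDU, so reject it
         * rather than letting the stride collapse to the header size or less */
        uint32_t mbap_len = be16(buf + off + 4);
        if (mbap_len < 2 || mbap_len > MODBUS_MAX_LEN)
            return -1;
        size_t adu_len = 6 + (size_t)mbap_len;  /* computed in size_t: no wrap */
        if (adu_len > len - off)
            return -1;                          /* ADU runs past the segment */
        count++;
        off += adu_len;                         /* strictly increasing */
    }
    return count;
}

/* Constructed sample segments (not captured traffic). */
const uint8_t kTwoReads[] = {   /* two Read Holding Registers requests */
    0x00,0x01, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x01,
    0x00,0x02, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x0A, 0x00,0x02 };
const uint8_t kZeroLength[] = { 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x01, 0x03 };
const uint8_t kHugeLength[] = { 0x00,0x01, 0x00,0x00, 0xFF,0xFF, 0x01, 0x03 };
```

A parser that instead trusted the length field for its stride would process the zero-length sample without ever moving forward; this version rejects it and keeps inspecting the next flow.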
| Field | Value |
|---|---|
| Associated CVE ID | CVE-2022-20685 |
| Description | A Denial of Service Vulnerability in Snort Modbus Preprocessor |
| Associated ZDI ID | |
| Attack Vector (AV) | |
| Attack Complexity (AC) | |
| Privilege Required (PR) | |
| User Interaction (UI) | |
Products Affected By CVE-2022-20685:
The flaw affects all versions of Snort earlier than v2.9.19 and v22.214.171.124. In effect, it affects multiple Cisco products and software releases that run the Modbus inspection preprocessor.
List of Cisco software on which Modbus inspection is enabled by default:
- Cyber Vision Software
- FirePOWER Services Software – All platforms
- Firepower Threat Defense (FTD) Software – All platforms
- Meraki MX Series Software
List of Cisco products affected by this vulnerability, if they are running a release earlier than the first fixed release of the Cisco Unified Threat Defense (UTD) Snort Intrusion Prevention System (IPS) Engine for Cisco IOS XE Software or of the Cisco UTD Engine for Cisco IOS XE SD-WAN Software:
- 1000 Series Integrated Services Routers (ISRs)
- 4000 Series Integrated Services Routers (ISRs)
- Catalyst 8000V Edge Software
- Catalyst 8200 Series Edge Platforms
- Catalyst 8300 Series Edge Platforms
- Catalyst 8500 Series Edge Platforms
- Catalyst 8500L Series Edge Platforms
- Cloud Services Routers 1000V
- Integrated Services Virtual Routers (ISRv)
How To Check Whether The Product Is Vulnerable To CVE-2022-20685?
The UTD service is one of the key factors in determining whether the device is vulnerable. If UTD is installed and running on the appliance, the product could be vulnerable. To find out whether UTD is installed or enabled, run the following command in the CLI. If you see Yes under Running, the product could be vulnerable. If the command produces no output, the product may not be affected.
Router# show utd engine standard status
Engine version : 1.0.19_SV126.96.36.199_XE17.3
Profile : Cloud-Low
System memory :
Usage : 6.00 %
Status : Green
Number of engines : 1
Engine Running Health Reason
Engine(#1): Yes Green None
Note: In its advisory, Cisco has confirmed the products that are not vulnerable to the CVE-2022-20685 flaw. No action is required for the products listed here:
- Adaptive Security Appliance (ASA) Software
- Firepower Management Center (FMC) Software
How To Fix CVE-2022-20685, A Denial Of Service Vulnerability In The Snort Modbus Preprocessor?
Cisco has responded to this vulnerability by releasing patched versions of Snort and of the affected Cisco products. Upgrade Snort to v2.9.19 or v188.8.131.52 to fix CVE-2022-20685, the denial of service vulnerability in Snort. See the tables below for the fixed versions:
| Cisco Snort Software Release | First Fixed Release |
|---|---|

| Cisco UTD Software Release | First Fixed Release |
|---|---|