Defense Digests

Cisco Snort Modbus Denial of Service Vulnerability

Table of content

EXECUTIVE SUMMARY:

Cisco has identified new vulnerabilities affecting a wide range of products:

Cybervision Software
Meraki MX Series Software
Firepower Threat Defense (FTD) Software – All platforms
1000 & 4000 series routers (ISRs)
Catalyst 8000V, 8300, 8500, 8500L Series Edge Platforms
Cloud Service Routers 1000V
Virtual Routers (ISRv)

“Snort” is an open source protocol which identifies malicious mobile network traffic. A successful attack would cause this process to stall and traffic inspection to cease. This would create a situation where no traffic is passing through the device, therefore denying services (i.e. Denial of Service, DoS attack).

ID: D3-2022-0002

Severity: 7.5 (HIGH)

IMPACT

This vulnerability covers a wide range of other products, but the risk to each is the same; a Denial of Service.

*For the Meraki MX series devices, exploitation of this vulnerability results in the bypass of inspection services. This could result in malicious traffic not generating alerts and in turn reaching devices that are located behind the MX series device. For this reason, the Security Impact Rating (SIR) for Meraki MX devices is Medium.

*For Cybervision, exploitation of this vulnerability results in the bypass of Snort intrusion detection (IDS) services. This could result in malicious traffic not generating alerts. Deep packet inspection (DPI) and anomaly detection services are not impacted. For this reason, the SIR for Cybervision software is Medium.

DETAILED ANALYSIS

This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop.

This vulnerability affects all open source Snort project releases earlier than Release 2.9.18 and Release 3.1.0.100. For more information, see the Snort website.

*Modbus inspection is enabled by default, but the Unified Threat Defense functionality (referenced below) is not installed by default.

DISCLOSED VULNERABILITIES

CVE-2022-20685Multiple Cisco Products Snort Modbus Denial of Service Vulnerability (High CVSS 7.5)

MITIGATION STEPS

Determine Whether UTD is Enabled

To determine whether UTD is enabled on a device, issue the show utd engine standard status command and check for a Yes under Running. The following output shows a device with UTD enabled:

Router# show utd engine standard status
Engine version       : 1.0.19_SV2.9.16.1_XE17.3
Profile              : Cloud-Low
System memory        :
Usage : 6.00 %
Status : Green
Number of engines    : 1

Engine Running Health Reason
===========================================
Engine(#1): Yes Green None
=======================================================

.
.
.

If there is no output after issuing the command, the device is not affected.

Upgrade Device Software

Licensed Users – Upgrade for free through Cisco or authorized reseller.
Unlicensed Users – Contact the Cisco TAC
- https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Cisco Cybervision Software Release	First Fixed Release for This Vulnerability
3.2 and earlier	Migrate to a fixed release.
4.0	4.0.2

Cisco FTD Software Release	First Fixed Release
6.2.2 and earlier	Migrate to a fixed release.
6.2.3	Migrate to a fixed release.
6.3.0	Migrate to a fixed release.
6.4.0	6.4.0.13
6.5.0	Migrate to a fixed release.
6.6.0	6.6.5.1
6.7.0	Migrate to a fixed release.
7.0.0	7.0.1

Cisco Meraki MX Software Release	First Fixed Release
MX14	Migrate to a fixed release.
MX15	Migrate to a fixed release.
MX16	Hot fix planned for mid-February 2022¹ Release planned for March 2022²