Researchers Detail Bug That Could Paralyze Snort Intrusion Detection System

Details have emerged about a now-patched security vulnerability in the Snort intrusion detection and prevention system that could trigger a denial-of-service (DoS) condition and render it powerless against malicious traffic.

Tracked as CVE-2022-20685, the vulnerability is rated 7.5 for severity and resides in the Modbus preprocessor of the Snort detection engine. It affects all open-source Snort project releases earlier than 2.9.19 as well as version

Maintained by Cisco, Snort is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS) that offers real-time network traffic analysis to spot potential signs of malicious activity based on predefined rules.

“The vulnerability, CVE-2022-20685, is an integer-overflow issue that can cause the Snort Modbus OT preprocessor to enter an infinite while loop,” Uri Katz, a security researcher with Claroty, said in a report published last week. “A successful exploit keeps Snort from processing new packets and generating alerts.”

Specifically, the shortcoming relates to how Snort processes Modbus packets — an industrial data communications protocol used in supervisory control and data acquisition (SCADA) networks — leading to a scenario where an attacker can send a specially crafted packet to an affected device.

“A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop,” Cisco noted in an advisory published earlier this January addressing the flaw.

In other words, exploitation of the issue could allow an unauthenticated, remote attacker to create a denial-of-service (DoS) condition on affected devices, effectively hindering Snort’s ability to detect attacks and making it possible to run malicious packets on the network. Read more:

You can also read this: Elementor Fixes Critical Bug in Popular WordPress Plugin

Leave a Reply

Your email address will not be published. Required fields are marked *