Researchers Detail Bug That Could Paralyze Snort Intrusion Detection SystemSecurity Affairs

CVE-2022-20685 flaw in the Modbus preprocessor of the Snort detection engine could trigger a DoS condition and make it ineffective against malicious traffic.

Snort is a free open source network intrusion detection system (IDS) and intrusion prevention system (IPS) which is currently developed by Cisco.

The software performs real-time traffic analysis and packet logging on Internet Protocol (IP) networks, protocol analysis, content searching and matching. The project is also known for its use in attack detection.

Uri Katz, a security researcher at Claroty, detailed a flaw in the Modbus preprocessor of the Snort detection engine, tracked as CVE-2022-20685, that could trigger a DoS condition and make the software ineffective against malicious traffic.

The CVE-2022-20685 vulnerability is an integer-overflow issue that can cause the Snort Modbus OT preprocessor to enter an infinite while-loop.

According to the advisory, the vulnerability can be exploited by a remote attacker. The flaw affects all open-source Snort project releases earlier than 2.9.19 and release 3.1.11.0.

While researching Snort OT preprocessors, we decided to focus on Modbus because it was one of the more complex OT preprocessors Snort supports.

The researchers focused their analysis on Snort OT preprocessor, in particular in Modbus one because Modbus is a popular industrial protocol.

“An integer overflow vulnerability in the Snort Modbus OT preprocessor enables an attacker to remotely send a crafted packet to a vulnerable system, triggering an infinite while-loop and creating a denial-of-service condition.” reads the analysis published by Claroty that includes technical details about the issue.

“A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.” reads the security advisory published by Cisco. “This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop. ”

The researchers pointed out that successful exploitation of this vulnerability can have devastating impacts on enterprise and OT networks.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit:
https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs hacking, DoS)




Source

CVE-2022-20685 flaw in the Modbus preprocessor of the Snort detection engine could trigger a DoS condition and make it ineffective against malicious traffic.

Snort is a free open source network intrusion detection system (IDS) and intrusion prevention system (IPS) which is currently developed by Cisco.

The software performs real-time traffic analysis and packet logging on Internet Protocol (IP) networks, protocol analysis, content searching and matching. The project is also known for its use in attack detection.

Uri Katz, a security researcher at Claroty, detailed a flaw in the Modbus preprocessor of the Snort detection engine, tracked as CVE-2022-20685, that could trigger a DoS condition and make the software ineffective against malicious traffic.

The CVE-2022-20685 vulnerability is an integer-overflow issue that can cause the Snort Modbus OT preprocessor to enter an infinite while-loop.

According to the advisory, the vulnerability can be exploited by a remote attacker. The flaw affects all open-source Snort project releases earlier than 2.9.19 and release 3.1.11.0.

While researching Snort OT preprocessors, we decided to focus on Modbus because it was one of the more complex OT preprocessors Snort supports.

The researchers focused their analysis on Snort OT preprocessor, in particular in Modbus one because Modbus is a popular industrial protocol.

“An integer overflow vulnerability in the Snort Modbus OT preprocessor enables an attacker to remotely send a crafted packet to a vulnerable system, triggering an infinite while-loop and creating a denial-of-service condition.” reads the analysis published by Claroty that includes technical details about the issue.

“A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.” reads the security advisory published by Cisco. “This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop. ”

The researchers pointed out that successful exploitation of this vulnerability can have devastating impacts on enterprise and OT networks.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit:
https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs hacking, DoS)




Source

More from author

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Related posts

Advertismentspot_img

Latest posts

Senators Urge FTC to Probe ID.me Over Selfie Data – Krebs on Security

Some of more tech-savvy Democrats in the U.S. Senate are asking the Federal Trade Commission (FTC) to investigate identity-proofing company ID.me for “deceptive statements”...

Personal Information of Nearly Two Million Texans Exposed

The personal information of nearly two million Texans was exposed for nearly three years due to a programming issue at the Texas Department of...

Critical VMware Bug Exploits Continue, as Botnet Operators Jump In

Recently uncovered VMware vulnerabilities continue to anchor an ongoing wave of cyberattacks bent on dropping various payloads. In the latest spate of activity,...

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!