Details have emerged about a now-patched security vulnerability
in the Snort intrusion detection and prevention system that could
trigger a denial-of-service (DoS) condition and render it powerless
against malicious traffic.
Tracked as CVE-2022-20685, the vulnerability is
rated 7.5 for severity and resides in the Modbus preprocessor of
the Snort detection engine. It affects all open-source Snort
project releases earlier than 2.9.19 as well as version
3.1.11.0.
Maintained by Cisco, Snort[1]
is an open-source intrusion detection system (IDS) and intrusion
prevention system (IPS) that offers real-time network traffic
analysis to spot potential signs of malicious activity based on
predefined rules.
“The vulnerability, CVE-2022-20685, is an integer-overflow issue
that can cause the Snort Modbus OT preprocessor to enter an
infinite while loop[2],” Uri Katz, a security
researcher with Claroty, said[3]
in a report published last week. “A successful exploit keeps Snort
from processing new packets and generating alerts.”
Specifically, the shortcoming relates to how Snort processes
Modbus[4]
packets — an industrial data communications
protocol[5] used in supervisory
control and data acquisition (SCADA) networks — leading to a
scenario where an attacker can send a specially crafted packet to
an affected device.
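To make the failure mode in the report concrete, here is an added illustrative example in C, not Snort's code and not the actual CVE-2022-20685 defect (the page gives no source-level detail): a minimal walker over Modbus/TCP frames in a TCP segment whose 16-bit frame-size arithmetic can wrap to zero and stall the loop, beside a hardened walker that computes in size_t, validates the MBAP length field against the bytes present, and therefore always advances. The sample frames and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MBAP_HDR_LEN 6   /* transaction id, protocol id, length: 2 bytes each */
#define MBAP_LEN_OFF 4   /* offset of the big-endian length field in the header */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable pattern (illustrative only): frame size is computed in 16 bits, so
 * header + length can wrap to 0 and the offset stops moving. 'budget' exists
 * only so the hang is observable in a test; without it the loop never ends. */
int count_frames_vulnerable(const uint8_t *buf, size_t len, unsigned budget) {
    uint16_t off = 0, frames = 0;
    while (off + MBAP_HDR_LEN <= len) {
        uint16_t frame_len = (uint16_t)(MBAP_HDR_LEN + be16(buf + off + MBAP_LEN_OFF));
        off = (uint16_t)(off + frame_len);   /* frame_len == 0: same offset again */
        frames++;
        if (budget-- == 0) return -1;        /* report the hang instead of spinning */
    }
    return frames;
}

/* Hardened pattern: wide arithmetic, length checked against remaining bytes,
 * and a lower bound (unit id + function code) so every iteration makes progress. */
int count_frames_fixed(const uint8_t *buf, size_t len) {
    size_t off = 0; int frames = 0;
    while (off < len) {
        if (len - off < MBAP_HDR_LEN) return -1;            /* truncated header */
        size_t pdu_len = be16(buf + off + MBAP_LEN_OFF);    /* unit id + PDU, per MBAP */
        if (pdu_len < 2) return -1;                         /* too short to be a request */
        if (pdu_len > len - off - MBAP_HDR_LEN) return -1;  /* claims bytes not in buffer */
        off += MBAP_HDR_LEN + pdu_len;                      /* strictly increases */
        frames++;
    }
    return frames;
}

/* Constructed input: two well-formed "read holding registers" requests. */
const uint8_t SAMPLE_TWO_FRAMES[] = {
    0x00,0x01, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x0A,
    0x00,0x02, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x10, 0x00,0x0A };
/* Constructed input: length field 0xFFFA, so 6 + 0xFFFA wraps to 0 in 16 bits. */
const uint8_t SAMPLE_WRAPPING_LENGTH[] = {
    0x00,0x01, 0x00,0x00, 0xFF,0xFA, 0x01, 0x03, 0x00,0x00, 0x00,0x0A };

int main(void) {
    printf("vulnerable: %d / %d\n", count_frames_vulnerable(SAMPLE_TWO_FRAMES, sizeof SAMPLE_TWO_FRAMES, 1000),
           count_frames_vulnerable(SAMPLE_WRAPPING_LENGTH, sizeof SAMPLE_WRAPPING_LENGTH, 1000));
    printf("fixed: %d / %d\n", count_frames_fixed(SAMPLE_TWO_FRAMES, sizeof SAMPLE_TWO_FRAMES),
           count_frames_fixed(SAMPLE_WRAPPING_LENGTH, sizeof SAMPLE_WRAPPING_LENGTH));
    return 0;
}
```

The vulnerable walker returns -1 only because the budget guard stops it; the hardened walker rejects the same input up front without looping.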
“A successful exploit could allow the attacker to cause the
Snort process to hang, causing traffic inspection to stop,” Cisco
noted[6]
in an advisory published earlier this January addressing the
flaw.
In other words, exploitation of the issue could allow an
unauthenticated, remote attacker to create a denial-of-service
(DoS) condition on affected devices, effectively hindering Snort’s
ability to detect attacks and making it possible for malicious
packets to pass through the network uninspected.
“Successful exploits of vulnerabilities in network analysis
tools such as Snort can have devastating impacts on enterprise and
OT networks,” Katz said.
“Network analysis tools are an under-researched area that
deserves more analysis and attention, especially as OT networks are
increasingly being centrally managed by IT network analysts
familiar with Snort and other similar tools.”
References
Read more: https://thehackernews.com/2022/04/researchers-detail-bug-that-could.html