Details have emerged about a now-patched security vulnerability in the Snort intrusion detection and prevention system that could trigger a denial-of-service (DoS) condition and render it powerless against malicious traffic.
Tracked as CVE-2022-20685, the vulnerability is rated 7.5 for severity and resides in the Modbus preprocessor of the Snort detection engine. It affects all open-source Snort project releases earlier than 2.9.19 as well as version 18.104.22.168.
Maintained by Cisco, Snort is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS) that offers real-time network traffic analysis to spot potential signs of malicious activity based on predefined rules.
“The vulnerability, CVE-2022-20685, is an integer-overflow issue that can cause the Snort Modbus OT preprocessor to enter an infinite while loop,” Uri Katz, a security researcher with Claroty, said in a report published last week. “A successful exploit keeps Snort from processing new packets and generating alerts.”
Specifically, the shortcoming relates to how Snort processes Modbus packets — an industrial data communications protocol used in supervisory control and data acquisition (SCADA) networks — leading to a scenario where an attacker can send a specially crafted packet to an affected device.
“A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop,” Cisco noted in an advisory published earlier this January addressing the flaw.
In other words, exploitation of the issue could allow an unauthenticated, remote attacker to create a denial-of-service (DoS) condition on affected devices, effectively hindering Snort’s ability to detect attacks and making it possible to run malicious packets on the network.
“Successful exploits of vulnerabilities in network analysis tools such as Snort can have devastating impacts on enterprise and OT networks,” Katz said.
“Network analysis tools are an under-researched area that deserves more analysis and attention, especially as OT networks are increasingly being centrally managed by IT network analysts familiar with Snort and other similar tools.”