Snort Flaw

An intrusion detection system called Snort has been found to have a security vulnerability, reported by the cyber security analysts at Team82. And this could trigger the occurrence of a denial of service (DoS) condition, making the system ineffective.

This security flaw has been assigned with CVE ID, “CVE-2022-20685,” and it has managed to achieve a 7.5 severity score. While in the Modbus preprocessor of the Snort detection engine this vulnerability has been identified.

In addition, there was a regression that affects all Snort open-source projects releases older than version:-

  • 2.9.19

In the security industry, Snort is a popular open-source intrusion detection system (IDS) and intrusion prevention system (IPS) which is sustained by Cisco.

Based on predefined rules, Snort is capable of detecting real-time signs of malicious activity based on network traffic analysis.

Snort Rules Could Trigger One of Three Actions

Here below we have mentioned all the actions that could be triggered by the Snort rules:-

  • Alert rules: Generate an alert
  • Log rules: Alert and log the alert
  • Pass rules: Ignore the packet

As part of Snort’s rule-writing functionality, there are a number of preprocessors that make it simpler to write rules and improve its detection capabilities.

Snort’s preprocessors are left on by default in this case allowing the network traffic to be analyzed and structured into objects that can be later specified in Snort rules.

Here we have mentioned some of the well-known Snort preprocessors below:-

  • ARP
  • DNS
  • SSH 
  • Some OT (operational technology) protocols like MODBUS/DNP3

CVE-2022-20685 Vulnerability

Here’s what a security researcher with Claroty, Uri Katz stated:-

“The vulnerability, CVE-2022-20685, is an integer-overflow issue that can cause the Snort Modbus OT preprocessor to enter an infinite while loop. A successful exploit keeps Snort from processing new packets and generating alerts.”

Due to what Snort does with Modbus packets, there is a situation in which an attacker could facilitate the transmission of a specially crafted Modbus packet into an affected system.

A remote attacker could be able to exploit the issue to create a denial-of-service (DoS) condition on affected devices as a result of an exploitation of the vulnerability without being authenticated.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.