Multiple Cisco products exposed to DoS attack due to a Snort issue

Cisco announced that a vulnerability in the Snort detection engine exposes several of its products to denial-of-service (DoS) attacks.

Cisco announced this week that several of its products are exposed to denial-of-service (DoS) attacks due to a vulnerability in the Snort detection engine.

The vulnerability resides in the Ethernet Frame Decoder of the Snort detection engine.

The vulnerability, tracked as CVE-2021-1285, can be exploited by an unauthenticated, adjacent attacker to trigger a DoS condition by sending it specially crafted Ethernet frames.

“The vulnerability is due to improper handling of error conditions when processing Ethernet frames. An attacker could exploit this vulnerability by sending malicious Ethernet frames through an affected device.” reads the advisory published by Cisco. “A successful exploit could allow the attacker to exhaust disk space on the affected device, which could result in administrators being unable to log in to the device or the device being unable to boot up correctly.”

The vulnerability has been rated high severity and received a CVSS score of 7.4.

The CVE-2021-1285 flaw affects all open source Snort project releases earlier than release 2.9.17.

The flaw affects multiple Cisco products running a vulnerable release of Cisco UTD Snort IPS Engine Software for IOS XE or Cisco UTD Engine for IOS XE SD-WAN Software and that are configured to pass Ethernet frames to the Snort detection engine:

• 1000 Series Integrated Services Routers (ISRs)
• 4000 Series Integrated Services Routers (ISRs)
• Catalyst 8000V Edge Software
• Catalyst 8200 Series Edge Platforms
• Catalyst 8300 Series Edge Platforms
• Cloud Services Router 1000V Series
• Integrated Services Virtual Router (ISRv)

The vulnerability does not affect the following Cisco products:

• 3000 Series Industrial Security Appliances (ISAs)
• Adaptive Security Appliance (ASA) Software
• Catalyst 8500 Series Edge Platforms
• Catalyst 8500L Series Edge Platforms
• Firepower Management Center (FMC) Software
• Firepower Threat Defense (FTD) Software¹
• Meraki Security Appliances

Cisco has no evidence that this vulnerability has been exploited in malicious attacks.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Snort)

[adrotate banner=”5″]

[adrotate banner=”13″]