Multiple Cisco products exposed to DoS attack due to a Snort issue

Cisco announced that a vulnerability in the Snort detection engine exposes several of its products to denial-of-service (DoS) attacks.

Cisco announced this week that several of its products are exposed to denial-of-service (DoS) attacks due to a vulnerability in the Snort detection engine.

The vulnerability resides in the Ethernet Frame Decoder of the Snort detection engine.

The vulnerability, tracked as CVE-2021-1285, can be exploited by an unauthenticated, adjacent attacker to trigger a DoS condition by sending it specially crafted Ethernet frames.

“The vulnerability is due to improper handling of error conditions when processing Ethernet frames. An attacker could exploit this vulnerability by sending malicious Ethernet frames through an affected device.” reads the advisory published by Cisco. “A successful exploit could allow the attacker to exhaust disk space on the affected device, which could result in administrators being unable to log in to the device or the device being unable to boot up correctly.”

The vulnerability has been rated high severity and received a CVSS score of 7.4.

The CVE-2021-1285 flaw affects all open source Snort project releases earlier than release 2.9.17.

The flaw affects multiple Cisco products running a vulnerable release of Cisco UTD Snort IPS Engine Software for IOS XE or Cisco UTD Engine for IOS XE SD-WAN Software and that are configured to pass Ethernet frames to the Snort detection engine:

1000 Series Integrated Services Routers (ISRs)
4000 Series Integrated Services Routers (ISRs)
Catalyst 8000V Edge Software
Catalyst 8200 Series Edge Platforms
Catalyst 8300 Series Edge Platforms
Cloud Services Router 1000V Series
Integrated Services Virtual Router (ISRv)

The vulnerability does not affect the following Cisco products:

3000 Series Industrial Security Appliances (ISAs)
Adaptive Security Appliance (ASA) Software
Catalyst 8500 Series Edge Platforms
Catalyst 8500L Series Edge Platforms
Firepower Management Center (FMC) Software
Firepower Threat Defense (FTD) Software¹
Meraki Security Appliances

Cisco has no evidence that this vulnerability has been exploited in malicious attacks.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Snort)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.