Pierluigi Paganini April 21, 2022

CVE-2022-20685 flaw in the Modbus preprocessor of the Snort detection engine could trigger a DoS condition and make it ineffective against malicious traffic.

Snort is a free open source network intrusion detection system (IDS) and intrusion prevention system (IPS)  which is currently developed by Cisco.

The software performs real-time traffic analysis and packet logging on Internet Protocol (IP) networks, protocol analysis, content searching and matching. The project is also known for its use in attack detection.

Uri Katz, a security researcher at Claroty, detailed a flaw in the Modbus preprocessor of the Snort detection engine, tracked as CVE-2022-20685, that could trigger a DoS condition and make the software ineffective against malicious traffic.

The CVE-2022-20685 vulnerability is an integer-overflow issue that can cause the Snort Modbus OT preprocessor to enter an infinite while-loop.

According to the advisory, the vulnerability can be exploited by a remote attacker. The flaw affects all open-source Snort project releases earlier than 2.9.19 and release 3.1.11.0.

While researching Snort OT preprocessors, we decided to focus on Modbus because it was one of the more complex OT preprocessors Snort supports.

The researchers focused their analysis on Snort OT preprocessor, in particular in Modbus one because Modbus is a popular industrial protocol.

“An integer overflow vulnerability in the Snort Modbus OT preprocessor enables an attacker to remotely send a crafted packet to a vulnerable system, triggering an infinite while-loop and creating a denial-of-service condition.” reads the analysis published by Claroty that includes technical details about the issue.

“A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.” reads the security advisory published by Cisco. “This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop.”

The researchers pointed out that successful exploitation of this vulnerability can have devastating impacts on enterprise and OT networks. 

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, DoS)

[adrotate banner=”5″]

[adrotate banner=”13″]