Multiple vulnerabilities in the Server Message Block Version 2 (SMB2) processor of the Snort detection engine on multiple Cisco products could allow an unauthenticated, remote attacker to bypass the configured policies or cause a denial of service (DoS) condition on an affected device. These vulnerabilities are due to improper management of system resources when the Snort detection engine is processing SMB2 traffic. An attacker could exploit these vulnerabilities by sending a high rate of certain types of SMB2 packets through an affected device. A successful exploit could allow the attacker to trigger a reload of the Snort process, resulting in a DoS condition. Note: When the snort preserve-connection option is enabled for the Snort detection engine, a successful exploit could also allow the attacker to bypass the configured policies and deliver a malicious payload to the protected network. The snort preserve-connection setting is enabled by default. See the Details section of this advisory for more information. Note: Only products that have Snort 3 configured are affected. Products that are configured with Snort 2 are not affected. Cisco has released software updates that address these vulnerabilities. There are workarounds that address these vulnerabilities. This advisory is available at the following link:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-smb-3nfhJtr This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.
Multiple vulnerabilities in the Server Message Block Version 2 (SMB2) processor of the Snort detection engine on multiple Cisco products could allow an unauthenticated, remote attacker to bypass the configured policies or cause a denial of service (DoS) condition on an affected device.
These vulnerabilities are due to improper management of system resources when the Snort detection engine is processing SMB2 traffic. An attacker could exploit these vulnerabilities by sending a high rate of certain types of SMB2 packets through an affected device. A successful exploit could allow the attacker to trigger a reload of the Snort process, resulting in a DoS condition.
Note: When the snort preserve-connection option is enabled for the Snort detection engine, a successful exploit could also allow the attacker to bypass the configured policies and deliver a malicious payload to the protected network. The snort preserve-connection setting is enabled by default. See the Details section of this advisory for more information.
Note: Only products that have Snort 3 configured are affected. Products that are configured with Snort 2 are not affected.
Cisco has released software updates that address these vulnerabilities. There are workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-smb-3nfhJtr
This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.
At the time of publication, these vulnerabilities affected Open Source Snort 3.
For information about which Snort releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. For more information on Snort, see the Snort website.
At the time of publication, these vulnerabilities affected the following Cisco products if they were running a vulnerable release of Cisco software:
For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
On new installations of Cisco FTD Software releases 7.0.0 and later, Snort 3 is running by default. On devices that were running Cisco FTD Software Release 6.7.0 or earlier and were upgraded to Release 7.0.0 or later, Snort 2 is running by default.
To determine whether Snort 3 is configured on a device that is running Cisco FTD Software, log in to the Cisco FTD Software CLI and use the show snort3 status command. If the command produces the following output, the device is running Snort 3 and is affected by these vulnerabilities:
show snort3 status
Currently running Snort 3
To determine whether Snort 3 is configured on a device that is managed by Cisco Firepower Management Center (FMC) Software, complete the following steps:
To determine whether Snort 3 is configured on a device that is managed by Cisco Firepower Device Manager (FDM) Software, complete the following steps:
To determine whether Snort 3 is configured on a device that is managed by Cisco Defense Orchestrator, complete the following steps:
Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect the following products:
The impact of these vulnerabilities can be twofold, depending on whether the snort preserve-connection setting is enabled or disabled and whether a traffic flow began before the Snort process went down or began while the Snort process was down.
The behavior for traffic flows that were established before the Snort process went down is configuration dependent. The behavior for traffic flows that begin while the Snort process is down is not configuration dependent and always results in a DoS condition. For details on the snort preserve-connection setting, see the Cisco Secure Firewall Threat Defense Command Reference and the Snort Restart Traffic Behavior section of the Firepower Management Center Configuration Guide.
When the snort preserve-connection option is enabled for the Snort detection engine, existing traffic flow are not dropped when the Snort process goes down. Instead, existing traffic flows bypass the Snort detection engine. A successful exploit could allow an attacker to bypass the configured policies and deliver a malicious payload to the protected network. Traffic flows that begin while the Snort process is down are dropped, resulting in a DoS condition.
The CVSS score for existing traffic flows is as follows: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
The CVSS score for new traffic flows is as follows: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
When the snort preserve-connection option is disabled for the Snort detection engine, existing traffic flows are dropped. A successful exploit could result in a DoS condition. Traffic flows that begin while the Snort process is down are also dropped, resulting in a DoS condition.
The CVSS score is the same for both new and existing traffic flows: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
The snort preserve-connection setting is enabled by default. To view the current setting, log in to the Cisco FTD Software CLI and use the show running-config | include snort command. There are no GUI options for viewing the setting.
If the command produces the following output, snort preserve-connection is enabled on the device:
> show running-config | include snort
snort preserve-connection
>
If the command produces the following output, snort preserve-connection is disabled on the device:
> show running-config | include snort
no snort preserve-connection
>
There is a workaround that addresses these vulnerabilities. To remove the attack vector for these vulnerabilities for Cisco FMC Software-managed devices and Cisco Defense Orchestrator-managed devices, configure a fastpath prefilter rule to bypass the Snort detection engine. To remove the attack vector for these vulnerabilities for Cisco Firepower Device Manager (FDM)-managed devices, configure an access control rule to bypass the Snort detection engine.
To configure a fastpath prefilter rule for SMB traffic for Cisco FMC Software-managed devices, do the following:
To associate the SMB prefilter policy with the access control policy deployed on Cisco FMC Software-managed devices, do the following:
For more information, see the Prefiltering and Prefilter Policies chapter of the Firepower Management Center Device Configuration Guide.
Fastpath is not supported on Cisco FDM-managed devices. Instead, set an access control policy with an action of trust for the appropriate ports.
To configure an access control policy to bypass SMB traffic for Cisco FDM-managed devices, do the following:
For more information, see the Access Control Chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
To configure a fastpath prefilter rule for SMB traffic for Cisco Defense Orchestrator-managed devices, do the following:
To associate the SMB prefilter policy with the access control policy deployed on Cisco Defense Orchestrator-managed devices, do the following:
For more information, see the Cisco Defense Orchestrator website.
While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker. This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories that the Software Checker identifies (“Combined First Fixed”).
To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps:
For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide.
At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Cisco Cyber Vision Release | First Fixed Release for CVE-2022-20922 and CVE-2022-20943 |
---|---|
3.x | Migrate to a fixed release. |
4.0 | Migrate to a fixed release. |
4.1 | 4.1.2 |
Cisco Meraki MX Security Appliances Release | First Fixed Release for CVE-2022-20922 | First Fixed Release for CVE-2022-20943 |
---|---|---|
MX15 and earlier | None planned. | Migrate to a fixed release. |
MX16 | None planned. | Hotfix available for 16.6.7 (Nov 22, 2022) |
MX17 | None planned. | Hotfix available for 17.11.1 (Nov 22, 2022) |
MX18 | None planned. | Hotfix available for 18.1.3 (Nov 22, 2022) |
Snort Release | First Fixed Release for CVE-2022-20922 | First Fixed Release for CVE-2022-20943 |
---|---|---|
2.x | Not vulnerable | Not vulnerable |
3.x | 3.1.31.0 | Not vulnerable |
Cisco plans to address these vulnerabilities in Cisco Umbrella SIG, which is cloud based. No user action is required.
Customers who need additional information are advised to contact Cisco Umbrella Support at umbrella-support@cisco.com or their contracted maintenance providers.
For help determining the best Cisco ASA, FTD, or FMC Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
These vulnerabilities were found during the resolution of a Cisco TAC support case.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Version | Description | Section | Status | Date |
---|---|---|---|---|
1.0 | Initial public release. | - | Final | 2022-NOV-09 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.