There is a workaround that addresses these vulnerabilities. To remove the attack vector for these vulnerabilities for Cisco FMC Software-managed devices and Cisco Defense Orchestrator-managed devices, configure a fastpath prefilter rule to bypass the Snort detection engine. To remove the attack vector for these vulnerabilities for Cisco Firepower Device Manager (FDM)-managed devices, configure an access control rule to bypass the Snort detection engine.
Workaround for Cisco FMC Software-Managed Devices
To configure a fastpath prefilter rule for SMB traffic for Cisco FMC Software-managed devices, do the following:
1. Log in to the FMC web interface.
2. From the Policies menu, under the Access Control section, choose Prefilter.
3. Choose New Policy.
4. Enter the Name and Description and click Save.
5. In the resulting window, ensure that Default Action: Tunnel Traffic is set to Analyze all tunnel traffic.
6. Click Add Prefilter Rule.
7. In the resulting window, enter a rule Name and ensure the Enabled box is checked.
8. From the Action drop-down menu, choose Fastpath.
9. Configure the policy under the Interfaces, Networks, and Vlan Tags tabs for SMB traffic on the affected network.
10. Click the Port tab.
11. Enter the following destination ports for SMB traffic: TCP (6):138, TCP (6):139, TCP (6):445, and UDP (17):137.
12. Click Add to add the policy.
13. Click Save to save the policy.
To associate the SMB prefilter policy with the access control policy deployed on Cisco FMC Software-managed devices, do the following:
1. From the Policies menu, under the Access Control section, choose Access Control.
2. Find the policy of interest.
3. Click the Edit icon.
4. Click the name next to Prefilter Policy.
5. Choose the name of the newly created SMB prefilter policy from the drop-down menu.
6. Click OK.
For more information, see the Prefiltering and Prefilter Policies chapter (https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/access-prefilter.html) of the Firepower Management Center Device Configuration Guide.
Workaround for Cisco FDM-Managed Devices
Fastpath is not supported on Cisco FDM-managed devices. Instead, set an access control policy with an action of trust for the appropriate ports.
To configure an access control policy to bypass SMB traffic for Cisco FDM-managed devices, do the following:
1. Log in to the Cisco FDM web interface.
2. From the Policies menu, choose Access Control.
3. Create a new policy by clicking the plus (+) sign.
4. Enter a name and, under the Action drop-down menu, choose Trust.
5. In the Port section, click the plus (+) sign.
6. Select Create new Port.
7. Enter a name, protocol type, and port number for each of the following ports: TCP (6):138, TCP (6):139, TCP (6):445, and UDP (17):137.
8. Once the ports have been created, select the four ports to be added to the rule by selecting their names.
9. Click OK when done.
10. Click OK to add the policy.
11. Deploy changes to Cisco FTD Software.
For more information, see the Access Control chapter (https://www.cisco.com/c/en/us/td/docs/security/firepower/710/fdm/fptd-fdm-config-guide-710/fptd-fdm-access.html) of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
Workaround for Cisco Defense Orchestrator-Managed Devices
To configure a fastpath prefilter rule for SMB traffic for Cisco Defense Orchestrator-managed devices, do the following:
1. Log in to the Cisco Defense Orchestrator web interface.
2. From the Policies menu, choose FTD Policies.
3. From the Policies menu, under the Access Control section, choose Prefilter.
4. Click New Policy.
5. Enter the Name and Description and click Save.
6. In the resulting window, ensure that Default Action: Tunnel Traffic is set to Analyze all tunnel traffic.
7. Click Add Prefilter Rule.
8. In the resulting window, enter a rule Name and ensure the Enabled box is checked.
9. From the Action drop-down menu, select Fastpath.
10. Configure the policy under the Interfaces, Networks, and Vlan Tags tabs for SMB traffic on the affected network.
11. Click the Port tab.
12. Enter the following destination ports for SMB traffic: TCP (6):138, TCP (6):139, TCP (6):445, and UDP (17):137.
13. Click Add to add the policy.
14. Click Save to save the policy.
To associate the SMB prefilter policy with the access control policy deployed on Cisco Defense Orchestrator-managed devices, do the following:
1. From the Policies menu, under the Access Control section, choose Access Control.
2. Find the policy of interest.
3. Click the Edit icon.
4. Click the name next to Prefilter Policy.
5. Choose the name of the newly created SMB prefilter policy from the drop-down menu.
6. Click OK.
For more information, see the Cisco Defense Orchestrator documentation (https://docs.defenseorchestrator.com/).
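The three procedures above all come down to one check: every SMB destination port must be covered by an enabled rule whose action bypasses Snort (Fastpath on FMC and Cisco Defense Orchestrator, Trust on FDM). The following script is an added example, not part of the advisory or any Cisco tool; it parses the "TCP (6):445" port notation used in the steps and reports which of the four ports a rule set leaves uncovered. The rule dictionary shape and the sample rules are constructed for the example, not an FMC or FDM export format.

```python
import re
from typing import Iterable

# SMB destination ports the workaround must cover, in the
# "PROTO (number):port" form used by the FMC/FDM port dialogs.
REQUIRED_SMB_PORTS = ("TCP (6):138", "TCP (6):139", "TCP (6):445", "UDP (17):137")

# Actions that bypass the Snort engine: Fastpath for FMC/CDO prefilter
# rules, Trust for FDM access control rules.
BYPASS_ACTIONS = {"fastpath", "trust"}

_PORT_RE = re.compile(r"^\s*(TCP|UDP)\s*\((\d+)\)\s*:\s*(\d+)\s*$", re.IGNORECASE)


def parse_port(entry: str) -> tuple:
    """Parse 'TCP (6):445' into (ip_protocol, port); reject malformed entries."""
    m = _PORT_RE.match(entry)
    if not m:
        raise ValueError(f"unrecognised port entry: {entry!r}")
    name, proto, port = m.group(1).upper(), int(m.group(2)), int(m.group(3))
    # The protocol number in parentheses must agree with the protocol name.
    if (name, proto) not in {("TCP", 6), ("UDP", 17)}:
        raise ValueError(f"protocol name/number mismatch in {entry!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {entry!r}")
    return proto, port


def uncovered_smb_ports(rules: Iterable[dict]) -> list:
    """Return the required SMB port entries no enabled bypass rule covers.

    Each rule is a dict with 'name', 'action', 'enabled' and 'dest_ports'
    (entries in the 'TCP (6):445' form). This shape is an assumption made
    for the example, not a Cisco export format.
    """
    covered = set()
    for rule in rules:
        if not rule.get("enabled") or rule.get("action", "").lower() not in BYPASS_ACTIONS:
            continue  # disabled, or still sends traffic through Snort
        covered.update(parse_port(p) for p in rule.get("dest_ports", []))
    return [p for p in REQUIRED_SMB_PORTS if parse_port(p) not in covered]


# Constructed sample: a Fastpath rule missing UDP 137, plus a disabled rule
# that would have covered it (disabled rules do not count).
SAMPLE_RULES = [
    {"name": "smb-fastpath", "action": "Fastpath", "enabled": True,
     "dest_ports": ["TCP (6):138", "TCP (6):139", "TCP (6):445"]},
    {"name": "smb-udp", "action": "Fastpath", "enabled": False,
     "dest_ports": ["UDP (17):137"]},
]

if __name__ == "__main__":
    print("not covered:", uncovered_smb_ports(SAMPLE_RULES))  # ['UDP (17):137']
```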
While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.