One of Snort's security vulnerabilities has been discovered that could cause a "denial of service" (DoS) condition and leave the system unable to stop malicious traffic.
Known as CVE-2022-20685, the flaw affects Snort's Modbus preprocessor and has a 7.5 severity rating. Open-source Snort versions prior to 2.9.19 and 3.1.11.0 are all affected.
As an open source intrusion detection system (IDS) and an intrusion prevention system (IPS), Snort aims to detect and prevent malicious activity by analyzing network traffic in real time.
The Snort Modbus OT preprocessor can go into an infinite while loop if the vulnerability, CVE-2022-20685, is exploited, according to Claroty security researcher Uri Katz in a report released last week. As a result of a successful attack, Snort cannot process new packets and generate alerts.
As a result of a flaw in the way Snort handles Modbus packets, which is an industrial data communication protocol used in SCADA networks, an attacker could send a maliciously crafted packet to a vulnerable device.
In an advisory published earlier this month, Cisco warned that a successful exploit could allow an attacker to cause the Snort process to hang, causing traffic inspection to stop.
An unauthenticated remote attacker could, therefore, exploit the vulnerability to cause a denial-of-service (DoS) condition on affected devices, thereby hindering Snort's detection of attacks and opening the network up to malicious traffic.
Network analysis tools such as Snort are vulnerable to attack, which can have a devastating impact on enterprise and OT networks, Katz said.
As OT networks are increasingly being centrally managed by IT network analysts familiar with Snort and other similar tools, network analysis tools are an under-researched area that deserves more analysis and attention."
Post a Comment
Your suggestions and comments are welcome