Summary

• Multiple vulnerabilities in the Server Message Block Version 2 (SMB2) processor of the Snort detection engine on multiple Cisco products could allow an unauthenticated, remote attacker to bypass the configured policies or cause a denial of service (DoS) condition on an affected device.

  These vulnerabilities are due to improper management of system resources when the Snort detection engine is processing SMB2 traffic. An attacker could exploit these vulnerabilities by sending a high rate of certain types of SMB2 packets through an affected device. A successful exploit could allow the attacker to trigger a reload of the Snort process, resulting in a DoS condition.

  Note: When the snort preserve-connection option is enabled for the Snort detection engine, a successful exploit could also allow the attacker to bypass the configured policies and deliver a malicious payload to the protected network. The snort preserve-connection setting is enabled by default. See the Details section of this advisory for more information.

  Note: Only products that have Snort 3 configured are affected. Products that are configured with Snort 2 are not affected.

  Cisco has released software updates that address these vulnerabilities. There are workarounds that address these vulnerabilities.

  This advisory is available at the following link:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-smb-3nfhJtr

  This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

• Vulnerable Products

  At the time of publication, these vulnerabilities affected Open Source Snort 3.

  For information about which Snort releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. For more information on Snort, see the Snort website.

  Impact to Cisco Products

  At the time of publication, these vulnerabilities affected the following Cisco products if they were running a vulnerable release of Cisco software:

  • Cyber Vision
  • FirePOWER Services - All platforms
  • Firepower Threat Defense (FTD) Software - All platforms
  • Meraki MX Security Appliances¹
  • Umbrella Secure Internet Gateway (SIG)

  1. See the Products Confirmed Not Vulnerable section of this advisory for a list of Meraki devices that are not affected by these vulnerabilities.

  For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

  Determine Cisco FTD Software Configuration

  On new installations of Cisco FTD Software releases 7.0.0 and later, Snort 3 is running by default. On devices that were running Cisco FTD Software Release 6.7.0 or earlier and were upgraded to Release 7.0.0 or later, Snort 2 is running by default.

  Determine Cisco FTD Software Configuration Using the FTD Software CLI

  To determine whether Snort 3 is configured on a device that is running Cisco FTD Software, log in to the Cisco FTD Software CLI and use the show snort3 status command. If the command produces the following output, the device is running Snort 3 and is affected by these vulnerabilities:

  show snort3 status
  Currently running Snort 3

  Determine Cisco FTD Software Configuration for Cisco Firepower Management Center Software-Managed Devices

  To determine whether Snort 3 is configured on a device that is managed by Cisco Firepower Management Center (FMC) Software, complete the following steps:

  1. Log in to the Cisco FMC Software web interface.
  2. From the Devices menu, choose Device Management.
  3. Choose the appropriate Cisco FTD device.
  4. Click the Edit pencil icon.
  5. Choose the Device tab and look in the Inspection Engine area.
  • If Snort 2 is listed, the device is not affected by these vulnerabilities.
  • If Snort 3 is listed, the device is affected by these vulnerabilities.

  Determine Cisco FTD Software Configuration for Cisco Firepower Device Manager Software-Managed Devices

  To determine whether Snort 3 is configured on a device that is managed by Cisco Firepower Device Manager (FDM) Software, complete the following steps:

  1. Log in to the Cisco FTD Software web interface.
  2. From the main menu, choose Policies.
  3. Choose the Intrusion tab.
  4. Look for the Inspection Engine version. The version will start with either a 2 for Snort 2 or a 3 for Snort 3.
  • If the device is running a Snort 2 version, it is not affected by these vulnerabilities.
  • If the device is running a Snort 3 version, it is affected by these vulnerabilities.

  Determine Cisco FTD Software Configuration for Cisco Defense Orchestrator-Managed Devices

  To determine whether Snort 3 is configured on a device that is managed by Cisco Defense Orchestrator, complete the following steps:

  1. Log in to the Cisco Defense Orchestrator web interface.
  2. From the Inventory menu, choose the appropriate Cisco FTD device.
  3. In the Device Details area, look for Snort Version. The version will start with either a 2 for Snort 2 or a 3 for Snort 3.
  • If the device is running a Snort 2 version, it is not affected by these vulnerabilities.
  • If the device is running a Snort 3 version, it is affected by these vulnerabilities.

  Products Confirmed Not Vulnerable

  Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.

  Cisco has confirmed that these vulnerabilities do not affect the following products:

  • Cisco 1000 Series Integrated Services Routers (ISRs)
  • Cisco 4000 Series Integrated Services Routers (ISRs)
  • Cisco Adaptive Security Appliance (ASA) Software
  • Cisco Catalyst 8000V Edge Software
  • Cisco Catalyst 8200 Series Edge Platforms
  • Cisco Catalyst 8300 Series Edge Platforms
  • Cisco Catalyst 8500 Series Edge Platforms
  • Cisco Catalyst 8500L Series Edge Platforms
  • Cisco Cloud Services Routers 1000V
  • Cisco Firepower Management Center (FMC) Software
  • Cisco Meraki MX64 and MX64w Appliances
  • Cisco Meraki MX65 and MX65w Appliances
  • Cisco Integrated Services Virtual Routers (ISRv)
  • Open Source Snort 2

Details

• snort preserve-connection Settings

  The impact of these vulnerabilities can be twofold, depending on whether the snort preserve-connection setting is enabled or disabled and whether a traffic flow began before the Snort process went down or began while the Snort process was down.

  The behavior for traffic flows that were established before the Snort process went down is configuration dependent. The behavior for traffic flows that begin while the Snort process is down is not configuration dependent and always results in a DoS condition. For details on the snort preserve-connection setting, see the Cisco Secure Firewall Threat Defense Command Reference and the Snort Restart Traffic Behavior section of the Firepower Management Center Configuration Guide.

  snort preserve-connection Is Enabled

  When the snort preserve-connection option is enabled for the Snort detection engine, existing traffic flow are not dropped when the Snort process goes down. Instead, existing traffic flows bypass the Snort detection engine. A successful exploit could allow an attacker to bypass the configured policies and deliver a malicious payload to the protected network. Traffic flows that begin while the Snort process is down are dropped, resulting in a DoS condition.

  The CVSS score for existing traffic flows is as follows: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

  The CVSS score for new traffic flows is as follows: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

  snort preserve-connection Is Disabled

  When the snort preserve-connection option is disabled for the Snort detection engine, existing traffic flows are dropped. A successful exploit could result in a DoS condition. Traffic flows that begin while the Snort process is down are also dropped, resulting in a DoS condition.

  The CVSS score is the same for both new and existing traffic flows: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

  Determine the Cisco FTD Software Configuration

  The snort preserve-connection setting is enabled by default. To view the current setting, log in to the Cisco FTD Software CLI and use the show running-config | include snort command. There are no GUI options for viewing the setting.

  If the command produces the following output, snort preserve-connection is enabled on the device:

  > show running-config | include snort
  snort preserve-connection
  >

  If the command produces the following output, snort preserve-connection is disabled on the device:

  > show running-config | include snort
  no snort preserve-connection
  >

  
  

Workarounds

• There is a workaround that addresses these vulnerabilities. To remove the attack vector for these vulnerabilities for Cisco FMC Software-managed devices and Cisco Defense Orchestrator-managed devices, configure a fastpath prefilter rule to bypass the Snort detection engine. To remove the attack vector for these vulnerabilities for Cisco Firepower Device Manager (FDM)-managed devices, configure an access control rule to bypass the Snort detection engine.

  Workaround for Cisco FMC Software-Managed Devices

  To configure a fastpath prefilter rule for SMB traffic for Cisco FMC Software-managed devices, do the following:

  1. Log in to the FMC web interface.
  2. From the Policies menu, under the Access Control section, choose Prefilter.
  3. Choose New Policy.
  4. Enter the Name and Description and click Save.
  5. In the resulting window, ensure that Default Action: Tunnel Traffic is set to Analyze all tunnel traffic.
  6. Click Add Prefilter Rule.
  7. In the resulting window, enter a rule Name and ensure the Enabled box is checked.
  8. From the Action drop-down menu, choose Fastpath.
  9. Configure the policy under the Interfaces, Networks, and Vlan Tags tabs for SMB traffic on the affected network.
  10. Click the Port tab.
  11. Enter the following destination ports for SMB traffic: TCP (6):138, TCP (6):139, TCP (6):445 and UDP (17):137.
  12. Click Add to add the policy.
  13. Click Save to save the policy.

  To associate the SMB prefilter policy with the access control policy deployed on Cisco FMC Software-managed devices, do the following:

  1. From the Policies menu, under the Access Control section, choose Access Control.
  2. Find the policy of interest.
  3. Click the Edit icon.
  4. Click the name next to Prefilter Policy.
  5. Choose the name of the newly created SMB prefilter policy from the drop-down menu.
  6. Click OK.

  For more information, see the Prefiltering and Prefilter Policies chapter of the Firepower Management Center Device Configuration Guide.

  Workaround for Cisco FDM-Managed Devices

  Fastpath is not supported on Cisco FDM-managed devices. Instead, set an access control policy with an action of trust for the appropriate ports.

  To configure an access control policy to bypass SMB traffic for Cisco FDM-managed devices, do the following:

  1. Log in to the Cisco FDM web interface.
  2. From the Policies menu, choose Access Control.
  3. Create a new policy by clicking the plus (+) sign.
  4. Enter a name and under the Action drop-down menu, choose Trust.
  5. In the Port section, click the plus (+) sign.
  6. Select Create new Port.
  7. Enter a name, protocol type, and port number for each of the following ports: TCP (6):138, TCP (6):139, TCP (6):445, and UDP (17):137.
  8. Once the ports have been created, select the four ports to be added to the rule by selecting their names.
  9. Click OK when done.
  10. Click OK to add the policy.
  11. Deploy changes to Cisco FTD Software.

  For more information, see the Access Control Chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.

  Workaround for Cisco Defense Orchestrator-Managed Devices

  To configure a fastpath prefilter rule for SMB traffic for Cisco Defense Orchestrator-managed devices, do the following:

  1. Log in to the Cisco Defense Orchestrator web interface.
  2. From the Policies menu, choose FTD Policies.
  3. From the Policies menu, under the Access Control section, choose Prefilter.
  4. Click New Policy.
  5. Enter the Name and Description and click Save.
  6. In the resulting window, ensure that Default Action: Tunnel Traffic is set to Analyze all tunnel traffic.
  7. Click Add Prefilter Rule.
  8. In the resulting window, enter a rule Name and ensure the Enabled box is checked.
  9. From the Action drop-down menu, select Fastpath.
  10. Configure the policy under the Interfaces, Networks, and Vlan Tags tabs for SMB traffic on the affected network.
  11. Click the Port tab.
  12. Enter the following destination ports for SMB traffic: TCP (6):138, TCP (6):139, TCP (6):445, and UDP (17):137.
  13. Click Add to add the policy.
  14. Click Save to save the policy.

  To associate the SMB prefilter policy with the access control policy deployed on Cisco Defense Orchestrator-managed devices, do the following:

  1. From the Policies menu, under the Access Control section, choose Access Control.
  2. Find the policy of interest.
  3. Click the Edit icon.
  4. Click the name next to Prefilter Policy.
  5. Choose the name of the newly created SMB prefilter policy from the drop-down menu.
  6. Click OK.

  For more information, see the Cisco Defense Orchestrator website.

  While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

Fixed Software

• When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

  Cisco ASA, FMC, and FTD Software: CSCwb87762, CSCwb66736, CSCwa55404, CSCvy97080

  To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker. This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories that the Software Checker identifies (“Combined First Fixed”).

  To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps:

  1. Choose which advisories the tool will search-all advisories, only High and Critical advisories, or only this advisory.
  2. Choose the appropriate software.
  3. Choose the appropriate platform (for Cisco ASA and FTD Software only).
  4. Enter a release number-for example, 16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software.
  5. Click Check.

  Only this advisory All Critical and High advisories All advisories Cisco ASA Software Cisco FMC Software Cisco FTD Software Any Platform 3000 Series Industrial Security Appliances (ISA) ASA 5500-X Series Firewalls ASA Service Module Adaptive Security Virtual Appliance (ASAv) Firepower 1000 Series Firepower 2100 Series Firepower 4100 Series Firepower 9000 Series Secure Firewall 3100 Series

  For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide.

  Cyber Vision: CSCwc37339, CSCwc37518, CSCwb78519

  At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

  Cisco Cyber Vision Release	First Fixed Release for CVE-2022-20922 and CVE-2022-20943
  3.x	Migrate to a fixed release.
  4.0	Migrate to a fixed release.
  4.1	4.1.2

  
  

  Meraki MX Security Appliances

  Cisco Meraki MX Security Appliances Release	First Fixed Release for CVE-2022-20922	First Fixed Release for CVE-2022-20943
  MX15 and earlier	None planned.	Migrate to a fixed release.
  MX16	None planned.	Hotfix available for 16.16.7
  MX17	None planned.	Hotfix available for 17.11.1
  MX18	None planned.	Hotfix available for 18.1.3

  
  

  Snort: CSCwb87762, CSCwb66736, CSCwa55404, CSCvy97080

  Snort Release	First Fixed Release for CVE-2022-20922	First Fixed Release for CVE-2022-20943
  2.x	Not vulnerable	Not vulnerable
  3.x	3.1.31.0	Not vulnerable

  
  

  Umbrella SIG: CSCwb91454

  Cisco plans to address these vulnerabilities in Cisco Umbrella SIG, which is cloud based. No user action is required.

  Customers who need additional information are advised to contact Cisco Umbrella Support at umbrella-support@cisco.com or their contracted maintenance providers.

  Additional Resources

  For help determining the best Cisco ASA, FTD, or FMC Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance.

  Cisco ASA Compatibility
  Cisco Secure Firewall ASA Upgrade Guide
  Cisco Secure Firewall Threat Defense Compatibility Guide

  The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Exploitation and Public Announcements

• The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

Source

• These vulnerabilities were found during the resolution of a Cisco TAC support case.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-smb-3nfhJtr

Revision History

• Version	Description	Section	Status	Date
  1.1	Updated Meraki hotfix version from 16.6.7 to 16.16.7.	Fixed Releases	Final	2022-NOV-30
  1.0	Initial public release.	-	Final	2022-NOV-09

  Show Less