
CVE-2021-1236: Cisco Security Advisory: Multiple Cisco Products Snort Application Detection Engine Policy Bypass Vulnerability

Multiple Cisco products are affected by a vulnerability in the Snort application detection engine that could allow an unauthenticated, remote attacker to bypass the configured policies on an affected system. The vulnerability is due to a flaw in the detection algorithm. An attacker could exploit this vulnerability by sending crafted packets that would flow through an affected system. A successful exploit could allow the attacker to bypass the configured policies and deliver a malicious payload to the protected network.


At the time of publication, this vulnerability affected all open source Snort project releases earlier than Release 2.9.14. For more information, see the Snort website.

At the time of publication, this vulnerability affected the following Cisco products if they were running a vulnerable release of Cisco software:

  • 3000 Series Industrial Security Appliances (ISAs)
  • Firepower Threat Defense (FTD) Software

At the time of publication, this vulnerability affected the following Cisco products if they were running a release earlier than the first fixed release of Cisco Unified Threat Defense (UTD) Snort Intrusion Prevention System (IPS) Engine for Cisco IOS XE Software or Cisco UTD Engine for Cisco IOS XE SD-WAN Software. Note: UTD is not installed on these devices by default. If the UTD file is not installed, the device is not vulnerable.

  • 1000 Series Integrated Services Routers (ISRs)
  • 4000 Series Integrated Services Routers (ISRs)
  • Cloud Services Router 1000V
  • Integrated Services Virtual Router (ISRv)

For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Determine Whether UTD is Enabled

To determine whether UTD is enabled on a device, issue the show utd engine standard status command and check for a Yes under Running. If the command returns no output, UTD is not installed and the device is not affected. A Yes under Running means the UTD engine is active, so the device is vulnerable if that engine is earlier than the first fixed release listed in the Fixed Software section; note that the Engine version line also embeds the bundled Snort release (the SV2.9.16.1 portion in the example below). The following output example shows a device that has UTD enabled:

Router# show utd engine standard status
Engine version : 1.0.19_SV2.9.16.1_XE17.3
Profile : Cloud-Low
System memory :
  Usage : 6.00 %
  Status : Green
Number of engines : 1

Engine       Running   Health   Reason
===========================================
Engine(#1):  Yes       Green    None
=======================================================

.
.
.
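When the same check has to be run across a fleet of ISRs, it is easier to collect the output of show utd engine standard status from each router and parse it than to read it by hand. The script below is an added example, not Cisco's code or part of the advisory: it parses the command output shown above, reports whether UTD is installed and running, and pulls the UTD engine release and the bundled Snort release out of the Engine version string. The sample output is a constructed copy of the advisory's example; the decomposition of the version string as utd_SVsnort_XEiosxe and the first_fixed_snort parameter (which should be taken from the advisory's Fixed Software section, since the UTD fixed release need not equal the open-source Snort 2.9.14 threshold) are assumptions of the example.

```python
import re

# Constructed sample: a copy of the advisory's example output, not captured from a live device.
SAMPLE_OUTPUT = """Router# show utd engine standard status
Engine version : 1.0.19_SV2.9.16.1_XE17.3
Profile : Cloud-Low
System memory :
  Usage : 6.00 %
  Status : Green
Number of engines : 1

Engine       Running   Health   Reason
===========================================
Engine(#1):  Yes       Green    None
=======================================================
"""

ENGINE_VERSION_RE = re.compile(r"^Engine version\s*:\s*(?P<ver>\S+)", re.M)
# Assumed layout of the UTD version string: <utd release>_SV<snort release>_XE<ios xe release>
VERSION_PARTS_RE = re.compile(r"^(?P<utd>[\d.]+)_SV(?P<snort>[\d.]+)_XE(?P<xe>[\d.]+)$")
# One row per engine in the table at the bottom of the output.
ENGINE_ROW_RE = re.compile(
    r"^Engine\(#(?P<n>\d+)\):\s+(?P<running>Yes|No)\s+(?P<health>\S+)\s+(?P<reason>.*?)\s*$", re.M)


def parse_version(text):
    """'2.9.16.1' -> (2, 9, 16, 1), so releases compare as tuples, not strings."""
    return tuple(int(part) for part in text.split("."))


def utd_status(output):
    """Parse 'show utd engine standard status' output into a summary dict.

    No 'Engine version' line (including completely empty output) is treated as
    UTD not installed, which the advisory says means the device is not affected.
    """
    status = {"installed": False, "running": False, "engine_version": None,
              "utd_release": None, "snort_version": None, "engines": []}
    m = ENGINE_VERSION_RE.search(output)
    if not m:
        return status
    status["installed"] = True
    status["engine_version"] = m.group("ver")
    parts = VERSION_PARTS_RE.match(m.group("ver"))
    if parts:
        status["utd_release"] = parse_version(parts.group("utd"))
        status["snort_version"] = parse_version(parts.group("snort"))
    for row in ENGINE_ROW_RE.finditer(output):
        status["engines"].append({
            "id": int(row.group("n")),
            "running": row.group("running") == "Yes",
            "health": row.group("health"),
            "reason": row.group("reason"),
        })
    # The advisory's check: a Yes under Running means UTD is enabled.
    status["running"] = any(e["running"] for e in status["engines"])
    return status


def is_vulnerable_by_version(status, first_fixed_snort):
    """True if UTD is running and its bundled Snort predates first_fixed_snort.

    first_fixed_snort is a version tuple the caller takes from the advisory's
    Fixed Software section (hypothetical input here). Returns False when UTD is
    not running, and None when it is running but the version could not be parsed,
    so an unparseable string is never silently reported as safe.
    """
    if not status["running"]:
        return False
    if status["snort_version"] is None:
        return None
    return status["snort_version"] < first_fixed_snort


if __name__ == "__main__":
    s = utd_status(SAMPLE_OUTPUT)
    print("installed:", s["installed"], "running:", s["running"])
    print("UTD engine:", s["engine_version"], "Snort:", s["snort_version"])
    print("older than 2.9.14:", is_vulnerable_by_version(s, (2, 9, 14)))
```

Feed the function the raw text of the command captured from each router (for example from a transcript or an automation tool), and use the returned snort_version only as a hint: the authoritative comparison is the UTD engine release against the first fixed release in the Fixed Software section.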

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect the following Cisco products:

  • Adaptive Security Appliance (ASA) Software
  • Firepower Management Center (FMC) Software
  • Meraki Security Appliances

Related news

Debian Security Advisory 5354-1

Debian Linux Security Advisory 5354-1 - Multiple security vulnerabilities were discovered in snort, a flexible Network Intrusion Detection System, which could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or bypass filtering technology on an affected device and exfiltrate data from a compromised host.
