and is not likely to be changed by an attacker. Cisco devices with the snort preserve-connection setting enabled are not at risk of exploitation by this vulnerability.

---------------------------
Table 1: Severity of Cisco Products Affected by Vulnerability - Critical Component

Cisco products that are susceptible to these vulnerabilities are:

Cisco FirePOWER devices: Cisco FirePOWER appliances running Snort, Cisco FirePOWER MDs running Snort, Cisco FirePOWER sensors running Snort, and Cisco FirePOWER callpoints running Snort
Cisco ASR 9000 Series Routers running Snort
Cisco Catalyst 6500 Series Switches running Snort
Cisco Nexus 5XXX V2 Routers running Snort
Cisco Nexus 6XXX V2 Routers running Snort
Cisco Nexus 5XXX V1 Routers running Snort
Cisco Nexus 6XXX V1 Routers running Snort
Cisco Firepower Threat Defense appliances running Snort
Cisco Firepower Threat Defense sensors running Snort
Cisco Firepower Threat Defense callpoints running Snort
---------------------------

Note that this table does not address all Cisco products that are likely to be affected by these vulnerabilities. Cisco does not recommend disabling the Snort detection engine: doing so may cause some Cisco products to stop functioning correctly.

How to Determine If Your Cisco Product is Vulnerable

To determine whether your Cisco product is vulnerable, first check whether it appears in the table below, which lists the products that are likely to be affected and the severity assigned to each. If your Cisco product is listed, review its entry here and the corresponding product section below.

--------------------------
Table 2: Severity of Cisco Products Affected by Vulnerability - Critical Component

Product | Severity
--------------------------
Cisco FirePOWER devices: Cisco FirePOWER appliances running Snort, Cisco FirePOWER MDs running Snort, Cisco FirePOWER sensors running Snort, and Cisco FirePOWER callpoints running Snort | Critical Component
Cisco ASR 9000 Series Routers running Snort | Moderate Component
Cisco ASR 9000 Series Routers running Snort | Low Component
--------------------------

Cisco FirePOWER MDs

Cisco Firepower Threat Defense MDs running Snort are not vulnerable to exploitation by CVE-2022-20943.

---------------------------
Table 1: Severity of Cisco Products Affected by Vulnerability - Not Critical Component

Cisco products that are not affected by these vulnerabilities are:

Cisco FirePOWER devices: Cisco FirePOWER appliances running Snort, Cisco FirePOWER MDs running Snort, and Cisco FirePOWER sensors running Snort
Cisco ASR 9000 Series Routers running Snort
Cisco Catalyst 6500 Series Switches running Snort
Cisco Nexus 5XXX V2 Routers running Snort
Cisco Nexus 6XXX V2 Routers running Snort

and all other devices with the status "Not critical" in Table 1.
---------------------------

Cisco FirePOWER Devices

Cisco FirePOWER devices are vulnerable to exploitation by CVE-2022-20943. The vulnerability is classified as critical because an attacker can take complete control of the device. The authentication mechanism in affected Cisco FirePOWER devices is not likely to be changed by an attacker.

Cisco has confirmed that this vulnerability affects the following products: Cisco FirePOWER appliances running Snort, Cisco FirePOWER MDs running Snort, Cisco FirePOWER sensors running Snort, and Cisco FirePOWER callpoints running Snort.

Cisco Firepower Threat Defense (FTD) Devices

Cisco FTD devices running the Snort detection engine are not at risk of exploitation by this vulnerability.

Snort Vulnerability: Cisco FirePOWER MDs running Snort

CVE-2022-20943 affects Cisco FirePOWER MDs running Snort. It allows an attacker to access the Snort engine and, as a result, execute code on vulnerable devices. This vulnerability is not likely to be changed by an attacker.

Timeline

Published on: 11/15/2022 21:15:00 UTC
Last modified on: 11/23/2022 14:30:00 UTC

References