{"id":"MGASA-2023-0117","summary":"Updated snort packages fix security vulnerability","details":"Multiple Cisco products are affected by a vulnerability in the Snort\ndetection engine that could allow an unauthenticated, remote attacker to\nbypass a configured File Policy for HTTP. The vulnerability is due to\nincorrect detection of modified HTTP packets used in chunked responses. An\nattacker could exploit this vulnerability by sending crafted HTTP packets\nthrough an affected device. A successful exploit could allow the attacker\nto bypass a configured File Policy for HTTP packets and deliver a\nmalicious payload. (CVE-2020-3299)\n\nMultiple Cisco products are affected by a vulnerability in the Snort\ndetection engine that could allow an unauthenticated, remote attacker to\nbypass the configured file policies on an affected system. The\nvulnerability is due to errors in how the Snort detection engine handles\nspecific HTTP responses. An attacker could exploit this vulnerability by\nsending crafted HTTP packets that would flow through an affected system. A\nsuccessful exploit could allow the attacker to bypass the configured file\npolicies and deliver a malicious payload to the protected network.\n(CVE-2020-3315)\n\nMultiple Cisco products are affected by a vulnerability in the Snort\ndetection engine that could allow an unauthenticated, remote attacker to\nbypass a configured file policy for HTTP. The vulnerability is due to\nincorrect handling of an HTTP range header. An attacker could exploit this\nvulnerability by sending crafted HTTP packets through an affected device.\nA successful exploit could allow the attacker to bypass configured file\npolicy for HTTP packets and deliver a malicious payload. (CVE-2021-1223)\n\nMultiple Cisco products are affected by a vulnerability with TCP Fast Open\n(TFO) when used in conjunction with the Snort detection engine that could\nallow an unauthenticated, remote attacker to bypass a configured file\npolicy for HTTP. The vulnerability is due to incorrect detection of the\nHTTP payload if it is contained at least partially within the TFO\nconnection handshake. An attacker could exploit this vulnerability by\nsending crafted TFO packets with an HTTP payload through an affected\ndevice. A successful exploit could allow the attacker to bypass\nconfigured file policy for HTTP packets and deliver a malicious payload.\n(CVE-2021-1224)\n\nMultiple Cisco products are affected by a vulnerability in the Snort\napplication detection engine that could allow an unauthenticated, remote\nattacker to bypass the configured policies on an affected system. The\nvulnerability is due to a flaw in the detection algorithm. An attacker\ncould exploit this vulnerability by sending crafted packets that would\nflow through an affected system. A successful exploit could allow the\nattacker to bypass the configured policies and deliver a malicious\npayload to the protected network. (CVE-2021-1236)\n\nMultiple Cisco products are affected by vulnerabilities in the Snort\ndetection engine that could allow an unauthenticated, remote attacker to\nbypass a configured file policy for HTTP. These vulnerabilities are due\nto incorrect handling of specific HTTP header parameters. An attacker\ncould exploit these vulnerabilities by sending crafted HTTP packets\nthrough an affected device. A successful exploit could allow the attacker\nto bypass a configured file policy for HTTP packets and deliver a\nmalicious payload. (CVE-2021-1494)\n\nMultiple Cisco products are affected by a vulnerability in the Snort\ndetection engine that could allow an unauthenticated, remote attacker to\nbypass a configured file policy for HTTP. The vulnerability is due to\nincorrect handling of specific HTTP header parameters. An attacker could\nexploit this vulnerability by sending crafted HTTP packets through an\naffected device. A successful exploit could allow the attacker to bypass a\nconfigured file policy for HTTP packets and deliver a malicious payload.\n(CVE-2021-1495)\n\nA vulnerability in Server Name Identification (SNI) request filtering of\nCisco Web Security Appliance (WSA), Cisco Firepower Threat Defense (FTD),\nand the Snort detection engine could allow an unauthenticated, remote\nattacker to bypass filtering technology on an affected device and\nexfiltrate data from a compromised host. This vulnerability is due to\ninadequate filtering of the SSL handshake. An attacker could exploit this\nvulnerability by using data from the SSL client hello packet to\ncommunicate with an external server. A successful exploit could allow the\nattacker to execute a command-and-control attack on a compromised host and\nperform additional data exfiltration attacks. (CVE-2021-34749)\n\nMultiple Cisco products are affected by a vulnerability in the way the\nSnort detection engine processes ICMP traffic that could allow an\nunauthenticated, remote attacker to cause a denial of service (DoS)\ncondition on an affected device. The vulnerability is due to improper\nmemory resource management while the Snort detection engine is processing\nICMP packets. An attacker could exploit this vulnerability by sending a\nseries of ICMP packets through an affected device. A successful exploit\ncould allow the attacker to exhaust resources on the affected device,\ncausing the device to reload. (CVE-2021-40114)\n","modified":"2026-02-04T04:03:19.872464Z","published":"2023-03-31T00:13:46Z","related":["CVE-2020-3299","CVE-2020-3315","CVE-2021-1223","CVE-2021-1224","CVE-2021-1236","CVE-2021-1494","CVE-2021-1495","CVE-2021-34749","CVE-2021-40114"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2023-0117.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27741"},{"type":"REPORT","url":"https://www.debian.org/lts/security/2023/dla-3317"}],"affected":[{"package":{"name":"snort","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/snort?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.9.20-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0117.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}