This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Snort Denial of Service Vulnerability CVE-2022-20685

SG-1 over 1 year ago

RichBaldry Is Sophos aware of and working on this?

https://claroty.com/2022/04/14/blog-research-blinding-snort-breaking-the-modbus-ot-preprocessor/

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-dos-9D3hJLuj

This thread was automatically locked due to age.

Top Replies

Amodin over 1 year ago +1

Under 58906, 58907 on the ID. Astaro IPS Rules

Amodin over 1 year ago

Under 58906, 58907 on the ID.

Astaro IPS Rules

PFSense Plus 23.05 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
16GB Memory | 500GB SSD HDD | Fiber Conn (awaiting ATT Fiber)
(Former Sophos UTM Veteran, XG Rookie)
Cancel
Vote Up +1 Vote Down

Cancel
Amodin over 1 year ago

Well I tried to reply to this topic, but my reply was actually being moderated and labeled as 'spam'.

At any rate, let's see if this works - IPS rules has two listings for it. Astaro IPS Rules

PFSense Plus 23.05 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
16GB Memory | 500GB SSD HDD | Fiber Conn (awaiting ATT Fiber)
(Former Sophos UTM Veteran, XG Rookie)
Cancel
Vote Up 0 Vote Down

Cancel
SG-1 over 1 year ago in reply to Amodin

Thanks for the info! Unfortunately the Snort site doesn't have details on the two IDs. I'm afraid that the Snort software itself needs to be updated by/on Sophos though. I currently see Snort Version 2.9.17.1 on a 9.710-1 Sophos UTM. I found this interesting link which states that the Snort engine can be delivered by Sophos via the pattern updates. That's why I tried to ask RichBaldry here.
Cancel
Vote Up 0 Vote Down

Cancel
LuCar Toni over 1 year ago in reply to SG-1

You should create a Support Case to get this answer.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
RichBaldry over 1 year ago

Yes this is on our radar and we are working on a patch for the current snort engine. In the meantime, the risk of this being used by an external attacker is virtually eliminated by blocking inbound TCP connections on TCP port 502.
Cancel
Vote Up +1 Vote Down

Cancel
SG-1 over 1 year ago in reply to RichBaldry

Thank you! Publicly here in the Sophos Community the info should be useful for the time being.
Cancel
Vote Up 0 Vote Down

Cancel