Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to incorrect handling of an HTTP range header. An attacker could exploit this vulnerability by sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker to bypass configured file policy for HTTP packets and deliver a malicious payload.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5354 advisory.

  - Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an     unauthenticated, remote attacker to bypass a configured File Policy for HTTP. The vulnerability is due to     incorrect detection of modified HTTP packets used in chunked responses. An attacker could exploit this     vulnerability by sending crafted HTTP packets through an affected device. A successful exploit could allow     the attacker to bypass a configured File Policy for HTTP packets and deliver a malicious payload.
    (CVE-2020-3299)

  - Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an     unauthenticated, remote attacker to bypass the configured file policies on an affected system. The     vulnerability is due to errors in how the Snort detection engine handles specific HTTP responses. An     attacker could exploit this vulnerability by sending crafted HTTP packets that would flow through an     affected system. A successful exploit could allow the attacker to bypass the configured file policies and     deliver a malicious payload to the protected network. (CVE-2020-3315)

  - Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an     unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to     incorrect handling of an HTTP range header. An attacker could exploit this vulnerability by sending     crafted HTTP packets through an affected device. A successful exploit could allow the attacker to bypass     configured file policy for HTTP packets and deliver a malicious payload. (CVE-2021-1223)

  - Multiple Cisco products are affected by a vulnerability with TCP Fast Open (TFO) when used in conjunction     with the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a     configured file policy for HTTP. The vulnerability is due to incorrect detection of the HTTP payload if it     is contained at least partially within the TFO connection handshake. An attacker could exploit this     vulnerability by sending crafted TFO packets with an HTTP payload through an affected device. A successful     exploit could allow the attacker to bypass configured file policy for HTTP packets and deliver a malicious     payload. (CVE-2021-1224)

  - Multiple Cisco products are affected by a vulnerability in the Snort application detection engine that     could allow an unauthenticated, remote attacker to bypass the configured policies on an affected system.
    The vulnerability is due to a flaw in the detection algorithm. An attacker could exploit this     vulnerability by sending crafted packets that would flow through an affected system. A successful exploit     could allow the attacker to bypass the configured policies and deliver a malicious payload to the     protected network. (CVE-2021-1236)

  - Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an     unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to     incorrect handling of specific HTTP header parameters. An attacker could exploit this vulnerability by     sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker to     bypass a configured file policy for HTTP packets and deliver a malicious payload. (CVE-2021-1495)

  - A vulnerability in Server Name Identification (SNI) request filtering of Cisco Web Security Appliance     (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine could allow an     unauthenticated, remote attacker to bypass filtering technology on an affected device and exfiltrate data     from a compromised host. This vulnerability is due to inadequate filtering of the SSL handshake. An     attacker could exploit this vulnerability by using data from the SSL client hello packet to communicate     with an external server. A successful exploit could allow the attacker to execute a command-and-control     attack on a compromised host and perform additional data exfiltration attacks. (CVE-2021-34749)

  - Multiple Cisco products are affected by a vulnerability in the way the Snort detection engine processes     ICMP traffic that could allow an unauthenticated, remote attacker to cause a denial of service (DoS)     condition on an affected device. The vulnerability is due to improper memory resource management while the     Snort detection engine is processing ICMP packets. An attacker could exploit this vulnerability by sending     a series of ICMP packets through an affected device. A successful exploit could allow the attacker to     exhaust resources on the affected device, causing the device to reload. (CVE-2021-40114)

  - Multiple Ciscoproducts are affected by vulnerabilities in the Snort detection engine that could allow an     unauthenticated, remote attacker to bypass a configured file policy for HTTP. (CVE-2021-1494)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3317 advisory.

  - Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an     unauthenticated, remote attacker to bypass a configured File Policy for HTTP. The vulnerability is due to     incorrect detection of modified HTTP packets used in chunked responses. An attacker could exploit this     vulnerability by sending crafted HTTP packets through an affected device. A successful exploit could allow     the attacker to bypass a configured File Policy for HTTP packets and deliver a malicious payload.
    (CVE-2020-3299)

  - Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an     unauthenticated, remote attacker to bypass the configured file policies on an affected system. The     vulnerability is due to errors in how the Snort detection engine handles specific HTTP responses. An     attacker could exploit this vulnerability by sending crafted HTTP packets that would flow through an     affected system. A successful exploit could allow the attacker to bypass the configured file policies and     deliver a malicious payload to the protected network. (CVE-2020-3315)

  - Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an     unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to     incorrect handling of an HTTP range header. An attacker could exploit this vulnerability by sending     crafted HTTP packets through an affected device. A successful exploit could allow the attacker to bypass     configured file policy for HTTP packets and deliver a malicious payload. (CVE-2021-1223)

  - Multiple Cisco products are affected by a vulnerability with TCP Fast Open (TFO) when used in conjunction     with the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a     configured file policy for HTTP. The vulnerability is due to incorrect detection of the HTTP payload if it     is contained at least partially within the TFO connection handshake. An attacker could exploit this     vulnerability by sending crafted TFO packets with an HTTP payload through an affected device. A successful     exploit could allow the attacker to bypass configured file policy for HTTP packets and deliver a malicious     payload. (CVE-2021-1224)

  - Multiple Cisco products are affected by a vulnerability in the Snort application detection engine that     could allow an unauthenticated, remote attacker to bypass the configured policies on an affected system.
    The vulnerability is due to a flaw in the detection algorithm. An attacker could exploit this     vulnerability by sending crafted packets that would flow through an affected system. A successful exploit     could allow the attacker to bypass the configured policies and deliver a malicious payload to the     protected network. (CVE-2021-1236)

  - Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an     unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to     incorrect handling of specific HTTP header parameters. An attacker could exploit this vulnerability by     sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker to     bypass a configured file policy for HTTP packets and deliver a malicious payload. (CVE-2021-1495)

  - A vulnerability in Server Name Identification (SNI) request filtering of Cisco Web Security Appliance     (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine could allow an     unauthenticated, remote attacker to bypass filtering technology on an affected device and exfiltrate data     from a compromised host. This vulnerability is due to inadequate filtering of the SSL handshake. An     attacker could exploit this vulnerability by using data from the SSL client hello packet to communicate     with an external server. A successful exploit could allow the attacker to execute a command-and-control     attack on a compromised host and perform additional data exfiltration attacks. (CVE-2021-34749)

  - Multiple Cisco products are affected by a vulnerability in the way the Snort detection engine processes     ICMP traffic that could allow an unauthenticated, remote attacker to cause a denial of service (DoS)     condition on an affected device. The vulnerability is due to improper memory resource management while the     Snort detection engine is processing ICMP packets. An attacker could exploit this vulnerability by sending     a series of ICMP packets through an affected device. A successful exploit could allow the attacker to     exhaust resources on the affected device, causing the device to reload. (CVE-2021-40114)

  - Multiple Ciscoproducts are affected by vulnerabilities in the Snort detection engine that could allow an     unauthenticated, remote attacker to bypass a configured file policy for HTTP. (CVE-2021-1494)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its version and configuration, the Cisco Firepower Threat Defense (FTD) Software running on the remote device is affected by affected by a file policy bypass vulnerability due to the incorrect handling of a HTTP range header. An unauthenticated, remote attacker could send a carefully crafted malicious payload to the device bypass file policy configurations

According to its version and configuration, the Cisco Software running on the remote Integrated Services Router device is affected by affected by a file policy bypass vulnerability due to the incorrect handling of a HTTP range header. An unauthenticated, remote attacker could send a carefully crafted malicious payload to the device bypass file policy configurations

ID	Name	Product	Family	Severity
171628	Debian DSA-5354-1 : snort - security update	Nessus	Debian Local Security Checks	high
171378	Debian DLA-3317-1 : snort - LTS security update	Nessus	Debian Local Security Checks	high
146203	Cisco Firepower Threat Defense HTTP Detection Engine File Policy Bypass (cisco-sa-snort-filepolbypass-67DEwMe2)	Nessus	CISCO	high
146202	Cisco Integrated Services Routers 1000/4000 Series HTTP Detection Engine File Policy Bypass (cisco-sa-snort-filepolbypass-67DEwMe2)	Nessus	CISCO	high

Detections

Analytics

CVE-2021-1223

high

Tenable Plugins

high

high

high

high