Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to incorrect handling of specific HTTP header parameters. An attacker could exploit this vulnerability by sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker to bypass a configured file policy for HTTP packets and deliver a malicious payload.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5354 advisory.

  - Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an     unauthenticated, remote attacker to bypass a configured File Policy for HTTP. The vulnerability is due to     incorrect detection of modified HTTP packets used in chunked responses. An attacker could exploit this     vulnerability by sending crafted HTTP packets through an affected device. A successful exploit could allow     the attacker to bypass a configured File Policy for HTTP packets and deliver a malicious payload.
    (CVE-2020-3299)

  - Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an     unauthenticated, remote attacker to bypass the configured file policies on an affected system. The     vulnerability is due to errors in how the Snort detection engine handles specific HTTP responses. An     attacker could exploit this vulnerability by sending crafted HTTP packets that would flow through an     affected system. A successful exploit could allow the attacker to bypass the configured file policies and     deliver a malicious payload to the protected network. (CVE-2020-3315)

  - Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an     unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to     incorrect handling of an HTTP range header. An attacker could exploit this vulnerability by sending     crafted HTTP packets through an affected device. A successful exploit could allow the attacker to bypass     configured file policy for HTTP packets and deliver a malicious payload. (CVE-2021-1223)

  - Multiple Cisco products are affected by a vulnerability with TCP Fast Open (TFO) when used in conjunction     with the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a     configured file policy for HTTP. The vulnerability is due to incorrect detection of the HTTP payload if it     is contained at least partially within the TFO connection handshake. An attacker could exploit this     vulnerability by sending crafted TFO packets with an HTTP payload through an affected device. A successful     exploit could allow the attacker to bypass configured file policy for HTTP packets and deliver a malicious     payload. (CVE-2021-1224)

  - Multiple Cisco products are affected by a vulnerability in the Snort application detection engine that     could allow an unauthenticated, remote attacker to bypass the configured policies on an affected system.
    The vulnerability is due to a flaw in the detection algorithm. An attacker could exploit this     vulnerability by sending crafted packets that would flow through an affected system. A successful exploit     could allow the attacker to bypass the configured policies and deliver a malicious payload to the     protected network. (CVE-2021-1236)

  - Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an     unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to     incorrect handling of specific HTTP header parameters. An attacker could exploit this vulnerability by     sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker to     bypass a configured file policy for HTTP packets and deliver a malicious payload. (CVE-2021-1495)

  - A vulnerability in Server Name Identification (SNI) request filtering of Cisco Web Security Appliance     (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine could allow an     unauthenticated, remote attacker to bypass filtering technology on an affected device and exfiltrate data     from a compromised host. This vulnerability is due to inadequate filtering of the SSL handshake. An     attacker could exploit this vulnerability by using data from the SSL client hello packet to communicate     with an external server. A successful exploit could allow the attacker to execute a command-and-control     attack on a compromised host and perform additional data exfiltration attacks. (CVE-2021-34749)

  - Multiple Cisco products are affected by a vulnerability in the way the Snort detection engine processes     ICMP traffic that could allow an unauthenticated, remote attacker to cause a denial of service (DoS)     condition on an affected device. The vulnerability is due to improper memory resource management while the     Snort detection engine is processing ICMP packets. An attacker could exploit this vulnerability by sending     a series of ICMP packets through an affected device. A successful exploit could allow the attacker to     exhaust resources on the affected device, causing the device to reload. (CVE-2021-40114)

  - Multiple Ciscoproducts are affected by vulnerabilities in the Snort detection engine that could allow an     unauthenticated, remote attacker to bypass a configured file policy for HTTP. (CVE-2021-1494)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3317 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-3317-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Markus Koschany     February 11, 2023                             https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : snort     Version        : 2.9.20-0+deb10u1     CVE ID         : CVE-2020-3299 CVE-2020-3315 CVE-2021-1223 CVE-2021-1224                      CVE-2021-1236 CVE-2021-1494 CVE-2021-1495 CVE-2021-34749                      CVE-2021-40114     Debian Bug     : 1021276

    Multiple security vulnerabilities were discovered in snort, a flexible Network     Intrusion Detection System, which could allow an unauthenticated, remote     attacker to cause a denial of service (DoS) condition or bypass filtering     technology on an affected device and ex-filtrate data from a compromised host.

    For Debian 10 buster, these problems have been fixed in version     2.9.20-0+deb10u1.

    We recommend that you upgrade your snort packages.

    For the detailed security status of snort please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/snort

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: This is a digitally signed message part

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, Cisco IOS XE is affected by a vulnerability in the Snort   detection engine due to a flaw in the handling of HTTP header parameters. An unauthenticated, remote attacker can exploit this by   sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker to bypass a configured file   policy for HTTP packets and deliver a malicious payload.

  Please see the included Cisco BIDs and Cisco Security Advisory for more information.

According to its self-reported version, Cisco IOS XE is affected by a vulnerability in the Snort   detection engine due to a flaw in the handling of HTTP header parameters. An unauthenticated, remote attacker can   exploit this by sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker   to bypass a configured file policy for HTTP packets and deliver a malicious payload.

  Please see the included Cisco BIDs and Cisco Security Advisory for more information.

ID	Name	Product	Family	Severity
171628	Debian DSA-5354-1 : snort - security update	Nessus	Debian Local Security Checks	high
171378	Debian dla-3317 : snort - security update	Nessus	Debian Local Security Checks	high
150059	Cisco Firepower Threat Defence Snort HTTP Detection Engine File Policy Bypass (cisco-sa-http-fp-bp-KfDdcQhc)	Nessus	CISCO	medium
150058	Multiple Cisco Products Snort HTTP Detection Engine File Policy Bypass (cisco-sa-http-fp-bp-KfDdcQhc)	Nessus	CISCO	medium

Detections

Analytics

CVE-2021-1494

medium

Tenable Plugins

high

high

medium

medium