Cisco Snort 3 VBA Decompression Heap Overflow Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Cisco Snort 3, specifically within the Visual Basic for Applications (VBA) feature. This vulnerability allows an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to crash. The issue arises from improper range checking when decompressing user-controlled VBA data, leading to a heap overflow that causes a DoS condition. The vulnerability affects multiple Cisco products, including Cisco Secure Firewall Threat Defense Software, Cisco IOS XE Software, and Cisco Cyber Vision, under certain conditions.
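The kind of range checking a VBA decompressor needs, as an added illustration (not Snort's code and not taken from the advisory, which does not say which check was missing): a bounds-checked decoder for the token stream of one MS-OVBA compressed chunk. The function name, buffer names and sample byte strings are constructed for this example, and the 4096-byte chunk limit and token layout are taken from the MS-OVBA format as an assumption about what is being decoded.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples (not captured traffic): token streams of one chunk. */
static const uint8_t ok_chunk[]  = {0x02, 'a', 0x03, 0x00}; /* 'a', then copy off=1 len=6 */
static const uint8_t bad_chunk[] = {0x01, 0x03, 0x00};      /* copy before any output exists */
static uint8_t demo_out[4096];

/* Decode the token stream that follows a chunk's 2-byte header.
 * Returns the number of bytes written, or -1 if any token is out of range. */
long vba_chunk_decode(const uint8_t *in, size_t in_len,
                      uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    if (out_cap > 4096) out_cap = 4096;     /* one chunk expands to at most 4096 bytes */
    while (ip < in_len) {
        uint8_t flags = in[ip++];           /* one flag bit per following token */
        for (int bit = 0; bit < 8 && ip < in_len; bit++) {
            if (!(flags & (1u << bit))) {   /* literal token: one byte */
                if (op >= out_cap) return -1;
                out[op++] = in[ip++];
                continue;
            }
            if (in_len - ip < 2) return -1; /* truncated copy token */
            uint16_t tok = (uint16_t)(in[ip] | (in[ip + 1] << 8));
            ip += 2;
            unsigned bits = 4;              /* offset field widens as output grows */
            while ((1u << bits) < op) bits++;
            size_t len = (size_t)(tok & (0xFFFFu >> bits)) + 3;
            size_t off = (size_t)(tok >> (16 - bits)) + 1;
            if (off > op) return -1;            /* source would start before the buffer */
            if (len > out_cap - op) return -1;  /* destination would run past the buffer */
            for (size_t i = 0; i < len; i++, op++)
                out[op] = out[op - off];    /* byte-wise: source and destination may overlap */
        }
    }
    return (long)op;
}

int main(void)
{
    printf("ok:    %ld\n", vba_chunk_decode(ok_chunk, sizeof ok_chunk, demo_out, sizeof demo_out));
    printf("bad:   %ld\n", vba_chunk_decode(bad_chunk, sizeof bad_chunk, demo_out, sizeof demo_out));
    printf("small: %ld\n", vba_chunk_decode(ok_chunk, sizeof ok_chunk, demo_out, 4));
    return 0;
}
```

Both the offset and the length of a copy token come from the input, so each must be checked against the output position and the remaining capacity before any byte is copied.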

Impact

Exploitation of this vulnerability causes the Snort 3 Detection Engine to crash, leading to a denial-of-service condition.

Remediation

Cisco has released software updates to address this vulnerability.

For Cisco Secure Firewall Threat Defense, Snort 3 VBA decompression is not enabled by default. While the feature is disabled, the vulnerability is not active, so it can be kept disabled until the device is upgraded to a fixed release. Instructions for checking and modifying Snort 3 configurations are available in the Cisco Secure Firewall Management Center Snort 3 Configuration Guide, Version 7.2.

For Cisco IOS XE Software, the vulnerability can be addressed by upgrading to a fixed release, such as 17.12.7, 17.15.5, 17.18.3, or 26.1.1.

Added: Mar 4, 2026, 6:47 PM
Updated: Mar 4, 2026, 6:47 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 3.5
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.