Cisco Products Snort 3 JSTokenizer Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in multiple Cisco products that use the Snort 3 Detection Engine. It allows an unauthenticated, remote attacker to disrupt packet inspection by causing the Snort 3 Detection Engine to restart unexpectedly. The flaw lies in the JSTokenizer normalization logic used when handling JavaScript during HTTP inspection, and it is triggered by crafted HTTP packets sent through an established connection that Snort 3 is parsing. Although this normalization is not enabled by default, where it is enabled the flaw results in a denial-of-service condition.
Impact
Exploitation of this vulnerability causes the Snort 3 Detection Engine to restart, interrupting packet inspection and analysis.
Remediation
Cisco has released software updates that address this vulnerability. For open source Snort 3, upgrade to version 3.9.7.0 or later. For Cisco Secure Firewall Threat Defense (FTD) Software, the issue applies only when Snort 3 is the active engine; use the Cisco Software Checker tool to determine whether your release is affected. Instructions for downloading the update are available on the Cisco Support and Downloads page.
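For an open source Snort 3 deployment, the one check the remediation above calls for is whether the running build predates 3.9.7.0. The script below is an added example, not Cisco's or the Snort project's code; it assumes that `snort -V` prints a banner line of the form `Version X.Y.Z.W` (the banner text embedded here is constructed) and compares that version against the fixed release.

```python
"""Version gate for the Snort 3 JSTokenizer denial-of-service advisory."""
import re

# Fixed open source Snort 3 release named in the advisory.
FIXED_VERSION = (3, 9, 7, 0)

# Constructed sample of a `snort -V` banner (assumption: Snort 3 builds
# print a "Version X.Y.Z.W" line in this banner).
SAMPLE_BANNER = """\
   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.28.0
   ''''    By Martin Roesch & The Snort Team
"""

_VERSION_RE = re.compile(r"\bVersion\s+(\d+(?:\.\d+){1,3})\b")


def parse_snort_version(banner: str) -> tuple:
    """Extract the dotted version from banner output as a tuple of ints,
    right-padded with zeros to four fields so that 3.9.7 == 3.9.7.0."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no 'Version X.Y.Z.W' line found in banner")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def needs_upgrade(version: tuple, fixed: tuple = FIXED_VERSION) -> bool:
    """True when a Snort 3 build is older than the fixed release.
    Only Snort 3 is in scope for this advisory; a 2.x engine returns False."""
    if version[0] != 3:
        return False
    return version < fixed


def assess(banner: str) -> dict:
    """Summarise a banner: parsed version, whether it is Snort 3, and
    whether the advisory's fixed release is newer than the running build."""
    v = parse_snort_version(banner)
    return {
        "version": ".".join(str(x) for x in v),
        "snort3": v[0] == 3,
        "upgrade_required": needs_upgrade(v),
    }


if __name__ == "__main__":
    # On a live host, pipe `snort -V` output into assess() instead.
    print(assess(SAMPLE_BANNER))
```

Note that the version gate covers only the open source build; FTD users should rely on the Cisco Software Checker, since FTD release numbers do not map directly onto Snort 3 versions.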