CVE-2021-40116
📋 TL;DR
This vulnerability in Cisco FTD Software running the Snort 3 detection engine allows an unauthenticated, remote attacker to cause a denial of service (DoS) by sending crafted IP packets through an affected device. A successful exploit causes traffic transiting the device to be dropped. Only devices using Snort 3 with rules that carry the Block with Reset or Interactive Block with Reset actions are affected; devices running Snort 2, or Snort 3 without those rule actions, are not.
💻 Affected Systems
- Cisco Firepower Threat Defense (FTD)
- Cisco Firepower Management Center (FMC)
- Cisco Secure Firewall Management Center
- Cisco Secure Firewall Threat Defense
📦 What is this software?
Cisco Secure Firewall Management Center (formerly Firepower Management Center): the central manager that builds and deploys policies to FTD devices
Snort by Cisco: the open-source IDS/IPS engine; Snort 3 is the detection engine inside Cisco Secure Firewall Threat Defense (formerly Firepower Threat Defense)
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service on affected network devices, disrupting all network traffic through the device
Likely Case
Intermittent traffic drops and service disruption affecting network availability
If Mitigated
No impact if the device runs Snort 2, if no rule uses the Block with Reset or Interactive Block with Reset actions, or if a fixed release has been installed
🎯 Exploit Status
Exploitation requires only the ability to send crafted IP packets through the affected device; no authentication, credentials or management-plane access is needed, so any host whose traffic transits the firewall is a potential source
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple fixed releases depending on product and release train; see the Cisco advisory (and its Fixed Software section) for the exact version for your platform
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-dos-RywH7ezM
Restart Required: Yes
Instructions:
1. Look up the fixed release for your product and release train in the Cisco advisory.
2. Upgrade FMC first, then the managed FTD devices, following the documented upgrade path.
3. Reboot or restart the affected devices or services as the upgrade requires, then redeploy policy from FMC.
🔧 Temporary Workarounds
Disable vulnerable rule actions
Remove, disable, or change the action of any rule that uses Block with Reset or Interactive Block with Reset in the policies deployed to Snort 3 devices (for example, change them to plain Block), then redeploy. This removes the condition the vulnerability depends on but also removes the TCP reset / interactive block page behaviour those rules provided.
# Configuration varies by product - consult Cisco documentation for specific commands
Use Snort2 instead of Snort3
Switch affected devices from the Snort 3 engine back to Snort 2. Features that exist only in Snort 3 stop applying, and the switch itself interrupts inspection, so validate in a maintenance window.
# Configuration varies by product - consult Cisco documentation for specific commands
🧯 If You Can't Patch
- Implement network segmentation so that untrusted networks reach as few vulnerable devices as possible
- Apply upstream filtering that limits which source addresses can send traffic through (not just to) the vulnerable device; this shrinks the attack surface but cannot stop an attacker whose traffic is already permitted to transit the firewall
🔍 How to Verify
Check if Vulnerable:
A device is vulnerable when it runs a release earlier than the fixed release for its train, uses the Snort 3 engine, and has at least one enabled rule whose action is Block with Reset or Interactive Block with Reset in a policy deployed to it
Check Version:
# FTD CLI: 'show version'; on FMC the version is shown under Help > About in the web UI or via 'show version' in the FMC CLI
Verify Fix Applied:
Confirm the running version on every FTD device and on FMC is at or above the fixed release listed in the Cisco advisory for that release train, and that policy has been redeployed after the upgrade
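The "Check if Vulnerable" step above combines two facts: which engine each device runs and whether any deployed rule uses the reset-style actions. The following script, added here as an example and not code from Cisco or this page, audits those two facts over exported rule and device records. The record shape it reads (an `accessrules` list with `name`, `action`, `enabled`; device records with `name`, `snortEngine`, `accessPolicy`) is this author's assumption about the FMC REST API objects, as are the action enum names `BLOCK_RESET` and `BLOCK_RESET_INTERACTIVE`; check them against your own export before relying on the output. The sample data is constructed.

```python
"""Audit FMC-style device and access-rule records for the CVE-2021-40116
precondition: a Snort 3 device with an enabled Block with Reset or Interactive
Block with Reset rule.  Added example; record shapes and enum names are assumed."""
import json

# Rule actions the vulnerability is conditioned on (assumed FMC API enum names).
RISKY_ACTIONS = {
    "BLOCK_RESET": "Block with Reset",
    "BLOCK_RESET_INTERACTIVE": "Interactive Block with Reset",
}


def exposed_rules(rules):
    """Return the enabled rules whose action is one of RISKY_ACTIONS.

    Disabled rules are skipped because they are not deployed to the engine."""
    return [r for r in rules
            if r.get("enabled", True) and r.get("action") in RISKY_ACTIONS]


def audit(devices, policies):
    """Return one finding per (Snort 3 device, exposed rule) pair.

    devices:  list of device records (name, snortEngine, accessPolicy.name)
    policies: dict mapping access-policy name -> list of rule records"""
    findings = []
    for dev in devices:
        if dev.get("snortEngine") != "SNORT3":
            continue  # Snort 2 devices are not affected by this CVE
        policy_name = dev.get("accessPolicy", {}).get("name")
        for rule in exposed_rules(policies.get(policy_name, [])):
            findings.append({
                "device": dev["name"],
                "policy": policy_name,
                "rule": rule["name"],
                "action": RISKY_ACTIONS[rule["action"]],
            })
    return findings


def audit_json(devices_json, policies_json):
    """Same audit over the raw JSON text you would save from API responses."""
    return audit(json.loads(devices_json), json.loads(policies_json))


# Constructed sample: three devices sharing two policies.
SAMPLE_DEVICES = [
    {"name": "ftd-edge-1", "snortEngine": "SNORT3", "accessPolicy": {"name": "Edge-ACP"}},
    {"name": "ftd-branch-2", "snortEngine": "SNORT2", "accessPolicy": {"name": "Edge-ACP"}},
    {"name": "ftd-dc-3", "snortEngine": "SNORT3", "accessPolicy": {"name": "DC-ACP"}},
]
SAMPLE_POLICIES = {
    "Edge-ACP": [
        {"name": "Allow-DNS", "action": "ALLOW", "enabled": True},
        {"name": "Block-Tor-Reset", "action": "BLOCK_RESET", "enabled": True},
        {"name": "Legacy-Reset", "action": "BLOCK_RESET_INTERACTIVE", "enabled": False},
    ],
    "DC-ACP": [
        {"name": "Block-Telnet", "action": "BLOCK", "enabled": True},
    ],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_DEVICES, SAMPLE_POLICIES):
        print(f"{f['device']}: policy {f['policy']} rule '{f['rule']}' uses {f['action']}")
```

Only ftd-edge-1 is reported: ftd-branch-2 shares the same policy but runs Snort 2, and ftd-dc-3 runs Snort 3 but its policy uses plain Block. The disabled interactive rule is deliberately ignored; re-enabling it would bring the device back into scope, so treat disabled reset rules as a latent finding when reviewing.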
📡 Detection & Monitoring
Log Indicators:
- Connection events or syslog showing through traffic being dropped that policy should have permitted
- Snort 3 process restarts or health alerts for the detection engine
- Sustained high CPU/memory usage on affected devices
Network Indicators:
- Bursts of packets matching rules whose action is Block with Reset or Interactive Block with Reset, especially many hits from a single source in a short window
- Sudden increase in traffic to specific ports on affected devices, or transiting them
- Users or monitoring probes reporting loss of connectivity through the firewall while the device itself stays reachable
SIEM Query:
Correlate, per FTD device still running Snort 3, a spike in hits on reset-action rules with a subsequent drop in permitted connection events or a Snort health alert from the same device within a few minutes
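The network indicator above, a burst of hits on reset-action rules from one source, can be turned into a simple sliding-window detector. The block below is an added example, not Cisco's or this page's code; it reads events in a minimal constructed shape (`ts` in seconds, `src`, and the rule `action` label) rather than any real FTD syslog format, so map your own connection-event fields onto those three keys before use. The threshold and window are illustrative assumptions to tune against your baseline.

```python
"""Sliding-window burst detector over constructed connection events: flags a
source that hits Block with Reset / Interactive Block with Reset rules more
than `threshold` times within any `window` seconds.  Added example; event
shape, window and threshold are assumptions, not Cisco defaults."""
from collections import defaultdict, deque

# The rule actions CVE-2021-40116 is conditioned on; other actions are ignored.
RESET_ACTIONS = {"Block with Reset", "Interactive Block with Reset"}


def burst_sources(events, window=60, threshold=20):
    """Return {src: peak_hits_in_window} for sources exceeding the threshold.

    `events` must be sorted by ts; each event is a dict with ts, src, action."""
    recent = defaultdict(deque)   # src -> timestamps of recent reset-rule hits
    peaks = {}
    for ev in events:
        if ev["action"] not in RESET_ACTIONS:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        # Drop hits that fell out of the trailing window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[ev["src"]] = max(peaks.get(ev["src"], 0), len(q))
    return peaks


def make_sample():
    """Constructed events: one bursty source, one slow source, one noisy but
    irrelevant source (plain Block hits)."""
    events = []
    for i in range(30):   # 10.0.0.7: 30 reset-rule hits in 10 seconds
        events.append({"ts": 1000 + i // 3, "src": "10.0.0.7",
                       "action": "Block with Reset"})
    for i in range(25):   # 10.0.0.8: 25 hits spread over 5 minutes
        events.append({"ts": 1000 + i * 12, "src": "10.0.0.8",
                       "action": "Interactive Block with Reset"})
    for i in range(40):   # 10.0.0.9: plain Block hits, never counted
        events.append({"ts": 1000 + i, "src": "10.0.0.9", "action": "Block"})
    events.sort(key=lambda e: e["ts"])
    return events


if __name__ == "__main__":
    for src, peak in burst_sources(make_sample()).items():
        print(f"{src}: {peak} reset-rule hits within 60s window")
```

With the defaults only 10.0.0.7 is flagged; 10.0.0.8 never has more than six hits in any 60-second window, and 10.0.0.9 is ignored because plain Block is not one of the implicated actions. Lowering the threshold to 5 surfaces 10.0.0.8 as well, which is the tuning trade-off: the detector tells you who is hammering the vulnerable rule path, not whether the exploit succeeded, so pair it with the through-traffic and health indicators listed above.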