CVE-2024-20363
📋 TL;DR
This vulnerability allows an unauthenticated, remote attacker to bypass Cisco Snort 3 HTTP intrusion prevention rules by sending specially crafted HTTP packets through an affected device. It is an inspection bypass, not code execution: traffic that an enabled rule should have blocked crosses the firewall uninspected. Affected systems include Cisco Firepower Threat Defense, Secure Firewall Management Center, and other products that run the Snort 3 engine; any deployment that relies on Snort 3 HTTP rules for enforcement is exposed.
💻 Affected Systems
- Cisco Firepower Threat Defense
- Cisco Secure Firewall Management Center
- Cisco Secure Firewall 3100 Series
- Cisco Secure Firewall 4200 Series
- Cisco Secure Firewall 9300 Series
📦 What is this software?
Snort by Cisco
Unified Threat Defense Snort Intrusion Prevention System Engine by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Attackers could evade Snort 3 inspection of HTTP traffic, so exploits, malware downloads or command-and-control carried over HTTP cross the firewall without triggering the IPS rules meant to stop them.
Likely Case
Targeted attackers could bypass specific IPS rules to deliver payloads or exfiltrate data while avoiding detection.
If Mitigated
With segmentation and defense in depth, the attacker gains only what the bug gives: HTTP traffic that escapes Snort 3 inspection at that one device. Other layers (host-based protection, web application firewalls, a second sensor, egress filtering) still have the chance to detect or block the activity.
🎯 Exploit Status
Exploitation requires only that the attacker can send crafted HTTP traffic through an affected device, for example from the internet to a protected web server; no credentials and no access to the device itself are needed. The page does not describe any public exploit, and the effect of a successful attempt is silent from the IPS's point of view, which makes it hard to notice after the fact.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Snort 3 version 3.2.0.0 or later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort3-ips-bypass-uE69KBMd
Restart Required: Yes
Instructions:
1. Log in to Cisco Secure Firewall Management Center (FMC).
2. Go to System > Updates and download the Cisco software release that ships the fixed Snort 3 engine (3.2.0.0 or later) for each affected platform.
3. Install the update on each affected managed device. The update restarts the Snort process and interrupts inspection, so schedule it in a maintenance window.
4. Deploy the updated configuration to the affected devices.
5. Confirm the Snort 3 version on every managed device, not only on the FMC, since each device runs its own engine.
🔧 Temporary Workarounds
Disable HTTP inspection
Disabling HTTP inspection in the Snort 3 policy does not reduce exposure: the impact of this vulnerability is that crafted HTTP traffic escapes inspection, and turning inspection off produces that same outcome for all HTTP traffic. Treat it only as an operational fallback, not as a mitigation, and rely on the compensating controls below until the fixed engine is installed.
# In FMC GUI: Policies > Access Control > Edit Policy > Disable HTTP inspection rules (not recommended; see above)
🧯 If You Can't Patch
- Implement network segmentation to limit traffic flow through vulnerable devices
- Deploy additional network monitoring and IDS/IPS systems as compensating controls
🔍 How to Verify
Check if Vulnerable:
Check Snort 3 version in Cisco FMC: System > Updates > Installed Updates, or via CLI: show version | include Snort
Check Version:
show version | include Snort
Verify Fix Applied:
On every managed device, not only on the FMC, verify that the Snort 3 engine is 3.2.0.0 or later and that intrusion events are still generated for known-bad test HTTP traffic after the restart.
📡 Detection & Monitoring
Log Indicators:
- No IPS event at all for HTTP traffic that matches an enabled rule. A successful bypass leaves no "bypass" record in Snort logs; its signature is the absence of the alert or drop you expect.
- Web-server, proxy or endpoint logs showing requests that an enabled Snort 3 HTTP rule should have blocked.
- An unexplained drop in intrusion-event volume for HTTP rules while HTTP traffic volume through the inspection point stays steady.
Network Indicators:
- HTTP requests with anomalous framing (malformed or unusual headers, request structure or encodings) arriving at protected hosts.
- Traffic that reaches a protected host although the IPS policy is configured to block it.
SIEM Query:
The bypass cannot be found in the IPS logs alone; correlate a second vantage point (web-server access logs, a passive sensor, EDR) against IPS intrusion events. Illustrative Splunk-style query, with the index names, the uri field and the pattern as placeholders for your own schema: requests carrying an injection pattern seen at the server, from a source for which the IPS logged nothing in the last hour:
index=web uri="*UNION*SELECT*" NOT [ search index=ips earliest=-1h | fields src_ip ]
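The correlation described above, as an added example that is not part of the original page or of any Cisco tooling: a web-server access log from a host behind the firewall is matched against the IPS's exported intrusion events, and any request that fits a rule we expect to fire but has no IPS event from the same source within a short time window is flagged. The access-log lines, the CSV column names and the expected-block patterns are all constructed for the example; map the columns to your own FMC export schema.

```python
"""
Added example: flag HTTP requests that reached a protected server although an
enabled IPS rule should have fired on them. An inspection bypass leaves no log
entry of its own, so the only footprint is the missing IPS event.
"""
import csv
import io
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed sample: combined-format access log from a server behind the IPS.
ACCESS_LOG = """\
203.0.113.10 - - [14/Oct/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.20 - - [14/Oct/2024:10:00:05 +0000] "GET /../../etc/passwd HTTP/1.1" 404 210
203.0.113.30 - - [14/Oct/2024:10:00:09 +0000] "GET /search?q=1%20UNION%20SELECT%20password HTTP/1.1" 200 330
203.0.113.40 - - [14/Oct/2024:10:00:12 +0000] "GET /cgi-bin/test.cgi;id HTTP/1.1" 500 120
"""

# Constructed sample: intrusion events exported from the IPS. Column names are
# hypothetical. Note the event for 203.0.113.30 is five minutes after its
# request: a later hit from the same source does not account for the earlier one.
IPS_EVENTS = """\
timestamp,src_ip,dst_ip,rule,action
2024-10-14T10:00:05Z,203.0.113.20,10.0.0.5,SERVER-WEBAPP directory traversal attempt,Alert
2024-10-14T10:00:12Z,203.0.113.40,10.0.0.5,SERVER-WEBAPP command injection attempt,Alert
2024-10-14T10:05:09Z,203.0.113.30,10.0.0.5,SERVER-WEBAPP SQL injection attempt,Alert
"""

# Illustrative stand-ins for rule content an enabled Snort 3 HTTP rule is
# expected to fire on, matched against the URL-decoded request target.
EXPECTED_BLOCK_PATTERNS = [
    (re.compile(r"\.\./"), "directory traversal"),
    (re.compile(r"union\s+select", re.IGNORECASE), "SQL injection"),
    (re.compile(r"/cgi-bin/[^ ]*;"), "command injection"),
]

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts with a tz-aware timestamp."""
    records = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines in other formats rather than guessing
        records.append({
            "src": m["src"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "target": unquote(m["target"]),  # decode %20 etc. before matching
            "status": int(m["status"]),
        })
    return records


def parse_ips_events(text):
    """Parse the CSV export; timestamps are ISO-8601 UTC with a trailing Z."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        naive = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["ts"] = naive.replace(tzinfo=timezone.utc)
        events.append(row)
    return events


def classify(target):
    """Label of the first expected-block pattern the target matches, or None."""
    for pattern, label in EXPECTED_BLOCK_PATTERNS:
        if pattern.search(target):
            return label
    return None


def find_uninspected(access_records, ips_events, window=timedelta(seconds=30)):
    """Requests that should have fired a rule but have no IPS event from the
    same source within +/- window. These are bypass candidates, or evidence
    that the rule is not actually enabled; check the policy either way."""
    flagged = []
    for rec in access_records:
        label = classify(rec["target"])
        if label is None:
            continue
        covered = any(
            ev["src_ip"] == rec["src"] and abs(ev["ts"] - rec["ts"]) <= window
            for ev in ips_events
        )
        if not covered:
            flagged.append({"src": rec["src"], "ts": rec["ts"],
                            "target": rec["target"], "expected": label})
    return flagged


if __name__ == "__main__":
    hits = find_uninspected(parse_access_log(ACCESS_LOG), parse_ips_events(IPS_EVENTS))
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['src']} reached the server with a "
              f"{h['expected']} payload and no IPS event: {h['target']}")
```

This only catches bypasses for rules that are configured to alert or drop, and it needs a second vantage point that the attacker cannot suppress. Keep the time window tight: correlating on source address alone would have credited the later SQL-injection event to the earlier request and hidden the gap.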