Ether Type Validation Flaw in Cisco Sourcefire Snort 3.0
CVE-2017-6657

7.5 HIGH

Key Information:

Vendor: Cisco
CVE Published: 16 May 2017

Summary

An improper input validation flaw exists in Cisco Sourcefire Snort 3.0 prior to build 233. This vulnerability arises due to the mishandling of Ether Type validation. Specifically, the Snort++ architecture stores all protocol decoders in a single array, allowing attackers to craft packets with IP protocol numbers in the ether type field. This manipulation can confuse the decoder and lead to packet processing failures, such as crashes when legitimate packets like eth:llc:snap:icmp6 are processed without their corresponding IP headers. The fix introduced a validation check to ensure proper indexing of the decoder array, preventing out-of-range ether types.
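
The validation described in the summary, sketched in C as an added example (this is not Snort's source code). The table layout, the function names, the IP-layer bound and the sample SNAP header are hypothetical and constructed for illustration; the 0x0600 lower bound for EtherType values comes from IEEE 802.3.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IEEE 802.3: type-field values start at 0x0600; IP protocol numbers fit in 8 bits. */
#define MIN_ETHERTYPE  0x0600u
#define ETHERTYPE_IPV6 0x86DDu
#define PROTO_ICMP6    58u

typedef enum { DEC_NONE = 0, DEC_IP6, DEC_ICMP6 } decoder_id;
typedef enum { FROM_LINK_LAYER, FROM_IP_LAYER } caller_kind;

/* Hypothetical layout: one table shared by EtherTypes and IP protocol numbers. */
static decoder_id decoder_table[65536];

void register_decoders(void) {
    decoder_table[ETHERTYPE_IPV6] = DEC_IP6;
    decoder_table[PROTO_ICMP6] = DEC_ICMP6;
}

/* Unvalidated: whatever 16-bit value the header carries selects the decoder. */
decoder_id lookup_unchecked(uint16_t id) { return decoder_table[id]; }

/* Validated: the id must belong to the number space of the calling layer
   (the IP-layer bound is an assumption added here for symmetry). */
decoder_id lookup_checked(caller_kind who, uint16_t id) {
    if (who == FROM_LINK_LAYER && id < MIN_ETHERTYPE) return DEC_NONE;
    if (who == FROM_IP_LAYER && id > 0xFFu) return DEC_NONE;
    return decoder_table[id];
}

/* LLC/SNAP header: DSAP, SSAP, control, 3-byte OUI, 2-byte type (big-endian). */
int snap_type(const uint8_t *p, size_t len, uint16_t *out) {
    if (len < 8 || p[0] != 0xAA || p[1] != 0xAA || p[2] != 0x03) return -1;
    *out = (uint16_t)((p[6] << 8) | p[7]);
    return 0;
}

/* Constructed sample: SNAP header whose type field holds 58, not an EtherType. */
static const uint8_t SAMPLE_SNAP[8] = {0xAA, 0xAA, 0x03, 0, 0, 0, 0x00, 0x3A};

int main(void) {
    uint16_t type = 0;
    register_decoders();
    if (snap_type(SAMPLE_SNAP, sizeof SAMPLE_SNAP, &type) != 0) return 1;
    printf("type=0x%04x unchecked=%d checked=%d\n", type,
           lookup_unchecked(type), lookup_checked(FROM_LINK_LAYER, type));
    return 0;
}
```

With the unchecked lookup the link-layer value 58 resolves to the ICMPv6 decoder even though no IPv6 header was decoded; the checked lookup returns no decoder for it.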

Affected Version(s)

Snort 3.0: all versions prior to build 233.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
