PT-2017-17222 · Cisco · Cisco Sourcefire Snort

Published: 2017-05-16 · Updated: 2019-10-03 · CVE-2017-6657

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions: Cisco Sourcefire Snort version 3.0 before build 233

Description: The issue arises from missing ether type validation, which allows crafted packets to confuse the Snort++ decoder. Because valid ether types and IP protocol numbers do not overlap, all protocol decoders are stored in a single array indexed by either value; a packet that carries an IP protocol number in the ether type field therefore selects the wrong decoder and can make it malfunction. For instance, an eth:llc:snap:icmp6 packet can lead to a crash because there is no ip6 header from which to calculate the icmp6 checksum. Affected decoders include gre, llc, trans bridge, ciscometadata, linux sll, and token ring. The problem is resolved by adding a check in the packet manager that validates the ether type before indexing the decoder array and raises an error for out-of-range ether types.

Recommendations: For Cisco Sourcefire Snort version 3.0 before build 233, apply the fix that adds a check in the packet manager to validate the ether type before indexing the decoder array. As a temporary workaround, consider restricting access to the affected decoders, including gre, llc, trans bridge, ciscometadata, linux sll, and token ring, to minimize the risk of exploitation.
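The following is an added illustration, not Snort's own code: a simplified model of a single decoder table shared by ether types and IP protocol numbers, with the unchecked dispatch beside the checked one. The table layout, the 0x0600 boundary, and the SNAP sample bytes are assumptions chosen to mirror the advisory's description.

```cpp
#include <cstdint>
#include <cstddef>

// Constructed model of a single decoder table indexed by both ether types and
// IP protocol numbers (assumption: simplified from the advisory's description).
enum DecoderId { DEC_NONE = 0, DEC_ICMP6, DEC_IP6, DEC_IPV4 };

// IP protocol numbers occupy 0..255; IEEE 802.3 treats values >= 0x0600 as
// ether types, so the hardened path rejects anything below that (assumed).
constexpr uint16_t ETHERTYPE_MINIMUM = 0x0600;
constexpr uint16_t IPPROTO_ICMPV6 = 58;
constexpr uint16_t ETHERTYPE_IPV4 = 0x0800;
constexpr uint16_t ETHERTYPE_IPV6 = 0x86DD;

struct Table { uint8_t slot[65536]; };

static const Table& table() {
    static const Table t = [] {
        Table x{};
        x.slot[IPPROTO_ICMPV6] = DEC_ICMP6;  // registered by IP protocol number
        x.slot[ETHERTYPE_IPV4] = DEC_IPV4;   // registered by ether type
        x.slot[ETHERTYPE_IPV6] = DEC_IP6;
        return x;
    }();
    return t;
}

// Vulnerable dispatch: the next-protocol field from LLC/SNAP, GRE, etc. indexes
// the table directly, so ether type 58 selects ICMPv6 with no IPv6 header.
int dispatch_unchecked(uint16_t ether_type) { return table().slot[ether_type]; }

// Hardened dispatch: an ether type inside the IP protocol range is a decode
// error (-1) and never reaches the table.
int dispatch_checked(uint16_t ether_type) {
    if (ether_type < ETHERTYPE_MINIMUM) return -1;
    return table().slot[ether_type];
}

// Parse the big-endian type field of an 8-byte SNAP header (DSAP, SSAP, CTRL,
// OUI[3], TYPE[2]) and hand it to one of the two dispatchers.
int decode_snap(const uint8_t* snap, size_t len, bool validate) {
    if (len < 8) return -1;
    uint16_t type = static_cast<uint16_t>((snap[6] << 8) | snap[7]);
    return validate ? dispatch_checked(type) : dispatch_unchecked(type);
}

// Constructed samples: a SNAP header whose type field carries IP protocol 58,
// and a well-formed one carrying the IPv6 ether type.
const uint8_t kCraftedSnap[8] = {0xAA, 0xAA, 0x03, 0, 0, 0, 0x00, 0x3A};
const uint8_t kIpv6Snap[8]    = {0xAA, 0xAA, 0x03, 0, 0, 0, 0x86, 0xDD};
```

With the unchecked path, the crafted header reaches the ICMPv6 decoder; with the checked path it is rejected before the table is indexed.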


Related Identifiers: CVE-2017-6657

Affected Products: Cisco Sourcefire Snort