CVE-2021-34749: 
Snort vulnerability analysis and mitigation

A vulnerability (CVE-2021-34749) was discovered in the web filtering features of multiple Cisco products, first published on August 18, 2021. This vulnerability affects various Cisco products including 3000 Series Industrial Security Appliances, 4000 Series Integrated Services Routers, Catalyst Series Edge Platforms, Firepower Threat Defense Software, and Web Security Appliance when configured with SSL/TLS decryption option and using web reputation or URL filtering features. The vulnerability is due to inadequate inspection of the Server Name Identification (SNI) header in the SSL/TLS handshake (Cisco Advisory).

The vulnerability has a CVSS base score of 5.8 and is classified under CWE-200. The issue stems from inadequate filtering of the SSL handshake, specifically in the inspection of the Server Name Identification (SNI) header. An attacker could exploit this vulnerability by using data from the TLS client hello packet to communicate with a blocked external server. The vulnerability affects all open source Snort project releases earlier than Release 2.9.18 (Cisco Advisory).

A successful exploit could allow an unauthenticated, remote attacker to bypass web reputation filters and threat detection mechanisms on an affected device and exfiltrate data from a compromised host to a blocked external server. The vulnerability could be used to circumvent protections based on web reputation filters, URL filtering, and threat detection (Cisco Advisory).

No direct workarounds are available for this vulnerability. However, Cisco has released a Snort rule with SID 58062 to detect and mitigate attacks performed with the SNIcat tool. To ensure full protection, the action for the rule should be set to Block. Cisco is also working on developing a solution to extend web reputation, URL filtering, and threat inspection features to the SNI header (Cisco Advisory).