CVE-2021-40116: 
Snort vulnerability analysis and mitigation

CVE-2021-40116 is a vulnerability affecting multiple Cisco products running Snort3 that was discovered in 2021. The vulnerability exists in Snort rules implementation and affects systems with Block with Reset or Interactive Block with Reset actions configured without proper constraints. This vulnerability was first published on October 27, 2021, and primarily impacts Cisco Firepower Threat Defense (FTD) Software and open source Snort3 project releases earlier than Release 3.1.0.100 (Cisco Advisory).

The vulnerability stems from improper handling of the Block with Reset or Interactive Block with Reset actions in Snort rules when configured without proper constraints. The vulnerability has received a CVSS Base Score of 8.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. For a device to be vulnerable, three conditions must be met: it must run Snort3, have a rule configured with a Block with Reset or Interactive Block with Reset action, and the rule must not specify an application or protocol (TCP or UDP) within the rule (Cisco Advisory).

A successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The attacker could cause through traffic to be dropped by sending a crafted IP packet to the affected device (Cisco Advisory).

Cisco has provided three workaround options: 1) Change the Snort inspection engine from Snort3 to Snort2, 2) Change all rule actions from Block with Reset or Interactive Block with Reset to another action, or 3) Narrow the firewall reset rule to block TCP and/or UDP directly or specify an application that runs over UDP or TCP. Additionally, Cisco has released software updates that address this vulnerability, with version 3.1.0.100 being the first fixed release for Snort3 (Cisco Advisory).