Snort flaw opens the door to intruders

By John McCormick
02 June 2003 04:50 PM
The Snort intrusion-detection system (IDS) is supposed to help administrators keep intruders at bay, but a recently discovered vulnerability (CERT advisory CA-2003-13, “Multiple Vulnerabilities in Snort Preprocessors”) could actually open up network access to attackers.

Snort is a widely used, open source, lightweight IP network IDS that can perform real-time traffic analysis and packet logging. It was recently discovered that two modules in later versions of Snort each contain a different vulnerability.

This advisory is significant because Snort is so popular and because either vulnerability allows an attacker to run arbitrary code on the sensor. Snort normally runs as superuser (root) because it needs raw access to the capture interface, so a successful exploit can hand the attacker full control of the sensor and of everything it sees on the wire. Because the sensor inspects every packet on the segments it monitors, the attacker does not need to be able to reach the sensor's own address; malicious packets sent to any monitored host will do.

Details
The first problem is a heap overflow in the Snort stream4 preprocessor, designated VU#139129 and discovered by Core Security Technologies, which has posted a page with technical details of what it found along with proof-of-concept exploit code. Stream4 is the plug-in that tracks TCP sessions and reassembles TCP traffic before handing it to the detection engine. The people at Snort.org have acknowledged this vulnerability and posted their own report.

At about the same time, Internet Security Systems discovered and reported a buffer overflow in the Snort RPC preprocessor (rpc_decode), designated VU#916785. See the ISS X-Force advisory for more details. The bug appeared in version 1.8, when that version added detection of fragmented RPC records: the preprocessor reassembles the fragments into a buffer without checking that the combined data fits. According to ISS, an attacker only needs to send the specially formed packets to any host on a segment the sensor monitors to initiate the attack. Having a non-executable stack does not protect against this threat.

Applicability
Although there are two separate vulnerabilities, the affected versions largely overlap. Snort 1.8.x, 1.9.x, and 2.0 builds prior to release candidate 1 are affected by VU#139129, the stream4 heap overflow. Snort 1.8.x through 1.9.0 and 2.0 beta are affected by VU#916785, the rpc_decode buffer overflow. Check which version a sensor is running with snort -V before assuming it is safe.

Risk level—serious
This flaw could allow an attacker to remotely execute arbitrary code with root privileges on a Snort system.

Fix—upgrade
Both vulnerabilities are fixed in the final version 2.0 release of Snort, which is available for download from the Snort.org site. CERT has provided an emergency workaround for those who can't immediately update Snort:

Open the snort.conf configuration file on the sensor (commonly /etc/snort/snort.conf, though the exact path depends on how Snort was installed). To prevent exploitation of VU#139129, comment out the following line by prefixing it with #:
preprocessor stream4_reassemble

To prevent exploitation of VU#916785, comment out the rpc_decode line. The default port list is shown here; comment out whichever rpc_decode line your configuration contains:
preprocessor rpc_decode: 111 32771

Finally, send a SIGHUP signal to the affected Snort process so it re-reads the configuration, and confirm that the sensor is still running afterward. Be aware of what the workaround costs: with stream4 reassembly off, Snort no longer inspects reassembled TCP streams, so signatures that depend on reassembly can be evaded by splitting an attack across segments, and with rpc_decode off, fragmented RPC records are no longer normalized for the rules to see. According to CERT, blocking all outbound traffic from the Snort sensor also provides some degree of protection until the update can be installed: a passive sensor has no need to originate traffic, so egress filtering does not stop the overflow itself but does contain the reverse shell or tool download an exploit would attempt afterward.
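The following script applies the CERT workaround above in one step and verifies the result before signalling the sensor. It is an added example, not code from the article, CERT or the Snort project. The configuration it edits is a constructed sample so that it runs stand-alone; the real-world paths /etc/snort/snort.conf and /var/run/snort_eth0.pid are assumptions about a typical install.

```shell
#!/bin/sh
# Added example (not from the article, CERT or the Snort project): comment out
# the stream4_reassemble and rpc_decode directives in a snort.conf, verify that
# neither is still active, and HUP the sensor if a PID file is given.
# The file paths and the PID file name are assumptions about a typical install.

# Constructed sample configuration so the script runs stand-alone; it is not a
# copy of any real snort.conf.
make_sample_conf() {
    cat <<'EOF'
var HOME_NET any
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
EOF
}

# Print the configuration in $1 with the two affected directives commented out.
# Only the directive names are matched, so a site-specific rpc_decode port list
# ("rpc_decode: 111 32771 32772") is still caught, and a line that is already
# commented out is left alone. stream4 itself (session tracking) stays enabled.
disable_vulnerable_preprocessors() {
    sed -e 's/^\([[:space:]]*preprocessor[[:space:]]\{1,\}stream4_reassemble\)/# \1/' \
        -e 's/^\([[:space:]]*preprocessor[[:space:]]\{1,\}rpc_decode\)/# \1/' "$1"
}

# Number of active (uncommented) "preprocessor <name>" lines in file $2.
# Prints 0 instead of failing when there are none, so it is safe under set -e.
count_active() {
    grep -c "^[[:space:]]*preprocessor[[:space:]]\{1,\}$1" "$2" || true
}

# Apply the workaround to $1 in place (keeping a .bak copy), verify it, then
# send SIGHUP to the process named in PID file $2 if that file is readable.
# Returns non-zero if either vulnerable directive is still active.
apply_workaround() {
    conf="$1"; pidfile="$2"
    cp "$conf" "$conf.bak"
    disable_vulnerable_preprocessors "$conf.bak" > "$conf"
    [ "$(count_active stream4_reassemble "$conf")" -eq 0 ] || return 1
    [ "$(count_active rpc_decode "$conf")" -eq 0 ] || return 1
    if [ -n "$pidfile" ] && [ -r "$pidfile" ]; then
        kill -HUP "$(cat "$pidfile")"   # make Snort re-read snort.conf
    fi
    return 0
}

# Offline demonstration on the constructed sample; no sensor is signalled.
demo_dir=$(mktemp -d)
make_sample_conf > "$demo_dir/snort.conf"
apply_workaround "$demo_dir/snort.conf" ""
diff "$demo_dir/snort.conf.bak" "$demo_dir/snort.conf" || true
# On a real sensor (assumed paths):
#   apply_workaround /etc/snort/snort.conf /var/run/snort_eth0.pid
```

The verification step matters because a directive that survives (for example, an rpc_decode line with an unusual port list, or a second copy of the directive further down the file) leaves the sensor exploitable while looking patched; grepping for active directives after the edit is what catches that.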

Final word
Any network that includes a Snort IDS needs to upgrade to version 2.0 immediately. If that is going to take a while, implement the workaround as soon as possible.

©2003 TechRepublic, Inc.