Comments on this are welcomed and appreciated. Using snort on a few clients' production boxes at the moment.
--- Crawford

> -----Original Message-----
> From: CERT Advisory [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 17, 2003 8:30 AM
> To: cert-advisory@cert.org
> Subject: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
>
> Original release date: April 17, 2003
> Last revised: --
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> * Snort IDS, versions 1.8 through 2.0 RC1
>
> Overview
>
> There are two vulnerabilities in the Snort Intrusion Detection System,
> each in a separate preprocessor module. Both vulnerabilities allow
> remote attackers to execute arbitrary code with the privileges of the
> user running Snort, typically root.
>
> I. Description
>
> The Snort intrusion detection system ships with a variety of
> preprocessor modules that allow the user to selectively include
> additional functionality. Researchers from two independent
> organizations have discovered vulnerabilities in two of these modules,
> the RPC preprocessor and the "stream4" TCP fragment reassembly
> preprocessor.
>
> For additional information regarding Snort, please see
>
> http://www.snort.org/.
>
> VU#139129 - Heap overflow in Snort "stream4" preprocessor
> (CAN-2003-0029)
>
> Researchers at CORE Security Technologies have discovered a remotely
> exploitable heap overflow in the Snort "stream4" preprocessor module.
> This module allows Snort to reassemble TCP packet fragments for
> further analysis.
>
> To exploit this vulnerability, an attacker must disrupt the state
> tracking mechanism of the preprocessor module by sending a series of
> packets with crafted sequence numbers. This causes the module to
> bypass a check for buffer overflow attempts and allows the attacker to
> insert arbitrary code into the heap.
>
> For additional information, please read the Core Security Technologies
> Advisory located at
>
> http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
>
> This vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior
> to RC1. Snort has published an advisory regarding this vulnerability;
> it is available at
>
> http://www.snort.org/advisories/snort-2003-04-16-1.txt.
>
> VU#916785 - Buffer overflow in Snort RPC preprocessor (CAN-2003-0033)
>
> Researchers at Internet Security Systems (ISS) have discovered a
> remotely exploitable buffer overflow in the Snort RPC preprocessor
> module. Martin Roesch, primary developer for Snort, described the
> vulnerability as follows:
>
> When the RPC decoder normalizes fragmented RPC records, it
> incorrectly checks the lengths of what is being normalized against
> the current packet size, leading to an overflow condition. The RPC
> preprocessor is enabled by default.
>
> For additional information, please read the ISS X-Force advisory
> located at
>
> http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951
>
> This vulnerability affects Snort versions 1.8.x through 1.9.1 and
> version 2.0 Beta.
>
> II. Impact
>
> Both VU#139129 and VU#916785 allow remote attackers to execute
> arbitrary code with the privileges of the user running Snort,
> typically root. In addition, it is not necessary for the attacker to
> know the IP address of the Snort device they wish to attack; merely
> sending malicious traffic where it can be observed by an affected
> Snort sensor is sufficient to exploit these vulnerabilities.
>
> III. Solution
>
> Upgrade to Snort 2.0
>
> Both VU#139129 and VU#916785 are addressed in Snort version 2.0, which
> is available at
>
> http://www.snort.org/dl/snort-2.0.0.tar.gz
>
> Binary-only versions of Snort are available from
>
> http://www.snort.org/dl/binaries
>
> For information from other vendors that ship affected versions of
> Snort, please see Appendix A of this document.
>
> Disable affected preprocessor modules
>
> Sites that are unable to immediately upgrade affected Snort sensors
> may prevent exploitation of this vulnerability by commenting out the
> affected preprocessor modules in the "snort.conf" configuration file.
>
> To prevent exploitation of VU#139129, comment out the following line:
>
> preprocessor stream4_reassemble
>
> To prevent exploitation of VU#916785, comment out the following line:
>
> preprocessor rpc_decode: 111 32771
>
> After commenting out the affected modules, send a SIGHUP signal to the
> affected Snort process to update the configuration. Note that
> disabling these modules may have adverse effects on a sensor's ability
> to correctly process RPC record fragments and TCP packet fragments. In
> particular, disabling the "stream4" preprocessor module will prevent
> the Snort sensor from detecting a variety of IDS evasion attacks.
>
> Block outbound packets from Snort IDS systems
>
> You may be able to limit an attacker's capabilities if the system is
> compromised by blocking all outbound traffic from the Snort sensor.
> While this workaround will not prevent exploitation of the
> vulnerability, it may make it more difficult for the attacker to
> create a useful exploit.
>
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. As vendors report new information to the CERT/CC, we will
> update this section and note the changes in our revision history. If a
> particular vendor is not listed below, we have not received their
> comments.
>
> Apple Computer, Inc.
>
> Snort is not shipped with Mac OS X or Mac OS X Server.
>
> Ingrian Networks
>
> Ingrian Networks products are not susceptible to VU#139129 and
> VU#916785 since they do not use Snort.
>
> Ingrian customers who are using the IDS Extender Service Engine to
> mirror cleartext data to a Snort-based IDS should upgrade their IDS
> software.
>
> NetBSD
>
> NetBSD does not include snort in the base system.
>
> Snort is available from the 3rd party software system, pkgsrc. Users
> who have installed net/snort, net/snort-mysql or net/snort-pgsql
> should update to a fixed version. pkgsrc/security/audit-packages can
> be used to keep up to date with these types of issues.
>
> Red Hat Inc.
>
> Not vulnerable. Red Hat does not ship Snort in any of our supported
> products.
>
> SGI
>
> SGI does not ship snort as part of IRIX.
>
> Snort
>
> Snort 2.0 has undergone an external third party professional security
> audit funded by Sourcefire.
> _________________________________________________________________
>
> The CERT/CC acknowledges Bruce Leidl, Juan Pablo Martinez Kuhn, and
> Alejandro David Weil of Core Security Technologies for their discovery
> of VU#139129. We also acknowledge Mark Dowd and Neel Mehta of ISS
> X-Force for their discovery of VU#916785.
> _________________________________________________________________
>
> Authors: Jeffrey P. Lanza and Cory F. Cohen.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2003-13.html
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: [EMAIL PROTECTED]
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to [EMAIL PROTECTED] Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2003 Carnegie Mellon University.
>
> Revision History
> April 17, 2003: Initial release
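The advisory's interim workaround (comment out the two affected preprocessor directives in snort.conf, then SIGHUP the sensor) as an added shell example; this is not code from the quoted advisory, CERT or the Snort project. The sample snort.conf fragment is constructed for the demonstration and the pid-file path in reload_snort is hypothetical.

```shell
#!/bin/sh
# Added example, not from CERT or the Snort project: audit a snort.conf for
# the two preprocessor directives named in CA-2003-13 and apply the
# advisory's interim workaround (comment them out, then SIGHUP the sensor).

# List active (uncommented) stream4_reassemble / rpc_decode directives.
# Exit status 0 if any are active, 1 if none (grep's own status).
find_affected_preprocessors() {
    grep -nE '^[[:space:]]*preprocessor[[:space:]]+(stream4_reassemble|rpc_decode)([[:space:]:]|$)' "$1"
}

# Comment out the affected directives, keeping the original as <conf>.bak.
# "preprocessor stream4: ..." is left alone: only stream4_reassemble is named.
disable_affected_preprocessors() {
    conf="$1"
    cp "$conf" "$conf.bak" || return 1
    sed -E 's/^([[:space:]]*)(preprocessor[[:space:]]+(stream4_reassemble|rpc_decode)([[:space:]:]|$))/\1# CA-2003-13 workaround: \2/' \
        "$conf.bak" > "$conf"
}

# Ask a running Snort to re-read its configuration, as the advisory says.
# The pid-file location is hypothetical and varies by installation.
reload_snort() {
    pidfile="${1:-/var/run/snort_eth0.pid}"
    kill -HUP "$(cat "$pidfile")"
}

# Constructed snort.conf fragment used for the demonstration below.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed snort.conf fragment (not a real sensor's config)
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor rpc_decode: 111 32771
preprocessor http_decode: 80 -unicode
EOF
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    echo "Active affected directives:"; find_affected_preprocessors "$tmp"
    disable_affected_preprocessors "$tmp"
    echo "After workaround:"; cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
fi
```

Run with `sh script.sh demo` to see the before/after on the constructed config; on a real sensor point the functions at the live snort.conf and follow with reload_snort.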