ISS reports Snort vulnerability
- 05 March, 2003 12:06
A software vulnerability in the widely used Snort open-source intrusion detection system (IDS) software could allow an attacker to crash the Snort sensor or gain control of the host device on which the sensor runs.
Snort serves as the basis for commercial IDS products such as those produced by Sourcefire and can be used to detect a wide range of network attacks and probes, such as attempted buffer overflows and port scans.
A buffer overflow vulnerability was found in code used by Snort to detect an attack technique called RPC (remote procedure call) fragmentation. This can be used to evade intrusion detection systems, according to an advisory reported by security vendor, Internet Security Systems (ISS).
RPC is a protocol that one software program can use to request a service from a program located in another computer in a network.
Snort does not properly check the size of the RPC fragments it is processing against the available space in the pre-processing buffer. Sending data to the buffer in excess of its capacity causes the buffer to overflow.
Buffer overflows might cause the Snort sensor to crash or enable an attacker to place and execute malicious code on the compromised host, ISS said.
To exploit the vulnerability, attackers would need to craft RPC traffic to specifically exploit the buffer overflow. Attackers would not, however, need to know the address of the Snort sensor they are targeting.
Simply sending exploit packets to a network that was protected by a Snort sensor was sufficient to launch an attack, ISS said.
Because Snort sensors and other IDS products typically guard against intrusion into critical networks, the compromise of a Snort sensor could lead to highly sensitive network traffic being accessible to remote attackers.
That traffic could, in turn, yield information needed to compromise internal network resources, ISS said.
All versions of Snort since version 1.8, released in July 2001, were affected by the RPC vulnerability, ISS said.
A new version of the Snort software that fixes the RPC vulnerability, version 1.9.1, is now available on the Snort Web page.
ISS recommended that Snort users consulted the Snort Web page at http://www.snort.org and upgraded their source implementation using patches or software upgrades available there.
Users who were unable to upgrade their Snort installation should disable the RPC preprocessor until they could upgrade, ISS said.