[Snort-sigs] Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability
jennifer.steffens at ...435...
Tue Oct 18 06:34:36 EDT 2005
Subject: Fix and Mitigation Available for Snort Vulnerability
The Sourcefire Vulnerability Research Team (VRT) has learned of a
vulnerability in Snort v2.4.0 and higher. Users are only vulnerable if
the Back Orifice preprocessor is enabled. Snort v2.4.3 has been released
to correct the issue and detailed instructions for mitigating the issue
by disabling the Back Orifice preprocessor are below.
In addition to fixing the vulnerability, this version includes a
mechanism to detect exploits against vulnerable sensors and, optionally
for inline sensors, drop the offending traffic. These features enable a
phased approach to upgrading while protecting unpatched sensors.
Detection capabilities are part of the new preprocessor and therefore
are available to all users regardless of subscription status.
In addition to the source tarball, postgres, mysql and plain RPMs and a
win32 installer are available at http://www.snort.org/dl. Please
remember that updated rules are only included in major releases. For
updated rules, visit http://www.snort.org/rules/.
The Back Orifice preprocessor can be disabled by commenting out the line
"preprocessor bo" in snort.conf. This can be done in any text editor
using the following procedure:
1. Locate the line "preprocessor bo"
2. Comment out this line by preceding it with a hash (#). The new line
will look like "#preprocessor bo"
3. Save the file
4. Restart snort
On Thursday, October 13th Sourcefire was contacted by USCERT with news
of a vulnerability in Snort. We used the subsequent days to verify the
vulnerability and to prepare mitigation strategies and the software
updates necessary to fix the vulnerability for both Sourcefire customers
and Snort users. While it cannot be said that no other problems will
ever be found in the Snort code base, we can state that we will redouble
our efforts to ensure the security of the system so many people have
come to rely on for the detection of network-based threats. Sourcefire
will also continue to work with the most sophisticated testing
facilities in the industry to assure that every reasonable step is being
taken to provide the most secure code base possible.
The Back Orifice preprocessor contains a stack-based buffer overflow.
This vulnerability could be leveraged by an attacker to execute code
remotely on a Snort sensor where the Back Orifice preprocessor is
enabled. However, there are a number of factors that make remote code
execution difficult to achieve across different builds of Snort on
different platforms, even on the same platform with different compiler
versions, and it is more likely that an attacker could use the
vulnerability as a denial of service attack.
If you have any questions, please let us know at snort-team at ...435...
Jennifer S. Steffens
Director, Snort Product Management | Sourcefire, Inc.
W: 410.423.1930 | C: 202.409.7707
www.sourcefire.com | www.snort.org
More information about the Snort-sigs