[Snort-users] FW: ISS Alert: Remote Denial of Service Vulnerability in Snort IDS
rhill at ...2446...
Mon Jan 28 15:03:04 EST 2002
Marty, et al. - Has anyone else seen this and/or confirmed its validity?
Ryan Hill, MCSE
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
> -----Original Message-----
> From: Matt Fearnow [mailto:matt at ...2034...]
> Sent: Monday, January 28, 2002 1:23 PM
> To: intrusions at ...2034...
> Subject: [Fwd: ISSalert: ISS Alert: Remote Denial of Service
> Vulnerability in Snort IDS]
> I thought this was worthy to forward on to the list.
> -----Forwarded Message-----
> From: X-Force <xforce at ...4133...>
> To: alert at ...4133...
> Subject: ISSalert: ISS Alert: Remote Denial of Service
> Vulnerability in Snort IDS
> Date: 28 Jan 2002 16:10:27 -0500
> TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your
> message to majordomo at ...4133... Contact alert-owner at ...4133... for
> help with any problems!
> -----BEGIN PGP SIGNED MESSAGE-----
> Internet Security Systems Security Alert
> January 28, 2002
> Remote Denial of Service Vulnerability in Snort IDS
> Internet Security Systems (ISS) X-Force is aware of a remote
> denial of service (DoS) vulnerability present in Marty
> Roesch's Snort Intrusion Detection System (IDS). It may be
> possible for remote attackers to send specially crafted ICMP
> packets to the program, resulting in a segmentation fault
> that would crash the Snort engine. This attack can be
> launched from any routable address, and if launched
> successfully against a Snort-protected network, all IDS
> functionality may be disabled until Snort is manually restarted.
> Affected Versions:
> Marty Roesch Snort Version 1.8.3 and earlier for all
> supported platforms
> Snort is an open-source Intrusion Detection System designed
> to be simple and lightweight. Snort has packet logging,
> protocol analysis, attack signature matching and recognition
> capabilities and is maintained by Marty Roesch of Snort.org.
> An exploit has been published that demonstrates a flaw in the
> ICMP protocol handling functionality. Snort incorrectly
> handles ICMP "Echo" and ICMP "Echo-Reply" packets that
> contain less than 5 bytes of ICMP data. If Snort encounters
> such a packet, it will crash and exit. Packets that are used
> to exploit this vulnerability can be sent with the "ping"
> command that is present on most operating systems.
> This exploit technique has been publicly documented, and
> attackers do not need to have access to the target network or
> possess knowledge of its configuration.
> ISS X-Force recommends that all Snort users install the
> vendor-supplied patch immediately or upgrade to the latest
> version of Snort.
> To apply a source code patch to your Snort package:
> 1. Locate the "decode.h" file in your source distribution.
> 2. Enter the directory containing decode.h.
> 3. To update your decode.h file, create a file named "decode.diff",
> containing the following text:
> - --- olddecode.h Thu Jan 10 15:47:48 2002
> +++ decode.h Thu Jan 10 12:15:33 2002
> @@ -105,7 +105,7 @@
> #define IP_HEADER_LEN 20
> #define TCP_HEADER_LEN 20
> #define UDP_HEADER_LEN 8
> - -#define ICMP_HEADER_LEN 8
> +#define ICMP_HEADER_LEN 4
> #define TH_FIN 0x01
> #define TH_SYN 0x02
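Review bot: The one-line change at `#define ICMP_HEADER_LEN` (8 to 4) carries no comment explaining why 4 is the right minimum, and it alters a shared constant, so every site that uses ICMP_HEADER_LEN changes behaviour while the hunk touches none of them. Suggest adding a comment that 4 covers only the type, code and checksum fields, and confirming that any code reading the echo identifier and sequence fields at bytes 4 to 7 tests the captured length itself. Separately, the `- ---` and `- -#define` lines are dash-escaped by the PGP clear-signing, so the leading "- " has to be stripped before the text is saved as decode.diff.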
> 4. Apply the source code update using the "patch" command, or
> a similar
> 5. Build new binaries and reinstall.
> To upgrade to the latest version of Snort:
> Use a CVS client to access the Snort CVS server at
> "cvs.snort.sourceforge.net" with the following command:
> cvs -d:pserver:anonymous@cvs.snort.sourceforge.net:/cvsroot/snort login
> Use a blank password when prompted.
> cvs -z3 -d:pserver:anonymous@cvs.snort.sourceforge.net:/cvsroot/snort co snort
> Snort's default configuration does not have the ability to
> restart when it crashes. ISS X-Force advises all Snort users
> to develop this functionality using freely available watchdog
> process monitors, cronjobs, or shell scripts.
> For more information about applying source code patches or
> upgrading Snort, please refer to the "SNORT FAQ" document
> available at: http://www.snort.org.
> Additional Information:
> ISS X-Force Database,
> Marty Roesch Snort,
> This vulnerability was discovered by Sinbad
> <securitymail at ...786...>, and reported to the BugTraq mailing list.
> About Internet Security Systems (ISS)
> Internet Security Systems is a leading global provider of
> security management solutions for the Internet, protecting
> digital assets and ensuring safe and uninterrupted
> e-business. With its industry-leading intrusion detection
> and vulnerability assessment, remote managed security
> services, and strategic consulting and education offerings,
> ISS is a trusted security provider to more than 9,000
> customers worldwide including 21 of the 25 largest U.S.
> commercial banks, the top 10 U.S. telecommunications
> companies, and all major branches of the U.S. Federal
> Government. Founded in 1994, ISS is headquartered in
> Atlanta, GA, with additional offices throughout North America
> and international operations in Asia, Australia, Europe,
> Latin America and the Middle East. For more information,
> visit the Internet Security Systems web site at www.iss.net
> or call 888-901-7477.
> Copyright (c) 2002 Internet Security Systems, Inc. All rights
> reserved worldwide.
> Permission is hereby granted for the redistribution of this
> Alert electronically. It is not to be edited in any way
> without express consent of the X-Force. If you wish to
> reprint the whole or any part of this Alert in any other
> medium excluding electronic medium, please e-mail
> xforce at ...4133... for permission.
> The information within this paper may change without notice.
> Use of this information constitutes acceptance for use in an
> AS IS condition. There are NO warranties with regard to this
> information. In no event shall the author be liable for any
> damages whatsoever arising out of or in connection with the
> use or spread of this information. Any use of this
> information is at the user's own risk.
> X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
> as well as on MIT's PGP key server and PGP.com's key server.
> Please send suggestions, updates, and comments to: X-Force
> xforce at ...4133... of Internet Security Systems, Inc.
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3a
> Charset: noconv
> -----END PGP SIGNATURE-----
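The alert above describes a decoder crashing on ICMP Echo and Echo-Reply packets that are shorter than expected. As an added example (not part of the alert and not Snort's code; all names and the sample packets are hypothetical), this sketch shows a decoder that checks the captured length before each group of fields is read and reports a truncated echo instead of dereferencing past the buffer:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical names throughout; this is not Snort's decoder. */
#define ICMP_FIXED_LEN 4   /* type, code, checksum */
#define ICMP_ECHO_LEN  8   /* fixed part + identifier + sequence */
#define ICMP_ECHOREPLY 0
#define ICMP_ECHO      8
enum { DECODE_TOO_SHORT = -1, DECODE_OK = 0, DECODE_TRUNCATED_ECHO = 1 };
typedef struct {
    uint8_t  type, code;
    uint16_t csum, id, seq;
    int      has_echo;      /* 1 only when id and seq were actually read */
    size_t   payload_len;   /* bytes following the decoded header fields */
} icmp_info;
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Each read is guarded by a captured-length check, so nothing is read past caplen. */
int decode_icmp(const uint8_t *pkt, size_t caplen, icmp_info *out)
{
    size_t hdr = ICMP_FIXED_LEN;
    if (pkt == NULL || out == NULL || caplen < ICMP_FIXED_LEN)
        return DECODE_TOO_SHORT;
    *out = (icmp_info){0};
    out->type = pkt[0];
    out->code = pkt[1];
    out->csum = be16(pkt + 2);
    if (out->type == ICMP_ECHO || out->type == ICMP_ECHOREPLY) {
        if (caplen < ICMP_ECHO_LEN)
            return DECODE_TRUNCATED_ECHO;   /* flag it; id/seq stay unread */
        out->id = be16(pkt + 4);
        out->seq = be16(pkt + 6);
        out->has_echo = 1;
        hdr = ICMP_ECHO_LEN;
    }
    out->payload_len = caplen - hdr;        /* caplen >= hdr, cannot wrap */
    return DECODE_OK;
}

/* Constructed sample packets (ICMP portion only), not captured traffic. */
static const uint8_t full_echo[]  = {8, 0, 0xf7, 0xff, 0x12, 0x34, 0x00, 0x01, 'a', 'b', 'c', 'd'};
static const uint8_t short_echo[] = {8, 0, 0xf7, 0xff, 0x12, 0x34};

int main(void)
{
    icmp_info i;
    printf("full=%d short=%d\n", decode_icmp(full_echo, sizeof full_echo, &i),
           decode_icmp(short_echo, sizeof short_echo, &i));
    return 0;
}
```

A sensor would treat DECODE_TRUNCATED_ECHO as an event worth logging rather than a reason to drop the packet silently.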