[Snort-users] FW: ISS Alert: Remote Denial of Service Vulnerability in Snort IDS

Ryan Hill rhill at ...2446...
Mon Jan 28 15:03:04 EST 2002


Marty, et al. - Has anyone else seen this and/or confirmed its validity?

Regards,

Ryan Hill, MCSE 
IT Ninja
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB


> -----Original Message-----
> From: Matt Fearnow [mailto:matt at ...2034...] 
> Sent: Monday, January 28, 2002 1:23 PM
> To: intrusions at ...2034...
> Subject: [Fwd: ISSalert: ISS Alert: Remote Denial of Service 
> Vulnerability in Snort IDS]
> 
> 
> I thought this was worthy to forward on to the list.
> 
> -----Forwarded Message-----
> 
> From: X-Force <xforce at ...4133...>
> To: alert at ...4133...
> Subject: ISSalert: ISS Alert: Remote Denial of Service 
> Vulnerability in Snort IDS
> Date: 28 Jan 2002 16:10:27 -0500
> 
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> Internet Security Systems Security Alert
> January 28, 2002
> 
> Remote Denial of Service Vulnerability in Snort IDS
> 
> Synopsis:
> 
> Internet Security Systems (ISS) X-Force is aware of a remote 
> Denial of service (DoS) vulnerability present in Marty 
> Roesch's Snort Intrusion Detection System (IDS). It may be 
> possible for remote attackers to send specially crafted ICMP 
> packets to the program, resulting in a segmentation fault 
> that would crash the Snort engine. This attack can be 
> launched from any routable address, and if launched 
> successfully against a Snort-protected network, all IDS 
> functionality may be disabled until Snort is manually restarted.
> 
> Affected Versions:
> 
> Marty Roesch Snort Version 1.8.3 and earlier for all 
> supported platforms
> 
> Description:
> 
> Snort is an open-source Intrusion Detection System designed 
> to be simple and lightweight.  Snort has packet logging, 
> protocol analysis, attack signature matching and recognition 
> capabilities and is maintained by Marty Roesch of Snort.org.
> 
> An exploit has been published that demonstrates a flaw in the 
> ICMP protocol handling functionality. Snort incorrectly 
> handles ICMP "Echo" and ICMP "Echo-Reply" packets that 
> contain less than 5 bytes of ICMP data. If Snort encounters 
> such a packet, it will crash and exit. Packets that are used 
> to exploit this vulnerability can be sent with the "ping" 
> command that is present on most operating systems.
> 
> This exploit technique has been publicly documented, and 
> attackers do not need to have access to the target network or 
> possess knowledge of its configuration.
> 
> Recommendations:
> 
> ISS X-Force recommends that all Snort users install the 
> vendor-supplied patch immediately or upgrade to the latest 
> version of Snort.
> 
> To apply a source code patch to your Snort package:
> 
> 1. Locate the "decode.h" file in your source distribution.
> 2. Enter the directory containing decode.h.
> 3. To update your decode.h file, create a file named "decode.diff",
>    containing the following text:
> - --- olddecode.h Thu Jan 10 15:47:48 2002
> +++ decode.h    Thu Jan 10 12:15:33 2002
> @@ -105,7 +105,7 @@
>  #define IP_HEADER_LEN           20
>  #define TCP_HEADER_LEN          20
>  #define UDP_HEADER_LEN          8
> - -#define ICMP_HEADER_LEN         8
> +#define ICMP_HEADER_LEN         4
> 
>  #define TH_FIN  0x01
>  #define TH_SYN  0x02
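Review bot: At `+#define ICMP_HEADER_LEN         4` the constant drops from 8 to 4 with no comment and no accompanying length check, so every site that compares a packet length against ICMP_HEADER_LEN now accepts packets that carry only type, code and checksum. Code that goes on to read the Echo/Echo-Reply identifier and sequence fields (bytes 4 to 7) needs its own check that those bytes are present; none is visible in this hunk, so confirm it in the decoder before relying on the change, and add a one-line comment saying what the 4 bytes cover. Separately, as quoted here the hunk carries PGP dash-escaping (`- ---`, `- -#define`); the leading `- ` has to be removed from those lines before the text is saved as decode.diff.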
> 4. Apply the source code update using the "patch" command, or a similar
>    utility.
> 5. Build new binaries and reinstall.
> 
> 
> To upgrade to the latest version of Snort:
> 
> Use a CVS client to access the Snort CVS server at 
> "cvs.snort.sourceforge.net" with the following command:
> 
> cvs -d:pserver:anonymous@cvs.snort.sourceforge.net:/cvsroot/snort login
> 
> Use a blank password when prompted.
> 
> cvs -z3 -d:pserver:anonymous@cvs.snort.sourceforge.net:/cvsroot/snort co snort
> 
> Snort's default configuration does not have the ability to 
> restart when it crashes. ISS X-Force advises all Snort users 
> to develop this functionality using freely available watchdog 
> process monitors, cronjobs, or shell scripts.
> 
> For more information about applying source code patches or 
> upgrading Snort, please refer to the "SNORT FAQ" document 
> available at: http://www.snort.org.
> 
> Additional Information:
> 
> ISS X-Force Database,
> http://xforce.iss.net/static/7874.php
> 
> Marty Roesch Snort,
> http://www.snort.org
> 
> Credits:
> 
> This vulnerability was discovered by Sinbad 
> <securitymail at ...786...>, and reported to the BugTraq mailing list.
> 
> ______
> 
> 
> About Internet Security Systems (ISS)
> Internet Security Systems is a leading global provider of 
> security management solutions for the Internet, protecting 
> digital assets and ensuring safe and uninterrupted 
> e-business.  With its industry-leading intrusion detection 
> and vulnerability assessment, remote managed security 
> services, and strategic consulting and education offerings, 
> ISS is a trusted security provider to more than 9,000 
> customers worldwide including 21 of the 25 largest U.S. 
> commercial banks, the top 10 U.S. telecommunications 
> companies, and all major branches of the U.S. Federal 
> Government.  Founded in 1994, ISS is headquartered in 
> Atlanta, GA, with additional offices throughout North America 
> and international operations in Asia, Australia, Europe, 
> Latin America and the Middle East.  For more information, 
> visit the Internet Security Systems web site at www.iss.net 
> or call 888-901-7477.
> 
> Copyright (c) 2002 Internet Security Systems, Inc. All rights 
> reserved worldwide.
> 
> Permission is hereby granted for the redistribution of this 
> Alert electronically. It is not to be edited in any way 
> without express consent of the X-Force. If you wish to 
> reprint the whole or any part of this Alert in any other 
> medium excluding electronic medium, please e-mail 
> xforce at ...4133... for permission.
> 
> Disclaimer
> 
> The information within this paper may change without notice. 
> Use of this information constitutes acceptance for use in an 
> AS IS condition. There are NO warranties with regard to this 
> information. In no event shall the author be liable for any 
> damages whatsoever arising out of or in connection with the 
> use or spread of this information. Any use of this 
> information is at the user's own risk.
> 
> X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
> as well as on MIT's PGP key server and PGP.com's key server.
> 
> Please send suggestions, updates, and comments to: X-Force 
> xforce at ...4133... of Internet Security Systems, Inc.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3a
> Charset: noconv
> 
> iQCVAwUBPFW8CTRfJiV99eG9AQGJYQP/WED3cUn9UvD9s+p/+gsLb2JK/m8W6vtm
> Oo0lzOgxi2OoMxBks297jBsYxpY4e9G4QlLrPNcKIq/WTB+ccOhjVvcxk3mgX8SR
> GIAwn/S1417I+aUV7xixhA5fKXR3uA1Ne4T7pa8/WJWsqFigKh4QTTwesrMrlTmJ
> A2yMcndSamg=
> =b2Gw
> -----END PGP SIGNATURE-----
> 
> 
> 
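The restart functionality the alert recommends, sketched as an added example (not part of the original messages or of the Snort distribution): one watchdog pass intended to be run from cron. The pid file path, log path and start command are assumptions to adjust for the local install.

```shell
#!/bin/sh
# Added example: cron-driven watchdog for an IDS sensor process.
# All three defaults below are assumptions, not values from the alert.
PIDFILE="${PIDFILE:-/var/run/snort_eth0.pid}"
LOGFILE="${LOGFILE:-/var/log/snort-watchdog.log}"
START_CMD="${START_CMD:-/usr/local/bin/snort -D -c /etc/snort/snort.conf}"

# Return 0 only if the pid file names a process that is still alive.
# Run as root so that kill -0 is not refused for permission reasons.
is_alive() {
    [ -r "$1" ] || return 1
    pid=$(cat "$1" 2>/dev/null)
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: stale file
    esac
    kill -0 "$pid" 2>/dev/null
}

stamp() { date '+%Y-%m-%d %H:%M:%S'; }

# One pass. Returns 0 = already running, 1 = restarted, 2 = restart failed.
# Every restart is logged: repeated entries mean the sensor keeps dying,
# which is itself worth alerting on.
watchdog_once() {
    if is_alive "$PIDFILE"; then
        return 0
    fi
    echo "$(stamp) sensor not running, restarting" >> "$LOGFILE"
    rm -f "$PIDFILE"               # drop the stale pid file before starting
    if sh -c "$START_CMD" >> "$LOGFILE" 2>&1; then
        return 1
    fi
    echo "$(stamp) restart FAILED" >> "$LOGFILE"
    return 2
}

# Run a pass only when invoked with --run, e.g. from a crontab entry:
#   * * * * * /usr/local/sbin/snort-watchdog.sh --run
if [ "${1:-}" = "--run" ]; then
    watchdog_once
    exit $?
fi
```

A one-minute cron interval bounds the monitoring gap after a crash to about a minute; the log of restarts gives the operator a record of each outage.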



