[Snort-users] Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability

Jennifer Steffens jennifer.steffens at ...1935...
Tue Oct 18 06:33:26 EDT 2005

Subject: Fix and Mitigation Available for Snort Vulnerability

The Sourcefire Vulnerability Research Team (VRT) has learned of a 
vulnerability in Snort v2.4.0 and higher. Users are only vulnerable if 
the Back Orifice preprocessor is enabled. Snort v2.4.3 has been released 
to correct the issue and detailed instructions for mitigating the issue 
by disabling the Back Orifice preprocessor are below.

Snort v2.4.3

In addition to fixing the vulnerability, this version includes a 
mechanism to detect exploits against vulnerable sensors and, optionally 
for inline sensors, drop the offending traffic. These features enable a 
phased approach to upgrading while protecting unpatched sensors. 
Detection capabilities are part of the new preprocessor and therefore 
are available to all users regardless of subscription status.

In addition to the source tarball, postgres, mysql and plain RPMs and a 
win32 installer are available at http://www.snort.org/dl. Please 
remember that updated rules are only included in major releases. For 
updated rules, visit http://www.snort.org/rules/.

Mitigation Instructions:

The Back Orifice preprocessor can be disabled by commenting out the line 
"preprocessor bo" in snort.conf. This can be done in any text editor 
using the following procedure:

1. Locate the line "preprocessor bo"
2. Comment out this line by preceding it with a hash (#). The new line 
will look like "#preprocessor bo"
3. Save the file
4. Restart snort


On Thursday, October 13th Sourcefire was contacted by USCERT with news 
of a vulnerability in Snort. We used the subsequent days to verify the 
vulnerability and to prepare mitigation strategies and the software 
updates necessary to fix the vulnerability for both Sourcefire customers 
and Snort users. While it cannot be said that no other problems will 
ever be found in the Snort code base, we can state that we will redouble 
our efforts to ensure the security of the system so many people have 
come to rely on for the detection of network-based threats. Sourcefire 
will also continue to work with the most sophisticated testing 
facilities in the industry to assure that every reasonable step is being 
taken to provide the most secure code base possible.

Technical Details:
The Back Orifice preprocessor contains a stack-based buffer overflow. 
This vulnerability could be leveraged by an attacker to execute code 
remotely on a Snort sensor where the Back Orifice preprocessor is 
enabled.  However, there are a number of factors that make remote code 
execution difficult to achieve across different builds of Snort on 
different platforms, even on the same platform with different compiler 
versions, and it is more likely that an attacker could use the 
vulnerability as a denial of service attack.

If you have any questions, please let us know at snort-team at ...1935...


Jennifer S. Steffens
Director, Snort Product Management | Sourcefire, Inc.
W: 410.423.1930 | C: 202.409.7707
www.sourcefire.com | www.snort.org

More information about the Snort-users mailing list