[Snort-users] Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability

Sam Evans wintrmte at ...11827...
Tue Oct 18 14:55:47 EDT 2005

 I might be missing something, but when I click the
http://www.snort.org/dl/link all I see is the
2.4.2 version, not the 2.4.3.

 On 10/18/05, Jennifer Steffens <jennifer.steffens at ...1935...> wrote:
> Subject: Fix and Mitigation Available for Snort Vulnerability
> The Sourcefire Vulnerability Research Team (VRT) has learned of a
> vulnerability in Snort v2.4.0 and higher. Users are only vulnerable if
> the Back Orifice preprocessor is enabled. Snort v2.4.3 has been released
> to correct the issue and detailed instructions for mitigating the issue
> by disabling the Back Orifice preprocessor are below.
> Snort v2.4.3
> In addition to fixing the vulnerability, this version includes a
> mechanism to detect exploits against vulnerable sensors and, optionally
> for inline sensors, drop the offending traffic. These features enable a
> phased approach to upgrading while protecting unpatched sensors.
> Detection capabilities are part of the new preprocessor and therefore
> are available to all users regardless of subscription status.
> In addition to the source tarball, postgres, mysql and plain RPMs and a
> win32 installer are available at http://www.snort.org/dl. Please
> remember that updated rules are only included in major releases. For
> updated rules, visit http://www.snort.org/rules/.
> Mitigation Instructions:
> The Back Orifice preprocessor can be disabled by commenting out the line
> "preprocessor bo" in snort.conf. This can be done in any text editor
> using the following procedure:
> 1. Locate the line "preprocessor bo"
> 2. Comment out this line by preceding it with a hash (#). The new line
> will look like "#preprocessor bo"
> 3. Save the file
> 4. Restart snort
> Background:
> On Thursday, October 13th Sourcefire was contacted by USCERT with news
> of a vulnerability in Snort. We used the subsequent days to verify the
> vulnerability and to prepare mitigation strategies and the software
> updates necessary to fix the vulnerability for both Sourcefire customers
> and Snort users. While it cannot be said that no other problems will
> ever be found in the Snort code base, we can state that we will redouble
> our efforts to ensure the security of the system so many people have
> come to rely on for the detection of network-based threats. Sourcefire
> will also continue to work with the most sophisticated testing
> facilities in the industry to assure that every reasonable step is being
> taken to provide the most secure code base possible.
> Technical Details:
> The Back Orifice preprocessor contains a stack-based buffer overflow.
> This vulnerability could be leveraged by an attacker to execute code
> remotely on a Snort sensor where the Back Orifice preprocessor is
> enabled. However, there are a number of factors that make remote code
> execution difficult to achieve across different builds of Snort on
> different platforms, even on the same platform with different compiler
> versions, and it is more likely that an attacker could use the
> vulnerability as a denial of service attack.
> If you have any questions, please let us know at snort-team at ...1935...
> Thanks,
> Jennifer
> --
> Jennifer S. Steffens
> Director, Snort Product Management | Sourcefire, Inc.
> W: 410.423.1930 | C: 202.409.7707
> www.sourcefire.com <http://www.sourcefire.com> | www.snort.org<http://www.snort.org>
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads, discussions,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20051018/76356eff/attachment.html>

More information about the Snort-users mailing list