[Snort-users] Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability

Jennifer Steffens jennifer.steffens at ...1935...
Tue Oct 18 15:32:43 EDT 2005


Can you try refreshing the page? The 2.4.3 version is there for me. The 
actual link is http://www.snort.org/dl/current/snort-2.4.3.tar.gz.


Sam Evans wrote:
> Jennifer,
> I might be missing something, but when I click the 
> http://www.snort.org/dl/ link all I see is the 2.4.2 version, not the 2.4.3.
> Thanks,
> Sam
> On 10/18/05, *Jennifer Steffens* <jennifer.steffens at ...1935...> wrote:
>     Subject: Fix and Mitigation Available for Snort Vulnerability
>     The Sourcefire Vulnerability Research Team (VRT) has learned of a
>     vulnerability in Snort v2.4.0 and higher. Users are only vulnerable if
>     the Back Orifice preprocessor is enabled. Snort v2.4.3 has been released
>     to correct the issue and detailed instructions for mitigating the issue
>     by disabling the Back Orifice preprocessor are below.
>     Snort v2.4.3
>     In addition to fixing the vulnerability, this version includes a
>     mechanism to detect exploits against vulnerable sensors and, optionally
>     for inline sensors, drop the offending traffic. These features enable a
>     phased approach to upgrading while protecting unpatched sensors.
>     Detection capabilities are part of the new preprocessor and therefore
>     are available to all users regardless of subscription status.
>     In addition to the source tarball, postgres, mysql and plain RPMs and a
>     win32 installer are available at http://www.snort.org/dl. Please
>     remember that updated rules are only included in major releases. For
>     updated rules, visit http://www.snort.org/rules/.
>     Mitigation Instructions:
>     The Back Orifice preprocessor can be disabled by commenting out the line
>     "preprocessor bo" in snort.conf. This can be done in any text editor
>     using the following procedure:
>     1. Locate the line "preprocessor bo"
>     2. Comment out this line by preceding it with a hash (#). The new line
>     will look like "#preprocessor bo"
>     3. Save the file
>     4. Restart snort
>     Background:
>     On Thursday, October 13th Sourcefire was contacted by USCERT with news
>     of a vulnerability in Snort. We used the subsequent days to verify the
>     vulnerability and to prepare mitigation strategies and the software
>     updates necessary to fix the vulnerability for both Sourcefire customers
>     and Snort users. While it cannot be said that no other problems will
>     ever be found in the Snort code base, we can state that we will redouble
>     our efforts to ensure the security of the system so many people have
>     come to rely on for the detection of network-based threats. Sourcefire
>     will also continue to work with the most sophisticated testing
>     facilities in the industry to assure that every reasonable step is being
>     taken to provide the most secure code base possible.
>     Technical Details:
>     The Back Orifice preprocessor contains a stack-based buffer overflow.
>     This vulnerability could be leveraged by an attacker to execute code
>     remotely on a Snort sensor where the Back Orifice preprocessor is
>     enabled.  However, there are a number of factors that make remote code
>     execution difficult to achieve across different builds of Snort on
>     different platforms, even on the same platform with different compiler
>     versions, and it is more likely that an attacker could use the
>     vulnerability as a denial of service attack.
>     If you have any questions, please let us know at
>     snort-team at ...1935...
>     Thanks,
>     Jennifer
>     --
>     Jennifer S. Steffens
>     Director, Snort Product Management | Sourcefire, Inc.
>     W: 410.423.1930 | C: 202.409.7707
>     www.sourcefire.com | www.snort.org

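The mitigation steps quoted in the advisory above, as a shell sketch added here (not part of the original posts or of Sourcefire's instructions): it checks whether `preprocessor bo` is still active in a given snort.conf, comments it out with a backup, and re-checks the result. The function names, the sample config and the handling of trailing options or comments on the line are assumptions; restarting snort (step 4) is left to the operator.

```shell
# Added example. bo_enabled, disable_bo and make_sample_conf are hypothetical names.
# Active "preprocessor bo" line: optional indent, optional ": options" or
# trailing "# comment" (assumed forms). Commented-out lines never match.
BO_RE='^[[:space:]]*preprocessor[[:space:]]+bo[[:space:]]*([#:].*)?$'

# bo_enabled FILE: exit 0 if the Back Orifice preprocessor is still active.
bo_enabled() {
    grep -Eq "$BO_RE" "$1"
}

# disable_bo FILE: steps 1-3 of the advisory, with a backup and a re-check.
disable_bo() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    if ! bo_enabled "$conf"; then
        echo "$conf: preprocessor bo is not active, nothing to do"
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 2
    # Rewrite from the backup so the original survives a failed edit.
    if ! sed -E "/$BO_RE/s/^/#/" "$conf.bak" > "$conf"; then
        cp -p "$conf.bak" "$conf"
        return 2
    fi
    if bo_enabled "$conf"; then
        echo "$conf: preprocessor bo is still active" >&2
        return 1
    fi
    echo "$conf: preprocessor bo commented out; restart snort (step 4)"
}

# make_sample_conf FILE: write a constructed snort.conf fragment for testing.
make_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
preprocessor stream4_reassemble
  preprocessor bo
#preprocessor bo
preprocessor bopper: constructed name that must not match
EOF
}
```

Running `bo_enabled` alone across a fleet's config files gives a quick list of sensors that still need either the mitigation or the 2.4.3 upgrade.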