[Snort-users] Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability
rjenkins at ...12829...
Tue Oct 18 15:36:07 EDT 2005
I see it too.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jennifer
Sent: Tuesday, October 18, 2005 5:31 PM
To: Sam Evans
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Fixes and Mitigation Instructions Available
for Snort Back Orifice Vulnerability
Can you try refreshing the page? The 2.4.3 version is there for me. The
actual link is http://www.snort.org/dl/current/snort-2.4.3.tar.gz.
Sam Evans wrote:
> I might be missing something, but when I click the
> http://www.snort.org/dl/ link all I see is the 2.4.2 version, not the
> On 10/18/05, *Jennifer Steffens* <jennifer.steffens at ...1935...
> <mailto:jennifer.steffens at ...1935...>> wrote:
> Subject: Fix and Mitigation Available for Snort Vulnerability
> The Sourcefire Vulnerability Research Team (VRT) has learned of a
> vulnerability in Snort v2.4.0 and higher. Users are only
> the Back Orifice preprocessor is enabled. Snort v2.4.3 has been
> to correct the issue and detailed instructions for mitigating the
> by disabling the Back Orifice preprocessor are below.
> Snort v2.4.3
> In addition to fixing the vulnerability, this version includes a
> mechanism to detect exploits against vulnerable sensors and,
> for inline sensors, drop the offending traffic. These features
> phased approach to upgrading while protecting unpatched sensors.
> Detection capabilities are part of the new preprocessor and
> are available to all users regardless of subscription status.
> In addition to the source tarball, postgres, mysql and plain RPMs
> win32 installer are available at http://www.snort.org/dl. Please
> remember that updated rules are only included in major releases.
> updated rules, visit http://www.snort.org/rules/.
> Mitigation Instructions:
> The Back Orifice preprocessor can be disabled by commenting out
> "preprocessor bo" in snort.conf. This can be done in any text
> using the following procedure:
> 1. Locate the line "preprocessor bo"
> 2. Comment out this line by preceding it with a hash (#). The new
> will look like "#preprocessor bo"
> 3. Save the file
> 4. Restart snort
> On Thursday, October 13th Sourcefire was contacted by USCERT with
> of a vulnerability in Snort. We used the subsequent days to verify
> vulnerability and to prepare mitigation strategies and the
> updates necessary to fix the vulnerability for both Sourcefire
> and Snort users. While it cannot be said that no other problems
> ever be found in the Snort code base, we can state that we will
> our efforts to ensure the security of the system so many people
> come to rely on for the detection of network-based threats.
> will also continue to work with the most sophisticated testing
> facilities in the industry to assure that every reasonable step is
> taken to provide the most secure code base possible.
> Technical Details:
> The Back Orifice preprocessor contains a stack-based buffer
> This vulnerability could be leveraged by an attacker to execute
> remotely on a Snort sensor where the Back Orifice preprocessor is
> enabled. However, there are a number of factors that make remote
> execution difficult to achieve across different builds of Snort on
> different platforms, even on the same platform with different
> versions, and it is more likely that an attacker could use the
> vulnerability as a denial of service attack.
> If you have any questions, please let us know at
> snort-team at ...1935... <mailto:snort-team at ...1935...>
> Jennifer S. Steffens
> Director, Snort Product Management | Sourcefire, Inc.
> W: 410.423.1930 | C: 202.409.7707
> www.sourcefire.com <http://www.sourcefire.com> | www.snort.org
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> <mailto:Snort-users at lists.sourceforge.net>
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
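The mitigation steps quoted in the advisory above (comment out "preprocessor bo" in snort.conf) can be applied and checked with a short script. This is an added shell example, not part of the original thread and not Sourcefire's own tooling. The function names, the sample file and the placeholder option and preprocessor names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and apply the "comment out preprocessor bo" mitigation.
# An active directive is: optional indent, "preprocessor", whitespace, "bo",
# then end of line, whitespace, or ":" introducing options. Lines that are
# already commented and other preprocessors do not match.
BO_RE='^[[:space:]]*preprocessor[[:space:]]+bo([[:space:]:]|$)'

# bo_enabled FILE -> exit 0 if FILE has an active "preprocessor bo" line
bo_enabled() {
    grep -Eq "$BO_RE" "$1"
}

# disable_bo FILE -> comment out active lines, keeping FILE.bak as a backup
disable_bo() {
    conf=$1
    bo_enabled "$conf" || return 0      # already mitigated, nothing to do
    cp -p "$conf" "$conf.bak" || return 1
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    # Prefix only the matching lines with '#'; everything else is untouched
    sed -E "/$BO_RE/s/^/#/" "$conf.bak" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are preserved
    cat "$tmp" > "$conf" || return 1
    rm -f "$tmp"
    ! bo_enabled "$conf"                # succeed only if the mitigation holds
}

# write_sample_conf FILE -> constructed snort.conf fragment for testing
# (placeholder_option and bogus_example are made-up names)
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
preprocessor stream4_reassemble
  preprocessor bo
#preprocessor bo
preprocessor bo: placeholder_option
preprocessor bogus_example
EOF
}

# Usage: script.sh /path/to/snort.conf ...   (step 4, restarting snort, is
# left to the operator because the service name differs between installs)
for f in "$@"; do
    if disable_bo "$f"; then echo "ok: $f"; else echo "FAILED: $f" >&2; fi
done
```
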