[Snort-users] Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability

Ron Jenkins rjenkins at ...12829...
Tue Oct 18 15:36:07 EDT 2005


I see it too.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jennifer Steffens
Sent: Tuesday, October 18, 2005 5:31 PM
To: Sam Evans
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability

Sam,

Can you try refreshing the page? The 2.4.3 version is there for me. The 
actual link is http://www.snort.org/dl/current/snort-2.4.3.tar.gz.

Thanks,
Jennifer

Sam Evans wrote:
> Jennifer,
>  
> I might be missing something, but when I click the
> http://www.snort.org/dl/ link all I see is the 2.4.2 version, not the
> 2.4.3.
>  
> Thanks,
> Sam
> 
> 
>  
> On 10/18/05, *Jennifer Steffens* <jennifer.steffens at ...1935... 
> <mailto:jennifer.steffens at ...1935...>> wrote:
> 
>     Subject: Fix and Mitigation Available for Snort Vulnerability
> 
>     The Sourcefire Vulnerability Research Team (VRT) has learned of a
>     vulnerability in Snort v2.4.0 and higher. Users are only vulnerable if
>     the Back Orifice preprocessor is enabled. Snort v2.4.3 has been released
>     to correct the issue and detailed instructions for mitigating the issue
>     by disabling the Back Orifice preprocessor are below.
> 
> 
>     Snort v2.4.3
> 
>     In addition to fixing the vulnerability, this version includes a
>     mechanism to detect exploits against vulnerable sensors and, optionally
>     for inline sensors, drop the offending traffic. These features enable a
>     phased approach to upgrading while protecting unpatched sensors.
>     Detection capabilities are part of the new preprocessor and therefore
>     are available to all users regardless of subscription status.
> 
>     In addition to the source tarball, postgres, mysql and plain RPMs and a
>     win32 installer are available at http://www.snort.org/dl. Please
>     remember that updated rules are only included in major releases. For
>     updated rules, visit http://www.snort.org/rules/.
> 
> 
>     Mitigation Instructions:
> 
>     The Back Orifice preprocessor can be disabled by commenting out the line
>     "preprocessor bo" in snort.conf. This can be done in any text editor
>     using the following procedure:
> 
>     1. Locate the line "preprocessor bo"
>     2. Comment out this line by preceding it with a hash (#). The new line
>     will look like "#preprocessor bo"
>     3. Save the file
>     4. Restart snort
> 
> 
>     Background:
> 
>     On Thursday, October 13th Sourcefire was contacted by USCERT with news
>     of a vulnerability in Snort. We used the subsequent days to verify the
>     vulnerability and to prepare mitigation strategies and the software
>     updates necessary to fix the vulnerability for both Sourcefire customers
>     and Snort users. While it cannot be said that no other problems will
>     ever be found in the Snort code base, we can state that we will redouble
>     our efforts to ensure the security of the system so many people have
>     come to rely on for the detection of network-based threats. Sourcefire
>     will also continue to work with the most sophisticated testing
>     facilities in the industry to assure that every reasonable step is being
>     taken to provide the most secure code base possible.
> 
> 
>     Technical Details:
>     The Back Orifice preprocessor contains a stack-based buffer overflow.
>     This vulnerability could be leveraged by an attacker to execute code
>     remotely on a Snort sensor where the Back Orifice preprocessor is
>     enabled.  However, there are a number of factors that make remote code
>     execution difficult to achieve across different builds of Snort on
>     different platforms, even on the same platform with different compiler
>     versions, and it is more likely that an attacker could use the
>     vulnerability as a denial of service attack.
> 
> 
>     If you have any questions, please let us know at
>     snort-team at ...1935... <mailto:snort-team at ...1935...>
> 
>     Thanks,
>     Jennifer
> 
> 
>     --
>     Jennifer S. Steffens
>     Director, Snort Product Management | Sourcefire, Inc.
>     W: 410.423.1930 | C: 202.409.7707
>     www.sourcefire.com <http://www.sourcefire.com> | www.snort.org
>     <http://www.snort.org>
> 
> 
>     -------------------------------------------------------
>     This SF.Net email is sponsored by:
>     Power Architecture Resource Center: Free content, downloads,
>     discussions,
>     and more. http://solutions.newsforge.com/ibmarch.tmpl
>     _______________________________________________
>     Snort-users mailing list
>     Snort-users at lists.sourceforge.net
>     <mailto:Snort-users at lists.sourceforge.net>
>     Go to this URL to change user options or unsubscribe:
>     https://lists.sourceforge.net/lists/listinfo/snort-users
>     <https://lists.sourceforge.net/lists/listinfo/snort-users>
>     Snort-users list archive:
>     http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
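
The four mitigation steps quoted above, as an added shell example that is not part of the original thread and not Sourcefire's own tooling: it locates active `preprocessor bo` lines, comments them out with a backup, and verifies that none remain. The sample configuration and the function names are constructed, and matching `bo` followed by a colon or options is an assumption beyond the bare line the advisory shows.

```shell
#!/bin/sh
# Added example: apply the advisory's mitigation steps to a snort.conf.
# Matching "bo:" / "bo <options>" forms is an assumption; the advisory only
# shows the bare line "preprocessor bo". Sample config below is constructed.
BO_RE='^[[:space:]]*preprocessor[[:space:]]+bo([[:space:]:]|$)'

# Step 1: list active (uncommented) Back Orifice preprocessor lines.
bo_active_lines() {
    grep -nE "$BO_RE" "$1"
}

# Steps 2-3: comment them out in place, keeping a backup as <file>.bak.
# Returns 0 if changed, 1 if nothing was active, 2 on error.
disable_bo() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    bo_active_lines "$conf" >/dev/null || return 1
    cp -p "$conf" "$conf.bak" || return 2
    tmp=$(mktemp) || return 2
    # Keep indentation; only the bo preprocessor line gets the hash.
    if sed -E 's/^([[:space:]]*)(preprocessor[[:space:]]+bo([[:space:]:]|$))/\1#\2/' \
        "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"    # rewrite in place, keeping owner and mode
        rm -f "$tmp"
    else
        rm -f "$tmp"; return 2
    fi
    # Verify: succeed only if no active line remains.
    ! bo_active_lines "$conf" >/dev/null
}

# Constructed sample: one active line, one already commented, one look-alike.
write_sample_conf() {
    cat > "$1" <<'EOF'
preprocessor stream4_reassemble
  preprocessor bo
# preprocessor bo
preprocessor bogus_example
EOF
}

demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
disable_bo "$demo_conf" && cat "$demo_conf"
echo "Step 4: restart snort so the change takes effect."
rm -f "$demo_conf" "$demo_conf.bak"
```

The script leaves step 4 to the operator because the restart command depends on how Snort is run on the sensor.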

