[Snort-users] Sourcefire Advisory: Vulnerability in Snort DCE/RPC Preprocessor
snortreleases at ...950...
Mon Feb 19 13:16:54 EST 2007
February 19, 2007
Sourcefire has learned of a remotely exploitable vulnerability in the
Snort DCE/RPC preprocessor. This preprocessor is vulnerable to a
stack-based buffer overflow that could potentially allow attackers to
execute code with the same privileges as the Snort binary. Sourcefire
has prepared updates for Snort open-source software to address this issue.
This vulnerability has been identified as CVE-2006-5276.
Snort Versions Affected:
* Snort 2.6.1, 188.8.131.52, and 184.108.40.206
* Snort 2.7.0 beta 1
This vulnerability also affects Sourcefire commercial products. For
information and updates for Sourcefire products, please go to the
Sourcefire support site.
Users who have disabled the DCE/RPC preprocessor are not vulnerable.
However, the DCE/RPC preprocessor is enabled by default.
* Open-source Snort 2.6.1.x users are advised to upgrade to Snort
220.127.116.11 (or later) immediately.
* Open-source Snort 2.7 beta users are advised to mitigate this issue by
disabling the DCE/RPC preprocessor.
This issue will be resolved in Snort 2.7 beta 2.
Snort users who cannot upgrade immediately are advised to disable the
DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives
from snort.conf and restarting Snort. However, be advised that disabling
the DCE/RPC preprocessor reduces detection capabilities for attacks in
DCE/RPC traffic. After upgrading, customers should reenable the DCE/RPC
Detecting Attacks Against This Vulnerability:
Sourcefire will be releasing a rule pack that provides detection for
attacks against this vulnerability.
What does the update do?
- Snort 18.104.22.168 (or later) removes the vulnerability by correcting the
buffer overflow condition in the DCE/RPC preprocessor.
Has Sourcefire received any reports that this vulnerability has been
- No. Sourcefire has not received any reports that this vulnerability
has been exploited.
Sourcefire would like to thank Neel Mehta from IBM X-Force for reporting
this issue and working with us to resolve it.
More information about the Snort-users