Snort users should install the latest version of the IDS tool to fix a flaw that attackers could exploit to gain unauthorized network access, security firms warned Tuesday. Atlanta-based vendor Internet Security Systems' (ISS) X-Force uncovered the glitch and released details Tuesday in an
Since many other commercial IDS and IPS systems are based on Snort, ISS X-Force said there may be "many affected downstream vendors." A long list of those vendors appears in an advisory the United States Computer Emergency Readiness Team (US-CERT) issued Tuesday. They include 3Com Corp., Apple Computer Inc., IBM Corp., Juniper Networks Inc., Cisco Systems Inc. and Check Point Software Technologies Ltd., which announced plans earlier this month to buy Snort's distributor, Sourcefire Inc., for about $225 million in cash.
"Compromise of networks and machines using Snort may lead to exposure of confidential information, loss of productivity, and further network compromise," the advisory added. "Successful exploitation of these vulnerabilities could be used to gain unauthorized access to networks and machines."
Making matters worse, ISS X-Force said no authentication is necessary for attackers to exploit the flaw and compromise networks and machines. "Snort installations are vulnerable in their default configurations," the organization said. "It is not necessary to know the exact location of Snort sensors, but simply to attack a network which they may be listening on."
The vulnerability affects Snort 2.4.0, 2.4.1 and 2.4.2. Columbia, Md.-based Sourcefire Inc. said in an advisory that it has released version 2.4.3 to correct the problem. In addition, Sourcefire said, "detailed instructions for mitigating the issue by disabling the Back Orifice preprocessor are included [in its advisory]."
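The following is an added example, not part of the article or of Sourcefire's advisory: a small POSIX shell audit that turns the facts stated above into a check an administrator can run against a sensor. It encodes only what the article says (2.4.0, 2.4.1 and 2.4.2 are affected, 2.4.3 is fixed, and commenting out the Back Orifice preprocessor is the interim mitigation). The `snort -V` banner shape and the `preprocessor bo` line format in snort.conf are assumptions, and the demo config is constructed, not a real sensor's file.

```shell
#!/bin/sh
# Added example (not from the article or Sourcefire's advisory): audit a Snort
# sensor against the advisory's stated facts. Versions 2.4.0-2.4.2 are
# affected, 2.4.3 is fixed, and disabling the Back Orifice preprocessor is
# the interim mitigation.

# Returns 0 (true) when the given version string is one the advisory lists.
snort_affected() {
    case "$1" in
        2.4.0|2.4.1|2.4.2) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 (true) when the given snort.conf still has an active (uncommented)
# "preprocessor bo" line. Assumption: the line is "preprocessor bo", optionally
# followed by ": <options>". Lines starting with '#' are treated as disabled.
bo_preprocessor_enabled() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+bo([[:space:]]*:|[[:space:]]*$)' "$1"
}

# Pulls "2.4.2" out of banner text read on stdin. Assumed banner shape:
#   o"  )~   Version 2.4.2 (Build 26)
snort_version_from_banner() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Verdict for one sensor, given its version and its snort.conf path:
#   OK        - version not affected
#   UPGRADE   - affected version and BO preprocessor active: patch to 2.4.3
#   MITIGATED - affected version, BO preprocessor disabled (still upgrade)
audit_sensor() {
    version="$1"; conf="$2"
    if ! snort_affected "$version"; then
        echo OK
    elif bo_preprocessor_enabled "$conf"; then
        echo UPGRADE
    else
        echo MITIGATED
    fi
}

# Demonstration on constructed configs (run as: sh audit.sh --demo).
if [ "${1:-}" = "--demo" ]; then
    vulnerable=$(mktemp); mitigated=$(mktemp)
    printf 'preprocessor frag3_global\npreprocessor bo\n' > "$vulnerable"
    printf 'preprocessor frag3_global\n# preprocessor bo\n' > "$mitigated"
    echo "2.4.2, bo enabled:  $(audit_sensor 2.4.2 "$vulnerable")"
    echo "2.4.2, bo disabled: $(audit_sensor 2.4.2 "$mitigated")"
    echo "2.4.3, bo enabled:  $(audit_sensor 2.4.3 "$vulnerable")"
    rm -f "$vulnerable" "$mitigated"
fi
```

On a live sensor the version would come from `snort -V 2>&1 | snort_version_from_banner` and the config path from wherever the sensor loads snort.conf; MITIGATED is only a stopgap, since the advisory's fix is the upgrade to 2.4.3.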
The flaw has prompted the Bethesda, Md.-based SANS Internet Storm Center to raise its infocon status to yellow. The organization said on its Web site Wednesday, "After some deliberation, we feel that the Snort Back Orifice preprocessor vulnerability could become a big problem very fast."
They said it's a big deal because:
- The exploit is rather easy to write. Yes, it's specific to a particular binary, but there are a number of common binaries deployed in large numbers.
- It uses a single UDP packet, which can lead to very fast-spreading worms.
- The UDP packet can be spoofed, and can use any port combination.
- Snort is very popular. A fast-spreading (noisy) UDP worm could lead to local slowdowns/outages.