Snort update fixes security hole

Attackers could exploit a flaw in the open source IDS to gain unauthorized network access, security firms warn. But a fix is available.

Updated Wednesday, Oct. 19, to include a warning from the SANS Internet Storm Center.

Snort users should install the latest version of the IDS tool to fix a flaw that attackers could exploit to gain unauthorized network access, security firms warned Tuesday. Atlanta-based vendor Internet Security Systems' (ISS) X-Force uncovered the glitch and released details Tuesday in an advisory.

Since many other commercial IDS and IPS systems are based on Snort, ISS X-Force said there may be "many affected downstream vendors." A long list of those vendors appears in an advisory the United States Computer Emergency Readiness Team (US-CERT) issued Tuesday. They include 3Com Corp., Apple Computer Inc., IBM Corp., Juniper Networks Inc., Cisco Systems Inc. and Check Point Software Technologies Ltd., which announced plans earlier this month to buy Snort's distributor, Sourcefire Inc., for about $225 million in cash.


At issue is a remotely exploitable security hole in Snort's Back Orifice preprocessor, which decodes packets to determine if they contain Back Orifice ping messages. "A stack-based overflow can be triggered with a single UDP (User Datagram Protocol) packet," according to the X-Force advisory, "allowing an attacker to fully compromise a Snort or Sourcefire installation.

"Compromise of networks and machines using Snort may lead to exposure of confidential information, loss of productivity, and further network compromise," the advisory added. "Successful exploitation of these vulnerabilities could be used to gain unauthorized access to networks and machines."

Making matters worse, ISS X-Force said no authentication is necessary for attackers to exploit the flaw and compromise networks and machines. "Snort installations are vulnerable in their default configurations," the organization said. "It is not necessary to know the exact location of Snort sensors, but simply to attack a network which they may be listening on."
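The bug class the advisory describes, as an added illustration that is not Snort's or Sourcefire's code: a UDP payload is decoded into a fixed-size stack buffer, and the copy loop trusts the packet length instead of the buffer size, so one oversized datagram overwrites the stack. The bounded version sits beside it. The 8-byte marker string, the stand-in XOR keystream, the 64-byte buffer and the key 31337 are assumptions chosen for the demo, not values taken from the Snort source or the advisory.

```c
/*
 * Added illustration of the bug class, not Snort's code.
 * The marker, keystream and buffer size below are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BO_MAGIC      "*!*QWTY?"   /* assumed 8-byte ping marker */
#define BO_MAGIC_LEN  8
#define DECODE_BUF    64           /* deliberately small for the demo */

/* Stand-in keystream (assumption): a linear congruential generator
 * seeded with the key, one byte per call. Not the real BO cipher. */
static uint8_t keystream(uint32_t *state)
{
    *state = *state * 214013u + 2531011u;
    return (uint8_t)((*state >> 16) & 0xff);
}

/* VULNERABLE pattern: decodes 'len' bytes into a DECODE_BUF-byte stack
 * buffer with no check that len <= DECODE_BUF. The loop bound is the
 * attacker's packet length. Returns 1 if the plaintext starts with the
 * marker. Only ever call it with len <= DECODE_BUF; anything larger
 * smashes the stack, which is the point of the example. */
int bo_is_ping_unchecked(const uint8_t *pkt, size_t len, uint32_t key)
{
    uint8_t plain[DECODE_BUF];
    uint32_t st = key;
    size_t i;
    for (i = 0; i < len; i++)
        plain[i] = pkt[i] ^ keystream(&st);
    return len >= BO_MAGIC_LEN && memcmp(plain, BO_MAGIC, BO_MAGIC_LEN) == 0;
}

/* HARDENED: reject what does not fit before touching the buffer.
 * Returns 1 = ping, 0 = not a ping, -1 = rejected as oversized. */
int bo_is_ping_checked(const uint8_t *pkt, size_t len, uint32_t key)
{
    uint8_t plain[DECODE_BUF];
    uint32_t st = key;
    size_t i;
    if (len < BO_MAGIC_LEN) return 0;
    if (len > DECODE_BUF) return -1;   /* the missing bounds check */
    for (i = 0; i < len; i++)
        plain[i] = pkt[i] ^ keystream(&st);
    return memcmp(plain, BO_MAGIC, BO_MAGIC_LEN) == 0;
}

/* Builds a constructed datagram: 'msg' encoded under 'key'. */
size_t bo_encode(const char *msg, uint32_t key, uint8_t *out, size_t cap)
{
    size_t n = strlen(msg), i;
    uint32_t st = key;
    if (n > cap) n = cap;
    for (i = 0; i < n; i++)
        out[i] = (uint8_t)msg[i] ^ keystream(&st);
    return n;
}

int main(void)
{
    uint8_t pkt[256];
    size_t n = bo_encode("*!*QWTY?ping", 31337u, pkt, sizeof pkt);
    printf("12-byte ping, checked decoder: %d\n",
           bo_is_ping_checked(pkt, n, 31337u));
    memset(pkt, 0x41, sizeof pkt);     /* constructed oversized datagram */
    printf("256-byte packet, checked decoder: %d\n",
           bo_is_ping_checked(pkt, sizeof pkt, 31337u));
    /* bo_is_ping_unchecked(pkt, sizeof pkt, 31337u) would overflow here. */
    return 0;
}
```

The only difference between the two decoders is the single length comparison, which is why the advisory can say the flaw needs no authentication and no knowledge of the sensor's address: the preprocessor runs the decode on every UDP datagram it sees, so the attacker's packet length is the loop bound.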

The vulnerability affects Snort 2.4.0, 2.4.1 and 2.4.2. Columbia, Md.-based Sourcefire Inc. said in an advisory that it has released version 2.4.3 to correct the problem. In addition, Sourcefire said, "detailed instructions for mitigating the issue by disabling the Back Orifice preprocessor are included [in its advisory]."
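The workaround Sourcefire points to, shown as a constructed snort.conf excerpt rather than text from its advisory: the preprocessor is loaded by a single `preprocessor bo` line, and disabling it means commenting that line out and restarting the sensor.

```conf
# Constructed snort.conf excerpt (added example, not Sourcefire's advisory).
# Default 2.4.x configuration: the Back Orifice preprocessor is loaded and
# inspects UDP traffic on every port.
preprocessor bo

# Interim mitigation until the sensor runs 2.4.3: comment the line out and
# restart Snort so the preprocessor is never loaded.
# preprocessor bo
```

Run `snort -T -c /path/to/snort.conf` after the edit to confirm the configuration still parses, then restart the sensor; the change has no effect on a running process until it is restarted.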

The flaw has prompted the Bethesda, Md.-based SANS Internet Storm Center to raise its infocon status to yellow. The organization said on its Web site Wednesday, "After some deliberation, we feel that the Snort Back Orifice preprocessor vulnerability could become a big problem very fast."

They said it's a big deal because:

  • The exploit is rather easy to write. Yes, it's specific to a particular binary, but there are a number of common binaries deployed in large numbers.
  • It uses a single UDP packet, which can lead to very fast-spreading worms.
  • The UDP packet can be spoofed, and can use any port combination.
  • Snort is very popular. A fast-spreading (noisy) UDP worm could lead to local slowdowns/outages.
