An urgent security issue has been discovered in the Snort open source intrusion detection system (IDS) that could allow malicious packets to damage Snort-protected computers. Though no exploit is currently circulating, one vendor's advisory gives the flaw a 7.2 severity rating and 5.4 urgency, most likely due to Snort's widespread use and the current lack of a patch.
Cupertino, Calif.-based AV giant Symantec Corp. warned customers of its DeepSight Threat Management System early Thursday that the freely available intrusion detection system is prone to a detection-evasion vulnerability. The issue was
Likely due to a design error in Snort, Symantec said the problem affects Snort version 2.4.4, but may be an issue with other versions as well. It occurs when a malicious URL has a carriage return at the end, just prior to the HTTP protocol declaration. Such a URL can enable an attacker to successfully bypass "uricontent" rules to carry out an attack against a system being protected by Snort.
Symantec said it is currently unaware of any exploits for the flaw. Sourcefire Inc., the maker of Snort, has not yet issued a fix, but plans to do so early next week. Symantec recommends that organizations using Snort mitigate the issue by making use of multiple layers of security and filtering, including firewalls, antivirus and intrusion detection software.
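The evasion described above comes down to how the inspecting parser delimits the URI field of an HTTP request line. The following added example (illustrative code written for this summary, not Snort's or Sourcefire's own parser) contrasts a naive extractor that only recognises single spaces as field separators with one that treats a bare carriage return the way a lenient web server would, and runs a hypothetical uricontent-style substring rule over a few constructed request lines:

```python
import re

# Constructed sample request lines for this example (not taken from the article).
# The second line carries a bare carriage return between the URI and the protocol
# declaration, the shape of request the advisory says slips past uricontent rules.
SAMPLE_REQUEST_LINES = [
    "GET /cgi-bin/admin.cgi?cmd=list HTTP/1.0",
    "GET /cgi-bin/admin.cgi?cmd=list\rHTTP/1.0",
    "GET /index.html HTTP/1.1",
]

# Hypothetical uricontent-style rule body: alert when this substring occurs in the URI.
URICONTENT_PATTERN = "/admin.cgi"


def extract_uri_naive(request_line):
    """Take the URI from a request line split strictly on single spaces.

    A line that does not yield exactly three fields ending in an HTTP/ version
    is treated as not-HTTP and returns None, so no URI rule is ever evaluated.
    """
    fields = request_line.rstrip("\r\n").split(" ")
    if len(fields) != 3 or not fields[2].startswith("HTTP/"):
        return None
    return fields[1]


def extract_uri_normalized(request_line):
    """Take the URI after treating CR, TAB and SP alike as field separators.

    Splitting on the same whitespace characters a lenient web server tolerates
    keeps the inspected URI aligned with the URI the server actually serves.
    """
    fields = [f for f in re.split(r"[ \t\r]+", request_line.rstrip("\r\n")) if f]
    if len(fields) != 3 or not fields[2].startswith("HTTP/"):
        return None
    return fields[1]


def rule_matches(uri, pattern=URICONTENT_PATTERN):
    """Mimic a uricontent check: case-sensitive substring match on the URI only."""
    return uri is not None and pattern in uri


def alerts(request_lines, extractor, pattern=URICONTENT_PATTERN):
    """Return the request lines that would raise an alert under the given extractor."""
    return [line for line in request_lines if rule_matches(extractor(line), pattern)]


if __name__ == "__main__":
    for name, extractor in (("naive", extract_uri_naive),
                            ("normalized", extract_uri_normalized)):
        hits = alerts(SAMPLE_REQUEST_LINES, extractor)
        print(f"{name}: {len(hits)} alert(s) on {len(SAMPLE_REQUEST_LINES)} request lines")
```

The naive extractor never sees the CR-bearing line as a well-formed request, so the rule is never consulted and the request passes uninspected; the normalized extractor recovers the same URI the server would serve and the rule fires. The general lesson for any content-inspection layer is that the parser must tolerate at least the same delimiter variations as the protected application does.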
IBM addresses Kerberos flaws
IBM says it has remedied a pair of vulnerabilities in its Distributed Computing Environment (DCE) that could result in a denial of service.
The flaws in DCE, a set of networking technologies from Big Blue that enable secure access to network resources using public key infrastructure (PKI) and supporting Lightweight Directory Access Protocol (LDAP), have been deemed extremely critical by Danish vulnerability clearinghouse Secunia.
According to IBM, an issue with the Key Distribution Center (KDC) in the Massachusetts Institute of Technology's Kerberos 5 implementation "can corrupt the heap by attempting to free memory at a random address when it receives a certain unlikely (but valid) request via a TCP connection. This attempt to free unallocated memory can result in a KDC crash and consequent denial of service."
Additionally, IBM said, when the same request is received by the KDC via TCP or UDP, it may activate a flaw in the Kerberos 5 library that results in a single-byte overflow of a heap buffer. Though it calls an attack of this nature "highly improbable," IBM said an unauthenticated attacker may be able to use the vulnerabilities to execute arbitrary code on the KDC host system and potentially compromise an entire Kerberos realm.
IBM said there are currently no known exploits. In its bulletin it recommends that customers disable TCP support in the KDC, and run the KDC "from init or from some similar automatic respawning facility," though the single-byte overflow is still possible without KDC TCP support enabled.
Symantec's Norton 360 faces delay
As Microsoft rolls out its long-awaited Windows OneCare Live software, the security industry's antivirus giants are also preparing their own challenges. However, Symantec's initiative has reportedly hit a stumbling block.
According to a report from CNET News.com, Symantec's Norton 360 software, which is being designed to compete with OneCare's combination of antivirus, antispyware and firewall capabilities, is now expected to ship in March 2007, instead of September 2006.
Symantec said Norton 360, previously known by its codename Genesis, may ship sooner, depending in part on the results of a sizable public beta beginning next month. Other product details have yet to be announced.
Microsoft's OneCare product debuts today at $49.99 a year for up to three PCs per home. It also includes tune-up tools and other backup features for Windows PCs. Santa Clara, Calif.-based McAfee Inc. is also preparing a rival product, dubbed Falcon, that will be available this summer. Falcon will offer features from its current product line to defend desktops against spyware, viruses, spam, phishing and rootkits, and will feature an overhauled management interface.