Is this the first reported vulnerability in Snort?
This is only vulnerability in Snort ever that I'm aware of. Hackers and the technology they use to exploit vulnerabilities are so sophisticated, it was nearly inevitable.
We're not thrilled about it. We are re-doubling our efforts to secure our code base. We are dedicating internal resources and bringing in external resources to go through our code to make sure there are no others. Was the vulnerability discovered in the open-source or commercial version of Snort?
The vulnerability was discovered in the open-source version of Snort. That part of the code, however, is used in both the open source and commercial. How severe is an RPC normalization preprocessor buffer overflow?
This is as severe as a vulnerability gets. Properly crafted, one could take over the machine by taking advantage of a buffer overflow. An attacker could write their own instructions onto a device. It's easy to mitigate and exploit. Can you take us through the first few days after Sourcefire learned of the vulnerability?
We learned about it the evening of Feb. 20. Internet Security Systems discovered it. They recognized how pervasive Snort is and it led them to take a back seat to us in addressing the vulnerability and releasing the information to the public. We worked together to form a disclosure strategy. We put the elements together to mitigate the vulnerability, including the patch, so that at the start of business on Monday March 3, we were ready with everything needed to remediate.
Snort is used heavily in the (U.S.) government. We concluded that we should include NIPC in the initial disclosure and let them guide us on the disclosure strategy (on Feb. 27). They used the subsequent week to mitigate and patch anything. Last Monday (March 3), we made the disclosure to our customers and the public. The Snort community is a loyal following. What has the community's reaction been to the first vulnerability?
I've heard few complaints. The ones that I have heard are mainly from those who are upset that we did not let everyone know at the same time. I don't think, however, that would have been appropriate or prudent. People were surprised how prepared for this we were. With NIPC's involvement, you got a firsthand look at how the Department of Homeland Security handles vulnerabilities and the sharing and dissemination of information. What's your first impression of that process?
I was quite impressed to tell the truth. Everyone understood the potential ramifications of an exploit. I was impressed how quickly and thoroughly it was remediated within the government. Snort is very pervasive in government. It's found in some of the country's most sensitive systems and networks. The vulnerability was both mitigated and software was patched within the government without leaking information to the public. It was important given the sensitive nature of the information to keep it secure and given the risk that word would leak and hackers would get it first and launch an attack was.
This kind of vulnerability, if not dealt with in the proper way, could represent a worst-case scenario. This was blueprint for how these things could be dealt with in the future. There was generous corporate support. Thoughtful people prepared the mitigation strategy and the fixes were rolled out in a thoughtful way in a classified context within the government. It worked as well as I can imagine. Were you hesitant about the initial reports considering one of your biggest rivals in the IDS space discovered the vulnerability?
It occurred to us that ISS could use this to market benefit, partly because they are a public company. There was a lot at stake here and some one at ISS understood how crucial this could be for critical systems and infrastructure in the U.S. My compliments to them.
FOR MORE INFORMATION:
- FEEDBACK: Does the first vulnerability in Snort shake your faith in the open-source IDS?
Send your thoughts to News Editor Michael S. Mimoso.
It speaks to the mindset of the open-source community as opposed to the closed-source. Their strategy is to hide vulnerabilities and prevent exploits that way. We believe in exposing serious vulnerabilities for the community to deal with and in the end we have secure products.