A software vulnerability in the widely used Snort open-source intrusion detection system (IDS) software could allow an attacker to crash the Snort sensor or gain control of the host device on which the sensor runs.
Snort serves as the basis for commercial IDS products such as those produced by Sourcefire and can be used to detect a wide range of network attacks and probes, such as attempted buffer overflows and port scans.
A buffer overflow vulnerability was found in code used by Snort to detect an attack technique called RPC (remote procedure call) fragmentation. RPC fragmentation can be used to evade intrusion detection systems, according to an advisory reported Monday by security vendor Internet Security Systems Inc. (ISS).
RPC is a protocol that one software program can use to request a service from a program located in another computer in a network.
Snort does not properly check the size of the RPC fragments it is processing against the available space in the preprocessing buffer. Sending data to the buffer in excess of its capacity causes the buffer to overflow. Buffer overflows may cause the Snort sensor to crash or enable an attacker to place and execute malicious code on the compromised host, ISS said.
To exploit the vulnerability, attackers would need to craft RPC traffic to specifically exploit the buffer overflow. Attackers would not, however, need to know the address of the Snort sensor they are targeting. Simply sending exploit packets to a network that is protected by a Snort sensor is sufficient to launch an attack, ISS said.
Because Snort sensors and other IDS products typically guard against intrusion into critical networks, the compromise of a Snort sensor could lead to highly sensitive network traffic being accessible to remote attackers. That traffic could, in turn, yield information needed to compromise internal network resources, according to ISS.
All versions of Snort since version 1.8, released in July 2001, are affected by the RPC vulnerability, ISS said. A new version of the Snort software that fixes the RPC vulnerability, version 1.9.1, was available on the Snort Web page as of Tuesday.
ISS recommended that Snort users consult the Snort Web page at http://www.snort.org and upgrade their source implementation using patches or software upgrades available there.
Users who are unable to upgrade their Snort installation should disable the RPC preprocessor until they can upgrade, ISS said.
Get the independent advice and expertise you need to support a virtual workforce.
The increase in Linux popularity has increased the frequency and sophistication of malware attacks. Read this 2 page white paper now to learn how you can protect your Linux environment with real-time protection that is certified by all major Linux vendors.
Download now »
Ensuring acceptable application delivery will become even more difficult over the next few years. As a result, IT organizations need to ensure that the approach that they take to resolving the current application delivery challenges can scale to support the emerging challenges. This handbook elaborates on the key tasks associated with planning, optimization, management and control and provides decision criteria to help IT organizations choose appropriate solutions.
Download now »
A common misconception is that mid-range storage requirements are dramatically different than that of a larger enterprise. Mid-range storage users may require less capacity, but they have similar functionality and management requirements. This ESG paper examines mid-range storage needs and reviews a new solution that adjusts size while retaining value, performance and functionality.
Download now »
This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.
Download now! »
Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.
Download now! »
Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.
Download now! »
Recommend This
