CERT Warns of Snort Vulnerabilities
Page 1 of 1
Security researchers have found multiple security vulnerabilities in the open-source Snort network intrusion detection system, warning that older versions are wide open to code execution and denial-of-service attacks.
Snort, which is used primarily to perform real-time traffic analysis and packet logging on IP networks, has been upgraded to version 2.0 to fix the holes. (Download location here).
An advisory from the CERT Coordination Center warned of two bugs, each in a separate preprocessor module, that could let remote attackers execute arbitrary code with the privileges of the user running Snort, typically root.
The problems like in the preprocessor modules within Snort that lets users personalize the system's functionalities -- the "stream4" TCP fragment reassembly preprocessor and the RPC preprocessor.
In "stream4" preprocessor, researchers at CORE Security Technologies found a heap overflow bug that can be exploited by an attacker. "To exploit this vulnerability, an attacker must disrupt the state tracking mechanism of the preprocessor module by sending a series of packets with crafted sequence numbers. This causes the module to bypass a check for buffer overflow attempts and allows the attacker to insert arbitrary code into the heap," CERT/CC warned.
Separately, researchers at the Internet Security Systems (ISS) discovered a buffer overflow vulnerability in the Snort RPC preprocessor module. "When the RPC decoder normalizes fragmented RPC records, it incorrectly checks the lengths of what is being normalized against the current packet size, leading to an overflow condition," the Center said.
IT administrators running Snort have been warned that it was not necessary for the intruder to know the IP address of the Snort device to mount a successful attack. "Merely sending malicious traffic where it can be observed by an affected Snort sensor is sufficient to exploit these vulnerabilities."
The lightweight Snort is used to perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, port scans, CGI attacks or SMB probes.