CERT Warns of Snort Vulnerabilities


Security researchers have found multiple security vulnerabilities in the
open-source Snort network intrusion
detection system, warning that older versions are wide open to code
execution and denial-of-service attacks.

Snort, which is used primarily to perform real-time traffic analysis and
packet logging on IP networks, has been upgraded to version 2.0 to fix the
holes.

An advisory from the CERT Coordination Center warned of two bugs, each in
a separate preprocessor module, that could let remote attackers execute
arbitrary code with the privileges of the user running Snort, typically
root.

The problems lie in the preprocessor modules within Snort that let
users personalize the system’s functionalities — the “stream4” TCP fragment
reassembly preprocessor and the RPC preprocessor.

In the “stream4” preprocessor, researchers at CORE Security Technologies found a
heap overflow bug that can be exploited by an attacker. “To exploit this
vulnerability, an attacker must disrupt the state tracking mechanism of the
preprocessor module by sending a series of packets with crafted sequence
numbers. This causes the module to bypass a check for buffer overflow
attempts and allows the attacker to insert arbitrary code into the heap,”
CERT/CC warned.

Separately, researchers at Internet Security Systems (ISS) discovered
a buffer overflow vulnerability in the Snort RPC preprocessor module. “When
the RPC decoder normalizes fragmented RPC records, it incorrectly checks the
lengths of what is being normalized against the current packet size, leading
to an overflow condition,” the Center said.
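
The kind of length check CERT/CC describes for fragmented RPC records, shown as an added example in C (not Snort's code and not taken from the advisory): a routine that merges record-marking fragments and rejects any fragment whose claimed length exceeds the bytes still unread or the output space still free. The function name, buffers and sample bytes are constructed for illustration; the framing assumed is RFC 5531 record marking.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Snort code. Merges RPC record-marking fragments
 * (RFC 5531: 4-byte header, top bit = last fragment, low 31 bits =
 * length) from `in` into `out`. Returns the merged payload length, or
 * -1 when a claimed length does not fit the bytes actually present. */
long rpc_merge_fragments(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_cap)
{
    size_t pos = 0, total = 0;
    int last = 0;

    while (!last) {
        if (in_len - pos < 4)            /* header must fit in what remains */
            return -1;
        uint32_t hdr = ((uint32_t)in[pos] << 24) | ((uint32_t)in[pos + 1] << 16) |
                       ((uint32_t)in[pos + 2] << 8) | (uint32_t)in[pos + 3];
        pos += 4;
        last = (hdr & 0x80000000u) != 0;
        size_t frag = hdr & 0x7fffffffu;

        /* Each claimed length is checked against the bytes still unread
         * and the output space still free; the subtraction form keeps
         * the comparison itself from wrapping. */
        if (frag > in_len - pos || frag > out_cap - total)
            return -1;
        memcpy(out + total, in + pos, frag);
        pos += frag;
        total += frag;
    }
    return (long)total;
}

/* Constructed sample inputs (assumptions, not captured traffic). */
static const uint8_t SAMPLE_OK[] = { 0x00,0,0,2, 'A','B', 0x80,0,0,3, 'C','D','E' };
/* Second fragment claims 64 bytes but only 1 follows. */
static const uint8_t SAMPLE_BAD[] = { 0x00,0,0,2, 'A','B', 0x80,0,0,64, 'C' };

int main(void)
{
    uint8_t out[16];
    printf("ok=%ld bad=%ld\n",
           rpc_merge_fragments(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out),
           rpc_merge_fragments(SAMPLE_BAD, sizeof SAMPLE_BAD, out, sizeof out));
    return 0;
}
```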

IT administrators running Snort have been warned that it is not
necessary for the intruder to know the IP address of the Snort device to
mount a successful attack. “Merely sending malicious traffic where it can be
observed by an affected Snort sensor is sufficient to exploit these
vulnerabilities.”

The lightweight Snort performs protocol analysis and content
searching/matching, and can be used to detect a variety of attacks and
probes, such as buffer overflows, port scans, CGI attacks or SMB probes.
