Snort’s Intrusion System Blows a Hole

In an interesting case of technical irony, a tool used to help security
professionals detect intrusions into their networks is in fact vulnerable to
intrusions itself.

US-CERT issued an advisory this week warning that the open source Snort intrusion detection system had a highly critical buffer overflow vulnerability that could allow an attacker to execute arbitrary code.

Snort is widely used and deployed in its open source form and as a
commercial product. Snort creator Martin Roesh founded Sourcefire in 2001 as a commercial vendor for Snort. In October, Check Point Software acquired Sourcefire for $225 million.

Sourcefire claims that Snort has been downloaded more than 2 million
times and is also included in over 40 commercially available intrusion detection systems.

The reported vulnerability resides in Snort’s Back Orifice pre-processor
and can be trigged by a single UDP packet that triggers a stack-based overflow allowing the attacker to infiltrate the system.

“To exploit this vulnerability, an attacker does not need to send packets
directly to the Snort sensor,” the US-CERT advisory states. “It is
sufficient to send packets to any of the hosts on the network monitored by
Snort.”

According to SANS Internet Storm Center (ISC), exploits based on the vulnerability have already been published and range from remote code-execution exploits to DoS attacks.

SANS ISC noted that they the Snort vulnerability is a “big deal”
because it could potential lead to rapidly spreading worms since Snort is
very popular.

Snort users are being urged to update to the Snort v2.4.3, which was
released this week and fixes the vulnerability.