Remote code execution hole in Snort

Summary: A stack-based buffer overflow in the Snort IDS (intrusion detection system) could leave government and enterprise installations vulnerable to remote unauthenticated code execution attacks.


The flaw, found by researchers at IBM's ISS X-Force, sits in the Snort DCE/RPC preprocessor and could be used to execute code with the same privileges (usually root or SYSTEM) as the Snort process. The DCE/RPC preprocessor is a dynamic preprocessor that is enabled in the default configuration and set to auto-detect SMB traffic for reassembly.

Exploitation of this vulnerability does not require user interaction, according to the ISS X-Force alert.

Snort versions affected: Snort 2.6.1, 2.6.1.1, 2.6.1.2 and Snort 2.7.0 beta 1.

Sourcefire, the company that owns and maintains Snort, is strongly urging users to upgrade immediately to Snort version 2.6.1.3. Snort 2.7 beta users can temporarily mitigate the issue by disabling the DCE/RPC preprocessor.
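As an added example (not part of the article, and not Snort project code), here is a small POSIX shell audit for the two facts the advisory turns on: whether the installed Snort is one of the affected 2.6.1.x releases, and whether snort.conf still has an active `preprocessor dcerpc` directive. The `snort -V` banner and the configuration text are constructed samples; the `preprocessor dcerpc:` keyword and its `autodetect`, `max_frag_size` and `memcap` options are the Snort 2.6.1 configuration syntax as assumed here, not something the article quotes.

```shell
#!/bin/sh
# Added example (not from the article or the Snort project): audit a Snort
# host for the DCE/RPC preprocessor advisory. Two checks:
#   1. is the installed version one of the affected 2.6.1.x releases?
#   2. does snort.conf still enable the "preprocessor dcerpc" directive?
# The banner and config text below are CONSTRUCTED samples standing in for
# `snort -V 2>&1` output and /etc/snort/snort.conf.

# Pull "x.y.z[.w]" out of a snort -V style banner line such as
# "Version 2.6.1.2 (Build 34)".
snort_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# Return 0 (true) when the version is one the advisory lists as affected.
# Only the exact 2.6.1.x strings from the advisory are matched; 2.7.0 beta 1
# is also affected, but the banner string for that beta is not given in the
# article, so beta builds must be checked by hand.
snort_version_affected() {
    case "$1" in
        2.6.1|2.6.1.1|2.6.1.2) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the config has an uncommented "preprocessor dcerpc" line,
# 1 when the directive is absent or commented out.
dcerpc_preprocessor_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*preprocessor[[:space:]]+dcerpc'
}

# Combine both checks. Prints a one-line verdict and returns 0 when the host
# needs action (affected version with the preprocessor still on), 1 otherwise.
snort_audit() {
    banner=$1
    conf=$2
    ver=$(snort_version_from_banner "$banner")
    if snort_version_affected "$ver"; then
        if dcerpc_preprocessor_enabled "$conf"; then
            echo "VULNERABLE: Snort $ver with dcerpc preprocessor enabled; upgrade to 2.6.1.3 or disable the preprocessor"
            return 0
        fi
        echo "MITIGATED: Snort $ver but dcerpc preprocessor disabled; still upgrade to 2.6.1.3"
        return 1
    fi
    echo "OK: Snort $ver is not in the advisory's affected list"
    return 1
}

# --- constructed samples (not real captures) ---
SAMPLE_BANNER_VULN='-*> Snort! <*-
Version 2.6.1.2 (Build 34)
By Martin Roesch & The Snort Team'

SAMPLE_BANNER_FIXED='-*> Snort! <*-
Version 2.6.1.3 (Build 35)
By Martin Roesch & The Snort Team'

# Default-style configuration with the preprocessor on (assumed 2.6.1 syntax).
SAMPLE_CONF_ENABLED='dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
# DCE/RPC: auto-detect SMB/DCE-RPC traffic and reassemble fragments
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000'

# Mitigated configuration: every line of the directive commented out, not
# just the first, so none of its continued option lines is left behind.
SAMPLE_CONF_DISABLED='dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
# preprocessor dcerpc: \
#     autodetect \
#     max_frag_size 3000 \
#     memcap 100000'

# Usage: run against the samples; on a live host substitute the real
# `snort -V 2>&1` output and the contents of snort.conf.
snort_audit "$SAMPLE_BANNER_VULN" "$SAMPLE_CONF_ENABLED" || true
snort_audit "$SAMPLE_BANNER_VULN" "$SAMPLE_CONF_DISABLED" || true
snort_audit "$SAMPLE_BANNER_FIXED" "$SAMPLE_CONF_ENABLED" || true
```

The audit treats "preprocessor disabled" as mitigated, not fixed: the overflow is in the preprocessor code, so an affected build with the directive commented out is only safe until someone re-enables it, and the upgrade to 2.6.1.3 is still the real remedy.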

A vulnerability note from US-CERT explains the severity of the risk:

An attacker does not have to complete a full TCP connection to exploit this vulnerability. This vulnerability is in a dynamic-preprocessor enabled in the default configuration, and the configuration for this preprocessor allows for auto-recognition of SMB traffic to perform reassembly on. No checks are performed to see if the traffic is part of a valid TCP session, and multiple Write AndX requests can be chained in the same TCP segment. As a result, an attacker can exploit this overflow with a single TCP PDU sent across a network monitored by Snort or Sourcefire.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...