Snort, the open-source intrusion-detection software, is vulnerable to hackers, its developers revealed this week.
Snort's popularity has grown as many businesses have been tempted away from expensive proprietary intrusion-detection systems. Snort's advocates argue that it is more secure than products created by the likes of Cisco and other network equipment vendors, as its code is open for developers to both find and fix flaws.
But on Monday, Sourcefire — the company behind Snort — said that hackers could potentially execute malicious code on a system running Snort and gain access to confidential data.
The vulnerability was reported to Sourcefire by Internet Security Systems (ISS), the security arm of IBM.
Reporting the weakness, an ISS report said: "Snort IDS and Sourcefire Intrusion Sensor IDS/IPS [intrusion-detection/prevention system] are vulnerable to a stack-based buffer overflow, which can result in remote code execution... Compromise of machines using affected versions of Snort or Sourcefire may lead to exposure of confidential information, loss of productivity and further compromise. Successful exploitation of this vulnerability results in remote code execution with the privilege level of Snort, usually root or system."
ISS said the following products are affected:
- Snort 2.6.1, 220.127.116.11, and 18.104.22.168
- Snort 2.7.0 beta 1
- Sourcefire Intrusion Sensors versions 4.1.x, 4.5.x, and 4.6.x with SEUs prior to SEU 64
- Sourcefire Intrusion Sensor Software for Crossbeam versions 4.1.x, 4.5.x and 4.6.x with SEUs prior to SEU 64
Snort said users of version 22.214.171.124 and 126.96.36.199 should upgrade to 188.8.131.52l, which is not vulnerable. Users of version 2.7 should disable the DCE/RPC preprocessor, the program that contains the vulnerability. Version 2.7 is currently in beta, and the issue will be resolved in a second beta version, Snort said.
Cisco was hit by several vulnerabilities last week, including one that allows hackers to circumvent the IPS protection in its routers.