FW: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
Comments on this are welcomed and appreciate. Using
snort on a few clients production boxes at the moment.
--- Crawford
> -----Original Message-----
> From: CERT Advisory [mailto:cert-advisory@cert.org]
> Sent: Thursday, April 17, 2003 8:30 AM
> To: cert-advisory@cert.org
> Subject: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort
> Preprocessors
>
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
>
> Original release date: April 17, 2003
> Last revised: --
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> * Snort IDS, versions 1.8 through 2.0 RC1
>
> Overview
>
> There are two vulnerabilities in the Snort Intrusion Detection System,
> each in a separate preprocessor module. Both vulnerabilities allow
> remote attackers to execute arbitrary code with the privileges of the
> user running Snort, typically root.
>
> I. Description
>
> The Snort intrusion detection system ships with a variety of
> preprocessor modules that allow the user to selectively include
> additional functionality. Researchers from two independent
> organizations have discovered vulnerabilities in two of these modules,
> the RPC preprocessor and the "stream4" TCP fragment reassembly
> preprocessor.
>
> For additional information regarding Snort, please see
>
> http://www.snort.org/.
>
> VU#139129 - Heap overflow in Snort "stream4" preprocessor
> (CAN-2003-0029)
>
> Researchers at CORE Security Technologies have discovered a remotely
> exploitable heap overflow in the Snort "stream4" preprocessor module.
> This module allows Snort to reassemble TCP packet fragments for
> further analysis.
>
> To exploit this vulnerability, an attacker must disrupt the state
> tracking mechanism of the preprocessor module by sending a series of
> packets with crafted sequence numbers. This causes the module to
> bypass a check for buffer overflow attempts and allows the attacker to
> insert arbitrary code into the heap.
>
> For additional information, please read the Core Security Technologies
> Advisory located at
>
> http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
>
> This vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior
> to RC1. Snort has published an advisory regarding this vulnerability;
> it is available at
>
> http://www.snort.org/advisories/snort-2003-04-16-1.txt.
>
> VU#916785 - Buffer overflow in Snort RPC preprocessor (CAN-2003-0033)
>
> Researchers at Internet Security Systems (ISS) have discovered a
> remotely exploitable buffer overflow in the Snort RPC preprocessor
> module. Martin Roesch, primary developer for Snort, described the
> vulnerability as follows:
>
> When the RPC decoder normalizes fragmented RPC records, it
> incorrectly checks the lengths of what is being normalized against
> the current packet size, leading to an overflow condition. The RPC
> preprocessor is enabled by default.
>
> For additional information, please read the ISS X-Force advisory
> located at
>
> http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951
>
> This vulnerability affects Snort versions 1.8.x through 1.9.1 and
> version 2.0 Beta.
>
> II. Impact
>
> Both VU#139129 and VU#916785 allow remote attackers to execute
> arbitrary code with the privileges of the user running Snort,
> typically root. In addition, it is not necessary for the attacker to
> know the IP address of the Snort device they wish to attack; merely
> sending malicious traffic where it can be observed by an affected
> Snort sensor is sufficient to exploit these vulnerabilities.
>
> III. Solution
>
> Upgrade to Snort 2.0
>
> Both VU#139129 and VU#916785 are addressed in Snort version 2.0, which
> is available at
>
> http://www.snort.org/dl/snort-2.0.0.tar.gz
>
> Binary-only versions of Snort are available from
>
> http://www.snort.org/dl/binaries
>
> For information from other vendors that ship affected versions of
> Snort, please see Appendix A of this document.
>
> Disable affected preprocessor modules
>
> Sites that are unable to immediately upgrade affected Snort sensors
> may prevent exploitation of this vulnerability by commenting out the
> affected preprocessor modules in the "snort.conf" configuration file.
>
> To prevent exploitation of VU#139129, comment out the following line:
>
> preprocessor stream4_reassemble
>
> To prevent exploitation of VU#916785, comment out the following line:
>
> preprocessor rpc_decode: 111 32771
>
> After commenting out the affected modules, send a SIGHUP signal to the
> affected Snort process to update the configuration. Note that
> disabling these modules may have adverse affects on a sensor's ability
> to correctly process RPC record fragments and TCP packet fragments. In
> particular, disabling the "stream4" preprocessor module will prevent
> the Snort sensor from detecting a variety of IDS evasion attacks.
>
> Block outbound packets from Snort IDS systems
>
> You may be able limit an attacker's capabilities if the system is
> compromised by blocking all outbound traffic from the Snort sensor.
> While this workaround will not prevent exploitation of the
> vulnerability, it may make it more difficult for the attacker to
> create a useful exploit.
>
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. As vendors report new information to the CERT/CC, we will
> update this section and note the changes in our revision history. If a
> particular vendor is not listed below, we have not received their
> comments.
>
> Apple Computer, Inc.
>
> Snort is not shipped with Mac OS X or Mac OS X Server.
>
> Ingrian Networks
>
> Ingrian Networks products are not susceptible to VU#139129 and
> VU#916785 since they do not use Snort.
>
> Ingrian customers who are using the IDS Extender Service Engine to
> mirror cleartext data to a Snort-based IDS should upgrade their IDS
> software.
>
> NetBSD
>
> NetBSD does not include snort in the base system.
>
> Snort is available from the 3rd party software system, pkgsrc. Users
> who have installed net/snort, net/snort-mysql or net/snort-pgsql
> should update to a fixed version. pkgsrc/security/audit-packages can
> be used to keep up to date with these types of issues.
>
> Red Hat Inc.
>
> Not vulnerable. Red Hat does not ship Snort in any of our supported
> products.
>
> SGI
>
> SGI does not ship snort as part of IRIX.
>
> Snort
>
> Snort 2.0 has undergone an external third party professional security
> audit funded by Sourcefire.
> _________________________________________________________________
>
> The CERT/CC acknowledges Bruce Leidl, Juan Pablo Martinez Kuhn, and
> Alejandro David Weil of Core Security Technologies for their discovery
> of VU#139129. We also acknowledge Mark Dowd and Neel Mehta of ISS
> X-Force for their discovery of VU#916785.
> _________________________________________________________________
>
> Authors: Jeffrey P. Lanza and Cory F. Cohen.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2003-13.html
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: cert@cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to majordomo@cert.org. Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2003 Carnegie Mellon University.
>
> Revision History
> April 17, 2003: Initial release
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQCVAwUBPp7GWGjtSoHZUTs5AQGmlAP+MWnegmA1Qft9AenH7xefffpEDVGDT+sl
> T4iljwl/ySozE962r40mL4KCszZDPdwRW/MyMA7ZcFaoWbiZc/QrEhTa4A/YYJWC
> A4kL1cEnM/LiQ7yYBSnJ6DIWDTo+M1PUS9so02M6a0f0e4jpzXZDJ5HmPDdo/aPq
> NW70cU8gbgs=
> =Vs2Q
> -----END PGP SIGNATURE-----
Reply to: