
Subscribe to
Computerworld
or
Other Spam, Malware and Vulnerabilities Stories
March 04, 2003 (Computerworld) -- A software vulnerability in the widely used Snort open-source intrusion-detection system (IDS) software could allow an attacker to crash the Snort sensor or gain control of the host device on which the sensor runs.
Snort serves as the basis for commercial IDS products, such as those produced by Sourcefire Inc., and can be used to detect a wide range of network attacks and probes, such as attempted buffer overflows and port scans.
A buffer overflow vulnerability was found in code used by Snort to detect an attack technique called RPC (remote procedure call) fragmentation. RPC fragmentation can be used to evade IDSs, according to an advisory issued yesterday by security vendor Internet Security Systems Inc. (ISS).
RPC is a protocol that one software program can use to request a service from a program located in another computer in a network.
Snort doesn't properly check the size of the RPC fragments it's processing against the available space in the preprocessing buffer. Sending data to the buffer in excess of its capacity causes the buffer to overflow. Buffer overflows may cause the Snort sensor to crash or enable an attacker to place and execute malicious code on the compromised host, ISS said.
To exploit the vulnerability, attackers would need to craft RPC traffic to specifically exploit the buffer overflow. Attackers wouldn't, however, need to know the address of the Snort sensor they were targeting. Simply sending exploit packets to a network that's protected by a Snort sensor is sufficient to launch an attack, ISS said.
Because Snort sensors and other IDS products typically guard against intrusion into critical networks, the compromise of a Snort sensor could lead to highly sensitive network traffic being accessible to remote attackers. That traffic could, in turn, yield information needed to compromise internal network resources, according to ISS.
All versions of Snort since Version 1.8, released in July 2001, are affected by the RPC vulnerability, ISS said. A new version of the Snort software that fixes the RPC vulnerability, Version 1.9.1, is now available on the Snort Web page. ISS recommended that Snort users consult the Snort site and upgrade their source implementation using the patches or software upgrades available there.
Users who are unable to upgrade their Snort installation should disable the RPC preprocessor until they can upgrade, ISS said.
|
|
Print this Story |
|
Send Us Feedback |
|
E-mail this Story |
|
Digg this Story |
|
Slashdot this Story |
|
|
|
|
|
|
|
|
All Zones Application Performance Zone Business Continuity Zone Data Center Management Zone Enterprise-Class Security Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone Business Intelligence and Analytics Zone |
|
|
| ||||||||
| ||||||||
| ||||||||
|


| XenServer FREE trial Citrix XenServer is the simplest and most effective way to virtualize and provision servers. XenServer combines comprehensive server virtualization capabilities with unparalleled scalability, performance, economics, and ease-of-use. Based on the open source Xen hypervisor, XenServer delivers fast performance, easy management, and advanced features such as live migration. |

| Try Fluke Networks'
EtherScope Analyzer on your network FREE Quickly solve the wide range of problems you encounter - 10, 100 and Gigabit, twisted pair and optical fiber, LAN or wireless LAN. The EtherScope Analyzer combines the essential tools you need to monitor network traffic and switch interfaces, discover devices, networks, VLANs, access points, mobile clients and more. See the power of this portable network analyzer on your network. Request free trial now
*Terms and conditions: Evaluation units are available only for a limited time and will be scheduled on a first-come first-served basis. Not available in all geographies. Limited quantities available; customers requesting evaluation units may be waitlisted for the next available unit. It will be at the discretion of Fluke Networks to accept or decline requests for this free evaluation. |
| About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map |
|
CIO The Industry Standard |