Vulnerability Note VU#139129
Heap overflow in Snort "stream4" preprocessor
The Snort "stream4" preprocessor module contains a vulnerability that allows remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root.
Researchers at CORE Security Technologies have discovered a remotely exploitable heap overflow in the Snort "stream4" preprocessor module. This module allows Snort to reassemble TCP packet fragments for further analysis.
This vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior to RC1.
This vulnerability allows remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root. Please note that it is not necessary for the attacker to know the IP address of the Snort device they wish to attack; merely sending malicious traffic where it can be observed by an affected Snort sensor is sufficient to exploit these vulnerabilities.
Upgrade to Snort 2.0
Binary-only versions of Snort are available from
Disable the "stream4" preprocessor module
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Debian||Affected||16 Apr 2003||19 May 2003|
|Gentoo Linux||Affected||22 Apr 2003||19 May 2003|
|Guardian Digital Inc.||Affected||16 Apr 2003||19 May 2003|
|MandrakeSoft||Affected||16 Apr 2003||19 May 2003|
|SmoothWall||Affected||17 Apr 2003||21 Apr 2003|
|Snort||Affected||16 Apr 2003||17 Apr 2003|
|Apple Computer Inc.||Not Affected||16 Apr 2003||17 Apr 2003|
|Conectiva||Not Affected||16 Apr 2003||19 May 2003|
|Fujitsu||Not Affected||16 Apr 2003||19 May 2003|
|Ingrian Networks||Not Affected||16 Apr 2003||17 Apr 2003|
|NetBSD||Not Affected||16 Apr 2003||17 Apr 2003|
|Red Hat Inc.||Not Affected||16 Apr 2003||17 Apr 2003|
|SGI||Not Affected||16 Apr 2003||17 Apr 2003|
|BSDI||Unknown||16 Apr 2003||17 Apr 2003|
|Cray Inc.||Unknown||16 Apr 2003||17 Apr 2003|
CVSS Metrics (Learn More)
This vulnerability was discovered by Bruce Leidl, Juan Pablo Martinez Kuhn, and Alejandro David Weil of Core Security Technologies.
This document was written by Jeffrey P. Lanza.
- CVE IDs: CAN-2003-0209
- CERT Advisory: CA-2003-13
- Date Public: 15 Apr 2003
- Date First Published: 16 Apr 2003
- Date Last Updated: 19 May 2003
- Severity Metric: 30.99
- Document Revision: 22
If you have feedback, comments, or additional information about this vulnerability, please send us email.