Vulnerability Note VU#175500
Snort Back Orifice preprocessor buffer overflow
Overview
A buffer overflow exists in the Snort Back Orifice preprocessor that may allow a remote, unauthenticated attacker to execute arbitrary code, possibly with elevated privileges.
I. Description
Snort is an open-source intrusion detection system (IDS). A lack of validation on attacker-controlled data may allow a buffer overflow to occur in the Snort Back Orifice preprocessor. A remote, unauthenticated attacker may be able to trigger the buffer overflow by sending a specially crafted Back Orifice ping to a vulnerable Snort installation.
To exploit this vulnerability, an attacker does not need to send packets directly to the Snort sensor. It is sufficient to send packets to any of the hosts on the network monitored by Snort.
II. Impact
A remote attacker can execute arbitrary code with the privileges of the Snort process, typically root or SYSTEM.
III. Solution
Update
This issue has been addressed in Snort version 2.4.3.
Disable Snort Back Orifice preprocessor
Disabling the Snort Back Orifice preprocessor will mitigate this vulnerability. However, without the Back Orifice preprocessor, the Snort sensor will not detect or prevent Back Orifice traffic. Snort suggests the following steps to disable the Back Orifice preprocessor:
The Back Orifice preprocessor can be disabled by commenting out the line "preprocessor bo" in snort.conf. This can be done in any text editor using the following procedure:
1. Locate the line "preprocessor bo"
2. Comment out this line by preceding it with a hash (#). The new line will look like "#preprocessor bo"
3. Save the file
4. Restart snort
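The same procedure as a script, added here as an example and not taken from the note or from the Snort project: it comments out the `preprocessor bo` line in a snort.conf passed as an argument, keeps a backup, and verifies the result before the sensor is restarted. It assumes the directive may carry leading whitespace or trailing options after a colon, and the snort.conf fragment it operates on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: disable the Snort Back Orifice preprocessor in snort.conf.

# Return 0 (true) if an active "preprocessor bo" line is present in the
# given snort.conf, 1 otherwise. Leading whitespace and a trailing
# ": options" suffix are tolerated (assumption, not from the note).
bo_enabled() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+bo([[:space:]]|:|$)' "$1"
}

# Comment out every active "preprocessor bo" line, preserving a backup at
# "$1.bak" so the change can be reverted if Back Orifice detection is needed.
disable_bo() {
    cp -p "$1" "$1.bak"
    sed -E 's/^([[:space:]]*)(preprocessor[[:space:]]+bo([[:space:]]|:|$))/\1#\2/' \
        "$1.bak" > "$1"
}

# Constructed sample snort.conf fragment used for the demonstration below.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample snort.conf fragment
preprocessor frag2
preprocessor bo
preprocessor stream4: detect_scans
EOF
}

# Demonstration: write the sample, disable the preprocessor, then verify.
tmp=$(mktemp -d)
conf="$tmp/snort.conf"
make_sample_conf "$conf"
if bo_enabled "$conf"; then
    disable_bo "$conf"
fi
if bo_enabled "$conf"; then
    echo "Back Orifice preprocessor is still enabled in $conf"
else
    echo "Back Orifice preprocessor disabled in $conf; restart snort to apply"
fi
```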
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
| 3com, Inc. | Unknown | 18-Oct-2005 |
| Alcatel | Unknown | 18-Oct-2005 |
| Apple Computer, Inc. | Not Vulnerable | 9-Nov-2005 |
| AT&T | Unknown | 18-Oct-2005 |
| Avaya, Inc. | Not Vulnerable | 18-Oct-2005 |
| Avici Systems, Inc. | Unknown | 18-Oct-2005 |
| Borderware Technologies | Unknown | 18-Oct-2005 |
| Bro | Unknown | 11-Nov-2005 |
| Charlotte's Web Networks | Unknown | 18-Oct-2005 |
| Check Point Software Technologies | Unknown | 18-Oct-2005 |
| Chiaro Networks, Inc. | Unknown | 18-Oct-2005 |
| CIAC | Unknown | 11-Nov-2005 |
| Cisco Systems, Inc. | Unknown | 18-Oct-2005 |
| Computer Associates | Unknown | 18-Oct-2005 |
| Computer Associates eTrust Security Management | Unknown | 10-Nov-2005 |
| Conectiva Inc. | Unknown | 18-Oct-2005 |
| Cray Inc. | Unknown | 18-Oct-2005 |
| D-Link Systems, Inc. | Unknown | 18-Oct-2005 |
| Data Connection, Ltd. | Unknown | 18-Oct-2005 |
| Debian Linux | Not Vulnerable | 11-Nov-2005 |
| EMC, Inc. (formerly Data General Corporation) | Unknown | 18-Oct-2005 |
| Engarde Secure Linux | Unknown | 18-Oct-2005 |
| Enterasys Networks | Unknown | 10-Nov-2005 |
| Ericsson | Unknown | 18-Oct-2005 |
| eSoft, Inc. | Unknown | 18-Oct-2005 |
| Extreme Networks | Unknown | 18-Oct-2005 |
| F5 Networks, Inc. | Not Vulnerable | 19-Oct-2005 |
| Fedora Project | Unknown | 18-Oct-2005 |
| Force10 Networks, Inc. | Unknown | 18-Oct-2005 |
| Fortinet, Inc. | Unknown | 18-Oct-2005 |
| Foundry Networks, Inc. | Unknown | 18-Oct-2005 |
| FreeBSD, Inc. | Vulnerable | 18-Oct-2005 |
| Fujitsu | Unknown | 18-Oct-2005 |
| Gentoo Linux | Unknown | 18-Oct-2005 |
| Global Technology Associates | Not Vulnerable | 18-Oct-2005 |
| GNU netfilter | Unknown | 18-Oct-2005 |
| Hewlett-Packard Company | Unknown | 18-Oct-2005 |
| Hitachi | Not Vulnerable | 20-Oct-2005 |
| Hyperchip | Unknown | 18-Oct-2005 |
| IBM Corporation | Unknown | 18-Oct-2005 |
| Immunix Communications, Inc. | Unknown | 18-Oct-2005 |
| Ingrian Networks, Inc. | Unknown | 18-Oct-2005 |
| Intel Corporation | Unknown | 18-Oct-2005 |
| Internet Security Systems, Inc. | Not Vulnerable | 18-Oct-2005 |
| Intoto | Not Vulnerable | 11-Nov-2005 |
| IP Filter | Unknown | 18-Oct-2005 |
| Juniper Networks, Inc. | Not Vulnerable | 20-Oct-2005 |
| Linksys (A division of Cisco Systems) | Unknown | 18-Oct-2005 |
| Lucent Technologies | Unknown | 18-Oct-2005 |
| Luminous Networks | Unknown | 18-Oct-2005 |
| Mandriva, Inc. | Unknown | 18-Oct-2005 |
| McAfee | Unknown | 10-Nov-2005 |
| Microsoft Corporation | Unknown | 18-Oct-2005 |
| MontaVista Software, Inc. | Unknown | 18-Oct-2005 |
| Multinet (owned Process Software Corporation) | Unknown | 18-Oct-2005 |
| Multitech, Inc. | Unknown | 18-Oct-2005 |
| NEC Corporation | Unknown | 18-Oct-2005 |
| NetBSD | Unknown | 18-Oct-2005 |
| Network Appliance, Inc. | Unknown | 18-Oct-2005 |
| NextHop Technologies, Inc. | Not Vulnerable | 18-Oct-2005 |
| Nortel Networks, Inc. | Vulnerable | 19-Oct-2005 |
| Novell, Inc. | Unknown | 18-Oct-2005 |
| OpenBSD | Unknown | 18-Oct-2005 |
| Openwall GNU/*/Linux | Not Vulnerable | 18-Oct-2005 |
| QNX, Software Systems, Inc. | Unknown | 18-Oct-2005 |
| Red Hat, Inc. | Not Vulnerable | 18-Oct-2005 |
| Redback Networks, Inc. | Unknown | 18-Oct-2005 |
| Riverstone Networks, Inc. | Unknown | 18-Oct-2005 |
| Secure Computing Network Security Division | Not Vulnerable | 18-Oct-2005 |
| Sequent Computer Systems, Inc. | Unknown | 18-Oct-2005 |
| Silicon Graphics, Inc. | Unknown | 18-Oct-2005 |
| Slackware Linux Inc. | Unknown | 18-Oct-2005 |
| Snort | Vulnerable | 18-Oct-2005 |
| Sony Corporation | Unknown | 18-Oct-2005 |
| Sourcefire | Vulnerable | 26-Oct-2005 |
| Stonesoft | Not Vulnerable | 20-Oct-2005 |
| Sun Microsystems, Inc. | Not Vulnerable | 18-Oct-2005 |
| SUSE Linux | Vulnerable | 19-Oct-2005 |
| Symantec, Inc. | Unknown | 18-Oct-2005 |
| The SCO Group | Unknown | 18-Oct-2005 |
| TippingPoint, Technologies, Inc. | Unknown | 10-Nov-2005 |
| Trustix Secure Linux | Unknown | 18-Oct-2005 |
| Turbolinux | Unknown | 18-Oct-2005 |
| Ubuntu | Vulnerable | 19-Oct-2005 |
| Unisys | Unknown | 18-Oct-2005 |
| Watchguard Technologies, Inc. | Not Vulnerable | 18-Oct-2005 |
| Wind River Systems, Inc. | Unknown | 18-Oct-2005 |
| ZyXEL | Unknown | 18-Oct-2005 |
References
http://www.us-cert.gov/cas/techalerts/TA05-291A.html
http://www.snort.org/pub-bin/snortnews.cgi#99
http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt
http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node11.html#SECTION00310000000000000000
http://xforce.iss.net/xforce/alerts/id/207
http://secunia.com/advisories/17220/
Credit
This vulnerability was researched and reported by Internet Security Systems (ISS).
This document was written by Art Manion and Jeff Gennari.
Other Information
| Date Public: | 2005-10-18 |
| Date First Published: | 2005-10-18 |
| Date Last Updated: | 2005-11-11 |
| CERT Advisory: | |
| CVE-ID(s): | CAN-2005-3252 |
| NVD-ID(s): | CAN-2005-3252 |
| US-CERT Technical Alerts: | |
| Metric: | 31.05 |
| Document Revision: | 37 |
If you have feedback, comments, or additional information about this vulnerability, please send us email.