Vulnerability Note VU#196240
Sourcefire Snort DCE/RPC preprocessor does not properly reassemble fragmented packets
A vulnerability in the Sourcefire Snort DCE/RPC preprocessor may allow a remote, unauthenticated attacker to execute arbitrary code.
Sourcefire Snort is a widely-deployed, open-source network intrusion detection system (IDS). Snort and its components are used in other IDS products, notably Sourcefire, and Snort is included with a number of operating system distributions.
The DCE/RPC preprocessor is enabled by default and dynamically detects SMB traffic. An attacker does not have to complete a full TCP connection to exploit this vulnerability. According to ISS:
This vulnerability occurred as a result of violating rule ARR33-C of the CERT Secure Coding Standard.
A remote, unauthenticated attacker may be able to execute arbitrary code with the privilege level of the Snort preprocessor. In most cases this would allow an attacker to compromise the system running Snort.
Disable the preprocessor
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Gentoo Linux||Affected||19 Feb 2007||12 Mar 2007|
|Nortel Networks, Inc.||Affected||19 Feb 2007||21 Feb 2007|
|Snort||Affected||17 Feb 2007||19 Feb 2007|
|Sourcefire||Affected||17 Feb 2007||19 Feb 2007|
|Apple Computer, Inc.||Not Affected||19 Feb 2007||22 Feb 2007|
|Cisco Systems, Inc.||Not Affected||19 Feb 2007||20 Feb 2007|
|F5 Networks, Inc.||Not Affected||19 Feb 2007||23 Feb 2007|
|Force10 Networks, Inc.||Not Affected||19 Feb 2007||22 Mar 2007|
|Foundry Networks, Inc.||Not Affected||19 Feb 2007||30 Jan 2008|
|Intel Corporation||Not Affected||19 Feb 2007||20 Feb 2007|
|Internet Security Systems, Inc.||Not Affected||19 Feb 2007||20 Feb 2007|
|Intoto||Not Affected||19 Feb 2007||20 Feb 2007|
|Juniper Networks, Inc.||Not Affected||19 Feb 2007||22 Feb 2007|
|NetBSD||Not Affected||19 Feb 2007||20 Feb 2007|
|Openwall GNU/*/Linux||Not Affected||19 Feb 2007||20 Feb 2007|
CVSS Metrics (Learn More)
This vulnerability was reported and researched by Neel Mehta from IBM ISS X-Force.
This document was written by Chris Taschner and Art Manion.
- CVE IDs: CVE-2006-5276
- Date Public: 19 Feb 2007
- Date First Published: 19 Feb 2007
- Date Last Updated: 30 Jan 2008
- Severity Metric: 23.62
- Document Revision: 44
If you have feedback, comments, or additional information about this vulnerability, please send us email.