Vulnerability Note VU#916785
Buffer overflow in Snort RPC preprocessor
There is a buffer overflow vulnerability in the RPC preprocessing feature of Snort versions 1.8 through 1.9.0 and 2.0 beta.
Martin Roesch, the primary Snort developer, described the vulnerability by saying:
When the RPC decoder normalizes fragmented RPC records, it incorrectly checks the lengths of what is being normalized against the current packet size, leading to an overflow condition. The RPC preprocessor is enabled by default.
The ISS X-Force team has published an advisory with additional information on this issue:
Information about this vulnerability can also be found on the Snort web site at:
A remote attacker can execute arbitrary code as the user running the Snort process, usually root. The attacker does not need to send packets directly to the Snort sensor. It is sufficient to send packets to any of the hosts on the network monitored by Snort.
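The length validation at issue in the description above, shown as an added C example (illustrative only; it is not Snort's rpc_decode code and does not come from this note). Each fragment length taken from the ONC RPC record-marking header (RFC 5531) is checked against the bytes actually remaining in the input and, separately, against the space remaining in the output before anything is copied. The function name `rpc_defragment` and the sample records are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative only, not Snort's code. Merges the fragments of one RPC record
 * (4-byte big-endian header: top bit = last fragment, low 31 bits = length)
 * into `out`. Returns bytes written, or -1 if malformed or too large. */
long rpc_defragment(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t pos = 0, written = 0;

    for (;;) {
        if (in_len - pos < 4)                /* no room for a fragment header */
            return -1;
        uint32_t hdr = ((uint32_t)in[pos] << 24) | ((uint32_t)in[pos + 1] << 16) |
                       ((uint32_t)in[pos + 2] << 8) | (uint32_t)in[pos + 3];
        int last = (hdr & 0x80000000u) != 0;
        size_t frag_len = hdr & 0x7fffffffu;
        pos += 4;

        /* The claimed length is untrusted: compare it with what is left in
         * the input and with what is left in the output. The subtractions
         * cannot wrap because pos <= in_len and written <= out_cap. */
        if (frag_len > in_len - pos)
            return -1;
        if (frag_len > out_cap - written)
            return -1;

        memcpy(out + written, in + pos, frag_len);
        pos += frag_len;
        written += frag_len;
        if (last)
            return (long)written;
    }
}

/* Constructed sample: fragments "abc" and "def", the second marked last. */
static const uint8_t SAMPLE_OK[] = {0, 0, 0, 3, 'a', 'b', 'c', 0x80, 0, 0, 3, 'd', 'e', 'f'};
/* Constructed sample: header claims 0x400 bytes, only 3 follow. */
static const uint8_t SAMPLE_BAD[] = {0x80, 0x00, 0x04, 0x00, 'a', 'b', 'c'};

int main(void) {
    uint8_t out[8];
    printf("%ld\n", rpc_defragment(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out));
    printf("%ld\n", rpc_defragment(SAMPLE_BAD, sizeof SAMPLE_BAD, out, sizeof out));
    return 0;
}
```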
Upgrade to Snort version 1.9.1
Disable the rpc_decode preprocessor
Block outbound packets from Snort IDS systems
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Conectiva | Affected | 16 Apr 2003 | 17 Apr 2003 |
| Debian | Affected | 16 Apr 2003 | 19 May 2003 |
| Gentoo Linux | Affected | 06 Mar 2003 | 19 May 2003 |
| Guardian Digital Inc. | Affected | 16 Apr 2003 | 17 Apr 2003 |
| MandrakeSoft | Affected | 16 Apr 2003 | 17 Apr 2003 |
| SmoothWall | Affected | 07 Mar 2003 | 21 Apr 2003 |
| Snort | Affected | 28 Feb 2003 | 17 Apr 2003 |
| Apple Computer Inc. | Not Affected | 16 Apr 2003 | 17 Apr 2003 |
| Fujitsu | Not Affected | 16 Apr 2003 | 19 May 2003 |
| Ingrian Networks | Not Affected | 16 Apr 2003 | 17 Apr 2003 |
| NetBSD | Not Affected | 16 Apr 2003 | 17 Apr 2003 |
| Red Hat Inc. | Not Affected | 16 Apr 2003 | 17 Apr 2003 |
| SGI | Not Affected | 16 Apr 2003 | 17 Apr 2003 |
| BSDI | Unknown | 16 Apr 2003 | 17 Apr 2003 |
| Cray Inc. | Unknown | 16 Apr 2003 | 17 Apr 2003 |
Thanks to ISS X-Force for discovering this vulnerability, and to Martin Roesch for his assistance in developing this document.
This document was written by Cory F. Cohen.
- CVE IDs: CAN-2003-0033
- CERT Advisory: CA-2003-13
- Date Public: 03 Mar 2003
- Date First Published: 03 Mar 2003
- Date Last Updated: 19 May 2003
- Severity Metric: 6.41
- Document Revision: 21