There is a buffer overflow vulnerability in the RPC preprocessing feature of Snort versions 1.8 through 1.9.0 and 2.0 beta.
Martin Roesch, the primary Snort developer, described the vulnerability by saying:
"When the RPC decoder normalizes fragmented RPC records, it incorrectly checks the lengths of what is being normalized against the current packet size, leading to an overflow condition. The RPC preprocessor is enabled by default."
A remote attacker can execute arbitrary code as the user running the Snort process, usually root. The attacker does not need to send packets directly to the Snort sensor. It is sufficient to send packets to any of the hosts on the network monitored by Snort.
Upgrade to Snort version 1.9.1
Disable the rpc_decode preprocessor
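The two remediation options above can be checked on a sensor with a short audit script. This is an added example, not code from the Snort project or from this advisory. It assumes the usual snort.conf directive form "preprocessor rpc_decode: <ports>" and that beta builds carry "beta" in their version string; the sample configuration is constructed.

```python
import re

# Matches an enabled (uncommented) rpc_decode directive in snort.conf,
# e.g. "preprocessor rpc_decode: 111 32771" (directive form is an assumption).
RPC_DECODE = re.compile(r"^\s*preprocessor\s+rpc_decode\b")


def is_affected(version):
    """True for the versions the advisory lists: 1.8 through 1.9.0, 2.0 beta.

    Assumption: beta builds carry "beta" somewhere in the version string.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognized version string: %r" % version)
    major, minor, patch = (int(g or 0) for g in m.groups())
    if (major, minor) == (2, 0) and "beta" in version.lower():
        return True
    return (1, 8, 0) <= (major, minor, patch) <= (1, 9, 0)


def active_rpc_decode(conf_text):
    """Return (line_number, line) for every enabled rpc_decode directive."""
    return [(n, line) for n, line in enumerate(conf_text.splitlines(), 1)
            if RPC_DECODE.match(line)]


def disable_rpc_decode(conf_text):
    """Comment out enabled rpc_decode directives; leave other lines intact."""
    return "".join("# " + line if RPC_DECODE.match(line) else line
                   for line in conf_text.splitlines(keepends=True))


# Constructed sample configuration, not taken from a real sensor.
SAMPLE_CONF = """\
var HOME_NET any
preprocessor frag2
# preprocessor rpc_decode: 111
  preprocessor rpc_decode: 111 32771
preprocessor stream4: detect_scans
"""

if __name__ == "__main__":
    for ver in ("1.8.7", "1.9.0", "1.9.1", "2.0.0beta"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    print("enabled rpc_decode lines:", active_rpc_decode(SAMPLE_CONF))
    print(disable_rpc_decode(SAMPLE_CONF), end="")
```

Snort must be restarted after the configuration change for the preprocessor to be unloaded.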
Gentoo Linux Affected
Guardian Digital Inc. Affected
Apple Computer Inc. Not Affected
Fujitsu Not Affected
Ingrian Networks Not Affected
NetBSD Not Affected
Red Hat Inc. Not Affected
SGI Not Affected
Cray Inc. Unknown
Data General Unknown
Hewlett-Packard Company Unknown
MontaVista Software Unknown
NEC Corporation Unknown
Openwall GNU/*/Linux Unknown
Sony Corporation Unknown
SuSE Inc. Unknown
Sun Microsystems Inc. Unknown
The SCO Group (SCO Linux) Unknown
The SCO Group (SCO UnixWare) Unknown
Wind River Systems Inc. Unknown
Thanks to ISS X-Force for discovering this vulnerability, and to Martin Roesch for his assistance in developing this document.
This document was written by Cory F. Cohen.