Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog



Back to Green on the Snort BO Buffer Overflow

Published: 2005-10-20
Last Updated: 2005-10-20 12:47:35 UTC
by Ed Skoudis (Version: 1)
We've decided to go back to green on the Snort Back Orifice preprocessor buffer overflow vulnerability. The reason for ratcheting down to green is primarily this: if you haven't shut off the Back Orifice preprocessor by now or come up with another workaround, you probably aren't going to in the near future. This is still a hugely important issue, but our Infocon status is designed to reflect changes in the threat level. So, we're back at green, but reserve the right to go to Yellow or higher if a worm starts to spread using this vulnerability. From our internal deliberations, such a worm would be highly problematic.

BTW, as Kyle Haugsness pointed out last night in this article, HD Moore has recently released some piece-parts of a sploit for this flaw in Metasploit. We're very close to full exploitation, so shut off that darn preprocessor ASAP. Also, check with your vendors if you suspect your commercial product may have Snort code in it. Several IDS and IPS tools do, so watch out!
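One way to confirm the preprocessor really is off on a sensor, and to comment it out if it is not. This is an added example, not part of the original diary or of Snort's own tooling. It assumes Snort 2.x configuration syntax, where the directive is `preprocessor bo`; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a snort.conf for an active Back Orifice preprocessor.
# BO_RE matches an uncommented "preprocessor bo" directive, with or without a
# trailing ": options" part, and rejects names that merely start with "bo".
BO_RE='^[[:space:]]*preprocessor[[:space:]]+bo[[:space:]]*(:.*)?$'

# Print "lineno:text" for every active directive in config file $1.
bo_active_lines() {
    grep -nE "$BO_RE" "$1" || true
}

# Print the number of active directives in config file $1.
bo_active_count() {
    grep -cE "$BO_RE" "$1" || true
}

# Comment out every active directive in $1, keeping the original as $1.bak.
bo_disable() {
    cp -p "$1" "$1.bak" &&
    sed -E "s/$BO_RE/# &/" "$1.bak" > "$1"
}

# Write a constructed sample config (not from a real sensor) to $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed snort.conf fragment for the example
preprocessor rpc_decode: 111 32771
preprocessor bo
  preprocessor bo  
# preprocessor bo
preprocessor telnet_decode
EOF
}

# Demo run against the constructed sample.
conf=$(mktemp) && make_sample_conf "$conf"
echo "before: $(bo_active_count "$conf") active directive(s)"
bo_active_lines "$conf"
bo_disable "$conf"
echo "after:  $(bo_active_count "$conf") active directive(s)"
rm -f "$conf" "$conf.bak"
```

Snort reads its configuration at startup, so the sensor has to be restarted after the file is changed for the preprocessor to actually stop running.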