
SANS ISC: Snort Vulnerabilities SANS ISC InfoSec Forums

Snort Vulnerabilities
Two vulnerabilities have been reported recently. The first is a rule-matching backtracking denial-of-service vulnerability. An attacker may cause a denial of service, which could allow the remote user to evade detection. This issue is fixed in v2.6.1.

http://www.snort.org/pub-bin/snortnews.cgi#591
http://www.cs.wisc.edu/~smithr/pubs/acsac2006.pdf

The other one, affecting Snort 2.6.1.2, is due to an integer underflow that may allow a remote attacker to cause Snort to read beyond a specified length of memory, potentially corrupting logfiles.

The system is only affected if you have compiled Snort to decode the Generic Routing Encapsulation (GRE) protocol. GRE is used to encapsulate arbitrary protocols to a remote host. The vulnerable code is not compiled by default.

Update: The "gre" decoder is usually not enabled by default. In order to enable it, you need to use the "--enable-gre" switch during "configure" to turn on the vulnerable decoder. See the snort-users list for more details.

Sourcefire has released a fix for this vulnerability in Snort's current CVS tree.

http://labs.calyptix.com/advisories/CX-2007-01.txt
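The integer-underflow bug class described above, shown as an added example that is not part of the original post and is not Snort's code. It assumes a simplified GRE header layout (RFC 1701 flag bits, routing entries not parsed); the function names and the sample packet are constructed for illustration. It contrasts an unchecked unsigned length subtraction with the bounds-checked form a decoder should use.

```c
#include <stdint.h>
#include <stdio.h>

#define GRE_BASE_LEN 4u       /* flags/version (2 bytes) + protocol type (2 bytes) */
#define GRE_F_CSUM   0x8000u  /* checksum present */
#define GRE_F_ROUTE  0x4000u  /* routing present (also implies checksum/offset words) */
#define GRE_F_KEY    0x2000u  /* key present */
#define GRE_F_SEQ    0x1000u  /* sequence number present */

/* Header length implied by the flag bits alone (simplified: no routing entries). */
static uint32_t gre_hdr_len(const uint8_t *pkt)
{
    uint16_t flags = (uint16_t)((pkt[0] << 8) | pkt[1]);
    uint32_t len = GRE_BASE_LEN;
    if (flags & (GRE_F_CSUM | GRE_F_ROUTE)) len += 4;
    if (flags & GRE_F_KEY) len += 4;
    if (flags & GRE_F_SEQ) len += 4;
    return len;
}

/* Unsafe pattern: the unsigned subtraction wraps when the flags claim more
 * header than was captured, yielding a huge "remaining length". */
uint32_t payload_len_unchecked(const uint8_t *pkt, uint32_t caplen)
{
    return caplen - gre_hdr_len(pkt);
}

/* Checked form: returns 0 and sets *out, or -1 if the packet is truncated. */
int payload_len_checked(const uint8_t *pkt, uint32_t caplen, uint32_t *out)
{
    if (pkt == NULL || out == NULL || caplen < GRE_BASE_LEN) return -1;
    uint32_t hdr = gre_hdr_len(pkt);
    if (hdr > caplen) return -1;   /* header would run past the captured bytes */
    *out = caplen - hdr;
    return 0;
}

int main(void)
{
    /* Constructed sample: flags claim a 16-byte header, only 6 bytes captured. */
    const uint8_t trunc[6] = {0xB0, 0x00, 0x08, 0x00, 0x00, 0x00};
    uint32_t n = 0;
    printf("unchecked: %lu\n", (unsigned long)payload_len_unchecked(trunc, 6));
    printf("checked:   %d\n", payload_len_checked(trunc, 6, &n));
    return 0;
}
```

Any later read that trusts the unchecked value walks past the captured bytes, which matches the over-read behaviour the advisory describes.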
Koon Yaw
