Sourcefire Responds Quickly to Snort Flaw
Sourcefire Inc. has advanced its popular open-source Snort IDS tool to the next version to fix security flaws vulnerable to attackers' exploits that could result in a DoS or install malicious code. Snort is a widely used detection system for open-source intrusion. It has a hole that attackers can use to execute malicious code on vulnerable computers, reported several security organizations on February 19, 2007.
According to a Sourcefire advisory, the flaw lies in the Snort DCE/RPC preprocessor. This preprocessor is open to a buffer overflow reliant on a stack that could enable attackers to run code enjoying the same privileges as the Snort binary, the vendor said.
Secunia, the vulnerability-tracking firm has ranked the threat as "highly critical", the second highest serious rating in its 1-5 scoring arrangement.
Neel Mehta, team leader of the X-Force Advanced Research Group at IBM Internet Security Systems discovered the flaw, CVE-2006-5276 in the list of Common Vulnerabilities and Exposures. Speaking to SCMagazine Mehta said Snort had a greater tendency for vulnerabilities because of the frequent updates Sourcefire undertakes for the program. He also appreciated the company to respond quickly to the threat.
Several editions of Snort, which form the security appliance line of Sourcefire, are susceptible to risk, according to advisories of US-CERT and the SANS Institute's Internet Storm Center.
Sourcefire's advisory said that the flaw makes impact on Snort versions 2.6.1, 18.104.22.168 and 22.214.171.124, Snort 2.7.0 beta1 and commercial products of the company. It recommends users of Snort 2.6.1x to upgrade to version 126.96.36.199 without losing time; and if the upgrading isn't possible then they should disable the DCE/RPC preprocessor. The disabling instructions are available on the company website.
The French Security Incident Response Team (FrSIRT) said the flaw was a critical buffer overflow inclusive to the DCE/RPC preprocessor emerging as a result of certain functions processing malicious data. Attackers could exploit it and compromise a weak system by running specially crafted program packages to a network that a vulnerable application monitors.
In January 2007, researchers uncovered a hole in Snort version 2.4.3 that could enable a DoS attack. The hole was plugged in version 2.6.1, said Secunia.
Related article: Srizbi Botnet - Deliverer of the Largest Spam
» SPAMfighter News - 03-03-2007