Snort mailing list archives
Re: Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability
From: Sam Evans <wintrmte () gmail com>
Date: Tue, 18 Oct 2005 18:31:23 -0600
Thanks, like I said, I think the problem was on my end (and it was).

On 10/18/05, Ron Jenkins <rjenkins () dibr net> wrote:

I see it too.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jennifer Steffens
Sent: Tuesday, October 18, 2005 5:31 PM
To: Sam Evans
Cc: snort-users @ lists. sourceforge. net
Subject: Re: [Snort-users] Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability

Sam,

Can you try refreshing the page? The 2.4.3 version is there for me. The actual link is http://www.snort.org/dl/current/snort-2.4.3.tar.gz.

Thanks,
Jennifer

Sam Evans wrote:

Jennifer,

I might be missing something, but when I click the http://www.snort.org/dl/ link all I see is the 2.4.2 version, not the 2.4.3.

Thanks,
Sam

On 10/18/05, *Jennifer Steffens* <jennifer.steffens () sourcefire com> wrote:

Subject: Fix and Mitigation Available for Snort Vulnerability

The Sourcefire Vulnerability Research Team (VRT) has learned of a vulnerability in Snort v2.4.0 and higher. Users are only vulnerable if the Back Orifice preprocessor is enabled. Snort v2.4.3 has been released to correct the issue and detailed instructions for mitigating the issue by disabling the Back Orifice preprocessor are below.

Snort v2.4.3

In addition to fixing the vulnerability, this version includes a mechanism to detect exploits against vulnerable sensors and, optionally for inline sensors, drop the offending traffic. These features enable a phased approach to upgrading while protecting unpatched sensors. Detection capabilities are part of the new preprocessor and therefore are available to all users regardless of subscription status.

In addition to the source tarball, postgres, mysql and plain RPMs and a win32 installer are available at http://www.snort.org/dl. Please remember that updated rules are only included in major releases. For updated rules, visit http://www.snort.org/rules/.

Mitigation Instructions:

The Back Orifice preprocessor can be disabled by commenting out the line "preprocessor bo" in snort.conf. This can be done in any text editor using the following procedure:

1. Locate the line "preprocessor bo"
2. Comment out this line by preceding it with a hash (#). The new line will look like "#preprocessor bo"
3. Save the file
4. Restart snort

Background:

On Thursday, October 13th Sourcefire was contacted by USCERT with news of a vulnerability in Snort. We used the subsequent days to verify the vulnerability and to prepare mitigation strategies and the software updates necessary to fix the vulnerability for both Sourcefire customers and Snort users. While it cannot be said that no other problems will ever be found in the Snort code base, we can state that we will redouble our efforts to ensure the security of the system so many people have come to rely on for the detection of network-based threats. Sourcefire will also continue to work with the most sophisticated testing facilities in the industry to assure that every reasonable step is being taken to provide the most secure code base possible.

Technical Details:

The Back Orifice preprocessor contains a stack-based buffer overflow. This vulnerability could be leveraged by an attacker to execute code remotely on a Snort sensor where the Back Orifice preprocessor is enabled. However, there are a number of factors that make remote code execution difficult to achieve across different builds of Snort on different platforms, even on the same platform with different compiler versions, and it is more likely that an attacker could use the vulnerability as a denial of service attack.

If you have any questions, please let us know at snort-team () sourcefire com

Thanks,
Jennifer

--
Jennifer S. Steffens
Director, Snort Product Management | Sourcefire, Inc.
W: 410.423.1930 | C: 202.409.7707
www.sourcefire.com <http://www.sourcefire.com> | www.snort.org <http://www.snort.org>

-------------------------------------------------------
This SF.Net email is sponsored by: Power Architecture Resource Center: Free content, downloads, discussions, and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
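
The mitigation procedure quoted in this thread (comment out "preprocessor bo", save, restart), as an added shell example that is not part of the original e-mails or Sourcefire's tooling. The function names and the sample config, including the `preprocessor bogus_example` line used to show the match is exact, are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the "comment out preprocessor bo" mitigation to a config file.
# Function names and the sample config below are constructed for illustration.

# bo_enabled FILE: succeeds if FILE still has an active "preprocessor bo" line.
bo_enabled() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+bo([[:space:]:]|$)' "$1"
}

# disable_bo FILE: prefix each active "preprocessor bo" line with '#', keeping
# FILE.bak, then confirm no active line remains. Safe to run more than once.
disable_bo() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    bo_enabled "$conf" || { echo "$conf: preprocessor bo already disabled"; return 0; }
    cp -p "$conf" "$conf.bak" || return 1
    sed -E 's/^([[:space:]]*)(preprocessor[[:space:]]+bo([[:space:]:]|$))/\1#\2/' \
        "$conf.bak" > "$conf" || return 1
    ! bo_enabled "$conf"
}

# write_sample FILE: constructed sample input, not a real snort.conf.
write_sample() {
    cat > "$1" <<'EOF'
preprocessor frag3_global
  preprocessor bo
# preprocessor bo
preprocessor bogus_example
EOF
}

# Demonstration on a temporary copy; on a sensor, pass the real snort.conf path
# and restart Snort afterwards (step 4) using the host's own service mechanism.
tmp=$(mktemp) && write_sample "$tmp" && disable_bo "$tmp" && cat "$tmp"
rm -f "$tmp" "$tmp.bak"
```
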
Current thread:
- Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability Jennifer Steffens (Oct 18)
- Re: Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability Sam Evans (Oct 18)
- Re: Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability Jennifer Steffens (Oct 18)
- <Possible follow-ups>
- RE: Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability Ron Jenkins (Oct 18)
- Re: Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability Sam Evans (Oct 18)
- Re: Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability Sam Evans (Oct 18)