Re: Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability

[Sam Evans <wintrmte () gmail com>]

Thanks, like I said, I think the problem was on my end (and it was).



On 10/18/05, Ron Jenkins <rjenkins () dibr net> wrote:
> I see it too.
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jennifer
> Steffens
> Sent: Tuesday, October 18, 2005 5:31 PM
> To: Sam Evans
> Cc: snort-users @ lists. sourceforge. net
> Subject: Re: [Snort-users] Fixes and Mitigation Instructions Available
> for Snort Back Orifice Vulnerability
>
> Sam,
>
> Can you try refreshing the page? The 2.4.3 version is there for me. The
> actual link is http://www.snort.org/dl/current/snort-2.4.3.tar.gz.
>
> Thanks,
> Jennifer
>
> Sam Evans wrote:
> > Jennifer,
> >
> > I might be missing something, but when I click the
> > http://www.snort.org/dl/ link all I see is the 2.4.2 version, not the
> 2.4.3.
> > Thanks,
> > Sam
> >
> >
> >
> > On 10/18/05, *Jennifer Steffens* <jennifer.steffens () sourcefire com
> > <mailto:jennifer.steffens () sourcefire com>> wrote:
> >
> > Subject: Fix and Mitigation Available for Snort Vulnerability
> >
> > The Sourcefire Vulnerability Research Team (VRT) has learned of a
> > vulnerability in Snort v2.4.0 and higher. Users are only
> vulnerable if
> > the Back Orifice preprocessor is enabled. Snort v2.4.3 has been
> released
> > to correct the issue and detailed instructions for mitigating the
> issue
> > by disabling the Back Orifice preprocessor are below.
> >
> >
> > Snort v2.4.3
> >
> > In addition to fixing the vulnerability, this version includes a
> > mechanism to detect exploits against vulnerable sensors and,
> optionally
> > for inline sensors, drop the offending traffic. These features
> enable a
> > phased approach to upgrading while protecting unpatched sensors.
> > Detection capabilities are part of the new preprocessor and
> therefore
> > are available to all users regardless of subscription status.
> >
> > In addition to the source tarball, postgres, mysql and plain RPMs
> and a
> > win32 installer are available at http://www.snort.org/dl. Please
> > remember that updated rules are only included in major releases.
> For
> > updated rules, visit http://www.snort.org/rules/.
> >
> >
> > Mitigation Instructions:
> >
> > The Back Orifice preprocessor can be disabled by commenting out
> the line
> > "preprocessor bo" in snort.conf. This can be done in any text
> editor
> > using the following procedure:
> >
> > 1. Locate the line "preprocessor bo"
> > 2. Comment out this line by preceding it with a hash (#). The new
> line
> > will look like "#preprocessor bo"
> > 3. Save the file
> > 4. Restart snort
> >
> >
> > Background:
> >
> > On Thursday, October 13th Sourcefire was contacted by USCERT with
> news
> > of a vulnerability in Snort. We used the subsequent days to verify
> the
> > vulnerability and to prepare mitigation strategies and the
> software
> > updates necessary to fix the vulnerability for both Sourcefire
> customers
> > and Snort users. While it cannot be said that no other problems
> will
> > ever be found in the Snort code base, we can state that we will
> > redouble
> > our efforts to ensure the security of the system so many people
> have
> > come to rely on for the detection of network-based threats.
> Sourcefire
> > will also continue to work with the most sophisticated testing
> > facilities in the industry to assure that every reasonable step is
> > being
> > taken to provide the most secure code base possible.
> >
> >
> > Technical Details:
> > The Back Orifice preprocessor contains a stack-based buffer
> overflow.
> > This vulnerability could be leveraged by an attacker to execute
> code
> > remotely on a Snort sensor where the Back Orifice preprocessor is
> > enabled. However, there are a number of factors that make remote
> code
> > execution difficult to achieve across different builds of Snort on
> > different platforms, even on the same platform with different
> compiler
> > versions, and it is more likely that an attacker could use the
> > vulnerability as a denial of service attack.
> >
> >
> > If you have any questions, please let us know at
> > snort-team () sourcefire com <mailto:snort-team () sourcefire com>
> >
> > Thanks,
> > Jennifer
> >
> >
> > --
> > Jennifer S. Steffens
> > Director, Snort Product Management | Sourcefire, Inc.
> > W: 410.423.1930 | C: 202.409.7707
> > www.sourcefire.com <http://www.sourcefire.com> <
> http://www.sourcefire.com> | www.snort.org <http://www.snort.org>
> > <http://www.snort.org>
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by:
> > Power Architecture Resource Center: Free content, downloads,
> > discussions,
> > and more. http://solutions.newsforge.com/ibmarch.tmpl
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > <mailto:Snort-users () lists sourceforge net>
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > <https://lists.sourceforge.net/lists/listinfo/snort-users>
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads,
> discussions,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users