FW: ISS Alert: Remote Denial of Service Vulnerability in Snort ID S

[Ryan Hill <rhill () xypoint com>]

Marty, et. al. - Have anyone else seen this and/or confirmed its validity?

Regards,

Ryan Hill, MCSE 
IT Ninja
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB


> -----Original Message-----
> From: Matt Fearnow [mailto:matt () incidents org] 
> Sent: Monday, January 28, 2002 1:23 PM
> To: intrusions () incidents org
> Subject: [Fwd: ISSalert: ISS Alert: Remote Denial of Service 
> Vulnerability in Snort IDS]
>
>
> I thought this was worthy to forward on to the list.
>
> -----Forwarded Message-----
>
> From: X-Force <xforce () iss net>
> To: alert () iss net
> Subject: ISSalert: ISS Alert: Remote Denial of Service 
> Vulnerability in Snort IDS
> Date: 28 Jan 2002 16:10:27 -0500
>
>
> TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your 
> message to majordomo () iss net  Contact alert-owner () iss net for 
> help with any problems!
> --------------------------------------------------------------
> -------------
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Internet Security Systems Security Alert
> January 28, 2002
>
> Remote Denial of Service Vulnerability in Snort IDS
>
> Synopsis:
>
> Internet Security Systems (ISS) X-Force is aware of a remote 
> Denial of service (DoS) vulnerability present in Marty 
> Roesch's Snort Intrusion Detection System (IDS). It may be 
> possible for remote attackers to send specially crafted ICMP 
> packets to the program, resulting in a segmentation fault 
> that would crash the Snort engine. This attack can be 
> launched from any routable address, and if launched 
> successfully against a Snort-protected network, all IDS 
> functionality may be disabled until Snort is manually restarted.
>
> Affected Versions:
>
> Marty Roesch Snort Version 1.8.3 and earlier for all 
> supported platforms
>
> Description:
>
> Snort is an open-source Intrusion Detection System designed 
> to be simple and lightweight.  Snort has packet logging, 
> protocol analysis, attack signature matching and recognition 
> capabilities and is maintained by Marty Roesch of Snort.org.
>
> An exploit has been published that demonstrates a flaw in the 
> ICMP protocol handling functionality. Snort incorrectly 
> handles ICMP "Echo" and ICMP "Echo-Reply" packets that 
> contain less than 5 bytes of ICMP data. If Snort encounters 
> such a packet, it will crash and exit. Packets that are used 
> to exploit this vulnerability can be sent with the "ping" 
> command that is present on most operating systems.
>
> This exploit technique has been publicly documented, and 
> attackers do not need to have access to the target network or 
> possess knowledge of its configuration.
>
> Recommendations:
>
> ISS X-Force recommends that all Snort users install the 
> vendor-supplied patch immediately or upgrade to the latest 
> version of Snort.
>
> To apply a source code patch to your Snort package:
>
> 1. Locate the "decode.h" file in your source distribution.
> 2. Enter the directory containing decode.h.
> 3. To update your decode.h file, create a file named "decode.diff",
>    containing the following text:
> - --- olddecode.h Thu Jan 10 15:47:48 2002
> +++ decode.h    Thu Jan 10 12:15:33 2002
> @@ -105,7 +105,7 @@
>  #define IP_HEADER_LEN           20
>  #define TCP_HEADER_LEN          20
>  #define UDP_HEADER_LEN          8
> - -#define ICMP_HEADER_LEN         8
> +#define ICMP_HEADER_LEN         4
>
>  #define TH_FIN  0x01
>  #define TH_SYN  0x02
> 4. Apply the source code update using the "patch" command, or 
> a similar
>    utility.
> 5. Build new binaries and reinstall.
>
>
> To upgrade to the latest version of Snort:
>
> Use a CVS client to access the Snort CVS server at 
> "cvs.snort.sourceforge.net" with the following command:
>
> cvs 
> -d:pserver:anonymous () cvs snort sourceforge net:/cvsroot/snort login
>
> Use a blank password when prompted.
>
> cvs -z3 
> -d:pserver:anonymous () cvs snort sourceforge net:/cvsroot/snort co snort
>
> Snort''s default configuration does not have the ability to 
> restat when it crashes. ISS X-Force advises all Snort users 
> to develop this functionality using freely available watchdog 
> process monitors, cronjobs, or shell scripts.
>
> For more information about applying source code patches or 
> upgrading Snort, please refer to the "SNORT FAQ" document 
> available at: http://www.snort.org.
>
> Additional Information:
>
> ISS X-Force Database,
> http://xforce.iss.net/static/7874.php
>
> Marty Roesch Snort,
> http://www.snort.org
>
> Credits:
>
> This vulnerability was discovered by Sinbad 
> <securitymail () 263 net>, and reported to the BugTraq mailing list.
>
> ______
>
>
> About Internet Security Systems (ISS)
> Internet Security Systems is a leading global provider of 
> security management solutions for the Internet, protecting 
> digital assets and ensuring safe and uninterrupted 
> e-business.  With its industry-leading intrusion detection 
> and vulnerability assessment, remote managed security 
> services, and strategic consulting and education offerings, 
> ISS is a trusted security provider to more than 9,000 
> customers worldwide including 21 of the 25 largest U.S. 
> commercial banks, the top 10 U.S. telecommunications 
> companies, and all major branches of the U.S. Federal 
> Government.  Founded in 1994, ISS is headquartered in 
> Atlanta, GA, with additional offices throughout North America 
> and international operations in Asia, Australia, Europe, 
> Latin America and the Middle East.  For more information, 
> visit the Internet Security Systems web site at www.iss.net 
> or call 888-901-7477.
>
> Copyright (c) 2002 Internet Security Systems, Inc. All rights 
> reserved worldwide.
>
> Permission is hereby granted for the redistribution of this 
> Alert electronically. It is not to be edited in any way 
> without express consent of the X-Force. If you wish to 
> reprint the whole or any part of this Alert in any other 
> medium excluding electronic medium, please e-mail 
> xforce () iss net for permission.
>
> Disclaimer
>
> The information within this paper may change without notice. 
> Use of this information constitutes acceptance for use in an 
> AS IS condition. There are NO warranties with regard to this 
> information. In no event shall the author be liable for any 
> damages whatsoever arising out of or in connection with the 
> use or spread of this information. Any use of this 
> information is at the user's own risk.
>
> X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
> as well as on MIT's PGP key server and PGP.com's key server.
>
> Please send suggestions, updates, and comments to: X-Force 
> xforce () iss net of Internet Security Systems, Inc.
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3a
> Charset: noconv
>
> iQCVAwUBPFW8CTRfJiV99eG9AQGJYQP/WED3cUn9UvD9s+p/+gsLb2JK/m8W6vtm
> Oo0lzOgxi2OoMxBks297jBsYxpY4e9G4QlLrPNcKIq/WTB+ccOhjVvcxk3mgX8SR
> GIAwn/S1417I+aUV7xixhA5fKXR3uA1Ne4T7pa8/WJWsqFigKh4QTTwesrMrlTmJ
> A2yMcndSamg=
> =b2Gw
> -----END PGP SIGNATURE-----

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users