Snort mailing list archives

Re: Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability


From: Jennifer Steffens <jennifer.steffens () sourcefire com>
Date: Tue, 18 Oct 2005 18:31:19 -0400

Sam,

Can you try refreshing the page? The 2.4.3 version is there for me. The actual link is http://www.snort.org/dl/current/snort-2.4.3.tar.gz.

Thanks,
Jennifer

Sam Evans wrote:
Jennifer,

I might be missing something, but when I click the http://www.snort.org/dl/ link all I see is the 2.4.2 version, not the 2.4.3.

Thanks,
Sam


On 10/18/05, *Jennifer Steffens* <jennifer.steffens () sourcefire com> wrote:

    Subject: Fix and Mitigation Available for Snort Vulnerability

    The Sourcefire Vulnerability Research Team (VRT) has learned of a
    vulnerability in Snort v2.4.0 and higher. Users are only vulnerable if
    the Back Orifice preprocessor is enabled. Snort v2.4.3 has been released
    to correct the issue and detailed instructions for mitigating the issue
    by disabling the Back Orifice preprocessor are below.


    Snort v2.4.3

    In addition to fixing the vulnerability, this version includes a
    mechanism to detect exploits against vulnerable sensors and, optionally
    for inline sensors, drop the offending traffic. These features enable a
    phased approach to upgrading while protecting unpatched sensors.
    Detection capabilities are part of the new preprocessor and therefore
    are available to all users regardless of subscription status.

    In addition to the source tarball, postgres, mysql and plain RPMs and a
    win32 installer are available at http://www.snort.org/dl. Please
    remember that updated rules are only included in major releases. For
    updated rules, visit http://www.snort.org/rules/.


    Mitigation Instructions:

    The Back Orifice preprocessor can be disabled by commenting out the line
    "preprocessor bo" in snort.conf. This can be done in any text editor
    using the following procedure:

    1. Locate the line "preprocessor bo"
    2. Comment out this line by preceding it with a hash (#). The new line
    will look like "#preprocessor bo"
    3. Save the file
    4. Restart snort


    Background:

    On Thursday, October 13th Sourcefire was contacted by USCERT with news
    of a vulnerability in Snort. We used the subsequent days to verify the
    vulnerability and to prepare mitigation strategies and the software
    updates necessary to fix the vulnerability for both Sourcefire customers
    and Snort users. While it cannot be said that no other problems will
    ever be found in the Snort code base, we can state that we will redouble
    our efforts to ensure the security of the system so many people have
    come to rely on for the detection of network-based threats. Sourcefire
    will also continue to work with the most sophisticated testing
    facilities in the industry to assure that every reasonable step is being
    taken to provide the most secure code base possible.


    Technical Details:
    The Back Orifice preprocessor contains a stack-based buffer overflow.
    This vulnerability could be leveraged by an attacker to execute code
    remotely on a Snort sensor where the Back Orifice preprocessor is
    enabled.  However, there are a number of factors that make remote code
    execution difficult to achieve across different builds of Snort on
    different platforms, even on the same platform with different compiler
    versions, and it is more likely that an attacker could use the
    vulnerability as a denial of service attack.


    If you have any questions, please let us know at
    snort-team () sourcefire com

    Thanks,
    Jennifer


    --
    Jennifer S. Steffens
    Director, Snort Product Management | Sourcefire, Inc.
    W: 410.423.1930 | C: 202.409.7707
    www.sourcefire.com | www.snort.org


    -------------------------------------------------------
    This SF.Net email is sponsored by:
    Power Architecture Resource Center: Free content, downloads,
    discussions,
    and more. http://solutions.newsforge.com/ibmarch.tmpl
    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    <mailto:Snort-users () lists sourceforge net>
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    <https://lists.sourceforge.net/lists/listinfo/snort-users>
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users

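The four-step mitigation from the advisory, as an added shell example (not part of the advisory or of the Snort project): it comments out any active "preprocessor bo" directive in a snort.conf, keeps a backup, and checks that no active directive remains. The sample configuration fragment and the temporary file path are constructed for demonstration; restarting Snort (step 4) is still done separately.

```shell
#!/bin/sh
# Added example: disable the Back Orifice preprocessor in snort.conf.

# Returns 0 when an uncommented "preprocessor bo" directive is present
# (either bare or followed by a ':' options list), 1 otherwise.
bo_enabled() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+bo([[:space:]]*$|[[:space:]]*:)' "$1"
}

# Prefixes every active "preprocessor bo" line with '#', keeping a .bak copy
# of the original so the change can be reviewed or reverted after upgrading.
disable_bo() {
    conf="$1"
    cp "$conf" "$conf.bak"
    sed -E 's/^([[:space:]]*)(preprocessor[[:space:]]+bo([[:space:]]*$|[[:space:]]*:))/\1#\2/' \
        "$conf.bak" > "$conf"
}

# Constructed snort.conf fragment (hypothetical path via mktemp) for the demo.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
preprocessor frag3_global
preprocessor frag3_engine
preprocessor stream4: disable_evasion_alerts
# preprocessor bo  <- already commented out, must stay untouched
preprocessor bo
preprocessor arpspoof
EOF

if bo_enabled "$SAMPLE_CONF"; then
    disable_bo "$SAMPLE_CONF"
fi

if bo_enabled "$SAMPLE_CONF"; then
    echo "Back Orifice preprocessor is still enabled in $SAMPLE_CONF"
else
    echo "Back Orifice preprocessor disabled in $SAMPLE_CONF (backup: $SAMPLE_CONF.bak)"
fi
```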




