From: Christopher Nehren <apeiron@comcast.net>
To: security@freebsd.org
Date: Thu, 17 Apr 2003 16:51:15 -0400
Subject: [Fwd: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors]
Message-id: <1050612674.1534.22.camel@prophecy.dyndns.org>

I figured that someone reading this list might want to take a look at the following, considering that the version of Snort in FreeBSD ports -is- affected.
-----Forwarded Message-----

> From: CERT Advisory
> To: cert-advisory@cert.org
> Subject: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
> Date: 17 Apr 2003 11:30:47 -0400
>
> CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
>
> Original release date: April 17, 2003
> Last revised: --
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> * Snort IDS, versions 1.8 through 2.0 RC1
>
> Overview
>
> There are two vulnerabilities in the Snort Intrusion Detection System,
> each in a separate preprocessor module. Both vulnerabilities allow
> remote attackers to execute arbitrary code with the privileges of the
> user running Snort, typically root.
>
> I. Description
>
> The Snort intrusion detection system ships with a variety of
> preprocessor modules that allow the user to selectively include
> additional functionality. Researchers from two independent
> organizations have discovered vulnerabilities in two of these modules,
> the RPC preprocessor and the "stream4" TCP fragment reassembly
> preprocessor.
>
> For additional information regarding Snort, please see
>
>     http://www.snort.org/.
>
> VU#139129 - Heap overflow in Snort "stream4" preprocessor (CAN-2003-0029)
>
> Researchers at CORE Security Technologies have discovered a remotely
> exploitable heap overflow in the Snort "stream4" preprocessor module.
> This module allows Snort to reassemble TCP packet fragments for
> further analysis.
>
> To exploit this vulnerability, an attacker must disrupt the state
> tracking mechanism of the preprocessor module by sending a series of
> packets with crafted sequence numbers. This causes the module to
> bypass a check for buffer overflow attempts and allows the attacker to
> insert arbitrary code into the heap.
>
> For additional information, please read the Core Security Technologies
> Advisory located at
>
>     http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
>
> This vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior
> to RC1. Snort has published an advisory regarding this vulnerability;
> it is available at
>
>     http://www.snort.org/advisories/snort-2003-04-16-1.txt.
>
> VU#916785 - Buffer overflow in Snort RPC preprocessor (CAN-2003-0033)
>
> Researchers at Internet Security Systems (ISS) have discovered a
> remotely exploitable buffer overflow in the Snort RPC preprocessor
> module. Martin Roesch, primary developer for Snort, described the
> vulnerability as follows:
>
>     When the RPC decoder normalizes fragmented RPC records, it
>     incorrectly checks the lengths of what is being normalized against
>     the current packet size, leading to an overflow condition. The RPC
>     preprocessor is enabled by default.
>
> For additional information, please read the ISS X-Force advisory
> located at
>
>     http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951
>
> This vulnerability affects Snort versions 1.8.x through 1.9.1 and
> version 2.0 Beta.
>
> II. Impact
>
> Both VU#139129 and VU#916785 allow remote attackers to execute
> arbitrary code with the privileges of the user running Snort,
> typically root. In addition, it is not necessary for the attacker to
> know the IP address of the Snort device they wish to attack; merely
> sending malicious traffic where it can be observed by an affected
> Snort sensor is sufficient to exploit these vulnerabilities.
>
> III. Solution
>
> Upgrade to Snort 2.0
>
> Both VU#139129 and VU#916785 are addressed in Snort version 2.0, which
> is available at
>
>     http://www.snort.org/dl/snort-2.0.0.tar.gz
>
> Binary-only versions of Snort are available from
>
>     http://www.snort.org/dl/binaries
>
> For information from other vendors that ship affected versions of
> Snort, please see Appendix A of this document.
>
> Disable affected preprocessor modules
>
> Sites that are unable to immediately upgrade affected Snort sensors
> may prevent exploitation of this vulnerability by commenting out the
> affected preprocessor modules in the "snort.conf" configuration file.
>
> To prevent exploitation of VU#139129, comment out the following line:
>
>     preprocessor stream4_reassemble
>
> To prevent exploitation of VU#916785, comment out the following line:
>
>     preprocessor rpc_decode: 111 32771
>
> After commenting out the affected modules, send a SIGHUP signal to the
> affected Snort process to update the configuration. Note that
> disabling these modules may have adverse effects on a sensor's ability
> to correctly process RPC record fragments and TCP packet fragments. In
> particular, disabling the "stream4" preprocessor module will prevent
> the Snort sensor from detecting a variety of IDS evasion attacks.
>
> Block outbound packets from Snort IDS systems
>
> You may be able to limit an attacker's capabilities if the system is
> compromised by blocking all outbound traffic from the Snort sensor.
> While this workaround will not prevent exploitation of the
> vulnerability, it may make it more difficult for the attacker to
> create a useful exploit.
>
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. As vendors report new information to the CERT/CC, we will
> update this section and note the changes in our revision history.
> If a particular vendor is not listed below, we have not received their
> comments.
>
> Apple Computer, Inc.
>
> Snort is not shipped with Mac OS X or Mac OS X Server.
>
> Ingrian Networks
>
> Ingrian Networks products are not susceptible to VU#139129 and
> VU#916785 since they do not use Snort.
>
> Ingrian customers who are using the IDS Extender Service Engine to
> mirror cleartext data to a Snort-based IDS should upgrade their IDS
> software.
>
> NetBSD
>
> NetBSD does not include snort in the base system.
>
> Snort is available from the 3rd party software system, pkgsrc. Users
> who have installed net/snort, net/snort-mysql or net/snort-pgsql
> should update to a fixed version. pkgsrc/security/audit-packages can
> be used to keep up to date with these types of issues.
>
> Red Hat Inc.
>
> Not vulnerable. Red Hat does not ship Snort in any of our supported
> products.
>
> SGI
>
> SGI does not ship snort as part of IRIX.
>
> Snort
>
> Snort 2.0 has undergone an external third party professional security
> audit funded by Sourcefire.
> _________________________________________________________________
>
> The CERT/CC acknowledges Bruce Leidl, Juan Pablo Martinez Kuhn, and
> Alejandro David Weil of Core Security Technologies for their discovery
> of VU#139129. We also acknowledge Mark Dowd and Neel Mehta of ISS
> X-Force for their discovery of VU#916785.
> _________________________________________________________________
>
> Authors: Jeffrey P. Lanza and Cory F. Cohen.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2003-13.html
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: cert@cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
>     CERT Coordination Center
>     Software Engineering Institute
>     Carnegie Mellon University
>     Pittsburgh PA 15213-3890
>     U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to majordomo@cert.org. Please include in the body of your
> message
>
>     subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material.
> Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2003 Carnegie Mellon University.
>
> Revision History
> April 17, 2003: Initial release
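The advisory's interim workaround and its affected-version ranges, as an added example that is not part of the forwarded message or of the Snort project's own tooling: a POSIX shell script that comments out the two affected directives in a snort.conf the way the advisory describes, keeps a backup, verifies that neither directive is still enabled, and classifies a version string against the ranges the advisory lists. The function names, the constructed sample configuration, and the assumption that the caller hands it a bare version string such as 1.9.1 are this example's own.

```shell
#!/bin/sh
# Added example, not code from the CERT advisory or from the Snort project:
# applies the advisory's interim workaround to a snort.conf. It finds the two
# affected preprocessor directives, comments them out (tagged with the VU#
# each works around), keeps a backup, and reports what changed. Function
# names, the constructed sample config and the bare "1.9.1"-style version
# string format are assumptions of this example.

# Print the affected preprocessors that are still enabled (uncommented) in
# the given conf, one name per line, sorted; prints nothing if neither is.
# Only lines that START with the directive count: a leading '#' means the
# line is already commented out.
affected_preprocessors() {
    grep -E '^[[:space:]]*preprocessor[[:space:]]+(stream4_reassemble|rpc_decode)' "$1" |
        sed -E 's/^[[:space:]]*preprocessor[[:space:]]+(stream4_reassemble|rpc_decode).*/\1/' |
        sort -u
}

# Comment out both affected directives in CONF, keeping CONF.bak. Every other
# line (including "preprocessor stream4" itself, frag2, http_decode, ...) is
# left untouched. Returns 0 only if neither directive is still enabled after.
disable_affected_preprocessors() {
    conf="$1"
    tmp="$conf.tmp.$$"
    cp "$conf" "$conf.bak" || return 1
    sed -E \
        -e 's/^([[:space:]]*)(preprocessor[[:space:]]+stream4_reassemble)/\1# VU#139129 workaround: \2/' \
        -e 's/^([[:space:]]*)(preprocessor[[:space:]]+rpc_decode)/\1# VU#916785 workaround: \2/' \
        "$conf.bak" > "$tmp" && mv "$tmp" "$conf" || { rm -f "$tmp"; return 1; }
    [ -z "$(affected_preprocessors "$conf")" ]
}

# Classify a Snort version string against the ranges in the advisory:
# 1.8.x and 1.9.x are affected, 2.0 only in its pre-release forms (Beta, RC1);
# the 2.0.0 release fixes both issues. Takes the bare version (e.g. "1.9.1",
# "2.0.0rc1"); extracting it from "snort -V" output is left to the caller,
# since that output format is not something this example assumes.
# Returns 0 if affected, 1 otherwise.
snort_version_affected() {
    v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$v" in
        1.8*|1.9*)          return 0 ;;
        2.0*beta*|2.0*rc*)  return 0 ;;
        *)                  return 1 ;;
    esac
}

# Demo on a constructed snort.conf fragment (modelled on the directive forms
# quoted in the advisory, not a real deployment's file).
demo="${TMPDIR:-/tmp}/snort.conf.demo.$$"
cat > "$demo" <<'EOF'
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor rpc_decode: 111 32771
# preprocessor telnet_decode
preprocessor http_decode: 80
EOF
echo "enabled before: $(affected_preprocessors "$demo" | tr '\n' ' ')"
disable_affected_preprocessors "$demo" && echo "workaround applied, backup in $demo.bak"
echo "enabled after:  [$(affected_preprocessors "$demo" | tr '\n' ' ')]"
grep -n 'workaround' "$demo"
for ver in 1.9.1 2.0.0rc1 2.0.0; do
    if snort_version_affected "$ver"; then echo "$ver: affected"; else echo "$ver: fixed"; fi
done
rm -f "$demo" "$demo.bak"
```

Run it against a copy of the real snort.conf first and diff the result against the .bak file before touching the sensor; then, as the advisory says, send SIGHUP to the running Snort process so it re-reads the configuration. The script deliberately touches only `stream4_reassemble`, the line the advisory names, and leaves `preprocessor stream4` itself in place.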