Hole in Snort intrusion detector
Sourcefire has announced the discovery of a hole in its open source intrusion detection system Snort that allows code to be injected into a monitoring system and executed with Snort's privileges. Attackers could thereby not only evade the intrusion detection but also take complete control of the system.
The cause of the vulnerability is a buffer overflow in the preprocessor that handles the DCE/RPC protocol, which is used for distributed applications under Unix and Windows. Although the DCE/RPC preprocessor is activated by default in Snort, DCE/RPC traffic is usually blocked at the firewall, so for most users the risk from the Internet is probably slight.
Snort 2.6.1, 2.6.1.1, and 2.6.1.2 are affected; the flaw also affects the commercial version. Updating to 2.6.1.3 remedies the problem. No update has yet been made available for Snort 2.7.0. As a workaround, users should disable the affected preprocessor by commenting out its entry in snort.conf, so that it reads:
#preprocessor dcerpc: \
# autodetect \
# max_frag_size 3000 \
# memcap 100000
Then restart Snort. Sourcefire says it will soon be releasing a rule pack to detect attacks on the DCE/RPC preprocessor.
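As an added example (not from the article or from Sourcefire), a small Python check that parses a snort.conf, reports whether the dcerpc preprocessor is still active after the workaround, and applies the comment-out itself; the configuration fragment and the helper names are constructed for the example.

```python
import re

# Snort versions the advisory text names as affected.
AFFECTED_VERSIONS = {"2.6.1", "2.6.1.1", "2.6.1.2"}

# Constructed sample snort.conf fragment: one active dcerpc preprocessor
# block spanning backslash-continued lines, surrounded by unrelated entries.
SAMPLE_CONF = """\
preprocessor frag3_global: max_frags 65536
preprocessor dcerpc: \\
    autodetect \\
    max_frag_size 3000 \\
    memcap 100000
preprocessor stream4_reassemble
"""

DCERPC_RE = re.compile(r"preprocessor\s+dcerpc\b")

def logical_lines(conf_text):
    """Join lines ending in a backslash into one logical directive and drop
    lines commented out with '#', as Snort's config reader does."""
    joined, buf = [], ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if buf == "" and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        joined.append((buf + line).strip())
        buf = ""
    if buf:
        joined.append(buf.strip())
    return joined

def dcerpc_enabled(conf_text):
    """True if an uncommented 'preprocessor dcerpc' directive is present."""
    return any(DCERPC_RE.match(line) for line in logical_lines(conf_text))

def disable_dcerpc(conf_text):
    """Prefix every physical line of the dcerpc block with '#', which is the
    workaround the advisory describes; all other lines are left untouched."""
    out, in_block = [], False
    for raw in conf_text.splitlines():
        stripped = raw.strip()
        if not in_block and DCERPC_RE.match(stripped):
            in_block = True
        if in_block:
            out.append("#" + raw)
            in_block = stripped.endswith("\\")  # block continues while lines end in '\'
        else:
            out.append(raw)
    return "\n".join(out) + "\n"

def version_affected(version):
    """True for the Snort releases listed as vulnerable."""
    return version in AFFECTED_VERSIONS
```

Running dcerpc_enabled over the live snort.conf before and after editing confirms the preprocessor is actually off, which a commented-out copy pasted below an untouched active block would not achieve.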
- Vulnerability in Snort DCE/RPC Preprocessor, Sourcefire's security advisory
(ehe)