[linux-security] snort DoS vulnerability and remote exploit
- To: linux-security
- Subject: [linux-security] snort DoS vulnerability and remote exploit
- From: Martin Siegert <siegert@sfu.ca>
- Date: Sat, 31 May 2003 17:13:24 -0700
- User-Agent: Mutt/1.4.1i
Topic
=====
DoS attack or remote exploit against systems running snort
Problem Description
===================
Snort is a popular intrusion detection system (IDS).
An integer overflow was discovered in the Snort stream4 preprocessor.
This preprocessor (spp_stream4) incorrectly calculates segment size
parameters during stream reassembly for certain sequence number ranges.
This can lead to an integer overflow that can in turn lead to a heap
overflow that can be exploited to perform a denial of service (DoS) or
even remote command execution on the host running Snort.
Affected Versions
=================
snort versions 1.8 through 1.9.1
Workaround
==========
disable the stream4 preprocessor
Solution
========
upgrade to snort version 2.0.0
(or patched version for your distribution)
Mandrake 8.2, 9.0, 9.1
----------------------
rpm -Fvh snort-2.0.0-2.1mdk.i586.rpm \
snort-bloat-2.0.0-2.1mdk.i586.rpm \
snort-mysql+flexresp-2.0.0-2.1mdk.i586.rpm \
snort-mysql-2.0.0-2.1mdk.i586.rpm \
snort-plain+flexresp-2.0.0-2.1mdk.i586.rpm \
snort-postgresql+flexresp-2.0.0-2.1mdk.i586.rpm \
snort-postgresql-2.0.0-2.1mdk.i586.rpm \
snort-snmp+flexresp-2.0.0-2.1mdk.i586.rpm \
snort-snmp-2.0.0-2.1mdk.i586.rpm
Debian 3.0 (woody)
------------------
upgrade to snort_1.8.4beta1-3.1_i386.deb,
snort-common_1.8.4beta1-3.1_i386.deb,
snort-mysql_1.8.4beta1-3.1_i386.deb
RedHat
------
RedHat does not include snort packages (and therefore is not affected).
For RedHat 7.3 I provide snort-2.0.0 rpm packages on sphinx in the
/vol/vol0/distrib/redhat/7.3/contrib directory.
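
The class of bug named under "Problem Description", as an added illustration in C; it is not Snort's spp_stream4 code and not part of the original advisory. The buffer size, function names and sequence numbers are assumptions made for the example, which shows a bounds check built on wrapped 32-bit sequence arithmetic accepting a segment that lies before the reassembly base, next to a check that rejects it.

```c
#include <stdint.h>
#include <string.h>

#define REASM_BUF 65536u   /* assumed size of the heap reassembly buffer */

/* Unchecked form: offset and end are computed in 32-bit unsigned arithmetic.
 * A segment that starts before base_seq gives a huge offset, and adding the
 * length wraps the sum back to a small value that passes the comparison. */
static int naive_fits(uint32_t base_seq, uint32_t seg_seq, uint32_t len)
{
    uint32_t off = seg_seq - base_seq;   /* wraps if seg_seq precedes base_seq */
    uint32_t end = off + len;            /* wraps again */
    return end <= REASM_BUF;
}

/* Checked form: validate the offset on its own, then compare the length
 * against the space that is left. No addition, so nothing can wrap. */
static int checked_fits(uint32_t base_seq, uint32_t seg_seq, uint32_t len)
{
    uint32_t off = seg_seq - base_seq;   /* modular, correct across 2^32 wrap */
    if (off >= REASM_BUF)
        return 0;                        /* outside the window, or before base */
    if (len > REASM_BUF - off)
        return 0;                        /* would run past the end of the buffer */
    return 1;
}

/* Copies a segment into the reassembly buffer only when it provably fits.
 * Returns 0 on success, -1 when the segment is rejected. */
static int copy_segment(uint8_t *buf, uint32_t base_seq, uint32_t seg_seq,
                        const uint8_t *data, uint32_t len)
{
    if (!checked_fits(base_seq, seg_seq, len))
        return -1;
    memcpy(buf + (seg_seq - base_seq), data, len);
    return 0;
}
```

With a base sequence number of 1000, a 20-byte segment at sequence 990 passes `naive_fits` although its offset is 0xFFFFFFF6; `checked_fits` rejects it.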