Flaw Found in Snort Intrusion Detection Product

A new vulnerability in Snort, an open source intrusion-detection system (IDS), enables hackers to inject hostile code into exposed systems.

Sourcefire, the company behind the Snort package, said hackers could remotely gain control of systems running the software and execute malicious code, as well as gain access to confidential data.

The Fix

The primary flaw, which was discovered this week, is in Snort’s DCE/RPC (distributed computing environment/remote procedure calls) processor, which is vulnerable to stack-based buffer overflow attacks.

Sourcefire has released updates to fix the problem and so far has not received any reports of attacks, according to an advisory.

Danish security firm Secunia has ranked the buffer overflow flaw as “highly critical,” its second most severe rating.

Snort versions 2.6.1, 2.6.1.1, 2.6.1.2 and the Snort 2.7.0 beta are all vulnerable to the bug.

Enterprise Level

The open source Snort IDS package works with Linux, Unix and Windows platforms and is primarily used by large organizations including IBM and the U.S. Department of Defense.

Snort’s popularity has grown in recent years as many businesses have moved away from more costly proprietary intrusion-detection systems to open source products like Snort.

Despite the flaw, Snort and other open source systems generally are considered more secure than products created by network equipment vendors.

Disabling Protection

Hackers can exploit the Snort flaw by sending Server Message Block (SMB) network data in DCE and RPC network packets to a vulnerable application, according to security outfit Symantec.

SMB is an application-level network protocol used for shared access to files, printers and serial ports.

Worse than simply disabling this protection, the vulnerability creates a means to attack networks using the very tools designed to safeguard them.

Successful Exploitation

The vulnerability was reported to Sourcefire by Internet Security Systems (ISS) team member Neel Mehta.

“Successful exploitation of this vulnerability results in remote code execution with the privilege level of Snort, usually root or system,” Mehta told LinuxInsider. “Compromise of machines using affected versions of Snort may lead to exposure of confidential information, loss of productivity and further compromise.”

The Snort IDS and Sourcefire Intrusion Sensor IDS/IPS (intrusion detection system/intrusion prevention system) are also vulnerable to a stack-based buffer overflow, which can result in remote code execution.

Sourcefire said users of versions 2.6.1.1 and 2.6.1.2 should immediately upgrade to 2.6.1.3.
