Gentoo: snort buffer overflow vulnerability - The Community's Center for Security


The central voice for Linux and Open Source security news

Welcome!

Sign up!

EnGarde Community

Polls

How strictly do your users obey your security policies?

	To the letter.
	For the most part.
	When it suits them.
	By chance.
	Not at all.

Advisories

Community

Linux Events

Linux User Groups

Link to Us

Security Center

Book Reviews

Security Dictionary

Security Tips

SELinux

White Papers

Featured Blogs

Emily Ratliff: OS Security

DanWalsh LiveJournal

Security Bloggers Network

Latest Newsletters

Linux Advisory Watch: December 5th, 2008

Linux Security Week: December 1st, 2008

LinuxSecurity Newsletters

RSS Feeds

Get the LinuxSecurity news you want faster with RSS

Gentoo: snort buffer overflow vulnerability

User Rating:

How can I rate this item?

Posted by LinuxSecurity.com Team

There is an integer overflow in the Snort stream4 preprocessor used by the Sourcefire network Sensor product line.


- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200304-05
- - - ---------------------------------------------------------------------

          PACKAGE : snort
          SUMMARY : Multiple Vulnerabilities in Snort Preprocessors
             DATE : 2003-04-22 07:41 UTC
          EXPLOIT : remote
VERSIONS AFFECTED : =snort-2.0.0
              CVE : CAN-2003-0029 CAN-2003-0033

- - - ---------------------------------------------------------------------

- - From advisories:

"The Sourcefire Vulnerability Research Team has learned of an integer overflow 
in the Snort stream4 preprocessor used by the Sourcefire Network Sensor
product line. The Snort stream4 preprocessor (spp_stream4) incorrectly
calculates segment size parameters during stream reassembly for certain
sequence number ranges which can lead to an integer overflow that can be
expanded to a heap overflow.

The Snort stream4 flaw may lead to a denial of service (DoS) attack or 
remote command execution on a host running Snort. This attack can be launched
by crafting TCP stream packets and transmitting them over a network segment
that is being monitored by a vulnerable Snort implementation. In its
default configuration, certain versions of snort are vulnerable to this
attack, as is the default configuration of the Snort IDS."

"Remote attackers may exploit the buffer overflow condition to run 
arbitrary code on a Snort sensor with the privileges of the Snort IDS 
process, which typically runs as the superuser. The vulnerable 
preprocessor is enabled by default. It is not necessary to establish an 
actual connection to a RPC portmapper service to exploit this 
vulnerability."

Read the full advisories at: 
http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10 
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951 
http://www.snort.org/advisories/snort-2003-04-16-1.txt

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-analyzer/snort upgrade to snort-2.0.0 as follows:

emerge sync
emerge snort
emerge clean

- - - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at  http://cvs.gentoo.org/~aliz
- - - ---------------------------------------------------------------------

< Prev		Next >

Partner:

Latest Features

A Secure Nagios Server

Never Installed a Firewall on Ubuntu? Try Firestarter

Review: Hacking Exposed Linux, Third Edition

Security Features of Firefox 3.0

Review: The Book of Wireless

April 2008 Open Source Tool of the Month: sudo

Open Source Tool of March: ZoneMinder

Yesterday's Edition

Keeping an Eye On Your Network with PasTmon

Linux And Unix Internet Users And Site Security - How Much Is Too Much?

QuickLinks: Comunity , HOWTOs , Blogs , Features , Book Reviews , Networking ,
Security Projects , Latest News , Newsletters , SELinux , Privacy , Home,
Hardening , About Us, Advertise, Legal Notice, RSS, Guardian Digital