Operating System:

Published:

18 October 2005

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

     ESB-2005.0830 -- US-CERT Technical Cyber Security Alert TA05-291A
              Snort Back Orifice Preprocessor Buffer Overflow
                              19 October 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Snort 2.4.0 to 2.4.2
Publisher:         US-CERT
Operating System:  UNIX variants
                   Windows
Impact:            Execute Arbitrary Code/Commands
Access:            Remote/Unauthenticated
CVE Names:         CAN-2005-3252

Original Bulletin: http://www.kb.cert.org/vuls/id/177500
                   http://xforce.iss.net/xforce/alerts/id/207
                   http://www.snort.org/pub-bin/snortnews.cgi#99

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                     National Cyber Alert System

               Technical Cyber Security Alert TA05-291A


Snort Back Orifice Preprocessor Buffer Overflow

   Original release date: October 18, 2005
   Last revised: --
   Source: US-CERT


Systems Affected

     * Snort versions 2.4.0 to 2.4.2
     * Sourcefire Intrusion Sensors

   Other products that use Snort or Snort components may be affected.


Overview

   The Snort Back Orifice preprocessor contains a buffer overflow that
   could allow a remote attacker to execute arbitrary code on a
   vulnerable system.


I. Description

   Snort is a widely-deployed, open-source network intrusion detection
   system (IDS). Snort and its components are used in other IDS
   products, notably Sourcefire Intrusion Sensors, and Snort is
   included with a number of operating system distributions.

   Snort preprocessors are modular plugins that extend functionality
   by operating on packets before the detection engine is run. The
   Back Orifice preprocessor decodes packets to determine if they
   contain Back Orifice ping messages. The ping detection code does
   not adequately limit the amount of data that is read from the
   packet into a fixed-length buffer, thus creating the potential for
   a buffer overflow.

   The vulnerable code will process any UDP packet that is not
   destined to or sourced from the default Back Orifice port
   (31337/udp). An attacker could exploit this vulnerability by
   sending a specially crafted UDP packet to a host or network
   monitored by Snort.

   US-CERT is tracking this vulnerability as VU#175500. Further
   information is available in an advisory from Internet Security
   Systems (ISS).


II. Impact

   A remote attacker who can send UDP packets to a Snort sensor may be
   able to execute arbitrary code. Snort typically runs with root or
   SYSTEM privileges, so an attacker could take complete control of a
   vulnerable system. An attacker does not need to target a Snort
   sensor directly; the attacker can target any host or network
   monitored by Snort.


III. Solution

Upgrade

   Sourcefire has released Snort 2.4.3 which is available from the
   Snort download site. For information about other vendors, please
   see the Systems Affected section of VU#175500.

Disable Back Orifice Preprocessor

   To disable the Back Orifice preprocessor, comment out the line that
   loads the preprocessor in the Snort configuration file (typically
   /etc/snort.conf on UNIX and Linux systems):

     [/etc/snort.conf]
     ...
     #preprocessor bo
     ...
   
   Restart Snort for the change to take effect.

Restrict Outbound Traffic

   Consider preventing Snort sensors from initiating outbound
   connections and restricting outbound traffic to only those hosts
   and networks that have legitimate requirements to communicate with
   the sensors. While this will not prevent exploitation of the
   vulnerability, it may make it more difficult for an attacker to
   access a compromised system or reconnoiter other systems.


Appendix A. References

     * US-CERT Vulnerability Note VU#175500 -
       <http://www.kb.cert.org/vuls/id/177500>

     * Fixes and Mitigation Instructions Available for Snort Back
       Orifice Vulnerability -
       <http://www.snort.org/pub-bin/snortnews.cgi#99>

     * Snort downloads - <http://www.snort.org/dl/>

     * Snort 2.4.3 Changelog -
       <http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt>

     * Preprocessors -
       <http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/
       node11.html#SECTION00310000000000000000>

     * Snort Back Orifice Parsing Remote Code Execution -
       <http://xforce.iss.net/xforce/alerts/id/207>


 ____________________________________________________________________

   This vulnerability was researched and reported by Internet Security
   Systems (ISS).
 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA05-291A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA05-291A Feedback VU#175500" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2005 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


Revision History

   Oct 18, 2005: Initial release


- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQ1VB130pj593lg50AQLY6wf+Kq/rI3wxG4rGr+OdVrpl3v+TfTMp6MX3
T0e99ybRSGKeWQCleMQYdBYrS+7UyCa28T1yE8ENe4SuYLPj7ttTqpd0AGxn7f8H
+qOY0GnJwXvrWlKCfVtAhjo5JFDxgZQV9P/13MwjcsJrGTtHzhuJ8YZc4RtSMyVX
4nf2s4Nymjd2+jIEX9BnwRIe/E47TRdFLSsza36mhKZLZV1lxLdJYywCZSsQLWNM
nL9gohRojR/6wQk8sLjef8LCv2JFu3btsqrrblcTWqfB6GhVR9OSUBhL+b8P/mme
jVd9eE0OS5v8rzhaEMiYIMI+pEZEpATj4BnVoLwPkLAoD6ObGJKHkQ==
=jjID
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQ1WPsSh9+71yA2DNAQI7SAP+N+GNQw9BETvQLxG3q+TZBHH5qzJ1G2T+
GLXKA5MMyuBQXjr4QRbBnD9O6FiA029BHCDn82NKjCzINFw06msOF+0JVFP+uRl4
FmBDPLgDgfU/GxAYCSE5aN0xKor8pv6AXANyC5b8AWEBBgyb4BHA2qLKWh/lLHsK
QL7BiMj04qo=
=q16/
-----END PGP SIGNATURE-----