ISS Warns of Worm-Friendly Hole in Snort IDS

By Paul F. Roberts  |  Posted 2005-10-18 Print this article Print

Updated: The hole is easy to exploit, Internet Security Systems says, and attackers do not need to know the specific address of a system running Snort to trigger the hole.

Security experts from Internet Security Systems Inc. and the U.S. Computer Emergency Readiness Team are warning companies that use the popular Snort Intrusion Detection System that the technology contains a critical and easily exploitable hole that could be used to compromise vulnerable systems.

ISS and U.S. CERT both issued advisories Tuesday concerning vulnerability in a Snort component called the Back Orifice pre-processor.

Remote attackers could use the hole to take control of systems running some versions of Snort or software by parent company Sourcefire Inc.

The hole is easy to exploit and is ideally suited to adoption by a self-replicating worm, ISS said.

A Sourcefire spokesperson said that the company was made aware of the hole last week and issued a software fix Tuesday morning to fix the hole.

Snort is a popular open-source network IDS technology.

The product is free and widely deployed across the Internet to look for network attacks.

Check Point Software Technologies Ltd. said Oct. 6 that it was buying Snorts parent company, Sourcefire, for $225 million.

Versions 2.4.0, 2.4.1 and 2.4.2 of Snort create a stack-based overflow when processing Back Orifice backdoor packets.

Other commercial IDS and IPS (intrusion protection system) products that use Snort may also be affected.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub. Back Orifice is a well-known hacking and remote system administration tool designed to give remote users total control over Windows systems.

Attackers can trigger the stack overflow by sending a single UDP (User Datagram Protocol) packet to any port monitored by Snort.

Because of the way IDS sensors work, attackers do not need to know the specific address of a system running Snort to trigger the hole.

They only need to send an attack packet to a network monitored by Snort.

That makes the hole ideally suited to use by Internet worms and other self-replicating attacks, ISS said.

To patch the hole, Sourcefire released Snort Version 2.4.3 and advised customers to upgrade.

Customers can also disable the Black Orifice preprocessor to mitigate the threat posed by the hole, Sourcefire said.

The SANS Institutes Internet Storm Center changed its rating of Internet security from "Green" to "Yellow" late last week because of the vulnerability and urged IT managers to upgrade vulnerable Snort sensors or disable the Back Orifice preprocessor.

The Back Orifice preprocessor vulnerability could become a "big problem," given the widespread use of Snort and the relative ease with which the hole can be exploited, according to a blog post by ISC Chief Technology Officer Johannes Ullrich.

As of Oct. 20, security discussion lists such as Full-Disclosure contained example exploit code for the hole.

Editors Note: This story was updated to add more information from the SANS Institutes Internet Storm Center. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel