The open-source Snort intrusion detection and prevention system and Sourcefire Intrusion Sensor IDS/IPS are vulnerable to a stack-based buffer overflow, which can result in remote code execution, IBM’s Internet Security Systems division has advised. IBM ISS posted the flaw on Feb. 19 (link to IBM ISS’ advisory requires registration). Sourcefire has updates on hand to address the issue and is advising that users immediately upgrade to 2.6.1.3 or take mitigating steps.
The remotely exploitable vulnerability exists in Snort 2.6.1, 2.6.1.1, 2.6.1.2, and 2.7 beta 1, as well as commercial products.
According to Sourcefire, Snort’s preprocessor is vulnerable to a stack-based buffer overflow that could potentially allow attackers to execute code with the same privileges as the Snort binary.
Sourcefire says that users who have disabled the DCE/RPC preprocessor are not vulnerable. However, the DCE/RPC preprocessor is enabled by default. Sourcefire recommends that users of open-source Snort 2.6.1.x upgrade to Snort 2.6.1.3 (or later), while open-source Snort 2.7 beta users are advised to mitigate the issue by disabling the DCE/RPC preprocessor. The issue will be resolved in Snort 2.7 beta 2.
As for Snort users who can’t upgrade immediately, Sourcefire recommends disabling the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, Sourcefire notes that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic. After upgrading, customers should re-enable the DCE/RPC preprocessor, Sourcefire says.
Sourcefire is now working on a rule pack that detects attacks against this vulnerability. So far, there have been no reports of exploits.