Snort mailing list archives
RE: Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability
From: "Ron Jenkins" <rjenkins () dibr net>
Date: Tue, 18 Oct 2005 17:22:45 -0500
I see it too.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jennifer Steffens
Sent: Tuesday, October 18, 2005 5:31 PM
To: Sam Evans
Cc: snort-users @ lists. sourceforge. net
Subject: Re: [Snort-users] Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability

Sam,

Can you try refreshing the page? The 2.4.3 version is there for me. The actual link is http://www.snort.org/dl/current/snort-2.4.3.tar.gz.

Thanks,
Jennifer

Sam Evans wrote:

Jennifer,

I might be missing something, but when I click the http://www.snort.org/dl/ link all I see is the 2.4.2 version, not the 2.4.3.

Thanks,
Sam

On 10/18/05, *Jennifer Steffens* <jennifer.steffens () sourcefire com> wrote:

Subject: Fix and Mitigation Available for Snort Vulnerability

The Sourcefire Vulnerability Research Team (VRT) has learned of a vulnerability in Snort v2.4.0 and higher. Users are only vulnerable if the Back Orifice preprocessor is enabled. Snort v2.4.3 has been released to correct the issue and detailed instructions for mitigating the issue by disabling the Back Orifice preprocessor are below.

Snort v2.4.3

In addition to fixing the vulnerability, this version includes a mechanism to detect exploits against vulnerable sensors and, optionally for inline sensors, drop the offending traffic. These features enable a phased approach to upgrading while protecting unpatched sensors. Detection capabilities are part of the new preprocessor and therefore are available to all users regardless of subscription status.

In addition to the source tarball, postgres, mysql and plain RPMs and a win32 installer are available at http://www.snort.org/dl. Please remember that updated rules are only included in major releases. For updated rules, visit http://www.snort.org/rules/.

Mitigation Instructions:

The Back Orifice preprocessor can be disabled by commenting out the line "preprocessor bo" in snort.conf. This can be done in any text editor using the following procedure:

1. Locate the line "preprocessor bo"
2. Comment out this line by preceding it with a hash (#). The new line will look like "#preprocessor bo"
3. Save the file
4. Restart snort

Background:

On Thursday, October 13th Sourcefire was contacted by USCERT with news of a vulnerability in Snort. We used the subsequent days to verify the vulnerability and to prepare mitigation strategies and the software updates necessary to fix the vulnerability for both Sourcefire customers and Snort users. While it cannot be said that no other problems will ever be found in the Snort code base, we can state that we will redouble our efforts to ensure the security of the system so many people have come to rely on for the detection of network-based threats. Sourcefire will also continue to work with the most sophisticated testing facilities in the industry to assure that every reasonable step is being taken to provide the most secure code base possible.

Technical Details:

The Back Orifice preprocessor contains a stack-based buffer overflow. This vulnerability could be leveraged by an attacker to execute code remotely on a Snort sensor where the Back Orifice preprocessor is enabled. However, there are a number of factors that make remote code execution difficult to achieve across different builds of Snort on different platforms, even on the same platform with different compiler versions, and it is more likely that an attacker could use the vulnerability as a denial of service attack.

If you have any questions, please let us know at snort-team () sourcefire com

Thanks,
Jennifer

--
Jennifer S. Steffens
Director, Snort Product Management | Sourcefire, Inc.
W: 410.423.1930 | C: 202.409.7707
www.sourcefire.com | www.snort.org

-------------------------------------------------------
This SF.Net email is sponsored by: Power Architecture Resource Center: Free content, downloads, discussions, and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
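The mitigation procedure from the announcement above (locate "preprocessor bo", comment it out, save), as an added shell example that is not part of the original thread or Sourcefire's own tooling. The function names and the sample config are constructed for illustration; restarting Snort (step 4) is left to the operator.

```shell
#!/bin/sh
# Added example: disable the Back Orifice preprocessor in a snort.conf.
# Function names are hypothetical; the demo config at the end is constructed.

# Print the line numbers of active (uncommented) "preprocessor bo" lines.
# Matches the directive alone or followed by ":" / whitespace and options;
# lines that already start with "#" do not match.
active_bo_lines() {
    grep -nE '^[[:space:]]*preprocessor[[:space:]]+bo([[:space:]:]|$)' "$1" \
        | cut -d: -f1
}

# Comment out every active "preprocessor bo" line, keeping a .bak copy,
# then verify that none remain. Safe to run repeatedly.
disable_bo_preprocessor() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    if [ -z "$(active_bo_lines "$conf")" ]; then
        echo "already disabled: $conf"
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 1      # original kept for rollback
    tmp=$(mktemp) || return 1
    # Insert "#" in front of the directive, preserving indentation/options.
    sed -E 's/^([[:space:]]*)(preprocessor[[:space:]]+bo([[:space:]:].*)?)$/\1#\2/' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rm -f "$tmp"
    # Verification: succeed only if no active directive is left.
    [ -z "$(active_bo_lines "$conf")" ]
}

# Demo on a constructed config (not a real snort.conf).
demo=$(mktemp)
printf '%s\n' 'var HOME_NET any' '  preprocessor bo' '#preprocessor bo' > "$demo"
disable_bo_preprocessor "$demo" && cat "$demo"
rm -f "$demo" "$demo.bak"
```

Running `active_bo_lines` alone against each sensor's configuration gives a quick audit of which sensors still have the preprocessor enabled before and after the change.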
Current thread:
- Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability Jennifer Steffens (Oct 18)
- Re: Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability Sam Evans (Oct 18)
- Re: Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability Jennifer Steffens (Oct 18)
- <Possible follow-ups>
- RE: Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability Ron Jenkins (Oct 18)
- Re: Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability Sam Evans (Oct 18)