
CPNI INFOSEC ADVISORY - 016/07 - Sourcefire Advisory: Vulnerability in Snort DCE/RPC Preprocessor



______________________________________________________________________________

 CPNI INFOSEC ADVISORY - 016/07 dated 20.02.07 time 12:00

 Centre for the Protection of National Infrastructure
______________________________________________________________________________

 Further details about CPNI, including information about our products, can be
 found at www.cpni.gov.uk
______________________________________________________________________________

Title
=====

Sourcefire Advisory: Vulnerability in Snort DCE/RPC Preprocessor

Detail
======

Summary:
Sourcefire has learned of a remotely exploitable vulnerability in the Snort 
DCE/RPC preprocessor. This preprocessor is vulnerable to a stack-based buffer 
overflow that could potentially allow attackers to execute code with the same 
privileges as the Snort binary. Sourcefire has prepared updates for Snort 
open-source software to address this issue. 

This vulnerability has been identified as CVE-2006-5276. 

Snort Versions Affected: 
Snort 2.6.1, 2.6.1.1, and 2.6.1.2 
Snort 2.7.0 beta 1 

This vulnerability also affects Sourcefire commercial products. For information 
and updates for Sourcefire products, please go to the Sourcefire support site. 

Mitigating Factors: 
Users who have disabled the DCE/RPC preprocessor are not vulnerable. However, 
the DCE/RPC preprocessor is enabled by default. 

Recommended Actions: 
Open-source Snort 2.6.1.x users are advised to upgrade to Snort 2.6.1.3 
(or later) immediately. Open-source Snort 2.7 beta users are advised to 
mitigate this issue by disabling the DCE/RPC preprocessor. This issue will be 
resolved in Snort 2.7 beta 2. 

Workarounds: 
Snort users who cannot upgrade immediately are advised to disable the DCE/RPC 
preprocessor by removing the DCE/RPC preprocessor directives from snort.conf 
and restarting Snort. However, be advised that disabling the DCE/RPC 
preprocessor reduces detection capabilities for attacks in DCE/RPC traffic. 
After upgrading, customers should reenable the DCE/RPC preprocessor. 
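
A sensor can be triaged against the affected-version list and the workaround with a short script. This is an added example, not part of the Sourcefire or CPNI advisory; the directive name `dcerpc` is taken from stock Snort 2.6.x configurations rather than from the advisory text, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example: triage one Snort sensor against this advisory.

# Succeeds for the releases the advisory lists as affected.
# The version string is lower-cased first; the exact spelling a sensor
# reports for the beta is an assumption.
is_affected_version() {
    v=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$v" in
        2.6.1|2.6.1.1|2.6.1.2) return 0 ;;
        "2.7.0 beta 1"|"2.7.0 beta1") return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when the config still carries an uncommented DCE/RPC
# preprocessor directive (directive name "dcerpc" assumed, see lead-in).
dcerpc_enabled() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+dcerpc([[:space:]:]|$)' "$1"
}

# Prints one of: not-affected | mitigated | vulnerable
assess() {
    if ! is_affected_version "$1"; then
        echo not-affected
    elif dcerpc_enabled "$2"; then
        echo vulnerable
    else
        echo mitigated
    fi
}

# Constructed sample configs (not real sensor files).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'preprocessor frag3_global: max_frags 65536' \
    'preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000' \
    > "$demo_dir/default.conf"
printf '%s\n' 'preprocessor frag3_global: max_frags 65536' \
    '# preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000' \
    > "$demo_dir/workaround.conf"

echo "2.6.1.2, default config:    $(assess 2.6.1.2 "$demo_dir/default.conf")"
echo "2.6.1.2, workaround config: $(assess 2.6.1.2 "$demo_dir/workaround.conf")"
echo "2.6.1.3, default config:    $(assess 2.6.1.3 "$demo_dir/default.conf")"
```

On a real sensor, pass the version reported by `snort -V` and the path to the live snort.conf; files pulled in through `include` lines need the same check.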

Detecting Attacks Against This Vulnerability:
Sourcefire will be releasing a rule pack that provides detection for attacks 
against this vulnerability. 

FAQs: 

What does the update do?
Snort 2.6.1.3 (or later) removes the vulnerability by correcting the buffer 
overflow condition in the DCE/RPC preprocessor. 

Has Sourcefire received any reports that this vulnerability has been exploited?
No. Sourcefire has not received any reports that this vulnerability has been 
exploited. 

Acknowledgments:
Sourcefire would like to thank Neel Mehta from IBM X-Force for reporting this 
issue and working with us to resolve it. 

______________________________________________________________________________


For additional information or assistance, please contact our help desk by
telephone. 

You may send Not Protectively Marked information via e-mail to
infosec@xxxxxxxxxxxx

Office hours:

Mon - Fri: 09:00 - 16:30 hours
Tel: +44 (0) 870 487 0748 and follow the voice prompts
Fax: +44 (0) 870 487 0749

On-call duty officer outside office hours:
Tel: +44 (0) 870 487 0748 and follow the voice prompts

______________________________________________________________________________

CPNI wishes to acknowledge the contributions of Sourcefire for the information
contained in this advisory.
______________________________________________________________________________

This advisory contains information released by the original author. Some of the
information may have changed since it was released. If the issue affects you,
it may be prudent to retrieve the advisory from the site of the original
source to ensure that you receive the most current information concerning that
problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by CPNI. The views and opinions of
authors expressed within this notice shall not be used for advertising or
product endorsement purposes.

CPNI shall not accept responsibility for any errors or omissions contained
within this advisory. In particular, they shall not be liable for any loss or
damage whatsoever, arising from or in connection with the usage of information
contained within this advisory.

CPNI is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
______________________________________________________________________________

<End of CPNI Advisory>



______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________