(SmoothWall Firewall Issues Fix) Re: Snort Intrusion Detection System Buffer Overflow in Processing RPC Messages Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1006248 |
|
SecurityTracker URL: http://securitytracker.com/id/1006248
|
|
CVE Reference:
CAN-2003-0033
(Links to External Site)
|
Date: Mar 7 2003
|
Impact:
Execution of arbitrary code via network, Root access via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): Snort 1.8 (July 2001) - Snort 1.9.0
|
Description:
A buffer overflow vulnerability was reported in Snort in the preprocessing of RPC messages. A remote user could cause arbitrary code to be executed. SmoothWall GPL includes Snort and, therefore, is affected.
Internet Security Systems (ISS) reported that a remote user may be able to cause arbitrary code to be executed on a target Snort sensor. The code would run with the privileges of the Snort IDS process (typically 'root' privileges). The affected preprocessor is enabled by default, according to the report.
The flaw is reported to reside in 'spp_rpc_decode.c' and occurs during the normalization of RPC records. The code does not properly check the length of the information being normalized against the current packet size, according to the vendor.
ISS has indicated that the remote user does not need to establish a valid connection to an RPC daemon. A remote user can send specially crafted exploit packets via the network segment that Snort is running on to trigger the flaw.
|
Impact:
A remote user may be able to cause arbitrary code to be executed on a Snort sensor with the privileges of the Snort process.
|
Solution:
The SmoothWall Project has released "fixes2 for SmoothWall GPL 1.0" to correct the flaw in Snort (which is included in SmoothWall GPL). Information about the fix is available at:
http://www.smoothwall.org/get/download/patches/1.0-20030304-fixes2.html
According to the report, a fix was not yet available at the time of this entry for SmoothWall GPL 2.0 beta. The report suggests that users of the beta version disable Snort from the admin configuration panel.
|
Vendor URL: www.smoothwall.org/home/news/item/20030305.01.html (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Fri, 7 Mar 2003 09:27:40 -0000
Subject: Smoothwall Firewall SNORT buffer overflow
|
All,
Please note that the Linux based firewall smoothwall
(http://www.smoothwall.org) is using a vulnerable version of snort.
A patch has been released for the stable GPL 1.0 version:
http://www.smoothwall.org/home/news/item/20030305.01.html
However, no patch has been released for the beta version GPL 2.0 Mallard. If
you are running this version you should disable snort from the admin
configuration panel.
I am sending an email to this list because I have contacted the snort
developers some days ago and no announcement/information has yet been
published on their website or on the
developer mailing list.
Snort vulnerability reference:
http://www.kb.cert.org/vuls/id/916785
- - -
Mr Sylvain Martinez
Infrastructure Security Specialist
http://www.encryptsolutions.com
|
|
