[Snort-users] Sourcefire Advisory: Vulnerability in Snort DCE/RPC Preprocessor

[Snort Releases <snortreleases@snort.org>]

February 19, 2007

Summary:

Sourcefire has learned of a remotely exploitable vulnerability in the 
Snort DCE/RPC preprocessor. This preprocessor is vulnerable to a 
stack-based buffer overflow that could potentially allow attackers to 
execute code with the same privileges as the Snort binary. Sourcefire 
has prepared updates for Snort open-source software to address this issue.

This vulnerability has been identified as CVE-2006-5276.


Snort Versions Affected:

* Snort 2.6.1, 2.6.1.1, and 2.6.1.2
* Snort 2.7.0 beta 1

This vulnerability also affects Sourcefire commercial products. For 
information and updates for Sourcefire products, please go to the 
Sourcefire support site.


Mitigating Factors:

Users who have disabled the DCE/RPC preprocessor are not vulnerable. 
However, the DCE/RPC preprocessor is enabled by default.


Recommended Actions:

* Open-source Snort 2.6.1.x users are advised to upgrade to Snort 
2.6.1.3 (or later) immediately.
* Open-source Snort 2.7 beta users are advised to mitigate this issue by 
disabling the DCE/RPC preprocessor.
   This issue will be resolved in Snort 2.7 beta 2.


Workarounds:

Snort users who cannot upgrade immediately are advised to disable the 
DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives 
from snort.conf and restarting Snort. However, be advised that disabling 
the DCE/RPC preprocessor reduces detection capabilities for attacks in 
DCE/RPC traffic. After upgrading, customers should reenable the DCE/RPC 
preprocessor.


Detecting Attacks Against This Vulnerability:

Sourcefire will be releasing a rule pack that provides detection for 
attacks against this vulnerability.


FAQs:

What does the update do?
- Snort 2.6.1.3 (or later) removes the vulnerability by correcting the 
buffer overflow condition in the DCE/RPC preprocessor.

Has Sourcefire received any reports that this vulnerability has been 
exploited?
- No. Sourcefire has not received any reports that this vulnerability 
has been exploited.


Acknowledgments:

Sourcefire would like to thank Neel Mehta from IBM X-Force for reporting 
this issue and working with us to resolve it.


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users