FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

snort -- DCE/RPC preprocessor vulnerability

Affected packages
2.6.1 <= snort < 2.6.1.3

Details

VuXML ID afdf500f-c1f6-11db-95c5-000c6ec775d9
Discovery 2007-02-19
Entry 2007-02-21

An IBM Internet Security Systems Protection Advisory reports:

Snort is vulnerable to a stack-based buffer overflow as a result of DCE/RPC reassembly. This vulnerability is in a dynamic-preprocessor enabled in the default configuration, and the configuration for this preprocessor allows for auto-recognition of SMB traffic to perform reassembly on. No checks are performed to see if the traffic is part of a valid TCP session, and multiple Write AndX requests can be chained in the same TCP segment. As a result, an attacker can exploit this overflow with a single TCP PDU sent across a network monitored by Snort or Sourcefire.

Snort users who cannot upgrade immediately are advised to disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic. After upgrading, customers should re-enable the DCE/RPC preprocessor.
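A check for the workaround described above, as an added example that is not part of the advisory or of Snort: it tests a version string against this entry's affected range and looks for an uncommented DCE/RPC preprocessor line in a snort.conf. The directive keyword `dcerpc`, the function names and the sample config are assumptions; pass the path of your own snort.conf to `audit`.

```shell
#!/bin/sh
# Added example. Assumption: the preprocessor is configured by an
# uncommented "preprocessor dcerpc" line (keyword is not given on this page).

# ver_cmp A B: print -1, 0 or 1 for dotted numeric versions (a FreeBSD
# port revision suffix such as "_1" is ignored by the numeric conversion).
ver_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print -1; exit }
            if (p > q) { print 1; exit }
        }
        print 0
    }'
}

# True when 2.6.1 <= V < 2.6.1.3, the range listed in this entry.
in_affected_range() {
    [ "$(ver_cmp "$1" 2.6.1)" -ge 0 ] && [ "$(ver_cmp "$1" 2.6.1.3)" -lt 0 ]
}

# Print (with line numbers) uncommented DCE/RPC preprocessor directives.
active_dcerpc() {
    grep -nE '^[[:space:]]*preprocessor[[:space:]]+dcerpc([[:space:]:]|$)' "$1"
}

# audit VERSION CONF -> 0 not affected, 1 affected and preprocessor
# still enabled, 2 affected with the workaround applied.
audit() {
    in_affected_range "$1" || { echo "snort $1: outside affected range"; return 0; }
    if active_dcerpc "$2"; then
        echo "snort $1: affected, DCE/RPC preprocessor enabled in $2"; return 1
    fi
    echo "snort $1: affected, workaround applied; upgrade, then re-enable"
    return 2
}

# Constructed sample config, not taken from a real sensor.
sample=$(mktemp)
printf '%s\n' '# preprocessor dcerpc: autodetect' \
    'preprocessor dcerpc: \' '    autodetect' > "$sample"
audit 2.6.1.2 "$sample" || echo "audit status: $?"
rm -f "$sample"
```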

References

CERT/CC Vulnerability Note 196240
CVE Name CVE-2006-5276
URL http://www.snort.org/docs/advisory-2007-02-19.html
URL http://xforce.iss.net/xforce/xfdb/31275