Snort vulnerability opens door to remote code execution

Posted by Wolfgang Gruener

Chicago (IL) – Sourcefire, the company behind the free network intrusion detection software Snort, has confirmed a vulnerability in the Snort DCE/RPC preprocessor, which enables an attacker to remotely run programs.

IBM’s Internet Security Systems (ISS) division, which claims credit for discovering the vulnerability, categorizes the security issue as a stack-based buffer overflow. According to ISS, a successful attack on Snort results in remote code execution with the privilege level of Snort, potentially causing exposure and loss of confidential information on a computer.

Affected versions of Snort include the releases 2.6.1, 2.6.1.1, 2.6.1.2 as well as 2.7.0 beta 1. Also vulnerable are Sourcefire’s Intrusion Sensors versions 4.1.x, 4.5.x, and 4.6.x with SEUs prior to SEU 64, and Intrusion Sensor Software for Crossbeam versions 4.1.x, 4.5.x and 4.6.x with SEUs prior to SEU 64.

Sourcefire said that it is working on a rule pack to patch the vulnerability, but recommends that Snort users disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort.
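
The workaround above can be scripted. The following is an added example, not code from Sourcefire or ISS. It assumes the directive keyword is `dcerpc`, as in the stock Snort 2.6.x snort.conf, and runs against a constructed sample configuration. It comments out the directive together with its backslash-continued lines, so a multi-line directive is never left half-active, and reports any lines that still enable the preprocessor.

```python
import re

# Matches an active (uncommented) DCE/RPC preprocessor directive.
# Assumption: the keyword is "dcerpc", as in the stock Snort 2.6.x snort.conf.
DIRECTIVE = re.compile(r"^\s*preprocessor\s+dcerpc\b")

def disable_dcerpc(conf_text):
    """Comment out every active DCE/RPC preprocessor directive.

    Returns (new_text, directives_disabled). Lines continued with a
    trailing backslash are commented out along with the directive.
    """
    out, disabled, in_directive = [], 0, False
    for line in conf_text.splitlines():
        if not in_directive and DIRECTIVE.match(line):
            in_directive = True
            disabled += 1
        if in_directive:
            out.append("# " + line)
            # Stay inside the directive while the line is continued.
            in_directive = line.rstrip().endswith("\\")
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled

def active_dcerpc_lines(conf_text):
    """Return 1-based line numbers that still enable the preprocessor."""
    return [n for n, line in enumerate(conf_text.splitlines(), 1)
            if DIRECTIVE.match(line)]

# Constructed sample configuration (not taken from a real sensor).
SAMPLE_CONF = """\
preprocessor frag3_global: max_frags 65536
preprocessor dcerpc: \\
    autodetect \\
    max_frag_size 3000 \\
    memcap 100000
# preprocessor dcerpc: autodetect
include $RULE_PATH/netbios.rules
"""

if __name__ == "__main__":
    patched, count = disable_dcerpc(SAMPLE_CONF)
    print(patched, end="")
    print("directives disabled:", count)
    print("still active on lines:", active_dcerpc_lines(patched))
```

Write the result back to snort.conf only after keeping a copy of the original, then restart Snort so the change takes effect.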