Sourcefire Snort DCE/RPC Preprocessor Buffer Overflow

Alert Code: TA07-050A

Systems Affected

  • Snort 2.6.1, 2.6.1.1, and 2.6.1.2
  • Snort 2.7.0 beta 1
  • Sourcefire Intrusion Sensors version 4.1.x, 4.5.x, and 4.6.x with Security Enhancement Updates (SEUs) prior to SEU 64
  • Sourcefire Intrusion Sensors for Crossbeam version 4.1.x, 4.5.x, and 4.6.x with SEUs prior to SEU 64

Other products that use Snort or Snort components may be affected.

Overview

A stack buffer overflow vulnerability in the Sourcefire Snort DCE/RPC preprocessor could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the Snort process.

Description

Sourcefire Snort is a widely deployed, open-source network intrusion detection system (IDS). Snort and its components are used in other IDS products, notably Sourcefire's own Intrusion Sensors, and Snort is included with a number of operating system distributions. The DCE/RPC preprocessor reassembles fragmented SMB and DCE/RPC traffic before passing the reassembled data to the Snort rules engine.

The vulnerable code does not properly reassemble certain types of SMB and DCE/RPC packets, and the reassembly overflows a stack buffer inside the Snort process. An attacker could exploit this vulnerability by sending a specially crafted TCP packet to a host or network monitored by Snort; because the overflow occurs in the sensor itself, the monitored host does not need to run an SMB or DCE/RPC service or be vulnerable in any way. The DCE/RPC preprocessor is enabled by default, and since the preprocessor inspects packets without requiring an established session, it is not necessary for an attacker to complete a TCP handshake.
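The following is an added illustration for this alert and is not code from Snort, Sourcefire, or the advisories referenced here. It is a minimal DCE/RPC connection-oriented fragment reassembler of the kind the preprocessor implements, shown once with an unchecked copy that trusts the attacker-supplied fragment length (the bug class described above) and once with the bounds checks that prevent it. The header offsets follow the DCE/RPC CO PDU header; the buffer size, the sample fragments and all function names are assumptions constructed for the example.

```c
/* Added example, not Snort's dcerpc preprocessor code: a minimal DCE/RPC
 * connection-oriented fragment reassembler showing the bug class the alert
 * describes (attacker-controlled lengths copied into a fixed-size stack
 * buffer) beside a bounds-checked version. Buffer size and fragments are
 * assumptions constructed for illustration. */
#include <stdint.h>
#include <string.h>

#define DCERPC_HDR_LEN 16      /* DCE/RPC CO PDU common header */
#define PFC_FIRST_FRAG 0x01
#define PFC_LAST_FRAG  0x02
#define REASM_BUF_SIZE 2048    /* assumed fixed reassembly buffer */

struct dcerpc_frag {
    const uint8_t *pdu;  /* 16-byte header followed by stub data */
    size_t len;          /* bytes actually received for this PDU */
};

/* frag_length: 16-bit field at header offset 8 (little-endian drep). */
static uint16_t frag_length(const uint8_t *h) { return (uint16_t)(h[8] | ((uint16_t)h[9] << 8)); }

/* VULNERABLE: the copy size is taken from the header and never checked against
 * bytes received or space left, so a crafted frag_length overruns the stack buffer. */
int reassemble_unchecked(const struct dcerpc_frag *frags, size_t n)
{
    uint8_t buf[REASM_BUF_SIZE];
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *h = frags[i].pdu;
        size_t stub_len = (size_t)frag_length(h) - DCERPC_HDR_LEN; /* trusted */
        memcpy(buf + total, h + DCERPC_HDR_LEN, stub_len);        /* unbounded */
        total += stub_len;
        if (h[3] & PFC_LAST_FRAG) break;
    }
    return (int)total;
}

/* HARDENED: frag_length is validated against the received length and the remaining
 * output space before every copy. Returns reassembled stub bytes, or -1 on error. */
int reassemble_checked(const struct dcerpc_frag *frags, size_t n,
                       uint8_t *out, size_t out_size)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *h = frags[i].pdu;
        if (frags[i].len < DCERPC_HDR_LEN) return -1;
        if (i == 0 && !(h[3] & PFC_FIRST_FRAG)) return -1;
        uint16_t fl = frag_length(h);
        if (fl < DCERPC_HDR_LEN || fl > frags[i].len) return -1; /* header lies */
        size_t stub_len = fl - DCERPC_HDR_LEN;
        if (stub_len > out_size - total) return -1;               /* no room */
        memcpy(out + total, h + DCERPC_HDR_LEN, stub_len);
        total += stub_len;
        if (h[3] & PFC_LAST_FRAG) return (int)total;
    }
    return -1; /* stream ended without a last fragment */
}

/* Constructed PDU: header claiming 'claimed' as frag_length (it may lie) plus
 * 'stub_len' bytes of 0x41. Returns bytes written, or 0 if 'cap' is too small. */
size_t build_frag(uint8_t *pdu, size_t cap, uint16_t claimed, size_t stub_len,
                  uint8_t pfc_flags)
{
    if (cap < DCERPC_HDR_LEN + stub_len) return 0;
    memset(pdu, 0, DCERPC_HDR_LEN);
    pdu[0] = 5;                          /* rpc_vers 5; ptype 0 = request */
    pdu[3] = pfc_flags;
    pdu[4] = 0x10;                       /* drep: little-endian integers */
    pdu[8] = (uint8_t)(claimed & 0xff);
    pdu[9] = (uint8_t)(claimed >> 8);
    memset(pdu + DCERPC_HDR_LEN, 0x41, stub_len);
    return DCERPC_HDR_LEN + stub_len;
}

/* Two honest 100-byte fragments: both reassemblers return 200. */
int demo_benign(int use_checked)
{
    uint8_t p1[128], p2[128], out[REASM_BUF_SIZE];
    struct dcerpc_frag f[2] = {
        { p1, build_frag(p1, sizeof p1, 116, 100, PFC_FIRST_FRAG) },
        { p2, build_frag(p2, sizeof p2, 116, 100, PFC_LAST_FRAG) } };
    return use_checked ? reassemble_checked(f, 2, out, sizeof out)
                       : reassemble_unchecked(f, 2);
}

/* Header claims 4096 bytes but only 116 arrived. The checked path rejects it; the
 * unchecked path would memcpy 4080 bytes into its 2048-byte stack buffer, so it is
 * deliberately not called on this input. */
int demo_lying_header(void)
{
    uint8_t p1[128], out[REASM_BUF_SIZE];
    struct dcerpc_frag f = { p1,
        build_frag(p1, sizeof p1, 4096, 100, PFC_FIRST_FRAG | PFC_LAST_FRAG) };
    return reassemble_checked(&f, 1, out, sizeof out);
}

/* Three honest 1000-byte fragments (3000 total) exceed the buffer: the checked
 * path fails on the third fragment instead of overflowing. */
int demo_oversized_stream(void)
{
    static uint8_t p[3][1024];
    uint8_t out[REASM_BUF_SIZE];
    struct dcerpc_frag f[3] = {
        { p[0], build_frag(p[0], sizeof p[0], 1016, 1000, PFC_FIRST_FRAG) },
        { p[1], build_frag(p[1], sizeof p[1], 1016, 1000, 0) },
        { p[2], build_frag(p[2], sizeof p[2], 1016, 1000, PFC_LAST_FRAG) } };
    return reassemble_checked(f, 3, out, sizeof out);
}
```

The two checks the hardened version adds, the header's frag_length against the bytes actually received and the running total against the space remaining in the buffer, are exactly the ones whose absence lets an attacker-chosen length become a write past a stack buffer. The vendor fix in Snort 2.6.1.3 is the authoritative correction; this example only illustrates the class.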

US-CERT is tracking this vulnerability as VU#196240. This vulnerability has been assigned CVE number CVE-2006-5276. Further information is available in advisories from Sourcefire and ISS.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the Snort process, since the preprocessor runs inside that process. Snort is commonly started as root; running it with the -u and -g options to drop privileges after startup (and -t to chroot) limits, but does not eliminate, the impact of a successful exploit.

Solution

Upgrade

Snort 2.6.1.3 is available from the Snort download site. Sourcefire customers should visit the Sourcefire Support Login site and apply SEU 64 or later. The running version can be confirmed with snort -V; other products that bundle Snort or its components should be checked against their vendor's guidance.

Disable the DCE/RPC Preprocessor

To disable the DCE/RPC preprocessor, comment out the line that loads the preprocessor in the Snort configuration file (typically /etc/snort.conf on UNIX and Linux systems):

[/etc/snort.conf]
...
#preprocessor dcerpc...
...

Restart Snort for the change to take effect. Running snort -T -c /etc/snort.conf beforehand checks that the edited file still parses; the startup output shows which preprocessors were configured, so the dcerpc preprocessor should no longer appear there.

Disabling the preprocessor will prevent Snort from reassembling fragmented SMB and DCE/RPC packets. This may allow attacks to evade the IDS.

Revision History

  • February 19, 2007: Initial release