Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: snort (200304-05)
Date: Tue, 22 Apr 2003 09:47:10
Message-Id: 20030422074156.45EA2339A7@mail1.tamperd.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200304-05
- - - ---------------------------------------------------------------------

PACKAGE : snort
SUMMARY : Multiple Vulnerabilities in Snort Preprocessors
DATE : 2003-04-22 07:41 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <snort-2.0.0
FIXED VERSION : >=snort-2.0.0
CVE : CAN-2003-0029 CAN-2003-0033

- - - ---------------------------------------------------------------------

- - From advisories:

"The Sourcefire Vulnerability Research Team has learned of an integer overflow
in the Snort stream4 preprocessor used by the Sourcefire Network Sensor
product line. The Snort stream4 preprocessor (spp_stream4) incorrectly
calculates segment size parameters during stream reassembly for certain
sequence number ranges which can lead to an integer overflow that can be
expanded to a heap overflow.

The Snort stream4 flaw may lead to a denial of service (DoS) attack or
remote command execution on a host running Snort. This attack can be launched
by crafting TCP stream packets and transmitting them over a network segment
that is being monitored by a vulnerable Snort implementation. In its
default configuration, certain versions of snort are vulnerable to this
attack, as is the default configuration of the Snort IDS."

"Remote attackers may exploit the buffer overflow condition to run
arbitrary code on a Snort sensor with the privileges of the Snort IDS
process, which typically runs as the superuser. The vulnerable
preprocessor is enabled by default. It is not necessary to establish an
actual connection to a RPC portmapper service to exploit this
vulnerability."

Read the full advisories at:
http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951
http://www.snort.org/advisories/snort-2003-04-16-1.txt

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-analyzer/snort upgrade to snort-2.0.0 as follows:

emerge sync
emerge snort
emerge clean

- - - ---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+pPJDfT7nyhUpoZMRAh7CAJ9XFxvHhKal5RATFxolc5cXe+VU/gCfQuSe
4d/yDOhRLnIaN1oJiBLonWE=
=4IOX
-----END PGP SIGNATURE-----
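
Added example, not part of the advisory and not Snort's code: the quoted advisory attributes the stream4 flaw to a segment-size miscalculation for certain sequence number ranges. The C code below uses a constructed buffer size and hypothetical function names to show how unsigned 32-bit sequence arithmetic wraps, and how a reassembly copy can be bounded so that no intermediate value can wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FLUSH_BUF_SIZE 64u /* constructed size for this example */

/* Naive size calculation: when end_seq lies before base_seq, the
 * unsigned subtraction wraps to a value close to 2^32. */
static uint32_t naive_span(uint32_t base_seq, uint32_t end_seq)
{
    return end_seq - base_seq;
}

/* Serial-number comparison: true when a precedes b in sequence space. */
static int seq_before(uint32_t a, uint32_t b)
{
    return ((a - b) & 0x80000000u) != 0;
}

/* Copy one segment into a buffer that represents sequence numbers
 * [base_seq, base_seq + FLUSH_BUF_SIZE). Returns the bytes copied, or 0
 * when the segment is rejected. Segments that start before the window
 * are rejected outright instead of being trimmed, to keep this short. */
static size_t copy_segment(uint8_t *buf, uint32_t base_seq, uint32_t seg_seq,
                           const uint8_t *data, uint32_t len)
{
    uint32_t off;

    if (len == 0 || len > FLUSH_BUF_SIZE) return 0;
    if (seq_before(seg_seq, base_seq)) return 0; /* would wrap below */
    off = seg_seq - base_seq;                    /* distance into the window */
    if (off >= FLUSH_BUF_SIZE) return 0;         /* starts past the buffer */
    if (len > FLUSH_BUF_SIZE - off) return 0;    /* subtraction cannot wrap */
    memcpy(buf + off, data, len);
    return len;
}

int main(void)
{
    uint8_t buf[FLUSH_BUF_SIZE] = {0};
    uint8_t data[16] = {0};

    printf("naive span for base=100 end=90: %u\n", (unsigned)naive_span(100u, 90u));
    printf("segment before window:  %zu\n", copy_segment(buf, 100u, 90u, data, 10u));
    printf("segment across seq wrap: %zu\n",
           copy_segment(buf, 0xFFFFFFF0u, 0x00000004u, data, 10u));
    return 0;
}
```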