ISS Coverage |
| Product |
Content Version |
Network Sensor 7.0
Proventia A
Proventia IPS (G/GX) prior to Firmware Version 1.2
Server Sensor 7.0 |
24.56 |
Proventia IPS (G/GX) Firmware Version 1.2 or
later
Proventia Multifunction Appliance
Proventia Server (Linux) |
1.95 |
| Proventia Server (Windows) |
1.0.914.1960 |
| Proventia Desktop |
8.0.x.1960 |
| RealSecure Desktop 7.0 (AM SP 6.73 or 7.73) |
EQB |
| BlackICE PC Protection 3.6 |
CQB |
|
|
|
|
|
Detailed Description |
| Business Impact: |
Compromise of machines using affected versions of Snort or Sourcefire may lead to exposure of confidential information, loss of productivity, and further compromise. Successful exploitation of this vulnerability results in remote code execution with the privilege level of Snort, usually root or SYSTEM. Exploitation of this vulnerability does not require user interaction. |
| CVSS: |
Base Score: |
10 |
| |
Access Vector: |
Remote |
| Access Complexity: |
Low |
| Authentication: |
Not Required |
| Confidentiality Impact: |
Complete |
| Integrity Impact: |
Complete |
| Availability Impact: |
Complete |
| Impact Bias: |
Normal |
| Adjusted Temporal Score: |
7.4 |
| |
Exploitability: |
Unproven |
| Remediation Level: |
Official Fix |
| Report Confidence: |
Confirmed |
| Affected Products: |
- Snort 2.6.1, 2.6.1.1, and 2.6.1.2
- Snort 2.7.0 beta 1
- Sourcefire Intrusion Sensors versions 4.1.x, 4.5.x, and 4.6.x with SEUs prior to SEU 64
- Sourcefire Intrusion Sensor Software for Crossbeam versions 4.1.x, 4.5.x and 4.6.x with SEUs prior to SEU 64
|
| Technical Description: |
Snort is vulnerable to a stack-based buffer overflow as a result of DCE/RPC reassembly. This vulnerability is in a dynamic-preprocessor enabled in the default configuration, and the configuration for this preprocessor allows for auto-recognition of SMB traffic to perform reassembly on. No checks are performed to see if the traffic is part of a valid TCP session, and multiple Write AndX requests can be chained in the same TCP segment. As a result, an attacker can exploit this overflow with a single TCP PDU sent across a network monitored by Snort or Sourcefire. |
| Workarounds: |
The affected Snort versions use a DCE/RPC + SMB preprocessor for reassembling DCE/RPC messages fragmented across multiple higher-level protocol messages. The SMB preprocessor in particular exists primarily to reassemble DCE/RPC IPC transactions conducted via an NT named pipe over SMB.
Snort users who cannot upgrade immediately are advised to disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic. After upgrading, customers should re-enable the DCE/RPC preprocessor. |
|
References |
|
|
Revision History |
|
|
|
About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.
|
