Apologies for straying off topic, but speaking of Snort:

OVERVIEW

Snort is an open-source and freely available IDS product. Internet Security Systems' X-Force has discovered a buffer overflow flaw in Snort RPC preprocessing code that can lead to a Denial of Service or complete remote compromise of the Snort sensor.

HOW BIG IS THE RISK?

Remote attackers can exploit the Snort vulnerability by directing an exploit towards any host on any network monitored by the Snort intrusion detection system. A successful attack can either crash the Snort sensor, or lead to complete remote compromise. Network IDS systems, including Snort, are privy to large volumes of network traffic. Compromise of Snort sensors could lead to disclosure of sensitive information that could be used to further compromise internal networks. As an open source and free IDS product, Snort is supported by volunteer programmers and is not a commercially supported product.

WHAT IS THE VULNERABILITY?

A buffer overflow flaw exists in Snort RPC preprocessing code that is vulnerable to attack. In Snort 1.8, support was added to detect attacks that used RPC fragmentation as an IDS evasion technique. When processing this traffic, Snort does not properly check fragment sizes against the amount of space remaining in the preprocessing buffer, thus creating a buffer overflow condition that can lead to remote compromise of Snort sensors.

WHAT SYSTEMS ARE AT RISK?

Snort 1.8 (July 2001) up to and including Snort-Current.

ISS REALSECURE PROTECTION

The following previously released Internet Security Systems X-Press Update provides a virtual patch for the issue described in this advisory. This update is available from the ISS Download center http://www.iss.net/download .

RealSecure Network Sensor XPU 20.10 and 5.9:
RPC_Large_Fragmented - (http://www.iss.net/security_center/static/10956.php)

OTHER RECOMMENDATIONS

For manual patching, a temporary solution may be to disable the RPC preprocessor.
Please note that doing so will potentially allow any RPC-based attacks to avoid detection by Snort. The vulnerable preprocessor can be disabled by commenting out the following line within the "snort.conf" configuration file:

    #preprocessor rpc_decode: 111 32771

Internet Security Systems * 6303 Barfield Road * Atlanta, GA 30328 * 800-776-2362 * www.iss.net

X-Force Database
http://www.iss.net/security_center/static/10956.php

I received the warning in the channel on March 4, 2003, 1:09 PM.

--
Ionut
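
The check the advisory says was missing (fragment size against space remaining in the buffer), shown in an added sketch that is not Snort's code and not part of the original message. It assumes ONC RPC record marking over TCP; the function name, the 8-byte buffer and the sample byte streams are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample streams (not captured traffic); 8-byte buffer for the demo. */
static const uint8_t two_frags[] = {0,0,0,2,'a','b', 0x80,0,0,3,'c','d','e'};
static const uint8_t too_big[]   = {0,0,0,6,'a','b','c','d','e','f',
                                    0x80,0,0,6,'g','h','i','j','k','l'};
static const uint8_t truncated[] = {0x80,0,0,4,'a'};
static uint8_t reasm_buf[8];

/* Hypothetical helper, not Snort code. Joins record-marked RPC fragments:
 * 4-byte big-endian header, top bit = last fragment, low 31 bits = length.
 * Returns the reassembled length, or -1 if the data is truncated or the
 * fragments would not fit in out[]. */
long rpc_reassemble(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    for (;;) {
        if (in_len - ip < 4)
            return -1;                      /* no complete fragment header */
        uint32_t hdr = ((uint32_t)in[ip] << 24) | ((uint32_t)in[ip + 1] << 16) |
                       ((uint32_t)in[ip + 2] << 8) | (uint32_t)in[ip + 3];
        ip += 4;
        size_t frag = hdr & 0x7fffffffu;
        /* Fragment size vs. space remaining in the buffer. Subtracting on the
         * right keeps the comparison from wrapping the way op + frag could. */
        if (frag > out_cap - op)
            return -1;
        if (frag > in_len - ip)
            return -1;                      /* header claims more than we hold */
        memcpy(out + op, in + ip, frag);
        ip += frag;
        op += frag;
        if (hdr & 0x80000000u)
            return (long)op;                /* last-fragment bit set */
    }
}

int main(void)
{
    printf("%ld %ld %ld\n",
           rpc_reassemble(two_frags, sizeof two_frags, reasm_buf, sizeof reasm_buf),
           rpc_reassemble(too_big, sizeof too_big, reasm_buf, sizeof reasm_buf),
           rpc_reassemble(truncated, sizeof truncated, reasm_buf, sizeof reasm_buf));
    return 0;
}
```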
