National Cyber Alert System
Technical Cyber Security Alert TA07-050A

Sourcefire Snort DCE/RPC Preprocessor Buffer Overflow

Original release date: February 19, 2007
Last revised: --
Source: US-CERT

Systems Affected

  • Snort 2.6.1, 2.6.1.1, and 2.6.1.2
  • Snort 2.7.0 beta 1
  • Sourcefire Intrusion Sensors version 4.1.x, 4.5.x, and 4.6.x with SEUs prior to SEU 64
  • Sourcefire Intrusion Sensors for Crossbeam version 4.1.x, 4.5.x, and 4.6.x with SEUs prior to SEU 64
Other products that use Snort or Snort components may be affected.

Overview

A stack buffer overflow vulnerability in the Sourcefire Snort DCE/RPC preprocessor could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the Snort process.


I. Description

Sourcefire Snort is a widely-deployed, open-source network intrusion detection system (IDS). Snort and its components are used in other IDS products, notably Sourcefire, and Snort is included with a number of operating system distributions. The DCE/RPC preprocessor reassembles fragmented SMB and DCE/RPC traffic before passing data to the Snort rules.

The vulnerable code does not properly reassemble certain types of SMB and DCE/RPC packets. An attacker could exploit this vulnerability by sending a specially crafted TCP packet to a host or network monitored by Snort. The DCE/RPC preprocessor is enabled by default, and it is not necessary for an attacker to complete a TCP handshake.

US-CERT is tracking this vulnerability as VU#196240. This vulnerability has been assigned CVE number CVE-2006-5276. Further information is available in advisories from Sourcefire and ISS.


II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the Snort process (the preprocessor runs inside that process, so its privilege level is whatever Snort itself was started with).


III. Solution

Upgrade

Snort 2.6.1.3 is available from the Snort download site. Sourcefire customers should visit the Sourcefire Support Login site.

Disable the DCE/RPC Preprocessor

To disable the DCE/RPC preprocessor, comment out the line that loads the preprocessor in the Snort configuration file (typically /etc/snort.conf on UNIX and Linux systems):


[/etc/snort.conf]

...
#preprocessor dcerpc...
...

Restart Snort for the change to take effect.

Disabling the preprocessor will prevent Snort from reassembling fragmented SMB and DCE/RPC packets. This may allow attacks to evade the IDS.
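The following script is an added example, not part of the US-CERT advisory or of the Snort project. It automates the two checks above on a copy of snort.conf: it comments out the "preprocessor dcerpc" stanza, including the backslash-continued option lines that the stock configuration uses (the exact option names in the constructed sample are assumptions), and it reports whether a version string, bare or as printed by "snort -V", is one the advisory lists as affected.

```shell
#!/bin/sh
# Added example (not from the US-CERT advisory or the Snort project):
# comment out the DCE/RPC preprocessor stanza in a Snort config and
# decide whether a Snort version string is one the advisory lists.

# Comment out the "preprocessor dcerpc" stanza in the config file given
# as $1, including option lines continued with a trailing backslash.
# Writes the edited config to stdout; the caller chooses the destination.
disable_dcerpc() {
    awk '
        # Start of the dcerpc stanza: begin commenting.
        /^[[:space:]]*preprocessor[[:space:]]+dcerpc/ { inblock = 1 }
        inblock {
            print "#" $0
            # A trailing backslash means the stanza continues on the next line.
            if ($0 !~ /\\[[:space:]]*$/) inblock = 0
            next
        }
        { print }
    ' "$1"
}

# Return 0 (true) when $1 names an affected release, 1 otherwise.
# Accepts a bare version ("2.6.1.2") or a "snort -V" line such as
# "   Version 2.6.1.2 (Build 34)" (the build number is a constructed sample).
snort_version_affected() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*[Vv]ersion[[:space:]]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || v=$1
    case "$v" in
        2.6.1|2.6.1.1|2.6.1.2) return 0 ;;
        # Only 2.7.0 beta 1 is listed; "snort -V" does not print "beta",
        # so any 2.7.0 pre-release is flagged for a manual look (assumption).
        2.7.0) return 0 ;;
        *) return 1 ;;
    esac
}
```

Typical use: "snort_version_affected "$(snort -V 2>&1 | grep -i version)"" to confirm whether the installed binary needs the 2.6.1.3 upgrade, and "disable_dcerpc /etc/snort.conf > /etc/snort.conf.new" followed by "snort -T -c /etc/snort.conf.new" to have Snort parse the edited file in test mode before it replaces the live configuration and Snort is restarted.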


IV. References



Feedback can be directed to US-CERT.


Produced 2007 by US-CERT, a government organization.

Revision History

February 19, 2007: Initial release

Last updated February 19, 2007