Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Sourcefire addresses Snort vulnerability - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Sourcefire addresses Snort vulnerability
The Sourcefire Vulnerability Research Team (VRT) today announced a vulnerability found in the DCE/RPC preprocessor in Snort and Sourcefire Intrusion Sensors.  The DCE/RPC preprocessor is vulnerable to a stack-based buffer overflow that could potentially allow an attacker to execute code with the same privileges as the Snort binary.
There are no publicly available exploits for this vulnerability at this time.
Mitigation for Snort:  If, for some reason, you can’t upgrade your version of Snort to v2.6.1.3, you can turn off the DCE/RPC preprocessor in your snort.conf file by commenting it out and restarting Snort.  Upgrading to the new version of Snort is highly recommended as soon as possible.  The new version of Snort is available here.
Your snort.conf will have an entry like:
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
Just comment out these lines like:
#preprocessor dcerpc: \
#    autodetect \
#   max_frag_size 3000 \
#    memcap 100000
and restart Snort.  Then upgrade to v2.6.1.3.
If you have a Sourcefire Intrusion Sensor, Sourcefire released SEU 64 today that patches this vulnerability, and this update can be downloaded from the Sourcefire Customer Support Web Site.  After downloading and installing SEU 64, you will need to re-push your policies out from your Defense Center.
Mitigation for Sourcefire customers:  If, for some reason, you can’t update your SEU, edit your policies, uncheck the DCE/RPC “Enabled” check box, and re-push your policy until you can upgrade.
This vulnerability has been identified as CVE-2006-5276.
Joel Esler
(Yes, I am a Sourcefire employee)

454 Posts
Feb 19th 2007

Sign Up for Free or Log In to start participating in the conversation!