The Sourcefire Vulnerability Research Team (VRT) today announced a vulnerability found in the DCE/RPC preprocessor in Snort and Sourcefire Intrusion Sensors. The DCE/RPC preprocessor is vulnerable to a stack-based buffer overflow that could potentially allow an attacker to execute code with the same privileges as the Snort binary.
There are no publicly available exploits for this vulnerability at this time.
Mitigation for Snort: If, for some reason, you can’t upgrade your version of Snort to v184.108.40.206, you can turn off the DCE/RPC preprocessor in your snort.conf file by commenting it out and restarting Snort. Upgrading to the new version of Snort is highly recommended as soon as possible. The new version of Snort is available here.
Your snort.conf will have an entry like:
preprocessor dcerpc: \
max_frag_size 3000 \
Just comment out these lines like:
#preprocessor dcerpc: \
# autodetect \
# max_frag_size 3000 \
# memcap 100000
and restart Snort. Then upgrade to v220.127.116.11.
If you have a Sourcefire Intrusion Sensor, Sourcefire released SEU 64 today that patches this vulnerability, and this update can be downloaded from the Sourcefire Customer Support Web Site. After downloading and installing SEU 64, you will need to re-push your policies out from your Defense Center.
Mitigation for Sourcefire customers: If, for some reason, you can’t update your SEU, edit your policies, uncheck the DCE/RPC “Enabled” check box, and re-push your policy until you can upgrade.
This vulnerability has been identified as CVE-2006-5276.
(Yes, I am a Sourcefire employee)
Feb 19th 2007
1 decade ago