Exploit Against Popular 'Snort' Network Utility Close At Hand - InformationWeek


01:31 PM


Security researchers say it is imperative that users patch or apply a work-around for an intrusion detection system vulnerability announced earlier this week.

Creating an exploit for the serious Snort intrusion detection system vulnerability announced earlier this week takes just two hours, a security researcher said Thursday, making it imperative that users patch or apply a work-around immediately.

"We're very close to full exploitation," wrote SANS Internet Storm Center (ISC) researcher Ed Skoudis Thursday. "Shut off that darn preprocessor ASAP. Check with your vendors if you suspect your commercial product may have Snort code."

Also on Thursday, another ISC researcher claimed he had assembled a working exploit against the Snort vulnerability in two hours, although he was not going to release it to the public.

Sourcefire, the developer of Snort, however, thinks that such dire warnings are unnecessary at this point. "It's more of a non-issue now," said Michele Perry, the head of marketing at Sourcefire. "All customers have had access to a patch [since Tuesday], or they've had instructions on how to turn off the preprocessor that's vulnerable."

To an extent, the ISC agreed: it lowered its Infocon alert from "Yellow" to "Green" on Thursday, saying on its site that "if you haven't shut off the Back Orifice preprocessor by now or come up with another work-around, you probably aren't going to in the near future."

A poster to the Full Disclosure security mailing list, however, said Wednesday that he'd made progress on an exploit which would work as a plug-in to the Metasploit framework, a break-in tool that runs on Unix.

"Attached some in-progress code for the snort bug," wrote someone identified as "HD Moore." "Any ideas on making this more reliable?"

The vulnerability is in a Snort preprocessor used to detect the older Back Orifice Trojan. A single UDP packet can trigger a stack-based overflow, allowing an attacker to fully compromise a system or appliance running Snort or Sourcefire.

Snort is an open-source intrusion detection system (IDS) used by more than 100,000 companies and government agencies to defend networks, according to its developer, Sourcefire. The Snort code is also tucked inside at least 45 commercially-sold IDS appliances.

"If we haven't said it loudly enough already, upgrade your Snort sensors or disable the Back Orifice preprocessor if running the vulnerable versions of Snort 2.4," the ISC advised in a follow-up warning Thursday.
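
The work-around the ISC describes, disabling the Back Orifice preprocessor, can be verified on a sensor by checking that no active `preprocessor bo` line remains in the Snort configuration or in any file it includes. The following is an added example, not part of the original article and not Sourcefire's code; it assumes the usual `snort.conf` syntax (`preprocessor bo`, `include <file>`, `#` comments), and the file names and sample configuration are constructed.

```python
import os
import re
import tempfile

# Active (uncommented) Back Orifice preprocessor directive, with or without options.
BO_RE = re.compile(r"^\s*preprocessor\s+bo\s*(:.*)?$")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")

def find_active_bo(conf_path, _seen=None):
    """Return [(file, line_no, directive)] for each enabled 'preprocessor bo' line,
    following relative 'include' directives (variable-based paths are skipped)."""
    seen = set() if _seen is None else _seen
    real = os.path.realpath(conf_path)
    if real in seen or not os.path.isfile(real):
        return []
    seen.add(real)  # guards against include loops
    hits = []
    with open(real, encoding="utf-8", errors="replace") as fh:
        for line_no, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
            if BO_RE.match(line):
                hits.append((real, line_no, line))
            inc = INCLUDE_RE.match(line)
            if inc and "$" not in inc.group(1):
                child = os.path.join(os.path.dirname(real), inc.group(1))
                hits.extend(find_active_bo(child, seen))
    return hits

def demo():
    """Audit a constructed two-file configuration (sample data, not a real sensor)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "snort.conf"), "w") as fh:
            fh.write("preprocessor stream4_reassemble\n"
                     "# preprocessor bo\n"          # work-around applied here
                     "include sensor-local.conf\n")
        with open(os.path.join(d, "sensor-local.conf"), "w") as fh:
            fh.write("preprocessor bo   # re-enabled by an included file\n")
        found = find_active_bo(os.path.join(d, "snort.conf"))
        return [(os.path.basename(f), n, text) for f, n, text in found]

if __name__ == "__main__":
    for name, line_no, text in demo():
        print(f"{name}:{line_no}: Back Orifice preprocessor still enabled: {text}")
```

An empty result only shows that the configuration files no longer load the preprocessor; a running sensor has to be restarted before the change takes effect.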
