Exploit Against Popular 'Snort' Network Utility Close At Hand
Security researchers say it is imperative that users patch or apply a work-around for an intrusion detection system vulnerability announced earlier this week.
Creating an exploit for the serious Snort intrusion detection system vulnerability announced earlier this week takes just two hours, a security researcher said Thursday, making it imperative that users patch or apply a work-around immediately.
"We're very close to full exploitation," wrote SANS Internet Storm Center (ISC) researcher Ed Skoudis Thursday. "Shut off that darn preprocessor ASAP. Check with your vendors if you suspect your commercial product may have Snort code."
Also on Thursday, another ISC researcher claimed he had assembled a working exploit against the Snort vulnerability in two hours, although he was not going to release it to the public.
Sourcefire, the developer of Snort, however, thinks that such dire warnings are unnecessary at this point. "It's more of a non-issue now," said Michele Perry, the head of marketing at Sourcefire. "All customers have had access to a patch [since Tuesday], or they've had instructions on how to turn off the preprocessor that's vulnerable."
To an extent, the ISC agreed: it lowered its Infocon alert from "Yellow" to "Green" on Thursday, saying on its site that "if you haven't shut off the Back Orifice preprocessor by now or come up with another work-around, you probably aren't going to in the near future."
A poster to the Full Disclosure security mailing list, however, said Wednesday that he'd made progress on an exploit which would work as a plug-in to the Metasploit framework, a break-in tool that runs on Unix.
"Attached some in-progress code for the snort bug," wrote someone identified as "HD Moore". "Any ideas on making this more reliable?"
The vulnerability is in a Snort preprocessor used to detect the older Back Orifice Trojan. A single UDP packet can trigger a stack-based overflow, allowing an attacker to fully compromise a system or appliance running Snort or Sourcefire.
Snort is an open-source intrusion detection system (IDS) used by more than 100,000 companies and government agencies to defend networks, according to its developer, Sourcefire. The Snort code is also tucked inside at least 45 commercially-sold IDS appliances.
"If we haven't said it loudly enough already, upgrade your Snort sensors or disable the Back Orifice preprocessor if running the vulnerable versions of Snort 2.4," the ISC advised in a follow-up warning Thursday.
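As an added example of the work-around the ISC describes (this is not code from the article, the ISC or Sourcefire), the Python below audits a snort.conf for an active Back Orifice preprocessor and comments it out. The `preprocessor bo` directive name is assumed from Snort 2.4's configuration syntax, and the config excerpt is constructed.

```python
import re

# Constructed snort.conf excerpt (not taken from the article); the
# `preprocessor bo` directive name is assumed.
SAMPLE_CONF = """\
# Back Orifice detection
preprocessor bo
preprocessor frag3_global
  preprocessor   bo: noalert
"""

# A preprocessor line: the keyword, a name, and optional ": options".
PREPROC_RE = re.compile(r"^\s*preprocessor\s+(\w+)\s*(?::\s*(.*))?$")


def active_preprocessors(conf_text):
    """Return the names of preprocessors that are enabled (not commented out)."""
    names = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment, so not an active directive
        m = PREPROC_RE.match(stripped)
        if m:
            names.append(m.group(1))
    return names


def bo_preprocessor_enabled(conf_text):
    """True if the config still loads the vulnerable Back Orifice preprocessor."""
    return "bo" in active_preprocessors(conf_text)


def disable_bo_preprocessor(conf_text):
    """Return a copy of the config with every active `preprocessor bo` line
    commented out; all other lines are left untouched."""
    out = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        m = PREPROC_RE.match(stripped)
        if m and m.group(1) == "bo":
            out.append("# disabled (Back Orifice work-around): " + stripped)
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

Run `bo_preprocessor_enabled` over each sensor's snort.conf (and any files it includes) before trusting a "patched" status; an upgraded binary with an unchanged config still loads the preprocessor.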