
Flaw Discovered In Snort Intrusion Prevention Technology

By Kevin McLaughlin, CRN
June 01, 2006    5:41 PM ET

A recently discovered security issue in Snort, the open source intrusion detection and prevention technology used in government agencies and many large corporations, could let attackers slip web attacks past Snort undetected and reach the machines it is meant to protect.

Researchers from Demarc, a Carpinteria, Calif.-based security vendor, discovered the flaw May 17 and released a patch earlier this week. They found that a hand-crafted HTTP request (for example, one typed into a telnet session to a web server port) evades Snort detection if a carriage return is inserted after the URL, before the HTTP protocol declaration at the end of the request line, said Joel Ebrahimi, director of application development at Demarc.

Although there are no blatant flaws in the Snort code, the discovery is significant because a request built this way bypasses up to 2,000 Uniform Resource Identifier (URI) content rules written in the Snort rule language, so the attack it carries reaches the web server without triggering an alert, Ebrahimi added.
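The mechanism described above, as an added illustration that is not code from the article, from Demarc, or from Sourcefire: the same request line is run through two toy request-line parsers. The strict one is an assumed stand-in for an inspector that only recognises a URI when the line splits into method, URI and version on spaces and tabs; the lenient one is an assumed stand-in for a web server that also treats a bare carriage return as whitespace. Neither is Snort's http_inspect or Apache's real parser, and the rule names and substrings are constructed, not real Snort signatures. Everything below is an assumption made for the example.

```python
"""Added example: request-line parser differential behind the evasion.

Assumptions (not taken from the article): an inspector that splits the
request line only on SP/HT and needs a version token will extract no URI
when a CR sits between URI and version, so its URI-content rules cannot
fire; a server that treats the lone CR as whitespace still serves the
request.  Rule names/substrings are constructed for the demo.
"""

import re

# Constructed stand-ins for uricontent-style rules (not real Snort rules).
URICONTENT_RULES = {
    "constructed cgi probe": b"/cgi-bin/probe",
    "constructed traversal": b"/etc/passwd",
}


def build_request(uri: bytes, evade: bool) -> bytes:
    """Build a GET request; with evade=True a CR replaces the space that
    normally separates the URI from the HTTP version declaration."""
    sep = b"\r" if evade else b" "
    return b"GET " + uri + sep + b"HTTP/1.0\r\nHost: example.test\r\n\r\n"


def first_line(request: bytes) -> bytes:
    """Request line up to the first LF, with a trailing CR stripped."""
    line, _, _ = request.partition(b"\n")
    return line.rstrip(b"\r")


def _split_request_line(line: bytes, delimiters: bytes):
    parts = re.split(b"[" + delimiters + b"]+", line.strip(delimiters))
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None  # not recognised as an HTTP request line
    return parts[1]


def strict_request_line(request: bytes):
    """Assumed inspector model: delimiters are SP and HT only.  A bare CR
    glues URI and version into one token, so no URI is extracted."""
    return _split_request_line(first_line(request), b" \t")


def lenient_request_line(request: bytes):
    """Assumed server model: a bare CR is whitespace like SP/HT."""
    return _split_request_line(first_line(request), b" \t\r")


def match_uricontent(uri, rules=URICONTENT_RULES):
    """Names of rules whose substring appears in the extracted URI.
    An inspector that extracted no URI matches nothing."""
    if uri is None:
        return []
    return sorted(name for name, needle in rules.items() if needle in uri)


def compare(uri: bytes):
    """Return (inspector alerts, server-side URI) for normal and evasive
    requests, so the differential is visible in one call."""
    result = {}
    for evade in (False, True):
        req = build_request(uri, evade)
        result[evade] = (
            match_uricontent(strict_request_line(req)),
            lenient_request_line(req),
        )
    return result


if __name__ == "__main__":
    for evade, (alerts, served) in compare(b"/cgi-bin/probe").items():
        print(f"evade={evade}: inspector alerts={alerts}, server URI={served}")
```

The lesson is the one every IDS evasion paper makes: the detector must normalise traffic the way the protected endpoint does. Here the fix is simply to treat the same byte as a delimiter on both sides, which is the kind of change a preprocessor patch would make.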

Although the flaw makes it possible to evade Snort detection, it doesn't enable any other type of attack, and it applies only to a particular subset of Snort rules and only when the protected web server is Apache, said Michele Perry, chief marketing officer at SourceFire, the Columbia, Md., security software vendor that manages the open source Snort.

"We think it's a manageable issue," said Perry, who said SourceFire is working on patches for versions 2.4 and 2.6 of Snort and plans to release them Monday.

There is some disagreement between the two sides as to whether proper protocol was followed in announcing the issue. According to Ebrahimi, Demarc notified SourceFire and gave it full details of the flaw on May 18. Five days later, SourceFire responded and said it was working on a patch. When SourceFire declined to share a copy of that patch, Demarc decided to write one of its own, which it released May 31.

"We were concerned about [the vulnerability] being in the wild -- you never know with open source if someone already knows about [a vulnerability]," Ebrahimi said. Demarc released the patch initially only to Snort-specific user lists to keep a low profile, he added.

However, SourceFire's position is that Demarc didn't follow standard industry protocol for releasing information on vulnerabilities. "This could have been patched, but [Demarc] chose to go for the publicity," said Perry.

