Sourcefire Warns Of Critical Snort IDS Vulnerability

The stack-based buffer overflow flaw affects Snort 2.6.1, 2.6.1.1 and 2.6.1.2 and Snort 2.7.0 beta 1. Sourcefire Intrusion Sensors versions 4.1.x, 4.5.x and 4.6.x with SEUs prior to SEU 64 also are affected, according to a U.S. Computer Emergency Readiness Team (US-CERT) bulletin released Monday.

Columbia, Md.-based Sourcefire advised Snort 2.6.1.x users to upgrade immediately to Snort 2.6.1.3 and said Snort 2.7 beta users can protect their systems disabling the DCE/RPC preprocessor, which comes enabled by default.

In a Deepsight Threat Management System bulletin, Symantec said hackers could exploit the flaw by sending specially crafted Server Message Block (SMB) network data in specially rigged "DCE" and "RPC" network packets to a vulnerable application. SMB is an application-level network protocol used for shared access to files, printers, serial ports and communications between network nodes.

The open-source Snort IDS software works with Linux, Unix and Windows platforms and is used by U.S. Department Of Defense networks, as well as many large enterprises. Sourcefire, which oversees the commercial development of Snort, last October filed for a $75 million initial public offering.

Security firm Secunia rated the Snort threat highly critical, or 4 on a 5-point scale, and Symantec assigned the vulnerability its highest rating of 10.

Sourcefire last month fixed a remotely exploitable flaw that hackers could use to launch denail-of-service attacks and disable malicious traffic detection.