Researchers Unearth New Snort Vulnerability

A successful exploit would cause the IDS system CPU to run at 100 percent capacity and knock out Snort's intrusion detection capabilities, allowing malicious traffic to bypass Snort filters and enter the network, said Randy Smith, a Ph.D. student in the Computer Sciences Department at the University of Wisconsin-Madison.

Smith was part of the team of researchers that informed Sourcefire of the vulnerability and provided the vendor with a fix for the vulnerability. Sourcefire has fixed the problem in Snort version 2.6.1; previous versions are vulnerable.

The exploit is not very difficult to achieve, but an attacker would need to understand how Snort's signature matching operation works and have a detailed understanding of the code, Smith added. The exploit requires minimal bandwidth and could be triggered by an attacker using a dialup modem.

Symantec Deepsight rated the severity of the flaw as 7.8 on a 10 point scale. Secunia saw it as less serious, giving it a rating of 'less critical', or 2 on a 5 point scale.

Sourcefire, which oversees commercial development of Snort, last October filed for a $75 million initial public offering. Snort is used by Department of Defense and other government agencies, as well as by several large U.S. corporations.

Sourcefire's Vulnerability Research Team was credited with discovering a remote code execution flaw in Microsoft Outlook which was fixed earlier this week in the Redmond, Wash.-based vendor's monthly patch release.