SecurityFocus, 2005-10-19
A three-month-old flaw in a preprocessor function for the open-source intrusion detection system may attract worm writers, but the number of vulnerable systems is likely low, security experts said on Wednesday.
The vulnerability exists in an update to the way the Snort intrusion detection system handles network data produced by the BackOrifice program, a seven-year-old remote administration tool used by online attackers to control compromised systems. A single specially-crafted user datagram protocol (UDP) packet--the fire-and-forget data of the Internet--could compromise any Snort system that inspects the packet.
"The main thing that concerns me is that it can be triggered with a single UDP packet, so any automatic exploitation would spread really fast," said Neel Mehta, vulnerability research team leader of network protection firm Internet Security Systems, which found the issue earlier this month. "It is hard to gauge worm writers' intentions, but on the technical merits, this is definitely a wormable flaw."
The flaw in Snort, which affects only versions 2.4.0 to 2.4.2, is the latest to affect a popular security product. Several critical flaws have been found in antivirus scanners in the past year, including in Symantec's AntiVirus and, most recently, in Kaspersky Lab's antivirus engine. A flaw in Internet Security Systems' software, found 18 months ago, became the vector for the spread of the Witty worm.
Internet Security Systems and Kaspersky Labs compete in some security markets with Symantec, the parent company of SecurityFocus.
The Internet Storm Center, a group of volunteers who monitor network threats, raised its general threat level to Infocon Yellow on Wednesday to reflect the danger that a worm may be created to spread using the Snort flaw. An exploit for the flaw will likely come out quickly because the vulnerability is a straightforward memory error known as a stack-based buffer overflow, said Johannes Ullrich, chief research officer for the Internet Storm Center and its parent, the SANS Institute. A recent Microsoft flaw that spurred worries of a potential worm is actually harder to exploit reliably, he said.
"The Snort issue is more dangerous because the exploit is really simple," Ullrich said.
A developer introduced the vulnerability into Snort in July, when the code for detecting the BackOrifice program was modified to discriminate between traffic going into or out of a network. Some customers of Sourcefire--the company that manages the Snort project and builds its own intrusion detection systems based on the software--had asked for the functionality, said Matt Watchinski, director of vulnerability research for Sourcefire.
"It was a feature request," he said. "We vet everything that goes into Snort, but as with all software, bugs are sometimes missed. Moving forward we intend to double our efforts to detect these sorts of issues."
Watchinski noted that the flaw had only been in the last three revisions of Snort, which made the vulnerability less than three months old. Sourcefire did not have a reliable estimate of the number or fraction of Snort users that might have upgraded to the 2.4.x version of the software, he said. Firewall maker Check Point Software announced this month that it would buy Sourcefire.
The fix for the flaw is simple, he added. Snort users can upgrade their software to the latest version, or at the very least, disable the BackOrifice preprocessor by commenting out its line in the configuration file.
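An added audit helper (not from the article, Snort or Sourcefire) that checks the two conditions described above on a sensor: a Snort build in the 2.4.0 to 2.4.2 range and an active BackOrifice preprocessor. It assumes the preprocessor is enabled by a `preprocessor bo` line in snort.conf, as in Snort 2.x configurations, and that `snort -V` prints a `Version x.y.z` line; the sample configs are constructed.

```shell
#!/bin/sh
# Added audit helper: flags a Snort install that is both in the affected
# 2.4.0-2.4.2 range and still has the Back Orifice preprocessor enabled.

# True (exit 0) only for the three releases the article names as affected.
snort_version_affected() {
    case "$1" in
        2.4.0|2.4.1|2.4.2) return 0 ;;
        *) return 1 ;;
    esac
}

# Pulls "x.y.z" out of `snort -V` style output such as "   Version 2.4.2 (Build 27)".
extract_snort_version() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True if the config has an active (not commented-out) "preprocessor bo" line.
# Assumes the Snort 2.x directive name; "bo:" followed by options is matched too.
bo_preprocessor_enabled() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+bo([[:space:]:]|$)' "$1"
}

# Prints a verdict; exit 1 only when both conditions hold.
audit_snort() {
    ver="$1"; conf="$2"
    if snort_version_affected "$ver" && bo_preprocessor_enabled "$conf"; then
        echo "VULNERABLE: Snort $ver with 'preprocessor bo' active - upgrade, or comment the line out"
        return 1
    elif snort_version_affected "$ver"; then
        echo "MITIGATED: Snort $ver, preprocessor disabled - still upgrade"
    else
        echo "NOT AFFECTED: Snort $ver is outside 2.4.0-2.4.2"
    fi
}

# Constructed sample configs (not from any real deployment) so this runs offline.
SAMPLE_DIR="${TMPDIR:-/tmp}/snort_bo_audit.$$"
mkdir -p "$SAMPLE_DIR"
printf 'preprocessor frag3_global\npreprocessor bo\n' > "$SAMPLE_DIR/enabled.conf"
printf 'preprocessor frag3_global\n# preprocessor bo\n' > "$SAMPLE_DIR/disabled.conf"

# On a real sensor: audit_snort "$(snort -V 2>&1 | extract_snort_version)" /etc/snort/snort.conf
audit_snort "$(printf '   Version 2.4.2 (Build 27)\n' | extract_snort_version)" "$SAMPLE_DIR/enabled.conf" || true
audit_snort 2.4.1 "$SAMPLE_DIR/disabled.conf"
audit_snort 2.3.3 "$SAMPLE_DIR/enabled.conf"
```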
While some security researchers have warned that disabling the BackOrifice detection by Snort may result in a resurgence of attacks using the program, ISS's Mehta discounted the threat of the seven-year-old program.
"BackOrifice is really not a credible threat," Mehta said. Instead, the ability to detect the program is a must-have feature for intrusion detection systems, he said.
While a worm is a distinct possibility, a widespread denial-of-service attack may be more likely, because it is easier to create an exploit for the flaw that crashes the system running Snort, said Sourcefire's Watchinski.
"We think that it is more likely to be a denial of service attack than a worm," he said. "Moreover, a lot of people are still running the 2.3.x codebase, which is not vulnerable."