In an interesting case of technical irony, a tool used to help security professionals detect intrusions into their networks is in fact vulnerable to intrusions itself. US-CERT issued an advisory this week warning that the open source Snort intrusion detection system had a highly critical buffer overflow vulnerability that could allow an attacker to execute arbitrary code.
Snort is widely used and deployed in its open source form and as a commercial product. Snort creator Martin Roesh founded Sourcefire in 2001 as a commercial vendor for Snort. In October, Check Point Software acquired Sourcefire for $225 million. Sourcefire claims that Snort has been downloaded more than 2 million times and is also included in over 40 commercially available intrusion detection systems.
The reported vulnerability resides in Snort’s Back Orifice pre-processor and can be trigged by a single UDP packet that triggers a stack-based overflow allowing the attacker to infiltrate the system. “To exploit this vulnerability, an attacker does not need to send packets directly to the Snort sensor,” the US-CERT advisory states. “It is sufficient to send packets to any of the hosts on the network monitored by Snort.” According to SANS Internet Storm Center (ISC), exploits based on the vulnerability have already been published and range from remote code-execution exploits to DoS attacks.
SANS ISC noted that they the Snort vulnerability is a “big deal” because it could potential lead to rapidly spreading worms since Snort is very popular.
Snort users are being urged to update to the Snort v2.4.3, which was released this week and fixes the vulnerability.