Snort: Remote execution of arbitrary code — GLSA 200703-01

The Snort DCE/RPC preprocessor contains a buffer overflow that could result in the remote execution of arbitrary code.

Affected packages

net-analyzer/snort on all architectures
Affected versions < 2.6.1.3
Unaffected versions >= 2.6.1.3

Background

Snort is a widely deployed intrusion detection program.

Description

The Snort DCE/RPC preprocessor does not properly reassemble certain types of fragmented SMB and DCE/RPC packets.

Impact

A remote attacker could send specially crafted fragmented SMB or DCE/RPC packets, without the need to finish the TCP handshake, that would trigger a stack-based buffer overflow while being reassembled. This could lead to the execution of arbitrary code with the permissions of the user running the Snort preprocessor.

Workaround

Disable the DCE/RPC processor by commenting the 'preprocessor dcerpc' section in /etc/snort/snort.conf .

Resolution

All Snort users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-analyzer/snort-2.6.1.3"

References

Release date
February 23, 2007

Latest revision
March 02, 2007: 02

Severity
high

Exploitable
remote

Bugzilla entries