Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193809
Summary: Snort URIContent Rules Detection Evasion Vulnerability Product: Fedora Extras Version: devel Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: snort AssignedTo: dennis@ausil.us ReportedBy: dennis@ausil.us QAContact: extras-qa@fedoraproject.org CC: extras-qa@fedoraproject.org,fedora-security- list@redhat.com
Snort is reportedly prone to a vulnerability that may allow malicious packets to bypass detection.
A successful attack can allow attackers to bypass intrusion detection and to carry out attacks against computers protected by Snort.
This vulnerability affects Snort 2.4.4. Other versions may be vulnerable as well.
there is no CVE yet
Demarc snort-2.4.4-demarc-patch.diff http://www.demarc.com/files/patch_20060531/snort-2.4.4-demarc-patch.diff
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.
Summary: CVE-2006-2769 Snort URIContent Rules Detection Evasion Vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193809
dennis@ausil.us changed:
What |Removed |Added ---------------------------------------------------------------------------- Summary|Snort URIContent Rules |CVE-2006-2769 Snort |Detection Evasion |URIContent Rules Detection |Vulnerability |Evasion Vulnerability Status|NEW |CLOSED Resolution| |NEXTRELEASE
------- Additional Comments From dennis@ausil.us 2006-06-02 11:24 EST ------- I've applied the supplied patch.
Fixed in 2.4.4-4
Hans would you mind doing an audit of the snort code? this is the second similar vulnerability this year
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.
Summary: CVE-2006-2769 Snort URIContent Rules Detection Evasion Vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193809
dennis@ausil.us changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|CLOSED |NEW Keywords| |Reopened Resolution|NEXTRELEASE |
------- Additional Comments From dennis@ausil.us 2006-06-02 16:08 EST ------- turns out that the patch is incomplete.
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.
Summary: CVE-2006-2769 Snort URIContent Rules Detection Evasion Vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193809
------- Additional Comments From ville.skytta@iki.fi 2006-06-03 14:47 EST ------- FYI: due to rawhide libpcap packaging issues, libpcap may have been statically linked in in the current devel snort package, see bug 193189 comment 2
One possible workaround: BuildRequire both libpcap and libpcap-devel
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.
Summary: CVE-2006-2769 Snort URIContent Rules Detection Evasion Vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193809
------- Additional Comments From ville.skytta@iki.fi 2006-06-29 05:48 EST ------- Ping, status update?
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.
Summary: CVE-2006-2769 Snort URIContent Rules Detection Evasion Vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193809
dennis@ausil.us changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |CURRENTRELEASE Fixed In Version| |2.6.0-1
------- Additional Comments From dennis@ausil.us 2006-06-29 07:34 EST ------- I was looking at thins last night. I have updated to 2.6.0 since and according to snort.org its fixed there
Sourcefire is aware of a possible Snort evasion that exists in the http_inspect preprocessor. This evasion case only applies to protected Apache web servers. We have prepared fixes for both the 2.4 and 2.6 branches and will have fully tested releases, including binaries, available for both on Monday, June 5th.
Evasion Details:
The Apache web server supports special characters in HTTP requests that do not affect the processing of the particular request. The current target-based profiles for Apache in the http_inspect preprocessor do not properly handle these requests, resulting in the possibility that an attacker can bypass detection of rules that use the "uricontent" keyword by embedding special characters in a HTTP request.
Background Information:
It is important to note that this is an evasion and not a vulnerability. This means that while it is possible for an attacker to bypass detection, Snort sensors and the networks they protect are not at a heightened risk of other attacks.
Timeline:
Sourcefire has prepared fixes and is currently finalizing a complete round of testing to ensure that the fixes not only solve the issue at hand but do not create new bugs as well. The following releases, including binaries for Linux and Windows deployments, will be available on Monday, June 5th:
* Snort v2.4.5 * Snort v2.6.0 final
Questions:
Any questions regarding these releases can be sent to snort-team@sourcefire.com.
security@lists.fedoraproject.org
-
Red Hat Bugzilla