Snort Suffers from 'Trivially Exploitable' Hole

By Michael Hall | Oct 20, 2005 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3558076/Snort-Suffers-from-Trivially-Exploitable-Hole.htm

A bit of functionality designed to detect a venerable Windows back door has prompted security researchers to warn of a potential root compromise in the Snort intrusion detection package.

According to an advisory released by Internet Security Systems (ISS), a vulnerability in Snort’s Back Orifice pre-processor opens the system running the software to remote attack and exploit. Back Orifice is a remote management tool that first surfaced in 1998, allowing users to control Windows systems. It has seen common use as a surreptitiously installed back door.

The firm said the vulnerability, triggerable with a single UDP packet, is "trivially exploitable."

The vulnerability can be easily mitigated by disabling the Back Orifice pre-processor, which is accomplished by commenting out the line preprocessor bo in the snort.conf configuration file.

Security firm Secunia has rated the vulnerability "highly critical," and recommended users immediately update to Snort v2.4.3.

In addition to the basic Snort application, a number of software packages and applications that use the open source Snort software share the vulnerability.