Security Watch

Snort Vulnerability Overstated?

Various factors need to align for serious damage to be done.

• By Russ Cooper
• 11/14/2005

The vulnerability involves how Snort handles traffic it would normally associate with Back Orifice, over UDP 31337, that arrives on *any other* port. That is, Back Orifice-like traffic on a port other than that associated with Back Orifice.

Dire predictions of a Snort worm have gotten media attention. There are several questions that define the risk of such a worm:

a) Are there sufficient Snort installations to make a worm propagate?

Arguable. Since the attack involves a single UDP packet, it’s possible to garner sufficient victim systems despite there not being many around (certainly nowhere near as many as Windows boxes, or even SQL Servers). Further, Snort runs on a variety of platforms and it's highly likely that the attack will have to be specific for each platform. So the Snort population is further divided.

b) Can such a worm propagate fast enough to impact prior to detection and removal?

Again, a UDP worm can spread very fast, as we saw with SQL Slammer. If the impact desired is widespread denial of service (DoS), then such a worm could certainly propagate fast enough. If the desire is to 0wn systems, then a fast-spreading high-profile worm is not the attack of choice, as it would be detected quickly within the Snort community. Of course, those who thought to install Snort, but have failed to maintain it, could easily succumb.

Slow-moving detection is going to be significantly more difficult given that all traffic needs to be examined (other than traffic destined for 31337.)

c) Would a worm yield the desired results?

If the desired result is a widespread DoS, yes. Otherwise no, as stated above.

Denial of Service
Cisco Content Services Switch SSL Denial of Service Vulnerability: Cisco 11500 Series Content Services Switches (CSS) running versions 7.1 through 7.5 of the Cisco WebNS operating system contain a vulnerability that could allow a remote attacker to create a DoS condition. The vulnerability exists due to a memory corruption error that occurs when processing malicious client certificates during SSL session negotiation.

While the exploit is fairly difficult and complex, if you’re a target of choice it may be something that gets abused. Extortion DoS comes to mind if you’re a vendor relying upon Client SSL Certificates.

RSA Authentication Agent for Web Buffer Overflow Vulnerability: Exploit released that can cause a stack overflow in the SecurID Web Agent for IIS. Attempts to exploit this flaw will result in the termination and potential restart of the IIS service. Again, Extortion DoS possibilities.

Malicious Code
Fanbot.A (Mytob?): Exploits the Microsoft Windows Plug and Play remote code execution vulnerability described in Microsoft Security Bulletin MS05-039 and Cybertrust Alert 9572. (Sophos has seen five variants, Trend has four variants and 100+ infections since Oct. 16; Symantec has it at two.)

One of the new malware forms is an infector of the RAR file extension. This suggests malware authors may be looking for new fodder, attacking a file type that has not recently been abused. Fortunately, RAR is not a file type that WinZip or Windows XP File Compression resolve by default.

Governance
The banking industry is being called upon to strengthen security for Internet customers. Federal regulators will require banks to augment user names and password authentication mechanisms, but so far details regarding how have not been specified.

Media stories have ranged from "the end of phishing as we know it" to "any bank that doesn’t want to, doesn’t have to implement stronger authentication." The truth will likely be somewhere in between.