Snort Vulnerability Overstated?
Various factors need to align for serious damage to be done.
Snort Back Orifice Preprocessor Buffer Overflow Vulnerability:
versions 2.4.0 through 2.4.2 contain a buffer overflow vulnerability in the
Back Orifice preprocessor that could allow a remote attacker to execute arbitrary
code on an affected system. Updates are available.
The vulnerability involves how Snort handles traffic it would normally associate
with Back Orifice (UDP 31337) when that traffic arrives on *any other* port. That is,
the trigger is Back Orifice-like traffic on a port other than the one Back Orifice uses.
Dire predictions of a Snort worm have gotten media attention. There are several
questions that define the risk of such a worm:
a) Are there sufficient Snort installations to make a worm propagate?
Arguable. Since the attack involves a single UDP packet, it's possible
to reach enough victim systems even though there are not many around (certainly
nowhere near as many as Windows boxes, or even SQL Servers). Further, Snort
runs on a variety of platforms, and it's highly likely that the attack will have
to be specific to each platform, so the Snort population is further divided.
b) Can such a worm propagate fast enough to impact prior to detection and removal?
Again, a UDP worm can spread very fast, as we saw with SQL Slammer. If the
impact desired is widespread denial of service (DoS), then such a worm could
certainly propagate fast enough. If the desire is to 0wn systems, then a fast-spreading
high-profile worm is not the attack of choice, as it would be detected quickly
within the Snort community. Of course, those who thought to install Snort, but
have failed to maintain it, could easily succumb.
Detecting a slow-moving worm is going to be significantly more difficult, given that
traffic on every port (not just traffic destined for 31337) would need to be examined.
c) Would a worm yield the desired results?
If the desired result is a widespread DoS, yes. Otherwise no, as stated above.
Denial of Service
Cisco Content Services Switch SSL Denial of Service Vulnerability: Cisco
11500 Series Content Services Switches (CSS) running versions 7.1 through 7.5
of the Cisco WebNS operating system contain a vulnerability that could allow
a remote attacker to create a DoS condition. The vulnerability exists due to
a memory corruption error that occurs when processing malicious client certificates
during SSL session negotiation.
While the exploit is fairly difficult and complex, if you’re a target
of choice it may be something that gets abused. Extortion DoS comes to mind
if you’re a vendor relying upon Client SSL Certificates.
RSA Authentication Agent for Web Buffer Overflow Vulnerability: Exploit
released that can cause a stack overflow in the SecurID Web Agent for IIS. Attempts
to exploit this flaw will result in the termination and potential restart of
the IIS service. Again, Extortion DoS possibilities.
This column was originally published in our weekly Security Watch newsletter.
Fanbot.A (Mytob?): Exploits the Microsoft Windows Plug and Play
remote code execution vulnerability described in Microsoft Security Bulletin
and Cybertrust Alert 9572. (Sophos has seen five variants, Trend has four variants
and 100+ infections since Oct. 16; Symantec has it at two.)
One of the new malware forms infects files with the RAR extension. This
suggests malware authors may be looking for new fodder, attacking a file type
that has not recently been abused. Fortunately, RAR is not a file type that
WinZip or Windows XP File Compression handle by default.
The banking industry is being called upon to strengthen security for
Internet customers. Federal regulators will require banks to augment user names
and password authentication mechanisms, but so far details regarding how have
not been specified.
Media stories have ranged from "the end of phishing as we know it"
to "any bank that doesn’t want to, doesn’t have to implement
stronger authentication." The truth will likely be somewhere in between.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.