lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 4 Apr 2003 14:21:28 -0300
From: Conectiva Updates <secure@...ectiva.com.br>
To: conectiva-updates@...aleguas.conectiva.com.br, lwn@....net,
	bugtraq@...urityfocus.com, security-alerts@...uxsecurity.com,
	linsec@...ts.seifried.org
Subject: [CLA-2003:613] Conectiva Security Announcement - snort


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : snort
SUMMARY   : RPC preprocessor vulnerability
DATE      : 2003-04-04 14:20:00
ID        : CLA-2003:613
RELEVANT
RELEASES  : 8

- -------------------------------------------------------------------------

DESCRIPTION
 Snort is an Open Source Network Intrusion Detection System (NIDS).
 
 ISS X-Force has discovered[1] a remotely exploitable buffer overflow 
 vulnerability in Snort. It resides in the RPC preprocessor, which is
 responsible for normalizing RPC traffic before its analisys by the
 rules processor.
 
 A remote atacker able to insert specially crafted RPC traffic in the
 network being monitored by snort may crash the sensor or execute
 arbitrary code in the context of it, which is run by the root user.
 
 The RPC preprocessor feature was added in snort 1.8, which is
 distributed with Conectiva Linux 8. Users of Conectiva Linux versions
 6.0 and 7.0 are not vulnerable to this attack.
 
 IMPORTANT: Please note that this update is from snort 1.8.4b1 to
 1.9.1. Since several components have changed in snort 1.9.1, the old
 snort.conf file and the alerts database need some small changes in
 order to work with this new version. Instructions about how to
 smoothly upgrade are available at the end of this announcement.


SOLUTION
 This is a serious vulnerability. All snort users should upgrade.
 
 A workaround for this problem is to disable the RPC preprocessor by
 commenting the following line in the snort.conf file:
 
    preprocessor rpc_decode: 111
 
 
 REFERENCES:
 1.http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951
 
 
 
 UPGRADING FROM SNORT 1.8.4b1 TO SNORT 1.9.1:
 
 The snort update from 1.8.4b1 to 1.9.1 basically needs two manual
 interventions to work: changes in the config file
 (/etc/snort/snort.conf) and in the SQL database (in the case of using
 an SQL backend).
 
 
 Necessary changes to the configuration file (snort.conf)
 --------------------------------------------------------
 
 Since several components have been changed in snort 1.9.1, some
 changes were made in the snort.conf file. Below are listed the
 necessary changes in order to let snort 1.9.1 work with the old
 config file from snort 1.8.4b1. Notice that, in order to take full
 advantage of the new available features, it is recommended to create
 a new config file based on the one distributed with snort 1.9.1. In
 an rpm based installation, the old configuration file is preserved
 and the new one is saved as "snort.conf.rpmnew".
 
 - New variables:
 
 The following variables (and their default values) were added and
 some rules need these definitions in order to work (i.e. snort will
 not start if these variables are not defined).
 
     # List of telnet servers on your network
     var TELNET_SERVERS $HOME_NET
 
     # List of SMTP servers on your network
     var SMTP_SERVERS $HOME_NET
 
     # Ports you run web servers on
     var HTTP_PORTS 80
 
     # Ports you want to look for SHELLCODE on.
     var SHELLCODE_PORTS !80
 
     # AIM Servers (AOL Instant Messaging)
     var AIM_SERVERS
 [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
 
     # Ports you do oracle attacks on
     var ORACLE_PORTS 1521
 
 
 - Rules directory:
 
 The snort rules are now under the /etc/snort/rules directory. The
 config file must be changed to point to it:
 
 Change the line
     var RULE_PATH ./
 
 To
     var RULE_PATH /etc/snort/rules
 
 
 - Preprocessor changes:
 
 The "http_decode" preprocessor was configured with the following
 parameters in snort 1.8.4b1:
 
     preprocessor http_decode: 80 -unicode -cginull
 
 The syntax in snort 1.9.1 has been changed and now the default is:
 
     preprocessor http_decode: 80 unicode iis_alt_unicode
 double_encode iis_flip_slash full_whitespace
 
 Besides that change, several other preprocessor were modified.
 Although the older configuration may still work, it is recommended to
 adapt it to the new defaults in order to get the best of snort
 capabilities.
 
 
 Necessary changes to the SQL database
 -------------------------------------
 
 The snort database in version 1.8.4b1 (schema 104) is not compatible
 with snort 1.9.1 (schema 106). In order to keep using the old
 database, snort 1.9.1 needs some small changes in the "sensor" and
 "schema" tables. Besides that, a new snort functionality needs
 "update" access to the database tables.
 
 Below are the necessary commands to make such changes in a scenario
 where MySQL is being used to store the snort database locally
 (localhost). If snort is running in a distributed model or using
 another SQL backend, the commands must be adapted accordingly.
 
 - Access the MySQL interface:
   $ mysql -u root -p snortdatabase
 
 - Add to the table "sensor" a field "last_cid", needed by snort
 1.9.1:
   mysql> alter table sensor add last_cid INT UNSIGNED NOT NULL;
 
 - Change the "schema" version to 106 (this is the version expected by
 snort 1.9.1):
   mysql> update schema set vseq=106;
 
 - Grant update permission to the user snort in all tables from
 "snortdatabase":
   mysql> grant update on snortdatabase.* to snort@...alhost
 identified by 'snort_user_password';
 
 - Exit MySQL:
   mysql> quit;
 
 Aditional info can be found in the above URLs:
 Snort: http://www.snort.org/
 Conectiva Linux: http://www.conectiva.com/


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/8/RPMS/snort-1.9.1-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/snort-1.9.1-1U80_1cl.src.rpm


ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM packages upgrades:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright 2003 (c) Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@...aleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@...aleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+jb8X42jd0JmAcZARAmuBAKCTrDSKsintRRjoSUrry6U5gZuM1QCfcKR/
KncikHmelXswYPtVPC3mRpU=
=nR3N
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ