Bug in security software enables remote attack

Stephen Withers
Thursday, 22 February 2007 04:39

Business IT - Security

A buffer overflow vulnerability in Snort, the popular open-source intrusion detection system for Linux and Windows, could lead to the compromise of the system it is running on, security researchers have warned.

The flaw was reported by IBM Internet Security Systems, which said "Compromise of machines using affected versions of Snort or Sourcefire may lead to exposure of confidential information, loss of productivity, and further compromise.  Successful exploitation of this vulnerability results in remote code execution with the privilege level of Snort, usually root or SYSTEM. Exploitation of this vulnerability does not require user interaction."

The good news is that it hasn't been proven that the vulnerability is actually exploitable, and it has been fixed. The affected versions are Snort 2.6.1, 2.6.1.1, 2.6.1.2, and 2.7 beta 1, and the cure is to update to version 2.6.1.3 or later. Version 2.7 beta 2 will also resolve the issue. Rules have also been released to detect attacks targeting the vulnerability in affected versions.

This isn't the first time that a vulnerability in security software has provided the bad guys with an attack vector. For example, a stack overflow vulnerability in Symantec Client Security and AntiVirus Corporate Edition discovered last year had the potential for arbitrary code execution, and in 2004 a flaw in the firewall included in several Symantec products caused a complete system halt if maliciously formatted TCP packets were received.