A vulnerability was found in PrintTcpOptions() function located in snort-2.4.0/src/log.c that could allow an attacker to craft a malformed TCP/IP packet and potentially cause a DoS in Snort. This is a NULL pointer dereference and therefore not exploitable beyond the DoS. This vulnerability is only present when Snort is run in verbose mode (using the switch -v). If you're running in verbose mode (which you should not be doing if you're running a NIDS) then you could be vulnerable. If you're running any of the standard NIDS logging modes like database, pcap or unified, you're fine. Details: An attacker can exploit this vulnerability with malicious TCP traffic containing a bad TCP SACK option causing the Snort engine to crash. Restarting Snort will cause the engine to return to normal functionality. Fix and Workaround Details: A fix for this vulnerability was checked into the Snort 2.4 CVS tree on August 23rd, 2005 and is available for download here. This fix will also be included in the upcoming 2.4.1 release. Users who do not wish to upgrade can simply not run Snort in verbose mode to avoid being vulnerable.
netmon: you prefer to wait for 2.4.1 release or patch 2.3.x ?
I'd be tempted to wait. I think marty will get one out soon.
Created attachment 68633 [details, diff] Proposed Patch to log.c
We better patch up. 2.4.x series is not ready to be marked stable, its init script does not work and I remember somebody discussing a different problem in #gentoo-netmon.
Created attachment 68634 [details, diff] snort-2.4.0-log.c.diff I think this provided patch is actually backwards. I am working on a 2.4.1 version bump and back-porting a fix to 2.3.3.
Fixed in >=snort-2.3.3. Please test and stabilize =snort-2.3.3. Don't stabilize newer versions nor their unstable libprelude dependencies :-).
Comment on attachment 68633 [details, diff] Proposed Patch to log.c Yep it's backwards.
(In reply to comment #6) > Fixed in >=snort-2.3.3. > Please test and stabilize =snort-2.3.3. > Don't stabilize newer versions nor their unstable libprelude dependencies :-). Did you patch the tarball itself? I don't see the new patch.
snort-2.3.3.ebuild, line 71, epatch "${FILESDIR}/${P}-log.c.diff" same patch in 2.3.3-r1 2.4.1 has the fix upstream
x86, ppc, please test and mark =2.3.3 stable
OK I have it now my mirror must have been out of sync. Builds and runs fine on amd64. I tested with an exploit and snort survived the attack. Interestingly though the default installed rulebase doesn't appear to have a signature to detect this.
Stable on ppc.
Stable on x86
This one is ready for GLSA vote. I vote NO.
Voting NO too and closing.
