Bug 223217 (CVE-2008-1804) - <net-analyzer/snort-2.8.1 Snort IP Fragment TTL Evasion Vulnerability (CVE-2008-1804)
Status: RESOLVED FIXED
Alias: CVE-2008-1804
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://labs.idefense.com/intelligence...
Whiteboard: B4? [noglsa]
Keywords:
Depends on: 198205 245752
Blocks:
Reported: 2008-05-22 14:59 UTC by Robert Buchholz (RETIRED)
Modified: 2010-03-06 16:22 UTC

See Also:
Package list:
Runtime testing required: ---
Description Robert Buchholz (RETIRED) gentoo-dev 2008-05-22 14:59:22 UTC
iDefense writes:
Remote exploitation of a design error vulnerability in Snort, as
included in various vendors' operating system distributions, could
allow an attacker to bypass filter rules.

Due to a design error vulnerability, Snort does not properly reassemble
fragmented IP packets. When receiving incoming fragments, Snort checks
the Time To Live (TTL) value of the fragment, and compares it to the
TTL of the initial fragment. If the difference between the initial
fragment and the following fragments is more than a configured amount,
the fragments will be silently discarded. This results in valid traffic
not being examined and/or filtered by Snort.

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to bypass all
Snort rules. In order to exploit this vulnerability, an attacker would
have to fragment IP packets destined for a targeted host, ensuring that
the TTL difference is greater than the configured maximum. By default,
the maximum difference is 5.

If an attacker is successful, all fragments with invalid TTL differences
will be dropped. No rules will be applied to them.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Snort 2.8
and 2.6. Snort 2.4 is not vulnerable.

V. WORKAROUND

In the snort.conf file, set the ttl_limit configuration value to 255 as
shown below.

  preprocessor frag3_engine: ttl_limit 255

This will set the allowable difference to the maximum possible value,
and prevent fragments from being dropped.

VI. VENDOR RESPONSE

Sourcefire has addressed this vulnerability by releasing version 2.8.1
of Snort. For more information consult their change log and source
differences at the following URLs.

http://cvs.snort.org/viewcvs.cgi/snort/ChangeLog?rev=1.534.2.11

http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&tr1=1.46.2.4&r2=text&tr2=1.46.2.5&diff_format=h
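As an added example (not part of the bug report, the iDefense advisory or Snort's own code), a Python check that audits a snort.conf excerpt for the section V workaround: every frag3_engine line should carry ttl_limit 255. The default of 5 is taken from the advisory text; the sample configuration is constructed, and accepting both space- and comma-separated engine options is an assumption.

```python
import re

DEFAULT_TTL_LIMIT = 5       # default maximum TTL difference, as stated in the advisory
WORKAROUND_TTL_LIMIT = 255  # value recommended in section V of the advisory
ENGINE_RE = re.compile(r"^\s*preprocessor\s+frag3_engine\s*:\s*(.*)$")


def parse_frag3_engines(conf_text):
    """Return one dict per frag3_engine line: {'line', 'bind_to', 'ttl_limit'}.
    '#' comments are stripped; options may be space- or comma-separated (assumption)."""
    engines = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]
        m = ENGINE_RE.match(line)
        if not m:
            continue
        tokens = m.group(1).replace(",", " ").split()
        engine = {"line": lineno, "bind_to": None, "ttl_limit": DEFAULT_TTL_LIMIT}
        for i, tok in enumerate(tokens):
            if tok == "bind_to" and i + 1 < len(tokens):
                engine["bind_to"] = tokens[i + 1]
            elif tok == "ttl_limit" and i + 1 < len(tokens):
                engine["ttl_limit"] = int(tokens[i + 1])  # ValueError on a non-numeric value
        engines.append(engine)
    return engines


def audit_frag3(conf_text):
    """Return (ok, findings): ok is False when any engine's ttl_limit is below 255,
    because fragments exceeding that TTL difference are discarded without inspection."""
    findings = []
    for e in parse_frag3_engines(conf_text):
        if e["ttl_limit"] < WORKAROUND_TTL_LIMIT:
            target = e["bind_to"] or "default engine"
            findings.append(
                f"line {e['line']}: frag3_engine ({target}) ttl_limit={e['ttl_limit']}; "
                f"fragments whose TTL differs from the first by more than {e['ttl_limit']} "
                f"are dropped uninspected. Set ttl_limit {WORKAROUND_TTL_LIMIT}.")
    return (not findings, findings)


# Constructed snort.conf excerpt: one engine still at the default, one with the workaround.
SAMPLE_CONF = """\
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first, bind_to 10.0.0.0/8, detect_anomalies
preprocessor frag3_engine: policy linux ttl_limit 255   # workaround applied
"""

if __name__ == "__main__":
    ok, findings = audit_frag3(SAMPLE_CONF)
    print("OK" if ok else "\n".join(findings))
```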
Comment 2 Matt 2008-06-17 22:36:27 UTC
see Bug #198205, that snort version (2.8.2) works for me

Cheers
Comment 3 Jason Wallace 2008-11-05 21:02:07 UTC
bug #245752 should resolve this issue
Comment 4 Jason Wallace 2009-04-15 19:05:02 UTC
There is a new ebuild for snort-2.8.4 at the following bug...
 
bug#266288

This also fixes this bug. Please close this bug and..

Bug#198205
Bug#245752
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-15 20:24:30 UTC
(In reply to comment #4)
> Please close this bug...
>

Please note that Security bugs are needed for more than just bumping purposes and are _not_ closed in cases such as this.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-07 06:45:58 UTC
Ready to vote, I vote: NO.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-06 16:22:57 UTC
NO too. Closing noglsa.