September 2005
Snort - Remote Vulnerability Found in Snort - Fix and Workaround Available
ID: 00791
Ref: 737/05
Date: 13 September 2005:15:53:50
Version: 1
Title: Snort - Remote Vulnerability Found in Snort - Fix and Workaround Available
Abstract: Snort have issued an announcement on their website regarding a denial of service vulnerability.
Vendors affected: Snort
Operating systems affected: Snort
Applications affected: Snort
Title
=====
Snort - Remote Vulnerability Found in Snort - Fix and Workaround Available

Detail
======
Snort have issued an announcement on their website regarding a denial of service
vulnerability. The text of the announcement reads:

"A vulnerability was found in PrintTcpOptions() function located in snort-2.4.0/src/log.c
that could allow an attacker to craft a malformed TCP/IP packet and potentially cause a
DoS in Snort. This is a NULL pointer dereference and therefore not exploitable beyond the
DoS.

This vulnerability is only present when Snort is run in verbose mode (using the switch -v).
If you're running in verbose mode (which you should not be doing if you're running a NIDS)
then you could be vulnerable. If you're running any of the standard NIDS logging modes
like database, pcap or unified, you're fine.

Details:

An attacker can exploit this vulnerability with malicious TCP traffic containing a bad TCP
SACK option causing the Snort engine to crash. Restarting Snort will cause the engine to
return to normal functionality.

Fix and Workaround Details:

A fix for this vulnerability was checked into the Snort 2.4 CVS tree on August 23rd, 2005
and is available for download here. This fix will also be included in the upcoming 2.4.1
release. Users who do not wish to upgrade can simply not run Snort in verbose mode to avoid
being vulnerable."

The announcement (with links to the workaround) can currently be viewed at the following
URL: http://www.snort.org/pub-bin/snortnews.cgi
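
The announcement attributes the crash to a NULL pointer dereference while printing a bad TCP SACK option. The C code below is an added example, not code from Snort or from the advisory: it decodes TCP options and formats SACK blocks only after checking the data pointer and the RFC 2018 length rules. The `tcp_opt` struct, the function names, and the assumption that an option with no payload decodes to a NULL data pointer are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { OPT_EOL = 0, OPT_NOP = 1, OPT_SACK = 5 };   /* SACK is kind 5, RFC 2018 */

/* Hypothetical decoded option (not Snort's struct): data is NULL when no payload. */
typedef struct { uint8_t kind; uint8_t len; const uint8_t *data; } tcp_opt;

/* Decode raw option bytes; returns the option count, or -1 if malformed. */
int decode_opts(const uint8_t *buf, size_t n, tcp_opt *out, int max) {
    int count = 0;
    for (size_t i = 0; i < n && count < max; ) {
        uint8_t kind = buf[i];
        if (kind == OPT_EOL) break;
        if (kind == OPT_NOP) { i++; continue; }
        if (i + 1 >= n) return -1;                   /* length byte missing */
        uint8_t olen = buf[i + 1];
        if (olen < 2 || i + olen > n) return -1;     /* bad or overrunning length */
        out[count++] = (tcp_opt){ kind, (uint8_t)(olen - 2), olen > 2 ? &buf[i + 2] : NULL };
        i += olen;
    }
    return count;
}

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Format one SACK option; returns blocks printed, or -1 if rejected before any dereference. */
int print_sack(const tcp_opt *o, char *dst, size_t dstsz) {
    if (o->kind != OPT_SACK || !o->data || o->len == 0 || o->len % 8 != 0 || o->len > 32) {
        snprintf(dst, dstsz, "SACK <malformed len=%u>", (unsigned)o->len);
        return -1;
    }
    size_t used = (size_t)snprintf(dst, dstsz, "SACK");
    for (uint8_t b = 0; b < o->len / 8 && used < dstsz; b++)
        used += (size_t)snprintf(dst + used, dstsz - used, " %u-%u",
                    (unsigned)be32(o->data + 8 * b), (unsigned)be32(o->data + 8 * b + 4));
    return o->len / 8;
}

int main(void) {
    const uint8_t raw[] = { 1, 1, 5, 2 };   /* constructed sample: NOP, NOP, SACK with no blocks */
    tcp_opt o[4]; char line[64];
    if (decode_opts(raw, sizeof raw, o, 4) == 1 && print_sack(&o[0], line, sizeof line) < 0)
        puts(line);
    return 0;
}
```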