March 2007

ID: 74
Ref: 016/2007
Date: 07 March 2007:18:39:30
Version: 1

---

Title: Sourcefire Advisory: Vulnerability in Snort DCE/RPC Preprocessor
Abstract: Sourcefire has learned of a remotely exploitable vulnerability in the Snort DCE/RPC preprocessor. This preprocessor is vulnerable to a stack-based buffer overflow that could potentially allow attackers to execute code with the same privileges as the Snort binary.

---

Summary:
Sourcefire has learned of a remotely exploitable vulnerability in the Snort DCE/RPC preprocessor. This preprocessor is vulnerable to a stack-based buffer overflow that could potentially allow attackers to execute code with the same privileges as the Snort binary. Sourcefire has prepared updates for Snort open-source software to address this issue.

This vulnerability has been identified as CVE-2006-5276.

Snort Versions Affected:
Snort 2.6.1, 2.6.1.1, and 2.6.1.2
Snort 2.7.0 beta 1
This vulnerability also affects Sourcefire commercial products. For information and updates for Sourcefire products, please go to the Sourcefire support site.

Mitigating Factors:
Users who have disabled the DCE/RPC preprocessor are not vulnerable. However, the DCE/RPC preprocessor is enabled by default.

Recommended Actions:
Open-source Snort 2.6.1.x users are advised to upgrade to Snort 2.6.1.3 (or later) immediately. Open-source Snort 2.7 beta users are advised to mitigate this issue by disabling the DCE/RPC preprocessor. This issue will be resolved in Snort 2.7 beta 2.

Workarounds:
Snort users who cannot upgrade immediately are advised to disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic.
After upgrading, customers should reenable the DCE/RPC preprocessor.

Detecting Attacks Against This Vulnerability:
Sourcefire will be releasing a rule pack that provides detection for attacks against this vulnerability.

FAQs:

What does the update do?
Snort 2.6.1.3 (or later) removes the vulnerability by correcting the buffer overflow condition in the DCE/RPC preprocessor.

Has Sourcefire received any reports that this vulnerability has been exploited? No. Sourcefire has not received any reports that this vulnerability has been exploited.

Acknowledgments:
Sourcefire would like to thank Neel Mehta from IBM X-Force for reporting this issue and working with us to resolve it.

______________________________________________________________________________

CPNI values your feedback.

1. Which of the following most reflects the value of the advisory to you?
(Place an 'X' next to your choice)

Very useful:__ Useful:__ Not useful:__

2. If you did not find it useful, why not?


3. Any other comments? How could we improve our advisories?


Thank you for your contribution.
______________________________________________________________________________

CPNI wishes to acknowledge the contributions of Sourcefire for the information contained in this advisory.
______________________________________________________________________________