[NEWS] Multiple Vendor Snort IP Fragment TTL Evasion Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Multiple Vendor Snort IP Fragment TTL Evasion Vulnerability
------------------------------------------------------------------------


SUMMARY

Snort is "an open source network intrusion detection (IDS) and prevention
system (IPS). In addition to being available as a package for most Unix
operating system distributions, various commercial hardware devices also
use Snort as an IDS/IPS". Remote exploitation of a design error
vulnerability in Snort, as included in various vendors' operating system
distributions, could allow an attacker to bypass filter rules.

DETAILS

Vulnerable Systems:
* Snort version 2.8
* Snort version 2.6

Immune Systems:
* Snort version 2.4
* Snort version 2.8.1

Due to a design error vulnerability, Snort does not properly reassemble
fragmented IP packets. When receiving incoming fragments, Snort checks the
Time To Live (TTL) value of each fragment and compares it to the TTL of
the initial fragment. If the TTL difference between the initial fragment and
a following fragment is more than a configured amount, the fragment is
silently discarded. This results in valid traffic not being examined
and/or filtered by Snort.

Analysis
Exploitation of this vulnerability allows an attacker to bypass all Snort
rules. In order to exploit this vulnerability, an attacker would have to
fragment IP packets destined for a targeted host, ensuring that the TTL
difference is greater than the configured maximum. By default, the maximum
difference is 5.

If an attacker is successful, all fragments with invalid TTL differences
will be dropped. No rules will be applied to them.

Workaround:
In the snort.conf file, set the ttl_limit configuration value to 255 as
shown below.

preprocessor frag3_engine: ttl_limit 255

This will set the allowable difference to the maximum possible value, and
prevent fragments from being dropped.
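The following is an added example, not code from the advisory or from the Snort project: a simplified Python model of the frag3 TTL check described above, written from the IDS side. Fragment and tracker field names, the contiguity check and the sample HTTP request are constructed assumptions; the real preprocessor discarded the fragment silently, whereas this model also records an alert so the discard is visible. Running it with the default limit of 5 and with the workaround value of 255 shows why the datagram never reaches rule matching in the first case and does in the second.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of the frag3 ttl_limit check described in the advisory.
# This is NOT Snort's code; names and structure are assumptions.


@dataclass
class Fragment:
    src: str
    dst: str
    ip_id: int
    offset: int        # fragment offset in 8-byte units, as on the wire
    more: bool         # IP "more fragments" flag
    ttl: int
    payload: bytes


@dataclass
class Tracker:
    first_ttl: int                                  # TTL of the first fragment seen
    frags: List[Fragment] = field(default_factory=list)


def reassemble(fragments: List[Fragment], ttl_limit: int = 5):
    """Model of the vulnerable behaviour: a fragment whose TTL differs from the
    first fragment's TTL by more than ttl_limit is dropped. Unlike the real
    preprocessor, an alert line is recorded for every drop so a defender can
    see what was discarded. Returns (datagrams, dropped, alerts)."""
    trackers: Dict[Tuple[str, str, int], Tracker] = {}
    dropped: List[Fragment] = []
    alerts: List[str] = []
    for f in fragments:
        key = (f.src, f.dst, f.ip_id)
        tr = trackers.get(key)
        if tr is None:
            tr = trackers[key] = Tracker(first_ttl=f.ttl)
        if abs(f.ttl - tr.first_ttl) > ttl_limit:
            dropped.append(f)
            alerts.append(f"ttl_limit exceeded for {key}: first_ttl={tr.first_ttl} "
                          f"ttl={f.ttl} limit={ttl_limit}")
            continue
        tr.frags.append(f)
    datagrams: Dict[Tuple[str, str, int], bytes] = {}
    for key, tr in trackers.items():
        data = _complete_payload(tr.frags)
        if data is not None:
            datagrams[key] = data
    return datagrams, dropped, alerts


def _complete_payload(frags: List[Fragment]) -> Optional[bytes]:
    """Return the reassembled payload if the fragments are contiguous and the
    final (MF=0) fragment is present, else None (datagram still incomplete)."""
    expected = 0
    out = b""
    for f in sorted(frags, key=lambda x: x.offset):
        if f.offset != expected:
            return None
        out += f.payload
        if not f.more:
            return out
        if len(f.payload) % 8:
            return None        # non-final fragments must be multiples of 8 bytes
        expected = f.offset + len(f.payload) // 8
    return None


# Constructed sample: one 28-byte datagram split in two, where the second
# fragment arrives with a TTL that differs from the first by 34 (> default 5).
REQUEST = b"GET /index.html HTTP/1.0\r\n\r\n"
SAMPLE = [
    Fragment("10.0.0.5", "10.0.0.9", 0x1234, 0, True, 30, REQUEST[:16]),
    Fragment("10.0.0.5", "10.0.0.9", 0x1234, 2, False, 64, REQUEST[16:]),
]


def inspect(fragments: List[Fragment], ttl_limit: int,
            signature: bytes = b"/index.html") -> bool:
    """Would a content rule for `signature` ever see the reassembled datagram?"""
    datagrams, _, _ = reassemble(fragments, ttl_limit)
    return any(signature in d for d in datagrams.values())


if __name__ == "__main__":
    for limit in (5, 255):
        datagrams, dropped, alerts = reassemble(SAMPLE, limit)
        print(f"ttl_limit={limit}: reassembled={len(datagrams)} "
              f"dropped={len(dropped)} rule_would_match={inspect(SAMPLE, limit)}")
        for a in alerts:
            print("   ", a)
```

With `ttl_limit=5` the second fragment is discarded, the datagram never completes and the content rule has nothing to match; with `ttl_limit=255` (the workaround) both fragments are kept and the request is reassembled. In a real deployment the advisory's fix is the upgrade to 2.8.1; the point of recording an alert in the model is that a TTL mismatch between fragments of one datagram is itself worth logging rather than dropping silently.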

Vendor response:
Sourcefire has addressed this vulnerability by releasing version 2.8.1 of
Snort. For more information consult their change log and source
differences at the following URLs.
http://cvs.snort.org/viewcvs.cgi/snort/ChangeLog?rev=1.534.2.11

http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&tr1=1.46.2.4&r2=text&tr2=1.46.2.5&diff_format=h

CVE Information:
CVE-2008-1804: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1804

Disclosure Timeline:
02/26/2008 - Initial vendor notification
02/26/2008 - Initial vendor response
05/21/2008 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs Security Advisories
(idlabs-advisories@xxxxxxxxxxxx).
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=701


