
Flaw lets intruders sneak past defenses

A vulnerability in Snort, a popular open-source intrusion detection system, could allow an attacker to disable the devices that would normally spot intruders.

Robert Lemos Staff Writer, CNET News.com
A popular open-source intrusion detection system known as Snort has a flaw that could allow an attacker to disable the software, a security company announced Monday.

While for most companies the vulnerability isn't as serious as the Sendmail flaw unveiled Monday, the security hole could be used to take down the network alarm systems that might otherwise signal that a company is under attack, said Marty Roesch, creator of the open-source Snort program and president of Sourcefire, a company that sells security appliances based on the intrusion detection system.

"It's nasty," he said. "You don't have to target the box running Snort; you just have to throw the attack on the network, and the box will just receive it because it's doing its job."

The flaw occurs in a "normalization" feature of Snort. The program recognizes attacks by matching signatures, known patterns of malicious traffic, against the data crossing the network. Some intruders fragment an attack across several packets so that no single packet carries the whole pattern. Snort pieces the fragments back together, a step it calls "normalization," so that a single signature for each class of attack can match the traffic no matter how it was split.
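As an added illustration (not code from the article, from Snort or from Sourcefire), the following Python sketches the normalization step just described: a detector that matches each packet on its own misses a signature split across two fragments, while a detector that reassembles the fragments first catches it. The fragment format, the signature and the sample traffic are all constructed for this example, and the size limit in the reassembler is a generic hardening check a practitioner would want on any code that rebuilds attacker-supplied data, not a description of the flaw reported here.

```python
"""Fragment reassembly before signature matching (constructed example).

Shows why an IDS normalizes fragmented traffic before matching signatures,
and why the reassembly code itself must be defended: a sensor processes
every packet it sees, so malformed fragments reach it without being aimed
at it.
"""
import re

# Constructed signature for one class of attack (not a real Snort rule).
SIGNATURE = re.compile(rb"/bin/sh")

# Hypothetical upper bound on a reassembled payload. Without such a limit a
# reassembler trusts whatever sizes the network hands it.
MAX_REASSEMBLED = 64 * 1024


class ReassemblyError(ValueError):
    """Raised for fragments that cannot be rebuilt safely."""


def match_per_fragment(fragments):
    """Naive detector: match each (offset, data) fragment on its own."""
    return any(SIGNATURE.search(data) for _, data in fragments)


def reassemble(fragments):
    """Rebuild a payload from (offset, data) fragments.

    Fragments may arrive out of order and may overlap; overlaps keep the
    bytes already placed. Fragments that would exceed MAX_REASSEMBLED or
    leave a gap are rejected instead of being trusted.
    """
    buf = bytearray()
    for off, data in sorted(fragments, key=lambda f: f[0]):
        if off < 0 or off + len(data) > MAX_REASSEMBLED:
            raise ReassemblyError("fragment exceeds reassembly limit")
        if off > len(buf):
            raise ReassemblyError("gap: missing fragment before offset %d" % off)
        buf.extend(data[len(buf) - off:])  # skip bytes already covered
    return bytes(buf)


def verdict(fragments):
    """Normalizing detector: 'alert', 'clean' or 'rejected' (malformed)."""
    try:
        payload = reassemble(fragments)
    except ReassemblyError:
        return "rejected"
    return "alert" if SIGNATURE.search(payload) else "clean"


# Constructed sample traffic: the attack string is cut in the middle of the
# signature and delivered out of order, as an evading intruder would send it.
ATTACK = b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0"
EVASIVE = [(22, ATTACK[22:]), (0, ATTACK[:22])]
BENIGN = [(0, b"GET /index.html HTTP/1.0")]
# Fragment whose offset would push the payload past the limit.
OVERSIZED = [(0, b"A" * 16), (MAX_REASSEMBLED - 8, b"B" * 16)]

if __name__ == "__main__":
    print("per-fragment sees attack:", match_per_fragment(EVASIVE))  # False
    print("normalized verdict:", verdict(EVASIVE))                    # alert
    print("benign verdict:", verdict(BENIGN))                         # clean
    print("oversized verdict:", verdict(OVERSIZED))                   # rejected
```

The evasion works against the per-fragment matcher because neither fragment contains the whole pattern; reassembling first restores the original bytes and the single signature matches. The limit and gap checks are there because the reassembler, like the sensor as a whole, cannot choose which packets it receives.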

Roesch stressed that patches for the flaw are available and, judging from the number of downloads, are being applied quickly. The patches can be found at the Snort development site.

The vulnerability was discovered by Internet Security Systems, the same security software company that found the flaw in Sendmail mail-server software. Roesch said that Internet Security Systems told him of the hole on Feb. 21 and that Snort programmers had the problem fixed a day later. However, the U.S. government delayed release of the flaw announcement until the Snort group's response could be synchronized with other responders.

"We had to be a good corporate citizen," he said.

Coming the same day as the announcement of a vulnerability in the open-source Sendmail mail-server software, the Snort flaw seems to refute claims that open-source software is as secure as proprietary products. However, Alfred Huger, senior director of engineering for security software firm Symantec, dismissed such concerns.

"Historically, almost every commercially available IDS has had a similar problem to this," he said. The track record of the open-source product has been, for the most part, better than that of its competitors. "In the past, Snort has never had a problem this large to my knowledge."