A vulnerability in Snort, the popular open-source intrusion detection software, could let an outsider commandeer an affected system.
A buffer overflow flaw exists in the Snort preprocessor that detects Back Orifice, an older remote-control Trojan horse, Snort developer Sourcefire said in an advisory on Tuesday. An attacker could commandeer a system running Snort 2.4.0 through 2.4.2, every 2.4 release before the fix, by sending a specially crafted network packet, it warned.
Sourcefire's warning prompted security provider Symantec to raise its ThreatCon global threat index to Level 2, which means an outbreak is expected.
Snort is freely available open-source software intended to protect networks by detecting and preventing intrusions. The software is installed on more than 100,000 systems and is also part of at least 45 products from various vendors, according to Sourcefire. Additionally, about 75 other open-source projects use Snort, the company said.
The vulnerability affects all versions of Snort released since April and is very easy to exploit, said Neel Mehta, the team leader at Internet Security Systems who discovered the flaw. "If anyone were to take this and do anything malicious with it, it could be very quick to propagate," he said. ISS has published an alert about the Snort problem.
This is a serious flaw, said Michael Sutton, director at security intelligence company iDefense, a part of VeriSign. "Given the large deployment of Snort and the fact that these boxes, by design, are exposed to incoming packets from the Internet, this is a significant vulnerability," he said.
What further raises the urgency to patch the flaw is that an attack packet does not require any authentication and does not need to be addressed to the vulnerable Snort system itself; it will succeed if merely aimed at any host on the network the sensor protects, Sutton said. An intrusion detection sensor inspects every packet that crosses the segment it monitors, whether or not the packet is destined for the sensor, so the vulnerable code is reached by ordinary traffic into the protected network.
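The bug class the advisory describes, as an added example that is neither Snort's code nor Sourcefire's: a toy Back Orifice-style decoder that decodes an untrusted UDP payload into a fixed-size stack buffer. The unchecked version trusts the on-wire length of the packet; the checked version refuses payloads larger than its buffer before it decodes anything, the kind of bound whose absence turns a decoder into a remote buffer overflow. The toy keystream, the 8-byte magic string, the 1024-byte buffer size and the key value are assumptions made for this example and do not describe Snort's spp_bo.c or the real Back Orifice cipher.

```c
/*
 * Added example, not Snort's spp_bo.c: a toy Back Orifice style decoder
 * showing an unchecked decode into a stack buffer beside the bounded form.
 * Keystream, magic string, buffer size and key are assumptions for the
 * example, not Snort internals or the real Back Orifice protocol.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BO_MAGIC     "*!*QWTY?"   /* assumed plaintext header of a BO message */
#define BO_MAGIC_LEN 8
#define BO_PLAINBUF  1024         /* assumed size of the decoder's stack buffer */

/* Toy keystream derived from a small key; stands in for BO's password-seeded
 * cipher, which this example deliberately does not implement. */
static uint8_t bo_keystream(uint32_t key, size_t i)
{
    uint32_t s = key ^ (uint32_t)(i * 2654435761u);
    s ^= s >> 13;
    s *= 0x5bd1e995u;
    s ^= s >> 15;
    return (uint8_t)s;
}

/* Encode a plaintext BO message with the toy cipher. Only used here to build
 * test packets; a sensor only ever decodes. Returns bytes written, 0 on error. */
size_t bo_encode(const uint8_t *plain, size_t len, uint32_t key,
                 uint8_t *out, size_t outsz)
{
    if (len > outsz) return 0;
    for (size_t i = 0; i < len; i++)
        out[i] = plain[i] ^ bo_keystream(key, i);
    return len;
}

/* VULNERABLE shape: decodes every byte of the packet into a 1024-byte stack
 * buffer, trusting the on-wire length. A payload longer than the buffer
 * writes past it and smashes the stack. Never call this with
 * len > BO_PLAINBUF; it exists only to show the unchecked pattern.
 * Returns 1 when the decoded packet starts with the BO magic, else 0. */
int bo_is_bo_unchecked(const uint8_t *pkt, size_t len, uint32_t key)
{
    uint8_t plain[BO_PLAINBUF];
    for (size_t i = 0; i < len; i++)              /* no bound on len */
        plain[i] = pkt[i] ^ bo_keystream(key, i);
    return len >= BO_MAGIC_LEN && memcmp(plain, BO_MAGIC, BO_MAGIC_LEN) == 0;
}

/* HARDENED shape: compare the length against the buffer before decoding.
 * Returns 1 on a BO match, 0 for a non-BO packet, -1 for an oversized
 * payload the sensor refuses to decode (and should log as suspicious). */
int bo_is_bo_checked(const uint8_t *pkt, size_t len, uint32_t key)
{
    uint8_t plain[BO_PLAINBUF];
    if (len < BO_MAGIC_LEN) return 0;             /* too short to be BO */
    if (len > sizeof plain) return -1;            /* the check the bug lacked */
    for (size_t i = 0; i < len; i++)
        plain[i] = pkt[i] ^ bo_keystream(key, i);
    return memcmp(plain, BO_MAGIC, BO_MAGIC_LEN) == 0;
}

int main(void)
{
    const uint32_t key = 31337u;                  /* assumed shared key */
    uint8_t plain[64] = BO_MAGIC "ping";          /* constructed BO-like message */
    uint8_t pkt[64];
    bo_encode(plain, sizeof plain, key, pkt, sizeof pkt);
    printf("64-byte BO packet:          %d\n", bo_is_bo_checked(pkt, sizeof pkt, key));

    uint8_t crafted[4096];                        /* constructed oversize payload */
    memset(crafted, 0x41, sizeof crafted);
    printf("4096-byte crafted packet:   %d (refused)\n",
           bo_is_bo_checked(crafted, sizeof crafted, key));
    /* bo_is_bo_unchecked(crafted, sizeof crafted, key) would overflow 'plain'. */
    return 0;
}
```

Because the unchecked function really does write past its buffer for payloads longer than 1024 bytes, main only feeds the oversized packet to the checked version; the point of the example is the missing comparison, not a crash demonstration.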
Sourcefire on Tuesday released Snort version 2.4.3 to fix the problem. Users who can't upgrade immediately can disable the Back Orifice preprocessor (the "preprocessor bo" line in snort.conf), the company said. It is unclear which of the products built on Snort are also vulnerable.
There is no known attack code for the vulnerability, Mehta said. "It is really hit or miss as to what hackers exploit in the wild; we're watching and waiting," he said.
Sourcefire, which is in the process of being acquired by firewall specialist Check Point, prides itself on how few bugs have been found in Snort. "Any vulnerability is bad, of course, but this is the first one in two years," said Michele Perry, a Sourcefire spokeswoman. "The good news is that there is a patch out there."
ISS reported the vulnerability first to the U.S. Computer Emergency Readiness Team, which helped coordinate disclosure, Mehta said. Sourcefire was informed on Thursday and released its advisory and a patch on Tuesday, Perry said. US CERT has also published an advisory on the issue.