Buffer overflow in Snort RPC preprocessor

Overview

There is a buffer overflow vulnerability in the RPC preprocessing feature of Snort versions 1.8 through 1.9.0 and 2.0 beta.

Description

Martin Roesch, the primary Snort developer, described the vulnerability by saying:

When the RPC decoder normalizes fragmented RPC records, it incorrectly checks the lengths of what is being normalized against the current packet size, leading to an overflow condition. The RPC preprocessor is enabled by default.

The ISS X-Force team has published an advisory with additional information on this issue:

<http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951&gt;

Information about this vulnerability can also be found on the Snort web site at:

<http://www.snort.org/&gt;

---

Impact

A remote attacker can execute arbitrary code as the user running the Snort process, usually root. The attacker does not need to send packets directly to the Snort sensor. It is sufficient to send packets to any of the hosts on the network monitored by Snort.

---

Solution

Upgrade to Snort version 1.9.1

Upgrade to Snort version 1.9.1 to correct this vulnerability. This version of snort is available at:

<http://www.snort.org/dl/snort-1.9.1.tar.gz&gt;

Disable the rpc_decode preprocessor

You can prevent exploitation of this vulnerability by commenting out the rpc_decode preprocessor in the “snort.conf” configuration file. Note that this change may affect your ability to correctly process RPC record fragments.

Block outbound packets from Snort IDS systems

You may be able limit an attacker’s capabilities if the system is compromised by blocking all outbound traffic from the Snort sensor. While this workaround will not prevent exploitation of the vulnerability, it may make it more difficult for the attacker to create a useful exploit.

---

Vendor Information

916785

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Conectiva __ Affected

Notified: April 16, 2003 Updated: April 17, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Conectiva has published Conectiva Linux Security Announcement CLA-2003:613 to address this issue. For more information, please see:

http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000613

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Debian __ Affected

Notified: April 16, 2003 Updated: May 19, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

`- --------------------------------------------------------------------------
Debian Security Advisory DSA 297-1 [email protected]
<http://www.debian.org/security/&gt; Martin Schulze
May 1st, 2003 <http://www.debian.org/security/faq&gt;

---

Package : snort
Vulnerability : integer overflow, buffer overflow
Problem-Type : remote
Debian-specific: no
CVE Ids : CAN-2003-0033 CAN-2003-0209
CERT advisories: VU#139129 VU#916785
Bugtraq Ids : 7178 6963
Two vulnerabilities have been discoverd in Snort, a popular network
intrusion detection system. Snort comes with modules and plugins that
perform a variety of functions such as protocol analysis. The
following issues have been identified:
Heap overflow in Snort “stream4” preprocessor
(VU#139129, CAN-2003-0209, Bugtraq Id 7178)`

Researchers at CORE Security Technologies have discovered a remotely exploitable inteter overflow that results in overwriting the heap in the "stream4" preprocessor module. This module allows Snort to reassemble TCP packet fragments for further analysis. An attacker could insert arbitrary code that would be executed as the user running Snort, probably root.

Buffer overflow in Snort RPC preprocessor (VU#916785, CAN-2003-0033, Bugtraq Id 6963)

Researchers at Internet Security Systems X-Force have discovered a remotely exploitable buffer overflow in the Snort RPC preprocessor module. Snort incorrectly checks the lengths of what is being normalized against the current packet size. An attacker could exploit this to execute arbitrary code under the privileges of the Snort process, probably root.

For the stable distribution (woody) these problems have been fixed in version 1.8.4beta1-3.1.
The old stable distribution (potato) is not affected by these problems since it doesn't contain the problematic code.
For the unstable distribution (sid) these problems have been fixed in version 2.0.0-1.
We recommend that you upgrade your snort package immediately.
You are also advised to upgrade to the most recent version of Snort, since Snort, as any intrusion detection system, is rather useless if it is based on old and out-dated data and not kept up to date. Such installations would be unable to detect intrusions using modern methods. The current version of Snort is 2.0.0, while the version in the stable distribution (1.8) is quite old and the one in the old stable distribution is beyond hope.
Since Debian does not update arbitrary packages in stable releases, even Snort is not going to see updates other than to fix security problems, you are advised to upgrade to the most recent version from third party sources.
The Debian maintainer for Snort provides backported up-to-date packages for woody (stable) and potato (oldstable) for cases where you cannot upgrade your entire system. These packages are untested, though and only exist for the i386 architecture:
deb <http://people.debian.org/~ssmeenk/snort-stable-i386/> ./ deb-src <http://people.debian.org/~ssmeenk/snort-stable-i386/> ./
deb <http://people.debian.org/~ssmeenk/snort-oldstable-i386/> ./ deb-src <http://people.debian.org/~ssmeenk/snort-oldstable-i386/> ./

`Upgrade Instructions

---

wget url
will fetch the file for you dpkg -i file.deb
will install the referenced file.`

If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update will update the internal database
apt-get upgrade will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

`Debian GNU/Linux 3.0 alias woody

---

Source archives:
<http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1.dsc&gt;
Size/MD5 checksum: 681 2186ab4fe2efad905f07fb9522f04597 <http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1.diff.gz&gt;
Size/MD5 checksum: 67265 1f8ea5bc8a842626a30a2fb693398a16 <http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1.orig.tar.gz&gt;
Size/MD5 checksum: 1718574 80201d9c4e33af5e0b56121e4f9f7f7b`

Architecture independent components:
<http://security.debian.org/pool/updates/main/s/snort/snort-doc_1.8.4beta1-3.1_all.deb> Size/MD5 checksum: 344358 5d15c2a2ffc2e085a4dacfc8226ba336
<http://security.debian.org/pool/updates/main/s/snort/snort-rules-default_1.8.4beta1-3.1_all.deb> Size/MD5 checksum: 59674 76c3416b6a5e97c4b82e984255ee62a6

Alpha architecture:
<http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_alpha.deb> Size/MD5 checksum: 218862 e289d2ac6a97c3c729575af2608d62da
<http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_alpha.deb> Size/MD5 checksum: 35798 7d1a116fc1c00006914e48019ba68a4b
<http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_alpha.deb> Size/MD5 checksum: 222492 589db8d591013c098a4d51981464b21e

ARM architecture:
<http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_arm.deb> Size/MD5 checksum: 178156 f37eb2c6b75176be30aaae92cfd699ea
<http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_arm.deb> Size/MD5 checksum: 35820 4977d033364e56ec0d66266918b5ddfb
<http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_arm.deb> Size/MD5 checksum: 181128 d7d40fc33fd3e51b54e4293ed7617c70

Intel IA-32 architecture:
<http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_i386.deb> Size/MD5 checksum: 162048 f26f7562fae5f8761834d4cabe3ed17c
<http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_i386.deb> Size/MD5 checksum: 35802 548afa7fde8557dcd40bf235f38074dc
<http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_i386.deb> Size/MD5 checksum: 165354 911fd22a147390c8cf5d4694b4e2b18b

Intel IA-64 architecture:
<http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_ia64.deb> Size/MD5 checksum: 271778 12be6ab4ac58909148a8c9625ebefb99
<http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_ia64.deb> Size/MD5 checksum: 35798 57f0772e114cc1130c5c2639fc64be71
<http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_ia64.deb> Size/MD5 checksum: 275284 a8489c8f41fa49d532c0afa67928ee61

HP Precision architecture:
<http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_hppa.deb> Size/MD5 checksum: 201916 91c8ee56127b14c92736d7d418bc05ca
<http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_hppa.deb> Size/MD5 checksum: 35816 a5718f767ebc93178eb820dc5a190579
<http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_hppa.deb> Size/MD5 checksum: 205334 00eb158e0b034dbb6e16e42223f5855b

Motorola 680x0 architecture:
<http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_m68k.deb> Size/MD5 checksum: 150320 3c205732845c14274bd9d8520f8ba806
<http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_m68k.deb> Size/MD5 checksum: 35850 3b8e1da42a9c796a0ecf74f1e7ca2ac1
<http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_m68k.deb> Size/MD5 checksum: 153552 f97f6f155c93f042f01a9f2e40aff91d

Big endian MIPS architecture:
<http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_mips.deb> Size/MD5 checksum: 198172 75e4fef830c00e952f05cf4139bc264f
<http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_mips.deb> Size/MD5 checksum: 35822 aadad43bcef00f74acc754302e3557fc
<http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_mips.deb> Size/MD5 checksum: 201404 9fa10daa290890849df6762b66825024

Little endian MIPS architecture:
<http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_mipsel.deb> Size/MD5 checksum: 199732 040b188aeb253aa4ec4a6903c3f6f792
<http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_mipsel.deb> Size/MD5 checksum: 35818 467f455bb8b2c59630470417673e9856
<http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_mipsel.deb> Size/MD5 checksum: 202972 755df8c2d9b7e2bc01fec9a0b2259f4d

PowerPC architecture:
<http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_powerpc.deb> Size/MD5 checksum: 174508 3b5d1ebec2d40949e49746b4365c0a81
<http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_powerpc.deb> Size/MD5 checksum: 35804 60575d5c1998634b6bb3d2a9696f95c6
<http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_powerpc.deb> Size/MD5 checksum: 177562 c8cdeaab4e7c41c01a435933103fe6dd

IBM S/390 architecture:
<http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_s390.deb> Size/MD5 checksum: 173002 ff71b2925e1020c278d7d33eed8f8e6d
<http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_s390.deb> Size/MD5 checksum: 35794 5207eb80204af25cdbd77dca4b6cc09e
<http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_s390.deb> Size/MD5 checksum: 176296 2cc04f18ee550e4595e1680b43c2bf3e

Sun Sparc architecture:
<http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_sparc.deb> Size/MD5 checksum: 176202 6f1325e6c45e06d3f769b18a9ce98274
<http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_sparc.deb> Size/MD5 checksum: 35806 91ada09e5b9386b803184417ecbd953c
<http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_sparc.deb> Size/MD5 checksum: 179444 deb6b8580ef04cabecfec3972f4519dd

These files will probably be moved into the stable distribution on its next revision.

- --------------------------------------------------------------------------------- For apt-get: deb <http://security.debian.org/> stable/updates main For dpkg-ftp: <ftp://security.debian.org/debian-security> dists/stable/updates/main Mailing list: [email protected] Package info: apt-cache show <pkg>’ and <http://packages.debian.org/&gt;&lt;pkg&gt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+sR1ZW5ql+IAeqTIRApAdAKC1eQYjEpX7v5t4fdBeDh7CK5y6awCfdUpd
YqHF6Rz3zXbDFPWbU5uuPac=
=EfYw
-----END PGP SIGNATURE-----
`

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Gentoo Linux __ Affected

Notified: March 06, 2003 Updated: May 19, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

`- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200304-06

---

PACKAGE : snort
SUMMARY : Multiple Vulnerabilities in Snort Preprocessors DATE : 2003-04-28 07:07 UTC
EXPLOIT : remote VERSIONS AFFECTED : <snort-2.0.0
FIXED VERSION : >=snort-2.0.0 CVE : CAN-2003-0209 CAN-2003-0033
- - - ---------------------------------------------------------------------
New (and correct) ID and updated CVE link.
- - From advisories:
“The Sourcefire Vulnerability Research Team has learned of an integer overflow
in the Snort stream4 preprocessor used by the Sourcefire Network Sensor
product line. The Snort stream4 preprocessor (spp_stream4) incorrectly
calculates segment size parameters during stream reassembly for certain
sequence number ranges which can lead to an integer overflow that can be
expanded to a heap overflow.
The Snort stream4 flaw may lead to a denial of service (DoS) attack or
remote command execution on a host running Snort. This attack can be launched
by crafting TCP stream packets and transmitting them over a network segment
that is being monitored by a vulnerable Snort implementation. In its
default configuration, certain versions of snort are vulnerable to this
attack, as is the default configuration of the Snort IDS.”
“Remote attackers may exploit the buffer overflow condition to run
arbitrary code on a Snort sensor with the privileges of the Snort IDS
process, which typically runs as the superuser. The vulnerable
preprocessor is enabled by default. It is not necessary to establish an
actual connection to a RPC portmapper service to exploit this
vulnerability.”
Read the full advisories at:
http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
<http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951&gt;
<http://www.snort.org/advisories/snort-2003-04-16-1.txt&gt;
SOLUTION
It is recommended that all Gentoo Linux users who are running
net-analyzer/snort upgrade to snort-2.0.0 as follows:
emerge sync
emerge snort
emerge clean
- - - ---------------------------------------------------------------------
[email protected] - GnuPG key is available at <http://cvs.gentoo.org/~aliz&gt;

---

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+rNNLfT7nyhUpoZMRAk3cAJ41kN/5iZoa3IOtmoTwP+E7JRZZdACdFiE6
c8JLrnnQbuVE2ASytyK0N48=
=V4iq
-----END PGP SIGNATURE-----`

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Guardian Digital Inc. __ Affected

Notified: April 16, 2003 Updated: April 17, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Guardian Digital has published EnGarde Secure Linux Security Advisory ESA-20030307-007 to address this vulnerability. For more information, please see

http://www.linuxsecurity.com/advisories/engarde_advisory-2944.html

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

MandrakeSoft __ Affected

Notified: April 16, 2003 Updated: April 17, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

MandrakeSoft has published Mandrake Linux Security Update Advisory MDKSA-2003:029 to address this vulnerability. For more information, please see

http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:029

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

SmoothWall __ Affected

Notified: March 07, 2003 Updated: April 21, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The SmoothWall firewall is affected by this vulnerability; for more information, please see

<http://www.smoothwall.org/beta/bugs/mallard-005.html&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Snort __ Affected

Notified: February 28, 2003 Updated: April 17, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Snort Vulnerability Advisory [SNORT-2003-001]
Date: 2003-03-03
Affected Snort Versions:
Any version starting with version 1.8 to those before 2003-03-03 1PM/ US/Eastern including 1.9.0 and CVS HEAD (Snort 2.0beta)
Synopsis:
A buffer overflow has been found in the snort RPC normalization routines by ISS X-Force. This can cause snort to execute arbitrary code embedded within sniffed network packets. This preprocessor is enabled by default.
Snort 1.9.1 has been released to resolve this issue. For users using CVS HEAD, a fix has been committed to the source tree.
Mitigation:
If you are in an environment that can not upgrade snort immediately, comment out the line in your snort.conf that begins:
preprocessor rpc_decode
and replace it with
# preprocessor rpc_decode
Details:
When the rpc decoder normalizes fragmented RPC records, it incorrectly checks the lengths of what is being normalized against the current packet size.
The rpc decoder in Snort 1.9.1 and above contains new alert options that can be used to help detect this attack
Option Default State
alert_fragments INACTIVE alert_large_fragments ACTIVE alert_incomplete ACTIVE alert_multiple_requests ACTIVE

The first option will alert on any rpc fragmented record it finds. Large fragments will alert when the reassembled fragment record will exceed the current packet length. The incomplete record will alert when there is a partial record found. The alert_multiple_requests will alert when we find more than one RPC request per packet ( or reassembled packet ).
Download Locations:
Sourcefire has acquired additional bandwidth and hosting to aid users wishing to upgrade their Snort implementation. Binaries are currently not available, this is a source release only at this time. As new binaries become available they will be added to the site.
Source code: <http://www.snort.org/dl/snort-1.9.1.tar.gz> GPG Signatures: <http://www.snort.org/dl/snort-1.9.1.tar.gz.asc>
CVS HEAD (Snort 2.0beta) has been fixed as well.
- -- Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616 Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure [email protected] - <http://www.sourcefire.com> Snort: Open Source Network IDS - <http://www.snort.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (Darwin)
iD8DBQE+Y5gfqj0FAQQ3KOARAkENAJ0Zf0tGT/BilYA32bIuQF0Te/A2bgCfWRu2 OoXy1dQb8B/1/AEbTDqjxSA= =NQ8d -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

An updated version of Snort (1.9.1) is available from:

<http://www.snort.org/dl/snort-1.9.1.tar.gz&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Apple Computer Inc. __ Not Affected

Notified: April 16, 2003 Updated: April 17, 2003

Status

Not Affected

Vendor Statement

Snort is not shipped with Mac OS X or Mac OS X Server.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Fujitsu __ Not Affected

Notified: April 16, 2003 Updated: May 19, 2003

Status

Not Affected

Vendor Statement

Fujitsu’s UXP/V o.s. is not affected by the problem in VU#139129 and [VU#]916785 because it does not support the Snort.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Ingrian Networks __ Not Affected

Notified: April 16, 2003 Updated: April 17, 2003

Status

Not Affected

Vendor Statement

Ingrian Networks products are not susceptible to VU#139129 and VU#916785 since they do not use Snort.

Ingrian customers who are using the IDS Extender Service Engine to mirror cleartext data to a Snort-based IDS should upgrade their IDS software.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

NetBSD __ Not Affected

Notified: April 16, 2003 Updated: April 17, 2003

Status

Not Affected

Vendor Statement

NetBSD does not include snort in the base system.

Snort is available from the 3rd party software system, pkgsrc. Users who have installed net/snort, net/snort-mysql or net/snort-pgsql should update to a fixed version. pkgsrc/security/audit-packages can be used to keep up to date with these types of issues.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Red Hat Inc. __ Not Affected

Notified: April 16, 2003 Updated: April 17, 2003

Status

Not Affected

Vendor Statement

Red Hat does not ship Snort in any of our supported products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

SGI __ Not Affected

Notified: April 16, 2003 Updated: April 17, 2003

Status

Not Affected

Vendor Statement

SGI does not ship snort as part of IRIX.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

BSDI Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Cray Inc. Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Data General Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

FreeBSD Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Hewlett-Packard Company Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

IBM Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

MontaVista Software Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

NEC Corporation Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Nokia Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

OpenBSD Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Openwall GNU/*/Linux Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Sequent Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Sony Corporation Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

SuSE Inc. Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Sun Microsystems Inc. Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

The SCO Group (SCO Linux) Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

The SCO Group (SCO UnixWare) Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Unisys Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Wind River Systems Inc. Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

Wirex Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23916785 Feedback>).

View all 33 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951&gt;
• <http://www.snort.org/dl/snort-1.9.1.tar.gz&gt;
• http://marc.theaimsgroup.com/?l=bugtraq&m=104673386226064&w=2
• <http://www.iss.net/security_center/static/10956.php&gt;

Acknowledgements

Thanks to ISS X-Force for discovering this vulnerability, and to Martin Roesch for his assistance in developing this document.

This document was written by Cory F. Cohen.

Other Information

CVE IDs:	CVE-2003-0033
CERT Advisory:	CA-2003-13 Severity Metric: