Users login

Create an account »


Users login

Home » Hacking News » Snort leaves networks open to intrusion

Snort leaves networks open to intrusion

by Nikola Strahija on October 20th, 2005 Security researchers discovered that Snort could leave networks open to attack. Snort component used to handle packets from the Back Orifice hacking tool is to blame for this.

The bug allows an attacker to take complete control of a Snort sensor, granting root priveleges and allowing for further system compromise, according to Internet Security Systems (ISS), which originally discovered the flaw.

Snort is widely used, and is also the basis for many commercial IDS and IPS products, which are also likely to be affected, ISS said. The bug can be triggered with a single UDP packet targeting nearly any port, which could make it easier to get around perimeter firewalls.

An attacker doesn't need to target a particular Snort installation, but just to aim at a network that may be monitored by Snort, ISS said. These factors mean the bug is likely to be exploited by a worm, the company said.
-Due to the trivial nature of this vulnerability and its potential to bypass perimeter firewalls, there is grave concern that this issue might be exploited as part of a network-based worm, said ISS in its advisory.

ISS, US-CERT and Sourcefire, company that produced Snort, all published advisories on the flaw on Tuesday, along with a patched version of Snort and instructions for reducing the danger from the flaw.

Sourcefire disagreed with ISS over the severity of the flaw: -It is more likely that an attacker could use the vulnerability as a denial of service attack, it stated.

The bug affects all Snort versions since 2.4.0, and has been fixed in the new version 2.4.3

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »