var-200702-0378
Vulnerability from variot
Stack-based buffer overflow in the DCE/RPC preprocessor in Snort before 2.6.1.3, and 2.7 before beta 2; and Sourcefire Intrusion Sensor; allows remote attackers to execute arbitrary code via crafted SMB traffic. Snort IDS and Sourcefire Intrusion Sensor are prone to a stack-based buffer-overflow vulnerability because the network intrusion detection (NID) systems fail to handle specially crafted 'DCE' and 'RPC' network packets. An attacker can exploit this issue to execute malicious code in the context of the user running the affected application. Failed attempts will likely cause these applications to crash. The software provides functions such as packet sniffing, packet analysis, and packet inspection. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA07-050A
Sourcefire Snort DCE/RPC Preprocessor Buffer Overflow
Original release date: February 19, 2007 Last revised: -- Source: US-CERT
Systems Affected
* Snort 2.6.1, 2.6.1.1, and 2.6.1.2
* Snort 2.7.0 beta 1
* Sourcefire Intrusion Sensors version 4.1.x, 4.5.x, and 4.6x with
SEUs prior to SEU 64
* Sourcefire Intrusion Sensors for Crossbeam version 4.1.x, 4.5.x,
and 4.6x with SEUs prior to SEU 64
Other products that use Snort or Snort components may be affected.
I. The DCE/RPC preprocessor reassembles fragmented SMB and DCE/RPC traffic before passing data to the Snort rules.
The vulnerable code does not properly reassemble certain types of SMB and DCE/RPC packets. An attacker could exploit this vulnerability by sending a specially crafted TCP packet to a host or network monitored by Snort. The DCE/RPC preprocessor is enabled by default, and it is not necessary for an attacker to complete a TCP handshake.
US-CERT is tracking this vulnerability as VU#196240. This vulnerability has been assigned CVE number CVE-2006-5276. Further information is available in advisories from Sourcefire and ISS.
II.
III. Solution
Upgrade
Snort 2.6.1.3 is available from the Snort download site. Sourcefire customers should visit the Sourcefire Support Login site.
Disable the DCE/RPC Preprocessor
To disable the DCE/RPC preprocessor, comment out the line that loads the preprocessor in the Snort configuration file (typically /etc/snort.conf on UNIX and Linux systems):
[/etc/snort.conf]
...
#preprocessor dcerpc...
Restart Snort for the change to take effect.
Disabling the preprocessor will prevent Snort from reassembling fragmented SMB and DCE/RPC packets. This may allow attacks to evade the IDS.
IV. References
* US-CERT Vulnerability Note VU#196240 -
<http://www.kb.cert.org/vuls/id/196240>
* Sourcefire Advisory 2007-02-19 -
<http://www.snort.org/docs/advisory-2007-02-19.html>
* Sourcefire Support Login - <https://support.sourcefire.com/>
* Sourcefire Snort Release Notes for 2.6.1.3 -
<http://www.snort.org/docs/release_notes/release_notes_2613.txt>
* Snort downloads - <http://www.snort.org/dl/>
* DCE/RPC Preprocessor -
<http://www.snort.org/docs/snort_htmanuals/htmanual_261/node104.html>
* IBM Internet Security Systems Protection Advisory -
<http://iss.net/threats/257.html>
* CVE-2006-5276 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-5276>
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA07-050A.html>
Feedback can be directed to US-CERT Technical Staff. Please send email to cert@cert.org with "TA07-050A Feedback VU#196240" in the subject.
For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html.
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
Revision History
February 19, 2007: Initial Release
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRdop4+xOF3G+ig+rAQKdtAgAhQY66LRfVlNkH30Q5RI0gIo5Vhu14yDP qulLEyzjDhC7gDHWBGQYdE9eCy9Yf3P4BfKJS0766he/7CFn+BaDs7ohnXaynHQq +kMYNBMBg2RbrGKfOGRLHc0P6X1tSP3w45IppjOv9Yo5SUVDCa7beZWURCIKZyp6 OuYXtnpiGNctHgeU56US0sfuKj8qP7KOd9pCDRDQRhJ3UUd9wDpXee66HBxchh+w RSIQiMxisOX9mMYBW3z4DM/lb7PxXoa2Q7DwjM1NIOe/0tAObCOvF4uYhOLCVyNg +EbcN9123V0PW95FITlHXvJU6K8srnnK+Fhpfyi4vg5bYeEF2WiUrg== =T7v8 -----END PGP SIGNATURE----- . February 19, 2007
Summary:
Sourcefire has learned of a remotely exploitable vulnerability in the Snort DCE/RPC preprocessor. Sourcefire has prepared updates for Snort open-source software to address this issue.
Mitigating Factors:
Users who have disabled the DCE/RPC preprocessor are not vulnerable.
Recommended Actions:
- Open-source Snort 2.6.1.x users are advised to upgrade to Snort 2.6.1.3 (or later) immediately.
- Open-source Snort 2.7 beta users are advised to mitigate this issue by disabling the DCE/RPC preprocessor. This issue will be resolved in Snort 2.7 beta 2.
Workarounds:
Snort users who cannot upgrade immediately are advised to disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic. After upgrading, customers should reenable the DCE/RPC preprocessor.
Detecting Attacks Against This Vulnerability:
Sourcefire will be releasing a rule pack that provides detection for attacks against this vulnerability.
Has Sourcefire received any reports that this vulnerability has been exploited? - No. Sourcefire has not received any reports that this vulnerability has been exploited.
Acknowledgments:
Sourcefire would like to thank Neel Mehta from IBM X-Force for reporting this issue and working with us to resolve it.
Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Snort-announce mailing list Snort-announce@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/snort-announce .
Resolution
All Snort users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/snort-2.6.1.3"
References
[ 1 ] CVE-2006-5276 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5276
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200703-01.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.
License
Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200702-0378", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "snort", "scope": "eq", "trust": 2.4, "vendor": "snort", "version": "2.6.1.1" }, { "model": "snort", "scope": "eq", "trust": 2.4, "vendor": "snort", "version": "2.6.1" }, { "model": "snort", "scope": "eq", "trust": 1.6, "vendor": "snort", "version": "2.7_beta1" }, { "model": "snort", "scope": "eq", "trust": 1.4, "vendor": "snort", "version": "2.6.1.2" }, { "model": "intrusion sensor", "scope": "eq", "trust": 1.0, "vendor": "sourcefire", "version": "4.5" }, { "model": "intrusion sensor", "scope": "eq", "trust": 1.0, "vendor": "sourcefire", "version": "4.6" }, { "model": "intrusion sensor", "scope": "eq", "trust": 1.0, "vendor": "sourcefire", "version": "4.1" }, { "model": "snort", "scope": "lte", "trust": 1.0, "vendor": "snort", "version": "2.6.1.2" }, { "model": null, "scope": null, "trust": 0.8, "vendor": "gentoo linux", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "nortel", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "snort", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "sourcefire", "version": null }, { "model": "intrusion sensor", "scope": "eq", "trust": 0.8, "vendor": "sourcefire", "version": "4.5.x" }, { "model": "snort", "scope": "eq", "trust": 0.8, "vendor": "snort", "version": "2.7.0 beta 1" }, { "model": "intrusion sensor", "scope": "eq", "trust": 0.8, "vendor": "sourcefire", "version": "for crossbeam version 4.1.x" }, { "model": "intrusion sensor", "scope": "lt", "trust": 0.8, "vendor": "sourcefire", "version": "4.6x of seu 64 earlier versions" }, { "model": "intrusion sensor", "scope": "eq", "trust": 0.8, "vendor": "sourcefire", "version": "version 4.1.x" }, { "model": "project snort", "scope": "eq", "trust": 0.3, "vendor": "snort", "version": "2.6.1.2" }, { "model": "project snort", "scope": "eq", "trust": 0.3, "vendor": "snort", "version": "2.6.1.1" }, { "model": "project snort", "scope": "eq", "trust": 0.3, "vendor": "snort", "version": "2.6.1" }, { "model": "project snort beta", "scope": "eq", "trust": 0.3, "vendor": "snort", "version": "2.7.01" }, { "model": "opensuse", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "10.1" }, { "model": "fedora core7", "scope": null, "trust": 0.3, "vendor": "redhat", "version": null }, { "model": "enterprise linux as", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "4" }, { "model": "networks threat protection system intrusion sensor", "scope": "eq", "trust": 0.3, "vendor": "nortel", "version": "4.1" }, { "model": "networks threat protection system intrusion sensor", "scope": "eq", "trust": 0.3, "vendor": "nortel", "version": "4.6" }, { "model": "networks threat protection system intrusion sensor", "scope": "eq", "trust": 0.3, "vendor": "nortel", "version": "4.5" }, { "model": "networks threat protection system defense center", "scope": "eq", "trust": 0.3, "vendor": "nortel", "version": "4.1" }, { "model": "networks threat protection system defense center", "scope": "eq", "trust": 0.3, "vendor": "nortel", "version": "4.6" }, { "model": "networks threat protection system defense center", "scope": "eq", "trust": 0.3, "vendor": "nortel", "version": "4.5" }, { "model": "net-analyzer/snort", "scope": "eq", "trust": 0.3, "vendor": "gentoo", "version": "2.6.1" }, { "model": "linux sparc", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "4.0" }, { "model": "linux s/390", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "4.0" }, { "model": "linux powerpc", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "4.0" }, { "model": "linux mipsel", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "4.0" }, { "model": "linux mips", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "4.0" }, { "model": "linux m68k", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "4.0" }, { "model": "linux ia-64", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "4.0" }, { "model": "linux ia-32", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "4.0" }, { "model": "linux hppa", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "4.0" }, { "model": "linux arm", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "4.0" }, { "model": "linux amd64", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "4.0" }, { "model": "linux alpha", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "4.0" }, { "model": "linux", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "4.0" }, { "model": "project snort", "scope": "ne", "trust": 0.3, "vendor": "snort", "version": "2.6.1.3" }, { "model": "net-analyzer/snort", "scope": "ne", "trust": 0.3, "vendor": "gentoo", "version": "2.6.1.3" } ], "sources": [ { "db": "CERT/CC", "id": "VU#196240" }, { "db": "BID", "id": "22616" }, { "db": "JVNDB", "id": "JVNDB-2007-000170" }, { "db": "CNNVD", "id": "CNNVD-200702-347" }, { "db": "NVD", "id": "CVE-2006-5276" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "cpe_match": [ { "cpe22Uri": "cpe:/a:snort:snort", "vulnerable": true }, { "cpe22Uri": "cpe:/a:sourcefire:intrusion_sensor", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2007-000170" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Neel Mehta", "sources": [ { "db": "CNNVD", "id": "CNNVD-200702-347" } ], "trust": 0.6 }, "cve": "CVE-2006-5276", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 10.0, "id": "CVE-2006-5276", "impactScore": 10.0, "integrityImpact": "COMPLETE", "severity": "HIGH", "trust": 1.9, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "VULHUB", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 10.0, "id": "VHN-21384", "impactScore": 10.0, "integrityImpact": "COMPLETE", "severity": "HIGH", "trust": 0.1, "vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2006-5276", "trust": 1.0, "value": "HIGH" }, { "author": "CARNEGIE MELLON", "id": "VU#196240", "trust": 0.8, "value": "23.63" }, { "author": "NVD", "id": "CVE-2006-5276", "trust": 0.8, "value": "High" }, { "author": "CNNVD", "id": "CNNVD-200702-347", "trust": 0.6, "value": "CRITICAL" }, { "author": "VULHUB", "id": "VHN-21384", "trust": 0.1, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2006-5276", "trust": 0.1, "value": "HIGH" } ] } ], "sources": [ { "db": "CERT/CC", "id": "VU#196240" }, { "db": "VULHUB", "id": "VHN-21384" }, { "db": "VULMON", "id": "CVE-2006-5276" }, { "db": "JVNDB", "id": "JVNDB-2007-000170" }, { "db": "CNNVD", "id": "CNNVD-200702-347" }, { "db": "NVD", "id": "CVE-2006-5276" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Stack-based buffer overflow in the DCE/RPC preprocessor in Snort before 2.6.1.3, and 2.7 before beta 2; and Sourcefire Intrusion Sensor; allows remote attackers to execute arbitrary code via crafted SMB traffic. Snort IDS and Sourcefire Intrusion Sensor are prone to a stack-based buffer-overflow vulnerability because the network intrusion detection (NID) systems fail to handle specially crafted \u0027DCE\u0027 and \u0027RPC\u0027 network packets. \nAn attacker can exploit this issue to execute malicious code in the context of the user running the affected application. Failed attempts will likely cause these applications to crash. The software provides functions such as packet sniffing, packet analysis, and packet inspection. \n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n\n National Cyber Alert System\n\n Technical Cyber Security Alert TA07-050A\n\n\nSourcefire Snort DCE/RPC Preprocessor Buffer Overflow\n\n Original release date: February 19, 2007\n Last revised: --\n Source: US-CERT\n\n\nSystems Affected\n\n * Snort 2.6.1, 2.6.1.1, and 2.6.1.2\n * Snort 2.7.0 beta 1\n * Sourcefire Intrusion Sensors version 4.1.x, 4.5.x, and 4.6x with\n SEUs prior to SEU 64\n * Sourcefire Intrusion Sensors for Crossbeam version 4.1.x, 4.5.x,\n and 4.6x with SEUs prior to SEU 64\n\n Other products that use Snort or Snort components may be affected. \n\n\nI. The DCE/RPC\n preprocessor reassembles fragmented SMB and DCE/RPC traffic before\n passing data to the Snort rules. \n\n The vulnerable code does not properly reassemble certain types of\n SMB and DCE/RPC packets. An attacker could exploit this\n vulnerability by sending a specially crafted TCP packet to a host\n or network monitored by Snort. The DCE/RPC preprocessor is enabled\n by default, and it is not necessary for an attacker to complete a\n TCP handshake. \n\n US-CERT is tracking this vulnerability as VU#196240. This\n vulnerability has been assigned CVE number CVE-2006-5276. Further\n information is available in advisories from Sourcefire and ISS. \n\n\nII. \n\n\nIII. Solution\n\nUpgrade\n\n Snort 2.6.1.3 is available from the Snort download site. Sourcefire\n customers should visit the Sourcefire Support Login site. \n\nDisable the DCE/RPC Preprocessor\n\n To disable the DCE/RPC preprocessor, comment out the line that loads\n the preprocessor in the Snort configuration file (typically\n /etc/snort.conf on UNIX and Linux systems):\n\n [/etc/snort.conf]\n ... \n #preprocessor dcerpc... \n \n Restart Snort for the change to take effect. \n\n Disabling the preprocessor will prevent Snort from reassembling\n fragmented SMB and DCE/RPC packets. This may allow attacks to evade\n the IDS. \n\n\nIV. References\n\n * US-CERT Vulnerability Note VU#196240 -\n \u003chttp://www.kb.cert.org/vuls/id/196240\u003e\n\n * Sourcefire Advisory 2007-02-19 -\n \u003chttp://www.snort.org/docs/advisory-2007-02-19.html\u003e\n\n * Sourcefire Support Login - \u003chttps://support.sourcefire.com/\u003e\n\n * Sourcefire Snort Release Notes for 2.6.1.3 -\n \u003chttp://www.snort.org/docs/release_notes/release_notes_2613.txt\u003e\n\n * Snort downloads - \u003chttp://www.snort.org/dl/\u003e\n\n * DCE/RPC Preprocessor -\n \u003chttp://www.snort.org/docs/snort_htmanuals/htmanual_261/node104.html\u003e\n\n * IBM Internet Security Systems Protection Advisory -\n \u003chttp://iss.net/threats/257.html\u003e\n\n * CVE-2006-5276 -\n \u003chttp://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-5276\u003e\n\n\n ____________________________________________________________________\n\n The most recent version of this document can be found at:\n\n \u003chttp://www.us-cert.gov/cas/techalerts/TA07-050A.html\u003e\n ____________________________________________________________________\n\n Feedback can be directed to US-CERT Technical Staff. Please send\n email to \u003ccert@cert.org\u003e with \"TA07-050A Feedback VU#196240\" in the\n subject. \n ____________________________________________________________________\n\n For instructions on subscribing to or unsubscribing from this\n mailing list, visit \u003chttp://www.us-cert.gov/cas/signup.html\u003e. \n ____________________________________________________________________\n\n Produced 2007 by US-CERT, a government organization. \n\n Terms of use:\n\n \u003chttp://www.us-cert.gov/legal.html\u003e\n ____________________________________________________________________\n\n\nRevision History\n\n February 19, 2007: Initial Release\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.2.1 (GNU/Linux)\n\niQEVAwUBRdop4+xOF3G+ig+rAQKdtAgAhQY66LRfVlNkH30Q5RI0gIo5Vhu14yDP\nqulLEyzjDhC7gDHWBGQYdE9eCy9Yf3P4BfKJS0766he/7CFn+BaDs7ohnXaynHQq\n+kMYNBMBg2RbrGKfOGRLHc0P6X1tSP3w45IppjOv9Yo5SUVDCa7beZWURCIKZyp6\nOuYXtnpiGNctHgeU56US0sfuKj8qP7KOd9pCDRDQRhJ3UUd9wDpXee66HBxchh+w\nRSIQiMxisOX9mMYBW3z4DM/lb7PxXoa2Q7DwjM1NIOe/0tAObCOvF4uYhOLCVyNg\n+EbcN9123V0PW95FITlHXvJU6K8srnnK+Fhpfyi4vg5bYeEF2WiUrg==\n=T7v8\n-----END PGP SIGNATURE-----\n. February 19, 2007\n\nSummary:\n\nSourcefire has learned of a remotely exploitable vulnerability in the \nSnort DCE/RPC preprocessor. Sourcefire \nhas prepared updates for Snort open-source software to address this issue. \n\n\nMitigating Factors:\n\nUsers who have disabled the DCE/RPC preprocessor are not vulnerable. \n\n\nRecommended Actions:\n\n* Open-source Snort 2.6.1.x users are advised to upgrade to Snort \n2.6.1.3 (or later) immediately. \n* Open-source Snort 2.7 beta users are advised to mitigate this issue by \ndisabling the DCE/RPC preprocessor. \n This issue will be resolved in Snort 2.7 beta 2. \n\n\nWorkarounds:\n\nSnort users who cannot upgrade immediately are advised to disable the \nDCE/RPC preprocessor by removing the DCE/RPC preprocessor directives \nfrom snort.conf and restarting Snort. However, be advised that disabling \nthe DCE/RPC preprocessor reduces detection capabilities for attacks in \nDCE/RPC traffic. After upgrading, customers should reenable the DCE/RPC \npreprocessor. \n\n\nDetecting Attacks Against This Vulnerability:\n\nSourcefire will be releasing a rule pack that provides detection for \nattacks against this vulnerability. \n\nHas Sourcefire received any reports that this vulnerability has been \nexploited?\n- No. Sourcefire has not received any reports that this vulnerability \nhas been exploited. \n\n\nAcknowledgments:\n\nSourcefire would like to thank Neel Mehta from IBM X-Force for reporting \nthis issue and working with us to resolve it. \n\n\n-------------------------------------------------------------------------\nTake Surveys. Earn Cash. Influence the Future of IT\nJoin SourceForge.net\u0027s Techsay panel and you\u0027ll get the chance to share your\nopinions on IT \u0026 business topics through brief surveys-and earn cash\nhttp://www.techsay.com/default.php?page=join.php\u0026p=sourceforge\u0026CID=DEVDEV\n_______________________________________________\nSnort-announce mailing list\nSnort-announce@lists.sourceforge.net\nhttps://lists.sourceforge.net/lists/listinfo/snort-announce\n. \n\nResolution\n==========\n\nAll Snort users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-analyzer/snort-2.6.1.3\"\n\nReferences\n==========\n\n [ 1 ] CVE-2006-5276\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5276\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n http://security.gentoo.org/glsa/glsa-200703-01.xml\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttp://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2007 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n", "sources": [ { "db": "NVD", "id": "CVE-2006-5276" }, { "db": "CERT/CC", "id": "VU#196240" }, { "db": "JVNDB", "id": "JVNDB-2007-000170" }, { "db": "BID", "id": "22616" }, { "db": "VULHUB", "id": "VHN-21384" }, { "db": "VULMON", "id": "CVE-2006-5276" }, { "db": "PACKETSTORM", "id": "54569" }, { "db": "PACKETSTORM", "id": "54522" }, { "db": "PACKETSTORM", "id": "54834" } ], "trust": 3.06 }, "exploit_availability": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=3609", "trust": 0.4, "type": "exploit" }, { "reference": "https://www.scap.org.cn/vuln/vhn-21384", "trust": 0.1, "type": "unknown" } ], "sources": [ { "db": "VULHUB", "id": "VHN-21384" }, { "db": "VULMON", "id": "CVE-2006-5276" } ] }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "CERT/CC", "id": "VU#196240", "trust": 3.8 }, { "db": "NVD", "id": "CVE-2006-5276", "trust": 3.2 }, { "db": "BID", "id": "22616", "trust": 2.9 }, { "db": "USCERT", "id": "TA07-050A", "trust": 2.7 }, { "db": "SECUNIA", "id": "24272", "trust": 2.6 }, { "db": "SECUNIA", "id": "24190", "trust": 2.6 }, { "db": "SECUNIA", "id": "24235", "trust": 2.6 }, { "db": "SECUNIA", "id": "24239", "trust": 1.8 }, { "db": "SECUNIA", "id": "26746", "trust": 1.8 }, { "db": "SECUNIA", "id": "24240", "trust": 1.8 }, { "db": "SECTRACK", "id": "1017669", "trust": 1.8 }, { "db": "SECTRACK", "id": "1017670", "trust": 1.8 }, { "db": "EXPLOIT-DB", "id": "3362", "trust": 1.8 }, { "db": "VUPEN", "id": "ADV-2007-0668", "trust": 1.8 }, { "db": "VUPEN", "id": "ADV-2007-0656", "trust": 1.8 }, { "db": "OSVDB", "id": "32094", "trust": 1.8 }, { "db": "XF", "id": "31275", "trust": 1.4 }, { "db": "JVNDB", "id": "JVNDB-2007-000170", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-200702-347", "trust": 0.7 }, { "db": "CERT/CC", "id": "TA07-050A", "trust": 0.6 }, { "db": "GENTOO", "id": "GLSA-200703-01", "trust": 0.6 }, { "db": "MILW0RM", "id": "3362", "trust": 0.6 }, { "db": "ISS", "id": "20070219 SOURCEFIRE SNORT REMOTE BUFFER OVERFLOW", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20070303 ERRATA: [ GLSA 200703-01 ] SNORT: REMOTE EXECUTION OF ARBITRARY CODE", "trust": 0.6 }, { "db": "FEDORA", "id": "FEDORA-2007-2060", "trust": 0.6 }, { "db": "EXPLOIT-DB", "id": "3609", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "54522", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "54569", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "54834", "trust": 0.2 }, { "db": "SEEBUG", "id": "SSVID-72771", "trust": 0.1 }, { "db": "EXPLOIT-DB", "id": "18723", "trust": 0.1 }, { "db": "EXPLOIT-DB", "id": "3391", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "111677", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "54632", "trust": 0.1 }, { "db": "VULHUB", "id": "VHN-21384", "trust": 0.1 }, { "db": "VULMON", "id": "CVE-2006-5276", "trust": 0.1 } ], "sources": [ { "db": "CERT/CC", "id": "VU#196240" }, { "db": "VULHUB", "id": "VHN-21384" }, { "db": "VULMON", "id": "CVE-2006-5276" }, { "db": "BID", "id": "22616" }, { "db": "JVNDB", "id": "JVNDB-2007-000170" }, { "db": "PACKETSTORM", "id": "54569" }, { "db": "PACKETSTORM", "id": "54522" }, { "db": "PACKETSTORM", "id": "54834" }, { "db": "CNNVD", "id": "CNNVD-200702-347" }, { "db": "NVD", "id": "CVE-2006-5276" } ] }, "id": "VAR-200702-0378", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-21384" } ], "trust": 0.01 }, "last_update_date": "2024-11-29T22:58:37.276000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Latest changelog : 2.6.1.3", "trust": 0.8, "url": "http://www.snort.org/dl/" }, { "title": "2007-02-19 Sourcefire Advisory: Vulnerability in Snort DCE/RPC Preprocessor", "trust": 0.8, "url": "http://www.snort.org/docs/advisory-2007-02-19.html" }, { "title": "Sourcefire Support Login", "trust": 0.8, "url": "https://support.sourcefire.com/" }, { "title": "Top Page", "trust": 0.8, "url": "http://www.sourcefire.com/" }, { "title": "Detection for Vulnerability in Snort DCE/RPC Pre-processor", "trust": 0.8, "url": "http://www.sourcefire.com/services/advisories/sa022007.html" }, { "title": "vrt-rules-2007-02-20", "trust": 0.8, "url": "http://www.snort.org/vrt/advisories/vrt-rules-2007-02-20.html" }, { "title": "LinuxFlaw", "trust": 0.1, "url": "https://github.com/mudongliang/LinuxFlaw " } ], "sources": [ { "db": "VULMON", "id": "CVE-2006-5276" }, { "db": "JVNDB", "id": "JVNDB-2007-000170" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-Other", "trust": 1.0 } ], "sources": [ { "db": "NVD", "id": "CVE-2006-5276" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 3.0, "url": "http://www.kb.cert.org/vuls/id/196240" }, { "trust": 2.9, "url": "http://www.snort.org/docs/advisory-2007-02-19.html" }, { "trust": 2.6, "url": "http://iss.net/threats/257.html" }, { "trust": 2.6, "url": "http://www.securityfocus.com/bid/22616" }, { "trust": 2.6, "url": "http://www.us-cert.gov/cas/techalerts/ta07-050a.html" }, { "trust": 1.9, "url": "http://security.gentoo.org/glsa/glsa-200703-01.xml" }, { "trust": 1.8, "url": "http://www116.nortelnetworks.com/pub/repository/clarify/document/2007/08/021923-01.pdf" }, { "trust": 1.8, "url": "http://fedoranews.org/updates/fedora-2007-206.shtml" }, { "trust": 1.8, "url": "https://bugzilla.redhat.com/show_bug.cgi?id=229265" }, { "trust": 1.8, "url": "http://www.osvdb.org/32094" }, { "trust": 1.8, "url": "http://www.securitytracker.com/id?1017669" }, { "trust": 1.8, "url": "http://www.securitytracker.com/id?1017670" }, { "trust": 1.8, "url": "http://secunia.com/advisories/24190" }, { "trust": 1.8, "url": "http://secunia.com/advisories/24235" }, { "trust": 1.8, "url": "http://secunia.com/advisories/24239" }, { "trust": 1.8, "url": "http://secunia.com/advisories/24240" }, { "trust": 1.8, "url": "http://secunia.com/advisories/24272" }, { "trust": 1.8, "url": "http://secunia.com/advisories/26746" }, { "trust": 1.7, "url": "http://www130.nortelnetworks.com/go/main.jsp?cscat=bltndetail\u0026documentoid=540173" }, { "trust": 1.4, "url": "http://xforce.iss.net/xforce/xfdb/31275" }, { "trust": 1.2, "url": "http://www.securityfocus.com/archive/1/461810/100/0/threaded" }, { "trust": 1.2, "url": "https://www.exploit-db.com/exploits/3362" }, { "trust": 1.2, "url": "http://www.vupen.com/english/advisories/2007/0656" }, { "trust": 1.2, "url": "http://www.vupen.com/english/advisories/2007/0668" }, { "trust": 1.2, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31275" }, { "trust": 0.9, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-5276" }, { "trust": 0.8, "url": "https://support.sourcefire.com/" }, { "trust": 0.8, "url": "http://www.snort.org/docs/snort_htmanuals/htmanual_261/node104.html" }, { "trust": 0.8, "url": "http://www.snort.org/docs/release_notes/release_notes_2613.txt" }, { "trust": 0.8, "url": "http://www.snort.org/dl/" }, { "trust": 0.8, "url": "http://secunia.com/advisories/24235/" }, { "trust": 0.8, "url": "http://secunia.com/advisories/24190/" }, { "trust": 0.8, "url": "http://secunia.com/advisories/24272/" }, { "trust": 0.8, "url": "http://jvn.jp/cert/jvnta07-050a/index.html" }, { "trust": 0.8, "url": "http://jvn.jp/tr/trta07-050a/index.html" }, { "trust": 0.8, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2006-5276" }, { "trust": 0.6, "url": "http://www.securityfocus.com/archive/1/archive/1/461810/100/0/threaded" }, { "trust": 0.6, "url": "http://www.milw0rm.com/exploits/3362" }, { "trust": 0.6, "url": "http://www.frsirt.com/english/advisories/2007/0668" }, { "trust": 0.6, "url": "http://www.frsirt.com/english/advisories/2007/0656" }, { "trust": 0.3, "url": "https://www.it-isac.org/postings/cyber/alertdetail.php?id=4108\u0026menutype=menupublic" }, { "trust": 0.3, "url": "http://www.snort.org/" }, { "trust": 0.3, "url": "http://www130.nortelnetworks.com/go/main.jsp?cscat=bltndetail\u0026documentoid=540173\u0026renditionid=\u0026poid=null" }, { "trust": 0.3, "url": "https://nvd.nist.gov/vuln/detail/cve-2006-5276" }, { "trust": 0.1, "url": "http://www130.nortelnetworks.com/go/main.jsp?cscat=bltndetail\u0026amp;documentoid=540173" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/.html" }, { "trust": 0.1, "url": "https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2006-5276" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://www.rapid7.com/db/modules/exploit/multi/ids/snort_dce_rpc" }, { "trust": 0.1, "url": "https://www.exploit-db.com/exploits/3609/" }, { "trust": 0.1, "url": "http://www.snort.org/docs/snort_htmanuals/htmanual_261/node104.html\u003e" }, { "trust": 0.1, "url": "http://www.us-cert.gov/cas/techalerts/ta07-050a.html\u003e" }, { "trust": 0.1, "url": "http://iss.net/threats/257.html\u003e" }, { "trust": 0.1, "url": "http://www.us-cert.gov/cas/signup.html\u003e." }, { "trust": 0.1, "url": "https://support.sourcefire.com/\u003e" }, { "trust": 0.1, "url": "http://www.kb.cert.org/vuls/id/196240\u003e" }, { "trust": 0.1, "url": "http://www.snort.org/dl/\u003e" }, { "trust": 0.1, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-5276\u003e" }, { "trust": 0.1, "url": "http://www.us-cert.gov/legal.html\u003e" }, { "trust": 0.1, "url": "http://www.snort.org/docs/advisory-2007-02-19.html\u003e" }, { "trust": 0.1, "url": "http://www.snort.org/docs/release_notes/release_notes_2613.txt\u003e" }, { "trust": 0.1, "url": "http://www.techsay.com/default.php?page=join.php\u0026p=sourceforge\u0026cid=devdev" }, { "trust": 0.1, "url": "https://lists.sourceforge.net/lists/listinfo/snort-announce" }, { "trust": 0.1, "url": "http://bugs.gentoo.org." }, { "trust": 0.1, "url": "http://creativecommons.org/licenses/by-sa/2.5" }, { "trust": 0.1, "url": "http://security.gentoo.org/" } ], "sources": [ { "db": "CERT/CC", "id": "VU#196240" }, { "db": "VULHUB", "id": "VHN-21384" }, { "db": "VULMON", "id": "CVE-2006-5276" }, { "db": "BID", "id": "22616" }, { "db": "JVNDB", "id": "JVNDB-2007-000170" }, { "db": "PACKETSTORM", "id": "54569" }, { "db": "PACKETSTORM", "id": "54522" }, { "db": "PACKETSTORM", "id": "54834" }, { "db": "CNNVD", "id": "CNNVD-200702-347" }, { "db": "NVD", "id": "CVE-2006-5276" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CERT/CC", "id": "VU#196240" }, { "db": "VULHUB", "id": "VHN-21384" }, { "db": "VULMON", "id": "CVE-2006-5276" }, { "db": "BID", "id": "22616" }, { "db": "JVNDB", "id": "JVNDB-2007-000170" }, { "db": "PACKETSTORM", "id": "54569" }, { "db": "PACKETSTORM", "id": "54522" }, { "db": "PACKETSTORM", "id": "54834" }, { "db": "CNNVD", "id": "CNNVD-200702-347" }, { "db": "NVD", "id": "CVE-2006-5276" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2007-02-19T00:00:00", "db": "CERT/CC", "id": "VU#196240" }, { "date": "2007-02-20T00:00:00", "db": "VULHUB", "id": "VHN-21384" }, { "date": "2007-02-20T00:00:00", "db": "VULMON", "id": "CVE-2006-5276" }, { "date": "2007-02-19T00:00:00", "db": "BID", "id": "22616" }, { "date": "2007-04-01T00:00:00", "db": "JVNDB", "id": "JVNDB-2007-000170" }, { "date": "2007-02-23T03:05:45", "db": "PACKETSTORM", "id": "54569" }, { "date": "2007-02-20T01:23:04", "db": "PACKETSTORM", "id": "54522" }, { "date": "2007-03-06T06:25:25", "db": "PACKETSTORM", "id": "54834" }, { "date": "2007-02-19T00:00:00", "db": "CNNVD", "id": "CNNVD-200702-347" }, { "date": "2007-02-20T01:28:00", "db": "NVD", "id": "CVE-2006-5276" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2008-01-30T00:00:00", "db": "CERT/CC", "id": "VU#196240" }, { "date": "2018-10-17T00:00:00", "db": "VULHUB", "id": "VHN-21384" }, { "date": "2018-10-17T00:00:00", "db": "VULMON", "id": "CVE-2006-5276" }, { "date": "2007-11-15T00:38:00", "db": "BID", "id": "22616" }, { "date": "2007-04-01T00:00:00", "db": "JVNDB", "id": "JVNDB-2007-000170" }, { "date": "2007-05-16T00:00:00", "db": "CNNVD", "id": "CNNVD-200702-347" }, { "date": "2024-11-21T00:18:34.630000", "db": "NVD", "id": "CVE-2006-5276" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "PACKETSTORM", "id": "54569" }, { "db": "CNNVD", "id": "CNNVD-200702-347" } ], "trust": 0.7 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Sourcefire Snort DCE/RPC preprocessor does not properly reassemble fragmented packets", "sources": [ { "db": "CERT/CC", "id": "VU#196240" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "buffer overflow", "sources": [ { "db": "CNNVD", "id": "CNNVD-200702-347" } ], "trust": 0.6 } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.