Security Hole in Snort Intrusion Detection / Prevention System

A week ago, Neel Mehta from IBM Internet Security Systems X-Force has reported a vulnerability in Snort, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests. This can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent over a network that is monitored by Snort .

Successful exploitation allows execution of arbitrary code.

The vulnerability reportedly affects the following versions:

  • Snort 2.6.1,, and
  • Snort 2.7.0 beta 1

Solution is to update to version The vendor recommends that beta users disable the DCE/RPC preprocessor.

This problem has been reported on Snort web site (here) and on Slashdot (here). Sourcefire has not received any reports that this vulnerability has been exploited.

Share this... Tweet about this on TwitterShare on LinkedInShare on FacebookShare on Google+Email this to someone

Leave a Reply