Vulnerability in Snort 2.4.0 and Older

I read this news about a vulnerability in Snort 2.4.0 and older versions. You're affected if you process a malicious packet while in verbose mode. This means running Snort using the -v switch. Typically this is only used to visually inspect traffic and not for intrusion detection purposes.

Through the FrSIRT advisory I learned about the discovery of this vulnerability by A. Alejandro Hernández Hernández. An exploit is available to crash Snort. Interrupting program flow to control the system is not indicated at this time. The researcher used Fuzzball2 to send weird packets with Selective ACKnowledgement (SACK) options through Snort and find the exploit condition.

I am impressed by Sourcefire's response to this issue, as shown by the disclosure timeline:

• Flaw Discovered: 20/08/2005.
• 
  
• Vendor Notification: 22/08/2005.


• Vendor Response: 23/08/2005.


• Date Published: 11/09/2005.

Sourcefire should have credited the researcher in their vulnerability announcement, however.

You can either upgrade via CVS, wait for Snort 2.4.1, or not run Snort in verbose mode.