J-Security Center

Title: Snort/Sourcefire DCE/RPC Packet Reassembly Stack Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

Snort is a freely available, open-source network intrusion detection (NID) system. It is available for UNIX, Linux, and Microsoft Windows platforms. Sourcefire Intrusion Sensor is also a NID system for UNIX, Linux, and Microsoft Windows.

Remote attackers may trigger this vulnerability by sending specially crafted SMB network data, carried in specially crafted 'DCE' and 'RPC' network packets, to a vulnerable instance of these applications. Server Message Block (SMB) is a network protocol that is commonly used by Windows systems and by SMS to transfer files between computers.

Since no verification is done to ensure that TCP traffic is part of a valid TCP session, and because multiple 'Write AndX' requests may be aggregated in the same TCP segment, a single TCP 'PDU' (Protocol Data Unit) will trigger this vulnerability.

An attacker can exploit this issue to execute malicious code in the context of the user running the affected application. Failed attempts will likely cause these applications to crash.
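The bug class named in the title, shown from the fix side as an added example (not Snort or Sourcefire code): fragments are reassembled into a fixed-size stack buffer, and the length check has to cover the running total, because several fragments that each fit can together exceed the buffer. The buffer size, struct layout and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REASSEMBLY_CAP 64   /* hypothetical buffer size for this example */

/* One fragment of a larger message (hypothetical layout). */
struct fragment { const uint8_t *data; size_t len; };

/*
 * Copy fragments back to back into dst. Returns the total bytes written,
 * or -1 if the fragments together do not fit. The test is written as
 * len > cap - used so the arithmetic cannot wrap; used <= cap always holds.
 */
static long reassemble(uint8_t *dst, size_t cap,
                       const struct fragment *frags, size_t nfrags)
{
    size_t used = 0;
    for (size_t i = 0; i < nfrags; i++) {
        if (frags[i].len > 0 && frags[i].data == NULL)
            return -1;
        if (frags[i].len > cap - used)   /* cumulative, not per-fragment */
            return -1;
        if (frags[i].len > 0)
            memcpy(dst + used, frags[i].data, frags[i].len);
        used += frags[i].len;
    }
    return (long)used;
}

/* Reassemble n equal fragments of frag_len bytes into a stack buffer. */
static long demo(size_t frag_len, size_t n)
{
    static const uint8_t payload[REASSEMBLY_CAP] = {0};  /* constructed data */
    uint8_t stack_buf[REASSEMBLY_CAP];
    struct fragment frags[8];

    if (frag_len > sizeof payload || n > 8)
        return -1;
    for (size_t i = 0; i < n; i++)
        frags[i] = (struct fragment){ payload, frag_len };
    return reassemble(stack_buf, sizeof stack_buf, frags, n);
}

int main(void)
{
    printf("%ld %ld\n", demo(16, 4), demo(16, 5));
    return 0;
}
```

A check that only compares each fragment's length with the buffer size would accept the five 16-byte fragments in the second call and write past the end of `stack_buf`.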

Affected Products:

  • Debian Linux 4.0
  • Debian Linux 4.0 alpha
  • Debian Linux 4.0 amd64
  • Debian Linux 4.0 arm
  • Debian Linux 4.0 hppa
  • Debian Linux 4.0 ia-32
  • Debian Linux 4.0 ia-64
  • Debian Linux 4.0 m68k
  • Debian Linux 4.0 mips
  • Debian Linux 4.0 mipsel
  • Debian Linux 4.0 powerpc
  • Debian Linux 4.0 s/390
  • Debian Linux 4.0 sparc
  • Gentoo net-analyzer/snort 2.6.1
  • Nortel Networks Threat Protection System Defense Center 4.1.0
  • Nortel Networks Threat Protection System Defense Center 4.5
  • Nortel Networks Threat Protection System Defense Center 4.6
  • Nortel Networks Threat Protection System Intrusion Sensor 4.1.0
  • Nortel Networks Threat Protection System Intrusion Sensor 4.5
  • Nortel Networks Threat Protection System Intrusion Sensor 4.6
  • RedHat Enterprise Linux AS 4
  • RedHat Fedora Core 7
  • S.u.S.E. openSUSE 10.1
  • Snort Project Snort 2.6.1
  • Snort Project Snort 2.6.1.1
  • Snort Project Snort 2.6.1.2
  • Snort Project Snort 2.7.0 beta 1
