UDP: Snort frag3 Preprocessor Fragmented IP Packet Detection Evasion

This signature detects attempts to exploit a known vulnerability in Snort's frag3 preprocessor. The vulnerability is caused by improper processing of IP options in fragmented IP packets by the vulnerable preprocessor. An attacker may exploit it by sending crafted fragmented IP packets to bypass Snort's detection or, in certain circumstances, to terminate the Snort process. In a successful attack, the attacker delivers a malicious payload that the Snort IDS would normally recognize to the target system without raising an alert. Because exploitation of this vulnerability results in a detection bypass only, there is no discernible change in the behaviour of the target host. In the special case of an attack aimed at denial of service, the Snort process terminates and the IDS functionality is lost with it: malicious traffic that Snort would otherwise detect reaches the protected target undetected until the Snort process is restarted manually.

Extended Description

The frag3 preprocessor in Sourcefire Snort 2.4.3 does not properly reassemble certain fragmented packets with IP options, which allows remote attackers to evade detection of certain attacks, possibly related to IP option lengths.

Affected Products

Sourcefire snort

References

BugTraq: 16705

CVE: CVE-2006-0839

Short Name
UDP:SNORT-FRAG3-DETECTION
Severity
Major
Recommended
False
Recommended Action
None
Category
UDP
Keywords
CVE-2006-0839 Detection Evasion Fragmented IP Packet Preprocessor Snort bid:16705 frag3
Release Date
06/12/2015
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3336
Port
UDP/9999
False Positive
Unknown
Vendors

Sourcefire

CVSS Score

5.0