While I'm sending out vulnerabilities, there is a new Snort RPC vulnerability. Sourcefire users have a patch available right now. Those of you that purchased your Sourcefire unit(s) from Anitian can contact me for more detailed instructions or assistance. Here is the Snort text from their web page: --------------------------------------------------- A buffer overflow has been found in the snort RPC normalization routines by ISS X-Force. This can cause snort to execute arbitrary code embedded within sniffed network packets. This preprocessor is enabled by default. Snort 1.9.1 has been released to resolve this issue. For users using CVS HEAD, a fix has been committed to the source tree. If you are in an environment that can not upgrade snort immediately, comment out the line in your snort.conf that begins: preprocessor rpc_decode and replace it with: # preprocessor rpc_decode I guess the ISS X-force has been busy breaking things this week. If you run snort, get the 1.9.1 build if possible. The instructions here just shut off the RPC pre-processor which is a quick temporary fix, but it will make it impossible to monitor fragmented RPC traffic. ___________________________________ Andrew Plato, CISSP President / Principal Consultant Anitian Corporation Enterprise Security & Infrastructure Solutions 503-644-5656 Office 503-644-8574 Fax 503-201-0821 Mobile www.anitian.com ___________________________________
This archive was generated by hypermail 2b30 : Mon Mar 03 2003 - 13:50:18 PST