[CVE-2008-1804] Snort IP fragment TTL evasion vulnerability

Bug #235901 reported by Till Ulen
Affects          Status        Importance  Assigned to  Milestone
snort (Ubuntu)   Fix Released  Low         Unassigned
  Gutsy          Won't Fix     Undecided   Unassigned
  Hardy          Won't Fix     Undecided   Unassigned

Bug Description

Binary package hint: snort

CVE-2008-1804 description:

"Remote exploitation of a design error vulnerability in Snort [...] could allow an attacker to bypass filter rules.

Due to a design error vulnerability, Snort does not properly reassemble fragmented IP packets. When receiving incoming fragments, Snort checks the Time To Live (TTL) value of the fragment, and compares it to the TTL of the initial fragment. If the difference between the initial fragment and the following fragments is more than a configured amount, the fragments will be silently discarded. This results in valid traffic not being examined and/or filtered by Snort."
[...]
"iDefense has confirmed the existence of this vulnerability in Snort 2.8 and 2.6. Snort 2.4 is not vulnerable."

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=701

"preprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not properly identify packet fragments that have dissimilar TTL values, which allows remote attackers to bypass detection rules by using a different TTL for each fragment."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1804

Changed in snort:
importance: Undecided → Low
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snort - 2.7.0-19ubuntu1

---------------
snort (2.7.0-19ubuntu1) intrepid; urgency=low

  * src/preprocessors/flow/portscan/server_stats.c:
    - Specify mode permission during open call, fix FTBFS.
  * Apply patch from upstream CVS to let frag3 to remove enforcement of
    ttl_limit. Add preprocessor alert for min_ttl anomaly (LP: #235901).
  * References:
    - CVE-2008-1804
    - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1804

snort (2.7.0-19) unstable; urgency=low

  * Make the snort_rules_update example script use bash instead of sh.
    (Closes: #489662)

snort (2.7.0-18) unstable; urgency=low

  * Romanian debconf translation provided by Eddy Petrior (Closes: 486137)
  * Swedish debconf translation provided by Martin Bagge (Closes: 491785)

 -- Luca Falavigna <email address hidden> Mon, 15 Sep 2008 21:22:19 +0200

Changed in snort:
status: Confirmed → Fix Released
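To make the mechanism in the CVE description and the fix described in the changelog concrete, here is an added Python model of a fragment reassembler. It is an illustration written for this page, not Snort's frag3 code and not part of this bug report. The option names `ttl_limit` and `min_ttl` are taken from the changelog entry; the fragment layout, the TTL values, the `ttl_limit=5` setting and the `SIGNATURE` pattern are constructed for the example. With `ttl_limit` enforced, a fragment whose TTL differs too much from the first fragment's is dropped, the datagram never completes, and the content check never runs; with `ttl_limit` removed and `min_ttl` alerting instead, the datagram is reassembled and inspected, and a suspicious TTL produces an alert rather than silence.

```python
"""Toy model of IP fragment reassembly with and without a TTL-difference check.

Added illustration, not Snort code. It models the behaviour described in
CVE-2008-1804: a reassembler that discards fragments whose TTL differs from
the first fragment's by more than ttl_limit never completes the datagram, so
the signature engine never sees it. The fixed behaviour keeps every fragment
and only raises an alert when a fragment's TTL is below min_ttl.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    ip_id: int      # IP identification field, shared by all fragments of one datagram
    offset: int     # byte offset of this payload inside the original datagram
    more: bool      # "more fragments" flag; False only on the last fragment
    ttl: int
    payload: bytes


def reassemble(frags: List[Fragment],
               ttl_limit: Optional[int] = None,
               min_ttl: Optional[int] = None) -> Tuple[Optional[bytes], List[str]]:
    """Reassemble one datagram's fragments (all sharing ip_id).

    ttl_limit: if set, drop fragments whose TTL differs from the first seen
               fragment's TTL by more than this (the pre-2.8.1 behaviour).
    min_ttl:   if set, alert on fragments with TTL below it but keep them
               (the post-fix behaviour).
    Returns (payload, alerts); payload is None if the datagram never completed.
    """
    alerts: List[str] = []
    baseline_ttl: Optional[int] = None
    pieces: Dict[int, bytes] = {}
    total_len: Optional[int] = None

    for f in frags:
        if baseline_ttl is None:
            baseline_ttl = f.ttl
        if ttl_limit is not None and abs(f.ttl - baseline_ttl) > ttl_limit:
            # Vulnerable behaviour: silently discard, no alert, no reassembly.
            continue
        if min_ttl is not None and f.ttl < min_ttl:
            alerts.append(f"frag3: ip_id={f.ip_id} offset={f.offset} "
                          f"ttl={f.ttl} below min_ttl={min_ttl}")
        pieces[f.offset] = f.payload
        if not f.more:
            total_len = f.offset + len(f.payload)

    if total_len is None:
        return None, alerts          # last fragment never arrived

    buf = bytearray()
    for off in sorted(pieces):
        if off != len(buf):
            return None, alerts      # hole (or overlap) in the datagram
        buf += pieces[off]
    if len(buf) != total_len:
        return None, alerts
    return bytes(buf), alerts


SIGNATURE = b"constructed-bad-pattern"   # constructed stand-in for a content rule


def inspect(frags: List[Fragment],
            ttl_limit: Optional[int] = None,
            min_ttl: Optional[int] = None) -> dict:
    """Run reassembly and then a content match on the reassembled datagram."""
    data, alerts = reassemble(frags, ttl_limit, min_ttl)
    return {
        "reassembled": data is not None,
        "matched": data is not None and SIGNATURE in data,
        "alerts": alerts,
    }


# Constructed sample: one datagram split into three fragments. Offsets are
# multiples of 8 as in real IP fragmentation; the signature straddles the
# second and third fragments, and the middle fragment carries a very
# different TTL from the first one.
PAYLOAD = b"hello---" + SIGNATURE
CONSTRUCTED_FRAGMENTS = [
    Fragment(ip_id=0x1234, offset=0,  more=True,  ttl=64, payload=PAYLOAD[0:8]),
    Fragment(ip_id=0x1234, offset=8,  more=True,  ttl=10, payload=PAYLOAD[8:16]),
    Fragment(ip_id=0x1234, offset=16, more=False, ttl=64, payload=PAYLOAD[16:]),
]

if __name__ == "__main__":
    print("ttl_limit=5 enforced:        ", inspect(CONSTRUCTED_FRAGMENTS, ttl_limit=5))
    print("no ttl_limit, min_ttl=1:     ", inspect(CONSTRUCTED_FRAGMENTS, min_ttl=1))
    print("no ttl_limit, min_ttl=20:    ", inspect(CONSTRUCTED_FRAGMENTS, min_ttl=20))
```

The first call reproduces the reported problem: the middle fragment is discarded, reassembly returns nothing, and the content match is never attempted, with no alert to show that anything was dropped. The other two calls model the changelog's fix, where every fragment is kept and an out-of-range TTL surfaces as a preprocessor alert while inspection still happens.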
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in snort (Ubuntu Gutsy):
status: New → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in snort (Ubuntu Hardy):
status: New → Won't Fix