Risk: High
The widely-deployed, open-source network intrusion detection system (IDS), Snort and its components used in other IDS products, notably Sourcefire Intrusion Sensors, and a number of operating system distributions, has been found vulnerable to a buffer overflow flaw.
Snort pre-processors are modular plug-ins that extend functionality by operating on packets before the detection engine is run. The Back Orifice pre-processor decodes packets to determine if they contain Back Orifice ping messages. The ping detection code does not adequately limit the amount of data that is read from the packet into a fixed-length buffer, thus creating the potential for a buffer overflow.
The vulnerable code will process any UDP packet that is not destined to or sourced from the default Back Orifice port (31337/udp). An attacker could exploit this vulnerability by sending a specially crafted UDP packet to a host or network monitored by Snort.
A remote attacker who can send UDP packets to a Snort sensor may be able to execute arbitrary code. Snort typically runs with root or SYSTEM privileges, so an attacker could take complete control of a vulnerable system. An attacker does not need to target a Snort sensor directly; the attacker can target any host or network monitored by Snort.
Mitigation procedure and workaround are available from the websites referenced below.