
Preemptive Protection against Sourcefire Intrusion Sensor and Snort DCE/RPC Preprocessor Buffer Overflow Vulnerability


Check Point Reference: CPAI-2007-037
Date Published:
Severity:
Last Updated:
Source: SecurityTracker: 1017669
Industry Reference(s): CVE-2006-5276
Protection Provided by: VPN-1
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Connectra
  • NGX R62
  • NGX R61
Who is Vulnerable?
Snort version 2.6.1
Snort version 2.6.1.1
Snort version 2.6.1.2
Snort version 2.7 beta 1
Sourcefire Intrusion Sensor versions 4.1.x
Sourcefire Intrusion Sensor versions 4.5.x
Sourcefire Intrusion Sensor versions 4.6.x
Sourcefire Intrusion Sensor Software for Crossbeam versions 4.1.x
Sourcefire Intrusion Sensor Software for Crossbeam versions 4.5.x
Sourcefire Intrusion Sensor Software for Crossbeam versions 4.6.x
Vulnerability Description
A buffer overflow vulnerability has been identified in Sourcefire Intrusion Sensor and in the Snort DCE/RPC preprocessor. Sourcefire Snort is an open-source network intrusion detection system. The Snort DCE/RPC preprocessor is a plug-in that reassembles fragmented SMB and DCE/RPC packets. A remote attacker can exploit the vulnerability to execute arbitrary code on a target system.
Update/Patch Available
Upgrade to Snort:
http://www.snort.org/dl/

Apply SEU 64 for Sourcefire Intrusion Sensor:
https://support.sourcefire.com/
Vulnerability Details
The vulnerability is due to a boundary error within the DCE/RPC preprocessor that fails to properly reassemble SMB Write AndX commands. A remote attacker could trigger this flaw via a specially crafted SMB packet. Successful exploitation may allow execution of arbitrary code on a system running Snort.
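
The kind of boundary check a fragment reassembler needs, shown as an added example; it is not part of the original advisory and is not Snort or Sourcefire code. The names `reasm_buf`, `reasm_append` and `REASM_MAX`, the 4096-byte buffer size and the sample fragment are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed buffer size for this example; not a value from Snort. */
#define REASM_MAX 4096

struct reasm_buf { uint8_t data[REASM_MAX]; size_t used; };
enum reasm_status { REASM_OK = 0, REASM_TRUNCATED = -1, REASM_OVERFLOW = -2 };

/*
 * Append one fragment's payload to the reassembly buffer.
 * data_off and data_len come from the fragment header and are
 * attacker-controlled, so both are checked against the bytes really
 * captured (pkt_len) and against the space left in the buffer.
 */
enum reasm_status reasm_append(struct reasm_buf *rb, const uint8_t *pkt,
                               size_t pkt_len, uint16_t data_off,
                               uint16_t data_len)
{
    /* Claimed payload must lie inside the captured packet. */
    if (data_off > pkt_len || data_len > pkt_len - data_off)
        return REASM_TRUNCATED;

    /* Claimed payload must fit in the space left; written as a
       subtraction so the check itself cannot wrap around. */
    if (data_len > sizeof(rb->data) - rb->used)
        return REASM_OVERFLOW;

    memcpy(rb->data + rb->used, pkt + data_off, data_len);
    rb->used += data_len;
    return REASM_OK;
}

/* Constructed scenario: identical 1400-byte payloads until rejection. */
int demo_fill_until_rejected(void)
{
    static uint8_t frag[1500];   /* constructed sample, all zeros */
    struct reasm_buf rb = { .used = 0 };
    int accepted = 0;
    while (reasm_append(&rb, frag, sizeof frag, 100, 1400) == REASM_OK)
        accepted++;
    return accepted;
}
```

A rejected fragment leaves `used` unchanged, so the caller can drop the session or raise an alert without the buffer having been written past its end.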

Protection Overview
By enabling this protection, SmartDefense will detect and block specially crafted SMB packets. No update is required to address this vulnerability.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Microsoft Networks > Block Null CIFS Sessions.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: CIFS Null Sessions
Attack Information: Malformed CIFS message detected

VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Microsoft Networks.
2. Enable the following protection:

Block Null CIFS Sessions

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: CIFS Null Sessions
Attack Information: Malformed CIFS message detected

VPN-1 NG with Application Intelligence R55/R54

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Microsoft Networks.
2. Enable the following protection:

Block Null CIFS Sessions

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: CIFS Null Sessions
Attack Information: Malformed CIFS message detected

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Microsoft Networks.
2. Enable the following protection:

Block Null CIFS Sessions

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: CIFS Null Sessions
Attack Information: Malformed CIFS message detected

InterSpect NGX

How Can I Protect My Network?
1. In the left-hand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > Microsoft Networks.
3. Enable the following protection:

Block Null CIFS Sessions

4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: CIFS Null Sessions
Attack Information: Malformed CIFS message detected

InterSpect 2.0

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Microsoft Networks.
2. Enable the following protection:

Block Null CIFS Sessions

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: CIFS Null Sessions
Attack Information: Malformed CIFS message detected

Connectra NGX R62/R61

How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following:

Block Null CIFS Sessions

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Attack Name: CIFS Null Sessions
Attack Information: Malformed CIFS message detected