SANS ISC: InfoSec Handlers Diary Blog
Oracle Critical Patch Update and Security Alert

Published: 2005-10-19
Last Updated: 2005-10-19 22:38:19 UTC
by Deborah Hale (Version: 2)
For those that are using Oracle products - you may want to take a look at US-CERT Technical Cyber Security Alert TA05-292A. It states that various Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include unauthenticated, remote code execution, information disclosure, and denial of service.

Oracle released a Critical Patch Update in October 2005 which addresses more than eighty vulnerabilities in different Oracle products and components.


Infocon Yellow: Snort BO Vulnerability

Published: 2005-10-20
Last Updated: 2005-10-20 01:00:51 UTC
by Johannes Ullrich (Version: 2)
After some deliberation, we feel that the Snort Back Orifice pre-processor vulnerability could become a big problem very fast. As a result, we turned the Infocon status to 'yellow'.

A number of exploits for this vulnerability have now been published, ranging from denial of service to remote code execution exploits.

You have a problem if you run Snort version 2.4 (other than 2.4.3) and you have the 'bo' preprocessor enabled.

Why we think this is a big deal:
  • The exploit is rather easy to write. Yes, it's specific to a particular binary, but there are a number of common binaries deployed in large numbers.
  • It uses a single UDP packet, which can lead to very fast spreading worms.
  • The UDP packet can be spoofed, and can use any port combination.
  • Snort is very popular. A fast spreading (noisy) UDP worm could lead to local slowdowns/outages.
The quick fix is to disable the BO preprocessor. Please do so NOW (if you haven't already). Worry about upgrading Snort later, after you have done your testing. But going through this myself, it's not that hard.

Snort before version 2.4 is not vulnerable. Neither is any Snort install that does not have the bo preprocessor enabled.
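The two checks above (is the bo preprocessor enabled, and if so comment it out) can be scripted against snort.conf. The following is an added example, not part of the ISC diary or the Snort project; it assumes the Snort 2.4 directive form `preprocessor bo` (optionally followed by arguments), and the sample configuration it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the ISC diary): audit a snort.conf for an active
# Back Orifice preprocessor line and disable it by commenting it out.
# Assumes the Snort 2.4 directive form "preprocessor bo" (with or without
# arguments). The sample config produced by make_sample_conf is constructed.

# Return 0 (true) if the file has an uncommented "preprocessor bo" directive.
# The trailing group rejects other preprocessors whose names start with "bo".
bo_enabled() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+bo([[:space:]]|:|$)' "$1"
}

# Comment out every active "preprocessor bo" line, keeping a .bak copy of
# the original so the change can be reverted after upgrading Snort.
disable_bo() {
    cp "$1" "$1.bak" || return 1
    sed -E 's/^([[:space:]]*)(preprocessor[[:space:]]+bo([[:space:]]|:|$))/\1# \2/' \
        "$1.bak" > "$1"
}

# Write a constructed snort.conf fragment (not a real deployment) to $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample snort.conf fragment for the example
var HOME_NET any
preprocessor frag3_global
preprocessor bo
preprocessor stream4: detect_scans
EOF
}

# Usage: sh snort_bo_check.sh /etc/snort/snort.conf
if [ -n "$1" ] && [ -f "$1" ]; then
    if bo_enabled "$1"; then
        disable_bo "$1" && echo "disabled bo preprocessor in $1 (backup: $1.bak)"
    else
        echo "bo preprocessor already disabled or absent in $1"
    fi
fi
```

Snort only reads snort.conf at startup, so after the edit restart the sensor and confirm with `bo_enabled` that no active line remains; the untouched `stream4` line shows the edit is limited to the bo directive.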

Please let us know if you see exploits posted, or have other details to share. We expect to stay on 'yellow' for about 12-24 hrs unless there are any new developments.
