Debian Bug report logs - #381726
CVE-2006-2769: HTTP Inspect preprocessor evasion
Reported by: Stefan Fritsch <sf@sfritsch.de>
Date: Sun, 6 Aug 2006 20:03:09 UTC
Severity: normal
Tags: security
Fixed in version snort/2.3.3-8
Done: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Javier Fernandez-Sanguino Pen~a <jfs@computer.org>: Bug#381726; Package snort.
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Javier Fernandez-Sanguino Pen~a <jfs@computer.org>.
Message #5 received at submit@bugs.debian.org:
Package: snort
Severity: grave
Tags: security
Justification: user security hole
A security issue has been found in snort. Cite CVE-2006-2769:
The HTTP Inspect preprocessor (http_inspect) in Snort 2.4.0 through
2.4.4 allows remote attackers to bypass "uricontent" rules via a
carriage return (\r) after the URL and before the HTTP declaration.
AFAICS this problem is also in 2.3.
A patch (for 2.4) is available at
http://www.demarc.com/files/patch_20060531/snort-2.4.4-demarc-patch.diff
Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernandez-Sanguino Pen~a <jfs@computer.org>: Bug#381726; Package snort.
Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>: Extra info received and forwarded to list. Copy sent to Javier Fernandez-Sanguino Pen~a <jfs@computer.org>.
Message #10 received at 381726@bugs.debian.org:
severity 381726 normal
thanks
Demarc reported a security vulnerability to Snort through Bugtraq, this
"security" issue is actually a problem with the HTTP inspector module in
Snort which prevents it from detecting an attack against *Apache* web servers
(not others) because it doesn't take into account that a carriage return
might be included in the request and accepted (even if it's not RFC). More
info in the attached text file.
FWI the 2.4.5 changelog of Snort says:
2006-06-05 - Snort 2.4.5 Released
* Fixed potential evasion in URI content buffers
* Fixed potential evasion in Stream4
So, actually, two evasion bugs were fixed in this engine.
I have backported both fixes to the 2.3.3-8 packages and have uploaded
a new snort package. However, I don't think that the 'grave' severity of this
bug stands and I'm downgrading it.
Notice that:
a) it is an evasion issue, not a security vulnerability. That is, it only
affects the ability of Snort to detect attacks (but much in the same way that
an *outdated* ruleset [1] could be considered a security issue)
b) it only affects attacks to Apache web servers
For reference, attached is the 2.4.4 vs. 2.4.5 patch (stripping other info)
which fixes the bug, it is easily backported to the 2.3.3 (there is only one
rejection, easy to solve). [2]
Regards
Javier
[1] Like the one we are providing due to the license change in Snort, post
2.3, with the appearance of the VRT rules
[2] Even if asked to (in #320920) I'm not sure it is reasonable to do
an upgrade to 2.6.0 and provide a Snort package with *no* ruleset (which
means that the Snort service could not be started by default). Since people
now have to download it manually from snort.org as it is not provided
in the GPL package.
[CVE-2006-2769.diff (text/plain, attachment)]
[CVE-2006-2769.text (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
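The parser mismatch described in the report and the reply above, as an added example that is not part of the bug log and is neither Snort's http_inspect code nor the 2.4.5 patch: a simplified C model in which a URI extractor that accepts only a space as delimiter yields no URI buffer for a request line the server still accepts, so a uricontent-style match has nothing to search. The request lines, the `/cgi-bin/test.cgi` path, the function names and the lenient delimiter set are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Request-line delimiters. STRICT is the RFC form (SP only); LENIENT is an
 * assumed model of a server that also accepts other whitespace, bare CR included. */
#define STRICT_DELIMS  " "
#define LENIENT_DELIMS " \t\r\v\f"

/* Constructed sample request lines (not captured traffic). */
static const char NORMAL[]  = "GET /cgi-bin/test.cgi HTTP/1.0\r\n";
static const char WITH_CR[] = "GET /cgi-bin/test.cgi\rHTTP/1.0\r\n";

/* Copy the URI of "METHOD URI HTTP/x.y" into out; -1 if it does not parse. */
int extract_uri(const char *line, const char *delims, char *out, size_t outsz)
{
    size_t m = strcspn(line, delims);              /* method token */
    if (m == 0 || line[m] == '\0') return -1;
    const char *uri = line + m + strspn(line + m, delims);
    size_t n = strcspn(uri, delims);               /* URI token */
    const char *proto = uri + n + strspn(uri + n, delims);
    if (n == 0 || n >= outsz || strncmp(proto, "HTTP/", 5) != 0) return -1;
    memcpy(out, uri, n);
    out[n] = '\0';
    return (int)n;
}

/* uricontent-style check: the pattern is searched only in the URI buffer. */
int uricontent_match(const char *line, const char *delims, const char *pat)
{
    char uri[256];
    if (extract_uri(line, delims, uri, sizeof uri) < 0) return 0; /* no buffer */
    return strstr(uri, pat) != NULL;
}

/* Anomaly check: non-SP whitespace inside the request line, final CRLF aside. */
int has_nonstandard_delim(const char *line)
{
    size_t len = strcspn(line, "\n");
    if (len > 0 && line[len - 1] == '\r') len--;   /* drop the CR of the CRLF */
    for (size_t i = 0; i < len; i++)
        if (strchr("\t\r\v\f", line[i])) return 1;
    return 0;
}

int main(void)
{
    printf("strict=%d lenient=%d anomaly=%d\n", uricontent_match(WITH_CR, STRICT_DELIMS, "test.cgi"),
           uricontent_match(WITH_CR, LENIENT_DELIMS, "test.cgi"), has_nonstandard_delim(WITH_CR));
    return 0;
}
```

Alerting on `has_nonstandard_delim` independently of any content rule keeps the sensor useful even when its URI normalisation and the server's parsing disagree.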
Severity set to `normal' from `grave'. Request was from Javier Fernández-Sanguino Peña <jfs@computer.org> to control@bugs.debian.org.
Reply sent to Javier Fernandez-Sanguino Pen~a <jfs@computer.org>: You have taken responsibility.
Notification sent to Stefan Fritsch <sf@sfritsch.de>: Bug acknowledged by developer.
Message #17 received at 381726-close@bugs.debian.org:
Source: snort
Source-Version: 2.3.3-8
We believe that the bug you reported is fixed in the latest version of
snort, which is due to be installed in the Debian FTP archive:
snort-common_2.3.3-8_all.deb
  to pool/main/s/snort/snort-common_2.3.3-8_all.deb
snort-doc_2.3.3-8_all.deb
  to pool/main/s/snort/snort-doc_2.3.3-8_all.deb
snort-mysql_2.3.3-8_i386.deb
  to pool/main/s/snort/snort-mysql_2.3.3-8_i386.deb
snort-pgsql_2.3.3-8_i386.deb
  to pool/main/s/snort/snort-pgsql_2.3.3-8_i386.deb
snort-rules-default_2.3.3-8_all.deb
  to pool/main/s/snort/snort-rules-default_2.3.3-8_all.deb
snort_2.3.3-8.diff.gz
  to pool/main/s/snort/snort_2.3.3-8.diff.gz
snort_2.3.3-8.dsc
  to pool/main/s/snort/snort_2.3.3-8.dsc
snort_2.3.3-8_i386.deb
  to pool/main/s/snort/snort_2.3.3-8_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 381726@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Pen~a <jfs@computer.org> (supplier of updated snort package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Thu, 10 Aug 2006 00:44:36 +0200
Source: snort
Binary: snort-mysql snort-doc snort-rules-default snort-common snort-pgsql snort
Architecture: source i386 all
Version: 2.3.3-8
Distribution: unstable
Urgency: medium
Maintainer: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Changed-By: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Description:
snort - Flexible Network Intrusion Detection System
snort-common - Flexible Network Intrusion Detection System [common files]
snort-doc - Documentation for the Snort IDS [documentation]
snort-mysql - Flexible Network Intrusion Detection System [MySQL]
snort-pgsql - Flexible Network Intrusion Detection System [PostgreSQL]
snort-rules-default - Flexible Network Intrusion Detection System ruleset
Closes: 381726
Changes:
snort (2.3.3-8) unstable; urgency=medium
.
* Fix security issue CVE-2006-2769, potential evasion in URI content
buffers. This evasion only applies to Apache protected servers since
that server supports some characters. The patch used is from 2.4.5
and is *not* the one provided by Demarc (which is not fully
comprehensive and is much more intrusive).
Since this is an evasion issue and not a real security issue
thus the 'medium' urgency even though it fixes security bug (Closes:
#381726)
.
From upstream (snort.org webpage, News item "Possible Evasion in
http_inspect"):
.
«The Apache web server supports special characters in HTTP requests that
do not affect the processing of the particular request. The current
target-based profiles for Apache in the http_inspect preprocessor do not
properly handle these requests, resulting in the possibility that an
attacker can bypass detection of rules that use the "uricontent" keyword
by embedding special characters in a HTTP request.»
.
«It is important to note that this is an evasion and not a vulnerability.
This means that while it is possible for an attacker to bypass detection,
Snort sensors and the networks they protect are not at a heightened risk
of other attacks.»
.
* Backport fix of another (different) potential evasion in Stream4 (also in
the Snort 2.4.5 release, no CVE name)
* Relocate Czech translation, it was not under debian/po
* Add a warning in /etc/default/snort that the SNORT_USER will be
modified (with usermod) every time you reinstall the package
(don't change it to 'root'!)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 23:56:31 GMT)