Steffen Joeris
2008-May-27 15:11 UTC
[Secure-testing-team] Bug#483160: CVE-2008-1804: possibility to bypass detection rules
Package: snort
Severity: grave
Tags: security
Justification: user security hole

Hi

The following CVE(0) has been issued against snort.

CVE-2008-1804: preprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not properly identify packet fragments that have dissimilar TTL values, which allows remote attackers to bypass detection rules by using a different TTL for each fragment.

The upstream patch is here(1), but I guess it has to be backported.

In case you fix this issue by an upload, please mention the CVE id in your changelog.

Cheers
Steffen

(0): http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1804
(1): http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&tr1=1.46.2.4&r2=text&tr2=1.46.2.5&diff_format=h