Bug 447870 - (CVE-2008-1804) CVE-2008-1804 snort: IP Fragment TTL Evasion Vulnerability
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Assigned To: Red Hat Product Security
Reported: 2008-05-22 04:33 EDT by Tomas Hoger
Modified: 2008-06-06 04:01 EDT (History)
Last Closed: 2008-06-06 04:01:51 EDT
Description Tomas Hoger 2008-05-22 04:33:19 EDT
iDefense released a security advisory for snort:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=701

DESCRIPTION
Remote exploitation of a design error vulnerability in Snort, as included in
various vendors' operating system distributions, could allow an attacker to
bypass filter rules.

Due to a design error vulnerability, Snort does not properly reassemble
fragmented IP packets. When receiving incoming fragments, Snort checks the Time
To Live (TTL) value of the fragment, and compares it to the TTL of the initial
fragment. If the difference between the initial fragment and the following
fragments is more than a configured amount, the fragments will be silently
discarded. This results in valid traffic not being examined and/or filtered by Snort.

ANALYSIS
Exploitation of this vulnerability allows an attacker to bypass all Snort rules.
In order to exploit this vulnerability, an attacker would have to fragment IP
packets destined for a targeted host, ensuring that the TTL difference is
greater than the configured maximum. By default, the maximum difference is 5.

If an attacker is successful, all fragments with invalid TTL differences will be
dropped. No rules will be applied to them.

DETECTION
iDefense has confirmed the existence of this vulnerability in Snort 2.8 and 2.6.
Snort 2.4 is not vulnerable.

WORKAROUND
In the snort.conf file, set the ttl_limit configuration value to 255 as shown below.

  preprocessor frag3_engine: ttl_limit 255

This will set the allowable difference to the maximum possible value, and
prevent fragments from being dropped.

VENDOR RESPONSE
Sourcefire has addressed this vulnerability by releasing version 2.8.1 of Snort. 

Upstream patches:
http://cvs.snort.org/viewcvs.cgi/snort/ChangeLog.diff?r1=1.544&r2=1.545 (part)
http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=1.50&r2=1.51
http://cvs.snort.org/viewcvs.cgi/snort/src/generators.h.diff?r1=1.63&r2=1.64
http://cvs.snort.org/viewcvs.cgi/snort/etc/gen-msg.map.diff?r1=1.43&r2=1.44
http://cvs.snort.org/viewcvs.cgi/snort/doc/README.frag3.diff?r1=1.7&r2=1.8
http://cvs.snort.org/viewcvs.cgi/snort/doc/snort_manual.tex.diff?r1=1.98&r2=1.99
+ updated version of snort_manual.pdf

Based on the Detection part of the advisory, this should affect snort packages in F7
- F9; rawhide already has 2.8.1, which has the changes above included.
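The following added example (written for this page, not Snort's or iDefense's code) models the frag3 TTL check as the advisory describes it: a reassembler that silently discards any fragment whose TTL differs from the first fragment's TTL by more than ttl_limit. Run over a constructed three-fragment datagram in which one fragment carries a different TTL, it shows the default limit of 5 leaving the whole datagram unexamined and the ttl_limit 255 workaround restoring inspection; the fragment layout, the TTL values and the "EVIL" rule pattern are constructed for illustration.

```python
"""Model of the frag3 TTL check behind CVE-2008-1804 (constructed simulation)."""
from dataclasses import dataclass, field


@dataclass
class Fragment:
    ip_id: int       # IP identification; all fragments of one datagram share it
    offset: int      # byte offset of this fragment's payload within the datagram
    more: bool       # More Fragments flag; False marks the last fragment
    ttl: int         # Time To Live observed on the wire
    payload: bytes


@dataclass
class Frag3Model:
    ttl_limit: int = 5                      # default named in the advisory
    dropped: int = 0                        # fragments silently discarded
    _first_ttl: dict = field(default_factory=dict)
    _pieces: dict = field(default_factory=dict)

    def insert(self, frag):
        """Returns the reassembled datagram when complete, else None."""
        base = self._first_ttl.setdefault(frag.ip_id, frag.ttl)
        if abs(frag.ttl - base) > self.ttl_limit:
            # Reported behaviour: the fragment is dropped without an alert,
            # so the datagram never reaches rule matching.
            self.dropped += 1
            return None
        pieces = self._pieces.setdefault(frag.ip_id, {})
        pieces[frag.offset] = frag.payload
        if frag.more:
            return None
        data = b""
        for off in sorted(pieces):          # stitch pieces in offset order
            if off != len(data):
                return None                 # hole left by a dropped fragment
            data += pieces[off]
        return data


# Constructed datagram: the middle fragment arrives with a TTL 14 lower.
FRAGS = [Fragment(7, 0, True, 64, b"GET /cgi-"),
         Fragment(7, 9, True, 50, b"bin/EVIL "),
         Fragment(7, 18, False, 64, b"HTTP/1.0")]


def inspect(frags, ttl_limit):
    """Feed fragments through the model; return (payload or None, dropped)."""
    engine = Frag3Model(ttl_limit=ttl_limit)
    result = None
    for frag in frags:
        result = engine.insert(frag) or result
    return result, engine.dropped


def matches_rule(payload):
    """Stand-in for a content rule; constructed pattern for illustration."""
    return payload is not None and b"EVIL" in payload
```

With ttl_limit 5 the datagram is never reassembled and the rule cannot fire; with ttl_limit 255 the same fragments reassemble and the rule matches.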
Comment 1 Fedora Update System 2008-06-04 17:14:28 EDT
snort-2.8.1-3.fc7 has been submitted as an update for Fedora 7
Comment 2 Fedora Update System 2008-06-04 17:27:32 EDT
snort-2.8.1-3.fc8 has been submitted as an update for Fedora 8
Comment 3 Fedora Update System 2008-06-04 17:29:44 EDT
snort-2.8.1-3.fc9 has been submitted as an update for Fedora 9
Comment 4 Fedora Update System 2008-06-06 03:47:14 EDT
snort-2.8.1-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2008-06-06 03:48:26 EDT
snort-2.8.1-3.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2008-06-06 03:51:42 EDT
snort-2.8.1-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
