Wednesday, October 19, 2005

Internet Storm Center: "InfoCon Yellow"

From the SANS ISC Incident Handler's Daily Diary:

Published: 2005-10-19,
Last Updated: 2005-10-19 12:36:48 UTC by Johannes Ullrich (Version: 1)

After some deliberation, we feel that the Snort Back Orifice pre-processor vulnerability could become a big problem very fast. As a result, we turned the Infocon status to 'yellow'.

Why do we think this is a big deal:
  • The exploit is rather easy to write. Yes, it's specific to a particular binary, but there are a number of common binaries deployed in large numbers.
  • It uses a single UDP packet, which can lead to very fast spreading worms.
  • The UDP packet can be spoofed, and can use any port combination.
  • Snort is very popular. A fast spreading (noisy) UDP worm could lead to local slowdowns/outages.
The quick fix is to disable the BO preprocessor. Please do so NOW (if you haven't already). Worry about upgrading Snort later, after you have done your testing. But going through this myself, it's not that hard.

Please let us know if you see exploits posted, or have other details to share. We expect to stay on 'yellow' for about 12-24 hrs unless there are any new developments.
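The "quick fix" above is a one-line change to snort.conf. The script below is an added example, not part of the ISC diary or of Snort itself: it comments out any active `preprocessor bo` directive (the Snort 2.4-era syntax, with or without a trailing `: options` list), keeps a `.bak` copy, and verifies afterwards that no active directive remains. The sample config fragment and the temporary file path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the ISC diary or the Snort project: disable the
# Back Orifice preprocessor in a snort.conf and confirm it is really off.
# Assumes the Snort 2.4 directive syntax "preprocessor bo" (optionally
# followed by ": options"). The snort.conf fragment below is constructed.
set -eu

# Exit 0 if the config still contains an active (uncommented) BO directive.
bo_preprocessor_active() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+bo([[:space:]:]|$)' "$1"
}

# Comment out every active "preprocessor bo" line, keeping a .bak copy.
# Lines that are already commented do not match, so re-running is harmless.
disable_bo_preprocessor() {
    conf=$1
    cp "$conf" "$conf.bak"
    sed -E 's/^([[:space:]]*)(preprocessor[[:space:]]+bo([[:space:]:]|$))/\1# disabled pending upgrade: \2/' \
        "$conf.bak" > "$conf"
}

# Demonstration on a constructed snort.conf fragment.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor bo
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
EOF

if bo_preprocessor_active "$demo_conf"; then
    echo "BO preprocessor is enabled in $demo_conf; disabling it"
    disable_bo_preprocessor "$demo_conf"
fi
if bo_preprocessor_active "$demo_conf"; then
    echo "BO preprocessor is still enabled, aborting" >&2
    exit 1
fi
grep -n 'preprocessor bo' "$demo_conf"
rm -f "$demo_conf" "$demo_conf.bak"
```

Run it against the real file (for example `disable_bo_preprocessor /etc/snort/snort.conf`), then validate the edited configuration with Snort's test mode, `snort -T -c /etc/snort/snort.conf`, before restarting the sensor. The check function is deliberately separate from the edit so it can also be run on its own across a fleet of sensors to find any that still have the preprocessor turned on.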
