Friday, May 12, 2017

Snort++ Vulnerabilities Found

Thanks go to Bhargava Shastry, who reported several issues to the Snort Team on Github for which two CVEs will be created.  Links to the issues on github are given at the end.  Fixes are on github now, tagged BUILD_233.  The bugs afflict all prior versions so please pull the latest.  Here is a description of the problems:

Ether Type Validation (CVE-2017-6657)

Since valid ether type and IP protocol numbers do not overlap, Snort++ stores all protocol decoders in a singe array.  That makes it possible to craft packets that have IP protocol numbers in the ether type field which will confuse the Snort++ decoder.   For example, an eth:llc:snap:icmp6 packet will cause a crash because there is no ip6 header with which to calculate the icmp6 checksum.  Affected decoders include gre, llc, trans_bridge, ciscometadata, linux_sll, and token_ring.  The fix adds a check in the packet manager to validate the ether type before indexing the decoder array.  An out of range ether type will will raise 116:473.

Buffer Overread (CVE-2017-6658)

Another problem with the decoder array was also discovered.  The size was off by one making it possible read past the end of array with an ether type of 0xFFFF.  Increasing the array size solves this problem.

The links to the github issues are given below.  Thanks again to Bhargava for reporting the issues.

https://github.com/snortadmin/snort3/issues/22
https://github.com/snortadmin/snort3/issues/23
https://github.com/snortadmin/snort3/issues/24
https://github.com/snortadmin/snort3/issues/25
https://github.com/snortadmin/snort3/issues/26
https://github.com/snortadmin/snort3/issues/27