The vendor said in a its Sourcefire advisory that the flaw is in the Snort DCE/RPC preprocessor. "This preprocessor is vulnerable to a stack-based buffer overflow that could potentially allow attackers to execute code with the same privileges as the Snort binary," the company said.
The problem affects Snort 2.6.1, 18.104.22.168, and 22.214.171.124; and Snort 2.7. beta 1. Users are advised to neutralize the flaw by upgrading to Snort version 126.96.36.199 or 2.7 beta 2.
The French Security Incident Response Team (FrSIRT) described the flaw as a critical buffer overflow error within the DCE/RPC preprocessor -- enabled by default -- that surfaces when malformed data is processed via the "ReassembleSMBWriteX()" and "ReassembleDCERPCRequest()" functions. This "could be exploited by attackers to compromise a vulnerable system by sending specially crafted packets to a network being monitored by a vulnerable application," FrSIRT said.
Sourcefire, based in Columbia, Md., commercialized the widely popular Snort tool and has made inroads the last couple of years in the emerging intrusion prevention market. The company announced late last year that it had filed with the U.S. Securities and Exchange Commission to raise up to $75 million in an initial public offering (IPO) of stock.
The company ran into controversy in 2005 when Check Point announced plans to acquire it for $225 million in cash.
The deal was unpopular among die-hard Snort users. Some feared Check Point would allow Snort to languish, as some feel it has done since it acquired the popular free ZoneAlarm desktop firewall application as part of its $205 million purchase of Zone Labs in 2003. Others worried that Check Point would seek to further monetize Snort by no longer allowing it to be an open source product.
The Israeli enterprise security company ran into trouble with the Committee on Foreign Investment in the United States (CFIUS), which scrutinized the deal amid concerns that foreign ownership of Snort would threaten U.S. national security.
It became a moot point last March, when Check Point withdrew its application to acquire Sourcefire.