Juniper Networks

Signature Detail

Short Name: UDP:SNORT-FRAG3-DETECTION

Severity: High

Recommended: No

Category: UDP

Keywords: Snort frag3 Preprocessor Fragmented IP Packet Detection Evasion

Release Date: 2015/06/12

Update Number: 2504

Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

UDP: Snort frag3 Preprocessor Fragmented IP Packet Detection Evasion


This signature detects attempts to exploit a known vulnerability in Snort's frag3 preprocessor. The vulnerability is caused by improper processing of IP options in fragmented IP packets. An attacker can exploit it by sending crafted fragmented IP packets to bypass Snort's detection or, in certain circumstances, to terminate the Snort process.

In the evasion case, the attacker succeeds in delivering a malicious payload, one that the Snort IDS would normally recognize, to the target system without raising an alert. The target host shows no discernible difference in behaviour, because exploitation results only in a detection bypass.

In the denial-of-service case, the Snort process terminates, and IDS functionality is lost as a result. Malicious traffic sent to the target protected by the Snort IDS, which would otherwise be detected, goes undetected until the Snort process is restarted manually.

Extended Description

The frag3 preprocessor in Sourcefire Snort 2.4.3 does not properly reassemble certain fragmented packets with IP options, which allows remote attackers to evade detection of certain attacks, possibly related to IP option lengths.

Affected Products

  • Sourcefire Snort 2.4.3

References

  • BugTraq: 16705
  • CVE: CVE-2006-0839

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.