CVE-2006-6931 - Denial of Service vulnerability in Snort Backtracking
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: NONE
- Integrity impact: NONE
- Availability impact: PARTIAL

Summary
Algorithmic complexity vulnerability in Snort before 2.6.1, during predicate evaluation in rule matching for certain rules, allows remote attackers to cause a denial of service (CPU consumption and detection outage) via crafted network traffic, aka a "backtracking attack."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | Snort | 18 |
Nessus
- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-200702-03.NASL
- description: The remote host is affected by the vulnerability described in GLSA-200702-03 (Snort: Denial of Service) Randy Smith, Christian Estan and Somesh Jha discovered that the rule matching algorithm of Snort can be exploited in a way known as a 'backtracking attack' to perform numerous time-consuming operations.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 24352
- published: 2007-02-15
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/24352
- title: GLSA-200702-03 : Snort: Denial of Service
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200702-03.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

# Plugin metadata: identifiers, advisory text and scoring.
if (description)
{
  script_id(24352);
  script_version("1.13");
  script_cvs_date("Date: 2019/08/02 13:32:43");

  script_cve_id("CVE-2006-6931");
  script_xref(name:"GLSA", value:"200702-03");

  script_name(english:"GLSA-200702-03 : Snort: Denial of Service");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200702-03
(Snort: Denial of Service)

    Randy Smith, Christian Estan and Somesh Jha discovered that the rule
    matching algorithm of Snort can be exploited in a way known as a
    'backtracking attack' to perform numerous time-consuming operations.

Impact :

    A remote attacker could send specially crafted network packets, which
    would result in the cessation of the detections and the consumption of
    the CPU resources.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200702-03"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All Snort users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=net-analyzer/snort-2.6.1.2'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:snort");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/02/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/15");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

# Local check: needs credentialed access, a Gentoo host and its package list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# Flag any installed net-analyzer/snort older than 2.6.1.2.
if (qpkg_check(package:"net-analyzer/snort", unaffected:make_list("ge 2.6.1.2"), vulnerable:make_list("lt 2.6.1.2"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Snort");
}
```
- NASL family: Mandriva Local Security Checks
- NASL id: MANDRAKE_MDKSA-2007-051.NASL
- description: Algorithmic complexity vulnerability in Snort before 2.6.1, during predicate evaluation in rule matching for certain rules, allows remote attackers to cause a denial of service (CPU consumption and detection outage) via crafted network traffic, aka a backtracking attack. Updated packages have been patched to address this issue.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 24754
- published: 2007-03-02
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/24754
- title: Mandrake Linux Security Advisory : snort (MDKSA-2007:051)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2007:051.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

# Plugin metadata: identifiers, advisory text and scoring.
if (description)
{
  script_id(24754);
  script_version ("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:49");

  script_cve_id("CVE-2006-6931");
  script_xref(name:"MDKSA", value:"2007:051");

  script_name(english:"Mandrake Linux Security Advisory : snort (MDKSA-2007:051)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandrake Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Algorithmic complexity vulnerability in Snort before 2.6.1, during
predicate evaluation in rule matching for certain rules, allows remote
attackers to cause a denial of service (CPU consumption and detection
outage) via crafted network traffic, aka a backtracking attack.

Updated packages have been patched to address this issue."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:snort");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:snort-bloat");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:snort-inline");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:snort-inline+flexresp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:snort-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:snort-mysql+flexresp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:snort-plain+flexresp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:snort-postgresql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:snort-postgresql+flexresp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:snort-prelude");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:snort-prelude+flexresp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:snort-snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:snort-snmp+flexresp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/02/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/03/02");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Local check: needs credentialed access, a Mandrake host and its RPM list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

flag = 0;

# Compare each installed snort package against the fixed build for its release.
if (rpm_check(release:"MDK2006.0", reference:"snort-2.3.3-2.3.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"snort-bloat-2.3.3-2.3.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"snort-inline-2.3.3-2.3.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"snort-inline+flexresp-2.3.3-2.3.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"snort-mysql-2.3.3-2.3.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"snort-mysql+flexresp-2.3.3-2.3.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"snort-plain+flexresp-2.3.3-2.3.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"snort-postgresql-2.3.3-2.3.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"snort-postgresql+flexresp-2.3.3-2.3.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"snort-snmp-2.3.3-2.3.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"snort-snmp+flexresp-2.3.3-2.3.20060mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK2007.0", reference:"snort-2.6.0-3.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"snort-bloat-2.6.0-3.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"snort-inline-2.6.0-3.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"snort-inline+flexresp-2.6.0-3.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"snort-mysql-2.6.0-3.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"snort-mysql+flexresp-2.6.0-3.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"snort-plain+flexresp-2.6.0-3.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"snort-postgresql-2.6.0-3.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"snort-postgresql+flexresp-2.6.0-3.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"snort-prelude-2.6.0-3.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"snort-prelude+flexresp-2.6.0-3.1mdv2007.0", yank:"mdv")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

References
- http://lists.immunitysec.com/pipermail/dailydave/2007-January/003954.html
- http://secunia.com/advisories/23716
- http://secunia.com/advisories/24164
- http://secunia.com/advisories/24338
- http://security.gentoo.org/glsa/glsa-200702-03.xml
- http://securitytracker.com/id?1017508
- http://www.acsac.org/2006/abstracts/54.html
- http://www.acsac.org/2006/advance_program.html
- http://www.acsac.org/2006/papers/54.pdf
- http://www.cs.wisc.edu/~smithr/pubs/acsac2006.pdf
- http://www.cs.wisc.edu/~smithr/pubs/randy_smith_acsac2006.zip
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:051
- http://www.osvdb.org/32096
- http://www.securityfocus.com/bid/21991
- http://www.snort.org/pub-bin/snortnews.cgi
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31430