Vulnerabilities > CVE-2008-1804 - Unspecified vulnerability in Snort

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
snort
nessus

Summary

preprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not properly identify packet fragments that have dissimilar TTL values, which allows remote attackers to bypass detection rules by using a different TTL for each fragment.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-5045.NASL
    descriptionFix for CVE-2008-1804 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33117
    published2008-06-09
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33117
    titleFedora 7 : snort-2.8.1-3.fc7 (2008-5045)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2008-5045.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(33117);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:27");
    
      script_cve_id("CVE-2008-1804");
      script_xref(name:"FEDORA", value:"2008-5045");
    
      script_name(english:"Fedora 7 : snort-2.8.1-3.fc7 (2008-5045)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Fix for CVE-2008-1804
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=447870"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2008-June/010941.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7015c9fc"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected snort package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:snort");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:7");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/06/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/06/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 7.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC7", reference:"snort-2.8.1-3.fc7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "snort");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-4986.NASL
    descriptionupdate for CVE-2008-1804 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33112
    published2008-06-09
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33112
    titleFedora 9 : snort-2.8.1-3.fc9 (2008-4986)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2008-4986.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(33112);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:27");
    
      script_cve_id("CVE-2008-1804");
      script_xref(name:"FEDORA", value:"2008-4986");
    
      script_name(english:"Fedora 9 : snort-2.8.1-3.fc9 (2008-4986)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "update for CVE-2008-1804
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=447870"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2008-June/010899.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?df52fd95"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected snort package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:snort");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:9");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/06/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/06/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 9.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC9", reference:"snort-2.8.1-3.fc9")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "snort");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-5001.NASL
    descriptionupdate for CVE-2008-1804 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33114
    published2008-06-09
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33114
    titleFedora 8 : snort-2.8.1-3.fc8 (2008-5001)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2008-5001.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(33114);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:27");
    
      script_cve_id("CVE-2008-1804");
      script_xref(name:"FEDORA", value:"2008-5001");
    
      script_name(english:"Fedora 8 : snort-2.8.1-3.fc8 (2008-5001)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "update for CVE-2008-1804
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=447870"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2008-June/010910.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9e154c76"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected snort package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:snort");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:8");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/06/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/06/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 8.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC8", reference:"snort-2.8.1-3.fc8")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "snort");
    }
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2009-259.NASL
    descriptionpreprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not properly identify packet fragments that have dissimilar TTL values, which allows remote attackers to bypass detection rules by using a different TTL for each fragment. (CVE-2008-1804) The updated packages have been patched to prevent this. Additionally there were problems with two rules in the snort-rules package for 2008.0 that is also fixed with this update. Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
    last seen2020-06-01
    modified2020-06-02
    plugin id42063
    published2009-10-08
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42063
    titleMandriva Linux Security Advisory : snort (MDVSA-2009:259-1)

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 29327 CVE(CAN) ID: CVE-2008-1804 Snort是广泛部署的开放源码网络入侵检测系统(IDS)。 Snort没有正确地重组IP报文,远程攻击者可能利用此漏洞绕过检测。 在接收入站碎片时,Snort检查碎片的存活时间(TTL)值并与初始碎片的TTL做比较。如果二者之间的差异大于所配置的量(默认最大值为5)的话,就会丢弃碎片,也无法对其应用规则,这导致Snort无法过滤或检查有效的通讯。 Snort Project Snort 2.8 Snort Project Snort 2.6 临时解决方法: * 在snort.conf文件中将ttl_limit值设置为255: preprocessor frag3_engine: ttl_limit 255 厂商补丁: Snort Project ------------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&amp;tr1=1.46.2.4&amp;r2=text&amp;tr2=1.46.2.5&amp;diff_format=h target=_blank>http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&amp;tr1=1.46.2.4&amp;r2=text&amp;tr2=1.46.2.5&amp;diff_format=h</a>
idSSV:3318
last seen2017-11-19
modified2008-05-23
published2008-05-23
reporterRoot
titleSnort碎片重组TTL值导致漏报漏洞

References