Vulnerabilities > CVE-2008-1804 - Unspecified vulnerability in Snort

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
snort
nessus

Summary

preprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not properly identify packet fragments that have dissimilar TTL values, which allows remote attackers to bypass detection rules by using a different TTL for each fragment.

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-5045.NASL
    description: Fix for CVE-2008-1804. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33117
    published: 2008-06-09
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/33117
    title: Fedora 7 : snort-2.8.1-3.fc7 (2008-5045)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2008-5045.
    #
    
    include("compat.inc");
    
    # Metadata registration. This branch runs when the scanner loads the plugin
    # with `description` set: it declares identifiers, references and
    # prerequisites, then exits before any check logic is reached.
    if (description)
    {
      script_id(33117);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:27");
    
      # Cross-references: the CVE and the Fedora advisory this check is tied to.
      script_cve_id("CVE-2008-1804");
      script_xref(name:"FEDORA", value:"2008-5045");
    
      script_name(english:"Fedora 7 : snort-2.8.1-3.fc7 (2008-5045)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      # The description string below is emitted verbatim in reports; it names
      # only the CVE and does not describe the frag3 TTL issue itself.
      script_set_attribute(
        attribute:"description", 
        value:
    "Fix for CVE-2008-1804
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=447870"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2008-June/010941.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7015c9fc"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected snort package.");
      # CVSSv2 base vector: network access, medium complexity, no authentication,
      # partial confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
    
      # "local" plugin type: the verdict is derived from data collected on the
      # host (see the required KB keys below), not from probing snort remotely.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:snort");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:7");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/06/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/06/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      # Prerequisites: ssh_get_info.nasl must run first, and the three KB keys
      # must exist (presumably populated by that dependency; confirm in the
      # scanner's plugin set).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Check logic: decide from knowledge-base (KB) data alone whether the
    # host's snort package is behind the reference build snort-2.8.1-3.fc7.
    # Each audit() call below ends the plugin with a "not applicable" style
    # result instead of a finding.

    # Stop unless local (credentialed) checks are enabled for this host.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    # `>!<` is NASL's "is not a substring of" operator: require a Fedora release string.
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    # Only Fedora 7 is in scope; any other major version is audited out.
    if (! ereg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 7.x", "Fedora " + os_ver);
    
    # Without a collected rpm list there is nothing to compare against.
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    # Only x86_64 and i386-i686 are handled. On any other architecture the
    # plugin audits out, so the absence of a finding there says nothing about
    # whether snort is patched.
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    # rpm_check() comes from rpm.inc (not shown here); presumably it returns
    # true when the installed package is older than the reference build.
    # NOTE(review): this is a package-version comparison only. It does not look
    # at the running snort process or at the frag3 ttl_limit setting, so a host
    # relying on a configuration workaround is still reported as missing the update.
    if (rpm_check(release:"FC7", reference:"snort-2.8.1-3.fc7")) flag++;
    
    
    if (flag)
    {
      # Report on port 0 (host-level finding); attach the rpm comparison
      # details when report verbosity is above zero.
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      # No finding: distinguish "package tested and not affected" from
      # "snort not installed" in the audit trail.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "snort");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-4986.NASL
    description: Update for CVE-2008-1804. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33112
    published: 2008-06-09
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/33112
    title: Fedora 9 : snort-2.8.1-3.fc9 (2008-4986)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2008-4986.
    #
    
    include("compat.inc");
    
    # Metadata registration. This branch runs when the scanner loads the plugin
    # with `description` set: it declares identifiers, references and
    # prerequisites, then exits before any check logic is reached.
    if (description)
    {
      script_id(33112);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:27");
    
      # Cross-references: the CVE and the Fedora advisory this check is tied to.
      script_cve_id("CVE-2008-1804");
      script_xref(name:"FEDORA", value:"2008-4986");
    
      script_name(english:"Fedora 9 : snort-2.8.1-3.fc9 (2008-4986)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      # The description string below is emitted verbatim in reports; it names
      # only the CVE and does not describe the frag3 TTL issue itself.
      script_set_attribute(
        attribute:"description", 
        value:
    "update for CVE-2008-1804
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=447870"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2008-June/010899.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?df52fd95"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected snort package.");
      # CVSSv2 base vector: network access, medium complexity, no authentication,
      # partial confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
    
      # "local" plugin type: the verdict is derived from data collected on the
      # host (see the required KB keys below), not from probing snort remotely.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:snort");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:9");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/06/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/06/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      # Prerequisites: ssh_get_info.nasl must run first, and the three KB keys
      # must exist (presumably populated by that dependency; confirm in the
      # scanner's plugin set).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Check logic: decide from knowledge-base (KB) data alone whether the
    # host's snort package is behind the reference build snort-2.8.1-3.fc9.
    # Each audit() call below ends the plugin with a "not applicable" style
    # result instead of a finding.

    # Stop unless local (credentialed) checks are enabled for this host.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    # `>!<` is NASL's "is not a substring of" operator: require a Fedora release string.
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    # Only Fedora 9 is in scope; any other major version is audited out.
    if (! ereg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 9.x", "Fedora " + os_ver);
    
    # Without a collected rpm list there is nothing to compare against.
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    # Only x86_64 and i386-i686 are handled. On any other architecture the
    # plugin audits out, so the absence of a finding there says nothing about
    # whether snort is patched.
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    # rpm_check() comes from rpm.inc (not shown here); presumably it returns
    # true when the installed package is older than the reference build.
    # NOTE(review): this is a package-version comparison only. It does not look
    # at the running snort process or at the frag3 ttl_limit setting, so a host
    # relying on a configuration workaround is still reported as missing the update.
    if (rpm_check(release:"FC9", reference:"snort-2.8.1-3.fc9")) flag++;
    
    
    if (flag)
    {
      # Report on port 0 (host-level finding); attach the rpm comparison
      # details when report verbosity is above zero.
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      # No finding: distinguish "package tested and not affected" from
      # "snort not installed" in the audit trail.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "snort");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-5001.NASL
    description: Update for CVE-2008-1804. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33114
    published: 2008-06-09
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/33114
    title: Fedora 8 : snort-2.8.1-3.fc8 (2008-5001)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2008-5001.
    #
    
    include("compat.inc");
    
    # Metadata registration. This branch runs when the scanner loads the plugin
    # with `description` set: it declares identifiers, references and
    # prerequisites, then exits before any check logic is reached.
    if (description)
    {
      script_id(33114);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:27");
    
      # Cross-references: the CVE and the Fedora advisory this check is tied to.
      script_cve_id("CVE-2008-1804");
      script_xref(name:"FEDORA", value:"2008-5001");
    
      script_name(english:"Fedora 8 : snort-2.8.1-3.fc8 (2008-5001)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      # The description string below is emitted verbatim in reports; it names
      # only the CVE and does not describe the frag3 TTL issue itself.
      script_set_attribute(
        attribute:"description", 
        value:
    "update for CVE-2008-1804
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=447870"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2008-June/010910.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9e154c76"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected snort package.");
      # CVSSv2 base vector: network access, medium complexity, no authentication,
      # partial confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
    
      # "local" plugin type: the verdict is derived from data collected on the
      # host (see the required KB keys below), not from probing snort remotely.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:snort");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:8");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/06/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/06/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      # Prerequisites: ssh_get_info.nasl must run first, and the three KB keys
      # must exist (presumably populated by that dependency; confirm in the
      # scanner's plugin set).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Check logic: decide from knowledge-base (KB) data alone whether the
    # host's snort package is behind the reference build snort-2.8.1-3.fc8.
    # Each audit() call below ends the plugin with a "not applicable" style
    # result instead of a finding.

    # Stop unless local (credentialed) checks are enabled for this host.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    # `>!<` is NASL's "is not a substring of" operator: require a Fedora release string.
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    # Only Fedora 8 is in scope; any other major version is audited out.
    if (! ereg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 8.x", "Fedora " + os_ver);
    
    # Without a collected rpm list there is nothing to compare against.
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    # Only x86_64 and i386-i686 are handled. On any other architecture the
    # plugin audits out, so the absence of a finding there says nothing about
    # whether snort is patched.
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    # rpm_check() comes from rpm.inc (not shown here); presumably it returns
    # true when the installed package is older than the reference build.
    # NOTE(review): this is a package-version comparison only. It does not look
    # at the running snort process or at the frag3 ttl_limit setting, so a host
    # relying on a configuration workaround is still reported as missing the update.
    if (rpm_check(release:"FC8", reference:"snort-2.8.1-3.fc8")) flag++;
    
    
    if (flag)
    {
      # Report on port 0 (host-level finding); attach the rpm comparison
      # details when report verbosity is above zero.
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      # No finding: distinguish "package tested and not affected" from
      # "snort not installed" in the audit trail.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "snort");
    }
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2009-259.NASL
    description: preprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not properly identify packet fragments that have dissimilar TTL values, which allows remote attackers to bypass detection rules by using a different TTL for each fragment. (CVE-2008-1804) The updated packages have been patched to prevent this. Additionally, there were problems with two rules in the snort-rules package for 2008.0, which are also fixed with this update. Update: Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42063
    published: 2009-10-08
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/42063
    title: Mandriva Linux Security Advisory : snort (MDVSA-2009:259-1)

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 29327 CVE(CAN) ID: CVE-2008-1804 Snort是广泛部署的开放源码网络入侵检测系统(IDS)。 Snort没有正确地重组IP报文,远程攻击者可能利用此漏洞绕过检测。 在接收入站碎片时,Snort检查碎片的存活时间(TTL)值并与初始碎片的TTL做比较。如果二者之间的差异大于所配置的量(默认最大值为5)的话,就会丢弃碎片,也无法对其应用规则,这导致Snort无法过滤或检查有效的通讯。 Snort Project Snort 2.8 Snort Project Snort 2.6 临时解决方法: * 在snort.conf文件中将ttl_limit值设置为255:
    preprocessor frag3_engine: ttl_limit 255
厂商补丁: Snort Project ------------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&tr1=1.46.2.4&r2=text&tr2=1.46.2.5&diff_format=h
id: SSV:3318
last seen: 2017-11-19
modified: 2008-05-23
published: 2008-05-23
reporter: Root
title: Snort碎片重组TTL值导致漏报漏洞