ID: RBSA-2016-001
Name: Vulnerability in Snort related to file inspection
Date: 03/30/2016
CVE names: CVE-2016-1345
Status: Solved by vendor

Summary

A ‘Improper Input Validation’ vulnerability has been discovered in the Snort file inspection features. The vulnerability, which has been identified as CVE-2016-1345, has a high level impact according to the CVSS v3 Base Score.

Description

Snort versions prior to 2.9.8.2 which use the file inspection features are affected and exposed to this risk. These features were introduced in Snort v2.9.6.0 to help to deter malware propagation.

The vulnerability has been classified as ‘Improper Input Validation’ (CWE-20), which means that the program could not be able to validate some improper inputs correctly. Specifically, Snort risks to make an incorrect data validation of HTTP Headers, thereby an attacker could send a crafted HTTP request for the purpose of avoiding the file detection and therefore being able to spread malware.

Snort versions from 2.9.6.0 to 2.9.8.0 are in risk only in the case of file inspection features are enabled, therefore redborder IPS is not affected by this vulnerability.

Affected systems

Snort versions from 2.9.6.0 to 2.9.8.0 inclusive with file inspection features enabled.

Workaround

There is no workaround available.

Solution

For Snort installations with file inspection features enabled, upgrade to Snort v2.9.8.2. For redborder IPS installations no action is needed.

References

Cisco - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160330-fp
CVE-2016-1345 - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1345

Contact

The redBorder CSIRT Group: csirt@redBorder.net