Name: Vulnerability in Snort related to file inspection
CVE names: CVE-2016-1345
Status: Solved by vendor
A ‘Improper Input Validation’ vulnerability has been discovered in the Snort file inspection features. The vulnerability, which has been identified as CVE-2016-1345, has a high level impact according to the CVSS v3 Base Score.
Snort versions prior to 220.127.116.11 which use the file inspection features are affected and exposed to this risk. These features were introduced in Snort v18.104.22.168 to help to deter malware propagation.
The vulnerability has been classified as ‘Improper Input Validation’ (CWE-20), which means that the program could not be able to validate some improper inputs correctly. Specifically, Snort risks to make an incorrect data validation of HTTP Headers, thereby an attacker could send a crafted HTTP request for the purpose of avoiding the file detection and therefore being able to spread malware.
Snort versions from 22.214.171.124 to 126.96.36.199 are in risk only in the case of file inspection features are enabled, therefore redborder IPS is not affected by this vulnerability.
Snort versions from 188.8.131.52 to 184.108.40.206 inclusive with file inspection features enabled.
There is no workaround available.
For Snort installations with file inspection features enabled, upgrade to Snort v220.127.116.11. For redborder IPS installations no action is needed.
The redBorder CSIRT Group: csirt@redBorder.net