Bug 27741 - snort security issues CVE-2020-3299, CVE-2020-3315, CVE-2021-1223, CVE-2021-1224, CVE-2021-1236, CVE-2021-1494, CVE-2021-1495, CVE-2021-34749, CVE-2021-40114
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-12-04 14:07 CET by Zombie Ryushu
Modified: 2023-03-31 02:14 CEST

See Also:
Source RPM: snort-2.9.8.0-8.mga9.src.rpm
CVE:
Status comment:



Description Zombie Ryushu 2020-12-04 14:07:43 CET
Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured File Policy for HTTP. The vulnerability is due to incorrect detection of modified HTTP packets used in chunked responses. An attacker could exploit this vulnerability by sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker to bypass a configured File Policy for HTTP packets and deliver a malicious payload.
Zombie Ryushu 2020-12-04 14:07:55 CET

CVE: (none) => CVE-2020-3299

Comment 1 David Walser 2020-12-04 14:16:52 CET
This is a Cisco vulnerability.

Resolution: (none) => INVALID
Status: NEW => RESOLVED
Source RPM: snort-2.9.8.0-3.mga7.src => snort-2.9.8.0-3.mga7.src.rpm

Comment 2 David Walser 2023-02-13 17:50:59 CET
Debian-LTS has issued an advisory on February 11:
https://www.debian.org/lts/security/2023/dla-3317

The issues are fixed upstream in 2.9.18.

Mageia 8 is also affected.

Whiteboard: (none) => MGA8TOO
Summary: snort security issue CVE-2020-3299 => snort security issues CVE-2020-3299, CVE-2020-3315, CVE-2021-1223, CVE-2021-1224, CVE-2021-1236, CVE-2021-1494, CVE-2021-1495, CVE-2021-34749, CVE-2021-40114
Status comment: (none) => Fixed upstream in 2.9.18
Status: RESOLVED => REOPENED
CVE: CVE-2020-3299 => (none)
Resolution: INVALID => (none)
Source RPM: snort-2.9.8.0-3.mga7.src.rpm => snort-2.9.8.0-8.mga9.src.rpm

Comment 3 Marja Van Waes 2023-02-13 20:01:48 CET
Assigning to all packagers collectively, since "nobody" is the registered maintainer of snort.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 4 Nicolas Salguero 2023-03-20 12:07:46 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured File Policy for HTTP. The vulnerability is due to incorrect detection of modified HTTP packets used in chunked responses. An attacker could exploit this vulnerability by sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker to bypass a configured File Policy for HTTP packets and deliver a malicious payload. (CVE-2020-3299)

Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an unauthenticated, remote attacker to bypass the configured file policies on an affected system. The vulnerability is due to errors in how the Snort detection engine handles specific HTTP responses. An attacker could exploit this vulnerability by sending crafted HTTP packets that would flow through an affected system. A successful exploit could allow the attacker to bypass the configured file policies and deliver a malicious payload to the protected network. (CVE-2020-3315)

Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to incorrect handling of an HTTP range header. An attacker could exploit this vulnerability by sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker to bypass configured file policy for HTTP packets and deliver a malicious payload. (CVE-2021-1223)

Multiple Cisco products are affected by a vulnerability with TCP Fast Open (TFO) when used in conjunction with the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to incorrect detection of the HTTP payload if it is contained at least partially within the TFO connection handshake. An attacker could exploit this vulnerability by sending crafted TFO packets with an HTTP payload through an affected device. A successful exploit could allow the attacker to bypass configured file policy for HTTP packets and deliver a malicious payload. (CVE-2021-1224)

Multiple Cisco products are affected by a vulnerability in the Snort application detection engine that could allow an unauthenticated, remote attacker to bypass the configured policies on an affected system. The vulnerability is due to a flaw in the detection algorithm. An attacker could exploit this vulnerability by sending crafted packets that would flow through an affected system. A successful exploit could allow the attacker to bypass the configured policies and deliver a malicious payload to the protected network. (CVE-2021-1236)

Multiple Cisco products are affected by vulnerabilities in the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. These vulnerabilities are due to incorrect handling of specific HTTP header parameters. An attacker could exploit these vulnerabilities by sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker to bypass a configured file policy for HTTP packets and deliver a malicious payload. (CVE-2021-1494)

Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to incorrect handling of specific HTTP header parameters. An attacker could exploit this vulnerability by sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker to bypass a configured file policy for HTTP packets and deliver a malicious payload. (CVE-2021-1495)

A vulnerability in Server Name Identification (SNI) request filtering of Cisco Web Security Appliance (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine could allow an unauthenticated, remote attacker to bypass filtering technology on an affected device and exfiltrate data from a compromised host. This vulnerability is due to inadequate filtering of the SSL handshake. An attacker could exploit this vulnerability by using data from the SSL client hello packet to communicate with an external server. A successful exploit could allow the attacker to execute a command-and-control attack on a compromised host and perform additional data exfiltration attacks. (CVE-2021-34749)

Multiple Cisco products are affected by a vulnerability in the way the Snort detection engine processes ICMP traffic that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper memory resource management while the Snort detection engine is processing ICMP packets. An attacker could exploit this vulnerability by sending a series of ICMP packets through an affected device. A successful exploit could allow the attacker to exhaust resources on the affected device, causing the device to reload. (CVE-2021-40114)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3299
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3315
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1223
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1236
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1494
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1495
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40114
https://www.debian.org/lts/security/2023/dla-3317
========================

Updated packages in core/updates_testing:
========================
snort-2.9.20-1.mga8
snort-bloat-2.9.20-1.mga8
snort-devel-2.9.20-1.mga8
snort-inline-2.9.20-1.mga8
snort-inline+flexresp-2.9.20-1.mga8
snort-mysql-2.9.20-1.mga8
snort-mysql+flexresp-2.9.20-1.mga8
snort-plain+flexresp-2.9.20-1.mga8
snort-postgresql-2.9.20-1.mga8
snort-postgresql+flexresp-2.9.20-1.mga8
snort-prelude-2.9.20-1.mga8
snort-prelude+flexresp-2.9.20-1.mga8

from SRPM:
snort-2.9.20-1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs
Status: REOPENED => ASSIGNED
Version: Cauldron => 8
Status comment: Fixed upstream in 2.9.18 => (none)
CC: (none) => nicolas.salguero

Comment 5 Thomas Andrews 2023-03-26 21:39:06 CEST
I downloaded the above packages into a VirtualBox Plasma guest with qarepo, and used urpmi to install snort and dependencies. There were no installation issues, as far as I could tell.

No previous updates that were useful, so I consulted the Web for guidance, quickly learning that my youthful experience at feeding and watering swine did not prepare me for this kind of snorting.

I attempted to follow some tutorials, like https://www.securityarchitecture.com/learning/intrusion-detection-systems-learning-with-snort/configuring-snort-on-linux/ and https://www.howtogeek.com/devops/how-to-use-the-snort-intrusion-detection-system-on-linux/ but did not get very far when it came to editing the snort.conf file. 

I was able to set the Home Network IP all right, and found the path to the rules, but could not find any path to "so_rules" or "preproc_rules" at all. A search in MCC on file names couldn't find them, either. Something missing, or user inexperience? No idea. So, I tried anyway.

$ snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.20 GRE (Build 82) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.10.2 (with TPACKET_V3)
           Using PCRE version: 8.44 2020-02-12
           Using ZLIB version: 1.2.12

That much seemed to work, but when I tried to do something serious (specifying "porn.rules" as something easy to violate if I got that far...)

# snort -d -l /var/log/snort/ -h 10.0.2.15/24  -A console -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
ERROR: /etc/snort/snort.conf(104) Missing argument to /etc/snort/rules/porn.rules
Fatal Error, Quitting..

Even "snort -h" gave me an argument before listing the help information. Looking at that help file, I've gone as far as I can go. It's just TOO much to try to learn to use just for QA purposes.

It appears to be working as designed. Except for the two files/directories that I couldn't find, I believe the fatal errors I encountered were due to my inexperience, and even those might be from that inexperience, too. If what I have done is enough to send it on, I won't object to an OK. If not, someone with some experience is going to have to test this.

CC: (none) => andrewsfarm

Comment 6 Herman Viaene 2023-03-28 16:18:23 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
With a little experience on pigs (spent several summer holidays at a farm in France), tried my hand at it.
Found (more luck?) https://linuxhint.com/intrusion_detection_snort_tutorial/ and followed that (skipped the part of registering for official rules).
Launching the command 
# snort -A fast -c /etc/snort/snort.conf
brought me xxx numbers of aborts, since the default snort.conf referred to some 20 files in /etc/snort/rules that simply weren't there.
I commented out those lines, including the ones for whitelist and blacklist, and then the command launched giving a looong list of feedback, but no error.
It remained active until I terminated it with Ctrl-C and that caused more feedback.
^C*** Caught Int-Signal
===============================================================================
Run time for packet processing was 255.208669 seconds
Snort processed 18838 packets.
Snort ran for 0 days 0 hours 4 minutes 15 seconds
   Pkts/min:         4709
   Pkts/sec:           73
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       44195840
  Bytes in mapped regions (hblkhd):      22392832
  Total allocated space (uordblks):      39135712
  Total free space (fordblks):           5060128
  Topmost releasable block (keepcost):   131296
and a load more, but again no errors.

Apparently the thing works OK, I'm just not sure about the large difference between the rules listed as active in the /etc/snort/snort.conf file and the actual list of rule files in /etc/snort/rules/.
This is clearly stuff for network administrators, so we might suppose such a person knows what to do about the missing files.

TJ,
If you feel this is adequate, then you shove it out.

CC: (none) => herman.viaene

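Both testers above tripped over snort.conf directives that point at rule files the shipped rules package does not contain (Comment 5's fatal error on porn.rules, Comment 6's hand-commented include, whitelist and blacklist lines). The pre-flight check below is an added example written for this bug page, not code from Snort or the Mageia package: it resolves $VAR references in a snort.conf, lists every included rule file and reputation list file that is missing, and comments those directives out in full. It assumes Snort resolves relative paths from the conf file's directory; the sample conf and its file layout are constructed.

```python
import os
import re

# Checks var/include directives and the reputation preprocessor's whitelist/blacklist paths (multi-line via '\').
VAR_RE = re.compile(r"^(?:var|ipvar|portvar)\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^include\s+(\S+)")
LIST_RE = re.compile(r"\b(?:whitelist|blacklist)\s+([^\s,]+)")

def logical_lines(conf_text):  # yield (first_line, last_line, text); strips comments, merges '\' continuations
    buf = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        buf.append(raw.split("#", 1)[0].rstrip())
        if buf[-1].endswith("\\"):
            buf[-1] = buf[-1][:-1]
            continue
        joined = " ".join(buf).strip()
        if joined:
            yield lineno - len(buf) + 1, lineno, joined
        buf = []

def expand(value, variables):  # substitute $NAME; undefined names stay verbatim
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)

def missing_rule_files(conf_text, conf_dir, exists=os.path.isfile):  # -> [(first_line, last_line, path)]
    variables, missing = {}, []
    for first, last, line in logical_lines(conf_text):
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = expand(m.group(2), variables)
            continue
        paths = LIST_RE.findall(line) if line.startswith("preprocessor reputation:") else INCLUDE_RE.findall(line)
        for p in paths:
            full = os.path.join(conf_dir, expand(p, variables))  # assumption: relative paths resolve from conf_dir
            if not exists(full):
                missing.append((first, last, full))
    return missing

def disable_missing(conf_text, missing):  # comment out every physical line of each broken directive
    dead = {n for first, last, _ in missing for n in range(first, last + 1)}
    return "\n".join("# " + l if i in dead else l for i, l in enumerate(conf_text.splitlines(), 1)) + "\n"

# Constructed sample conf and file layout: porn.rules and black_list.rules are absent.
SAMPLE_CONF = """var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/porn.rules
preprocessor reputation: \\
   whitelist $RULE_PATH/white_list.rules, blacklist $RULE_PATH/black_list.rules"""
SAMPLE_PRESENT = {"/etc/snort/rules/local.rules", "/etc/snort/rules/white_list.rules"}
def check_sample():
    return missing_rule_files(SAMPLE_CONF, "/etc/snort", exists=SAMPLE_PRESENT.__contains__)
```

Against a real install, pass the contents of /etc/snort/snort.conf and "/etc/snort" with the default `exists`, and review the returned list before running the update's snort binary.
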
Comment 7 Thomas Andrews 2023-03-28 20:32:45 CEST
According to the description of snort-rules in MCC, "These rules were taken from the snortrules-pr-2.4.tar.gz tar ball and all non GPL rules were removed, then the tar ball was repackaged. Please read the relevant changelog entry from debian that explains this." 

And if you look at our changelog for this package, all you see is two entries, one a mass-rebuild for Mageia 8; the other a mass-rebuild for Mageia 7.

It may be that you saw the error you saw because these rules are simply incomplete and out-of-date. Perhaps our rules package should be updated, but from that description an update would still be incomplete, since they are only the GPL rules. It seems that updated rules packages are available online, so maybe an update of our rules isn't needed. I leave it to others to decide.

It's been many years, but as I recall, shoving pigs is not the most efficient way to get them where you want them to go. A carrot-and-stick approach, carefully executed, usually works better. But again I leave those mechanics to others. 

Giving this an OK, and validating. Advisory in comment 4.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2023-03-29 15:34:25 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2023-03-31 02:14:57 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0117.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
