Last Updated: 2007-02-20 23:59:40 UTC
by Joel Esler (Version: 3)
There are no publicly available exploits for this vulnerability at this time.
Mitigation for Snort: If, for some reason, you can’t upgrade your version of Snort to v184.108.40.206, you can turn off the DCE/RPC preprocessor in your snort.conf file by commenting it out and restarting Snort. Upgrading to the new version of Snort is highly recommended as soon as possible. The new version of Snort is available here.
Your snort.conf will have an entry like:
preprocessor dcerpc: \
autodetect \
max_frag_size 3000 \
memcap 100000
Just comment out these lines like:
#preprocessor dcerpc: \
# autodetect \
# max_frag_size 3000 \
# memcap 100000
and restart Snort. Then upgrade to v220.127.116.11.
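The comment-out step above, as an added example that is not part of the original diary or of Snort itself: a shell helper that comments out the whole dcerpc directive, including its backslash-continued option lines, and then checks that no active dcerpc line remains. The sample configuration and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Paths and the sample config below are constructed.

# Print a constructed snort.conf fragment for the demo.
sample_conf() {
    cat <<'EOF'
var HOME_NET any
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
preprocessor bo
EOF
}

# Print $1 with every active dcerpc preprocessor directive commented out,
# following backslash continuations so no option line is left dangling.
disable_dcerpc() {
    awk '
        # in_block stays 1 while the previous dcerpc line ended in a backslash
        in_block || /^[ \t]*preprocessor[ \t]+dcerpc[ \t]*:/ {
            in_block = ($0 ~ /\\[ \t]*$/)
            print "#" $0
            next
        }
        { print }
    ' "$1"
}

# Succeed (exit 0) if an uncommented dcerpc preprocessor line is still present.
dcerpc_active() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+dcerpc[[:space:]]*:' "$1"
}

# Demo on the constructed fragment; on a sensor, point it at the real snort.conf.
conf=$(mktemp)
sample_conf > "$conf"
disable_dcerpc "$conf" > "$conf.new"
if dcerpc_active "$conf.new"; then
    echo "dcerpc preprocessor still enabled"
else
    echo "dcerpc preprocessor disabled:"
    cat "$conf.new"
fi
rm -f "$conf" "$conf.new"
```

Running `dcerpc_active` against the edited file before restarting Snort confirms the preprocessor will not be loaded.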
If you have a Sourcefire Intrusion Sensor, Sourcefire released SEU 64 today that patches this vulnerability, and this update can be downloaded from the Sourcefire Customer Support Web Site. After downloading and installing SEU 64, you will need to re-push your policies out from your Defense Center.
Mitigation for Sourcefire customers: If, for some reason, you can’t update your SEU, edit your policies, uncheck the DCE/RPC “Enabled” check box, and re-push your policy until you can upgrade.
This vulnerability has been identified as CVE-2006-5276.
The versions of Snort that are affected:
* Snort 2.6.1, 18.104.22.168, and 22.214.171.124
* Snort 2.7.0 beta 1
Update: Sourcefire has released SEU 65, as well as a ruleset for both registered users and VRT subscribers that detects attempts to exploit this vulnerability. These rules are available at www.snort.org.
(Yes, I am a Sourcefire employee)