Snare Agents Advisory – Agent Denial of Service
New agents were released on June 30th; please see the release notes available at the client login page.
A vulnerability exists in some versions of the Snare Agents, which can be triggered to terminate the Snare service. The exploit attempts to overflow an input buffer in the remote management interface, and can be performed by an unauthenticated user using a custom-crafted URL.
Impact
This vulnerability does not allow the attacker to gain privileged access, but it does affect the operation of the agent.
Vulnerable Products
This affects the following Snare Enterprise products:
– Snare Enterprise Agent for Windows
– Snare Enterprise Agent for MSSQL
– Snare Enterprise Epilog for Windows
– Snare Enterprise Epilog for Unix
– Snare Enterprise Agent for OSX
– Snare OpenSource Agents
Countermeasures
– Disabling the remote control interface (GUI) will block this issue. Note that disabling the remote control interface will also disable the ability of the agent management console to manage the affected agent.
– Appropriate network firewall controls will limit the sources from which this exploit can be triggered.
– Some Unix operating systems can detect the attack as a potential SYN flood and block the source system.
Vulnerable Versions
The following versions of Snare Enterprise agents, and all versions prior to these versions, should be considered vulnerable to this issue:
– Snare Enterprise Agent for Windows v4.2.12
– Snare Enterprise Agent for MSSQL v1.3.4
– Snare Enterprise Epilog for Windows v1.7.12
– Snare Enterprise Epilog for Unix v1.5.5
– Snare Enterprise Agent for OSX v1.1.3
All versions of the listed OpenSource/SnareLite agents, and prior versions, should be considered vulnerable to this issue:
– Snare OpenSource Agent for Windows v4.0.2.0
– Snare OpenSource Epilog for Windows v1.6.0
– Snare OpenSource Epilog for Unix v1.5.0
Patched Versions
The following versions of the Snare Enterprise agents have been patched, and are no longer vulnerable to this issue:
– Snare Enterprise Agent for Windows v4.3.0
– Snare Enterprise Agent for MSSQL v1.4.0
– Snare Enterprise Epilog for Windows v1.8.0
– Snare Enterprise Epilog for Unix v1.5.6
– Snare Enterprise Agent for OSX v1.1.4
For users who are running the OpenSource/SnareLite agents, it is recommended that the remote control interface be disabled. There is no schedule for fixes to the OpenSource/SnareLite agents at this time.
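The version lists above can be applied to an agent inventory. The following is an added example, not code from the vendor or the agents: it compares versions numerically (so v4.2.9 sorts below v4.2.12) and reports versions the advisory does not classify as "unconfirmed". The host names, edition labels, status strings and sample inventory are constructed for illustration.

```python
import re

# (last version listed as vulnerable, first patched version) from the advisory;
# None means no fix is scheduled (OpenSource/SnareLite).
ADVISORY = {
    ("enterprise", "agent for windows"): ("4.2.12", "4.3.0"),
    ("enterprise", "agent for mssql"): ("1.3.4", "1.4.0"),
    ("enterprise", "epilog for windows"): ("1.7.12", "1.8.0"),
    ("enterprise", "epilog for unix"): ("1.5.5", "1.5.6"),
    ("enterprise", "agent for osx"): ("1.1.3", "1.1.4"),
    ("opensource", "agent for windows"): ("4.0.2.0", None),
    ("opensource", "epilog for windows"): ("1.6.0", None),
    ("opensource", "epilog for unix"): ("1.5.0", None),
}

def parse_version(text):
    """'v4.2.12' -> (4, 2, 12, 0); padded to four fields so 4.0.2 == 4.0.2.0."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+){0,3})", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(edition, product, version):
    """Classify one agent against the advisory's version lists."""
    entry = ADVISORY.get((edition.lower(), product.lower()))
    if entry is None:
        return "not-listed"
    last_vuln, first_fixed = entry
    v = parse_version(version)
    if v <= parse_version(last_vuln):
        return "vulnerable" if first_fixed else "vulnerable-no-fix"
    if first_fixed and v >= parse_version(first_fixed):
        return "patched"
    return "unconfirmed"  # version not classified by the advisory

INVENTORY = [  # constructed sample data
    ("host-a", "enterprise", "Agent for Windows", "v4.2.9"),
    ("host-b", "enterprise", "Epilog for Unix", "v1.5.6"),
    ("host-c", "opensource", "Agent for Windows", "v4.0.2.0"),
    ("host-d", "enterprise", "Agent for MSSQL", "v1.3.5"),
]

def report(inventory):
    return {host: triage(ed, prod, ver) for host, ed, prod, ver in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Agents reported as "vulnerable-no-fix" are the OpenSource/SnareLite cases, for which the advisory recommends disabling the remote control interface.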