CVE-2008-1804 - Vulnerability Details - OpenCVE

preprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not properly identify packet fragments that have dissimilar TTL values, which allows remote attackers to bypass detection rules by using a different TTL for each fragment.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Snort	Snort

Configuration 1 [-]

cpe:2.3:a:snort:snort:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://cvs.snort.org/viewcvs.cgi/snort/ChangeLog?rev=1.534.2.11
http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&tr1=1.46.2.4&r2=text&tr2=1.46.2.5&diff_format=h
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=701
http://secunia.com/advisories/30348
http://secunia.com/advisories/30563
http://secunia.com/advisories/31204
http://securitytracker.com/id?1020081
http://www.ipcop.org/index.php?name=News&file=article&sid=40
http://www.securityfocus.com/bid/29327
http://www.vupen.com/english/advisories/2008/1602
https://exchange.xforce.ibmcloud.com/vulnerabilities/42584
https://nvd.nist.gov/vuln/detail/CVE-2008-1804
https://www.cve.org/CVERecord?id=CVE-2008-1804
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00156.html
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00167.html
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00198.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-05-22T10:00:00

Updated: 2024-08-07T08:32:01.432Z

Reserved: 2008-04-15T00:00:00

Link: CVE-2008-1804

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2008-05-22T13:09:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2008-1804

Redhat

Severity :

Publid Date: 2008-05-21T00:00:00Z

Links: CVE-2008-1804 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-05-21T00:00:00", "descriptions": [{"lang": "en", "value": "preprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not properly identify packet fragments that have dissimilar TTL values, which allows remote attackers to bypass detection rules by using a different TTL for each fragment."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "snort-ttl-security-bypass(42584)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42584"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&tr1=1.46.2.4&r2=text&tr2=1.46.2.5&diff_format=h"}, {"name": "FEDORA-2008-4986", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00156.html"}, {"name": "1020081", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1020081"}, {"name": "ADV-2008-1602", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/1602"}, {"name": "FEDORA-2008-5001", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00167.html"}, {"name": "30348", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30348"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.ipcop.org/index.php?name=News&file=article&sid=40"}, {"name": "29327", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/29327"}, {"name": "20080521 Multiple Vendor Snort IP Fragment TTL Evasion Vulnerability", "tags": ["third-party-advisory", "x_refsource_IDEFENSE"], "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=701"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://cvs.snort.org/viewcvs.cgi/snort/ChangeLog?rev=1.534.2.11"}, {"name": "FEDORA-2008-5045", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00198.html"}, {"name": "31204", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31204"}, {"name": "30563", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30563"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-1804", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "preprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not properly identify packet fragments that have dissimilar TTL values, which allows remote attackers to bypass detection rules by using a different TTL for each fragment."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "snort-ttl-security-bypass(42584)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42584"}, {"name": "http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&tr1=1.46.2.4&r2=text&tr2=1.46.2.5&diff_format=h", "refsource": "CONFIRM", "url": "http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&tr1=1.46.2.4&r2=text&tr2=1.46.2.5&diff_format=h"}, {"name": "FEDORA-2008-4986", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00156.html"}, {"name": "1020081", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1020081"}, {"name": "ADV-2008-1602", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/1602"}, {"name": "FEDORA-2008-5001", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00167.html"}, {"name": "30348", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30348"}, {"name": "http://www.ipcop.org/index.php?name=News&file=article&sid=40", "refsource": "CONFIRM", "url": "http://www.ipcop.org/index.php?name=News&file=article&sid=40"}, {"name": "29327", "refsource": "BID", "url": "http://www.securityfocus.com/bid/29327"}, {"name": "20080521 Multiple Vendor Snort IP Fragment TTL Evasion Vulnerability", "refsource": "IDEFENSE", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=701"}, {"name": "http://cvs.snort.org/viewcvs.cgi/snort/ChangeLog?rev=1.534.2.11", "refsource": "CONFIRM", "url": "http://cvs.snort.org/viewcvs.cgi/snort/ChangeLog?rev=1.534.2.11"}, {"name": "FEDORA-2008-5045", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00198.html"}, {"name": "31204", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31204"}, {"name": "30563", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30563"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T08:32:01.432Z"}, "title": "CVE Program Container", "references": [{"name": "snort-ttl-security-bypass(42584)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42584"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&tr1=1.46.2.4&r2=text&tr2=1.46.2.5&diff_format=h"}, {"name": "FEDORA-2008-4986", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00156.html"}, {"name": "1020081", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1020081"}, {"name": "ADV-2008-1602", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/1602"}, {"name": "FEDORA-2008-5001", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00167.html"}, {"name": "30348", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/30348"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.ipcop.org/index.php?name=News&file=article&sid=40"}, {"name": "29327", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/29327"}, {"name": "20080521 Multiple Vendor Snort IP Fragment TTL Evasion Vulnerability", "tags": ["third-party-advisory", "x_refsource_IDEFENSE", "x_transferred"], "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=701"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://cvs.snort.org/viewcvs.cgi/snort/ChangeLog?rev=1.534.2.11"}, {"name": "FEDORA-2008-5045", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00198.html"}, {"name": "31204", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31204"}, {"name": "30563", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/30563"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-1804", "datePublished": "2008-05-22T10:00:00", "dateReserved": "2008-04-15T00:00:00", "dateUpdated": "2024-08-07T08:32:01.432Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:snort:snort:*:*:*:*:*:*:*:*", "matchCriteriaId": "41A284AF-58E7-43A2-85E1-2D26C90E6C8E", "versionEndIncluding": "2.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "preprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not properly identify packet fragments that have dissimilar TTL values, which allows remote attackers to bypass detection rules by using a different TTL for each fragment."}, {"lang": "es", "value": "preprocessors/spp_frag3.c en Sourcefire Snort before 2.8.1 no identifica adecuadamente los fragmentos de paquetes que tienen valores TTL distintos, esto permite a atacantes remotos evitar las reglas de detecci\u00f3n usando un paquete TTL para cada fragmento."}], "id": "CVE-2008-1804", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2008-05-22T13:09:00.000", "references": [{"source": "cve@mitre.org", "url": "http://cvs.snort.org/viewcvs.cgi/snort/ChangeLog?rev=1.534.2.11"}, {"source": "cve@mitre.org", "url": "http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&tr1=1.46.2.4&r2=text&tr2=1.46.2.5&diff_format=h"}, {"source": "cve@mitre.org", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=701"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/30348"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/30563"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/31204"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1020081"}, {"source": "cve@mitre.org", "url": "http://www.ipcop.org/index.php?name=News&file=article&sid=40"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/29327"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/1602"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42584"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00156.html"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00167.html"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00198.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://cvs.snort.org/viewcvs.cgi/snort/ChangeLog?rev=1.534.2.11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&tr1=1.46.2.4&r2=text&tr2=1.46.2.5&diff_format=h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=701"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/30348"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/30563"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/31204"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1020081"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ipcop.org/index.php?name=News&file=article&sid=40"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/29327"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/1602"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42584"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00156.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00167.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00198.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}