TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

381

382

383

384

385

386

387

388

389

390

ProCurve TMS zl Module IPS/IDS Signature

Reference Guide Version RLX.10.2.2.94

390

Signature ID: 6154

FTP REST command Vulnerability

Threat Level: Critical

Signature Description: The REST command is used to continue an interrupted session and its integer argument

represents the position in the file where transfer should begin. A vulnerability has been discovered in the HP-UX 11

ftpd daemon which can be triggered using the FTP REST command. By specifying a specially calculated numeric

argument to the REST command, it is possible to disclose the contents of that numeric location in process memory.

This issue may be exploited to disclose the contents of sensitive files, such as /etc/passwd.

Signature ID: 6155

FTP RNFR command Buffer overflow Vulnerability

Threat Level: Critical

Bugtraq: 14339

Signature Description: Some of the FTP servers are prone to buffer overruns when handling data supplied to the RNFR

command. An FTP user who supplies excessive input to this command could potentially execute arbitrary code in the

context of the server or cause a denial of service.The issue exists due to lack of sufficient boundary checks performed

on user-supplied data.

Signature ID: 6156

FTP SITE INDEX format string Vulnerability

Threat Level: Information

Signature Description: Format string vulnerability in some FTP servers allows remote attackers to cause a denial of

service (crash) and possibly execute arbitrary code using format string specifiers.The issue exists due to a lack of

sufficient format checks against user-supplied data.A remote attacker may send malicious data as an argument to a

SITE INDEX FTP command.

Signature ID: 7001

Checkpoint FW-1 Identification Attempt

Threat Level: Information

Industry ID: CVE-2001-1303 Bugtraq: 3058 Nessus: 10044,10710

Signature Description: If any host is opened with tcp ports 256, 257 and 258, its very likely that it is a Checkpoint

Firewall/1 software. Letting attackers know that you are running FW/1 will help them to focus their attack or will make

them change their strategy. This rule triggers alarm when any system responds to packet, arrived on the the TCP ports

256, 257 and 258.

Signature ID: 7004

Icmp net mask request

Threat Level: Warning

Industry ID: CVE-1999-0524

Nessus: 10114

Signature Description: The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet

Protocol Suite. If an internal host answers to an ICMP_MASKREQ query, it can lead to more focused attacks. By

determining the net masks of various computers in your network, an attacker can better map your subnet structure and

infer trust relationships. This may help him to bypass your filters.

Signature ID: 7005

Icmp time stamp request

Threat Level: Warning

Industry ID: CVE-1999-0524

Nessus: 10114