ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 10228
Multiple Vendor Telnet Client LINEMODE SLC Sub-Option Remote Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0469 Bugtraq: 12918
Signature Description: Multiple Telnet client implementations are vulnerable to a flaw which may allow arbitrary code
to be executed on the connected client. The Telnet server may supply a specially crafted reply containing a large
number of LINEMODE "Set Local Character" (SLC) sub-option commands, which are not checked for proper length
before being stored into a fixed-length buffer. Affected Telnet clients possibly include the BSD Telnet implementation
and the MIT Kerberos distribution. The Telnet LINEMODE mode is enabled by default in a majority of modern Telnet
clients and servers, and is often negotiated automatically before user input is required. Therefore, an attacker may be
able to launch a vulnerable client, for example, through commands embedded in web pages such as an IFRAME with a
"telnet:" URL, and exploit this flaw with only minimal or no user interaction.
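
The condition described for signature 10228 can be checked on the server-to-client byte stream by counting the SLC triplets in each LINEMODE sub-option. The detection check below is an added example, not part of the reference guide or the module's own signature logic; the MAX_TRIPLETS threshold, the function names and the sample byte strings are assumptions constructed for illustration.

```python
# Added example (not from the guide). Threshold and samples are assumptions.
IAC, SB, SE = 255, 250, 240      # Telnet command bytes (RFC 854)
LINEMODE, LM_SLC = 34, 3         # option / sub-option codes (RFC 1184)
MAX_TRIPLETS = 40                # assumed alert threshold; tune to observed traffic

def slc_suboptions(stream: bytes):
    """Yield (payload, terminated) for each LINEMODE SLC sub-option in stream."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            # IAC IAC is escaped data; WILL/WONT/DO/DONT carry one option byte
            i += 3 if 251 <= stream[i + 1] <= 254 else 2
        else:
            body, j, terminated = bytearray(), i + 2, False
            while j < n:
                if stream[j] == IAC and j + 1 < n and stream[j + 1] == SE:
                    terminated = True
                    break
                if stream[j] == IAC and j + 1 < n and stream[j + 1] == IAC:
                    j += 1       # collapse the escaped 0xFF to one data byte
                body.append(stream[j])
                j += 1
            if body[:2] == bytes([LINEMODE, LM_SLC]):
                yield bytes(body[2:]), terminated
            i = j + 2

def inspect(stream: bytes, limit: int = MAX_TRIPLETS):
    """Return a finding for every SLC sub-option that is oversized or malformed."""
    findings = []
    for payload, terminated in slc_suboptions(stream):
        triplets, leftover = divmod(len(payload), 3)   # <function, flags, value>
        if triplets > limit or leftover or not terminated:
            findings.append({"triplets": triplets, "leftover": leftover,
                             "terminated": terminated})
    return findings

def build(triplets):
    """Constructed test input: encode triplets as one SLC sub-option."""
    body = b"".join(bytes(t) for t in triplets).replace(b"\xff", b"\xff\xff")
    return bytes([IAC, SB, LINEMODE, LM_SLC]) + body + bytes([IAC, SE])

NORMAL = build([(3, 2, 0x03), (8, 2, 0x04), (10, 2, 0x7F)])
OVERSIZED = build([(1 + k % 18, 2, 0) for k in range(200)])

if __name__ == "__main__":
    print(inspect(b"\xff\xfd\x22login: " + NORMAL + OVERSIZED))
```

A sub-option that is cut off at the end of the captured data is reported as unterminated, so a sensor feeding this check segment by segment should reassemble the TCP stream first.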
Signature ID: 10229
Veritas Backup Exec Agent Invalid Error Status Remote Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0772 Bugtraq: 14021
Signature Description: VERITAS Backup Exec is a data backup and recovery solution with support for
over-the-network backup. The Veritas Backup Exec server component uses the Network Data Management Protocol (NDMP) to
communicate with listening Backup Exec Agents (the client) on TCP port 10000. Veritas Backup Exec Remote Agent
is prone to a remotely exploitable denial of service vulnerability. The vulnerability specifically exists because of
improper handling of request packets with an "Error Status" value other than zero. Attackers may construct and submit
malicious NDMP packets with an invalid error status value to the Backup Agent, which causes a NULL pointer
dereference while parsing the NDMP header, resulting in an unhandled exception that crashes the program.
Administrators are advised to close port 10000 to external users.
Signature ID: 10230
Veritas Backup Exec Agent CONNECT_CLIENT_AUTH Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0773 Bugtraq: 14022
Signature Description: VERITAS Backup Exec is a data backup and recovery solution with support for
over-the-network backup. The Veritas Backup Exec server component uses the Network Data Management Protocol (NDMP) to
communicate with listening Backup Exec Agents (the client) on TCP port 10000. The NDMP protocol allows multiple
authentication types, including support for Windows user credentials (authorization type 3 on Backup Exec Servers).
CONNECT_CLIENT_AUTH requests (0x0901) are used by NDMP to transport authentication data. A remotely
exploitable stack-based buffer overflow vulnerability exists in Veritas Backup Exec Agent due to a boundary checking
error. If a type 3 CONNECT_CLIENT_AUTH authentication packet that contains an overly long password parameter is
sent to the agent, a buffer overflow occurs. Successful exploitation of the vulnerability may give attackers
administrative access, enabling them to execute arbitrary code. Administrators are advised to close port 10000 to
external users.
Signature ID: 10231
Veritas Backup Exec Server Remote Registry Access Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0771 Bugtraq: 14020 Nessus: 19397
Signature Description: VERITAS Backup Exec is a data backup and recovery solution with support for
over-the-network backup. Distributed Component Object Model (DCOM) is a Microsoft proprietary technology for software
components distributed across several networked computers to communicate with each other. Remote Procedure Call
(RPC) is a protocol designed to enable a program to request a service from another program located on a remote