TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
457
buffer overflow vulnerability exists in Novell eDirectory version 8.8 iMonitor version 2.4. A remote attacker can
exploit this vulnerability via a specially-crafted HTTP request. Successful exploitation of this vulnerability may cause
execution of arbitrary code or cause the system to crash. Administrators are advised to close the external port 8028 for
external users.
Signature ID: 12124
EIQnetworks Enterprise Security Analyzer License Manager Remote Buffer Overflow
Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-3838 Bugtraq: 19163
Signature Description: EIQnetworks Enterprise Security Analyzer (ESA) is a Security Information Management (SIM)
solution that enables organizations to proactively detect security breaches, identify corporate violations and eliminate
false positives before incidents occur. eIQnetworks Enterprise Security Analyzer (ESA) version prior to 2.5.0 is
vulnerable to a stack-based buffer overflow in the EnterpriseSecurityAnalyzer.exe service when adding a new license.
ESA protocol is a very simple plaintext protocol where requests take the form
[REQUEST_COMMAND]&[ARG1]&[ARG2]&[ARG3]&....&[ARGn]. The License Manager component in
EnterpriseSecurityAnalyzer.exe listens on TCP port 10616 and is used to protect against unauthorized use of a software
product. By sending an overly long LICMGR_ADDLICENSE command to TCP port 10616, a remote attacker could
overflow a buffer and execute arbitrary code on the system. Authentication is not required to exploit this vulnerability.
Administrators are advised to close the port 10616 for external users. Upgrade to the latest version of the software
(2.5.0 or later).
Signature ID: 12125
Session Initiation Protocol INVITE method overflow Vulnerability
Threat Level: Severe
Signature Description: Session Intiation Protocol (SIP) is an ASCII-based application layer protocol used to establish,
maintain, and terminate calls between two or more endpoints. SIP uses requests and responses to establish
communication among various components of the network. The SIP request contains a method name, a Request-URI,
and the protocol version. This rule looks for a request that contains INVITE method or OPTIONS method that is too
long. A malformed INVITE or OPTIONS message to the SIP proxy/registrar can crash the process. The crash is caused
by an assertion failure that occurs when the domain name in the request line URI is too long (> 256 bytes).
Signature ID: 12126
Session Initiation Protocol Request with Large Max-Forwards Value
Threat Level: Warning
Signature Description: Session Intiation Protocol (SIP) is an ASCII-based application layer protocol used to establish,
maintain, and terminate calls between two or more endpoints. SIP uses requests and responses to establish
communication among various components of the network. A specially-crafted SIP request with a large max-forwards
value could potentially consume SIP proxy resources resulting in a DoS. Refer RFC 3261 for further details. This
signature generate log for SIPUDP session.
Signature ID: 12127
Session Initiation Protocol Request with Invalid SIP Version
Threat Level: Warning
Signature Description: Session Intiation Protocol (SIP) is an ASCII-based application layer protocol used to establish,
maintain, and terminate calls between two or more endpoints. SIP uses requests and responses to establish
communication among various components of the network. A specially-crafted SIP request with invalid SIP version
could potentially consume SIP proxy resources resulting in a DoS. Exploit is demonstrated in protos sip.