TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 16038
Ypupdated service vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0208 Bugtraq: 1749 Nessus: 10243
Signature Description: Ypupdated is a daemon that updates information in the Network Information Service (NIS)
databases. It is activated at system startup when the NIS_MASTER_SERVER variable is set to 1 in the
/etc/rc.config.d/namesvrs file on the NIS master server. ypupdated consults the file updaters in the directory /var/yp to
determine which NIS maps should be updated and how to change them. Ypupdated may be exposed to security threats in
the future. This signature generates an event when an attacker tries to identify whether the Ypupdated service is running.
Administrators are advised to disable the Ypupdated service if it is not needed. This signature specifically detects when
an attacker sends a request to the portmap service using the RPC-UDP service.
Signature ID: 16042
SnmpXdmid buffer overflow UDP
Threat Level: Severe
Industry ID: CVE-2001-0236 Bugtraq: 2417 Nessus: 10659
Signature Description: The snmpXdmid daemon is used to map SNMP management requests to DMI requests and vice
versa, and is installed with root privileges. The snmpXdmid RPC service on Solaris versions 2.6, 7, and 8 is vulnerable
to a stack-based buffer overflow. This vulnerability is due to insufficient bounds checking of user-supplied data. A
successful exploitation of this issue allows an attacker to execute arbitrary commands on the vulnerable system.
Administrators are advised to apply the patches available from the vendor's web site. This signature detects when an
attacker sends a malicious pattern using the RPC-UDP service.
Signature ID: 16044
Rpc.admind security level Vulnerability
Threat Level: Information
Signature Description: An attacker may probe to identify whether the Solaris rpc.admind service exists. This service is
a network service designed to provide remote administration capabilities to network administrators. This daemon runs
by default in insecure mode, meaning it requires virtually no authentication for remote users. This allows remote users
to append or change critical system information, including user accounts. This signature detects when an attacker sends
a specially crafted pattern over UDP RPC.
Signature ID: 16045
Rpc.pcnfsd execution vulnerability
Threat Level: Information
Signature Description: The Rpc.pcnfsd daemon handles requests from PC-NFS clients for authentication services on
remote machines. These services include authentication for mounting and for print spooling. When a PC-NFS client
makes a request, the inetd daemon starts the Rpc.pcnfsd daemon. The Rpc.pcnfsd daemon reads the /etc/pcnfsd.conf
configuration file, if present, then services RPC requests directed to program number 150001. After the Rpc.pcnfsd
daemon is started, all print requests go to the default print spooling directory. Rpc.pcnfsd may be exposed to security
threats in the future. This signature generates an event when an attacker tries to identify whether the Rpc.pcnfsd service is
running. Administrators are advised to disable the Rpc.pcnfsd service if it is not needed. This signature specifically
detects when an attacker sends a request using RPC-UDP.
Signature ID: 16046
"rpc.ugidd" service Vulnerability
Threat Level: Information
Signature Description: Rpc.ugidd is an RPC-based server. This package contains the UID mapping daemon which is