TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

501

502

503

504

505

506

507

508

509

510

ProCurve TMS zl Module IPS/IDS Signature

Reference Guide Version RLX.10.2.2.94

510

systems. This vulnerability is due to insufficient validation of user supplied data via on TCP RPC. A successful

exploitation of this vulnerability allow an attacker to execute remote code on the vulnerable system.

Signature ID: 16104

Automountd service portmap request vulnerability

Threat Level: Warning

Industry ID: CVE-1999-0704

CVE-1999-0210 Bugtraq: 614,235 Nessus: 10212

Signature Description: Automounter daemon(amd) is a daemon that automatically mounts filesystems whenever a file

or directory within that filesystem is accessed. Filesystems are automatically unmounted when they appear to have

become quiescent. Automounter daemon is vulnerable to a buffer overflow under solaris operating system. This

vulnerability is due to insufficient validation of user supplied data via on TCP RPC. A successful exploitation of this

vulnerability allow an attacker to execute remote code on the vulnerable system.

Signature ID: 16105

Rpc_cmsd Vulnerability

Threat Level: Information

Industry ID: CVE-1999-0320 CVE-2002-0391 CVE-1999-0696 Bugtraq: 428 Nessus: 10213

Signature Description: The 'xdr_array()' procedure is used by client/server applications implementing Sun RPC to filter

between local C representations of variable length arrays and their machine-independent external data representations

(XDR). 'xdr_array()' procedure is vulnerability to a buffer overflow. This signature detects when an attacker send a

large number of arguments to xdr_array through RPC service such as rpc.cmsd via on TCP RPC. A successful

exploitation of this vulnerability allow an attacker to execute commands on the vulnerable system.

Signature ID: 16107

Etherstatd service Vulnerability

Threat Level: Information

Industry ID: CVE-1999-0530 Nessus: 10215

Signature Description: The rpc.etherstatd service puts a specified Ethernet interface into promiscuous mode and

provides traffic statistics to remote programs. This program registers itself with the RPC protmapper as program

100010. A remote attacker can use this exploit to perform packet sniffing. The Administrators are advised to disabled

the 'etherstatd' service, if it is not necessary. This signature detects when an attacker send specially-crafted pattern on

TCPRPC.

Signature ID: 16108

Fam service access

Threat Level: Warning

Industry ID: CVE-1999-0059 Bugtraq: 353 Nessus: 10216

Signature Description: The fam service, RPC program 391002, is used by other programs to keep track of file

modifications. When a program initially connects to the fam server, it passes the fam server the name of a file or

directory to watch. If the fam server receives a directory name, it returns the client a complete list of files and sub

directories in that directory. fam service is listen on both tcp and udp ports. This signature generates an event when an

attacker try to identify whether fam service is running. Administrators are advised to disable the fam service if it is not

needed. This signature specifically detects when an attacker send request by using tcp service.

Signature ID: 16109

Keyserv service access

Threat Level: Information

Nessus: 10217

Signature Description: Registers with the RPC portmapper as program 100029. This service is necessary to exploit