TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature Description: Ypbind finds the server for NIS domains and maintains the NIS binding information. The client
(normally the NIS routines in the standard C library) can obtain the information over RPC from Ypbind or read the
binding files. The binding files reside in the directory /var/yp/binding. Ypbind may be exposed to security threats in
the future. This signature generates an event when an attacker tries to identify whether the Ypbind service is running.
Administrators are advised to disable the Ypbind service if it is not needed. This signature specifically detects when an
attacker sends a request to the portmap service over TCP.
Signature ID: 16131
Yppasswd service vulnerability
Threat Level: Information
Nessus: 10242,11021
Signature Description: The Yppasswdd server is used to handle password change requests from Yppasswd and modify
the NIS password file. Yppasswdd may be exposed to security threats in the future. This signature generates an event
when an attacker tries to identify whether the Yppasswdd service is running. Administrators are advised to disable the
Yppasswdd service if it is not needed. This signature specifically detects when an attacker sends a request to the
portmap service over TCP.
Signature ID: 16132
Ypupdated service vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0208 Bugtraq: 1749 Nessus: 10243
Signature Description: Ypupdated is a daemon that updates information in the Network Information Service (NIS)
databases. It is activated at system startup when the NIS_MASTER_SERVER variable is set to 1 in the
/etc/rc.config.d/namesvrs file on the NIS master server. Ypupdated consults the file updaters in the directory /var/yp to
determine which NIS maps should be updated and how to change them. Ypupdated may be exposed to security threats
in the future. This signature generates an event when an attacker tries to identify whether the Ypupdated service is
running. Administrators are advised to disable the Ypupdated service if it is not needed. This signature specifically
detects when an attacker sends a request to the portmap service over RPC-TCP.
Signature ID: 16133
SnmpXdmid buffer overflow TCP
Threat Level: Severe
Industry ID: CVE-2001-0236 Bugtraq: 2417 Nessus: 10659
Signature Description: The snmpXdmid daemon is used to map SNMP management requests to DMI requests and vice
versa, and is installed with root privileges. The snmpXdmid RPC service on Solaris versions 2.6, 7, and 8 is vulnerable
to a stack-based buffer overflow. This vulnerability is due to insufficient bounds checking of user-supplied data. A
successful exploitation of this issue allows an attacker to execute arbitrary commands on the vulnerable system.
Administrators are advised to apply the patches available from the vendor's web site. This signature detects when an
attacker sends a malicious pattern over RPC-TCP.
Signature ID: 16135
Rpc.admind security level Vulnerability
Threat Level: Information
Signature Description: An attacker may probe to identify whether the Solaris rpc.admind service exists. This service is
a network service designed to provide remote administration capabilities to network administrators. This daemon runs
by default in insecure mode, meaning it requires virtually no authentication from remote users. This allows remote users
to append or change critical system information, including user accounts. This signature detects when an attacker sends
a specially crafted pattern over TCP RPC.
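The Ypbind, Yppasswdd, Ypupdated and rpc.admind signatures above all fire on a portmap request sent over TCP. The following is an added example (not code from this guide or from the TMS zl module) showing how such a probe is recognised on the wire: it decodes a TCP-framed ONC RPC CALL to portmap GETPORT and maps the requested program number to the service name. The program numbers are assumed from the conventional /etc/rpc assignments and should be checked against the monitored hosts; the sample request is constructed inline, not captured traffic.

```python
import struct

# Assumed ONC RPC program numbers for the services named in the signatures above.
NIS_RPC_PROGRAMS = {100007: "ypbind", 100009: "yppasswdd",
                    100028: "ypupdated", 100087: "admind"}
PORTMAP_PROG, PORTMAP_VERS, PORTMAP_GETPORT = 100000, 2, 3
RPC_CALL, RPC_VERSION = 0, 2

def parse_portmap_getport_tcp(record: bytes):
    """Decode one TCP record (4-byte record mark + RPC message) and return the
    program number asked for in a portmap GETPORT call, or None otherwise."""
    if len(record) < 4:
        return None
    (mark,) = struct.unpack("!I", record[:4])
    body = record[4:4 + (mark & 0x7FFFFFFF)]  # top bit of the mark = last fragment
    if len(body) < 24:
        return None
    _xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!6I", body[:24])
    if (mtype, rpcvers, prog, vers, proc) != (RPC_CALL, RPC_VERSION, PORTMAP_PROG,
                                              PORTMAP_VERS, PORTMAP_GETPORT):
        return None
    off = 24
    for _ in range(2):  # credential, then verifier: flavor, length, opaque body padded to 4
        if len(body) < off + 8:
            return None
        _flavor, blen = struct.unpack("!II", body[off:off + 8])
        off += 8 + ((blen + 3) & ~3)
    if len(body) < off + 16:
        return None
    target_prog, _vers, _proto, _port = struct.unpack("!4I", body[off:off + 16])
    return target_prog

def classify(record: bytes):
    """Name of the probed NIS/admin service, or None if the record is not such a probe."""
    prog = parse_portmap_getport_tcp(record)
    return NIS_RPC_PROGRAMS.get(prog) if prog is not None else None

def build_getport(target_prog: int, xid: int = 0x1234, proto: int = 6) -> bytes:
    """Constructed sample: a GETPORT call with AUTH_NULL credential and verifier."""
    body = struct.pack("!6I", xid, RPC_CALL, RPC_VERSION, PORTMAP_PROG,
                       PORTMAP_VERS, PORTMAP_GETPORT)
    body += struct.pack("!II", 0, 0) + struct.pack("!II", 0, 0)
    body += struct.pack("!4I", target_prog, 2, proto, 0)
    return struct.pack("!I", 0x80000000 | len(body)) + body

if __name__ == "__main__":
    for p in (100007, 100009, 100028, 100087, 100003):
        print(p, classify(build_getport(p)))
```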