ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 21073
Microsoft SSL v3 DoS or SSL PCT buffer overflow attempt
Threat Level: Critical
Industry ID: CVE-2004-0120 CVE-2003-0719 Bugtraq: 10115,10116 Nessus: 12209,12209
Signature Description: A vulnerability exists in the Microsoft Secure Sockets Layer (SSL) library. The library is
unable to handle specially crafted SSL messages, which causes a Denial of Service (DoS). In the SSL Hello
packet, the client sends the possible cipher suites, with their length (number of suites*3 bytes). Presently there are about 30
different suites, but when an attacker supplies more than 1000 suites, Windows is unable to handle them and the SSL
service becomes unavailable. This vulnerability could cause the affected system to stop accepting SSL connections in
Windows 2000 and in Windows XP. The vulnerability in Windows Server 2003 could cause the affected system to
automatically restart. Because of this, all programs that use SSL could be affected. Although SSL is generally associated
with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected
platform is likely to be vulnerable. Some of the Microsoft services that are vulnerable are Microsoft Internet
Information Services 4.0, Microsoft Internet Information Services 5.0, Microsoft Internet Information Services 5.1,
Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000, Microsoft Exchange Server 2003, and Microsoft
Analysis Services 2000 (included with SQL Server 2000). A buffer overrun vulnerability exists in the Private
Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer library.
Signature ID: 21074
Microsoft SSL v2 DoS or SSL PCT buffer overflow attempt
Threat Level: Critical
Industry ID: CVE-2004-0120 CVE-2003-0719 Bugtraq: 10115,10116 Nessus: 12209,12209
Signature Description: A vulnerability exists in the Microsoft Secure Sockets Layer (SSL) library. The library is
unable to handle specially crafted SSL messages, which causes a Denial of Service (DoS). In the SSL Hello
packet, the client sends the possible cipher suites, with their length (number of suites*3 bytes). Presently there are about 30
different suites, but when an attacker supplies more than 1000 suites, Windows is unable to handle them and the SSL
service becomes unavailable. This vulnerability could cause the affected system to stop accepting SSL connections in
Windows 2000 and in Windows XP. The vulnerability in Windows Server 2003 could cause the affected system to
automatically restart. Because of this, all programs that use SSL could be affected. Although SSL is generally associated
with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected
platform is likely to be vulnerable. This includes, but is not limited to, Microsoft Internet Information Services 4.0,
Microsoft Internet Information Services 5.0, Microsoft Internet Information Services 5.1, Microsoft Exchange Server
5.5, Microsoft Exchange Server 2000, Microsoft Exchange Server 2003, and Microsoft Analysis Services 2000 (included
with SQL Server 2000). A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol,
which is part of the Microsoft Secure Sockets Layer (SSL) library. (MS04-011)
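The cipher-suite length check that the two descriptions above imply, as an added example (not part of the reference guide and not the module's own signature logic). It assumes an SSLv2-format CLIENT-HELLO, where each suite entry is 3 bytes, and takes the 1000-suite threshold from the text; the function names and sample bytes are constructed.

```python
import struct

MAX_SUITES = 1000   # assumption: threshold taken from "more than 1000 suites" in the text
SUITE_SIZE = 3      # bytes per cipher suite entry in an SSLv2-format hello

def inspect_client_hello(data: bytes) -> str:
    """Classify one record: 'not-v2-hello', 'oversized', 'malformed' or 'ok'."""
    # SSLv2 2-byte record header: MSB set, low 15 bits = length of what follows.
    if len(data) < 11 or not data[0] & 0x80:
        return "not-v2-hello"
    rec_len = struct.unpack_from(">H", data, 0)[0] & 0x7FFF
    msg_type, _version, suite_len, sid_len, chal_len = struct.unpack_from(">BHHHH", data, 2)
    if msg_type != 1:                       # 1 = CLIENT-HELLO
        return "not-v2-hello"
    if suite_len // SUITE_SIZE > MAX_SUITES:
        return "oversized"                  # the condition the description names
    # Declared lengths must be a whole number of suites and add up to the record
    # length (9 = message type + version + three 2-byte length fields).
    if (suite_len % SUITE_SIZE
            or 9 + suite_len + sid_len + chal_len != rec_len
            or len(data) - 2 < rec_len):
        return "malformed"
    return "ok"

def build_sample_hello(n_suites: int) -> bytes:
    """Constructed test input (hypothetical helper): hello with n identical suite entries."""
    suites = b"\x01\x00\x80" * n_suites
    challenge = bytes(16)
    body = struct.pack(">BHHHH", 1, 0x0002, len(suites), 0, len(challenge)) + suites + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

if __name__ == "__main__":
    for n in (3, 30, 1000, 1001):
        print(n, inspect_client_hello(build_sample_hello(n)))
```

A hello whose length fields disagree with the record length is reported separately from an oversized one, since inconsistent lengths are worth alerting on regardless of the suite count.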
Signature ID: 21075
Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-2120 Bugtraq: 15065 Nessus: 20000
Signature Description: Plug and Play (PnP) is a computer feature that allows the addition of a new device, normally a
peripheral, without requiring reconfiguration or manual installation of device drivers. In Microsoft Windows, this
functionality is implemented through UMPNPMGR.DLL. Microsoft Windows Plug and Play is prone to a buffer
overflow vulnerability because the service fails to properly bounds check user-supplied data before
copying it to an insufficiently sized memory buffer. A remote attacker can exploit this vulnerability by binding to
the UMPNPMGR interface using DCERPC and requesting one of the functions PNP_GetDeviceList (opnum 10) or
PNP_GetDeviceListSize (opnum 11) with parameters containing arbitrary lengths of consecutive backslashes; for
example, "HTREE\ROOT\\\\0\\\\\\\\". While processing these the user input is validated only for whether or not it