ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
BIND versions 8.2.x are vulnerable to a buffer overflow while handling Transaction Signatures (TSIG). Transaction
Signatures (TSIG) provide transaction-level authentication for DNS exchanges by adding cryptographic
signatures to the messages sent to the DNS server. When a BIND server receives a request with a TSIG resource record
that contains an invalid secure key, it branches to error-processing code. That code does not check the length of the DNS
request against the number of bytes that can be written to the available memory when framing a response to the client. The
response is composed by appending an error code and a transaction signature to the existing request. The insufficient
checking results in the TSIG response being written beyond the boundaries of the allocated buffer and overwriting
adjacent memory on the stack (UDP request) or heap (TCP request). This rule triggers when a specific inverse query
has been performed against a DNS server. Such an attempt can be treated as a precursor to exploiting the Transaction Signature
(TSIG) buffer overflow vulnerability. It is strongly recommended to upgrade to BIND version 9.1.0.
Signature ID: 24011
DNS Bind exploit named 8.2->8.2.1 Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0833 CVE-1999-0851 Bugtraq: 788
Signature Description: BIND is the DNS server software shipped with a number of UNIX and Linux-based operating
systems. Attackers can exploit multiple vulnerabilities in BIND versions between 8.2 and 8.2.1 to obtain remote shell
access. This enables the attacker to execute arbitrary code from the command shell with the security privileges of the BIND
DNS daemon (named). If named is running as root, the attacker gains root privileges on the system. The solution is to
upgrade to the latest version of the BIND software.
Signature ID: 24012
DNS EXPLOIT named overflow ADM Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0833 CVE-1999-0851 Bugtraq: 788
Signature Description: This rule generates an event when a buffer overflow associated with incorrect validation of DNS
NXT records is attempted. The DNS server can be compromised, allowing the attacker to execute arbitrary commands
with the privileges of the user running BIND. Attackers can launch this exploit to gain remote access to the DNS
server. BIND versions 8.2 up to, but not including, 8.2.2 suffer from this overflow problem. Upgrade to
BIND 8.2.2 or greater, or patch vulnerable versions of BIND.
Signature ID: 24013
DNS EXPLOIT named overflow ADMROCKS Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0833 CVE-1999-0851 Bugtraq: 788
Signature Description: BIND is the DNS server software shipped with a number of UNIX and Linux-based operating
systems. BIND 4.9 releases prior to 4.9.7 and BIND 8 releases prior to 8.1.2 do not perform correct bounds checking
when responding to inverse queries. A maliciously formatted inverse query can cause the DNS server to crash and
allow remote access with the privileges of the user running BIND. This rule generates an event when a buffer overflow
associated with improperly formatted DNS inverse queries is attempted. Upgrade to a version of BIND that is not
vulnerable to this attack.
Signature ID: 24014
DNS EXPLOIT named overflow Vulnerability
Threat Level: Severe
Signature Description: BIND is the DNS server software shipped with a number of UNIX and Linux-based operating
systems. BIND versions up to 8.2, but not including 8.2.2, are vulnerable. Improper validation of DNS NXT
records may allow an attacker to perform a buffer overflow. This can allow execution of arbitrary code with the
privileges of the user running BIND. Upgrade to BIND 8.2.2 or greater, or patch vulnerable versions of
BIND.