ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 30050
MySQL Login Packet Information Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-1516 CVE-2006-1517 Bugtraq: 17780
Signature Description: MySQL is a freely distributed relational database server often used as a back-end for several
applications. MySQL versions 4.1 through 4.1.18 and 5.0 through 5.0.20 could allow a remote attacker to obtain
sensitive information when a malicious Login packet is processed. In a Login packet the user name is normally
terminated by a null character. If the packet is constructed without the null character, the user name is
copied until a null character is found. Similarly, the following entries, such as the database name, are assigned
(internal) memory beyond the packet length. Because the entries are wrong, an error message is sent in return. By
changing the packet length (database length), a malicious user could obtain sensitive information such as parts of
queries and/or responses executed by a previously logged-in user. This vulnerability is fixed in versions 4.0.27,
4.1.19, 5.0.21, and 5.1.10.
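The Login packet check described for signature 30050, shown as an added example that is not part of the original guide and is not the signature's actual logic: a Python validator that flags a 4.1-style login packet whose user name or database name is not null-terminated inside the packet. The field layout and capability flag values follow the MySQL client/server protocol; the function names and the sample packets are constructed for illustration.

```python
import struct

# Capability flags from the MySQL client/server protocol.
CLIENT_CONNECT_WITH_DB = 0x0008
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SECURE_CONNECTION = 0x8000
FIXED_LEN = 4 + 4 + 1 + 23  # capabilities, max packet size, charset, filler


def frame(payload: bytes, seq: int = 1, declared=None) -> bytes:
    """Prefix a payload with the 3-byte little-endian length and sequence id."""
    n = len(payload) if declared is None else declared
    return n.to_bytes(3, "little") + bytes([seq]) + payload


def check_login_packet(raw: bytes) -> list:
    """Return findings for one framed 4.1-style login packet (empty = clean)."""
    if len(raw) < 4 + FIXED_LEN:
        return ["packet shorter than header plus fixed fields"]
    declared, payload = int.from_bytes(raw[:3], "little"), raw[4:]
    findings = []
    if declared != len(payload):
        findings.append("declared length differs from bytes received")
    caps = struct.unpack_from("<I", payload, 0)[0]
    if not caps & CLIENT_PROTOCOL_41:
        return findings + ["not a 4.1 login packet, fields not checked"]
    end = payload.find(b"\x00", FIXED_LEN)   # user name starts after the filler
    if end == -1:
        return findings + ["user name not NUL-terminated inside packet"]
    pos = end + 1
    if caps & CLIENT_SECURE_CONNECTION:      # length-prefixed auth response
        pos += 1 + (payload[pos] if pos < len(payload) else 0)
    else:                                    # NUL-terminated auth response
        nul = payload.find(b"\x00", pos)
        pos = len(payload) + 1 if nul == -1 else nul + 1
    if pos > len(payload):
        return findings + ["auth response runs past end of packet"]
    if caps & CLIENT_CONNECT_WITH_DB and payload.find(b"\x00", pos) == -1:
        findings.append("database name not NUL-terminated inside packet")
    return findings


# Constructed sample packets (not captured traffic).
CAPS = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_CONNECT_WITH_DB
HEAD = struct.pack("<IIB", CAPS, 1 << 24, 8) + bytes(23)
GOOD = frame(HEAD + b"app\x00" + b"\x14" + bytes(20) + b"shop\x00")
NO_USER_NUL = frame(HEAD + b"app")
NO_DB_NUL = frame(HEAD + b"app\x00" + b"\x00" + b"shop")
```

The validator expects one complete, reassembled protocol packet per call; a length mismatch on a partial TCP segment is a reassembly problem, not a finding.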
Signature ID: 30051
MySQL Table Dump Command Request
Threat Level: Warning
Industry ID: CVE-2006-1517 Bugtraq: 17780
Signature Description: This rule triggers when an attempt is made to execute the Table Dump command on a remote
MySQL server. Various commands exist for communication between Master and Slave MySQL servers for database
replication. One of these commands is the COM_TABLE_DUMP command, which is used by the slave server to
retrieve the master table. A stack-based buffer overflow vulnerability exists in MySQL versions 5.0.20 and prior, 4.0.26
and prior, and 4.1.18 and prior, which may allow an attacker to overflow the stack buffer to execute injected code in the
security context of the server. Administrators are advised to monitor the Master/Slave communication if this rule
triggers. The vendor has issued fixed versions 4.0.27, 4.1.19, 5.0.21, and 5.1.10. This rule triggers for each table dump
request, but not every table dump request is malicious.
Signature ID: 30052
MySQL Server Date_Format Function Format String Vulnerability
Threat Level: Information
Industry ID: CVE-2006-3469 Bugtraq: 19032
Signature Description: MySQL is a freely distributed relational database server often used as a back-end for several
applications. MySQL versions prior to 4.1.18, 5.0.19 and 5.1.6 are vulnerable to a denial of service vulnerability when
the date_format function is used. The vulnerable function does not properly handle the first argument passed to it, which
is supposed to represent the date string. If proper values are not supplied to the format specifiers in the date_format
function, the application tries to read the values from the stack, which may cause an access violation and terminate the
service. Attackers may exploit this issue in conjunction with latent SQL-injection vulnerabilities in other applications.
The vendor has released fixed versions of MySQL to address this issue. Versions newer than or equal to 4.1.18, 5.0.19, or
5.1.6 include a fix for this issue.
Signature ID: 30053
HP OpenView Client Configuration Manager Authentication Bypass Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-5782
Signature Description: HP OpenView Client Configuration Manager, formerly Radia, is desktop management
software designed for Windows and Unix-based operating systems. The Radia Notify Daemon (radexecd) in Radia
software is a small server that listens for commands on TCP port 3465 and executes them on behalf of an administrator
or another Radia process. An authentication bypass vulnerability exists in the Radia Notify daemon service radexecd of the
CCM version 1.0. Authentication credentials are not verified before executing any commands that are present in the