ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
of the vendors that use vulnerable OpenSSL have released patches. This rule hits when the attack pattern is directed
towards an SMTP server.
Signature ID: 30089
OpenSSL SSL_Get_Shared_Ciphers Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-3738 CVE-2007-5135 Bugtraq: 20249
Signature Description: OpenSSL is an open source implementation of the SSL protocol. A remotely exploitable buffer
overflow vulnerability exists in OpenSSL versions 0.9.7-0.9.8. The vulnerability specifically exists in the
SSL_Get_Shared_Ciphers function, which extracts the cipher codes from the ClientHello message. A remote attacker
can exploit this vulnerability by sending a specially crafted ClientHello message that contains a long list of cipher
codes to the target server. Successful exploitation would allow for executing arbitrary code with the privileges of the
application using the OpenSSL library. Upgrade to the latest version of OpenSSL (0.9.7l or 0.9.8d or later). Most
of the vendors that use vulnerable OpenSSL have also released patches. This signature detects the attack pattern when
it arrives over TLSv1 or SSLv3.
Signature ID: 30090
OpenSSL SSL_Get_Shared_Ciphers Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-3738 CVE-2007-5135 Bugtraq: 20249
Signature Description: OpenSSL is an open source implementation of the SSL protocol. A remotely exploitable buffer
overflow vulnerability exists in OpenSSL versions 0.9.7-0.9.8. The vulnerability specifically exists in the
SSL_Get_Shared_Ciphers function, which extracts the cipher codes from the ClientHello message. A remote attacker
can exploit this vulnerability by sending a specially crafted ClientHello message that contains a long list of cipher
codes to the target server. Successful exploitation would allow for executing arbitrary code with the privileges of the
application using the OpenSSL library. Upgrade to the latest version of OpenSSL (0.9.7l or 0.9.8d or later). Most
of the vendors that use vulnerable OpenSSL have also released patches. This rule hits when the attack pattern is observed
towards destination port 443, with the byte sequence "16 03", "01", "03", "00" followed by a two-byte value that is
more than 256, as specified in the rule distance limitations.
Signature ID: 30091
Apache mod_ssl Plain HTTP Request Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0113 Bugtraq: 9826 Nessus: 14142,12525,12100
Signature Description: Apache HTTP Server versions 2.0.35 through 2.0.48 are vulnerable to a denial of service attack
caused by a memory leak in the mod_ssl authentication module. If a vulnerable server is enabled for SSL, a remote
attacker could send plain HTTP requests to the SSL port to cause the daemon to crash. Upgrade to the latest version of
Apache HTTP Server (2.0.49-dev or later), available from the Apache HTTP Server Web site. Vendors who
supply Apache have also released patches.
Signature ID: 30094
Microsoft Office XP HTML Link Processing Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-0848 Bugtraq: 12480
Signature Description: A remote buffer overflow vulnerability affects Microsoft Office XP. If an HTML link that
points to a .doc or .rtf file is clicked, Microsoft Internet Explorer can open these files in an IE window. This
vulnerability can be exploited by constructing a web page or HTML e-mail that contains a malicious link such as
http://www.xyz.com/abc.doc%00<long string>. When the user clicks on the link, IE requests "abc.doc" but passes
abc.doc along with the "long string" to Microsoft Word (the program associated with the ".doc" extension), which