ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94

Signature ID: 32734
LanDesk AOLSRVR.EXE Overflow
Threat Level: Severe
Industry ID: CVE-2007-1674
Bugtraq: 23483
Signature Description: The specific flaw exists in the Alert Service, which listens on UDP port 65535. The Aolnsrvr.exe
process accepts user-supplied data from the datagram and performs an inline memory copy into a 268-byte stack-based
buffer without checking the length. Supplying more than 268 bytes overflows the buffer and overwrites the SEH record,
which allows an attacker to execute arbitrary code on vulnerable installations of LANDesk Management Suite. No user
interaction is required to exploit this vulnerability: the service processes any datagram that reaches the port.
Signature ID: 32737
HTTP IBM Tivoli Provisioning Manager Stack Overflow vulnerability
Threat Level: Severe
Industry ID: CVE-2007-1868 Bugtraq: 23264
Signature Description: The flaw described here lies in the TFTP protocol implementation of the rembo.exe service. When
a read request (RRQ) is processed, an invalid "blksize" option value triggers an integer division by zero. The exception
is not handled, so the rembo.exe service terminates, resulting in a denial of service. No authentication is required to
reach the vulnerable code. Note that the signature name and CVE refer to a stack overflow in the same service, whereas
this description covers the TFTP division-by-zero crash. The attacker need only be able to send a specially crafted
request to the HTTP (8080) or HTTP-SSL (443) port of the management service.
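The following is an added example, not code from the guide or from IBM, showing the RRQ option handling the description refers to: it parses a TFTP read request with options (RFC 1350 framing plus RFC 2347 name/value pairs), shows how a server that trusts the client's blksize divides by zero, and applies the validation and detection check a practitioner would use instead. The sample datagrams are constructed here, and the RFC 2348 blksize range of 8 to 65464 is an assumption taken from the RFC rather than from the signature text.

```python
import struct

RRQ_OPCODE = 1
DEFAULT_BLKSIZE = 512
BLKSIZE_MIN, BLKSIZE_MAX = 8, 65464      # RFC 2348 limits (assumed, not from the guide)


def build_rrq(filename, mode="octet", **options):
    """Build a TFTP RRQ: opcode, filename NUL, mode NUL, then name/value option pairs."""
    pkt = struct.pack("!H", RRQ_OPCODE) + filename.encode() + b"\x00" + mode.encode() + b"\x00"
    for name, value in options.items():
        pkt += name.encode() + b"\x00" + str(value).encode() + b"\x00"
    return pkt


def parse_tftp_rrq(datagram):
    """Parse an RRQ into (filename, mode, options); raise ValueError if malformed."""
    if len(datagram) < 2:
        raise ValueError("too short for an opcode")
    opcode = struct.unpack("!H", datagram[:2])[0]
    if opcode != RRQ_OPCODE:
        raise ValueError(f"not an RRQ (opcode {opcode})")
    fields = datagram[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("filename and mode must both be NUL-terminated")
    fields = fields[:-1]                      # drop the empty piece after the final NUL
    opt_fields = fields[2:]
    if len(opt_fields) % 2:
        raise ValueError("option name without a value")
    options = {}
    for i in range(0, len(opt_fields), 2):
        name = opt_fields[i].decode("ascii", "replace").lower()
        options[name] = opt_fields[i + 1].decode("ascii", "replace")
    filename = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    return filename, mode, options


def negotiate_blksize(options):
    """Validate a client-proposed blksize. Returns the size to use, or None if
    the option must be refused (non-numeric, zero, or outside the RFC range)."""
    raw = options.get("blksize")
    if raw is None:
        return DEFAULT_BLKSIZE
    if not raw.isdigit():
        return None
    value = int(raw)
    if value < BLKSIZE_MIN or value > BLKSIZE_MAX:
        return None
    return value


def block_count_unsafe(file_size, options):
    """The failure mode: trusting the client's value directly. A blksize of 0
    raises ZeroDivisionError, the analogue of the unhandled division by zero
    that terminates the service in the signature description."""
    return file_size // int(options.get("blksize", DEFAULT_BLKSIZE))


def block_count_safe(file_size, options):
    """Number of DATA blocks needed once blksize has been validated."""
    blksize = negotiate_blksize(options)
    if blksize is None:
        raise ValueError("blksize option refused")
    return -(-file_size // blksize)           # ceiling division


def rrq_is_suspicious(datagram):
    """Detection check in the spirit of this signature: True for a well-formed
    RRQ that proposes a blksize no compliant server could accept."""
    try:
        _, _, options = parse_tftp_rrq(datagram)
    except ValueError:
        return False                          # not an RRQ; out of scope for this check
    return "blksize" in options and negotiate_blksize(options) is None


# Constructed sample requests for this example (not captures from the guide).
SAMPLE_RRQS = {
    "normal": build_rrq("boot.img", blksize=1428),
    "no_option": build_rrq("boot.img"),
    "zero_blksize": build_rrq("boot.img", blksize=0),
    "garbage_blksize": build_rrq("boot.img", blksize="abc"),
    "oversized_blksize": build_rrq("boot.img", blksize=70000),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_RRQS.items():
        print(f"{name}: suspicious={rrq_is_suspicious(pkt)}")
```

The detection check deliberately ignores datagrams that are not well-formed RRQs, so that it only fires on the condition this signature names; a malformed-request check would be a separate rule with its own false-positive profile.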
Signature ID: 32743
UDP Empty Message packet
Threat Level: Severe
Industry ID: CVE-2007-4753 CVE-1999-0063 CVE-2004-0352 CVE-2007-0648 Bugtraq: 25464, 675, 9806, 22330
Signature Description: User Datagram Protocol (UDP) is one of the core protocols of the Internet protocol suite. UDP
is a message-oriented transport layer protocol that keeps its header to a bare minimum (source port, destination port,
length and checksum) and is used as the transport for many applications, including Syslog and SIP. Port scanners and
denial of service attacks against certain servers send UDP datagrams that carry no application data at all. This
signature detects UDP packets whose payload is empty and drops them. Two examples of affected products: the Thomson
ST 2030 is a SIP/MGCP-compliant VoIP phone that can be used with any SIP-compliant PBX, softswitch or IP Centrex
solution on the market; a denial of service can be accomplished by sending an empty packet to its default SIP listening
port, UDP 5060. Cisco IOS is the operating system used on the vast majority of Cisco Systems routers and on all current
Cisco network switches; certain versions of Cisco IOS software may crash or hang when they receive invalid UDP packets
sent to their syslog port (UDP 514), and repeated attacks could result in an extended denial of service condition.
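The check below is an added example, not code from the guide and not the module's own matching logic, that parses raw IPv4/UDP datagrams and applies both this signature and signature 32734 above: it flags a datagram whose UDP payload is empty, and a datagram to UDP port 65535 whose payload exceeds the 268-byte buffer named in the LANDesk description. The packets are constructed inline; the 268-byte threshold and the destination-port scoping are assumptions taken from the signature text rather than from the module's actual rules.

```python
import struct

ALERT_SERVICE_PORT = 65535      # LANDesk Alert Service (Aolnsrvr.exe), per signature 32734
ALERT_BUFFER_SIZE = 268         # stack buffer size quoted in signature 32734 (assumed threshold)
SYSLOG_PORT = 514
SIP_PORT = 5060
IPPROTO_UDP = 17


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal IPv4 + UDP packet for testing. Both checksums are left
    zero; the parser below does not verify them, so this is sufficient here."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return ip + udp


def parse_ipv4_udp(pkt):
    """Return (dst_ip, dport, payload) for an IPv4 packet carrying UDP, or
    None if the packet is not IPv4/UDP or its length fields are inconsistent."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_UDP or len(pkt) < ihl + 8:
        return None
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    sport, dport, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > len(pkt):
        return None                 # truncated datagram or lying length field
    payload = pkt[ihl + 8:ihl + udp_len]
    return dst_ip, dport, payload


def inspect(pkt):
    """Apply the two checks to one packet and return the list of alert names."""
    parsed = parse_ipv4_udp(pkt)
    if parsed is None:
        return []
    _, dport, payload = parsed
    alerts = []
    if len(payload) == 0:
        alerts.append("UDP empty message packet")          # signature 32743
    if dport == ALERT_SERVICE_PORT and len(payload) > ALERT_BUFFER_SIZE:
        alerts.append("LANDesk Alert Service overflow attempt")   # signature 32734
    return alerts


# Constructed sample packets for this example (not captures from the guide).
SAMPLE_PACKETS = {
    "empty_to_syslog": build_ipv4_udp("10.0.0.5", "10.0.0.1", 40000, SYSLOG_PORT, b""),
    "empty_to_sip": build_ipv4_udp("10.0.0.5", "10.0.0.20", 40001, SIP_PORT, b""),
    "normal_syslog": build_ipv4_udp("10.0.0.5", "10.0.0.1", 40002, SYSLOG_PORT,
                                    b"<34>Oct 11 22:14:15 host su: 'su root' failed"),
    "alert_fits": build_ipv4_udp("10.0.0.5", "10.0.0.9", 40003, ALERT_SERVICE_PORT, b"A" * 268),
    "alert_overflow": build_ipv4_udp("10.0.0.5", "10.0.0.9", 40004, ALERT_SERVICE_PORT, b"A" * 300),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name}: {inspect(pkt) or 'no alert'}")
```

Before setting the action for the empty-payload check to drop, confirm that no application on the monitored segment relies on zero-length datagrams; the signature text names syslog and SIP as the affected services, so scoping the rule to those ports is the safer starting point.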
Signature ID: 32744
HTTP Apache Web Server Mod_Cache DoS (max-age)
Threat Level: Warning
Industry ID: CVE-2007-1863 Bugtraq: 24649
Signature Description: The Cache-Control request header signals how long a representation may be cached. mod_cache
has a defect that can crash the httpd process when caching is enabled and a maliciously formed Cache-Control request
header is received: mod_cache does not sanity-check certain parts of the request and can crash the active child process
while handling such an invalid request. If a threaded Multi-Processing Module is used, the crash of one child affects
every connection its threads are serving, resulting in a denial of service condition. The trigger is a segmentation
fault that occurs when the Cache-Control header contains a "max-age" directive with no value assigned (for example
"Cache-Control: max-age" rather than "Cache-Control: max-age=60").
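The following is an added example, not code from the guide or from the Apache project, showing the header-parsing failure the description names: a fragile freshness calculation that assumes "max-age" always carries a number and raises on a bare "max-age", a hardened parser that records the malformed directive instead of trusting it, and a signature-style check run over constructed raw HTTP requests. Treating "max-age=" with an empty argument as the same condition is an assumption; the signature text only says "no value assigned".

```python
NUMERIC_DIRECTIVES = {"max-age", "s-maxage", "max-stale", "min-fresh"}


def get_header(request, name):
    """Return the combined value of a header from a raw HTTP request, or None."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:         # skip the request line
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            values.append(value.strip())
    return ", ".join(values) if values else None


def freshness_lifetime_naive(value):
    """The fragile pattern: assume max-age always carries a number. A bare
    'max-age' reaches int('') and raises, the analogue of the unhandled
    condition that crashes the httpd child in the vulnerable mod_cache."""
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            return int(arg)
    return None


def parse_cache_control(value):
    """Parse a Cache-Control field value into (directives, invalid).

    directives maps lower-case names to an int (numeric directives), a string
    (other valued directives such as no-cache="Set-Cookie") or None (flag
    directives). invalid lists numeric directives whose argument is missing
    or not a non-negative integer; they are recorded rather than trusted."""
    directives, invalid = {}, []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, has_eq, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"') if has_eq else None
        if name in NUMERIC_DIRECTIVES:
            if arg is not None and arg.isdigit():
                directives[name] = int(arg)
            elif arg is None and name == "max-stale":
                directives[name] = None     # max-stale may legitimately omit its value
            else:
                invalid.append(name)
        else:
            directives[name] = arg
    return directives, invalid


def freshness_lifetime_safe(value, default=None):
    """Hardened counterpart: a missing or malformed max-age falls back to the
    default instead of raising."""
    directives, invalid = parse_cache_control(value)
    if "max-age" in invalid:
        return default
    return directives.get("max-age", default)


def request_is_suspicious(request):
    """Signature-style check over a raw request: True when Cache-Control
    carries a max-age directive with no valid value."""
    cc = get_header(request, "Cache-Control")
    if cc is None:
        return False
    _, invalid = parse_cache_control(cc)
    return "max-age" in invalid


# Constructed sample requests for this example (not captures from the guide).
SAMPLE_REQUESTS = {
    "benign": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Cache-Control: max-age=60, no-transform\r\n\r\n"),
    "bare_max_age": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                     b"Cache-Control: max-age\r\n\r\n"),
    "empty_max_age": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                      b"Cache-Control: max-age=\r\n\r\n"),
    "no_header": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name}: suspicious={request_is_suspicious(req)}")
```

The hardened parser keeps max-stale without an argument as valid because that form is legal, which is the kind of distinction a detection rule needs to avoid alerting on ordinary browser traffic while still catching the bare "max-age" case.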