ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 34826
Cisco Phone 7940 remote DOS
Threat Level: Severe
Industry ID: CVE-2007-5583
Bugtraq: 26711
Signature Description: SIP is a protocol used by VoIP devices (IP phones). It is ASCII-based, and the INVITE message
is used to initiate and maintain a communication session. An attacker sends SIP INVITE transactions to the victim
that cause the device to crash: the Request-URI of the message should contain a user name, but the attacker sends it
without one. Only 6 transactions are required to drive the device into a DoS state. No remedy available as
of December 2007.
Signature ID: 34831
Three messages SIP Remote DOS on Cisco 7940 SIP Phone
Threat Level: Warning
Industry ID: CVE-2007-4459
Bugtraq: 25378
Signature Description: SIP is an application-layer protocol that can establish, modify and terminate multimedia
sessions such as Internet telephone calls. SIP sends an INVITE message to initiate a session. Cisco 7940/7960 phones
running firmware 8.6.0 are vulnerable; this product does not maintain any state. Due to a flaw in the SIP stack, the
device reboots after receiving a series of three to ten SIP INVITE messages. The INVITE sent has the particularity that
the remote tag is already filled. The following two OPTIONS messages must have the same Call-ID as the INVITE and
an incremented CSeq number; the device then goes into a DoS state. The vendor has issued a fixed version (firmware 8.7(0)).
Patches are available at the Cisco website. This signature detects attacks on SIP using UDP. Exploit attempts of this
vulnerability are detected using a combination of four signatures. This is the fourth signature and generates a log
message.
Signature ID: 34835
Three messages SIP Remote DOS on Cisco 7940 SIP Phone
Threat Level: Warning
Industry ID: CVE-2007-4459
Bugtraq: 25378
Signature Description: SIP is an application-layer protocol that can establish, modify and terminate multimedia
sessions such as Internet telephone calls. SIP sends an INVITE message to initiate a session. Cisco 7940/7960 phones
running firmware 8.6.0 are vulnerable; this product does not maintain any state. Due to a flaw in the SIP stack, the
device reboots after receiving a series of three to ten SIP INVITE messages. The INVITE sent has the particularity that
the remote tag is already filled. The following two OPTIONS messages must have the same Call-ID as the INVITE and
an incremented CSeq number; the device then goes into a DoS state. The vendor has issued a fixed version (firmware 8.7(0)).
Patches are available at the Cisco website. This signature detects attacks on SIP using TCP. Exploit attempts of this
vulnerability are detected using a combination of four signatures. This is the fourth signature and generates a log
message.
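The correlation described in the two entries above (an INVITE whose remote tag is already filled, then two OPTIONS with the same Call-ID and an incremented CSeq), written as an added detection example; it is not the TMS zl module's own signature logic. It assumes the "remote tag" is the To-header tag; the class, function names and sample messages are constructed for illustration, and the check is transport-agnostic, so it applies to both the UDP and TCP entries.

```python
import re

# SIP header names are case-insensitive; "i" and "t" are the compact forms.
CALL_ID = re.compile(r"^(?:Call-ID|i)\s*:\s*(\S+)", re.I | re.M)
CSEQ = re.compile(r"^CSeq\s*:\s*(\d+)\s+(\w+)", re.I | re.M)
TO_TAG = re.compile(r"^(?:To|t)\s*:.*;\s*tag=", re.I | re.M)


class SequenceDetector:
    """Correlates, per Call-ID, an INVITE carrying a To tag with two later OPTIONS."""

    def __init__(self):
        self.state = {}  # Call-ID -> (OPTIONS matched so far, last CSeq number)

    def feed(self, message):
        """Process one SIP request; return True when the whole pattern has been seen."""
        method = message.split(" ", 1)[0].upper()
        call_id, cseq = CALL_ID.search(message), CSEQ.search(message)
        if not call_id or not cseq:
            return False
        key, number = call_id.group(1), int(cseq.group(1))
        if method == "INVITE":
            # In-dialog re-INVITEs also carry a To tag, so this is only a first stage.
            if TO_TAG.search(message):
                self.state[key] = (0, number)
            return False
        if method != "OPTIONS" or key not in self.state:
            return False
        seen, last = self.state[key]
        if number <= last:
            return False  # CSeq not incremented: not the described sequence
        if seen + 1 == 2:
            del self.state[key]  # final stage: report once and reset
            return True
        self.state[key] = (seen + 1, number)
        return False


def sample(method, cseq, call_id="c1@192.0.2.5", to_tag=""):
    """Constructed test message (documentation addresses, not captured traffic)."""
    return (f"{method} sip:user@192.0.2.10 SIP/2.0\r\n"
            f"To: <sip:user@192.0.2.10>{to_tag}\r\n"
            f"Call-ID: {call_id}\r\nCSeq: {cseq} {method}\r\n\r\n")
```

Only the final stage returns True, mirroring the entries' statement that the last signature in the combination is the one that generates the log message.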
Signature ID: 34840
SQL injection via SIP (part 2) and toll fraud bonus
Threat Level: Severe
Industry ID: CVE-2007-5488
Bugtraq: 26095
Signature Description: SIP is an application-layer protocol that can establish, modify and terminate multimedia
sessions such as Internet telephone calls. SIP sends an INVITE message to initiate a session; this message contains the
URI of the destination. SQL injection vulnerabilities exist in cdr_addon_mysql in Asterisk-Addons before 1.2.8, and
1.4.x before 1.4.4. Some SIP proxies store information gathered from SIP headers in databases used for
billing and accounting purposes. That is the case for this vulnerability: if this information is not properly filtered, it
can perform a second-order SQL injection once it is displayed to the administrator. An attacker can put SQL commands in