TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 35517
Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks
Threat Level: Severe
Industry ID: CVE-2008-1447
Bugtraq: 30132
Signature Description: Cisco products are vulnerable to DNS cache poisoning attacks due to insufficiently random DNS
transaction IDs and UDP source ports in outgoing DNS queries. An attacker can exploit this weakness to forge DNS answers
that are accepted by the resolver and poison its cache. Only servers that perform recursive resolution are affected;
DNS servers that are only authoritative, or servers where recursion is not allowed, are not affected.
Signature ID: 35518
Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks
Threat Level: Severe
Industry ID: CVE-2008-1447
Bugtraq: 30132
Signature Description: Cisco products are vulnerable to DNS cache poisoning attacks due to insufficiently random DNS
transaction IDs and UDP source ports in outgoing DNS queries. The Domain Name System (DNS) is responsible for
translating host names to IP addresses (and vice versa) and is critical for the normal operation of internet-connected
systems. DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker
to introduce forged DNS information into the cache of a caching name server. The DNS protocol specification includes
a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly
selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully
predict the ID. Some flawed implementations use fewer bits for this transaction ID, meaning that fewer attempts are
needed. Furthermore, there are known weaknesses in the randomness of transaction IDs generated by a number of
implementations. As part of a DNS cache poisoning attack, the attacker sends a large number of forged DNS responses
with incrementing transaction IDs within a span of seconds, hoping that one of them matches the transaction ID of the
outstanding request. This signature triggers when 50 DNS Type A responses, each carrying 3 resource records, are
observed within a 2 second period.
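The following is an added example, not code from the ProCurve guide, showing how the trigger condition stated for this signature can be implemented: parse each DNS response per RFC 1035, keep only Type A responses whose total resource record count (answer + authority + additional) is 3, and fire when 50 such responses arrive within a 2 second sliding window. The sample packets are constructed in the script (a burst of responses with sequential transaction IDs, the pattern described above), and the interpretation of "3 Resource Record set" as a total RR count of 3, together with the `window`, `threshold` and `rr_count` parameters, is an assumption.

```python
"""Detector for a DNS cache poisoning response flood (added example, not from the guide).

Assumptions: the signature's "3 Resource Record set" is read as ANCOUNT+NSCOUNT+ARCOUNT == 3,
and the threshold/window values mirror the text (50 responses within 2 seconds).
"""
import struct
from collections import deque

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def build_a_response(txid, name="www.example.com",
                     answer_ips=("192.0.2.1", "192.0.2.2", "192.0.2.3")):
    """Construct a minimal DNS response (QDCOUNT=1, ANCOUNT=len(answer_ips)).
    Constructed sample data for this example, not captured traffic."""
    flags = 0x8180  # QR=1 (response), RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answer_ips), 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)
    answers = b""
    for ip in answer_ips:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C = compression pointer to the QNAME at offset 12; TTL 300; RDLENGTH 4
        answers += struct.pack("!HHHIH", 0xC00C, DNS_TYPE_A, DNS_CLASS_IN, 300, 4) + rdata
    return header + question + answers


def parse_qname(buf, off, depth=0):
    """Return (name, offset just past the name). Follows compression pointers,
    with a depth limit so a malicious pointer loop cannot hang the parser."""
    if depth > 5:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        ln = buf[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            name, _ = parse_qname(buf, ptr, depth + 1)
            labels.append(name)
            off += 2
            break
        off += 1
        labels.append(buf[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), off


def parse_dns(buf):
    """Parse the 12-byte header and the first question; None if malformed."""
    if len(buf) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    if qd < 1:
        return None
    try:
        qname, off = parse_qname(buf, 12)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    except (IndexError, struct.error, ValueError):
        return None
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": qname,
            "qtype": qtype, "rr_count": an + ns + ar}


class PoisonFloodDetector:
    """Sliding-window counter: fires when `threshold` qualifying responses
    (Type A, exactly `rr_count` RRs) are seen within `window` seconds."""

    def __init__(self, threshold=50, window=2.0, rr_count=3):
        self.threshold, self.window, self.rr_count = threshold, window, rr_count
        self.times = deque()

    def observe(self, pkt_bytes, ts):
        rec = parse_dns(pkt_bytes)
        if (not rec or not rec["is_response"] or rec["qtype"] != DNS_TYPE_A
                or rec["rr_count"] != self.rr_count):
            return False
        self.times.append(ts)
        while self.times and ts - self.times[0] > self.window:
            self.times.popleft()  # drop responses older than the window
        return len(self.times) >= self.threshold


def simulate_flood(n=60, spacing=0.01):
    """Attacker-style burst: n forged responses with sequential transaction IDs,
    10 ms apart. Returns the packet index at which the detector fires, or -1."""
    det = PoisonFloodDetector()
    for i in range(n):
        if det.observe(build_a_response(txid=0x1000 + i), i * spacing):
            return i
    return -1


def simulate_normal(n=60, spacing=0.1):
    """Benign rate: one response every 100 ms never fills the 2 s window to 50."""
    det = PoisonFloodDetector()
    for i in range(n):
        if det.observe(build_a_response(txid=0x1000 + i), i * spacing):
            return i
    return -1


if __name__ == "__main__":
    print("flood fires at packet", simulate_flood())
    print("normal traffic fires at", simulate_normal())
```

The flood run fires on the 50th packet (index 49, all within 0.5 s), while the slower run never fires because at most 21 responses fit in any 2 second window. Note that the signature is rate based, so a busy legitimate resolver returning three-record answers can exceed the threshold; tune `threshold` and `window` to the monitored network before treating a hit as a confirmed poisoning attempt.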
Signature ID: 35519
Crafted packet vulnerabilities exist in the Cisco Firewall Services Module
Threat Level: Warning
Industry ID: CVE-2007-5568
Signature Description: A crafted MGCP packet vulnerability in the Cisco Firewall Services Module (FWSM) can be
exploited remotely without authentication and without user interaction. Successful exploitation may cause the affected
device to crash, and repeated attempts to exploit it could result in a sustained DoS condition. The attack vector is
MGCP packets sent to the MGCP gateway port, for which UDP port 2427 is the default. Because the transport is UDP, an
attacker could exploit this vulnerability with spoofed source addresses. This vulnerability affects Cisco PIX and ASA
appliances as well as the FWSM.
Signature ID: 35520
Cisco IOS PPTP Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1183
Bugtraq: 3022
Signature Description: The Point-to-Point Tunneling Protocol (PPTP) allows users to tunnel to an Internet Protocol (IP)
network using the Point-to-Point Protocol (PPP). By sending a crafted PPTP packet to TCP port 1723, the PPTP control
port, it is possible to crash the router. This vulnerability does not require any special router configuration;
enabling PPTP is sufficient to expose it. The router crashes after receiving a single such packet. By repeatedly
exploiting this vulnerability it is possible to cause a permanent denial of service (DoS), affecting not only the PPTP
functionality but the whole router, which stops functioning.