VRT Advisories

1 2 124 125 126 127 129 131 132


VRT Rules 2005-06-30

Sourcefire VRT Certified Rules Update

Date: 2005-06-30

Synopsis:

The Sourcefire Vulnerability Research Team (VRT) has learned of multiple serious vulnerabilities affecting Veritas Backup Exec Server and Agent Software.

Details:

US-CERT Vulnerability Note VU#352625 A vulnerability exists in the Veritas Backup Server handles DCERPC requests that attempt to alter registry values, enabling an attacker to modify the registry. The Backup Server accepts anonymous client requests, but fails to assign the appropriate privileges. This allows an attacker to perform privileged tasks on the server. One such task is altering registry values.

US-CERT Vulnerability Note VU#492105, CAN-2005-0773 A vulnerability exists in Veritas Backup Agent authentication software. This software uses Network Data Management Protocol (NDMP) to communicate between clients and servers. Authentication is required to successfully connect. Errors in processing the authentication credentials can give an attacker the opportunity to overflow a fixed length buffer which may lead to the execution of code of the attackers choosing on the affected host.

US-CERT Vulnerability Note VU#584505, CAN-2005-0771 The Veritas Backup Agent Exec provides backup software. Certain communications are done via the Network Data Management Protocol (NDMP). The agent does not properly handle malformed NDMP protocol requests. Exploitation of this issue is simple and can lead to a Denial of Service (DoS) for the agent.

Rules to detect attacks against these vulnerabilities are included in this rule pack and are identified as sids 3695 through 3812.

References: US-CERT Technical Cyber Security Alert TA05-180A http://www.us-cert.gov/cas/techalerts/TA05-180A.html

VERITAS Security Advisory for Backup Exec for Windows Servers and Backup Exec for NetWare Servers http://seer.support.veritas.com/docs/277428.htm

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.

Posted by on Jun 30, 2005



VRT Rules 2005-06-29

Sourcefire VRT Certified Rules Update

Date: 2005-06-29

Synopsis:

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting IBM Websphere and Squid HTTP proxy server.

Details:

A Squid proxy server can cache resources to make access to them more efficient. A malformed request sent to a Squid proxy server may be interpreted and processed differently than the actual responding web server. A particular malformed request that contains two "Content-Length" header fields can be used to try to poison the cache by causing the Squid proxy server and an upstream server to process the contents differently.

A Rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3694.

IBM WebSphere may use form-based authentication to permit access to applications. The CGI variables j_username and j_password are used for this authentication process. Overly long values passed to these variables can cause a buffer overflow and the subsequent execution of arbitrary code on the vulnerable server. This is due to a failure in the code to accommodate wide-character expansion for the receiving buffer.

A rule to detect attacks against this vulnerbility is included in this rule pack and is identified as sid 3693.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.

Posted by on Jun 29, 2005



VRT Rules 2005-06-15

Sourcefire VRT Certified Rules Update

Date: 2005-06-15

Synopsis:

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting various vendor Telnet client software and Microsoft Internet Explorer.

Details:

A telnet client and server can negotiate various options such as the character set to be used in the communication exchange. One particular option allows a client or server to send new environment options. Certain telnet clients will respond to a telnet server that issues a new environment send command for a particular environment variable, such as the current user. This information disclosure can be valuable to a potential attacker. Although this vulnerability affects multiple vendors it is also addressed in the Microsoft advisory MS05-033.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3687 and 3688.

Internet Explorer has an optional feature known as Content Advisor that allows unsuitable content to be blocked. The Content Advisor uses a ratings description file to determine what is considered to be unsuitable content. The ratings description file contains several statements including a name statement. An overly long value supplied to a specific name statement can cause a buffer overflow and the subsequent execution of arbitrary code.

A rule to detect attacks against this vulnerbility is included in this rule pack and is identified as sid 3686.

A vulnerability exists in the way Internet Explorer handles the transparency chunk of a PNG file, enabling a buffer overflow and the subsequent execution of arbitrary code on a vulnerable client. This vulnerability is addressed in the Microsoft advisory MS05-025.

A rule to detect attacks against this vulnerbility is included in this rule pack and is identified as sid 3689.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.

Posted by on Jun 15, 2005



VRT Rules 2005-05-31

Sourcefire VRT Certified Rules Update

Date: 2005-05-31

Synopsis:

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting MySQL and Ethereal. The VRT has also completed work to normalize older rules to improve the detection capabilities of the Snort engine.

Details:

There are two vulnerabilities associated with MySQL password authentication. The first vulnerability may permit an unauthorized user access to the server if the attacker knows an authorized username and crafts a malicious client password hash. The second vulnerability may cause a denial of service or buffer overflow if an attacker knows an authorized username and crafts an overly long password hash.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3665 and 3672.

An error in the processing of tcp packets in a SIP protocol transaction may lead to a Denial of Service (DoS) condition in Ethereal. The SIP parsing routine does not properly check the length of data supplied to a fixed length buffer in the processing of the SIP data.

Rules to detect attacks against this vulnerbility are included in this rule pack and are identified as sids 3677 and 3678.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.

Posted by on May 31, 2005



VRT Rules 2005-05-18

Sourcefire VRT Certified Rules Update

Date: 2005-05-18

Synopsis:

After continuing research into vulnerabilities affecting BrightStor ARCserve Backup Universal Agent and the CVS daemon, the Sourcefire Vulnerability Research Team (VRT) has released a number of rules to detect attacks against vulnerabilities in these products.

Details:

A vulnerability exists in the way that a the BrightStor ARCserve Backup Universal Agent processes messages with overly long data. The Universal Agent software of the ARCserve Backup suite is used to push backups from individual hosts to the server component. A message with a combination of specific option types, length value ranges and overly long data sent to a Universal Agent listener can cause a buffer overflow and the subsequent execution of arbitrary code with system level privileges on a vulnerable server.

Rules to detect this vulnerability are included in this rule pack and are identified as sids 3658 through 3663.

CVS is the Concurrent Versions System, commonly used to help manage software development. A user with branching privileges can exploit a vulnerability associated with the cvs annotate command to cause a buffer overflow to occur.

Rules to detect this vulnerability are included in this rule pack and are identified as sids 3651 through 3652.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.

Posted by on May 18, 2005



1 2 124 125 126 127 129 131 132