« Back
March 2005 Archive
Sourcefire VRT Certified Rule Update
Date: 2005-03-28
Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has learned of serious
vulnerabilities affecting MySQL. In addition, the VRT has leveraged new
detection engine capabilities to provide coverage for an FTP port bounce
attack.
The VRT has also added rules and improved detection capabilities as a
result of ongoing research into serious vulnerabilities affecting
Computer Associates License Server, BrightStor ARCserver and Oracle
database servers.
Details:
A vulnerability exists in MySQL's handling of the CREATE FUNCTION
command, possibly allowing an authenticated user with INSERT and DELETE
privileges for the administrative databases to execute arbitrary code.
A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 3528.
The PORT command can be used in an FTP PORT bounce attack to establish
a connection between the FTP server and another machine listening on
an alternative port. This may lead to unauthorized access to a target host
listening on a port not available from outside the protected network.
A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 3441.
Computer Associates License software allows a site to maintain and
handle licenses for CA products. A server runs the software to
facilitate this and it communicates with clients/agents on the
network. A vulnerability exists in some GCR messages that exchange
data with a listening server or client.
Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3524, 3525 and 3529.
A vulnerability exists in the way that the BrightStor ARCserve discovery
service processes client messages. Client product information messages
and client slot information messages that contain an overly long client name
or client domain value can cause a buffer overflow.
Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3530 and 3531.
The Oracle XDB UNLOCK command is vulnerable to a buffer overflow
attack. A fixed size buffer is allocated for a parameter associated
with the command. A user-supplied parameter value that is longer than
the allocated buffer can cause a buffer overflow and allow the subsequent
execution of arbitrary commands on a vulnerable server.
A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 3526.
Rule Pack Summary:
For a complete list of new and modified rules, click
here.
Warning:
Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should
upgrade to the latest revision or patch level for Snort to ensure these enhancements are
available before using these rules.
About the VRT:
The Sourcefire VRT is a group of leading edge intrusion detection and
prevention experts working to proactively discover, assess and respond
to the latest trends in hacking activity, intrusion attempts and
vulnerabilities. This team is also supported by the vast resources of
the open source Snort community, making it the largest group dedicated
to advances in network security industry.
Posted by on Mar 28, 2005
Sourcefire VRT Certified Rule Update
Date: 2005-03-16
Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has learned of serious
vulnerabilities affecting Oracle database servers, Computer Associates
License server and MySQL MaxDB WebSQL service.
Details
Oracle UTL_FILE commands allow a user to read, write, copy, or delete
files in locations and directories authorized to the user. However,
sufficient checks are not performed to ensure that the user does not
attempt to employ a directory traversal technique to manipulate files
outside the authorized directories.
Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3512 through 3516.
Computer Associates License software allows a site to maintain and
handle licenses for CA products. A server runs the software to
facilitate this and it communicates with clients/agents on the network.
A programming error may present an attacker with the opportunity to
overflow a static buffer and possibly execute code of their choosing on
the affected host.
Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3520 through 3522 and 3517.
The MySQL MaxDB WebSQL service suffers from a programming error that may
allow an attacker to overflow a static buffer by supplying excess data
in the parameter to the password value. The attacker may then be able to
execute code of their choosing on the affected host.
Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3518 and 3519.
Rule Pack Summary
For a complete list of new and modified rules, click
here.
Warning:
Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should
upgrade to the latest revision or patch level for Snort to ensure these enhancements are
available before using these rules.
About the Sourcefire Vulnerability Research Team
The Sourcefire VRT is a group of leading edge intrusion detection and
prevention experts working to proactively discover, assess and respond
to the latest trends in hacking activity, intrusion attempts and
vulnerabilities. This team is also supported by the vast resources of
the open source Snort community, making it the largest group dedicated
to advances in network security industry.
Posted by on Mar 16, 2005
Sourcefire VRT Certified Rule Update
Date: 2005-03-09
Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting Computer Associates BrightStor ARCserver.
The VRT has also added rules and improved detection capabilities of existing rules as a result of ongoing research into vulnerabilities with Microsoft applications using SSL.
Details
A vulnerability exists in the way that the BrightStor ARCserver discovery
service processes client messages. Client product information messages and
client slot information messages that contain an overly long client name or
client domain value can cause a buffer overflow.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3474 through 3485.
Poor error handling routines in the Microsoft Secure Sockets Layer (SSL) library, specifically in the handling of SSL Version 2 requests, present opportunites to cause a DoS condition in various software implementations used on Microsoft operating systems.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3486 through 3511.
Rule Pack Summary
For a complete list of new and modified rules, click
here.
Rules:
VRT Certified Rule Updates are available to users in the following ways:
- Subscribers will receive rulesets in real-time as they are released to Sourcefire customers - 5 days ahead of Registered users
- Registered users will receive rulesets when they are published
- Unregistered users will receive access to a static ruleset containing only the latest rules at the time of each Snort point release.
About the Sourcefire Vulnerability Research Team
The Sourcefire Vulnerability Research Team (VRT) is a group of leading edge intrusion detection and prevention experts working to discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.
Posted by on Mar 09, 2005
