« Back
June 2005 Archive
Sourcefire VRT Certified Rules Update
Date: 2005-06-30
Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has learned of multiple
serious vulnerabilities affecting Veritas Backup Exec Server and Agent
Software.
Details:
US-CERT Vulnerability Note VU#352625
A vulnerability exists in the Veritas Backup Server handles DCERPC requests that attempt to alter registry values, enabling an attacker to modify the registry. The Backup Server accepts anonymous client requests, but fails to assign the appropriate privileges. This allows an attacker to perform privileged tasks on the server. One such task is altering registry values.
US-CERT Vulnerability Note VU#492105, CAN-2005-0773
A vulnerability exists in Veritas Backup Agent authentication software. This software uses Network Data Management Protocol (NDMP) to communicate between clients and servers. Authentication is required to successfully connect. Errors in processing the authentication credentials can give an attacker the opportunity to overflow a fixed length buffer which may lead to the execution of code of the attackers choosing on the affected host.
US-CERT Vulnerability Note VU#584505, CAN-2005-0771
The Veritas Backup Agent Exec provides backup software. Certain communications are done via the Network Data Management Protocol (NDMP). The agent does not properly handle malformed NDMP protocol requests. Exploitation of this issue is simple and can lead to a Denial of Service (DoS) for the agent.
Rules to detect attacks against these vulnerabilities are included in this
rule pack and are identified as sids 3695 through 3812.
References:
US-CERT Technical Cyber Security Alert TA05-180A
http://www.us-cert.gov/cas/techalerts/TA05-180A.html
VERITAS Security Advisory for Backup Exec for Windows Servers and Backup Exec for NetWare Servers
http://seer.support.veritas.com/docs/277428.htm
Rule Pack Summary:
For a complete list of new and modified rules,
click here.
Warning:
Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should
upgrade to the latest revision or patch level for Snort to ensure these enhancements are
available before using these rules.
About the VRT:
The Sourcefire VRT is a group of leading edge intrusion detection and
prevention experts working to proactively discover, assess and respond
to the latest trends in hacking activity, intrusion attempts and
vulnerabilities. This team is also supported by the vast resources of
the open source Snort community, making it the largest group dedicated
to advances in network security industry.
Posted by on Jun 30, 2005
Sourcefire VRT Certified Rules Update
Date: 2005-06-29
Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting IBM Websphere and Squid HTTP proxy server.
Details:
A Squid proxy server can cache resources to make access to them more efficient. A malformed request sent to a Squid proxy server may be interpreted and processed differently than the actual responding web server. A particular malformed request that contains two "Content-Length" header fields can be used to try to poison the cache by causing the Squid proxy server and an upstream server to process the contents differently.
A Rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3694.
IBM WebSphere may use form-based authentication to permit access to applications. The CGI variables j_username and j_password are used for this authentication process. Overly long values passed to these variables can cause a buffer overflow and the subsequent execution of arbitrary code on the vulnerable server. This is due to a failure in the code to accommodate wide-character expansion for the receiving buffer.
A rule to detect attacks against this vulnerbility is included in this rule pack and is identified as sid 3693.
Rule Pack Summary:
For a complete list of new and modified rules,
click here.
Warning:
Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should
upgrade to the latest revision or patch level for Snort to ensure these enhancements are
available before using these rules.
About the VRT:
The Sourcefire VRT is a group of leading edge intrusion detection and
prevention experts working to proactively discover, assess and respond
to the latest trends in hacking activity, intrusion attempts and
vulnerabilities. This team is also supported by the vast resources of
the open source Snort community, making it the largest group dedicated
to advances in network security industry.
Posted by on Jun 29, 2005
Sourcefire VRT Certified Rules Update
Date: 2005-06-15
Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting various vendor Telnet client software and Microsoft Internet Explorer.
Details:
A telnet client and server can negotiate various options such as the character set to be used in the communication exchange. One particular option allows a client or server to send new environment options. Certain telnet clients will respond to a telnet server that issues a new environment send command for a particular environment variable, such as the current user. This information disclosure can be valuable to a potential attacker. Although this vulnerability affects multiple vendors it is also addressed in the Microsoft advisory MS05-033.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3687 and 3688.
Internet Explorer has an optional feature known as Content Advisor that allows unsuitable content to be blocked. The Content Advisor uses a ratings description file to determine what is considered to be unsuitable content. The ratings description file contains several statements including a name statement. An overly long value supplied to a specific name statement can cause a buffer overflow and the subsequent execution of arbitrary code.
A rule to detect attacks against this vulnerbility is included in this rule pack and is identified as sid 3686.
A vulnerability exists in the way Internet Explorer handles the transparency chunk of a PNG file, enabling a buffer overflow and the subsequent execution of arbitrary code on a vulnerable client. This vulnerability is addressed in the Microsoft advisory MS05-025.
A rule to detect attacks against this vulnerbility is included in this rule pack and is identified as sid 3689.
Rule Pack Summary:
For a complete list of new and modified rules,
click here.
Warning:
Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should
upgrade to the latest revision or patch level for Snort to ensure these enhancements are
available before using these rules.
About the VRT:
The Sourcefire VRT is a group of leading edge intrusion detection and
prevention experts working to proactively discover, assess and respond
to the latest trends in hacking activity, intrusion attempts and
vulnerabilities. This team is also supported by the vast resources of
the open source Snort community, making it the largest group dedicated
to advances in network security industry.
Posted by on Jun 15, 2005
