VRT Advisories


VRT Rules 2005-03-28

Sourcefire VRT Certified Rule Update

Date: 2005-03-28

Synopsis:

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting MySQL. In addition, the VRT has leveraged new detection engine capabilities to provide coverage for an FTP port bounce attack.

The VRT has also added rules and improved detection capabilities as a result of ongoing research into serious vulnerabilities affecting Computer Associates License Server, BrightStor ARCserve and Oracle database servers.

Details:

A vulnerability exists in MySQL's handling of the CREATE FUNCTION command, possibly allowing an authenticated user with INSERT and DELETE privileges for the administrative databases to execute arbitrary code.

A rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3528.

The PORT command can be used in an FTP PORT bounce attack to establish a connection between the FTP server and another machine listening on an alternative port. This may lead to unauthorized access to a target host listening on a port not available from outside the protected network.

A rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3441.
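
The check implied by the bounce description above, as an added example (it is not Sourcefire's rule sid 3441 and not code from this advisory): parse the PORT argument and compare it with the source address of the control connection. The function names and sample lines are constructed for illustration; the below-1024 port check follows the recommendation in RFC 2577.

```python
import ipaddress
import re

# PORT argument per RFC 959: h1,h2,h3,h4,p1,p2 (six decimal octets).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line):
    """Return (IPv4Address, port) from an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        return None
    ip = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
    return ip, octets[4] * 256 + octets[5]


def check_port_command(client_ip, line):
    """Return the reasons a command looks like a PORT bounce (empty list if benign)."""
    is_port = line.strip().upper().startswith("PORT")
    parsed = parse_port(line)
    if parsed is None:
        return ["malformed PORT argument"] if is_port else []
    ip, port = parsed
    reasons = []
    # A bounce points the data connection at a host other than the FTP client.
    if ip != ipaddress.IPv4Address(client_ip):
        reasons.append(f"data address {ip} is not the client {client_ip}")
    # RFC 2577: servers should refuse data connections to ports below 1024.
    if port < 1024:
        reasons.append(f"data port {port} is below 1024")
    return reasons


# Constructed sample control-channel traffic: (client source IP, command).
SAMPLE = [
    ("198.51.100.7", "PORT 198,51,100,7,195,80"),  # normal active-mode transfer
    ("198.51.100.7", "PORT 10,0,0,5,0,25"),        # third-party host and low port
    ("198.51.100.7", "PORT 198,51,100,7,0,22"),    # own address, low port
    ("198.51.100.7", "PORT 300,1,1,1,1,1"),        # octet out of range
    ("198.51.100.7", "RETR file.txt"),             # not a PORT command
]

if __name__ == "__main__":
    for client, cmd in SAMPLE:
        reasons = check_port_command(client, cmd)
        verdict = "ALERT: " + "; ".join(reasons) if reasons else "ok"
        print(f"{client} {cmd!r}: {verdict}")
```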

Computer Associates License software allows a site to maintain and handle licenses for CA products. A server runs the software to facilitate this and it communicates with clients/agents on the network. A vulnerability exists in some GCR messages that exchange data with a listening server or client.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3524, 3525 and 3529.

A vulnerability exists in the way that the BrightStor ARCserve discovery service processes client messages. Client product information messages and client slot information messages that contain an overly long client name or client domain value can cause a buffer overflow.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3530 and 3531.

The Oracle XDB UNLOCK command is vulnerable to a buffer overflow attack. A fixed size buffer is allocated for a parameter associated with the command. A user-supplied parameter value that is longer than the allocated buffer can cause a buffer overflow and allow the subsequent execution of arbitrary commands on a vulnerable server.

A rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3526.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading-edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.