TIP: Identify/Reconnect Vulnerability Exploit Attempt

This signature detects RECONNECT requests from a TIP client to a TIP server. A variety of vulnerabilities in TIP can be exploited by a malicious IDENTIFY followed by a RECONNECT command. Do not use this signature to monitor traffic between trusted TIP servers. Hits on this signature where either endpoint is not a known trusted TIP server should be analyzed.

Extended Description

The Microsoft Windows MSDTC (Microsoft Distributed Transaction Coordinator) service is prone to a denial of service vulnerability. The vulnerability exists in the TIP (Transaction Internet Protocol) functionality that is provided by MSDTC. A remote attacker may exploit it to deny the availability of services that depend on MSDTC. The issue only exists on operating systems that have TIP support enabled. It is remotely exploitable in default configurations of Windows 2000. TIP is not enabled by default on Windows XP and Windows Server 2003, even if the MSDTC service is running.

Update: Microsoft reports that several systems have experienced one or more problems after installing the critical update from Microsoft Security Bulletin MS05-051 for this issue. For a more detailed explanation of these problems, please see the attached Microsoft Knowledge Base article 909444.

Affected Products

Avaya s8100_media_servers, Microsoft windows_xp_media_center_edition

References

BugTraq: 15058

CVE: CVE-2005-1979

Short Name
TIP:RECONNECT
Severity
Minor
Recommended
False
Recommended Action
None
Category
TIP
Keywords
Attempt CVE-2005-1979 Exploit Identify/Reconnect Vulnerability bid:15058
Release Date
10/11/2005
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3727
Port
TCP/3372
False Positive
Unknown
Vendors

Nortel_networks

Microsoft

Avaya

CVSS Score

5.0
