CVE-2009-4019
## Snort IDS/IPS Mitigation Rules (2 rules)

The following Emerging Threats Snort rules detect exploitation of this vulnerability:

### Rule 1: SID 2010491 (rev 2)

**ET DOS Possible MYSQL GeomFromWKB() function Denial Of Service Attempt**

> **Note:** This rule is currently disabled in the Emerging Threats ruleset.

```snort
#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL GeomFromWKB() function Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"geometrycollectionfromwkb"; distance:0; nocase; pcre:"/SELECT.+geometrycollectionfromwkb/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297.txt; reference:cve,2009-4019; classtype:attempted-dos; sid:2010491; rev:2; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2010_07_30;)
```

---

### Rule 2: SID 2010492 (rev 3)

**ET DOS Possible MYSQL SELECT WHERE to User Variable Denial Of Service Attempt**

> **Note:** This rule is currently disabled in the Emerging Threats ruleset.

```snort
#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL SELECT WHERE to User Variable Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"WHERE"; distance:0; nocase; content:"SELECT"; nocase; content:"INTO"; distance:0; nocase; content:"|60|"; within:50; content:"|60|"; pcre:"/SELECT.+WHERE.+SELECT.+\x60/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297-2.txt; reference:cve,2009-4019; classtype:attempted-dos; sid:2010492; rev:3; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2010_07_30;)
```

### Implementation Steps

1. Deploy these rules to your Snort/Suricata IDS/IPS sensors
2. Ensure all rules are enabled in your sensor configuration
3. Monitor for alerts matching the above SIDs
4. For IPS mode, consider changing action from `alert` to `drop`
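Both rules ship commented out (leading `#`), so steps 2 and 4 amount to editing the rule header for those two SIDs. The following is an added example, not code from this page or from Emerging Threats: the function name `enable_rules` is hypothetical, and the sample rules file is constructed, with the two rules shortened to their headers, messages and SIDs.

```python
import re

# Matches an active or commented-out rule header: optional "#", then the action.
RULE_RE = re.compile(r"^(\s*)(#\s*)?(alert|drop)(\s.*)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules file: shortened stand-ins for the page's two rules
# (same SIDs), an unrelated disabled rule, and a prose comment naming a SID.
SAMPLE_RULES = '''\
# see sid:2010491; before enabling
#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL GeomFromWKB() function Denial Of Service Attempt"; flow:to_server,established; sid:2010491; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL SELECT WHERE to User Variable Denial Of Service Attempt"; flow:to_server,established; sid:2010492; rev:3;)
#alert tcp any any -> any any (msg:"constructed unrelated rule"; sid:9000001; rev:1;)
'''


def enable_rules(rules_text, sids, action="alert"):
    """Uncomment the rules whose SID is in `sids` and set their action.

    Returns (new_text, changed_sids). Rules with other SIDs and plain
    comments are left untouched, so the edit is safe to re-run.
    """
    if action not in ("alert", "drop"):
        raise ValueError("action must be 'alert' (IDS) or 'drop' (IPS)")
    out, changed = [], []
    for line in rules_text.splitlines():
        header = RULE_RE.match(line)
        sid = SID_RE.search(line)
        if header and sid and int(sid.group(1)) in sids:
            # Rebuild the line without the "#" and with the requested action.
            new_line = f"{header.group(1)}{action}{header.group(4)}"
            if new_line != line:
                changed.append(int(sid.group(1)))
            out.append(new_line)
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    text, changed = enable_rules(SAMPLE_RULES, {2010491, 2010492})
    print("enabled SIDs:", changed)
    print(text, end="")
```
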
EPSS 7.67% · 92.0th percentile
Risk Scores
Exploit Intelligence
- ET DOS Possible MYSQL SELECT WHERE to User Variable Denial Of Service Attempt [disabled] (emergingthreats)
- ET DOS Possible MYSQL GeomFromWKB() function Denial Of Service Attempt [disabled] (emergingthreats)
Timeline
- Nov 30, 2009 CVE Published
- Jul 30, 2010 PoC Published
- Feb 4, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 3, 2023 EPSS Score
- May 25, 2023 EPSS Score
- Jul 17, 2023 EPSS Score
- Jul 24, 2023 EPSS Score
References
- Emerging Threats Snort Rule SID 2010491 mitigation
- https://www.securityfocus.com/bid/37297/info advisory
- https://marc.info/?l=oss-security&m=125881733826437&w=2 advisory
- https://downloads.securityfocus.com/vulnerabilities/exploits/37297.txt advisory
- Emerging Threats Snort Rule SID 2010492 mitigation
- https://downloads.securityfocus.com/vulnerabilities/exploits/37297-2.txt advisory