CVE-2006-3838
published 2006-07-27


Priority: P269
CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 73.15% (99.4th percentile)
Multiple stack-based buffer overflows in eIQnetworks Enterprise Security Analyzer (ESA) before 2.5.0, as used in products including (a) Sidewinder, (b) iPolicy Security Manager, (c) Astaro Report Manager, (d) Fortinet FortiReporter, (e) Top Layer Network Security Analyzer, and possibly other products, allow remote attackers to execute arbitrary code via long (1) DELTAINTERVAL, (2) LOGFOLDER, (3) DELETELOGS, (4) FWASERVER, (5) SYSLOGPUBLICIP, (6) GETFWAIMPORTLOG, (7) GETFWADELTA, (8) DELETERDEPDEVICE, (9) COMPRESSRAWLOGFILE, (10) GETSYSLOGFIREWALLS, (11) ADDPOLICY, and (12) EDITPOLICY commands to the Syslog daemon (syslogserver.exe); (13) GUIADDDEVICE, (14) ADDDEVICE, and (15) DELETEDEVICE commands to the Topology server (Topology.exe); the (15) LICMGR_ADDLICENSE command to the License Manager (EnterpriseSecurityAnalyzer.exe); the (16) TRACE and (17) QUERYMONITOR commands to the Monitoring agent (Monitoring.exe); and possibly other vectors related to the Syslog daemon (syslogserver.exe).

Affected

1 range
Vendor: eiqnetworks
Product: enterprise_security_analyzer
Version range: <= 2.4.0
Fixed in: 2.5.0 (the description states that versions before 2.5.0 are affected)

Detection & IOCs (extracted from sources)

port: TCP 10616
port: TCP 10628
process: syslogserver.exe
process: Topology.exe
process: EnterpriseSecurityAnalyzer.exe
process: Monitoring.exe
command: LICMGR_ADDLICENSE&<payload>
command: DELETEDEVICE&<payload>
  • Monitor TCP port 10616 (License Manager, EnterpriseSecurityAnalyzer.exe) for connections sending oversized LICMGR_ADDLICENSE commands; the known exploits place the return address at an argument offset of 494 or 1262 bytes, depending on the target variant.
  • Monitor TCP port 10628 (Topology server, Topology.exe) for connections sending oversized DELETEDEVICE commands; the known exploit pattern is a 128-byte alphanumeric filler followed by a return address and a NOP sled.
  • Alert on traffic to port 10616 or 10628 containing the literal strings LICMGR_ADDLICENSE& or DELETEDEVICE& where the argument after the & exceeds the length of any legitimate license key or device name.
  • The LICMGR_ADDLICENSE exploit must avoid the bytes NUL, LF, CR, @ and & in its payload, so the shellcode is encoded; in practice the oversized argument consists mostly of non-printable bytes that omit exactly those values, which is itself a strong signal.
  • The DELETEDEVICE exploit must avoid NUL, LF, CR and space; flag oversized DELETEDEVICE arguments on port 10628 that carry non-printable data omitting those bytes.
  • Both exploits prepend the same seven-byte stack-adjust stub to the payload: \x81\xc4\xff\xef\xff\xff\x44, which decodes to add esp, -0x1001 followed by inc esp (net effect: esp moves down by 0x1000 so the decoder does not overwrite itself). Detect this byte sequence in traffic to ports 10616 and 10628; it is a fixed signature because the stub is not encoded.
  • Monitor syslogserver.exe for receipt of oversized DELTAINTERVAL, LOGFOLDER, DELETELOGS, FWASERVER, SYSLOGPUBLICIP, GETFWAIMPORTLOG, GETFWADELTA, DELETERDEPDEVICE, COMPRESSRAWLOGFILE, GETSYSLOGFIREWALLS, ADDPOLICY, or EDITPOLICY commands.
  • Monitor Monitoring.exe for receipt of oversized TRACE or QUERYMONITOR commands.
  • The exploits were tested only against ESA v2.1.13; return addresses and offsets may differ on other versions or OEM rebrands, so length-based rules are more robust than return-address signatures.
  • Multiple OEM-rebranded products share the same vulnerable codebase and the same exploit port/command structure; detection rules should cover all branded variants rather than keying on the eIQnetworks product name.
  • Two distinct payload buffer sizes (494 and 1262 bytes) are used depending on the target OEM variant; set detection thresholds well below 494 bytes so both are caught.
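The detection guidance above, turned into a payload inspector as an added example (this is illustrative code written for this page, not an eIQnetworks component or a published detection rule). It splits each client-to-server payload on the first & into COMMAND and argument, as the ESA listeners do, and raises the three indicators listed above: an argument longer than a legitimate value, the unencoded stack-adjust stub, and a high share of non-printable bytes where an ASCII license key or device name is expected. The length thresholds (200 and 64 bytes) and the 10% non-printable ratio are assumptions chosen for this example, sitting below the 494/1262-byte and 128-byte exploit offsets; the traffic samples are constructed, not captured.

```python
"""Heuristic inspector for the oversized ESA command patterns described above."""
from __future__ import annotations

import string
import struct
from dataclasses import dataclass

# add esp, -0x1001 ; inc esp  (net esp -= 0x1000), prepended by the known exploits.
# It is sent unencoded, so it can be matched as a literal byte string.
STACK_ADJUST_STUB = b"\x81\xc4\xff\xef\xff\xff\x44"

# Commands per listener port and the argument length beyond which we alert.
# Thresholds are assumptions for this example: above any legitimate license key
# or device name, well below the 494/1262-byte and 128-byte exploit offsets.
WATCHED_COMMANDS = {
    10616: {"LICMGR_ADDLICENSE": 200},
    10628: {"DELETEDEVICE": 64, "ADDDEVICE": 64, "GUIADDDEVICE": 64},
}

# Assumed ratio of non-printable bytes above which an argument looks like shellcode.
NONPRINTABLE_RATIO = 0.10
PRINTABLE = set(string.printable.encode())


@dataclass(frozen=True)
class Alert:
    port: int
    command: str
    reason: str


def inspect_payload(dst_port: int, payload: bytes) -> list[Alert]:
    """Return the alerts raised by one client-to-server payload."""
    commands = WATCHED_COMMANDS.get(dst_port)
    if not commands:
        return []
    # Requests on these ports are COMMAND&argument; split on the first '&'.
    cmd_bytes, sep, arg = payload.partition(b"&")
    if not sep:
        return []
    try:
        command = cmd_bytes.decode("ascii")
    except UnicodeDecodeError:
        return []
    if command not in commands:
        return []

    alerts: list[Alert] = []
    limit = commands[command]
    if len(arg) > limit:
        alerts.append(Alert(dst_port, command,
                            f"argument {len(arg)} bytes exceeds {limit}"))
    if STACK_ADJUST_STUB in arg:
        alerts.append(Alert(dst_port, command,
                            "stack-adjust stub 81c4ffefffff44 present"))
    nonprintable = sum(1 for b in arg if b not in PRINTABLE)
    if arg and nonprintable / len(arg) > NONPRINTABLE_RATIO:
        alerts.append(Alert(dst_port, command,
                            f"{nonprintable} non-printable bytes in argument"))
    return alerts


def build_samples() -> dict[str, tuple[int, bytes]]:
    """Constructed traffic samples (not real captures) mirroring the exploit layouts."""
    ret = struct.pack("<I", 0x41424344)     # placeholder return address, not a real gadget
    nop_sled = b"\x90" * 16
    fake_shellcode = b"\xcc" * 64           # stand-in for an encoded payload
    alnum_filler = (string.ascii_letters.encode() * 3)[:128]
    return {
        "benign_license": (10616, b"LICMGR_ADDLICENSE&ESA-2006-TRIAL-0001"),
        "benign_delete": (10628, b"DELETEDEVICE&fw-edge-01"),
        "esa_licmgr": (10616, b"LICMGR_ADDLICENSE&" + b"A" * 494 + ret
                       + nop_sled + STACK_ADJUST_STUB + fake_shellcode),
        "esa_topology": (10628, b"DELETEDEVICE&" + alnum_filler + ret
                         + nop_sled + STACK_ADJUST_STUB + fake_shellcode),
        "unwatched_port": (514, b"DELETEDEVICE&" + b"A" * 5000),
    }


def scan_samples() -> dict[str, list[Alert]]:
    """Run the inspector over every constructed sample."""
    return {name: inspect_payload(port, data)
            for name, (port, data) in build_samples().items()}


if __name__ == "__main__":
    for name, alerts in scan_samples().items():
        print(name, "->", [a.reason for a in alerts] or "clean")
```

The command split is safe for both exploits: & is a bad character for the LICMGR_ADDLICENSE payload, so it cannot appear in the argument, and for DELETEDEVICE the split is on the first & regardless. Note that the stub check matches the two-byte opcode 81 c4 followed by the literal immediate; an attacker who recompiles the stub with a different adjustment evades it, which is why the length and non-printable checks carry the rule rather than the signature.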