Update Details

Update #2630 (01/26/2016)

2 new signatures:

HIGH	HTTP:STC:DL:REMOTE-DNS-CHANGE	HTTP: Unauthenticated Remote DNS Change Exploit
HIGH	SSH:PACKET-WRITE-WAIT-BO	SSH: Resume Packet Write Wait Buffer Overflow

5 updated signatures:

HIGH	SSL:VULN:CVE-2015-0208-DOS	SSL: OpenSSL Invalid PSS Parameters Denial of Service
MEDIUM	HTTP:SQL:INJ:REQ-VAR-4	HTTP: SQL Injection Detected on HTTP Request Variable 4
HIGH	SSL:OPENSSL-DTLSCLIENTHELLO-DOS	SSL: OpenSSL dtls1 Client Hello Denial of Service
HIGH	SCADA:3S-CODESYS-GWS-DIRTRVRSL	SCADA: 3S CoDeSys Gateway Server Directory Traversal
HIGH	SSL:OPENSSL-DTLS-REC-DOS	SSL: OpenSSL DTLS Recursion Denial of Service

Details of the signatures included within this bulletin:

SSL:VULN:CVE-2015-0208-DOS - SSL: OpenSSL Invalid PSS Parameters Denial of Service

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against OpenSSL while performing signature algorithm extension communication. A successful attack can result in a denial-of-service condition.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141421, idp-5.1.110151004, isg-3.5.141455, idp-5.1.110151117

References:

url: https://www.openssl.org/news/secadv_20150319.txt
cve: CVE-2015-0208

SSL:OPENSSL-DTLS-REC-DOS - SSL: OpenSSL DTLS Recursion Denial of Service

Severity: HIGH

Description:

This signature detects attempts to exploit a known flaw in OpenSSL. The vulnerability is due to the possibility of unbounded recursion in dtls1_get_message_fragment() during the processing of DTLS handshake messages. A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious DTLS handshake to a target. Successful exploitation could lead to a denial-of-service condition.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141421, idp-5.1.110151004, isg-3.5.141455, idp-5.1.110151117

References:

bugtraq: 67901
cve: CVE-2014-0221

SSL:OPENSSL-DTLSCLIENTHELLO-DOS - SSL: OpenSSL dtls1 Client Hello Denial of Service

Severity: HIGH

Description:

This signature detects unusual fragmenting on the DTLS Client Hello handshake messages.Successful exploitation could lead to a denial of service condition.

Supported On:

References:

bugtraq: 69078
cve: CVE-2014-3507

HTTP:SQL:INJ:REQ-VAR-4 - HTTP: SQL Injection Detected on HTTP Request Variable 4

Severity: MEDIUM

Description:

This signature detects specific characters, typically used in SQL procedures, within an HTTP connection. Because these characters are not normally used in HTTP, this can indicate a SQL injection attack through a procedure. However, it can be a false positive. To reduce False Positives, it is strongly recommended that these signatures only be used to inspect traffic from the Internet to your organization's web servers that use SQL backend databases to generate content and not to inspect traffic going from your organization to the Internet.

Supported On:

References:

HTTP:STC:DL:REMOTE-DNS-CHANGE - HTTP: Unauthenticated Remote DNS Change Exploit

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against different D-Link Routers. These are vulnerable to DNS change which exists in the web interface, which is accessible without authentication.

Supported On:

SSH:PACKET-WRITE-WAIT-BO - SSH: Resume Packet Write Wait Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in OpenSSH . A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the targeted daemon.

Supported On:

References:

SCADA:3S-CODESYS-GWS-DIRTRVRSL - SCADA: 3S CoDeSys Gateway Server Directory Traversal

Severity: HIGH

Description:

This signature detects attempts to exploit a known issue in 3S CoDeSys Gateway Server. Successful attack attempts could allow an attacker to view or overwrite sensitive system files.

Supported On:

References:

cve: CVE-2012-4705

Affected Products:

3s-software codesys_gateway-server up to 2.3.9.20
3s-software codesys_gateway-server 2.3.5.2
3s-software codesys_gateway-server 2.3.9.19
3s-software codesys_gateway-server 2.3.8.2
3s-software codesys_gateway-server 2.3.8.1
3s-software codesys_gateway-server 2.3.9.1
3s-software codesys_gateway-server 2.3.9.4
3s-software codesys_gateway-server 2.3.5.1
3s-software codesys_gateway-server 2.3.8.0
3s-software codesys_gateway-server 2.3.7.0
3s-software codesys_gateway-server 2.3.9.18
3s-software codesys_gateway-server 2.3.9.5
3s-software codesys_gateway-server 2.3.9.3
3s-software codesys_gateway-server 2.3.5.3
3s-software codesys_gateway-server 2.3.9.2
3s-software codesys_gateway-server 2.3.6.0
3s-software codesys_gateway-server 2.3.9