Update Details

Update #2839 (03/21/2017)

EOL Announcement (January 3, 2017): End-of-Life Notification for Juniper Networks IDP/AppID Signature Releases on EOL products. Please see TSB17019 for more information.

16 new signatures:

HIGH	SSL:TRENDMICRO-ARB-FILE-INCL	SSL: Trend Micro Control Manager lang Parameter Arbitrary File Inclusion
HIGH	HTTP:DOS:URI-PARAM-RANDOM	HTTP: Suspicious Random URI And GET Parameter
HIGH	HTTP:MISC:DISKPULSE-SERVER-BO	HTTP: Disk Pulse Enterprise Server HttpParser Buffer Overflow
HIGH	HTTP:STC:ADOBE:CVE-2017-3001-CE	HTTP: Adobe Flash CVE-2017-3001 Remote Code Execution
HIGH	HTTP:SQL:REQ-URI	HTTP: SQL Commands Detected In HTTP URIs
HIGH	HTTP:TWINCAT-OVERFLOW	HTTP: TwinCAT Scope TCatScopeView.exe Buffer Overflow
HIGH	HTTP:STC:ADOBE:CVE-2017-2997-CE	HTTP: Adobe Flash CVE-2017-2997 Remote Code Execution
HIGH	HTTP:DOS:SUSPICIOUS-URL	HTTP: Suspicious URL Detected
HIGH	HTTP:SQL:TRENDMICRO-CMD-INJCTN	HTTP: Trend Micro SafeSync restartService Command Injection
MEDIUM	HTTP:STC:DL:MAL-WIN-BRIEFCASE-4	HTTP: Windows Briefcase Integer Underflow Vulnerability (4)
HIGH	HTTP:EXPLOIT:URI-CMD-INJ	HTTP: Generic Command Injection Detected In URI
HIGH	HTTP:SQL:TRENDMICRO-COM-INJ	HTTP: Trend Micro SafeSync for Enterprise storage.pm discovery_iscsi_device Command Injection
MEDIUM	HTTP:EXPLOIT:SUSPICIOUS-MUL-PRT	HTTP: Suspicious Multi Part Traffic
HIGH	SSL:TRENDMICRO-COMM-INJTN	HTTP: Trend Micro SafeSync for Enterprise restartService Command Injection
HIGH	APP:ZLIB-COMPRES-LIB-DOS-2	APP: Zlib Compression Library Denial Of Service (2)
HIGH	SSL:TRENDMICRO-SS-CMD-INJ	SSL: Trend Micro SafeSync for Enterprise storage.pm discovery_iscsi_device Command Injection

23 updated signatures:

HIGH	DNS:SAMBA-DNS-REPLY-FLAG-DOS	DNS: Samba DNS Reply Flag Denial of Service
HIGH	HTTP:STC:DL:APPLE-DMG-VOLNAME	HTTP: Apple Computer Finder DMG Volume Name Memory Corruption
HIGH	HTTP:APACHE:STRUTS2-MAL-HYD-RCE	HTTP: Apache Struts 2 Malicious Header Remote Code Execution
HIGH	HTTP:STC:ACTIVEX:ISSYMBOL	HTTP: Advantech Studio ISSymbol Unsafe ActiveX Control Multiple Buffer Overflow
HIGH	SMTP:COMMAND:STARTTLS-CMD	SMTP: Multiple Products STARTTLS Plaintext Command Injection
HIGH	DNS:EXPLOIT:BIND-KEYPARSE-DOS	DNS: ISC BIND DNSSEC Key Parsing Buffer Denial of Service
MEDIUM	HTTP:STC:IE:CVE-2017-0065-ID	HTTP: Microsoft Edge CVE-2017-0065 Information Disclosure
HIGH	APP:NOVELL:NETIQ-EDIR-BOF	HTTP: Novell NetIQ eDirectory Stack Buffer Overflow
HIGH	HTTP:STC:MS-DOTNET-NAMESPACE-BO	HTTP: Microsoft .NET Framework S.DS.P Namespace Method Buffer Overflow
MEDIUM	APP:KERBEROS:MIT-KRB5-KDC-DOS	APP: MIT Kerberos 5 Key Distribution Center Denial of Service
LOW	HTTP:EXT:DOT-UNSAFE	HTTP: Unsafe File Extension
HIGH	HTTP:STC:IE:CVE-2015-2515-UAF	HTTP: Microsoft Internet Explorer CVE-2015-2515 User After Free
HIGH	APP:EMC-ALPHASTORE-CMDEXEC	APP: EMC AlphaStore Mutiple Parameter Parsing Command Injecton
HIGH	HTTP:STC:IE:UTF8-DECODE-OF	HTTP: Internet Explorer HTML Decoding Memory Corruption
HIGH	HTTP:STC:ADOBE:CVE-2017-2960-CE	HTTP: Adobe Acrobat and Reader CVE-2017-2960 Remote Code Execution
HIGH	APP:CAIN-ABEL-CISCO-IOS-BOF	APP: Cain & Abel Cisco IOS Configuration File Buffer Overflow
HIGH	HTTP:STC:DL:MPLAYER-SAMI	HTTP: MPlayer SAMI Subtitle sub_read_line_sami Buffer Overflow
HIGH	APP:IBM:TIVOLI-OF	APP: IBM Tivoli Management Framework Overflow
CRITICAL	SHELLCODE:X86:BASE64-NOOP-80	SHELLCODE: Base64 X86 NOOP Detection Over HTTP
HIGH	APP:TROLLTECH-QT-BMP-OF	APP: Trolltech Qt BMP Handling Overflow
HIGH	HTTP:PHP:FTP-GENLIST-IO	HTTP: PHP FTP Genlist Method Integer Overflow
CRITICAL	SHELLCODE:X86:REVERS-CONECT-80	SHELLCODE: X86 Linux Reverse Connect Detection Over HTTP
MEDIUM	HTTP:EXPLOIT:HOST-RANDOM-3	HTTP: Suspicious Randomized Host Header (3)

2 renamed signatures:

HTTP:STC:DL:MAL-WIN-BRIEFCASE-2	->	HTTP:STC:DL:MAL-WIN-BRIEFCASE-3
HTTP:STC:ACTIVEX:CVE-2017-002	->	HTTP:STC:ACTIVEX:CVE-2017-0022

Details of the signatures included within this bulletin:

SSL:TRENDMICRO-ARB-FILE-INCL - SSL: Trend Micro Control Manager lang Parameter Arbitrary File Inclusion

Severity: HIGH

Description:

An arbitrary file inclusion vulnerability has been reported in Trend Micro Control Manager. Successful exploitation results in arbitrary code execution.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, idp-5.0.0, isg-3.4.0, isg-3.5.0, isg-3.4.139899, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, isg-3.4.140032, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, vsrx-15.1, idp-4.1.110110609, isg-3.5.141597, idp-5.1.110160603

HTTP:MISC:DISKPULSE-SERVER-BO - HTTP: Disk Pulse Enterprise Server HttpParser Buffer Overflow

Severity: HIGH

Description:

This signature attempts to detect buffer overflow vulnerability in the web server component of Disk Pulse Enterprise Server. Successful exploitation allows the attacker to execute arbitrary code in the security context of system.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, idp-5.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, isg-3.4.139899, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, isg-3.4.140032, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, vsrx-15.1, idp-4.1.110110609, isg-3.5.141597, idp-5.1.110160603

APP:NOVELL:NETIQ-EDIR-BOF - HTTP: Novell NetIQ eDirectory Stack Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Novell NetIQ eDirectory. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the vulnerable application.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, idp-5.0.0, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, isg-3.4.139899, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, isg-3.4.140032, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, vsrx-15.1, idp-4.1.110110609, isg-3.5.141597, idp-5.1.110160603

References:

bugtraq: 57038
cve: CVE-2012-0432

Affected Products:

netiq edirectory 8.8.7.1
netiq edirectory 8.8.7.0

HTTP:STC:ADOBE:CVE-2017-3001-CE - HTTP: Adobe Flash CVE-2017-3001 Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Adobe Flash Player. A successful attack can lead to arbitrary code execution.

Supported On:

isg-3.5.141652, srx-branch-12.1, mx-11.4, idp-5.1.110161014, idp-4.1.0, mx-16.1, vsrx-12.1, vsrx-15.1, srx-12.1, j-series-9.5, isg-3.5.141597, idp-5.1.110160603

References:

cve: CVE-2017-3001

HTTP:STC:ADOBE:CVE-2017-2997-CE - HTTP: Adobe Flash CVE-2017-2997 Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Adobe Flash Player. A successful attack can lead to arbitrary code execution.

Supported On:

isg-3.5.141652, srx-branch-12.1, mx-11.4, idp-5.1.110161014, idp-4.1.0, mx-16.1, vsrx-12.1, vsrx-15.1, idp-5.1.110160603, j-series-9.5, isg-3.5.141597, srx-12.1

References:

cve: CVE-2017-2997

HTTP:STC:DL:MAL-WIN-BRIEFCASE-3 - HTTP: Windows Briefcase Integer Underflow Vulnerability (3)

Severity: CRITICAL

Description:

This signature detects attempts to exploit a know problem in Windows Briefcase. Windows Briefcase is a feature that will synchronize the contents of two folders. A successful exploit can lead to arbitrary code execution in the security context of the affected user.

Supported On:

References:

cve: CVE-2012-1528

Affected Products:

microsoft windows_xp - (sp2:x64)
microsoft windows_8 - (-:x86)
microsoft windows_server_2008 (sp2:x64)
microsoft windows_8 - (-:x64)
microsoft windows_xp (sp3)
microsoft windows_server_2003 (sp2:x64)
microsoft windows_server_2012 -
microsoft windows_7 (:x86)
microsoft windows_7 (sp1:x64)
microsoft windows_7 (:x64)
microsoft windows_vista (sp2:x64)
microsoft windows_server_2008 (r2:x64)
microsoft windows_server_2008 r2 (sp1:x64)
microsoft windows_7 (sp1:x86)
microsoft windows_server_2008 (sp2:x86)
microsoft windows_server_2003 (sp2:itanium)

APP:KERBEROS:MIT-KRB5-KDC-DOS - APP: MIT Kerberos 5 Key Distribution Center Denial of Service

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against MIT Kerberos 5 Key Distribution Center. A successful attack can result in a denial-of-service condition.

Supported On:

References:

url: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-006.txt
bugtraq: 50273
cve: CVE-2011-1527

Affected Products:

mit kerberos 5-1.9.1
mit kerberos 5-1.9

SHELLCODE:X86:REVERS-CONECT-80 - SHELLCODE: X86 Linux Reverse Connect Detection Over HTTP

Severity: CRITICAL

Description:

This signature detects payloads being transferred over network that have been using x86 linux reserve connect. This may be an indication of someone trying to evade anti-virus/IPS solutions and possibly drop malicious code.

Supported On:

srx-branch-12.1, isg-3.5.141652, mx-11.4, idp-5.1.110161014, idp-4.1.0, mx-16.1, vsrx-12.1, vsrx-15.1, idp-5.1.110160603, j-series-9.5, isg-3.5.141597, srx-12.1

SHELLCODE:X86:BASE64-NOOP-80 - SHELLCODE: Base64 X86 NOOP Detection Over HTTP

Severity: CRITICAL

Description:

This signature detects payloads being transferred over network that have been using base64 x86 NOOP. This may be an indication of someone trying to evade anti-virus/IPS solutions and possibly drop malicious code.

Supported On:

srx-branch-12.1, isg-3.5.141652, mx-11.4, idp-5.1.110161014, idp-4.1.0, mx-16.1, vsrx-12.1, vsrx-15.1, idp-5.1.110160603, j-series-9.5, isg-3.5.141597, srx-12.1

APP:ZLIB-COMPRES-LIB-DOS-2 - APP: Zlib Compression Library Denial Of Service (2)

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Zlib Compression Library. A successful attack can result in a denial-of-service condition.

Supported On:

isg-3.5.141652, srx-branch-12.1, mx-11.4, idp-5.1.110161014, idp-4.1.0, mx-16.1, vsrx-12.1, vsrx-15.1, srx-12.1, j-series-9.5, isg-3.5.141597, idp-5.1.110160603

References:

bugtraq: 11051
cve: CVE-2004-0797

Affected Products:

gnu zlib 1.2.1

HTTP:EXT:DOT-UNSAFE - HTTP: Unsafe File Extension

Severity: LOW

Description:

This signature detects a HTTP request for downloading a file with an "unsafe" extension using Internet Explorer. Microsoft has announced that using Internet Explorer to download files with certain extensions can be unsafe. See the references for more information.

Supported On:

References:

url: http://www.cknow.com/vtutor/FileExtensions.html
url: http://support.microsoft.com/?kbid=291369
bugtraq: 42154
cve: CVE-2010-2709

DNS:SAMBA-DNS-REPLY-FLAG-DOS - DNS: Samba DNS Reply Flag Denial of Service

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Samba DNS Reply Flag. The server fails to check the reply flag of DNS packets, making it vulnerable to reply to a spoofed reply. This could result in a "ping-pong" type attack where two vulnerable servers attack each other. An attacker could exploit this vulnerability by sending a DNS query to a vulnerable server with a spoofed source IP address of another vulnerable server. Successful exploitation could result in excessive consumption of resources on both vulnerable servers, possibly causing a denial of service condition.

Supported On:

References:

bugtraq: 67691
cve: CVE-2014-0239

Affected Products:

samba 4.0.15
samba 4.0.6
samba 4.0.10
samba 4.0.1
samba 4.0.14
samba 4.0.5
samba 4.0.9
samba 4.0.13
samba 4.0.4
samba 4.0.17
samba 4.0.8
samba 4.0.12
samba 4.0.3
samba 4.0.16
samba 4.0.7
samba 4.0.11
samba 4.0.2

HTTP:STC:DL:MAL-WIN-BRIEFCASE-4 - HTTP: Windows Briefcase Integer Underflow Vulnerability (4)

Severity: MEDIUM

Description:

Supported On:

References:

cve: CVE-2012-1528

Affected Products:

microsoft windows_xp - (sp2:x64)
microsoft windows_8 - (-:x86)
microsoft windows_server_2008 (sp2:x64)
microsoft windows_8 - (-:x64)
microsoft windows_xp (sp3)
microsoft windows_server_2003 (sp2:x64)
microsoft windows_server_2012 -
microsoft windows_7 (:x86)
microsoft windows_7 (sp1:x64)
microsoft windows_7 (:x64)
microsoft windows_vista (sp2:x64)
microsoft windows_server_2008 (r2:x64)
microsoft windows_server_2008 r2 (sp1:x64)
microsoft windows_7 (sp1:x86)
microsoft windows_server_2008 (sp2:x86)
microsoft windows_server_2003 (sp2:itanium)

HTTP:STC:DL:APPLE-DMG-VOLNAME - HTTP: Apple Computer Finder DMG Volume Name Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a vulnerability in the Apple Computer Mac OSX Finder application. By supplying a specially crafted DMG file, an attacker can cause arbitrary code to be executed on the victim host.

Supported On:

References:

cve: CVE-2007-0197
url: http://projects.info-pull.com/moab/MOAB-09-01-2007.html
bugtraq: 21980

Affected Products:

Apple Mac OS X 10.4.8
Apple Mac OS X Server 10.4.8

HTTP:SQL:TRENDMICRO-COM-INJ - HTTP: Trend Micro SafeSync for Enterprise storage.pm discovery_iscsi_device Command Injection

Severity: HIGH

Description:

A command injection vulnerability exists in Trend Micro's SafeSync for Enterprise storage.pm page. Successful exploitation could lead to arbitrary command execution under the security context of root.

Supported On:

HTTP:APACHE:STRUTS2-MAL-HYD-RCE - HTTP: Apache Struts 2 Malicious Header Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Apache Struts. A successful attack can lead to arbitrary code execution.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, idp-5.0.0, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, isg-3.4.139899, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, DI-Base, mx-11.4, DI-Server, isg-3.4.140032, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, vsrx-15.1, idp-4.1.110110609, isg-3.5.141597, idp-5.1.110160603

References:

url: https://cwiki.apache.org/confluence/display/WW/S2-045
cve: CVE-2017-5638

SSL:TRENDMICRO-COMM-INJTN - HTTP: Trend Micro SafeSync for Enterprise restartService Command Injection

Severity: HIGH

Description:

A command injection vulnerability exists in Trend Micro's SafeSync for Enterprise. Successful exploitation could lead to arbitrary command execution under the security context of the root.

Supported On:

HTTP:SQL:TRENDMICRO-CMD-INJCTN - HTTP: Trend Micro SafeSync restartService Command Injection

Severity: HIGH

Description:

A command injection vulnerability exists in Trend Micro's SafeSync for Enterprise.Successful exploitation could lead to arbitrary command execution under the security context of the root.

Supported On:

SSL:TRENDMICRO-SS-CMD-INJ - SSL: Trend Micro SafeSync for Enterprise storage.pm discovery_iscsi_device Command Injection

Severity: HIGH

Description:

Supported On:

HTTP:STC:ACTIVEX:ISSYMBOL - HTTP: Advantech Studio ISSymbol Unsafe ActiveX Control Multiple Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Advantech Studio. An attacker can create a Web site containing Web pages with dangerous ActiveX calls, which if accessed by a victim, allows the attacker to gain control of the victim's client browser.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.1.110110719, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, idp-5.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, isg-3.4.139899, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, isg-3.4.140032, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, vsrx-15.1, idp-4.1.110110609, isg-3.5.141597, idp-5.1.110160603

References:

cve: CVE-2011-0342
bugtraq: 49403
bugtraq: 47596
cve: CVE-2011-0340
url: http://www.advantech.com/products/Advantech-Studio/mod_3D1B45B0-B0AF-405C-A9CC-A27B35774634.aspx
url: http://www.indusoft.com/hotfixes/hotfixes.php
url: http://www.indusoft.com/indusoftart.php?catid=1&name=IWS/webstudio

Affected Products:

Advantech Advantech Studio 6.1 SP6 Build 61.6.0
Indusoft Thin Client 7.0
Indusoft Web Studio 7.0B2

HTTP:STC:IE:UTF8-DECODE-OF - HTTP: Internet Explorer HTML Decoding Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Internet Explorer. A successful attack could allow the attacker to execute arbitrary code on the targeted system. Failed exploit attempts could result in a denial of service condition.

Supported On:

References:

cve: CVE-2006-2382
url: http://www.ietf.org/rfc/rfc2279.txt
url: http://home-4.tiscali.nl/~t876506/utf8tbl.html
bugtraq: 18309
cve: CVE-2008-0016

Affected Products:

Microsoft Internet Explorer 5.5 SP1
Microsoft Internet Explorer 5.0.1 SP4
Microsoft Internet Explorer 7.0 Beta1
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 5.0.1
Microsoft Internet Explorer 5.5 SP2
Microsoft Internet Explorer 7.0 Beta2
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 5.0.1 SP1
Microsoft Internet Explorer 5.0.1 For Windows 95
Microsoft Internet Explorer 5.0.1 For Windows 98
Microsoft Internet Explorer 5.0.1 For Windows NT 4.0
Microsoft Internet Explorer 5.0.1 For Windows 2000
Microsoft Internet Explorer 5.0.1 SP2
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 5.0.1 SP3
Microsoft Internet Explorer 5.5 Preview

HTTP:DOS:URI-PARAM-RANDOM - HTTP: Suspicious Random URI And GET Parameter

Severity: HIGH

Description:

This signature detects a suspicious HTTP URL. This kind of behavior is mostly observed when someone is trying to scan and send malicious traffic against a network security device using various traffic generation tools. This signature may trigger false-positives inside the Intranet traffic, so it is suggested to avoid using it for inspecting such traffic. This signature is highly recommended to protect web servers and devices deployed at a data centre.

Supported On:

References:

cve: CVE-2016-5360
url: http://www.openwall.com/lists/oss-security/2016/06/09/5

Affected Products:

haproxy 1.6.3
haproxy 1.6.4
haproxy 1.6.0
haproxy 1.6.5
haproxy 1.6.1
canonical ubuntu_linux 16.04
haproxy 1.6.2

HTTP:DOS:SUSPICIOUS-URL - HTTP: Suspicious URL Detected

Severity: HIGH

Description:

This signature detects a suspicious HTTP URL value. This kind of behavior is mostly observed when someone is trying to scan and send malicious traffic against a network security device using various traffic generation tools. This signature may trigger false-positives inside the Intranet traffic, so it is suggested to avoid using it for inspecting such traffic. This signature is highly recommended to protect web servers and devices deployed at a data centre.

Supported On:

References:

cve: CVE-2015-2515

Affected Products:

microsoft windows_rt_8.1 -
microsoft windows_rt -
microsoft windows_vista -
microsoft windows_8 -
microsoft windows_8.1 -
microsoft windows_server_2008 r2
microsoft windows_server_2012 -
microsoft windows_7 -
microsoft windows_10 -
microsoft windows_server_2008 -
microsoft windows_server_2012 r2

HTTP:STC:ADOBE:CVE-2017-2960-CE - HTTP: Adobe Acrobat and Reader CVE-2017-2960 Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Adobe Acrobat and Reader. A successful attack can lead to arbitrary code execution.

Supported On:

References:

bugtraq: 95345
cve: CVE-2017-2960

HTTP:SQL:REQ-URI - HTTP: SQL Commands Detected In HTTP URIs

Severity: HIGH

Description:

This signature detects specific characters, typically used in SQL procedures, within an HTTP connection. Because these characters are not normally used in HTTP, this can indicate a SQL injection attack through a procedure.

Supported On:

HTTP:TWINCAT-OVERFLOW - HTTP: TwinCAT Scope TCatScopeView.exe Buffer Overflow

Severity: HIGH

Description:

This signature detects the attempt to exploit the buffer overflow vulnerability on TCatScopeView.exe when processing malicious svw or wsm file extension. A successful attack can lead to arbitrary code execution

Supported On:

References:

bugtraq: 52294

APP:EMC-ALPHASTORE-CMDEXEC - APP: EMC AlphaStore Mutiple Parameter Parsing Command Injecton

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against EMC AlphaStore. Attackers can inject and execute arbitrary commands on the targeted system.

Supported On:

References:

cve: CVE-2013-0928

Affected Products:

emc alphastor 4.0

HTTP:PHP:FTP-GENLIST-IO - HTTP: PHP FTP Genlist Method Integer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the PHP's ftp_genlist Method. Successful exploitation could lead to arbitrary code execution

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, idp-5.0.0, isg-3.5.0, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, idp-4.0.110090831, isg-3.4.139899, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, vsrx-15.1, idp-4.1.110110609, isg-3.5.141597, idp-5.1.110160603

References:

url: http://php.net/changelog-5.php#5.6.9
cve: CVE-2015-4022
url: http://securitytracker.com/id?1032433

Affected Products:

php 5.5.1
php 5.6.0
php 5.5.0
php 5.5.19
php 5.6.2
php 5.5.18
php 5.6.3
php 5.4.39
php 5.6.4
php 5.6.5
php 5.6.6
php 5.5.22
php 5.6.7
php 5.5.23
php 5.5.14
php 5.5.20
php 5.5.9
php 5.5.13
php 5.5.21
php 5.6.8
php 5.5.8
php 5.5.12
php 5.5.7
php 5.5.11
php 5.5.10
php 5.5.6
php 5.4.40
php 5.5.24
php 5.5.5
php 5.5.4
php 5.5.3
php 5.5.2

HTTP:STC:DL:MPLAYER-SAMI - HTTP: MPlayer SAMI Subtitle sub_read_line_sami Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in MPlayer. Specifically, the vulnerability is due a stack buffer overflow when reading a long caption from a SAMI subtitle file. A remote, unauthenticated attacker could exploit this vulnerability by enticing a target user to download a crafted SAMI file, resulting in the execution of arbitrary code in the security context of the target user.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, idp-5.0.0, isg-3.5.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, idp-4.0.110090831, isg-3.4.139899, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, vsrx-15.1, idp-4.1.110110609, isg-3.5.141597, idp-5.1.110160603

APP:IBM:TIVOLI-OF - APP: IBM Tivoli Management Framework Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known flaw in IBM Tivoli Management Framework. An attacker can send an overly long parameter, which could result in arbitrary code execution or a denial of service.

Supported On:

References:

cve: CVE-2011-1220
bugtraq: 48049

Affected Products:

IBM Tivoli Management Framework 4.1.1
IBM Tivoli Management Framework 4.1
IBM Tivoli Management Framework 4.3.1

SMTP:COMMAND:STARTTLS-CMD - SMTP: Multiple Products STARTTLS Plaintext Command Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against several mail transfer agents (MTA's). A successful attack can lead to arbitrary command injection.

Supported On:

References:

cve: CVE-2014-3556
cve: CVE-2011-1926
cve: CVE-2011-0411
bugtraq: 46767

Affected Products:

Debian Linux 5.0 Hppa
Kerio Mailserver 6.0.9
Avaya Messaging Storage Server 5.1
Kerio Mailserver 6.6.0
Kerio Mailserver 6.0.10
Kerio Mailserver 6.7.0 Patch 1
Kerio Mailserver 6.6.2 Patch 3
Kerio Mailserver 6.6.1
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux Desktop Optional 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux HPC Node Optional 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Server Optional 6
Red Hat Enterprise Linux Workstation 6
Red Hat Enterprise Linux Workstation Optional 6
Ubuntu Ubuntu Linux 6.06 LTS Amd64
Apple Mac Os X 10.6.5
Apple Mac OS X Server 10.6.5
Ipswitch IMail 7.0.6
SuSE openSUSE 11.2
Ipswitch IMail 8.0.5
Wietse Venema Postfix 2.0.0
Debian Linux 5.0 Powerpc
ISC INN 2.4.1
Ipswitch IMail 8.1.0
Ipswitch IMail 8.13.0
Debian Linux 5.0 S/390
Ipswitch IMail 5.0.8
Ipswitch IMail 7.12.0
Kerio Mailserver 6.7.0
Ubuntu Ubuntu Linux 8.04 LTS Amd64
Ubuntu Ubuntu Linux 8.04 LTS I386
Ubuntu Ubuntu Linux 8.04 LTS Lpia
Ubuntu Ubuntu Linux 8.04 LTS Powerpc
Ubuntu Ubuntu Linux 8.04 LTS Sparc
Kerio Mailserver 6.0.4
Debian Linux 4.0 Armel
Ipswitch IMail 5.0.5
Avaya Aura Communication Manager 6.0
Kerio Mailserver 5.6.3
Kerio Mailserver 5.7.7
Ipswitch IMail 8.20.0
Avaya Message Networking 5.2.2
Avaya Messaging Storage Server 5.2.2
Kerio Mailserver 5.7.6
Avaya Message Networking 5.2 SP1
qmail-smtpd-auth netqmail
Ipswitch IMail
Avaya Messaging Storage Server 5.2
Ipswitch IMail 6.0.2
Wietse Venema Postfix 2.4.8
Wietse Venema Postfix 2.8
Wietse Venema Postfix 2.5.5
Avaya Messaging Storage Server 5.2.8
Wietse Venema Postfix 2.6-20080902
Apple Mac OS X 10.6
Apple Mac OS X Server 10.6
Kerio Mailserver 5.7.3
Wietse Venema Postfix 2.5.4 Patchlevel 4
Wietse Venema Postfix 2.5.4
Red Hat Enterprise Linux Desktop 5 Client
Ubuntu Ubuntu Linux 9.10 Amd64
Ubuntu Ubuntu Linux 9.10 I386
Mandriva Corporate Server 4.0.0 X86 64
Ubuntu Ubuntu Linux 9.10 Powerpc
Ubuntu Ubuntu Linux 9.10 Sparc
Ubuntu Ubuntu Linux 6.06 LTS I386
Ipswitch IMail 6.1.0
Kerio Mailserver 6.0.2
Pardus Linux 2011
Ipswitch IMail 8.15.0 Hotfix 1
Kolab Kolab Groupware Server 2.2 Beta3
Wietse Venema Postfix 2.1.3
Ubuntu Ubuntu Linux 9.10
Ipswitch IMail 7.0.5
Kolab Kolab Groupware Server 2.0.2
Kolab Kolab Groupware Server 2.0.1
Kolab Kolab Groupware Server 2.0.3
Wietse Venema Postfix 20010228
Wietse Venema Postfix 20011115
Wietse Venema Postfix 19991231
Wietse Venema Postfix 19990906
Ipswitch IMail 6.0.5
SuSE SUSE Linux Enterprise 10 SP2
Avaya Messaging Storage Server 5.2 SP1
Cyrus Cyrus IMAP Server 2.4.6
Cyrus Cyrus IMAP Server 2.4
Pure-FTPd 1.0.29
Kerio Mailserver 6.0.5
Ipswitch IMail 8.2.0
Ipswitch IMail 8.2.0 Hotfix 2
Apple Mac OS X 10.6.3
Apple Mac OS X Server 10.6.3
Kolab Kolab Groupware Server 2.2 -Rc2
Avaya Messaging Storage Server 5.2 SP2
Ubuntu Ubuntu Linux 10.10 amd64
Ubuntu Ubuntu Linux 10.10 powerpc
Apple Mac OS X 10.6.5
Apple Mac Os X 10.6.8
Avaya Messaging Storage Server 5.2 SP3
Apple Mac OS X 10.6.2
Apple Mac OS X Server 10.6.2
Ipswitch IMail 5.0.0
Ubuntu Ubuntu Linux 9.10 Lpia
Kerio Mailserver 6.1.3
Kerio Mailserver 6.1.3 Patch 1
Avaya Messaging Storage Server 5.1 SP1
Ipswitch IMail 8.0.3
Kerio Kerio Connect 7.1.4 build 2985
Debian Linux 6.0
Ubuntu Ubuntu Linux 10.10 i386
Kolab Kolab Groupware Server 2.2.4
Avaya Messaging Storage Server 5.1 SP2
Avaya Aura Communication Manager 6.0.1
Kerio Mailserver 5.6.4
Kerio Mailserver 5.6.5
Wietse Venema Postfix 2.1.5
Wietse Venema Postfix 2.2.4
Kerio Mailserver 6.4.1
Avaya Messaging Storage Server 5.0
Debian Linux 4.0 Mipsel
Mandriva Linux Mandrake 2009.0 X86 64
SCO SCOoffice Server
Wietse Venema Postfix 2.2.10
Debian Linux 4.0 Powerpc
Avaya Message Networking 5.2
Kerio Mailserver 6.0.3
Debian Linux 5.0
Debian Linux 5.0 Alpha
Avaya Message Networking 3.1
Debian Linux 5.0 Arm
WatchGuard XCS 9.1
Debian Linux 5.0 Ia-32
Debian Linux 5.0 Ia-64
Kerio Mailserver 6.4.2
Debian Linux 5.0 Mips
Debian Linux 5.0 Mipsel
Apple Mac Os X 10.6.6
Apple Mac OS X Server 10.6.6
Debian Linux 5.0 Sparc
Kolab Kolab Groupware Server 2.2-Rc1
Kolab Kolab Groupware Server 2.2 Beta1
Ubuntu Ubuntu Linux 9.10 ARM
Ubuntu Ubuntu Linux 10.04 ARM
Ubuntu Ubuntu Linux 10.10 ARM
SuSE openSUSE 11.4
Red Hat Fedora 14
Avaya Message Networking 5.2.1
Wietse Venema Postfix 2.1.0
Kerio Mailserver 5.7.0 .0
Red Hat Fedora 13
Ipswitch IMail 8.01
Ipswitch IMail 8.11
Mandriva Enterprise Server 5
Mandriva Linux Mandrake 2009.0
spamdyke 4.2
Mandriva Corporate Server 4.0
Ipswitch IMail 8.14.0
SuSE SUSE Linux Enterprise 10 SP4
Red Hat Enterprise Linux Desktop Workstation 5 Client
Red Hat Enterprise Linux 5 Server
Ipswitch IMail 7.1.0
Ipswitch IMail 7.0.7
Ubuntu Ubuntu Linux 10.04 Amd64
Ipswitch IMail 6.0.0
Kolab Kolab Groupware Server 2.2.3
Kolab Kolab Groupware Server 2.2-Rc3
SuSE SUSE Linux Enterprise 11 SP1
Kolab Kolab Groupware Server 2.0.4
Kolab Kolab Groupware Server 2.1Beta2
Kerio Mailserver 5.1.0
Kerio Mailserver 5.1.1
Apple Mac OS X Server 10.6.1
Ubuntu Ubuntu Linux 6.06 LTS Powerpc
Kolab Kolab Groupware Server 2.3.1
Gentoo Linux
Kolab Kolab Groupware Server 2.1.0
Avaya Messaging Storage Server 4.0
Ubuntu Ubuntu Linux 10.04 LTS
Kerio Mailserver 6.3.1
ISC INN 2.3.0
Kerio Mailserver 6.7.3
ISC INN 2.5.2
Kerio Mailserver 7.0.0
Apple Mac OS X Server 10.6.5
Debian Linux 4.0 Alpha
Debian Linux 4.0 Amd64
Debian Linux 4.0 Arm
Debian Linux 4.0 Hppa
Debian Linux 4.0 Ia-32
Debian Linux 4.0 Ia-64
Debian Linux 4.0 M68k
Debian Linux 4.0 Mips
SuSE SUSE Linux Enterprise 10 SP3
Ipswitch IMail 6.3.0
Debian Linux 4.0 S/390
Debian Linux 4.0 Sparc
Debian Linux 4.0
Kerio Mailserver 5.7.8
Kolab Kolab Groupware Server 2.2.2
Ipswitch IMail 7.0.4
Ipswitch IMail 7.0.3
Ipswitch IMail 7.0.2
Ipswitch IMail 7.0.1
Ubuntu Ubuntu Linux 10.04 I386
Ubuntu Ubuntu Linux 10.04 Powerpc
Ubuntu Ubuntu Linux 10.04 Sparc
Kerio Mailserver 6.6.1 Build 7069
Kerio Mailserver 6.6.2
Kolab Groupware Server 2.1.Beta3
Sun Java System Messaging Server 6.3
Ipswitch IMail 6.2.0
Sun Java System Messaging Server 7.0
Ipswitch IMail 6.4.0
SuSE SUSE Linux Enterprise Server 9
Ipswitch IMail 8.22.0
Red Hat Enterprise Linux AS 4
ISC INN 2.4.0 .0
ISC INN 2.3.1
Red Hat Enterprise Linux Desktop Version 4
Kerio Mailserver 5.7.9
ISC INN 2.3.2
Kerio Mailserver 6.2.2
Mandriva Linux Mandrake 2010.1 X86 64
Mandriva Linux Mandrake 2010.1
Kolab Kolab Groupware Server 2.2.0
Ipswitch IMail 5.0.6
Ipswitch IMail 5.0.7
Kerio Mailserver 5.7.5
Kerio Mailserver 5.7.4
Wietse Venema Postfix 2.2.3
Kerio Mailserver 5.7.2
Kerio Mailserver 5.7.1
IETF STARTTLS
Kerio Mailserver 6.0.1
Kerio Mailserver 5.0.0
Apple Mac OS X 10.6.4
Apple Mac OS X Server 10.6.4
ISC INN 2.3.3
Ubuntu Ubuntu Linux 6.06 LTS Sparc
Ipswitch IMail 2006.2
SuSE openSUSE 11.3
Mandriva Enterprise Server 5 X86 64
Debian Linux 5.0 M68k
Red Hat Enterprise Linux ES 4
Apple Mac Os X Server 10.6.8
Pardus Linux 2009
Wietse Venema Postfix 2.4.9
Red Hat Enterprise Linux WS 4
Wietse Venema Postfix 1.1.11
Wietse Venema Postfix 1.1.12
Apple Mac OS X 10.6.1
Apple Mac Os X 10.6.7
Apple Mac Os X Server 10.6.7
Wietse Venema Postfix 1.0.21
Wietse Venema Postfix 1.1.13
Kerio Mailserver 5.7.10
Kerio Mailserver 6.0.0
Debian Linux 5.0 Amd64
Kerio Mailserver 6.5.0
Debian Linux 5.0 Armel
Ipswitch IMail 6.0.1
WatchGuard XCS 9.0
Ipswitch IMail 6.0.3
Ipswitch IMail 6.0.4
Ipswitch IMail 6.0.6
Wietse Venema Postfix 2.6

HTTP:EXPLOIT:HOST-RANDOM-3 - HTTP: Suspicious Randomized Host Header (3)

Severity: MEDIUM

Description:

This signature detects a suspicious HTTP host header. This kind of behavior is mostly observed when someone is trying to scan and send malicious traffic against a network security device using various traffic generation tools. This signature may trigger false-positives inside the Intranet traffic, so it is suggested to avoid using it for inspecting such traffic. This signature is highly recommended to protect web servers and devices deployed at a data centre.

Supported On:

APP:TROLLTECH-QT-BMP-OF - APP: Trolltech Qt BMP Handling Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a flaw in the Trolltech Qt image handling subsystem, which is used by the KDE Graphical Environment, commonly found in Linux and other Unix-based systems. A known vulnerability exists in the read_dib function that does not perform proper bounds checking of RLE data from a BMP file. An attacker could exploit this flaw to crash a system or possibly install malicious software when a user attempts to view a specially crafted BMP.

Supported On:

References:

cve: CVE-2004-0691
url: http://www.juniper.net/security/auto/vulnerabilities/vuln1718.html
url: http://rhn.redhat.com/errata/RHSA-2004-414.html
bugtraq: 10977

Affected Products:

Red Hat Linux 7.3.0 I686
Trolltech Qt 3.3.2
Red Hat Advanced Workstation for the Itanium Processor 2.1.0
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux ES 3
Red Hat Enterprise Linux WS 3
Trolltech Qt 3.3.0 .0
Red Hat Advanced Workstation for the Itanium Processor 2.1.0 IA64
Trolltech Qt 3.0.3
Red Hat Linux 7.3.0
Red Hat Linux 7.3.0 I386
Red Hat Linux 9.0.0 I386
Red Hat Enterprise Linux ES 2.1
Trolltech Qt 2.3.1
Avaya Intuity LX
Trolltech Qt 3.0.0
Avaya Modular Messaging (MSS) 1.1.0
Avaya Modular Messaging (MSS) 2.0.0
Avaya MN100
Gentoo Linux 1.4.0
Red Hat Fedora Core1
Trolltech Qt 3.1.2
Red Hat Desktop 3.0.0
SuSE Linux Personal 9.0.0
Trolltech Qt 3.1.1
Trolltech Qt 3.0.5
Trolltech Qt 3.2.1
SuSE Linux 8.1.0
SuSE Linux Personal 8.2.0
Sun Java Desktop System (JDS) 2003
Trolltech Qt 3.1.0
Red Hat Enterprise Linux WS 2.1
Red Hat Enterprise Linux AS 2.1
SuSE SUSE Linux Enterprise Server 8
Trolltech Qt 3.3.1
Sun Java Desktop System (JDS) 2.0.0
Red Hat Enterprise Linux WS 2.1 IA64
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux ES 2.1 IA64
Trolltech Qt 3.2.3
SuSE Linux Desktop 1.0.0

HTTP:EXPLOIT:SUSPICIOUS-MUL-PRT - HTTP: Suspicious Multi Part Traffic

Severity: MEDIUM

Description:

This signature detects a suspicious HTTP MULTI-PART data traffic, where "Boundary" string is missing to mark the initiation of boundary. This kind of behavior is mostly observed when someone is trying to scan and send malicious traffic against a network security device using various traffic generators.

Supported On:

References:

cve: CVE-2015-2321
bugtraq: 76503

Affected Products:

job_manager 0.7.22

HTTP:EXPLOIT:URI-CMD-INJ - HTTP: Generic Command Injection Detected In URI

Severity: HIGH

Description:

This signature detects attempts to request arbitrary commands in URL. A successful attack can lead to arbitrary code execution.

Supported On:

APP:CAIN-ABEL-CISCO-IOS-BOF - APP: Cain & Abel Cisco IOS Configuration File Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Cain & Abel Cisco IOS. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the affected application.

Supported On:

HTTP:STC:ACTIVEX:CVE-2017-0022 - HTTP: Microsoft XML Core Services CVE-2017-0022 Unsafe ActiveX Control

Severity: MEDIUM

Description:

This signature detects attempts to use an unsafe ActiveX control in Microsoft XML Core Services. An attacker can create a malicious Web site containing Web pages with dangerous ActiveX controls, which if accessed by a victim, allows the attacker to gain control of the victim's client browser.

Supported On:

References:

cve: CVE-2017-0022

HTTP:STC:MS-DOTNET-NAMESPACE-BO - HTTP: Microsoft .NET Framework S.DS.P Namespace Method Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft .NET framework. A successful attack can lead to arbitrary code execution.

Supported On:

References:

bugtraq: 57114
cve: CVE-2013-0003

Affected Products:

microsoft .net_framework 3.5
microsoft .net_framework 3.5.1
microsoft .net_framework 4.5
microsoft .net_framework 2.0 (sp2)
microsoft .net_framework 4.0

DNS:EXPLOIT:BIND-KEYPARSE-DOS - DNS: ISC BIND DNSSEC Key Parsing Buffer Denial of Service

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against ISC BIND. Attackers can send crafted malicious data to cause denial of service condition to the target service.

Supported On:

References:

bugtraq: 76605
url: http://securitytracker.com/id?1033452
cve: CVE-2015-5722

Affected Products:

isc bind 9.10.2
isc bind 9.9.7

HTTP:STC:IE:CVE-2017-0065-ID - HTTP: Microsoft Edge CVE-2017-0065 Information Disclosure

Severity: MEDIUM

Description:

This signature detects an attempt to exploit a known vulnerability against Microsoft Edge. Successful attack can lead to unauthorized info disclosure.

Supported On:

References:

cve: CVE-2017-0065

HTTP:STC:IE:CVE-2015-2515-UAF - HTTP: Microsoft Internet Explorer CVE-2015-2515 User After Free

Severity: HIGH

Description:

This signature detects an attempt to exploit an Use-After-Free Vulnerability in Microsoft Internet Explorer. Successful exploitation could allow an attacker to execute arbitrary code into the application's context.

Supported On:

References:

cve: CVE-2015-2515

Affected Products:

microsoft windows_rt_8.1 -
microsoft windows_rt -
microsoft windows_vista -
microsoft windows_8 -
microsoft windows_8.1 -
microsoft windows_server_2008 r2
microsoft windows_server_2012 -
microsoft windows_7 -
microsoft windows_10 -
microsoft windows_server_2008 -
microsoft windows_server_2012 r2