Update Details

Update #2912 (06/05/2017)

6 new signatures:

MEDIUM	APP:MISC:CVE-2006-2371-BO	APP: Microsoft Windows RASMAN Registry Remote Code Execution
MEDIUM	APP:MISC:MS-RPC-BUFF	APP: Microsoft DCERPC Buffer Overflow
HIGH	HTTP:STC:MS-IE-IFRAME-BO	HTTP: Microsoft Internet Explorer Iframe Buffer Overflow
HIGH	HTTP:MISC:MS-IE-ASYNC-AS-1	HTTP: Microsoft Internet Explorer Asynchronous NULL Object Access (1)
LOW	HTTP:MISC:MS-IE-ASYNC-AS-2	HTTP: Microsoft Internet Explorer Asynchronous NULL Object Access (2)
MEDIUM	HTTP:MISC:MS-IE-ASYNC-AS-3	HTTP: Microsoft Internet Explorer Asynchronous NULL Object Access (3)

3 new protocol anomalies:

LOW	HTTP:STC:UTF-ENC-NO-BOM	HTTP: Unicode Response Detected Without BOM
INFO	HTTP:CONTENT_TYPE_MESSAGE	CONTENT_TYPE_MESSAGE
MEDIUM	HTTP:CONTENT_ENCODING_MISMATCH	CONTENT_ENCODING_MISMATCH

7 updated signatures:

HIGH	SMB:CVE-2008-4250-BO	SMB: Microsoft Windows Server Service RPC Request Handling Buffer Overflow
CRITICAL	SMB:EXPLOIT:PRINT-SPOOL-BYPASS	SMB: Windows Print Spooler Authentication Bypass
HIGH	SMB:SAMBA:SID-QUOTA	SMB: Samba SID Parsing Stack Buffer Overflow
MEDIUM	SMB:TIMBUKTU-PLUGHNT-COMMAND	SMB: TImbuktu PlughNTCommand
HIGH	APP:CA:ARCSRV:RPC-TAPE-ENG	APP: Computer Associates ARCServer Tape Engine Overflow
HIGH	SMB:EXPLOIT:CVE-2015-0240-RCE	SMB: Samba CVE-2015-0240 ServerPasswordSet Remote Code Execution
HIGH	SMB:SAMBA:READ-NTTRANS-EA-LIST	SMB: Samba smbd read_nttrans_ea_list Infinite Allocation Loop DOS

1 renamed protocol anomaly:

HTTP:STC:NO_UTF_ENCODING_IN_RESP_BOM

HTTP:STC:NO_UTF_ENC_IN_RESP_BOM

Details of the signatures included within this bulletin:

SMB:CVE-2008-4250-BO - SMB: Microsoft Windows Server Service RPC Request Handling Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft Windows Server service. A successful attack can lead to a buffer overflow and arbitrary remote code execution as SYSTEM.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.1.110110719, mx-11.4, mx-16.1, vmx-11.4, vmx-16.1, isg-3.4.139899, j-series-9.5, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.0.110121210, vsrx-15.1, idp-4.1.110110609, isg-3.5.141597, idp-5.1.110160603

References:

cve: CVE-2008-4250

Affected Products:

microsoft windows_xp (sp2)
microsoft windows_xp (sp2:professional_x64)
microsoft windows_server_2003 (sp2:itanium)
microsoft windows_server_2008 (:x32)
microsoft windows_server_2008 (:x64)
microsoft windows_server_2008 (:itanium)
microsoft windows_vista (:x64)
microsoft windows_vista (sp1)
microsoft windows_server_2003 (sp1:itanium)
microsoft windows_xp (:professional_x64)
microsoft windows_server_2003 (sp2:x64)
microsoft windows_vista (sp1:x64)
microsoft windows_server_2003 (sp2)
microsoft windows_xp (sp3)
microsoft windows_server_2003 (:x64)
microsoft windows_server_2003 (sp1)
microsoft windows_2000 (sp4)

SMB:EXPLOIT:CVE-2015-0240-RCE - SMB: Samba CVE-2015-0240 ServerPasswordSet Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Samba server. A remote, unauthenticated attacker could exploit this vulnerability by sending malicious request to the target Samba user.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.1.110110719, mx-11.4, mx-16.1, vmx-11.4, vmx-16.1, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, j-series-9.5, vsrx-15.1, idp-4.1.110110609, isg-3.5.141597, idp-5.1.110160603

References:

bugtraq: 72711
url: https://www.samba.org/samba/security/CVE-2015-0240
url: https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/
cve: CVE-2015-0240

Affected Products:

redhat enterprise_linux 7.0
samba 3.5.4
samba 3.6.21
samba 4.0.0
samba 3.5.6
samba 3.6.23
samba 3.5.18
samba 4.0.18
samba 3.5.8
samba 4.1.8
samba 4.1.11
samba 3.6.1
samba 4.1.13
samba 4.1.15
samba 3.5.10
samba 4.1.2
samba 3.5.12
samba 4.1.0
samba 3.6.15
samba 3.5.14
redhat enterprise_linux 5
novell suse_linux_enterprise_server 12
samba 4.1.6
samba 3.6.17
samba 3.5.16
samba 4.1.4
samba 3.6.11
samba 3.6.13
canonical ubuntu_linux 14.04
samba 4.0.17
canonical ubuntu_linux 14.10
samba 4.0.22
samba 3.6.19
samba 4.0.15
samba 3.5.20
samba 4.0.20
samba 4.0.9
samba 4.0.13
samba 3.5.22
samba 4.0.7
samba 4.0.11
samba 3.5.1
samba 4.0.24
samba 4.0.5
samba 3.5.3
samba 3.6.24
samba 4.0.3
samba 3.5.5
redhat enterprise_linux 6
samba 4.0.1
samba 3.5.7
samba 3.6.20
samba 3.5.19
samba 4.0.19
samba 3.5.9
samba 3.6.22
samba 3.6.2
samba 4.1.10
samba 4.2.0
samba 3.6.0
samba 4.1.9
samba 4.1.12
samba 4.1.14
samba 3.5.11
novell suse_linux_enterprise_desktop 12
samba 4.1.16
samba 3.5.13
samba 4.1.3
samba 3.6.14
samba 3.5.15
samba 4.1.1
samba 3.6.16
samba 3.5.17
samba 4.1.7
samba 3.6.10
samba 4.1.5
samba 3.6.12
novell suse_linux_enterprise_software_development_kit 12
samba 3.6.18
samba 4.0.16
samba 4.0.23
samba 4.0.14
samba 3.5.21
samba 4.0.21
samba 4.0.8
samba 4.0.12
canonical ubuntu_linux 12.04
samba 4.0.6
samba 4.0.10
samba 3.5.0
samba 4.0.4
samba 3.5.2
samba 4.0.2

HTTP:CONTENT_ENCODING_MISMATCH - CONTENT_ENCODING_MISMATCH

Severity: MEDIUM

Description:

This protocol anomaly detects if there is a mismatch between the content encoding response header and payload BOM value

Supported On:

vsrx-15.1

HTTP:STC:UTF-ENC-NO-BOM - HTTP: Unicode Response Detected Without BOM

Severity: LOW

Description:

This protocol anomaly detects if there is any UTF encoding in the payload but there is no content type response header and no BOM in the payload

Supported On:

vsrx-15.1

HTTP:CONTENT_TYPE_MESSAGE - CONTENT_TYPE_MESSAGE

Severity: INFO

Description:

This protocol anomaly detects if the content type is message/* and if there is vulnerability

Supported On:

vsrx-15.1

SMB:SAMBA:SID-QUOTA - SMB: Samba SID Parsing Stack Buffer Overflow

Severity: HIGH

Description:

A buffer overflow vulnerability has been reported in Samba. The vulnerability is due to a boundary error when parsing the Security ID (SID) in SMB packets. Remote attackers could exploit this vulnerability by sending a crafted SMB message to a target SMB server. Successful exploitation would allow for arbitrary code injection and execution which might allow the attacker to take complete control of a target host. Code injection that does not result in execution could crash the vulnerable service, and result in a Denial of Service condition.

Supported On:

References:

cve: CVE-2010-3069
bugtraq: 43212

Affected Products:

Avaya Proactive Contact 4.0
Samba 3.0.25 Pre1
Apple Mac OS X Server 10.5.1
Samba 3.0.33
Avaya Messaging Storage Server 1.0
Avaya Messaging Storage Server 2.0
Red Hat Enterprise Linux 5.4.Z Server
Samba 3.0.21
Red Hat Enterprise Linux Desktop 6
Avaya Messaging Storage Server
Avaya Message Networking
Red Hat Enterprise Linux HPC Node Optional 6
Red Hat Enterprise Linux Desktop 5 Client
Red Hat Enterprise Linux Server Optional 6
Ubuntu Ubuntu Linux 6.06 LTS Powerpc
Ubuntu Ubuntu Linux 6.06 LTS I386
Ubuntu Ubuntu Linux 6.06 LTS Amd64
Samba 3.5.1
Samba 3.2.14
Apple Mac OS X Server 10.6.5
Red Hat Enterprise Linux AS 3
Sun Solaris 10 X86
Slackware Linux 10.2.0
Samba 3.4.5
Avaya IQ 5
Samba 3.0.23B
Debian Linux 5.0 S/390
Samba 3.0.23A
Mandriva Linux Mandrake 2009.1
Mandriva Linux Mandrake 2009.1 X86 64
Ubuntu Ubuntu Linux 8.04 LTS Amd64
Ubuntu Ubuntu Linux 8.04 LTS I386
Ubuntu Ubuntu Linux 8.04 LTS Lpia
Ubuntu Ubuntu Linux 8.04 LTS Powerpc
Ubuntu Ubuntu Linux 8.04 LTS Sparc
Red Hat Desktop 3.0.0
Avaya Proactive Contact 3.0.3
Apple Mac OS X 10.5.4
Apple Mac OS X Server 10.5.4
Avaya Aura System Manager 6.0 SP1
Avaya Messaging Storage Server 5.2
Apple Mac OS X Server 10.5.0
Samba 3.2.12
Samba 3.0.23C
Samba 3.0.26A
Avaya Proactive Contact 4.2
Samba 3.0.9
Apple Mac OS X 10.6
Apple Mac OS X Server 10.6
Sun Solaris 10 Sparc
Avaya Aura Presence Services 6.0
Samba 3.0.3
Samba 3.0.4
Samba 3.0.5
Samba 3.0.11
Samba 3.0.12
Samba 3.0.13
Samba 3.0.14
Avaya Aura System Manager 1.0
Samba 3.0.20
Ubuntu Ubuntu Linux 9.10 Amd64
Slackware Linux 13.0
Mandriva Corporate Server 4.0.0 X86 64
Ubuntu Ubuntu Linux 9.10 Powerpc
Samba 3.0.21B
Samba 3.0.21C
Samba 3.0.22
Samba 3.5.2
Samba 3.0.28A
Samba 3.0.29
HP HP-UX B.11.31
Avaya Voice Portal 5.0 SP2
Samba 3.0.14A
Samba 3.0.31
Samba 3.0.30
VMWare ESX Server 3.0.3
Samba 3.0.25 Pre2
Samba 3.0.20A
Ubuntu Ubuntu Linux 9.10 I386
Ubuntu Ubuntu Linux 9.10 Lpia
Samba 3.0.21A
Avaya Voice Portal 5.0
Mandriva Enterprise Server 5 X86 64
Apple Mac OS X 10.5.3
Ubuntu Ubuntu Linux 9.10 Sparc
Avaya Messaging Storage Server 5.2 SP1
Samba 3.0.25
Apple Mac OS X 10.5
Mandriva Linux Mandrake 2008.0
Mandriva Linux Mandrake 2008.0 X86 64
Avaya IQ 4.1.0
Apple Mac OS X 10.6.3
Apple Mac OS X Server 10.6.3
Apple Mac OS X Server 10.6.4
Mandriva Linux Mandrake 2010.0 X86 64
Mandriva Linux Mandrake 2010.0
Samba 3.0.23
Apple Mac OS X 10.6.2
Apple Mac OS X Server 10.6.2
Avaya Proactive Contact 4.1
Apple Mac OS X 10.6.5
Red Hat Enterprise Linux Desktop Optional 6
Red Hat Enterprise Linux AS 4.7.Z
Red Hat Enterprise Linux ES 4.7.Z
Apple Mac OS X 10.5.8
Samba 3.0.4 Rc1
Samba 3.0.10
Debian Linux 5.0 Alpha
Samba 3.2.2
Slackware Linux 12.1
Samba 3.2.1
Samba 3.0.0
Samba 3.4.8
Red Hat Fedora 12
Samba 3.0.27
Avaya Voice Portal 5.0 SP1
Samba 3.0.4 -R1
Avaya Messaging Storage Server 5.0
Sun Solaris 9 Sparc
Samba 3.0.7
Samba 3.0.0 Alpha
Red Hat Enterprise Linux HPC Node 6
Samba 3.5.3
Samba 3.5.4
Avaya Message Networking 5.2
Samba 3.0.25 Rc1
Debian Linux 5.0
Avaya Messaging Storage Server 3.1
Debian Linux 5.0 Amd64
Debian Linux 5.0 Arm
Debian Linux 5.0 Hppa
Debian Linux 5.0 Ia-32
Debian Linux 5.0 Ia-64
Debian Linux 5.0 M68k
Debian Linux 5.0 Mips
Debian Linux 5.0 Mipsel
Debian Linux 5.0 Powerpc
Apple Mac OS X Server 10.6.6
Debian Linux 5.0 Sparc
Samba 3.0.0
Samba 3.0.1
Samba 3.0.2
Samba 3.0.2 A
Red Hat Fedora 14
Avaya Proactive Contact 4.1.1
Oracle Enterprise Linux 5
Samba 3.0.8
Avaya Aura System Manager 5.2
Samba 3.2.3
Apple Mac OS X 10.5.0
Red Hat Enterprise Linux ES 3
Mandriva Enterprise Server 5
Red Hat Enterprise Linux Server 6
Mandriva Linux Mandrake 2009.0
Mandriva Linux Mandrake 2009.0 X86 64
Ubuntu Ubuntu Linux 9.04 I386
Ubuntu Ubuntu Linux 9.04 Lpia
Ubuntu Ubuntu Linux 9.04 Powerpc
Ubuntu Ubuntu Linux 9.04 Sparc
Mandriva Corporate Server 4.0
Apple Mac OS X 10.5.7
Apple Mac OS X Server 10.5.7
Avaya Messaging Storage Server 3.1 SP1
Slackware Linux 10.1.0
Red Hat Enterprise Linux Desktop Workstation 5 Client
Red Hat Enterprise Linux 5 Server
Apple Mac OS X 10.6.1
Samba 3.0.34
Slackware Linux 12.0
Red Hat Enterprise Linux WS 3
Samba 3.0.35
Apple Mac OS X Server 10.5
Ubuntu Ubuntu Linux 10.04 I386
SuSE SUSE Linux Enterprise 11
Apple Mac OS X 10.5.2
Slackware Linux -Current
Samba 3.0.23D
Samba 3.3.5
Apple Mac OS X Server 10.5.2
Samba 3.2.4
Samba 3.2.5
Slackware Linux 13.0 X86 64
Samba 3.2.0
Avaya Messaging Storage Server 5.1
Samba 3.4.1
Samba 3.3.7
rPath rPath Linux 2
Samba 3.0.36
Samba 3.4.2
Samba 3.3.8
Samba 3.2.15
Samba 3.0.37
Debian Linux 5.0 Armel
Samba 3.0.6
Gentoo Linux
Red Hat Enterprise Linux Workstation 6
SuSE Moblin 2.1
Red Hat Enterprise Linux AS 4
SuSE SUSE Linux Enterprise 10 SP3
Apple Mac OS X Server 10.6.5
Slackware Linux 10.0.0
Apple Mac OS X 10.5.6
Apple Mac OS X Server 10.5.6
Red Hat Fedora 13
VMWare ESX Server 3.5
Slackware Linux X86 64 -Current
Ubuntu Ubuntu Linux 10.04 Amd64
SuSE SUSE Linux Enterprise 11 SP1
Ubuntu Ubuntu Linux 10.04 Powerpc
Ubuntu Ubuntu Linux 10.04 Sparc
Samba 3.2.13
Samba 3.3.6
Samba 3.3.13
Samba 3.3.11
Avaya Messaging Storage Server MM3.0
Red Hat Enterprise Linux Workstation Optional 6
SuSE SUSE Linux Enterprise Server 9
Sun Solaris 9 X86
Samba 3.0.27A
Samba 3.0.28
Samba 3.2.6
Red Hat Enterprise Linux Desktop Version 4
Samba 3.0.25A
Samba 3.3.10
Samba 3.0.25C
Samba 3.0.26
Avaya Proactive Contact 3.0.2
Samba 3.4.7
Avaya Proactive Contact 4.1.2
Samba 3.3.12
Mandriva Linux Mandrake 2010.1 X86 64
Mandriva Linux Mandrake 2010.1
HP HP-UX B.11.11
Avaya Message Networking MN 3.1
Slackware Linux 11.0
HP HP-UX B.11.23
Apple Mac OS X 10.6.4
Apple Mac OS X 10.5.5
Apple Mac OS X Server 10.5.5
Ubuntu Ubuntu Linux 6.06 LTS Sparc
Apple Mac OS X Server 10.5.8
Ubuntu Ubuntu Linux 9.04 Amd64
SuSE Moblin 2.0
SuSE openSUSE 11.3
Avaya Messaging Storage Server 4.0
Slackware Linux 13.1
Slackware Linux 13.1 X86 64
SuSE openSUSE 11.2
Slackware Linux 12.2
Red Hat Enterprise Linux 5.3.Z Server
Avaya IQ 5.1
Samba 3.0.24
Red Hat Enterprise Linux WS 4
Apple Mac OS X Server 10.6.1
rPath Appliance Platform Linux Service 2
Samba 3.0.25 Rc2
Apple Mac OS X Server 10.5.3
Red Hat Enterprise Linux ES 4
Samba 3.0.20B
Samba 3.0.25 Rc3
Sun Solaris 11 Express
Avaya Message Networking 3.1
Samba 3.0.25B
Apple Mac OS X 10.5.1
SuSE openSUSE 11.1
Avaya Proactive Contact
Samba 3.4.6
Avaya Proactive Contact 3.0
Samba 3.0.32

SMB:EXPLOIT:PRINT-SPOOL-BYPASS - SMB: Windows Print Spooler Authentication Bypass

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability against Windows Print Spooler. A successful attack allows attackers to bypass security measures and execute arbitrary remote code.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, vmx-11.4, idp-4.2.0, idp-5.0.0, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, vmx-16.1, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141597, idp-5.1.110160603

References:

cve: CVE-2010-2729
bugtraq: 43073
url: http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx

Affected Products:

Microsoft Windows XP Home
Microsoft Windows 7 for x64-based Systems
Microsoft Windows 7 for Itanium-based Systems
Microsoft Windows 7 for 32-bit Systems
Microsoft Windows Vista Business SP2
Microsoft Windows Vista Business 64-bit edition SP2
Microsoft Windows Vista Enterprise 64-bit edition SP2
Microsoft Windows Vista Enterprise SP2
Microsoft Windows Vista Home Basic 64-bit edition SP2
Microsoft Windows Vista Home Basic SP2
Microsoft Windows Vista Home Premium 64-bit edition SP2
Microsoft Windows Vista Home Premium SP2
Microsoft Windows Vista SP2
Microsoft Windows Vista Ultimate 64-bit edition SP2
Microsoft Windows Vista Ultimate SP2
Microsoft Windows Vista x64 Edition SP2
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2003 x64 SP2
Microsoft Windows Vista x64 Edition SP1
Microsoft Windows Vista Business SP1
Microsoft Windows Vista Home Basic SP1
Microsoft Windows Vista Home Premium SP1
Microsoft Windows Vista Enterprise SP1
Microsoft Windows Vista Ultimate SP1
Microsoft Windows Vista Business 64-bit edition SP1
Microsoft Windows Vista Enterprise 64-bit edition SP1
Microsoft Windows Vista Home Basic 64-bit edition SP1
Microsoft Windows Vista Home Premium 64-bit edition SP1
Microsoft Windows Vista Ultimate 64-bit edition SP1
Microsoft Windows Server 2003 x64 SP1
Avaya Aura Conferencing 6.0 Standard
Microsoft Windows Vista x64 Edition
Microsoft Windows Server 2003 Web Edition SP2
Microsoft Windows XP Professional x64 Edition SP2
Microsoft Windows Server 2003 Itanium
Microsoft Windows Server 2003 Itanium SP1
Microsoft Windows Server 2003 Itanium SP2
Microsoft Windows Server 2003 Datacenter x64 Edition SP2
Microsoft Windows Server 2003 Enterprise x64 Edition SP2
Microsoft Windows Server 2003 Standard Edition SP2
Avaya Messaging Application Server
Avaya Messaging Application Server MM 3.0
Avaya Messaging Application Server MM 3.1
Microsoft Windows XP Media Center Edition
Avaya Messaging Application Server MM 1.1
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional x64 Edition SP3
Microsoft Windows XP Professional SP3
Microsoft Windows XP Media Center Edition SP3
Microsoft Windows XP Home SP3
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium
Microsoft Windows Server 2003 Datacenter Edition Itanium
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows Server 2008 for x64-based Systems R2
Microsoft Windows Server 2008 for Itanium-based Systems R2
Avaya Meeting Exchange - Client Registration Server
Avaya Meeting Exchange - Recording Server
Avaya Meeting Exchange - Streaming Server
Avaya Meeting Exchange - Web Conferencing Server
Avaya Meeting Exchange - Webportal
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003 SP2
Avaya Messaging Application Server MM 2.0
Microsoft Windows XP Home SP2
Microsoft Windows XP Professional SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows Vista 1.0
Microsoft Windows Vista SP1
Microsoft Windows Vista Ultimate
Microsoft Windows Vista Home Premium
Microsoft Windows Vista Home Basic
Microsoft Windows Vista Business
Microsoft Windows Vista Enterprise
Microsoft Windows Server 2003 Standard Edition
Avaya CallPilot Unified Messaging
Microsoft Windows XP
Avaya Messaging Application Server 4
Avaya Messaging Application Server 5
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Vista Business 64-bit edition
Microsoft Windows Vista Enterprise 64-bit edition
Microsoft Windows Vista Home Basic 64-bit edition
Microsoft Windows Vista Home Premium 64-bit edition
Microsoft Windows Vista Ultimate 64-bit edition
Microsoft Windows Server 2008 for 32-bit Systems
Microsoft Windows Server 2008 for x64-based Systems
Microsoft Windows Server 2008 for Itanium-based Systems
Microsoft Windows XP

APP:CA:ARCSRV:RPC-TAPE-ENG - APP: Computer Associates ARCServer Tape Engine Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Computer Associates BrightStor ARCserve Backup Tape Engine. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the system.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, vmx-11.4, vmx-16.1, idp-5.0.0, idp-4.2.0, isg-3.5.0, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, idp-4.0.110090831, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, j-series-9.5, vsrx-15.1, idp-4.1.110110609, isg-3.5.141597, idp-5.1.110160603

References:

cve: CVE-2006-6076
url: http://www.lssec.com/advisories/LS-20060908.pdf
bugtraq: 21221
url: http://supportconnectw.ca.com/public/storage/infodocs/babsecurity-notice.asp
cve: CVE-2006-6917
cve: CVE-2007-0168
bugtraq: 22010

Affected Products:

Computer Associates BrightStor ARCServe Backup 11.5
Computer Associates BrightStor ARCServe Backup 9.01
Computer Associates Protection Suites r2
Computer Associates BrightStor ARCServe Backup 11.5.0
Computer Associates BrightStor ARCserve Backup for Windows (All) 11.5.0
Computer Associates BrightStor ARCServe Backup 11.1.0
Computer Associates Server Protection Suite r2
Computer Associates Business Protection Suite
Computer Associates Business Protection Suite for Microsoft SBS Std Ed r2
Computer Associates Business Protection Suite for Microsoft SBS Pre ed r2
Computer Associates BrightStor Enterprise Backup 10.5.0

SMB:SAMBA:READ-NTTRANS-EA-LIST - SMB: Samba smbd read_nttrans_ea_list Infinite Allocation Loop DOS

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Samba Server. A successful attack can result in a denial-of-service condition.

Supported On:

References:

cve: CVE-2013-4124

Affected Products:

novell opensuse 12.3
canonical ubuntu_linux 12.10
novell opensuse 12.2
canonical ubuntu_linux 13.04
redhat enterprise_linux 5
canonical ubuntu_linux 10.04 (-:lts)
fedoraproject fedora 19
canonical ubuntu_linux 12.04 (-:lts)
fedoraproject fedora 18
samba 3.0.25b
samba 3.6.9
samba 3.4.10
samba 3.2.2
samba 4.0.0
samba 3.6.7
samba 3.0.25 (b)
samba 3.4.16
samba 3.2.0
samba 3.5.18
samba 3.0.13
samba 3.6.5
samba 3.4.14
samba 3.2.6
samba 3.3.16
samba 3.6.3
samba 3.2.4
samba 3.5.17
samba 3.3.14
samba 3.6.1
samba 3.0.19
samba 3.3.12
samba 3.0.14a
samba 3.0.15
samba 3.0.9
samba 3.5.10
samba 3.4.0
samba 3.3.10
samba 3.0.25 (c)
samba 3.5.12
samba 3.6.15
samba 3.5.14
samba 3.0.21 (b)
samba 3.5.15
samba 3.0.22
samba 3.0.20 (b)
samba 3.5.16
samba 3.3.9
samba 3.4.8
samba 3.0.1
samba 3.6.11
samba 3.3.7
samba 3.0.25 (rc3)
samba 3.0.3
samba 3.6.13
samba 3.5.11
samba 3.4.4
samba 3.0.21b
samba 3.0.5
samba 3.2.11
samba 3.3.3
samba 3.4.6
samba 3.0.7
samba 3.6.16
samba 3.2.13
samba 3.0.14 (a)
samba 3.3.1
samba 3.0.25 (a)
samba 3.2.15
samba 3.5.20
samba 3.0.26 (a)
samba 3.4.2
samba 3.0.21a
samba 3.0.30
samba 3.0.31
samba 4.0.7
samba 3.0.33
samba 3.0.20b
samba 3.5.1
samba 3.2.9
samba 4.0.5
samba 3.0.2 (a)
samba 3.0.35
samba 3.0.11
samba 3.1
samba 3.0.21 (a)
samba 4.0.3
samba 3.3.8
samba 3.0.25c
samba 3.0.37
samba 3.6.8
samba 3.0.25 (rc1)
samba 3.4.13
samba 4.0.1
samba 3.0.25a
samba 3.6.6
samba 3.4.11
samba 3.2.3
samba 3.5.19
samba 3.0.25 (pre2)
samba 3.6.4
samba 3.4.17
samba 3.0.32
samba 3.2.1
samba 3.0.27 (a)
samba 3.6.2
samba 3.0.23 (b)
samba 3.4.15
samba 3.0.4 (rc1)
samba 3.3.15
samba 3.6.0
samba 3.2.5
samba 3.0.18
samba 3.3.13
samba 3.0.8
samba 3.0.23b
samba 3.0.16
samba 3.3.11
samba 3.0.29
samba 3.0.21c
samba 3.0.23 (c)
samba 3.5.13
samba 3.6.14
samba 3.0.12
samba 3.0.2a
samba 3.0.24
samba 3.0.10
samba 3.0.0
samba 3.6.10
samba 3.0.25 (rc2)
samba 3.0.23 (d)
samba 3.0.26a
samba 3.4.9
samba 3.6.12
samba 3.3.6
samba 3.2.10
samba 3.0.23d
samba 3.3.5
samba 3.3.4
samba 3.4.5
samba 3.0.6
samba 3.2.12
samba 3.3.2
samba 3.4.7
samba 3.0.17
samba 3.2.14
samba 3.0.21 (c)
samba 3.3.0
samba 3.4.1
samba 3.5.21
samba 3.0.23a
samba 3.4.3
samba 3.0.20 (a)
samba 3.0.25 (pre1)
samba 3.0.23c
samba 3.0.20a
samba 3.2.8
samba 4.0.6
samba 3.0.34
samba 3.5.0
samba 3.0
samba 3.0.28 (a)
samba 4.0.4
samba 3.0.36
samba 3.0.23 (a)
samba 3.5.2
samba 3.4.12
samba 4.0.2
samba 3.2.7

APP:MISC:CVE-2006-2371-BO - APP: Microsoft Windows RASMAN Registry Remote Code Execution

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft Routing and Remote Access. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the targeted daemon.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, vmx-11.4, idp-4.2.0, idp-5.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, vmx-16.1, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141597, idp-5.1.110160603

References:

cve: CVE-2006-2371

Affected Products:

microsoft windows_2000 (sp2)
microsoft windows_xp (sp2:tablet_pc)
microsoft windows_2003_server r2
microsoft windows_2000 (sp2:datacenter_server)
microsoft windows_2000 (:professional)
microsoft windows_2003_server datacenter_edition_64-bit (sp1)
microsoft windows_2000 (sp3:server)
microsoft windows_2003_server r2 (:datacenter_64-bit)
microsoft windows_2000 (sp1:server)
microsoft windows_2003_server datacenter_edition (sp1)
microsoft windows_xp (sp1)
microsoft windows_2000 (sp4:professional)
microsoft windows_xp (sp2:media_center)
microsoft windows_2000 (sp4)
microsoft windows_xp (sp2)
microsoft windows_2000 (sp3:professional)
microsoft windows_2000 (sp1:professional)
microsoft windows_2000 (sp3:datacenter_server)
microsoft windows_2000 (sp4:advanced_server)
microsoft windows_2000 (sp2:advanced_server)
microsoft windows_2000 (sp3:advanced_server)
microsoft windows_2000 (:datacenter_server)
microsoft windows_2000 (sp2:server)
microsoft windows_2000 (sp3)
microsoft windows_2003_server enterprise_edition (sp1)
microsoft windows_2003_server standard_64-bit
microsoft windows_2000 (:advanced_server)
microsoft windows_xp (sp1:media_center)
microsoft windows_2003_server enterprise_64-bit
microsoft windows_xp (gold)
microsoft windows_2003_server web (sp1)
microsoft windows_xp (sp1:home)
microsoft windows_2003_server sp1 (:enterprise)
microsoft windows_xp (sp2:home)
microsoft windows_xp (:media_center)
microsoft windows_2000 (sp4:server)
microsoft windows_xp (:64-bit)
microsoft windows_2003_server enterprise_edition_64-bit (sp1)
microsoft windows_xp (:home)
microsoft windows_2003_server sp1
microsoft windows_2000 (sp1)
microsoft windows_2000 (sp1:advanced_server)
microsoft windows_2000 (sp4:datacenter_server)
microsoft windows_2000 (sp2:professional)
microsoft windows_2003_server standard (sp1)
microsoft windows_2000 (:server)
microsoft windows_2000 (sp1:datacenter_server)
microsoft windows_xp (gold:professional)

APP:MISC:MS-RPC-BUFF - APP: Microsoft DCERPC Buffer Overflow

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft RRAS. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the targeted daemon.

Supported On:

References:

url: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/smb/rras_vls_null_deref.rb

HTTP:STC:MS-IE-IFRAME-BO - HTTP: Microsoft Internet Explorer Iframe Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Internet Explorer. A successful attack can lead to arbitrary code execution.

Supported On:

HTTP:MISC:MS-IE-ASYNC-AS-1 - HTTP: Microsoft Internet Explorer Asynchronous NULL Object Access (1)

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Internet Explorer. A successful attack can lead to arbitrary code execution.

Supported On:

HTTP:MISC:MS-IE-ASYNC-AS-2 - HTTP: Microsoft Internet Explorer Asynchronous NULL Object Access (2)

Severity: LOW

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Internet Explorer. A successful attack can lead to arbitrary code execution.

Supported On:

HTTP:MISC:MS-IE-ASYNC-AS-3 - HTTP: Microsoft Internet Explorer Asynchronous NULL Object Access (3)

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Internet Explorer. A successful attack can lead to arbitrary code execution.

Supported On:

SMB:TIMBUKTU-PLUGHNT-COMMAND - SMB: TImbuktu PlughNTCommand

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in Motorola Timbuktu Pro 8.6.5 for Windows. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the server. This signature can detect binding of the vulnerable named pipe, but cannot determine if it is malicious in nature.