Update Details

Security Intelligence Center
Update #3049 (04/03/2018)

13 new signatures:

  • MEDIUM  DNS:TUNNEL:IODINE-SRV-REQ - DNS: Iodine SRV requests Tunneling Activity
  • MEDIUM  APP:MISC:OPENVPN-IPV6-DOS - APP: Open Vpn Malformed TCP Header in IPv6 Packet Denial of Service
  • MEDIUM  DNS:TUNNEL:IODINE-MX-REQ - DNS: Iodine MX requests Tunneling Activity
  • MEDIUM  DNS:TUNNEL:IODINE-NULL-REQ - DNS: Iodine NULL requests Tunneling Activity
  • MEDIUM  DNS:TUNNEL:DNS2TCP-1 - DNS: DNS2TCP Tunneling Activity 1
  • MEDIUM  DNS:TUNNEL:IODINE-1 - DNS: Iodine Tunneling Activity 1
  • HIGH  APP:MS-WIN-CREDSSP-MITM-CE - APP: Microsoft Windows CredSSP MITM Code Execution
  • HIGH  SMTP:DOVECOT-DOMAIN-OOB - SMTP: Dovecot rfc822_parse_domain Out of Bounds Read
  • HIGH  HTTP:STC:IE:CVE-2018-0891-OOB - HTTP: Microsoft Internet Explorer and Edge Substring New Out of Bounds Read
  • MEDIUM  DNS:TUNNEL:IODINE-SERVER-ACK - DNS: Iodine DNS Tunneling Handshake Server ACK
  • MEDIUM  DNS:TUNNEL:IODINE-TXT-REQ - DNS: Iodine TXT requests Tunneling Activity
  • MEDIUM  DNS:TUNNEL:IODINE-CNAME-REQ - DNS: Iodine CNAME requests Tunneling Activity
  • MEDIUM  HTTP:STC:MS-EOT-FONT-ENGINE-ID1 - HTTP: Microsoft Windows EOT Font Engine Information Disclosure

4 updated signatures:

  • MEDIUM  DNS:TUNNEL:IODINE - DNS: Iodine Tunneling Activity
  • HIGH  HTTP:STC:IE:CVE-2018-0835-MC - HTTP: Microsoft Edge Script Engine CVE-2018-0835 Memory Corruption
  • HIGH  HTTP:STC:ADOBE:CVE-2018-4895RCE - HTTP: Adobe Acrobat and Reader CVE-2018-4895 Remote Code Execution
  • HIGH  HTTP:STC:ADOBE:CVE-2018-4889RCE - HTTP: Adobe Reader CVE-2018-4889 Remote Code Execution


Details of the signatures included within this bulletin:


DNS:TUNNEL:IODINE-SRV-REQ - DNS: Iodine SRV requests Tunneling Activity

Severity: MEDIUM

Description:

This signature detects the Iodine DNS tunneling tool. This tool allows data to be sent over fake DNS requests, bypassing some pay-for Internet services that allow DNS requests but not other traffic until payment is made.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1


APP:MISC:OPENVPN-IPV6-DOS - APP: Open Vpn Malformed TCP Header in IPv6 Packet Denial of Service

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in OpenVPN. Successful exploitation would cause an OpenVPN client or server program to terminate, resulting in a denial-of-service condition.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1

References:

  • bugtraq: 99230
  • url: https://community.openvpn.net/openvpn/wiki/vulnerabilitiesfixedinopenvpn243
  • url: https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/
  • cve: CVE-2017-7508

Affected Products:

  • Openvpn openvpn 2.4.0
  • Openvpn openvpn 2.4.2
  • Openvpn openvpn 2.3.16
  • Openvpn openvpn 2.4.1

DNS:TUNNEL:IODINE-MX-REQ - DNS: Iodine MX requests Tunneling Activity

Severity: MEDIUM

Description:

This signature detects the Iodine DNS tunneling tool. This tool allows data to be sent over fake DNS requests, bypassing some pay-for Internet services that allow DNS requests but not other traffic until payment is made.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1


HTTP:STC:IE:CVE-2018-0835-MC - HTTP: Microsoft Edge Script Engine CVE-2018-0835 Memory Corruption

Severity: HIGH

Description:

This signature detects an attempt to exploit a memory corruption vulnerability in Microsoft Edge. Successful exploitation could allow an attacker to execute arbitrary code in the context of the current user.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

  • cve: CVE-2018-0835

HTTP:STC:ADOBE:CVE-2018-4889RCE - HTTP: Adobe Reader CVE-2018-4889 Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Adobe Reader. A successful attack can lead to Remote Code Execution.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

  • bugtraq: 102996
  • cve: CVE-2018-4889

HTTP:STC:ADOBE:CVE-2018-4895RCE - HTTP: Adobe Acrobat and Reader CVE-2018-4895 Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Adobe Reader. A successful attack can lead to Remote Code Execution.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1

References:

  • bugtraq: 102994
  • cve: CVE-2018-4895

DNS:TUNNEL:IODINE-NULL-REQ - DNS: Iodine NULL requests Tunneling Activity

Severity: MEDIUM

Description:

This signature detects the Iodine DNS tunneling tool. This tool allows data to be sent over fake DNS requests, bypassing some pay-for Internet services that allow DNS requests but not other traffic until payment is made.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1

References:

  • url: https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152

DNS:TUNNEL:IODINE - DNS: Iodine Tunneling Activity

Severity: MEDIUM

Description:

This signature detects the Iodine DNS tunneling tool. This tool allows data to be sent over fake DNS requests, bypassing some pay-for Internet services that allow DNS requests but not other traffic until payment is made.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1


DNS:TUNNEL:DNS2TCP-1 - DNS: DNS2TCP Tunneling Activity 1

Severity: MEDIUM

Description:

This signature detects the DNS2TCP tunneling tool. This tool allows data to be sent over fake DNS requests, bypassing some pay-for Internet services that allow DNS requests but not other traffic until payment is made.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1

References:

  • url: https://community.infoblox.com/t5/Community-Blog/Analysis-on-Popular-DNS-Tunneling-Tools/ba-p/6270

DNS:TUNNEL:IODINE-1 - DNS: Iodine Tunneling Activity 1

Severity: MEDIUM

Description:

This signature detects the Iodine DNS tunneling tool. This tool allows data to be sent over fake DNS requests, bypassing some pay-for Internet services that allow DNS requests but not other traffic until payment is made.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1

References:

  • url: http://adeptus-mechanicus.com/codex/dnstun/dnstun.php
  • url: https://calebmadrigal.com/dns-tunneling-with-iodine/
  • url: https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152

APP:MS-WIN-CREDSSP-MITM-CE - APP: Microsoft Windows CredSSP MITM Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft Windows applications that depend on the CredSSP component for authentication. Successful exploitation would allow the attacker to execute arbitrary code in the context of the user.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1

References:

  • bugtraq: 103265
  • cve: CVE-2018-0886

SMTP:DOVECOT-DOMAIN-OOB - SMTP: Dovecot rfc822_parse_domain Out of Bounds Read

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Dovecot IMAP server. Successful exploitation may result in information disclosure or denial-of-service conditions.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.110090709, idp-4.0.110090831, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, vsrx-15.1, idp-4.1.110110609

References:

  • bugtraq: 103201
  • cve: CVE-2017-14461

HTTP:STC:IE:CVE-2018-0891-OOB - HTTP: Microsoft Internet Explorer and Edge Substring New Out of Bounds Read

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft Internet Explorer and Edge. Successful exploitation would allow the attacker to gain sensitive information.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

  • bugtraq: 103309
  • cve: CVE-2018-0891

DNS:TUNNEL:IODINE-SERVER-ACK - DNS: Iodine DNS Tunneling Handshake Server ACK

Severity: MEDIUM

Description:

This signature detects the Iodine DNS tunneling tool. This tool allows data to be sent over fake DNS requests, bypassing some pay-for Internet services that allow DNS requests but not other traffic until payment is made.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1


DNS:TUNNEL:IODINE-TXT-REQ - DNS: Iodine TXT requests Tunneling Activity

Severity: MEDIUM

Description:

This signature detects the Iodine DNS tunneling tool. This tool allows data to be sent over fake DNS requests, bypassing some pay-for Internet services that allow DNS requests but not other traffic until payment is made.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1

References:

  • url: https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152

DNS:TUNNEL:IODINE-CNAME-REQ - DNS: Iodine CNAME requests Tunneling Activity

Severity: MEDIUM

Description:

This signature detects the Iodine DNS tunneling tool. This tool allows data to be sent over fake DNS requests, bypassing some pay-for Internet services that allow DNS requests but not other traffic until payment is made.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1


HTTP:STC:MS-EOT-FONT-ENGINE-ID1 - HTTP: Microsoft Windows EOT Font Engine Information Disclosure

Severity: MEDIUM

Description:

This signature detects attempts to exploit an information disclosure vulnerability reported in the EOT component of Microsoft Windows operating systems. A remote attacker could exploit this vulnerability by enticing a user to open a specially crafted document. Successful exploitation could result in information disclosure, which could be used to further compromise the target system.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

  • bugtraq: 102952
  • cve: CVE-2018-0761
Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.