Juniper Networks

Update Details

Security Intelligence Center

Update #3056 (04/17/2018)

4 new signatures:

  • [MEDIUM] HTTP:APACHE:HTTPD-MOD-CACHE-DOS - HTTP: Apache HttpD Mod Cache SoCache Denial of Service
  • [HIGH] HTTP:STC:IE:CVE-2018-1001-RCE - HTTP: Microsoft CVE-2018-1001 Scripting Engine Memory Corruption Vulnerability
  • [MEDIUM] HTTP:STC:CVE-2018-6794 - HTTP: Suricata TCP Handshake Content Detection Bypass
  • [HIGH] HTTP:DRUPAL-FORM-RNDR-RCE - HTTP: Drupal Core Form Rendering Remote Code Execution

2 updated signatures:

  • [HIGH] HTTP:STC:IE:CVE-2018-1003-RCE - HTTP: Microsoft Jet Database Engine CVE-2018-1003 Remote Code Execution
  • [HIGH] HTTP:FORTINET-HELLO-MSG-BOF - HTTP: Fortinet Single Sign On Message Dispatcher Buffer Overflow


Details of the signatures included within this bulletin:


HTTP:APACHE:HTTPD-MOD-CACHE-DOS - HTTP: Apache HttpD Mod Cache SoCache Denial of Service

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Apache HTTPD mod_cache_socache. A successful attack can result in a denial-of-service condition.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-branch-x49, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1, vsrx-x49, srx-x49

References:

  • url: https://httpd.apache.org/security/vulnerabilities_24.html
  • cve: CVE-2018-1303
  • bugtraq: 103522
  • url: http://securitytracker.com/id?1040572

HTTP:STC:IE:CVE-2018-1003-RCE - HTTP: Microsoft Jet Database Engine CVE-2018-1003 Remote Code Execution

Severity: HIGH

Description:

This signature detects an attempt to exploit a buffer overflow vulnerability in Microsoft Windows. Successful exploitation could allow remote code execution.

Supported On:

isg-3.5.141652, idp-5.1.110161014, mx-11.4, idp-4.1.0, mx-16.1, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, vsrx-x49, srx-x49, srx-branch-x49, j-series-9.5, srx-12.1, srx-branch-12.1, vsrx-12.1, vsrx-15.1

References:

  • cve: CVE-2018-1003

HTTP:STC:IE:CVE-2018-1001-RCE - HTTP: Microsoft CVE-2018-1001 Scripting Engine Memory Corruption Vulnerability

Severity: HIGH

Description:

This signature detects an attempt to exploit a memory corruption vulnerability in Microsoft Internet Explorer. Successful exploitation could allow an attacker to execute arbitrary code in the application's context.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-branch-x49, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1, vsrx-x49, srx-x49

References:

  • cve: CVE-2018-1001

HTTP:STC:CVE-2018-6794 - HTTP: Suricata TCP Handshake Content Detection Bypass

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Suricata IDS/IPS. Successful exploitation could result in a bypass of security policies.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, srx-branch-x49, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1, vsrx-x49, srx-x49

References:

  • url: https://github.com/kirillwow/ids_bypass
  • url: https://redmine.openinfosecfoundation.org/issues/2427
  • cve: CVE-2018-6794

HTTP:FORTINET-HELLO-MSG-BOF - HTTP: Fortinet Single Sign On Message Dispatcher Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Fortinet Single Sign On. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of Fortinet Single Sign On.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, srx-branch-x49, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1, vsrx-x49, srx-x49

References:

  • bugtraq: 73206
  • cve: CVE-2015-2281

Affected Products:

  • Fortinet single_sign_on 4.3

HTTP:DRUPAL-FORM-RNDR-RCE - HTTP: Drupal Core Form Rendering Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Drupal. A successful attack can lead to arbitrary code execution.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, srx-branch-x49, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1, vsrx-x49, srx-x49

References:

  • cve: CVE-2018-7600
  • url: https://www.exploit-db.com/exploits/44448/
  • bugtraq: 103534
Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.