Juniper Networks

Update Details

Security Intelligence Center

Update #3075 (06/19/2018)

4 deprecated signatures:

MEDIUM | FINGER:EXPLOIT:DOT-AT-HOST | FINGER: .@host Exploit | Removal Date: 07/16/2018 | Reason For Deprecation: This signature is for EOS products.
HIGH | HTTP:STC:DL:HELP-IMG-HEAP | HTTP: Microsoft Windows HLP File Handling Heap Buffer Overflow | Removal Date: 07/23/2018 | Reason For Deprecation: This signature is for EOS products.
MEDIUM | APP:TUN:TEREDO-INFO | APP: Windows Firewall Teredo Information Disclosure | Removal Date: 07/23/2018 | Reason For Deprecation: This signature is for EOS products.
CRITICAL | ICMP:EXPLOIT:MIP-ROUTE-OF | ICMP: Mobile IP Route Overflow | Removal Date: 07/23/2018 | Reason For Deprecation: This signature is for EOS products.

Customers are advised to remove the deprecated signatures from the IDP policy if they are explicitly configured other than through dynamic groups.

7 new signatures:

MEDIUM | HTTP:STC:SCRIPT:OBFUSCATION-2 | HTTP: Suspicious Javascript Obfuscation Attempt 2
HIGH | HTTP:CTS-CVE-2018-7890-CMD-INJ | HTTP: Zoho ManageEngine Application Manager Command Injection
MEDIUM | SSL:VULN:OPENSSL-DH-DOS | SSL: OpenSSL Large DH Parameter Denial of Service
HIGH | HTTP:STC:ADOBE:CVE-2018-5002OOB | HTTP: Adobe Flash Player CVE-2018-5002 Out Of Bound Write
HIGH | HTTP:STC:SCRIPT:EVAL-OBFUSC-1 | HTTP: Javascript eval Obfuscation Technique (1)
HIGH | HTTP:APACHE:JSON-PRIV-ESC | HTTP: Apache CouchDB JSON Remote Privilege Escalation
MEDIUM | HTTP:JS-OBFUSC-ENCODE-1 | HTTP: Java Script Obfuscation Attempt

2 updated signatures:

HIGH | HTTP:STC:SCRIPT:JS-OB-IFRAMER | HTTP: Javascript Obfuscation IFRAMEr Tool Technique
HIGH | HTTP:STC:CLSID:SCRRUN-FILE-ACT | HTTP: Microsoft Windows 10 Active-X Creation Deletion Issue

1 renamed signature:

HTTP:SCRIPT-OBFUSC-GENERIC-1 -> HTTP:JS-OBFUSC-ENCODE-1


Details of the signatures included within this bulletin:


HTTP:STC:SCRIPT:EVAL-OBFUSC-1 - HTTP: Javascript eval Obfuscation Technique (1)

Severity: HIGH

Description:

This signature detects scripts that have been obfuscated (made unclear) using JavaScript. This technique is commonly used by malicious Web sites to hide the malicious nature of the Web pages being downloaded by a user. A successful attack allows the Web page creator to take control of the victim's system.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1


HTTP:STC:SCRIPT:JS-OB-IFRAMER - HTTP: Javascript Obfuscation IFRAMEr Tool Technique

Severity: HIGH

Description:

This signature detects scripts that have been obfuscated (made unclear) using JavaScript. This technique is commonly used by malicious Web sites to hide the malicious nature of the Web pages being downloaded by a user. A successful attack allows the Web page creator to take control of the victim's system.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1


HTTP:STC:CLSID:SCRRUN-FILE-ACT - HTTP: Microsoft Windows 10 Active-X Creation Deletion Issue

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Windows 10. A successful attack could lead to deletion, creation of a folder, and creation of a text file.

Supported On:

isg-3.5.141652, idp-5.1.110161014, DI-Client, DI-Worm, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, idp-5.1.110170603, vsrx-15.1

References:

  • url: https://cxsecurity.com/ascii/WLB-2018060073

HTTP:APACHE:JSON-PRIV-ESC - HTTP: Apache CouchDB JSON Remote Privilege Escalation

Severity: HIGH

Description:

This signature detects an attempt to exploit a privilege escalation vulnerability which has been reported in CouchDB. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted HTTP request to a vulnerable server. Successful exploitation could result in an unauthorized user gaining access to CouchDB.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1

References:

  • bugtraq: 101868
  • cve: CVE-2017-12635

Affected Products:

  • Apache couchdb 2.0.0
  • Apache couchdb 1.0.2
  • Apache couchdb 1.5.0
  • Apache couchdb 1.1.1
  • Apache couchdb 1.1.0
  • Apache couchdb 1.2.1
  • Apache couchdb 1.0.1
  • Apache couchdb 1.0.4
  • Apache couchdb 1.2.0
  • Apache couchdb 1.0.0
  • Apache couchdb 1.0.3
  • Apache couchdb 1.1.2

HTTP:STC:SCRIPT:OBFUSCATION-2 - HTTP: Suspicious Javascript Obfuscation Attempt 2

Severity: MEDIUM

Description:

This signature detects obfuscated JavaScript files. This is a technique commonly used by malicious Web sites to hide the malicious nature of the Web pages being accessed by a user. A successful attack allows the Web page creator to take control of the victim's system.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1


HTTP:CTS-CVE-2018-7890-CMD-INJ - HTTP: Zoho ManageEngine Application Manager Command Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Zoho ManageEngine. Successful exploitation can result in remote command execution conditions.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1

References:

  • cve: CVE-2018-7890
  • url: https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/
  • url: https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager
  • bugtraq: 103358

SSL:VULN:OPENSSL-DH-DOS - SSL: OpenSSL Large DH Parameter Denial of Service

Severity: MEDIUM

Description:

This signature detects denial of service attempts against OpenSSL. Successful exploitation will cause the OpenSSL client, which may be a server application, to consume high CPU resources computing DH keys using the maliciously crafted DH prime, leading to resource exhaustion and causing a denial of service.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1

References:

  • bugtraq: 104442
  • cve: CVE-2018-0732
  • url: http://securitytracker.com/id?1041090

HTTP:STC:ADOBE:CVE-2018-5002OOB - HTTP: Adobe Flash Player CVE-2018-5002 Out Of Bound Write

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Adobe Flash Player. A successful attack can corrupt sensitive data or execute arbitrary code.

Supported On:

isg-3.5.141652, idp-5.1.110161014, mx-11.4, idp-4.1.0, mx-16.1, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, vsrx3bsd-18.2, srx-18.2, j-series-9.5, srx-12.1, srx-branch-12.1, vsrx-12.1, vsrx-15.1

References:

  • cve: CVE-2018-5002

HTTP:JS-OBFUSC-ENCODE-1 - HTTP: Java Script Obfuscation Attempt

Severity: MEDIUM

Description:

This signature detects JavaScript obfuscation attempts.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.