Update Details
Update #3090 (08/09/2018)
10 deprecated signatures:
| HIGH | DOS:WINDOWS:WINNUKE-NETBIOS | DOS: WinNuke (netbios) | Removal Date: 08/23/2018 | Reason For Deprecation: Very old cve sig for EOS products. |
| LOW | SCAN:CYBERCOP:FINGER-QUERY | SCAN: Cybercop Finger Query | Removal Date: 08/23/2018 | Reason For Deprecation: This signature is for End of support products. |
| HIGH | IP:SRC-ROUTE-OF | IGMP: Source Route Overflow | Removal Date: 08/23/2018 | Reason For Deprecation: This signature is for End of support products. |
| HIGH | DOS:IP:IGMP-OVERSIZE | DOS: IGMP Oversize | Removal Date: 08/23/2018 | Reason For Deprecation: This signature is for End of support products. |
| HIGH | NETBIOS:DOS:RFPOISON | NETBIOS RFPoision DOS Attack | Removal Date: 08/23/2018 | Reason For Deprecation: Very old cve sig for EOS products. |
| MEDIUM | FINGER:USER:ROOT | FINGER: User "root" | Removal Date: 08/23/2018 | Reason For Deprecation: Very old cve sig for EOS products. |
| MEDIUM | HTTP:STC:CLSID:ACTIVEX:WH32-OF | HTTP: WinHelp32.exe Remote Buffer Overrun | Removal Date: 08/23/2018 | Reason For Deprecation: Very old cve sig for EOS products. |
| MEDIUM | SMB:MS-WIN-2000-LANMAN-UDP-DOS | SMB: Microsoft Windows 2000 Lanman UDP Denial of Service | Removal Date: 08/23/2018 | Reason For Deprecation: Very old cve sig for EOS products. |
| MEDIUM | FINGER:USER:SLASH-FILE | FINGER: / File Query | Removal Date: 08/23/2018 | Reason For Deprecation: This signature is for End of support products. |
| INFO | SCAN:MISC:HTTP:FINGER-PROBE | SCAN: Finger Probe | Removal Date: 08/23/2018 | Reason For Deprecation: This signature is for End of support products. |
Customers are suggested to remove the deprecated signatures from the IDP policy, if they are explicitly configured, other than Dynamic groups
2 new signatures:
| MEDIUM | HTTP:MISC:PARTIAL-GZIP-COMP | HTTP: HTTP Payload Not Fully Gzip Compressed |
| MEDIUM | HTTP:STC:SCRIPT:OBFU-VB-SCRIPT | HTTP: Suspicious Obfuscated VBscript detection |
4 updated signatures:
| HIGH | HTTP:INSEC-DSERILZN-1 | HTTP: GE MDS PulseNET Spring Remoting HTTPInvoker Insecure Deserialization |
| HIGH | HTTP:STC:DL:MS-CVE-2018-8345-CE | HTTP: Microsoft Windows CVE-2018-8345 Remote Code Execution |
| HIGH | HTTP:STC:DL:MS-CVE-2018-8406-PE | HTTP: Microsoft Windows CVE-2018-8406 Elevation of Privilege |
| MEDIUM | HTTP:MISC:GWT-INFO-DISC | HTTP: CA ARCserve D2D GWT RPC Request Credentials Disclosure |
Details of the signatures included within this bulletin:
HTTP:STC:SCRIPT:OBFU-VB-SCRIPT - HTTP: Suspicious Obfuscated VBscript detection
Severity: MEDIUM
Description:
This signature will detect Suspicious Obfuscated VB script. This is a technique commonly used by malicious Web sites to hide the malicious nature of the Web pages being accessed by a user. A successful attack allows the Web page creator to take control of the victim's system.
Supported On:
idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1
HTTP:INSEC-DSERILZN-1 - HTTP: GE MDS PulseNET Spring Remoting HTTPInvoker Insecure Deserialization
Severity: HIGH
Description:
This signature detects attempts to exploit insecure deserialization vulnerability against GE MDS PulseNET and PulseNET Enterprise. Successful exploitation can result in arbitrary code execution in the context of the user running PulseNET.
Supported On:
idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, idp-5.1.110170603, vsrx-15.1
References:
- cve: CVE-2018-10611
Affected Products:
- Ge mds_pulsenet 3.2.1
HTTP:STC:DL:MS-CVE-2018-8345-CE - HTTP: Microsoft Windows CVE-2018-8345 Remote Code Execution
Severity: HIGH
Description:
This signature detects an attempt to exploit a known vulnerability in Microsoft Windows. Successful exploitation could allow an attacker to execute arbitrary code into the users's context.
Supported On:
idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
- cve: CVE-2018-8345
HTTP:STC:DL:MS-CVE-2018-8406-PE - HTTP: Microsoft Windows CVE-2018-8406 Elevation of Privilege
Severity: HIGH
Description:
This signature detects an attempt to exploit a known vulnerability in Microsoft Windows. Successful exploitation could allow an attacker to run processes in an elevated context.
Supported On:
idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
- cve: CVE-2018-8406
HTTP:MISC:PARTIAL-GZIP-COMP - HTTP: HTTP Payload Not Fully Gzip Compressed
Severity: MEDIUM
Description:
This signature will detect the incomplete gzip compressed HTTP payload.
Supported On:
idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
HTTP:MISC:GWT-INFO-DISC - HTTP: CA ARCserve D2D GWT RPC Request Credentials Disclosure
Severity: MEDIUM
Description:
This signature detects attempts to exploit a known vulnerability against CA ARCserve D2D. A successful attack can result in credentials disclosure and thereafter arbitrary code execution.
Supported On:
idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1
References:
- bugtraq: 48897
- cve: CVE-2011-3011
Affected Products:
- Computer_associates arcserve_backup_for_windows_d2d_option_basic_edition r15
- Computer_associates arcserve_d2d_for_windows_server_standard_edition r15
- Computer_associates arcserve_d2d r15