Update Details

Update #3133 (01/10/2019)

2 new signatures:

HIGH	APP:REMOTE:CVE-2018-15381-RCE	APP: Cisco Unity Express RMI Insecure Deserialization Remote Code Execution
HIGH	HTTP:ORACLE:CVE-2018-3252-RCE	HTTP: Oracle WebLogic Server DeploymentServiceServlet Insecure Deserialization Remote Code Execution

4 updated signatures:

HIGH	HTTP:STC:CHROME:JS-MSGBOX-DOS	HTTP: Google Chrome Java Script Message Box Denial of Service
HIGH	HTTP:STC:ACTIVEX:QTPLUGINX	HTTP: Apple Quicktime QTPlugin.ocx ActiveX Control
MEDIUM	HTTP:STC:ADOBE:CVE-2018-15979ID	HTTP: Adobe Acrobat and Reader PDF GoToE Information Disclosure
HIGH	HTTP:STC:IE:CVE-2016-3326-UAF	HTTP: Microsoft Edge CVE-2016-3326 Use After Free

Details of the signatures included within this bulletin:

HTTP:STC:ACTIVEX:QTPLUGINX - HTTP: Apple Quicktime QTPlugin.ocx ActiveX Control

Severity: HIGH

Description:

This signature detects attempts to use unsafe ActiveX controls in Apple QuickTime. An attacker can create a malicious Web site containing Web pages with dangerous ActiveX controls, which if accessed by a victim, allows the attacker to gain control of the victim's client browser.

Supported On:

idp-5.1.110161014, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, vsrx-19.2, srx-19.2, srx-branch-19.2, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, vsrx3bsd-19.2, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2012-3754
bugtraq: 27769
bugtraq: 42841
bugtraq: 53577
cve: CVE-2008-0778
cve: CVE-2010-1818
cve: CVE-2012-0666

Affected Products:

Apple quicktime 7.1.6
Apple quicktime 6.3.0
Apple quicktime 7.6.9
Apple quicktime 7.69.80.9
Apple quicktime 7.2.1
Apple quicktime 4.1.2
Apple quicktime 6.4.0
Apple quicktime 7.5.5
Apple quicktime 6.2.0
Apple quicktime 7.1.1
Apple quicktime 3.0
Apple quicktime 7.1.2
Apple quicktime 7.1.3
Apple quicktime 7.68.75.0
Apple quicktime 5.0.2
Apple quicktime 6.5.1
Apple quicktime 7.3.0
Apple quicktime 7.3.1.70
Apple quicktime 6.5.0
Apple quicktime 7.6.8
Apple quicktime 7.65.17.80
Apple quicktime 7.0.3
Apple quicktime 7.6.7
Apple quicktime 7.3.1
Apple quicktime 6.5.2
Apple quicktime 6.0.0
Apple quicktime 7.6.6
Apple quicktime 7.67.75.0
Apple quicktime 7.60.92.0
Apple quicktime 6.5
Apple quicktime 7.7.0
Apple quicktime 7.4.5
Apple quicktime 7.0.4
Apple quicktime 7.2.0
Apple quicktime 7.5.0
Apple quicktime 5.0.1
Apple quicktime 7.66.71.0
Apple quicktime 7.64.17.73
Apple quicktime 7.1.0
Apple quicktime 7.0.1
Apple quicktime 6.0.2
Apple quicktime 6.1
Apple quicktime 7.1
Apple quicktime up to 7.7.1
Apple quicktime 7.6.2
Apple quicktime 6.1.0
Apple quicktime 7.6.5
Apple quicktime 7.0
Apple quicktime 7.6.1
Apple quicktime 6.1.1
Apple quicktime 7.4.1
Apple quicktime 6.0.1
Apple quicktime 7.3
Apple quicktime 7.6.0
Apple quicktime 7.4.0
Apple quicktime 7.2
Apple quicktime 7.0.0
Apple quicktime 7.1.4
Apple quicktime 6.0
Apple quicktime 7.1.5
Apple quicktime 7.0.2
Apple quicktime 7.4
Apple quicktime 7.62.14.0
Apple quicktime 5.0

HTTP:STC:ADOBE:CVE-2018-15979ID - HTTP: Adobe Acrobat and Reader PDF GoToE Information Disclosure

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Adobe Reader and Acrobat. Successful exploitation could result in information disclosure.

Supported On:

idp-5.1.110161014, mx-11.4, idp-4.1.0, mx-16.1, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, vsrx-19.2, srx-19.2, srx-branch-19.2, vsrx3bsd-19.2, vsrx-12.1, srx-branch-12.1, srx-branch-19.1, vsrx-15.1, srx-12.1

References:

bugtraq: 105907
url: https://blog.edgespot.io/2018/11/the-case-of-unpatched-variant-of-pdf.html
cve: CVE-2018-15979

APP:REMOTE:CVE-2018-15381-RCE - APP: Cisco Unity Express RMI Insecure Deserialization Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability Cisco Unity Express. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, vsrx-19.2, srx-19.2, srx-branch-19.2, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, vsrx3bsd-19.2, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, isg-3.1.134269, vsrx-15.1

References:

bugtraq: 105876
url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20181107-cue
cve: CVE-2018-15381

HTTP:STC:CHROME:JS-MSGBOX-DOS - HTTP: Google Chrome Java Script Message Box Denial of Service

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Google Chrome. A successful attack can result in a denial-of-service condition.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, vsrx-19.2, srx-19.2, srx-branch-19.2, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, vsrx3bsd-19.2, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 34130
url: http://src.chromium.org/viewvc/chrome?revision=13693&view=revision

Affected Products:

Google chrome 1.0.154.48

HTTP:STC:IE:CVE-2016-3326-UAF - HTTP: Microsoft Edge CVE-2016-3326 Use After Free

Severity: HIGH

Description:

This signature detects an attempt to exploit an Use-After-Free Vulnerability in Microsoft Edge. Successful exploitation could allow an attacker to execute arbitrary code into the application's context.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, vsrx-19.2, srx-19.2, srx-branch-19.2, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, vsrx3bsd-19.2, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2016-3326

HTTP:ORACLE:CVE-2018-3252-RCE - HTTP: Oracle WebLogic Server DeploymentServiceServlet Insecure Deserialization Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability againstOracle WebLogic Server DeploymentServiceServlet. A successful attack can lead to Remote code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, vsrx-19.2, srx-19.2, srx-branch-19.2, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, vsrx3bsd-19.2, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 105613
url: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
cve: CVE-2018-3252

Affected Products:

Oracle weblogic_server 12.2.1.3.0
Oracle weblogic_server 10.3.6.0.0
Oracle weblogic_server 12.1.3.0.0