This SEU number: 1629
Previous SEU number: 1627
Corresponding SRU number: 2017-03-14-002
Applies to:
Component | Change |
---|---|
Total new rules | 77 |
Total rule modifications | 62 |
Policy change | Yes |
Online help change | No |
Detection Engine change | No |
User Interface change | No |
Note: SEU packages are cumulative. The installation of prior SEU packages is not required before installing the current package.
WARNING: The time taken to install the latest SEU will depend on the last time the 3D System was updated with an SEU. Installing SEUs weekly can help lessen the installation time. Additionally, SEUs require 50 Megabytes of free space in /tmp and 250 Megabytes of free space in /var to install successfully.
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.
Microsoft Security Bulletin MS17-006:
Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.
Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41575 through 41576, 41585 through 41590, and 41625 through 41626.
New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 41954 through 41957.
Microsoft Security Bulletin MS17-007:
Microsoft Edge suffers from programming errors that may lead to remote code execution.
Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41553 through 41554, 41557 through 41562, 41573 through 41574, 41583 through 41584, 41593 through 41594, 41605 through 41606, and 41625 through 41626.
New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 41936 through 41939, 41942 through 41945, 41948 through 41953, 41958 through 41959, 41968 through 41969, and 41987 through 41988.
Microsoft Security Bulletin MS17-009:
A coding deficiency exists in Microsoft Windows PDF Library that may lead to remote code execution.
Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41601 through 41602.
Microsoft Security Bulletin MS17-010:
A coding deficiency exists in Microsoft Windows SMB Server that may lead to remote code execution.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 41978 and 41983 through 41984.
Microsoft Security Bulletin MS17-011:
A coding deficiency exists in Microsoft Uniscribe that may lead to remote code execution.
Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41597 through 41598.
New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 41934 through 41935, 41940 through 41941, 41960 through 41961, 41966 through 41967, 41972 through 41975, 41985 through 41986, and 41991 through 41992.
Microsoft Security Bulletin MS17-012:
A coding deficiency exists in Microsoft Windows that may lead to remote code execution.
Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41563 through 41564 and 41567 through 41572.
New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 41989 through 41990.
Microsoft Security Bulletin MS17-013:
A coding deficiency exists in Microsoft Graphics Component that may lead to remote code execution.
Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41591 through 41592.
New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 41932 through 41933, 41946 through 41947, 41970 through 41971, and 41993 through 41994.
Microsoft Security Bulletin MS17-014:
A coding deficiency exists in Microsoft Office that may lead to remote code execution.
Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41565 through 41566, 41577 through 41578, 41581 through 41582, 41597 through 41598, and 41797 through 41798.
New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 41962 through 41965, 41976 through 41977, and 41979 through 41982.
Microsoft Security Bulletin MS17-017:
A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.
Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 40394 through 40395 and 41607 through 41610.
Microsoft Security Bulletin MS17-018:
A coding deficiency exists in Microsoft Windows Kernel-Mode Drivers that may lead to an escalation of privilege.
Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41579 through 41580.
New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 41926 through 41931 and 41995 through 41998.
Microsoft Security Bulletin MS17-021:
A coding deficiency exists in Microsoft DirectShow that may lead to information disclosure.
Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41633 through 41634.
Microsoft Security Bulletin MS17-022:
A coding deficiency exists in Microsoft XML Core Services that may lead to information disclosure.
Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 40364 through 40365.
Talos has also added and modified multiple rules in the browser-ie, file-executable, file-flash, file-image, file-office, file-other, file-pdf, os-other, os-windows and server-samba rule sets to provide coverage for emerging threats from these technologies.
SEU packages are cumulative. The installation of prior SEU packages is not required before installing the current package. However, because SEUs are cumulative, issues identified in previous SEUs can require your attention when you import the current SEU. To review a cumulative list of recent feature updates and resolved issues since the last SEU you imported, see the Cumulative SEU Release Notes.
SEU installation instructions can be found in the Cumulative SEU Release Notes on the Sourcefire Customer Support Site and in your Sourcefire 3D System user guide.
The Talos Security Intelligence and Research Group (Talos) is made up of leading threat researchers supported by sophisticated systems to create threat intelligence for Cisco products that detects, analyzes and protects against both known and emerging threats. Talos maintains the official rule sets of Snort.org, ClamAV, SenderBase.org and SpamCop. The team's expertise spans software development, reverse engineering, vulnerability triage, malware investigation and intelligence gathering.