Cisco SEU Update for Sourcefire 3D System

Date: 2017-11-14

This SEU number: 1757
Previous SEU number: 1756
Corresponding SRU number: 2017-11-13-001

Applies to:

3D Sensor versions: 4.10
Cisco FireSIGHT Management Center (formerly Defense Center) versions: 4.10

SEU Change Summary:

Component	Change
Total new rules	56
Total rule modifications	11
Policy change	Yes
Online help change	No
Detection Engine change	No
User Interface change	No

Note: SEU packages are cumulative. The installation of prior SEU packages is not required before installing the current package.

WARNING: The time taken to install the latest SEU will depend on the last time the 3D System was updated with an SEU. Installing SEUs weekly can help lessen the installation time. Additionally, SEUs require 50 Megabytes of free space in /tmp and 250 Megabytes of free space in /var to install successfully.

Synopsis:

Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Details:

Microsoft Vulnerability CVE-2017-11791:
A coding deficiency exists in Microsoft Scripting Engine that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44819 through 44820.

Microsoft Vulnerability CVE-2017-11837:
A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44809 through 44810.

Microsoft Vulnerability CVE-2017-11840:
A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44811 through 44812.

Microsoft Vulnerability CVE-2017-11841:
A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44813 through 44814.

Microsoft Vulnerability CVE-2017-11843:
A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44815 through 44816.

Microsoft Vulnerability CVE-2017-11845:
A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44817 through 44818.

Microsoft Vulnerability CVE-2017-11846:
A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44845 through 44846.

Microsoft Vulnerability CVE-2017-11847:
A coding deficiency exists in Microsoft Windows Kernel that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44833 through 44834.

Microsoft Vulnerability CVE-2017-11854:
A coding deficiency exists in Microsoft Word that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44838 through 44839.

Microsoft Vulnerability CVE-2017-11855:
A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44831 through 44832.

Microsoft Vulnerability CVE-2017-11856:
A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44829 through 44830.

Microsoft Vulnerability CVE-2017-11858:
A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44827 through 44828.

Microsoft Vulnerability CVE-2017-11861:
A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44825 through 44826.

Microsoft Vulnerability CVE-2017-11869:
A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44823 through 44824.

Microsoft Vulnerability CVE-2017-11873:
A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44843 through 44844.

Microsoft Vulnerability CVE-2017-11878:
A coding deficiency exists in Microsoft Excel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44821 through 44822.

Talos also has added and modified multiple rules in the browser-ie, file-image, file-office, file-other, file-pdf, indicator-compromise, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

SEU Summary:

For a complete list of new and modified rules use this link.

Cumulative SEU Release Notes:

SEU packages are cumulative. The installation of prior SEU packages is not required before installing the current package. However, because SEUs are cumulative, issues identified in previous SEUs can require your attention when you import the current SEU. To review a cumulative list of recent feature updates and resolved issues since the last SEU you imported, view the Cumulative SEU Release Notes here.

SEU Application:

SEU installation instructions can be found in the Cumulative SEU Release Notes on the Sourcefire Customer Support Site and in your Sourcefire 3D System user guide.

For Assistance:

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information about Cisco ASA devices, see What's New in Cisco Product Documentation.

Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service. If you have any questions or require assistance with Cisco ASA devices, please contact Cisco Support:

Note: To open a TAC request, you must first register for a Cisco.com user ID
Once you have a Cisco.com user ID, you may initiate or check on the status of a service request online or contacting the TAC by phone:

U.S. - 1-800-553-2447 Toll Free
International support numbers

For additional information on obtaining technical support through the TAC, please consult the Technical Support Reference Guide (PDF - 1 MB)

About Talos:

The Talos Security Intelligence and Research Group (Talos) is made up of leading threat researchers supported by sophisticated systems to create threat intelligence for Cisco products that detects, analyzes and protects against both known and emerging threats. Talos maintains the official rule sets of Snort.org, ClamAV, SenderBase.org and SpamCop. The team's expertise spans software development, reverse engineering, vulnerability triage, malware investigation and intelligence gathering.