Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2015-05-12

This SRU number: 2015-05-12-002
Previous SRU number: 2015-05-06-001

Applies to:

This SEU number: 1295
Previous SEU: 1292

Applies to:

This is the complete list of rules added in SRU 2015-05-12-002 and SEU 1295.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State column gives the rule's state in each of the three default Sourcefire policies: Connectivity (Con.), Balanced (Bal.) and Security (Sec.).

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

High Priority

GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)

1 - 34349 - SERVER-OTHER - IBM Tivoli Storage Manager FastBack buffer overflow attempt - off / off / drop
1 - 34350 - SERVER-OTHER - IBM Tivoli Storage Manager FastBack buffer overflow attempt - off / off / drop
1 - 34351 - SERVER-OTHER - IBM Tivoli Storage Manager FastBack buffer overflow attempt - off / off / drop
1 - 34352 - SERVER-OTHER - IBM Tivoli Storage Manager FastBack buffer overflow attempt - off / off / drop
1 - 34353 - SERVER-OTHER - IBM Tivoli Storage Manager FastBack buffer overflow attempt - off / off / drop
1 - 34354 - FILE-FLASH - Adobe Flash Player NetConnection AS2 arbitrary code execution attempt - off / drop / drop
1 - 34355 - FILE-FLASH - Adobe Flash Player NetConnection AS2 arbitrary code execution attempt - off / drop / drop
1 - 34356 - FILE-FLASH - Adobe Flash Player NetConnection AS2 arbitrary code execution attempt - off / drop / drop
1 - 34357 - FILE-FLASH - Adobe Flash Player NetConnection AS2 arbitrary code execution attempt - off / drop / drop
1 - 34358 - SERVER-WEBAPP - Dell SonicWALL SonicOS macIpSpoofView cross site scripting attempt - off / off / off
1 - 34359 - SERVER-WEBAPP - ESF pfSense deletefile directory traversal attempt - off / off / off
1 - 34360 - SERVER-WEBAPP - ESF pfSense deletefile directory traversal attempt - off / off / off
1 - 34361 - SERVER-WEBAPP - ESF pfSense deletefile directory traversal attempt - off / off / off
1 - 34362 - MALWARE-CNC - Win.Trojan.Mantal variant outbound connection attempt - off / drop / drop
1 - 34363 - SERVER-WEBAPP - Novell ZENworks Configuration Management GetStoredResult.class SQL injection attempt - off / off / drop
1 - 34364 - SERVER-WEBAPP - Novell ZENworks Configuration Management rtrlet.class directory traversal attempt - off / off / drop
1 - 34365 - SERVER-WEBAPP - Magento remote code execution attempt - off / drop / drop
1 - 34366 - MALWARE-CNC - Win.Trojan.Mantal variant outbound connection attempt - off / drop / drop
1 - 34367 - MALWARE-CNC - Win.Trojan.Banload variant outbound connection - off / drop / drop
1 - 34368 - MALWARE-CNC - Win.Trojan.Banload variant outbound connection - off / drop / drop
3 - 34369 - SERVER-WEBAPP - Cisco UCS Central command injection attempt - off / drop / drop
1 - 34370 - BLACKLIST - DNS request for known malware domain mymoney.000a.de - Win.Trojan.Fareit - off / drop / drop
1 - 34371 - FILE-OTHER - Microsoft Journal memory corruption attempt - off / drop / drop
1 - 34372 - FILE-OTHER - Microsoft Journal memory corruption attempt - off / drop / drop
1 - 34373 - SERVER-OTHER - PHP zip_cdir_new function integer overflow file download attempt - off / off / off
1 - 34374 - SERVER-OTHER - PHP zip_cdir_new function integer overflow file download attempt - off / off / off
1 - 34375 - SERVER-OTHER - PHP zip_cdir_new function integer overflow file download attempt - off / off / off
1 - 34376 - SERVER-OTHER - PHP zip_cdir_new function integer overflow file download attempt - off / off / off
1 - 34379 - BROWSER-IE - Microsoft Internet Explorer protected mode sandbox privilege escalation attempt - off / drop / drop
1 - 34380 - BROWSER-IE - Microsoft Internet Explorer protected mode sandbox privilege escalation attempt - off / drop / drop
1 - 34381 - BROWSER-IE - Microsoft Internet Explorer range use after free attempt - off / drop / drop
1 - 34382 - BROWSER-IE - Microsoft Internet Explorer range use after free attempt - off / drop / drop
1 - 34383 - BROWSER-IE - Microsoft Internet Explorer memory corruption attempt - off / drop / drop
1 - 34384 - BROWSER-IE - Microsoft Internet Explorer memory corruption attempt - off / drop / drop
1 - 34385 - FILE-OTHER - Microsoft Journal memory corruption attempt - off / drop / drop
1 - 34386 - FILE-OTHER - Microsoft Journal memory corruption attempt - off / drop / drop
1 - 34387 - FILE-OTHER - Microsoft Journal out of bounds write attempt - off / drop / drop
1 - 34388 - FILE-OTHER - Microsoft Journal out of bounds write attempt - off / drop / drop
1 - 34389 - FILE-OTHER - Microsoft Journal out of bounds read attempt - off / drop / drop
1 - 34390 - FILE-OTHER - Microsoft Journal out of bounds read attempt - off / drop / drop
1 - 34391 - BROWSER-IE - Microsoft Internet Explorer TextData out of bounds read attempt - off / drop / drop
1 - 34392 - BROWSER-IE - Microsoft Internet Explorer TextData out of bounds read attempt - off / drop / drop
1 - 34399 - FILE-OTHER - Microsoft Journal file exploitation attempt - off / drop / drop
1 - 34400 - FILE-OTHER - Microsoft Journal file exploitation attempt - off / drop / drop
1 - 34401 - OS-WINDOWS - Microsoft Windows Calendar object heap corruption attempt - off / drop / drop
1 - 34402 - OS-WINDOWS - Microsoft Windows Calendar object heap corruption attempt - off / drop / drop
1 - 34403 - FILE-OTHER - Microsoft Journal out of bounds read attempt - off / drop / drop
1 - 34404 - FILE-OTHER - Microsoft Journal out of bounds read attempt - off / drop / drop
1 - 34405 - BROWSER-IE - Microsoft Internet Explorer improper copy buffer access information disclosure attempt - off / off / off
1 - 34406 - BROWSER-IE - Microsoft Internet Explorer improper copy buffer access information disclosure attempt - off / off / off
1 - 34407 - BROWSER-IE - Microsoft Internet Explorer protected mode sandbox bypass attempt - off / drop / drop
1 - 34408 - BROWSER-IE - Microsoft Internet Explorer protected mode sandbox bypass attempt - off / drop / drop
1 - 34409 - BROWSER-IE - Microsoft Internet Explorer DOMNodeInserted use-after-free attempt - off / drop / drop
1 - 34410 - BROWSER-IE - Microsoft Internet Explorer DOMNodeInserted use-after-free attempt - off / drop / drop
1 - 34411 - BROWSER-IE - Microsoft Internet Explorer CSecurityContext type confusion use after free attempt - off / drop / drop
1 - 34412 - BROWSER-IE - Microsoft Internet Explorer CSecurityContext type confusion use after free attempt - off / drop / drop
1 - 34413 - OS-WINDOWS - Microsoft Windows NtUserGetScrollBarInfo information disclosure attempt - off / drop / drop
1 - 34414 - OS-WINDOWS - Microsoft Windows NtUserGetScrollBarInfo information disclosure attempt - off / drop / drop
1 - 34415 - BROWSER-IE - Microsoft Internet Explorer dd element use after free attempt - off / drop / drop
1 - 34416 - BROWSER-IE - Microsoft Internet Explorer IE8 compatibility mode enable attempt - off / off / off
1 - 34417 - BROWSER-IE - Microsoft Internet Explorer dd element use after free attempt - off / drop / drop
1 - 34418 - BROWSER-IE - Microsoft Internet Explorer Element object use-after-free attempt - off / drop / drop
1 - 34419 - BROWSER-IE - Microsoft Internet Explorer Element object use-after-free attempt - off / drop / drop
1 - 34420 - BROWSER-IE - Microsoft Internet Explorer CDispScroller object use-after-free attempt - off / drop / drop
1 - 34421 - BROWSER-IE - Microsoft Internet Explorer CDispScroller object use-after-free attempt - off / drop / drop
1 - 34422 - BROWSER-IE - Microsoft Internet Explorer CTitleElement object use-after-free attempt - off / drop / drop
1 - 34423 - BROWSER-IE - Microsoft Internet Explorer CTitleElement object use-after-free attempt - off / drop / drop
1 - 34424 - BROWSER-IE - Microsoft Internet Explorer compatibility mode use after free attempt - off / drop / drop
1 - 34425 - BROWSER-IE - Microsoft Internet Explorer compatibility mode use after free attempt - off / drop / drop
1 - 34430 - BROWSER-IE - Microsoft Internet Explorer CTreePos object use after free attempt - off / off / drop
1 - 34431 - BROWSER-IE - Microsoft Internet Explorer CTreePos object use after free attempt - off / off / drop
1 - 34432 - BROWSER-IE - Microsoft Internet Explorer TableGridBlock use after free attempt - off / drop / drop
1 - 34433 - BROWSER-IE - Microsoft Internet Explorer TableGridBlock use after free attempt - off / drop / drop
1 - 34436 - BROWSER-IE - Microsoft Internet Explorer CTitleElement use after free attempt - off / drop / drop
1 - 34437 - BROWSER-IE - Microsoft Internet Explorer CTitleElement use after free attempt - off / drop / drop
1 - 34438 - OS-WINDOWS - Microsoft Windows Explorer .msc file stack overflow attempt - off / off / drop
1 - 34439 - OS-WINDOWS - Microsoft Windows Explorer .msc file stack overflow attempt - off / off / drop
1 - 34440 - OS-WINDOWS - Microsoft Windows Win32k TrueType Font parsing out of bounds attempt - off / drop / drop
1 - 34441 - OS-WINDOWS - Microsoft Windows Win32k TrueType Font parsing out of bounds attempt - off / drop / drop
1 - 34444 - BROWSER-IE - Microsoft Internet Explorer TableGridBlock object use after free attempt - off / off / drop
1 - 34445 - BROWSER-IE - Microsoft Internet Explorer TableGridBlock object use after free attempt - off / off / drop
Medium Priority

GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)

1 - 34377 - OS-WINDOWS - Microsoft Windows NtUserGetComboBoxInfo information disclosure attempt - off / drop / drop
1 - 34378 - OS-WINDOWS - Microsoft Windows NtUserGetComboBoxInfo information disclosure attempt - off / drop / drop
1 - 34393 - BROWSER-IE - Microsoft Internet Explorer vbscript regular expression information disclosure attempt - off / off / drop
1 - 34394 - BROWSER-IE - Microsoft Internet Explorer vbscript regular expression information disclosure attempt - off / off / drop
1 - 34426 - OS-WINDOWS - Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt - off / drop / drop
1 - 34427 - OS-WINDOWS - Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt - off / drop / drop
1 - 34428 - FILE-OFFICE - Microsoft Word incorrect ptCount element denial of service attempt - off / drop / drop
1 - 34429 - FILE-OFFICE - Microsoft Word incorrect ptCount element denial of service attempt - off / drop / drop
1 - 34434 - OS-WINDOWS - Microsoft Windows .NET XML recursive call denial of service attempt - off / drop / drop
1 - 34435 - OS-WINDOWS - Microsoft Windows .NET XML recursive call denial of service attempt - off / drop / drop
1 - 34442 - OS-WINDOWS - Microsoft Windows NTUserGetTitleBarInfo information disclosure attempt - off / drop / drop
1 - 34443 - OS-WINDOWS - Microsoft Windows NTUserGetTitleBarInfo information disclosure attempt - off / drop / drop
Low Priority

GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)

1 - 34395 - FILE-IDENTIFY - Microsoft Journal file attachment detected - off / off / off
1 - 34396 - FILE-IDENTIFY - Microsoft Journal file attachment detected - off / off / off
1 - 34397 - FILE-IDENTIFY - Microsoft Journal file download request - off / off / off
1 - 34398 - FILE-IDENTIFY - Microsoft Journal file download attempt - off / off / off

Updated Rules:

Updated rules can be found at this link.