Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-03-14

This SRU number: 2017-03-14-002
Previous SRU number: 2017-03-09-002

Applies to:

This SEU number: 1629
Previous SEU: 1627

Applies to:

This is the complete list of rules added in SRU 2017-03-14-002 and SEU 1629.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State column gives the rule's state in each of the three default Sourcefire policies: Connectivity (Con.), Balanced (Bal.) and Security (Sec.).

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

High Priority
GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)
1 - 41924 - FILE-OTHER - Notepad++ scilexer.dll dll-load exploit attempt - off / off / off
1 - 41925 - FILE-OTHER - Notepad++ scilexer.dll dll-load exploit attempt - off / off / off
1 - 41926 - OS-WINDOWS - Microsoft Win32u NtUserThunkedMenuItemInfo use after free attempt - off / drop / drop
1 - 41927 - OS-WINDOWS - Microsoft Win32u NtUserThunkedMenuItemInfo use after free attempt - off / drop / drop
1 - 41928 - OS-WINDOWS - Microsoft Win32k DDI use after free attempt - off / drop / drop
1 - 41929 - OS-WINDOWS - Microsoft Win32k DDI use after free attempt - off / drop / drop
1 - 41930 - OS-WINDOWS - Microsoft Win32k DDI use after free attempt - off / drop / drop
1 - 41931 - OS-WINDOWS - Microsoft Win32k DDI use after free attempt - off / drop / drop
1 - 41932 - FILE-OTHER - Microsoft Windows Uniscribe privilege escalation attempt - off / drop / drop
1 - 41933 - FILE-OTHER - Microsoft Windows Uniscribe privilege escalation attempt - off / drop / drop
1 - 41934 - FILE-OTHER - Microsoft Windows Uniscribe privilege escalation attempt - off / drop / drop
1 - 41935 - FILE-OTHER - Microsoft Windows Uniscribe privilege escalation attempt - off / drop / drop
1 - 41936 - BROWSER-IE - Microsoft Edge TypedArray setter arbitrary write attempt - off / drop / drop
1 - 41937 - BROWSER-IE - Microsoft Edge TypedArray setter arbitrary write attempt - off / drop / drop
1 - 41938 - BROWSER-IE - Microsoft Edge reverse helper heap buffer overflow attempt - off / drop / drop
1 - 41939 - BROWSER-IE - Microsoft Edge reverse helper heap buffer overflow attempt - off / drop / drop
1 - 41940 - OS-WINDOWS - Microsoft Windows TrueTypeFont post table out of bounds write attempt - off / drop / drop
1 - 41941 - OS-WINDOWS - Microsoft Windows TrueTypeFont post table out of bounds write attempt - off / drop / drop
1 - 41942 - BROWSER-IE - Microsoft Edge EntrySimpleSlotGetter use after free attempt - off / drop / drop
1 - 41943 - BROWSER-IE - Microsoft Edge EntrySimpleSlotGetter use after free attempt - off / drop / drop
1 - 41944 - BROWSER-IE - Microsoft Edge scripting engine security bypass css attempt - off / drop / drop
1 - 41945 - BROWSER-IE - Microsoft Edge scripting engine security bypass css attempt - off / drop / drop
1 - 41946 - FILE-IMAGE - Microsoft GDI+ malformed EMF description out of bounds read attempt - off / off / off
1 - 41947 - FILE-IMAGE - GDI+ malformed EMF description out of bounds read attempt - off / off / off
1 - 41950 - BROWSER-IE - Microsoft Edge WebAssembly memory corruption attempt - off / drop / drop
1 - 41951 - BROWSER-IE - Microsoft Edge WebAssembly memory corruption attempt - off / drop / drop
1 - 41952 - BROWSER-IE - Microsoft Edge local file read information leak attempt - off / drop / drop
1 - 41953 - BROWSER-IE - Microsoft Edge local file read information leak attempt - off / drop / drop
1 - 41954 - BROWSER-IE - Microsoft Internet Explorer textarea type confusion attempt - off / drop / drop
1 - 41955 - BROWSER-IE - Microsoft Internet Explorer textarea type confusion attempt - off / drop / drop
1 - 41956 - BROWSER-IE - Microsoft Internet Explorer arguments type confusion attempt - off / drop / drop
1 - 41957 - BROWSER-IE - Microsoft Internet Explorer arguments type confusion attempt - off / drop / drop
1 - 41958 - BROWSER-IE - Microsoft Edge malformed UTF-8 decode arbitrary read attempt - off / drop / drop
1 - 41959 - BROWSER-IE - Microsoft Edge malformed UTF-8 decode arbitrary read attempt - off / drop / drop
1 - 41960 - OS-WINDOWS - Microsoft Windows TrueType Font LookupTable out of bounds write attempt - off / drop / drop
1 - 41961 - OS-WINDOWS - Microsoft Windows TrueType Font LookupTable out of bounds write attempt - off / drop / drop
1 - 41962 - FILE-OFFICE - Microsoft Office Word template remote code execution attempt - off / drop / drop
1 - 41963 - FILE-OFFICE - Microsoft Office Word template remote code execution attempt - off / drop / drop
1 - 41964 - FILE-OFFICE - Microsoft Word 2010 use-after-free memory corruption vulnerability attempt - off / off / drop
1 - 41965 - FILE-OFFICE - Microsoft Word 2010 use-after-free memory corruption vulnerability attempt - off / off / drop
1 - 41966 - OS-WINDOWS - Microsoft Windows TrueTypeFont GSUB table out of bounds write attempt - off / drop / drop
1 - 41967 - OS-WINDOWS - Microsoft Windows TrueTypeFont GSUB table out of bounds write attempt - off / drop / drop
1 - 41968 - BROWSER-IE - Microsoft Edge JavascriptProxy SetPropertyTrap type confusion attempt - off / off / off
1 - 41969 - BROWSER-IE - Microsoft Edge JavascriptProxy SetPropertyTrap type confusion attempt - off / off / off
1 - 41970 - FILE-IMAGE - GDI+ malformed EMF comment heap access violation attempt - off / drop / drop
1 - 41971 - FILE-IMAGE - GDI+ malformed EMF comment heap access violation attempt - off / drop / drop
1 - 41972 - OS-WINDOWS - Microsoft Windows TrueType Font out of bounds write attempt - off / drop / drop
1 - 41973 - OS-WINDOWS - Microsoft Windows TrueType Font out of bounds write attempt - off / drop / drop
1 - 41974 - OS-WINDOWS - Microsoft Windows TrueType Font out of bounds write attempt - off / drop / drop
1 - 41975 - OS-WINDOWS - Microsoft Windows TrueType Font out of bounds write attempt - off / drop / drop
1 - 41976 - FILE-OFFICE - Microsoft Excel shared strings memory corruption attempt - off / drop / drop
1 - 41977 - FILE-OFFICE - Microsoft Excel shared strings memory corruption attempt - off / drop / drop
1 - 41978 - SERVER-SAMBA - Microsoft Windows Samba buffer overflow attempt - off / drop / drop
1 - 41979 - FILE-OFFICE - Microsoft Excel shared strings memory corruption attempt - off / drop / drop
1 - 41980 - FILE-OFFICE - Microsoft Excel shared strings memory corruption attempt - off / drop / drop
1 - 41981 - FILE-OFFICE - Microsoft Office Word out of bounds read attempt - off / off / drop
1 - 41982 - FILE-OFFICE - Microsoft Office Word out of bounds read attempt - off / off / drop
1 - 41983 - OS-WINDOWS - Microsoft Windows SMBv1 identical MID and FID type confusion attempt - off / off / drop
1 - 41984 - OS-WINDOWS - Microsoft Windows SMBv1 identical MID and FID type confusion attempt - off / off / drop
1 - 41985 - OS-WINDOWS - Microsoft Windows TrueTypeFont post table out of bounds write attempt - off / drop / drop
1 - 41986 - OS-WINDOWS - Microsoft Windows TrueTypeFont post table out of bounds write attempt - off / drop / drop
1 - 41987 - BROWSER-IE - Microsoft Edge web address spoofing attempt - off / off / off
1 - 41988 - BROWSER-IE - Microsoft Edge web address spoofing attempt - off / off / off
1 - 41989 - FILE-EXECUTABLE - Microsoft Windows Com Session Moniker privilege escalation attempt - off / off / off
1 - 41990 - FILE-EXECUTABLE - Microsoft Windows Com Session Moniker privilege escalation attempt - off / off / off
1 - 41991 - FILE-OTHER - Microsoft Windows TTF file out of bounds access attempt - off / drop / drop
1 - 41992 - FILE-OTHER - Microsoft Windows TTF file out of bounds access attempt - off / drop / drop
1 - 41993 - OS-WINDOWS - Microsoft Windows GDI WMF out of bounds read attempt - off / drop / drop
1 - 41994 - OS-WINDOWS - Microsoft Windows GDI WMF out of bounds read attempt - off / drop / drop
1 - 41995 - OS-WINDOWS - Microsoft Windows DDI privilege escalation attempt - off / off / drop
1 - 41996 - OS-WINDOWS - Microsoft Windows DDI privilege escalation attempt - off / off / drop
1 - 41997 - OS-WINDOWS - Microsoft GDI+ privilege escalation attempt - off / off / off
1 - 41998 - OS-WINDOWS - Microsoft GDI+ privilege escalation attempt - off / off / drop
3 - 41999 - OS-OTHER - TRUFFLEHUNTER TALOS-2017-0296 attack attempt - off / drop / drop
3 - 42000 - SERVER-OTHER - TRUFFLEHUNTER TALOS-2017-0293 attack attempt - off / off / off

Medium Priority
GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)
1 - 41948 - BROWSER-IE - Microsoft Edge fetch API same origin policy bypass attempt - off / off / off
1 - 41949 - BROWSER-IE - Microsoft Edge fetch API same origin policy bypass attempt - off / off / off

Updated Rules:

Updated rules can be found at this link.