Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-11-21

This SRU number: 2017-11-20-002
Previous SRU number: 2017-11-15-001

Applies to:

This SEU number: 1760
Previous SEU: 1758

Applies to:

This is the complete list of rules added in SRU 2017-11-20-002 and SEU 1760.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State gives the rule's state in each of the default Sourcefire policies: Connectivity (Con.), Balanced (Bal.) and Security (Sec.).

The default passive policy state is the same as the Balanced policy state, except that alert is used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.
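As an added example (not Talos's own tooling), here is a small Python parser for rule lines written in the format stated above, with the Policy State given as three Con. / Bal. / Sec. values; it also derives the default passive state by the rule just given (alert where Balanced would drop). The slash-separated state field, the sample rows and the helper names are assumptions made for this example.

```python
# Parse Talos SRU rule-list lines in the page's stated format:
# GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)
from dataclasses import dataclass

POLICIES = ("connectivity", "balanced", "security")  # Con. / Bal. / Sec. column order
VALID_STATES = {"off", "alert", "drop"}

@dataclass
class Rule:
    gid: int
    sid: int
    group: str
    message: str
    states: dict  # policy name -> "off" | "alert" | "drop"

    @property
    def passive_state(self) -> str:
        # Default passive policy mirrors Balanced, with alert in place of drop.
        balanced = self.states["balanced"]
        return "alert" if balanced == "drop" else balanced

def parse_rule_line(line: str) -> Rule:
    # Take GID, SID and Rule Group from the left and Policy State from the right,
    # so a " - " inside the Rule Message (e.g. "... - Win.Trojan.Volgmer") survives.
    head = line.strip().split(" - ", 3)
    if len(head) != 4:
        raise ValueError(f"not a rule line: {line!r}")
    gid, sid, group, rest = head
    message, _, policy = rest.rpartition(" - ")
    states = [s.strip() for s in policy.split("/")]
    if not message or len(states) != 3 or not set(states) <= VALID_STATES:
        raise ValueError(f"bad policy state in: {line!r}")
    return Rule(int(gid), int(sid), group, message, dict(zip(POLICIES, states)))

def parse_rule_lines(lines) -> list:
    # Skip blank lines and the header line (which starts with "GID").
    return [parse_rule_line(l) for l in lines if l.strip() and not l.startswith("GID")]

def enabled_in(rules, policy: str) -> list:
    # (GID, SID) pairs whose state is not "off" in the named default policy.
    return [(r.gid, r.sid) for r in rules if r.states[policy] != "off"]

# Constructed sample: three rows copied from the High Priority table, header included.
SAMPLE_LINES = [
    "GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)",
    "1 - 44886 - BLACKLIST - User-Agent known malicious user-agent string - Win.Trojan.Volgmer - off / drop / drop",
    "3 - 44908 - FILE-OTHER - KeyView SDK WordPerfect parsing stack buffer overflow attempt - off / off / drop",
    "1 - 44904 - FILE-PDF - Adobe Acrobat untrusted pointer dereference attempt - off / off / off",
]
```

Running `enabled_in(parse_rule_lines(SAMPLE_LINES), "connectivity")` returns an empty list, which is the practical point of the release note: none of these rules fire in a Connectivity-based policy unless enabled by hand.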

New Rules:

High Priority

GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)

1 - 44886 - BLACKLIST - User-Agent known malicious user-agent string - Win.Trojan.Volgmer - off / drop / drop
1 - 44887 - FILE-FLASH - Adobe Flash Player bitmap hitTest integer overflow attempt - off / drop / drop
1 - 44888 - FILE-FLASH - Adobe Flash Player bitmap hitTest integer overflow attempt - off / drop / drop
1 - 44889 - BLACKLIST - User-Agent known malicious user-agent string - WidgiToolbar - off / drop / drop
1 - 44890 - SERVER-OTHER - CouchDB remote privilege escalation attempt - off / off / drop
1 - 44891 - FILE-FLASH - Adobe Flash Player determinePreferredLocales memory corruption attempt - off / drop / drop
1 - 44892 - FILE-FLASH - Adobe Flash Player determinePreferredLocales memory corruption attempt - off / drop / drop
1 - 44893 - FILE-OTHER - Adobe Professional EMF out of bounds read attempt - off / off / drop
1 - 44894 - FILE-OTHER - Adobe Professional EMF out of bounds read attempt - off / off / drop
1 - 44895 - MALWARE-CNC - Win.Trojan.CoinMiner inbound request attempt - off / drop / drop
1 - 44896 - MALWARE-CNC - Win.Trojan.CoinMiner outbound request attempt - off / drop / drop
1 - 44897 - MALWARE-CNC - Win.Trojan.CoinMiner outbound request attempt - off / drop / drop
1 - 44898 - MALWARE-CNC - Win.Trojan.CoinMiner outbound request attempt - off / drop / drop
1 - 44899 - MALWARE-CNC - Win.Trojan.CoinMiner inbound request attempt - off / drop / drop
1 - 44900 - FILE-PDF - Adobe Reader PDF embedded javascript events use after free attempt - off / drop / drop
1 - 44901 - FILE-PDF - Adobe Reader PDF embedded javascript events use after free attempt - off / drop / drop
1 - 44902 - FILE-FLASH - Adobe Flash Player PSDK Metadata memory corruption attempt - off / drop / drop
1 - 44903 - FILE-FLASH - Adobe Flash Player PSDK Metadata memory corruption attempt - off / drop / drop
1 - 44904 - FILE-PDF - Adobe Acrobat untrusted pointer dereference attempt - off / off / off
1 - 44905 - FILE-PDF - Adobe Acrobat untrusted pointer dereference attempt - off / off / off
1 - 44906 - FILE-PDF - Adobe Acrobat Reader javscript use after free attempt - off / off / off
1 - 44907 - FILE-PDF - Adobe Acrobat Reader javscript use after free attempt - off / off / off
3 - 44908 - FILE-OTHER - KeyView SDK WordPerfect parsing stack buffer overflow attempt - off / off / drop
3 - 44909 - FILE-OTHER - KeyView SDK WordPerfect parsing stack buffer overflow attempt - off / off / drop
3 - 44910 - SERVER-OTHER - Altiris Express Server Engine stack buffer overflow attempt - off / off / drop
1 - 44911 - MALWARE-CNC - Osx.Trojan.Fruitfly variant outbound connection detected - off / drop / drop
1 - 44912 - FILE-IMAGE - Adobe Acrobat Pro invalid APP13 marker size attempt - off / drop / drop
1 - 44913 - FILE-IMAGE - Adobe Acrobat Pro invalid APP13 marker size attempt - off / drop / drop
1 - 44914 - FILE-PDF - Adobe Acrobat Reader PrintParams out of bounds array index attempt - off / off / off
1 - 44915 - FILE-PDF - Adobe Acrobat Reader PrintParams out of bounds array index attempt - off / off / off
1 - 44916 - SERVER-WEBAPP - ManageEngine Applications Manager GraphicalView.do SQL injection attempt - off / off / drop
1 - 44917 - SERVER-WEBAPP - ManageEngine Applications Manager GraphicalView.do SQL injection attempt - off / off / drop
1 - 44918 - SERVER-WEBAPP - ManageEngine Applications Manager GraphicalView.do SQL injection attempt - off / off / drop
1 - 44919 - FILE-OTHER - Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt - off / off / off
1 - 44920 - FILE-OTHER - Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt - off / off / off
1 - 44921 - SERVER-WEBAPP - ManageEngine Applications Manager manageApplications.do SQL injection attempt - off / off / drop
1 - 44922 - SERVER-WEBAPP - ManageEngine Applications Manager manageApplications.do SQL injection attempt - off / off / drop
1 - 44923 - FILE-OTHER - Adobe Acrobat EMF Bezier curve out of bounds read attempt - off / off / drop
1 - 44924 - FILE-OTHER - Adobe Acrobat EMF Bezier curve out of bounds read attempt - off / off / drop
1 - 44929 - FILE-IMAGE - Adobe Acrobat Pro EMF out of bounds write attempt - off / drop / drop
1 - 44930 - FILE-IMAGE - Adobe Acrobat Pro EMF out of bounds write attempt - off / drop / drop
1 - 44931 - FILE-OTHER - Adobe Acrobat Pro XPS file embedded JPEG invalid SOS data memory corruption attempt - off / off / off
1 - 44932 - FILE-OTHER - Adobe Acrobat Pro XPS file embedded JPEG invalid SOS data memory corruption attempt - off / off / off
1 - 44933 - FILE-PDF - Adobe Acrobat Reader untrusted pointer dereference attempt - off / off / drop
1 - 44934 - FILE-PDF - Adobe Acrobat Reader untrusted pointer dereference attempt - off / off / drop
1 - 44935 - FILE-OTHER - Adobe Acrobat Pro XPS out of bounds read attempt - off / off / off
1 - 44936 - FILE-OTHER - Adobe Acrobat Pro XPS out of bounds read attempt - off / off / off
1 - 44937 - FILE-OTHER - Adobe Acrobat EMFPlus out of bounds buffer overflow attempt - off / off / drop
1 - 44938 - FILE-OTHER - Adobe Acrobat EMFPlus out of bounds buffer overflow attempt - off / off / drop
1 - 44939 - FILE-PDF - Adobe Acrobat field dictionary value Unicode buffer overflow attempt - off / drop / drop
1 - 44940 - FILE-PDF - Adobe Acrobat field dictionary value Unicode buffer overflow attempt - off / drop / drop
1 - 44943 - MALWARE-CNC - Win.Trojan.FallChill variant outbound connection - off / drop / drop
1 - 44944 - MALWARE-CNC - Win.Trojan.FallChill variant outbound connection - off / drop / drop
1 - 44945 - MALWARE-CNC - Win.Trojan.FallChill variant outbound connection - off / drop / drop
1 - 44946 - MALWARE-CNC - Win.Trojan.FallChill variant outbound connection - off / drop / drop
1 - 44947 - FILE-PDF - Adobe Acrobat Reader double free attempt - off / off / off
1 - 44948 - FILE-PDF - Adobe Acrobat Reader double free attempt - off / off / off
1 - 44949 - FILE-PDF - Acrobat TrueTypeFont file out of bounds read attempt - off / drop / drop
1 - 44950 - FILE-PDF - Acrobat TrueTypeFont file out of bounds read attempt - off / drop / drop
1 - 44951 - FILE-FLASH - Adobe Flash Player Primetime SDK use after free attempt - off / off / drop
1 - 44952 - FILE-FLASH - Adobe Flash Player Primetime SDK use after free attempt - off / off / drop
1 - 44953 - FILE-OTHER - Adobe Acrobat EMF out of bounds buffer overflow attempt - off / off / drop
1 - 44954 - FILE-OTHER - Adobe Acrobat EMF out of bounds buffer overflow attempt - off / off / drop
1 - 44955 - FILE-PDF - Adobe Acrobat Reader JavaScript infinite recursion heap overflow attempt - off / drop / drop
1 - 44956 - FILE-PDF - Adobe Acrobat Reader JavaScript infinite recursion heap overflow attempt - off / drop / drop
1 - 44957 - FILE-PDF - Adobe Acrobat malformed XObject use after free attempt - off / off / off
1 - 44958 - FILE-PDF - Adobe Acrobat malformed XObject use after free attempt - off / off / off
1 - 44959 - FILE-IMAGE - Adobe Acrobat TIFF malformed YCbCrCoefficients values memory corruption attempt - off / drop / drop
1 - 44960 - FILE-IMAGE - Adobe Acrobat TIFF malformed YCbCrCoefficients values memory corruption attempt - off / drop / drop
1 - 44961 - FILE-PDF - Adobe Acrobat Reader untrusted pointer dereference attempt - off / off / drop
1 - 44962 - FILE-PDF - Adobe Acrobat Reader untrusted pointer dereference attempt - off / off / drop
1 - 44963 - FILE-FLASH - Adobe Flash Player tvsdk object use after free attempt - off / drop / drop
1 - 44964 - FILE-FLASH - Adobe Flash Player tvsdk object use after free attempt - off / drop / drop
1 - 44965 - FILE-OTHER - Adobe Acrobat Pro security bypass attempt - off / off / drop
1 - 44966 - FILE-OTHER - Adobe Acrobat Pro security bypass attempt - off / off / drop
1 - 44967 - FILE-PDF - Acrobat malformed html tag out of bounds read attempt - off / drop / drop
1 - 44968 - FILE-PDF - Acrobat malformed html tag out of bounds read attempt - off / drop / drop
1 - 44969 - FILE-IMAGE - Adobe Acrobat Pro EMF EmfPlusFont memory corruption attempt - off / drop / drop
1 - 44970 - FILE-IMAGE - Adobe Acrobat Pro EMF EmfPlusFont memory corruption attempt - off / drop / drop
1 - 44971 - SERVER-OTHER - QNAP transcode server command injection attempt - off / off / off
1 - 44972 - MALWARE-CNC - Win.Trojan.Ramnit variant outbound connection attempt - off / drop / drop
1 - 44973 - MALWARE-CNC - Win.Trojan.Ramnit variant outbound connection attempt - off / drop / drop
1 - 44975 - MALWARE-CNC - Php.Dropper.Mayhem cnc communication attempt - off / drop / drop
1 - 44976 - FILE-PDF - Adobe Reader ActualText attribute type confusion attempt - off / off / drop
1 - 44977 - FILE-PDF - Adobe Reader ActualText attribute type confusion attempt - off / off / drop
1 - 44978 - BROWSER-FIREFOX - Mozilla Firefox browser engine memory corruption attempt - off / off / off
1 - 44981 - MALWARE-OTHER - Win.Ransomware.Kristina encryption over SMB attempt - off / drop / drop
1 - 44982 - MALWARE-OTHER - Win.Ransomware.Kristina encryption over SMB attempt - off / drop / drop
1 - 44983 - FILE-OTHER - Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt - off / drop / drop
1 - 44984 - FILE-OTHER - Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt - off / drop / drop
1 - 44987 - FILE-PDF - Adobe Acrobat PDF font character encoding out of bounds write attempt - off / drop / drop
1 - 44988 - FILE-PDF - Adobe Acrobat PDF font character encoding out of bounds write attempt - off / drop / drop
1 - 44989 - FILE-OFFICE - Microsoft Office Equation Editor object with automatic execution embedded in RTF attempt - off / drop / drop
1 - 44990 - FILE-OFFICE - Microsoft Office Equation Editor object with automatic execution embedded in RTF attempt - off / drop / drop
Medium Priority

GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)

1 - 44925 - FILE-PDF - Adobe Acrobat thermometer object untrusted pointer dereference attempt - off / drop / drop
1 - 44926 - FILE-PDF - Adobe Acrobat thermometer object untrusted pointer dereference attempt - off / drop / drop
1 - 44974 - SERVER-OTHER - Cisco IOS Smart Install identification attempt - off / off / off
1 - 44979 - FILE-PDF - Foxit Reader util printf information disclosure attempt - off / off / off
1 - 44980 - FILE-PDF - Foxit Reader util printf information disclosure attempt - off / off / off
1 - 44985 - SERVER-OTHER - Galil RIO-47100 denial of service attempt - off / off / off
3 - 44986 - SERVER-OTHER - TRUFFLEHUNTER TALOS-2017-0486 attack attempt - off / off / off
Low Priority

GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)

1 - 44927 - FILE-OTHER - Adobe Acrobat Pro WebCapture out of bounds read attempt - off / drop / drop
1 - 44928 - FILE-OTHER - Adobe Acrobat Pro WebCapture out of bounds read attempt - off / drop / drop
1 - 44941 - FILE-OTHER - Adobe Acrobat Reader FDF file security bypass attempt - off / off / off
1 - 44942 - FILE-OTHER - Adobe Acrobat Reader FDF file security bypass attempt - off / off / off

Updated Rules:

Updated rules can be found at this link.