Update Details

Update #2595 (12/22/2015)

4 new signatures:

HIGH	HTTP:SQL:INJ:MANAGENGINE-RUNQRY	HTTP: ManageEngine EventLog Analyzer runQuery guest user SQL Injection
MEDIUM	HTTP:PHP:SEARCHBLOX-REQ-ID	HTTP: SearchBlox Request Remote Information Disclosure
MEDIUM	HTTP:SCRIPT-INJ-EXP-60	HTTP:SCRIPT-INJ Infection-60
HIGH	HTTP:SQL:INJ:MANAGENGINE-OPMANG	HTTP: ManageEngine OpManager SubmitQuery IntegrationUser SQL Code Execution

6 updated signatures:

MEDIUM	APP:MISC:ARCSERVE-GETBACKUP	APP: Arcserve GetBackupPolicy Information Disclosure
MEDIUM	HTTP:SQL:INJ:REQ-VAR-4	HTTP: SQL Injection Detected on HTTP Request Variable 4
HIGH	APP:NOVELL:PREBOOT-POLICY-BO	APP: Novell ZENworks Configuration Management Preboot Policy Service Buffer Overflow
HIGH	HTTP:STC:ACTIVEX:PANASONIC-API	HTTP: Panasonic Security API SDK Unsafe ActiveX Control
HIGH	HTTP:STC:IE:CVE-2015-6071-CE	HTTP: Microsoft Internet Explorer CVE-2015-6071 Remote Code Execution
MEDIUM	HTTP:STC:DL:EICAR	HTTP: EICAR Antivirus Test File Download

Details of the signatures included within this bulletin:

APP:MISC:ARCSERVE-GETBACKUP - APP: Arcserve GetBackupPolicy Information Disclosure

Severity: MEDIUM

Description:

This signature detects attempts to exploit a vulnerability in Arcserve Unified Data Protection Management Service. This can lead to information disclosure.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141421, idp-5.1.110151004, isg-3.5.141455, idp-5.1.110151117

References:

HTTP:SQL:INJ:REQ-VAR-4 - HTTP: SQL Injection Detected on HTTP Request Variable 4

Severity: MEDIUM

Description:

This signature detects specific characters, typically used in SQL procedures, within an HTTP connection. Because these characters are not normally used in HTTP, this can indicate a SQL injection attack through a procedure. However, it can be a false positive. To reduce False Positives, it is strongly recommended that these signatures only be used to inspect traffic from the Internet to your organization's web servers that use SQL backend databases to generate content and not to inspect traffic going from your organization to the Internet.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141421, idp-5.1.110151004, isg-3.5.141455, idp-5.1.110151117

References:

HTTP:PHP:SEARCHBLOX-REQ-ID - HTTP: SearchBlox Request Remote Information Disclosure

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against SearchBlox. A successful attack can lead to information disclosure.

Supported On:

References:

cve: CVE-2015-0969
bugtraq: 74059

HTTP:SQL:INJ:MANAGENGINE-OPMANG - HTTP: ManageEngine OpManager SubmitQuery IntegrationUser SQL Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known SQL Injection vulnerability in ManageEngine OpManager. It is due to insufficient validation of user-supplied input. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

Supported On:

References:

cve: CVE-2015-7766

APP:NOVELL:PREBOOT-POLICY-BO - APP: Novell ZENworks Configuration Management Preboot Policy Service Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Novell. A successful exploit can lead to buffer overflow and remote code execution.

Supported On:

References:

cve: CVE-2015-0786

HTTP:STC:ACTIVEX:PANASONIC-API - HTTP: Panasonic Security API SDK Unsafe ActiveX Control

Severity: HIGH

Description:

This signature detects attempts to use unsafe ActiveX controls in Panasonic Security API SDK. An attacker can create a malicious Web site containing Web pages with dangerous ActiveX controls, which if accessed by a victim, allows the attacker to gain control of the victim's client application.

Supported On:

DI-Client, DI-Worm, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141421, idp-5.1.110151004, isg-3.5.141455, idp-5.1.110151117

References:

HTTP:SQL:INJ:MANAGENGINE-RUNQRY - HTTP: ManageEngine EventLog Analyzer runQuery guest user SQL Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a known SQL Injection vulnerability in ManageEngine EventLog Analyzer. It is due to insufficient validation of user-supplied input. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

Supported On:

References:

cve: CVE-2015-7387

HTTP:SCRIPT-INJ-EXP-60 - HTTP:SCRIPT-INJ Infection-60

Severity: MEDIUM

Description:

This signature detects an attempt to download exploits from malicious exploit kits that may compromise a computer through various vendor vulnerabilities. Exploit kits are very specific type of toolkits which are being used by cybercriminals to deliver other pieces of malware.

Supported On:

HTTP:STC:IE:CVE-2015-6071-CE - HTTP: Microsoft Internet Explorer CVE-2015-6071 Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Internet Explorer. A successful attack can lead to arbitrary code execution.

Update Details

Update #2595 (12/22/2015)

Details of the signatures included within this bulletin:

APP:MISC:ARCSERVE-GETBACKUP - APP: Arcserve GetBackupPolicy Information Disclosure

Severity: MEDIUM

Description:

Supported On:

References:

HTTP:SQL:INJ:REQ-VAR-4 - HTTP: SQL Injection Detected on HTTP Request Variable 4

Severity: MEDIUM

Description:

Supported On:

References:

HTTP:PHP:SEARCHBLOX-REQ-ID - HTTP: SearchBlox Request Remote Information Disclosure

Severity: MEDIUM

Description:

Supported On:

References:

HTTP:SQL:INJ:MANAGENGINE-OPMANG - HTTP: ManageEngine OpManager SubmitQuery IntegrationUser SQL Code Execution

Severity: HIGH

Description:

Supported On:

References:

APP:NOVELL:PREBOOT-POLICY-BO - APP: Novell ZENworks Configuration Management Preboot Policy Service Buffer Overflow

Severity: HIGH

Description:

Supported On:

References:

HTTP:STC:ACTIVEX:PANASONIC-API - HTTP: Panasonic Security API SDK Unsafe ActiveX Control

Severity: HIGH

Description:

Supported On:

References:

HTTP:SQL:INJ:MANAGENGINE-RUNQRY - HTTP: ManageEngine EventLog Analyzer runQuery guest user SQL Injection

Severity: HIGH

Description:

Supported On:

References:

HTTP:SCRIPT-INJ-EXP-60 - HTTP:SCRIPT-INJ Infection-60

Severity: MEDIUM

Description:

Supported On:

HTTP:STC:IE:CVE-2015-6071-CE - HTTP: Microsoft Internet Explorer CVE-2015-6071 Remote Code Execution

Severity: HIGH

Description:

Supported On:

References:

HTTP:STC:DL:EICAR - HTTP: EICAR Antivirus Test File Download

Severity: MEDIUM

Description:

Supported On:

References: