
Update Details

Security Intelligence Center

Update #2894 (05/16/2017)

EOL Announcement (January 3, 2017): End-of-Life Notification for Juniper Networks IDP/AppID Signature Releases on EOL products. Please see TSB17019 for more information.

8 new signatures:

HIGH    SMB:EMARALDTHREAD - SMB: Shadow Brokers - EMARALDTHREAD
HIGH    SMB:CVE-2008-4250-BO - SMB: Microsoft Windows Server Service RPC Request Handling Buffer Overflow
HIGH    SMB:ERRATICGOPHER - SMB: Shadow Brokers - ERRATICGOPHER
HIGH    IMAP:EMPHASISMINE - IMAP: Shadow Brokers - EMPHASISMINE
HIGH    HTTP:STC:CVE-2017-0290-RCE - HTTP: Microsoft Malware Protection Engine Remote Code Execution Vulnerability
INFO    SMB:SMBV1-REQ - SMB: SMBv1 Request Detected
HIGH    SMB:EXPLOIT:ANOMALOUS-SMB - SMB: Anomalous Behaviour In SMBv1 Protocol
HIGH    SMB:EXPLOIT:EDUCATEDSCHOLAR-RCE - SMB: EducatedScholar SMB Remote Code Execution

4 updated signatures:

HIGH    SMB:CVE-2017-0148-RCE - SMB: Microsoft Windows CVE-2017-0148 Remote Code Execution
MEDIUM  SMB:CVE-2017-0147-ID - SMB: Microsoft Windows SMB Server CVE-2017-0147 Information Disclosure
HIGH    SMB:CVE-2017-0145-RCE - SMB: Microsoft Windows CVE-2017-0145 Remote Code Execution
HIGH    SMB:CVE-2017-0146-OOB - SMB: Microsoft Windows SMB Server CVE-2017-0146 Out Of Bounds Write


Details of the signatures included within this bulletin:


SMB:EMARALDTHREAD - SMB: Shadow Brokers - EMARALDTHREAD

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Windows Print Spooler. A successful attack allows attackers to bypass security measures and execute arbitrary remote code.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.1.110110719, mx-11.4, mx-16.1, vmx-11.4, vmx-16.1, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, j-series-9.5, vsrx-15.1, idp-4.1.110110609, isg-3.5.141597, idp-5.1.110160603


SMB:CVE-2008-4250-BO - SMB: Microsoft Windows Server Service RPC Request Handling Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft Windows Server service. A successful attack can lead to a buffer overflow and arbitrary remote code execution as SYSTEM.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.1.110110719, mx-11.4, mx-16.1, vmx-11.4, vmx-16.1, isg-3.4.139899, j-series-9.5, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.0.110121210, vsrx-15.1, idp-4.1.110110609, isg-3.5.141597, idp-5.1.110160603

References:

  • cve: CVE-2008-4250

Affected Products:

  • microsoft windows_xp (sp2)
  • microsoft windows_xp (sp2:professional_x64)
  • microsoft windows_server_2003 (sp2:itanium)
  • microsoft windows_server_2008 (:x32)
  • microsoft windows_server_2008 (:x64)
  • microsoft windows_server_2008 (:itanium)
  • microsoft windows_vista (:x64)
  • microsoft windows_vista (sp1)
  • microsoft windows_server_2003 (sp1:itanium)
  • microsoft windows_xp (:professional_x64)
  • microsoft windows_server_2003 (sp2:x64)
  • microsoft windows_vista (sp1:x64)
  • microsoft windows_server_2003 (sp2)
  • microsoft windows_xp (sp3)
  • microsoft windows_server_2003 (:x64)
  • microsoft windows_server_2003 (sp1)
  • microsoft windows_2000 (sp4)

SMB:ERRATICGOPHER - SMB: Shadow Brokers - ERRATICGOPHER

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Windows. A successful attack allows attackers to bypass security measures and execute arbitrary remote code.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, vmx-11.4, idp-4.2.0, idp-5.0.0, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, vmx-16.1, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141597, idp-5.1.110160603


IMAP:EMPHASISMINE - IMAP: Shadow Brokers - EMPHASISMINE

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Windows. A successful attack can lead to arbitrary code execution.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, vmx-11.4, idp-4.2.0, idp-5.0.0, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, vmx-16.1, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141597, idp-5.1.110160603


SMB:CVE-2017-0147-ID - SMB: Microsoft Windows SMB Server CVE-2017-0147 Information Disclosure

Severity: MEDIUM

Description:

This signature detects an attempt to exploit a known vulnerability against Microsoft Windows SMB Server. A successful attack can lead to unauthorized information disclosure.

Supported On:

isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, vmx-11.4, idp-4.2.0, idp-5.0.0, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-4.1.110110719, idp-5.0.110130325, mx-11.4, isg-3.4.140032, idp-5.1.110161014, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, j-series-9.5, vsrx-15.1, idp-4.1.110110609, vmx-16.1, isg-3.5.141597, idp-5.1.110160603

References:

  • cve: CVE-2017-0147

SMB:CVE-2017-0146-OOB - SMB: Microsoft Windows SMB Server CVE-2017-0146 Out Of Bounds Write

Severity: HIGH

Description:

This signature detects an attempt to exploit an out-of-bounds write vulnerability in Microsoft Windows SMB Server. Successful exploitation could allow an attacker to execute arbitrary code in the context of the SMB Server.

Supported On:

isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, vmx-11.4, idp-4.2.0, idp-5.0.0, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, vmx-16.1, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141597, idp-5.1.110160603

References:

  • cve: CVE-2017-0146

HTTP:STC:CVE-2017-0290-RCE - HTTP: Microsoft Malware Protection Engine Remote Code Execution Vulnerability

Severity: HIGH

Description:

This signature detects an attempt to exploit a known vulnerability in the Microsoft Malware Protection Engine. The engine does not properly scan a specially crafted file, leading to memory corruption and remote code execution. The STC (server-to-client) direction indicates the signature matches the crafted file being delivered to the client over HTTP.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, vmx-11.4, idp-4.2.0, idp-5.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, vmx-16.1, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141597, idp-5.1.110160603

References:

  • cve: CVE-2017-0290

SMB:CVE-2017-0148-RCE - SMB: Microsoft Windows CVE-2017-0148 Remote Code Execution

Severity: HIGH

Description:

This signature detects an attempt to exploit a known vulnerability against Microsoft Windows. Successful exploitation of this issue may grant an attacker remote code execution.

Supported On:

isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, vmx-11.4, idp-4.2.0, idp-5.0.0, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, isg-3.4.139899, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-4.1.110110719, idp-5.0.110130325, mx-11.4, isg-3.4.140032, idp-5.1.110161014, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, vsrx-15.1, idp-4.1.110110609, vmx-16.1, isg-3.5.141597, idp-5.1.110160603

References:

  • cve: CVE-2017-0148

SMB:SMBV1-REQ - SMB: SMBv1 Request Detected

Severity: INFO

Description:

This signature detects SMBv1 requests. It is intended to be deployed with a blocking action so that SMBv1 traffic can be dropped rather than only logged.

Supported On:

isg-3.5.141652, idp-5.1.110161014, DI-Client, idp-4.1.110110719, DI-Worm, idp-4.0.0, mx-11.4, DI-Base, idp-4.1.0, mx-16.1, vmx-11.4, vmx-16.1, idp-5.0.0, idp-4.2.0, isg-3.5.0, isg-3.0.0, DI-Server, isg-3.1.135801, isg-3.4.0, idp-4.0.110090831, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, j-series-9.5, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.2.110100823, isg-3.5.141597, idp-5.1.110160603


SMB:EXPLOIT:ANOMALOUS-SMB - SMB: Anomalous Behaviour In SMBv1 Protocol

Severity: HIGH

Description:

This signature can be used to detect anomalous behaviour within the SMBv1 protocol.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.1.110110719, mx-11.4, mx-16.1, vmx-11.4, vmx-16.1, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, j-series-9.5, vsrx-15.1, idp-4.1.110110609, isg-3.5.141597, idp-5.1.110160603
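The SMB:SMBV1-REQ and SMB:EXPLOIT:ANOMALOUS-SMB signatures above are described only as "detect SMBv1 requests" and "detect anomalous behaviour within SMBv1". The following is an added example, not Juniper's signature logic or any code from this bulletin, of what those two checks look like on the wire: it strips the NetBIOS session header, tells SMBv1 (0xFF 'SMB') from SMB2/3 (0xFE 'SMB'), parses the dialect list of an SMB1 NEGOTIATE request, and flags structural inconsistencies. Which anomalies to flag (NetBIOS length, WordCount and ByteCount consistency, dialect encoding) is my assumption; the sample frames are constructed inline.

```python
"""Added example (not Juniper's signature code): classify SMB requests as
SMBv1 or SMB2/3 and flag structurally anomalous SMBv1 packets.  The anomaly
checks chosen here are assumptions, not the checks Juniper's signatures use."""
import struct

SMB1_MAGIC = b"\xffSMB"      # SMB1 protocol identifier
SMB2_MAGIC = b"\xfeSMB"      # SMB2/SMB3 protocol identifier
SMB1_HEADER_LEN = 32
SMB_COM_NEGOTIATE = 0x72
FLAGS_REPLY = 0x80           # bit 7 of the SMB1 Flags byte: set on responses


def strip_netbios(frame):
    """Remove the NetBIOS Session Service header (type 0x00 + 3-byte length)."""
    if len(frame) < 4 or frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    declared = int.from_bytes(frame[1:4], "big")
    if declared != len(frame) - 4:
        raise ValueError(f"NetBIOS length {declared} != payload {len(frame) - 4}")
    return frame[4:]


def parse_dialects(data):
    """NEGOTIATE request data: repeated (0x02, ASCII dialect, 0x00) entries."""
    dialects, i = [], 0
    while i < len(data):
        if data[i] != 0x02:
            raise ValueError(f"dialect entry at offset {i} lacks 0x02 buffer-format byte")
        end = data.find(b"\x00", i + 1)
        if end < 0:
            raise ValueError("unterminated dialect string")
        dialects.append(data[i + 1:end].decode("ascii", "replace"))
        i = end + 1
    return dialects


def classify(frame):
    """Return version, request/response flag, anomalies, and dialects (SMB1 NEGOTIATE)."""
    result = {"version": "unknown", "request": None, "anomalies": [], "dialects": []}
    try:
        smb = strip_netbios(frame)
    except ValueError as err:
        result["anomalies"].append(str(err))
        return result
    if smb[:4] == SMB2_MAGIC:
        result["version"] = "SMB2"
        return result
    if smb[:4] != SMB1_MAGIC:
        result["anomalies"].append("unknown protocol identifier")
        return result
    result["version"] = "SMB1"
    if len(smb) < SMB1_HEADER_LEN + 1:            # header plus the WordCount byte
        result["anomalies"].append("truncated SMB1 header")
        return result
    command, flags = smb[4], smb[9]
    result["request"] = not (flags & FLAGS_REPLY)
    word_count = smb[SMB1_HEADER_LEN]
    bcc_off = SMB1_HEADER_LEN + 1 + 2 * word_count   # ByteCount follows the parameter words
    if bcc_off + 2 > len(smb):
        result["anomalies"].append(f"WordCount {word_count} runs past end of packet")
        return result
    (byte_count,) = struct.unpack_from("<H", smb, bcc_off)
    data = smb[bcc_off + 2:]
    if byte_count != len(data):
        result["anomalies"].append(f"ByteCount {byte_count} != {len(data)} trailing bytes")
    if command == SMB_COM_NEGOTIATE and result["request"]:
        try:
            result["dialects"] = parse_dialects(data[:byte_count])
        except ValueError as err:
            result["anomalies"].append(str(err))
    return result


def verdict(result):
    """Policy mirroring the two signatures: drop SMBv1 requests and malformed SMBv1."""
    if result["version"] == "SMB1" and (result["request"] or result["anomalies"]):
        return "drop"
    return "pass"


def build_smb1_negotiate(dialects):
    """Constructed sample: a minimal SMB1 NEGOTIATE request inside a NetBIOS frame."""
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 4   # Command, Status
              + bytes([0x18]) + struct.pack("<H", 0xC853)               # Flags, Flags2
              + b"\x00" * 12                                            # PIDHigh, Signature, Reserved
              + struct.pack("<HHHH", 0, 0x1234, 0, 0))                  # TID, PID, UID, MID
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body        # WordCount=0, ByteCount
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed sample frames (assumptions, not captures from a real host).
SAMPLE_SMB1 = build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "NT LM 0.12"])
SAMPLE_SMB2 = b"\x00" + (64).to_bytes(3, "big") + SMB2_MAGIC + b"\x00" * 60  # bare SMB2 header
SAMPLE_BAD = SAMPLE_SMB1[:37] + struct.pack("<H", 0xFFFF) + SAMPLE_SMB1[39:]  # corrupt ByteCount

if __name__ == "__main__":
    for name, frame in [("smb1", SAMPLE_SMB1), ("smb2", SAMPLE_SMB2), ("bad", SAMPLE_BAD)]:
        r = classify(frame)
        print(name, verdict(r), r)
```

Note that verdict() drops every SMBv1 request, which is what an INFO-level "request detected" signature paired with a drop action amounts to; in an environment that still needs SMBv1 you would log instead and rely on the anomaly branch alone.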


SMB:CVE-2017-0145-RCE - SMB: Microsoft Windows CVE-2017-0145 Remote Code Execution

Severity: HIGH

Description:

This signature detects an attempt to exploit a known vulnerability against Microsoft Windows. Successful exploitation of this issue may grant an attacker remote code execution.

Supported On:

isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, vmx-11.4, idp-4.2.0, idp-5.0.0, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-4.1.110110719, idp-5.0.110130325, mx-11.4, isg-3.4.140032, idp-5.1.110161014, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, j-series-9.5, vsrx-15.1, idp-4.1.110110609, vmx-16.1, isg-3.5.141597, idp-5.1.110160603

References:

  • cve: CVE-2017-0145

SMB:EXPLOIT:EDUCATEDSCHOLAR-RCE - SMB: EducatedScholar SMB Remote Code Execution

Severity: HIGH

Description:

This signature detects anomalous behaviour within the SMBv1 protocol that indicates use of the EducatedScholar SMB remote code execution exploit.

Supported On:

isg-3.5.141652, idp-5.1.110161014, idp-4.1.110110719, mx-11.4, mx-16.1, vmx-11.4, vmx-16.1, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, j-series-9.5, vsrx-15.1, idp-4.1.110110609, isg-3.5.141597, idp-5.1.110160603

References:

  • url: https://sigdb.secteam.juniper.net//tickets/ticket/25478/
  • url: https://sigdb.secteam.juniper.net/tickets/ticket/25464/
Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.