Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1020
  • Last Modified:

IPS / IDS signatures to detect Apache Struts Zero-day vulnerability

Anyone know if TrendMicro (or any other IPS like HP IPS) has
released signatures to detect the following & where can I
download them (for TrendMicro & HP Tippg Pt) :

http://struts.apache.org/announce.html#a20140424
http://struts.apache.org/release/2.3.x/docs/s2-021.html
0
sunhux
Asked:
sunhux
  • 2
  • 2
2 Solutions
 
sunhuxAuthor Commented:
A new Zero-day vulnerability was discovered on Saturday, 26 April for Internet Explorer
 (IE) version 6 to 11:

Let me know if the same signature or separate signature is needed to detect
for the above IE's vulnerability.  I'll open a new thread in EE for the above as well
0
 
btanExec ConsultantCommented:
Sourcefire release rule , pse see under here for "Apache Struts"
You can refer to this Apache Struts vulnerability info
0
 
sunhuxAuthor Commented:
Any signature specifically for HP Tipping Point IPS and
TrendMicro's Officescan AV ?
0
 
btanExec ConsultantCommented:
Tippingpoint did not stated any but since snort rule is out, they should not be far behind, further they included in their blog which they reported to Struts2 team and best to get official HP support advices
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Struts2-zero-day-in-the-wild/ba-p/6457502#.U19FFlWSyno

We notified Struts2 team of the zero day being publicly disclosed and showed them the mitigation we were proposing before writing this blog post. Until the Struts2 team releases the fix, please update your excludeParams regular expression to include the following regex for the opening square bracket and capital 'C' cases

TrendMicro mentioned Deep Security and not specific to AV though they will detect the backdoor deployed after exploitation
http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-underground-creates-tool-exploiting-apache-struts-vulnerability/

We provide a variety of solutions against these threats. Users of Deep Security have various rules which help block Struts exploits and drop the related malicious packets. In addition, we detect the backdoors planted on affected sites as HKTL_ACTREDIR and JS_SPRAT.SM.
The hash values of the hacking tool sample are as follows:

MD5: 4674D39C5DD6D96DFB9FF1CF1388CE69
SHA1: 9C6D1700CF4A503993F2292CB5A254E4494F5240
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now