Solved

IPS / IDS signatures to detect Apache Struts Zero-day vulnerability

Posted on 2014-04-28
4
941 Views
Last Modified: 2014-05-03
Anyone know if TrendMicro (or any other IPS like HP IPS) has
released signatures to detect the following & where can I
download them (for TrendMicro & HP Tippg Pt) :

http://struts.apache.org/announce.html#a20140424
http://struts.apache.org/release/2.3.x/docs/s2-021.html
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 

Author Comment

by:sunhux
ID: 40026878
A new Zero-day vulnerability was discovered on Saturday, 26 April for Internet Explorer
 (IE) version 6 to 11:

Let me know if the same signature or separate signature is needed to detect
for the above IE's vulnerability.  I'll open a new thread in EE for the above as well
0
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 40028646
Sourcefire release rule , pse see under here for "Apache Struts"
You can refer to this Apache Struts vulnerability info
0
 

Author Comment

by:sunhux
ID: 40028836
Any signature specifically for HP Tipping Point IPS and
TrendMicro's Officescan AV ?
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40028858
Tippingpoint did not stated any but since snort rule is out, they should not be far behind, further they included in their blog which they reported to Struts2 team and best to get official HP support advices
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Struts2-zero-day-in-the-wild/ba-p/6457502#.U19FFlWSyno

We notified Struts2 team of the zero day being publicly disclosed and showed them the mitigation we were proposing before writing this blog post. Until the Struts2 team releases the fix, please update your excludeParams regular expression to include the following regex for the opening square bracket and capital 'C' cases

TrendMicro mentioned Deep Security and not specific to AV though they will detect the backdoor deployed after exploitation
http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-underground-creates-tool-exploiting-apache-struts-vulnerability/

We provide a variety of solutions against these threats. Users of Deep Security have various rules which help block Struts exploits and drop the related malicious packets. In addition, we detect the backdoors planted on affected sites as HKTL_ACTREDIR and JS_SPRAT.SM.
The hash values of the hacking tool sample are as follows:

MD5: 4674D39C5DD6D96DFB9FF1CF1388CE69
SHA1: 9C6D1700CF4A503993F2292CB5A254E4494F5240
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question