Solved

IPS / IDS signatures to detect Apache Struts Zero-day vulnerability

Posted on 2014-04-28
4
923 Views
Last Modified: 2014-05-03
Anyone know if TrendMicro (or any other IPS like HP IPS) has
released signatures to detect the following & where can I
download them (for TrendMicro & HP Tippg Pt) :

http://struts.apache.org/announce.html#a20140424
http://struts.apache.org/release/2.3.x/docs/s2-021.html
0
Comment
Question by:sunhux
  • 2
  • 2
4 Comments
 

Author Comment

by:sunhux
ID: 40026878
A new Zero-day vulnerability was discovered on Saturday, 26 April for Internet Explorer
 (IE) version 6 to 11:

Let me know if the same signature or separate signature is needed to detect
for the above IE's vulnerability.  I'll open a new thread in EE for the above as well
0
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 40028646
Sourcefire release rule , pse see under here for "Apache Struts"
You can refer to this Apache Struts vulnerability info
0
 

Author Comment

by:sunhux
ID: 40028836
Any signature specifically for HP Tipping Point IPS and
TrendMicro's Officescan AV ?
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40028858
Tippingpoint did not stated any but since snort rule is out, they should not be far behind, further they included in their blog which they reported to Struts2 team and best to get official HP support advices
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Struts2-zero-day-in-the-wild/ba-p/6457502#.U19FFlWSyno

We notified Struts2 team of the zero day being publicly disclosed and showed them the mitigation we were proposing before writing this blog post. Until the Struts2 team releases the fix, please update your excludeParams regular expression to include the following regex for the opening square bracket and capital 'C' cases

TrendMicro mentioned Deep Security and not specific to AV though they will detect the backdoor deployed after exploitation
http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-underground-creates-tool-exploiting-apache-struts-vulnerability/

We provide a variety of solutions against these threats. Users of Deep Security have various rules which help block Struts exploits and drop the related malicious packets. In addition, we detect the backdoors planted on affected sites as HKTL_ACTREDIR and JS_SPRAT.SM.
The hash values of the hacking tool sample are as follows:

MD5: 4674D39C5DD6D96DFB9FF1CF1388CE69
SHA1: 9C6D1700CF4A503993F2292CB5A254E4494F5240
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question