Solved

IPS / IDS signatures to detect Apache Struts Zero-day vulnerability

Posted on 2014-04-28
4
958 Views
Last Modified: 2014-05-03
Anyone know if TrendMicro (or any other IPS like HP IPS) has
released signatures to detect the following & where can I
download them (for TrendMicro & HP Tippg Pt) :

http://struts.apache.org/announce.html#a20140424
http://struts.apache.org/release/2.3.x/docs/s2-021.html
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 

Author Comment

by:sunhux
ID: 40026878
A new Zero-day vulnerability was discovered on Saturday, 26 April for Internet Explorer
 (IE) version 6 to 11:

Let me know if the same signature or separate signature is needed to detect
for the above IE's vulnerability.  I'll open a new thread in EE for the above as well
0
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 40028646
Sourcefire release rule , pse see under here for "Apache Struts"
You can refer to this Apache Struts vulnerability info
0
 

Author Comment

by:sunhux
ID: 40028836
Any signature specifically for HP Tipping Point IPS and
TrendMicro's Officescan AV ?
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40028858
Tippingpoint did not stated any but since snort rule is out, they should not be far behind, further they included in their blog which they reported to Struts2 team and best to get official HP support advices
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Struts2-zero-day-in-the-wild/ba-p/6457502#.U19FFlWSyno

We notified Struts2 team of the zero day being publicly disclosed and showed them the mitigation we were proposing before writing this blog post. Until the Struts2 team releases the fix, please update your excludeParams regular expression to include the following regex for the opening square bracket and capital 'C' cases

TrendMicro mentioned Deep Security and not specific to AV though they will detect the backdoor deployed after exploitation
http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-underground-creates-tool-exploiting-apache-struts-vulnerability/

We provide a variety of solutions against these threats. Users of Deep Security have various rules which help block Struts exploits and drop the related malicious packets. In addition, we detect the backdoors planted on affected sites as HKTL_ACTREDIR and JS_SPRAT.SM.
The hash values of the hacking tool sample are as follows:

MD5: 4674D39C5DD6D96DFB9FF1CF1388CE69
SHA1: 9C6D1700CF4A503993F2292CB5A254E4494F5240
0

Featured Post

What, When and Where - Security Threats from Q1

Join Corey Nachreiner, CTO, and Marc Laliberte, Information Security Threat Analyst, on July 26th as they explore their key findings from the first quarter of 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question