Solved

IPS / IDS signatures to detect Apache Struts Zero-day vulnerability

Posted on 2014-04-28
4
857 Views
Last Modified: 2014-05-03
Anyone know if TrendMicro (or any other IPS like HP IPS) has
released signatures to detect the following & where can I
download them (for TrendMicro & HP Tippg Pt) :

http://struts.apache.org/announce.html#a20140424
http://struts.apache.org/release/2.3.x/docs/s2-021.html
0
Comment
Question by:sunhux
  • 2
  • 2
4 Comments
 

Author Comment

by:sunhux
ID: 40026878
A new Zero-day vulnerability was discovered on Saturday, 26 April for Internet Explorer
 (IE) version 6 to 11:

Let me know if the same signature or separate signature is needed to detect
for the above IE's vulnerability.  I'll open a new thread in EE for the above as well
0
 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 40028646
Sourcefire release rule , pse see under here for "Apache Struts"
You can refer to this Apache Struts vulnerability info
0
 

Author Comment

by:sunhux
ID: 40028836
Any signature specifically for HP Tipping Point IPS and
TrendMicro's Officescan AV ?
0
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40028858
Tippingpoint did not stated any but since snort rule is out, they should not be far behind, further they included in their blog which they reported to Struts2 team and best to get official HP support advices
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Struts2-zero-day-in-the-wild/ba-p/6457502#.U19FFlWSyno

We notified Struts2 team of the zero day being publicly disclosed and showed them the mitigation we were proposing before writing this blog post. Until the Struts2 team releases the fix, please update your excludeParams regular expression to include the following regex for the opening square bracket and capital 'C' cases

TrendMicro mentioned Deep Security and not specific to AV though they will detect the backdoor deployed after exploitation
http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-underground-creates-tool-exploiting-apache-struts-vulnerability/

We provide a variety of solutions against these threats. Users of Deep Security have various rules which help block Struts exploits and drop the related malicious packets. In addition, we detect the backdoors planted on affected sites as HKTL_ACTREDIR and JS_SPRAT.SM.
The hash values of the hacking tool sample are as follows:

MD5: 4674D39C5DD6D96DFB9FF1CF1388CE69
SHA1: 9C6D1700CF4A503993F2292CB5A254E4494F5240
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A brand new malware strain was recently discovered by security researchers at Palo Alto Networks dubbed “AceDeceiver.” This new strain of iOS malware can successfully infect non-jailbroken devices and jailbroken devices alike.
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now