[Snort-sigs] VRT Certified Rule Update

Matthew Watchinski mwatchinski at ...435...
Wed Apr 20 15:39:39 EDT 2005


VRT Certified Rule Update

Synopsis:
The Sourcefire VRT has received reliable reports that a worm is 
being developed that propagates using a vulnerability announced 
in the Microsoft Security Bulletin (MS05-021) released on 
Tuesday April 12 2005. The VRT has released a new rule to detect
possible attempts to exploit this vulnerability, which is 
associated with an extended verb request in Microsoft Exchange  
servers.

Details:
Microsoft Exchange Servers are able to use extensions to the SMTP
protocol to help communicate between Exchange servers. The
"X-Link2State" verb is used to share routing information between
Exchange servers.

A buffer overflow condition in the processing of this command may
present an attacker with the opportunity to execute code of their
choosing on an affected host.

A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 3627.

WARNING: This rule will generate false positive events on normal traffic
between Exchange servers. If these extensions are implemented in a
network where Exchange servers are used, administrators should configure
this rule as appropriate for their environment.

References:

Microsoft Security Bulletin MS05-019
http://www.microsoft.com/technet/security/Bulletin/ms05-021.mspx
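
The warning above leaves tuning to the administrator. As an added example (not part of the original advisory and not VRT code), this Python triage separates X-LINK2STATE traffic between known Exchange servers from the same verb seen to or from any other host. The server addresses, the `(src, dst, command line)` event format and the `<args>` placeholder are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the organisation's own Exchange servers (constructed addresses).
EXCHANGE_SERVERS = [ipaddress.ip_network(n)
                    for n in ("10.20.0.10/32", "10.20.0.11/32")]

VERB = "X-LINK2STATE"  # SMTP verbs are case-insensitive, so compare upper-cased


def is_exchange(addr):
    """True if addr belongs to one of the listed Exchange servers."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in EXCHANGE_SERVERS)


def triage(events):
    """Classify each SMTP command line that uses the X-LINK2STATE verb.

    events: iterable of (src_ip, dst_ip, smtp_command_line).
    Returns a list of (src_ip, dst_ip, verdict) for matching lines only.
    """
    results = []
    for src, dst, line in events:
        parts = line.strip().split(None, 1)
        verb = parts[0].upper() if parts else ""
        if verb != VERB:
            continue  # not the extended verb this advisory is about
        if is_exchange(src) and is_exchange(dst):
            # Expected routing traffic; lower priority, not proof of benign use.
            verdict = "expected"
        else:
            # The verb is meant for Exchange-to-Exchange communication only.
            verdict = "investigate"
        results.append((src, dst, verdict))
    return results


# Constructed sample events; "<args>" stands in for the verb's arguments.
SAMPLE_EVENTS = [
    ("10.20.0.10", "10.20.0.11", "X-LINK2STATE <args>"),
    ("198.51.100.7", "10.20.0.10", "x-link2state <args>"),
    ("10.20.0.11", "203.0.113.5", "X-Link2State <args>"),
    ("198.51.100.7", "10.20.0.10", "EHLO mail.example.org"),
    ("198.51.100.7", "10.20.0.10", ""),
]

if __name__ == "__main__":
    for src, dst, verdict in triage(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: {verdict}")
```

The same split can be applied to sid 3627 events themselves by feeding the alert's source and destination addresses through `is_exchange`.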




