[Snort-sigs] VRT Certified Rule Update

Matthew Watchinski mwatchinski at ...435...
Wed Apr 20 15:39:39 EDT 2005

VRT Certified Rule Update

The Sourcefire VRT has received reliable reports that a worm is 
being developed that propagates using a vulnerability announced 
in the Microsoft Security Bulletin (MS05-021) released on 
Tuesday, April 12, 2005. The VRT has released a new rule to detect
possible attempts to exploit this vulnerability, which is 
associated with an extended verb request in Microsoft Exchange.

Microsoft Exchange Servers are able to use extensions to the SMTP
protocol to help communicate between Exchange servers. The
"X-Link2State" verb is used to share routing information between
Exchange servers.

A buffer overflow condition in the processing of this command may
present an attacker with the opportunity to execute code of their
choosing on an affected host.

A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 3627.

WARNING: This rule will generate false positive events on normal traffic
between Exchange servers. If these extensions are implemented in a
network where Exchange servers are used, administrators should configure
this rule as appropriate for their environment.
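
One way to act on the false-positive warning above, as an added example that is not part of the original post or of the Sourcefire rule pack: triage sid 3627 alerts from Snort's fast-alert output so that traffic between known Exchange servers is separated from alerts involving any other host. The Exchange address range, the sample alert lines and the placeholder rule message are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: address range of this site's own Exchange servers (constructed).
EXCHANGE_SERVERS = [ip_network("10.1.1.0/29")]

# Snort "fast" alert line: timestamp, [gid:sid:rev], message, {proto}, src -> dst.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def is_exchange(addr):
    """True if addr belongs to one of the known Exchange server ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in EXCHANGE_SERVERS)

def triage(lines, sid=3627):
    """Split alerts for the given sid into expected server-to-server
    traffic and alerts that involve at least one non-Exchange host."""
    expected, suspicious = [], []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or int(m["gid"]) != 1 or int(m["sid"]) != sid:
            continue  # unparsable line or a different rule
        pair = (m["src"], m["dst"])
        if is_exchange(m["src"]) and is_exchange(m["dst"]):
            expected.append(pair)
        else:
            suspicious.append(pair)
    return expected, suspicious

# Constructed sample alerts; RULE-MSG stands in for the real rule message.
SAMPLE = [
    "04/20-15:39:39.100000  [**] [1:3627:1] RULE-MSG [**] [Priority: 1] {TCP} 10.1.1.2:40112 -> 10.1.1.3:25",
    "04/20-15:41:02.200000  [**] [1:3627:1] RULE-MSG [**] [Priority: 1] {TCP} 203.0.113.77:51514 -> 10.1.1.3:25",
    "04/20-15:42:10.300000  [**] [1:1000001:1] OTHER [**] [Priority: 3] {TCP} 203.0.113.77:51515 -> 10.1.1.3:25",
    "04/20-15:43:00.400000  [**] [1:3627:1] RULE-MSG [**] [Priority: 1] {TCP} 10.1.1.3:40200 -> 192.0.2.10:25",
]

if __name__ == "__main__":
    expected, suspicious = triage(SAMPLE)
    print("expected (Exchange to Exchange):", expected)
    print("investigate:", suspicious)
```

Alerts in the second list involve a host outside the Exchange range in either direction, which is the case the rule is meant to surface.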


Microsoft Security Bulletin MS05-019
