[Snort-sigs] VRT Certified Rule Update
mwatchinski at ...435...
Wed Apr 20 15:39:39 EDT 2005
VRT Certified Rule Update
The Sourcefire VRT has received reliable reports that a worm is
being developed that propagates using a vulnerability announced
in the Microsoft Security Bulletin (MS05-021) released on
Tuesday April 12 2005. The VRT has released a new rule to detect
possible attempts to exploit this vulnerability, which is
associated with an extended verb request in Microsoft Exchange
Microsoft Exchange Servers are able to use extensions to the SMTP
protocol to help communicate between Exchange servers. The
"X-Link2State" verb is used to share routing information between
A buffer overflow condition in the processing of this command may
present an attacker with the opportunity to execute code of their
choosing on an affected host.
A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 3627.
WARNING: This rule will generate false positive events on normal traffic
between Exchange servers. If these extensions are implemented in a
network where Exchange servers are used, administrators should configure
this rule as appropriate for their environment.
Microsoft Security Bulletin MS05-019
More information about the Snort-sigs