[Snort-users] CVE-2016-3237 Rule

GPN SACC gpnsacc at ...11827...
Wed Dec 21 06:50:40 EST 2016

Is there a rule to alert for MS16-101?

From the blog entry (http://blog.talosintel.com/2016/08/ms-tuesday.html)

MS16-101 addresses two elevation of privilege vulnerabilities.
CVE-2016-3300 relates to how Windows Netlogon establishes a secure
connection to systems whose domain controller is running either Windows
Server 2012 or Windows Server 2012 R2. An attacker would require access to
a domain-joined machine that points to one of these systems in order to
leverage the vulnerability and elevate privileges on the domain-joined
machine. CVE-2016-3237 is related to Kerberos reverting to NTLM as the
default authentication protocol after improperly handling a password change
request. In order to exploit this and bypass the Kerberos authentication
mechanism, an attacker would need to launch a man-in-the-middle attack
against the traffic between a target machine and its domain controller.
All supported versions of Windows are affected for the Kerberos elevation
of privilege, while the netlogon vulnerability only affects all versions of
Windows 8.1 and Server 2012.

I searched through the snort rules 39808-39829, 39831-39844 and did not
find a rule for CVE,2016-3237.
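
The search described in the post, as an added example that is not part of the original message: it parses Snort rule text for `reference:cve,...` and `sid:` options and lists the rules that name a given CVE, optionally limited to SID ranges. The sample rules are constructed (their SID-to-CVE pairings are made up, not real Talos content), and the function names are hypothetical.

```python
import re

# Constructed sample rules for illustration only: the SID-to-CVE pairings
# below are made up and do not describe real Talos rule content.
SAMPLE_RULES = """\
alert tcp any any -> $HOME_NET 445 (msg:"CONSTRUCTED sample one"; reference:cve,2016-3300; sid:39808; rev:1;)
# alert tcp any any -> $HOME_NET 88 (msg:"CONSTRUCTED disabled sample"; reference:cve,2016-3300; sid:39831; rev:2;)
alert tcp any any -> $HOME_NET 88 (msg:"CONSTRUCTED local sample"; reference:cve,2016-3237; sid:1000001; rev:1;)
"""

# SID ranges quoted in the post.
POST_RANGES = [(39808, 39829), (39831, 39844)]

# Rule line: optional leading '#' (disabled rule), an action, a header, then (options).
RULE_RE = re.compile(r"^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\b[^(]*\((.*)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
CVE_RE = re.compile(r"\breference\s*:\s*cve\s*,\s*(\d{4}-\d+)\s*;", re.I)


def parse_rules(text):
    """Yield (sid, enabled, cves) per rule line, including commented-out rules."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line, plain comment, or a non-rule directive
        sid = SID_RE.search(m.group(3))
        if sid:
            cves = set(CVE_RE.findall(m.group(3)))
            yield int(sid.group(1)), m.group(1) is None, cves


def rules_for_cve(text, cve, sid_ranges=None):
    """Return sorted (sid, enabled) pairs whose reference options name the CVE."""
    hits = []
    for sid, enabled, cves in parse_rules(text):
        in_range = sid_ranges is None or any(lo <= sid <= hi for lo, hi in sid_ranges)
        if cve in cves and in_range:
            hits.append((sid, enabled))
    return sorted(hits)


if __name__ == "__main__":
    print(rules_for_cve(SAMPLE_RULES, "2016-3237", POST_RANGES))
    print(rules_for_cve(SAMPLE_RULES, "2016-3237"))
    print(rules_for_cve(SAMPLE_RULES, "2016-3300", POST_RANGES))
```

Searching without a SID range also catches rules outside the listed ranges, and the `enabled` flag shows whether a matching rule is commented out in the rules file.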
