topic Re: Vulnerability false positive uptick? 32128 in General Topics

Vulnerability false positive uptick? 32128

MCmgt — Thu, 24 Jan 2013 18:08:48 GMT

All of a sudden we've started tripping 32128 Pidgin MSN Integer Overflow Vulnerability. It started yesterday morning. Most of the traffic is coming from live.com to large assortment of our internal users.

I'm guessing that this is a change on Microsoft's part. Any ideas?

Message was edited by: Rand Hall I added a couple of packet captures.

Re: Vulnerability false positive uptick? 32128

ericgearhart — Thu, 24 Jan 2013 18:40:32 GMT

We've started seeing FPs from this exact same threat too

Re: Vulnerability false positive uptick? 32128

apasupulati — Fri, 25 Jan 2013 05:58:10 GMT

You can check our Threat Vault for more information on the Threat ID from the Support Portal.

Here's the description for the threat in our database:

Pidgin is prone to a integer overflow vulnerability while parsing certain crafted MSN protocol messages.The vulnerability is due to the lack of proper checks on message header in the MSN protocol , leading to an exploitable overflow. An attacker could exploit the vulnerability by sending a crafted MSN response. A successful attack could lead to remote code execution with the privileges of the current logged-in user.

Other References:

http://secunia.com/advisories/30971/

As per the advisory, this should affect only Pidgin versions earlier to 2.4.3. Please verify and open a case with Support if this is a false positive.

Re: Vulnerability false positive uptick? 32128

dciccone — Mon, 28 Jan 2013 15:40:37 GMT

Ditto.

Has Palo Alto been seeing any reports as to this as well?

Re: Vulnerability false positive uptick? 32128

yurilychacz — Mon, 28 Jan 2013 17:33:58 GMT

Hello, Where are we with this? Has this been identified as a false positive in the next threat update?

Re: Vulnerability false positive uptick? 32128

MCmgt — Mon, 28 Jan 2013 17:38:01 GMT

I submitted a false positive report but have not received any feedback thus far.

Re: Vulnerability false positive uptick? 32128

tettema — Mon, 28 Jan 2013 19:14:08 GMT

Hi all,

We have identified an issue with this signature and will be correcting the issue in the next content update on Feb 5th.

Re: Vulnerability false positive uptick? 32128

pwoll — Mon, 28 Jan 2013 20:57:39 GMT

While awaiting the signature update, could you suggest the recommended way to deal with all of these alerts? Should I add an exception and change to allow, not alert?

Re: Vulnerability false positive uptick? 32128

dciccone — Mon, 28 Jan 2013 21:01:23 GMT

Hi pwoll. I recently had a conversation with a PA Tech and what we did was simply add an exception as you stated. Although you would want to verify that this specific application is not being used on your network before doing so (in my case IM is blocked via another method).