- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
03-06-2015 12:06 AM
Hello all,
My customers PA-3020 detected a few Microsoft Vulnerability Threat coming from Inside ( Web server ) to Outside ( Internet ) .
We investigated the cause of this , but could not replicate the issue and finding the cause of it.
We scanned web server for malware , corrupt jpeg files but it was clean.
Detected Vulnerabilities are :
Microsoft Windows Paint JPEG Integer Overflow Vulnerability(32831)
Microsoft DirectShow JPEG Parsing Memory Corruption Vulnerability(36396)
Microsoft Windows Paint JPEG Integer Overflow Vulnerability(32831)
PA-3020 log details:
actionflags: 0x0
type: THREAT
subtype: vulnerability
config_ver: 1
time_generated: 2015/02/27 08:10:38
flags: 0x400000
proto: tcp
action: alert
cpadding: 0
threatid: Microsoft Windows Paint JPEG Integer Overflow Vulnerability(32831)
category: any
contenttype:
behavior: 0x0500000000000000000000000000000000000000000000000000000000000000
severity: critical
direction: server-to-client
actionflags: 0x0
type: THREAT
subtype: vulnerability
config_ver: 1
proto: tcp
action: alert
cpadding: 0
threatid: Microsoft DirectShow JPEG Parsing Memory Corruption Vulnerability(36396)
category: any
contenttype:
behavior: 0x0500000000000000000000000000000000000000000000000000000000000000
severity: critica l
direction: server-to-client
misc:
Could this be a false positive from PA-3020 ?
Has someone seen a similar alert on their Palo Alto firewall ?
Thank you .
Adrian
03-06-2015 01:15 AM
Hello Adrian,
It looks, the server response is matchingwith PAN firewall's signature database. The direction of the Vulnerability is showing "server-to-Client".
You may check the details of those individual threatID from: https://threatvault.paloaltonetworks.com/
A reference document for threat log direction Threat Logs Show Inverted/Reversed Direction for Source and Destination IP Addresses
Hope this helps.
Thanks
03-07-2015 04:35 AM
Also bear in mind that with server to client vulnerability signature this could be triggered by an attempt by the outside client to use the exploit to compromise the server. Thus you would not find anything on the server itself but should try to identify the client side of the transaction.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!