This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

About Microsoft Vulnerability

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

About Microsoft Vulnerability

AdiAINS1982
L1 Bithead

‎03-06-2015 12:06 AM

Hello all,

My customers PA-3020 detected  a few  Microsoft Vulnerability Threat coming from Inside ( Web server ) to Outside  ( Internet ) .

We investigated the cause of this , but could not replicate the issue and finding the cause of it.

We scanned web server for malware , corrupt jpeg files but it was clean.

Detected Vulnerabilities are :


Microsoft Windows Paint JPEG Integer Overflow Vulnerability(32831)

Microsoft DirectShow JPEG Parsing Memory Corruption Vulnerability(36396)

Microsoft Windows Paint JPEG Integer Overflow Vulnerability(32831)

PA-3020 log details:

actionflags: 0x0
type: THREAT
subtype: vulnerability
config_ver: 1
time_generated: 2015/02/27 08:10:38

flags: 0x400000
proto: tcp
action: alert
cpadding: 0
threatid: Microsoft Windows Paint JPEG Integer Overflow Vulnerability(32831)
category: any
contenttype:
behavior: 0x0500000000000000000000000000000000000000000000000000000000000000
severity: critical
direction: server-to-client




actionflags: 0x0
type: THREAT
subtype: vulnerability
config_ver: 1

proto: tcp
action: alert
cpadding: 0
threatid: Microsoft DirectShow JPEG Parsing Memory Corruption Vulnerability(36396)
category: any
contenttype:
behavior: 0x0500000000000000000000000000000000000000000000000000000000000000
severity: critica l
direction: server-to-client
misc:




Could this be a false positive from PA-3020 ?

Has someone seen a similar alert  on their Palo Alto firewall ?

Thank you .

Adrian



0 Likes Likes
2 REPLIES 2

HULK
L7 Applicator

‎03-06-2015 01:15 AM

Hello Adrian,

It looks, the server response is matchingwith PAN firewall's signature database. The direction of the Vulnerability is showing "server-to-Client".

You may check the details of those individual threatID from: https://threatvault.paloaltonetworks.com/

A reference document for threat log direction Threat Logs Show Inverted/Reversed Direction for Source and Destination IP Addresses

Hope this helps.

Thanks

pulukas
L7 Applicator

‎03-07-2015 04:35 AM

Also bear in mind that with server to client vulnerability signature this could be triggered by an attempt by the outside client to use the exploit to compromise the server.  Thus you would not find anything on the server itself but should try to identify the client side of the transaction.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes
  • 3114 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks