About Microsoft Vulnerability

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

About Microsoft Vulnerability

L1 Bithead

Hello all,

My customers PA-3020 detected  a few  Microsoft Vulnerability Threat coming from Inside ( Web server ) to Outside  ( Internet ) .

We investigated the cause of this , but could not replicate the issue and finding the cause of it.

We scanned web server for malware , corrupt jpeg files but it was clean.

Detected Vulnerabilities are :


Microsoft Windows Paint JPEG Integer Overflow Vulnerability(32831)

Microsoft DirectShow JPEG Parsing Memory Corruption Vulnerability(36396)

Microsoft Windows Paint JPEG Integer Overflow Vulnerability(32831)

PA-3020 log details:

actionflags: 0x0
type: THREAT
subtype: vulnerability
config_ver: 1
time_generated: 2015/02/27 08:10:38

flags: 0x400000
proto: tcp
action: alert
cpadding: 0
threatid: Microsoft Windows Paint JPEG Integer Overflow Vulnerability(32831)
category: any
contenttype:
behavior: 0x0500000000000000000000000000000000000000000000000000000000000000
severity: critical
direction: server-to-client




actionflags: 0x0
type: THREAT
subtype: vulnerability
config_ver: 1

proto: tcp
action: alert
cpadding: 0
threatid: Microsoft DirectShow JPEG Parsing Memory Corruption Vulnerability(36396)
category: any
contenttype:
behavior: 0x0500000000000000000000000000000000000000000000000000000000000000
severity: critica l
direction: server-to-client
misc:




Could this be a false positive from PA-3020 ?

Has someone seen a similar alert  on their Palo Alto firewall ?

Thank you .

Adrian



2 REPLIES 2

L7 Applicator

Hello Adrian,

It looks, the server response is matchingwith PAN firewall's signature database. The direction of the Vulnerability is showing "server-to-Client".

You may check the details of those individual threatID from: https://threatvault.paloaltonetworks.com/

A reference document for threat log direction Threat Logs Show Inverted/Reversed Direction for Source and Destination IP Addresses

Hope this helps.

Thanks

L7 Applicator

Also bear in mind that with server to client vulnerability signature this could be triggered by an attempt by the outside client to use the exploit to compromise the server.  Thus you would not find anything on the server itself but should try to identify the client side of the transaction.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 3156 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!