Vulnerability false positive uptick? 32128


L2 Linker

All of a sudden we've started tripping 32128 Pidgin MSN Integer Overflow Vulnerability. It started yesterday morning. Most of the traffic is coming from live.com to a large assortment of our internal users.

I'm guessing that this is a change on Microsoft's part. Any ideas?

Message was edited by Rand Hall: I added a couple of packet captures.

Accepted Solutions

L4 Transporter

You can check our Threat Vault for more information on the Threat ID from the Support Portal.

Here's the description for the threat in our database:

Pidgin is prone to an integer overflow vulnerability while parsing certain crafted MSN protocol messages. The vulnerability is due to the lack of proper checks on the message header in the MSN protocol, leading to an exploitable overflow. An attacker could exploit the vulnerability by sending a crafted MSN response. A successful attack could lead to remote code execution with the privileges of the currently logged-in user.


Other References:

http://secunia.com/advisories/30971/

As per the advisory, this should affect only Pidgin versions earlier than 2.4.3. Please verify and open a case with Support if this is a false positive.


8 REPLIES

L4 Transporter

We've started seeing FPs from this exact same threat too

Ditto.

Has Palo Alto been seeing any reports as to this as well?

Not applicable

Hello, Where are we with this? Has this been identified as a false positive in the next threat update?

I submitted a false positive report but have not received any feedback thus far.

Hi all,

We have identified an issue with this signature and will be correcting the issue in the next content update on Feb 5th.

L1 Bithead

While awaiting the signature update, could you suggest the recommended way to deal with all of these alerts? Should I add an exception and change to allow, not alert?

Hi pwoll. I recently had a conversation with a PA Tech and what we did was simply add an exception as you stated. Although you would want to verify that this specific application is not being used on your network before doing so (in my case IM is blocked via another method).
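Before adding the exception the last reply recommends, a defender wants evidence that none of the alerted destination hosts actually runs a Pidgin build the advisory lists as affected (earlier than 2.4.3). The following Python script is an added example, not code from the thread or from Palo Alto Networks; the log layout and the host inventory are constructed and simplified, and the CSV layout is an assumption, not PAN-OS's real threat-log format.

```python
import csv
import io

THREAT_ID = "32128"        # signature discussed in the thread
FIXED_VERSION = (2, 4, 3)  # Secunia 30971: only Pidgin earlier than 2.4.3 is affected

# Constructed sample log in an assumed, simplified layout (time, src, dst, threat id, action); not the real PAN-OS format.
SAMPLE_LOG = """\
2013/01/30 09:12:01,65.55.12.10,10.1.20.15,32128,alert
2013/01/30 09:12:07,65.55.12.10,10.1.20.44,32128,alert
2013/01/30 09:13:30,65.55.12.11,10.1.20.15,32128,alert
2013/01/30 09:13:45,65.55.12.11,10.1.20.99,32128,alert
2013/01/30 09:14:02,203.0.113.9,10.1.20.80,31337,alert
"""

# Constructed sample inventory: host -> installed Pidgin version, None if not installed.
INVENTORY = {"10.1.20.15": None, "10.1.20.44": "2.4.2", "10.1.20.80": "2.10.0"}


def parse_version(text):
    """'2.4.2' -> (2, 4, 2), so releases compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True only if Pidgin is installed and older than the fixed release."""
    return version is not None and parse_version(version) < FIXED_VERSION


def triage(log_text, inventory, threat_id=THREAT_ID):
    """Map each destination host hit by threat_id to (verdict, hit count).
    investigate: host runs a Pidgin build the advisory lists as affected.
    likely-fp:   host has no affected Pidgin, so the alert cannot be a real hit.
    unknown:     host is missing from inventory; resolve before trusting an exception.
    """
    hits = {}
    for _time, _src, dst, tid, _action in csv.reader(io.StringIO(log_text)):
        if tid != threat_id:
            continue
        if dst not in inventory:
            verdict = "unknown"
        elif is_vulnerable(inventory[dst]):
            verdict = "investigate"
        else:
            verdict = "likely-fp"
        hits[dst] = (verdict, hits.get(dst, (verdict, 0))[1] + 1)
    return hits


def safe_to_except(hits):
    """Add the profile exception only when every hit host is inventoried and unaffected."""
    return bool(hits) and all(verdict == "likely-fp" for verdict, _ in hits.values())
```

Hosts reported as "unknown" or "investigate" should be resolved before the exception is committed; an "allow" exception on a profile silently hides any real hit against a still-vulnerable client.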
