01-24-2013 10:08 AM
All of a sudden we've started tripping 32128 Pidgin MSN Integer Overflow Vulnerability. It started yesterday morning. Most of the traffic is coming from live.com to large assortment of our internal users.
I'm guessing that this is a change on Microsoft's part. Any ideas?
Message was edited by: Rand Hall I added a couple of packet captures.
01-24-2013 09:58 PM
You can check our Threat Vault for more information on the Threat ID from the Support Portal.
Here's the description for the threat in our database:
Pidgin is prone to a integer overflow vulnerability while parsing certain crafted MSN protocol messages.The vulnerability is due to the lack of proper checks on message header in the MSN protocol , leading to an exploitable overflow. An attacker could exploit the vulnerability by sending a crafted MSN response. A successful attack could lead to remote code execution with the privileges of the current logged-in user.
Other References:
| http://secunia.com/advisories/30971/ |
As per the advisory, this should affect only Pidgin versions earlier to 2.4.3. Please verify and open a case with Support if this is a false positive.
01-24-2013 10:40 AM
We've started seeing FPs from this exact same threat too
01-24-2013 09:58 PM
You can check our Threat Vault for more information on the Threat ID from the Support Portal.
Here's the description for the threat in our database:
Pidgin is prone to a integer overflow vulnerability while parsing certain crafted MSN protocol messages.The vulnerability is due to the lack of proper checks on message header in the MSN protocol , leading to an exploitable overflow. An attacker could exploit the vulnerability by sending a crafted MSN response. A successful attack could lead to remote code execution with the privileges of the current logged-in user.
Other References:
| http://secunia.com/advisories/30971/ |
As per the advisory, this should affect only Pidgin versions earlier to 2.4.3. Please verify and open a case with Support if this is a false positive.
01-28-2013 07:40 AM
Ditto.
Has Palo Alto been seeing any reports as to this as well?
01-28-2013 09:33 AM
Hello, Where are we with this? Has this been identified as a false positive in the next threat update?
01-28-2013 09:38 AM
I submitted a false positive report but have not received any feedback thus far.
01-28-2013 11:14 AM
Hi all,
We have identified an issue with this signature and will be correcting the issue in the next content update on Feb 5th.
01-28-2013 12:57 PM
While awaiting the signature update, could you suggest the recommended way to deal with all of these alerts? Should I add an exception and change to allow, not alert?
01-28-2013 01:01 PM
Hi pwoll. I recently had a conversation with a PA Tech and what we did was simply add an exception as you stated. Although you would want to verify that this specific application is not being used on your network before doing so (in my case IM is blocked via another method).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
