2890 Views, 0 Helpful, 10 Replies

Signature 41846/1 matches on Adobe Site

dmcalbosa88
Level 1

Hi, today I've been noticing that a new signature 41846/1 started matching on differents IPs belonging to

Adobe Systems Inc.  or ThePlanet.com Internet Services, Inc.

Here I post some event detected by the IPS:

Severity | Date       | Time     | Sig. Name                           | Sig. ID | Attacker IP | Victim IP      | Victim Port | Threat Rating | Risk Rating
High     | 02/15/2012 | 08:56:26 | Generic Cross Site Scripting Attack | 41846/1 | 1.2.3.4     | 66.235.132.152 | 80          | 60            | 95
High     | 02/15/2012 | 08:56:27 | Generic Cross Site Scripting Attack | 41846/1 | 1.2.3.4     | 66.235.134.160 | 80          | 60            | 95
High     | 02/15/2012 | 08:56:27 | Generic Cross Site Scripting Attack | 41846/1 | 1.2.3.4     | 66.235.139.121 | 80          | 60            | 95
High     | 02/15/2012 | 09:00:38 | Generic Cross Site Scripting Attack | 41846/1 | 1.2.3.4     | 66.235.132.152 | 80          | 60            | 95
High     | 02/15/2012 | 09:00:38 | Generic Cross Site Scripting Attack | 41846/1 | 1.2.3.4     | 66.235.134.160 | 80          | 60            | 95

The attacker IP "1.2.3.4" would be the proxy's IP.

Analyzing the proxy's log, I've seen that a lot of different computers from my network are trying to reach Adobe's sites to download a new version or update, i.e.:

GET http://swupmf.adobe.com/manifest/50/win/AdobeUpdater.upd HTTP/1.1

GET http://armmf.adobe.com/arm-manifests/win/Reader9Manifest.msi HTTP/1.1

GET http://armdl.adobe.com/pub/adobe/reader/win/9.x/9.5.0/es_ES/AdbeRdr950_es_ES.exe HTTP/1.1

So my first question is why the attempt to reach Adobe's site is matching an IPS signature related to a Cross Site Scripting attempt.

As I've researched, signature 41846/1 has been released in order to attend CVE-2012-0017: "Cross-site scripting (XSS) vulnerability in inplview.aspx in Microsoft SharePoint Foundation 2010 Gold and SP1 allows remote attackers to inject arbitrary web script or HTML via JavaScript sequences in a URL, aka "XSS in inplview.aspx Vulnerability."

Then, my second question would be how Adobe's site is related to CVE-2012-0017?

Thanks.

Regards, Dana
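The triage Dana describes (matching each IPS alert against the proxy log for the same second and the same destination IP, then checking whether the only traffic behind the alert was a vendor update download) can be scripted so it scales past a handful of events. The following is an added example, not code from the thread or from Cisco; the pipe-delimited IPS export, the proxy log format, the client addresses, the fourth event, and the update-host allowlist are all constructed assumptions, with the IP addresses and URLs taken from the post above.

```python
"""
Triage helper (added example): correlate IPS alerts for a signature with
proxy log requests from the same second to the same destination IP, and
flag alerts whose only matching traffic went to known software-update
hosts as likely false positives. Everything below is constructed sample
data; real IPS exports and proxy logs need their own parsers.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Vendor update hosts seen in the poster's proxy log. The allowlist itself is
# an assumption: build it from update traffic you have already verified.
KNOWN_UPDATE_HOSTS = {"swupmf.adobe.com", "armmf.adobe.com", "armdl.adobe.com"}

# Constructed IPS events, pipe-delimited in the column order of the table:
# severity|date|time|sig name|sig id|attacker|victim|victim port|threat|risk
IPS_EVENTS = """\
High|02/15/2012|08:56:26|Generic Cross Site Scripting Attack|41846/1|1.2.3.4|66.235.132.152|80|60|95
High|02/15/2012|08:56:27|Generic Cross Site Scripting Attack|41846/1|1.2.3.4|66.235.134.160|80|60|95
High|02/15/2012|08:56:27|Generic Cross Site Scripting Attack|41846/1|1.2.3.4|66.235.139.121|80|60|95
High|02/15/2012|09:00:38|Generic Cross Site Scripting Attack|41846/1|1.2.3.4|66.235.132.152|80|60|95
"""

# Constructed proxy log: date time client dest_ip method url protocol.
# The third event has no proxy line; the fourth went to a non-update host.
PROXY_LOG = """\
2012-02-15 08:56:26 10.1.1.25 66.235.132.152 GET http://swupmf.adobe.com/manifest/50/win/AdobeUpdater.upd HTTP/1.1
2012-02-15 08:56:27 10.1.1.40 66.235.134.160 GET http://armmf.adobe.com/arm-manifests/win/Reader9Manifest.msi HTTP/1.1
2012-02-15 09:00:38 10.1.1.25 66.235.132.152 GET http://cdn.example.test/banner.js HTTP/1.1
"""


@dataclass
class IpsEvent:
    when: datetime
    sig_id: str
    attacker: str
    victim: str
    victim_port: int


@dataclass
class ProxyRequest:
    when: datetime
    client: str
    dest_ip: str
    method: str
    url: str


def parse_ips_line(line: str) -> IpsEvent:
    """Parse one pipe-delimited IPS event; extra columns are ignored."""
    _sev, date, time, _name, sig, atk, vic, port, _threat, _risk = line.split("|")
    when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
    return IpsEvent(when, sig, atk, vic, int(port))


def parse_proxy_line(line: str) -> ProxyRequest:
    """Parse one constructed proxy log line (assumed whitespace-separated)."""
    date, time, client, dest, method, url, _proto = line.split()
    when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ProxyRequest(when, client, dest, method, url)


def triage(ips_text: str, proxy_text: str, update_hosts=KNOWN_UPDATE_HOSTS):
    """Return (event, verdict, matched_urls) for every IPS event.

    Verdicts: 'likely_false_positive' when every proxy request matching the
    alert's victim IP and timestamp targets an allowlisted update host,
    'needs_review' when any matching request goes elsewhere, and
    'no_proxy_match' when the proxy saw nothing for that second and IP.
    """
    by_key = defaultdict(list)
    for line in proxy_text.splitlines():
        if line.strip():
            req = parse_proxy_line(line)
            by_key[(req.dest_ip, req.when)].append(req)

    results = []
    for line in ips_text.splitlines():
        if not line.strip():
            continue
        ev = parse_ips_line(line)
        matched = by_key.get((ev.victim, ev.when), [])
        if not matched:
            verdict = "no_proxy_match"
        elif all(urlparse(r.url).hostname in update_hosts for r in matched):
            verdict = "likely_false_positive"
        else:
            verdict = "needs_review"
        results.append((ev, verdict, [r.url for r in matched]))
    return results


def summarize(results) -> dict:
    """Count verdicts so a noisy signature can be judged at a glance."""
    counts = defaultdict(int)
    for _ev, verdict, _urls in results:
        counts[verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    res = triage(IPS_EVENTS, PROXY_LOG)
    for ev, verdict, urls in res:
        print(f"{ev.when} {ev.sig_id} {ev.attacker}->{ev.victim}:{ev.victim_port} {verdict}")
        for u in urls:
            print("    ", u)
    print(summarize(res))
```

The key is deliberately (destination IP, exact second) rather than the host name, because the IPS only reports the victim address; if your proxy timestamps are not second-aligned with the sensor, widen the window before trusting the "no_proxy_match" bucket. A high share of "likely_false_positive" verdicts across many internal clients is the pattern that justifies retiring or tuning the signature rather than investigating each alert.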

Accepted Solution

JonPBerbee
Level 1

Hi Dana,

You and I must have been posting at the same time. We noticed an issue with this signature on one of our sensors this morning after S625 was applied. The "attacker" addresses are all internal and the "target" addresses are all over the board, some internal and some external. I had to disable this because it was triggering so often, 128 times in the last hour alone. Hopefully the Cisco folks can take a look at this and release an update soon.


10 Replies


You're right, we have the same (or similar) issue.

I haven't disabled it yet, because the signature is just dropping the packets (because of the configuration we have).

Anyway, I do want to know if this is a false positive or not.

In case it keeps matching a lot of events, I will probably disable it.

I am seeing it too, across many sites though, not just Adobe. I had to disable it because it was firing too much. I am treating it as a false positive by a bad signature.

Thanks, Jason, for your post.

In my case, there are some peak hours in which this signature fires, so I think I'll monitor it a couple hours more, and if it keeps on firing I'll just have to disable it.

FrankieDN
Level 1

Seeing it too:

sig_id=41846

Sig_name=Generic Cross Site Scripting Attack

Sig_version=s625

Most of the "victim" IPs are to Adobe Systems.

We are looking into this issue. The signature will be updated asap.

sholiday666
Level 1

Same thing happened to us, but it was reporting the victim as an IP address belonging to Webtrendslive.com

Interestingly, this coincided with us going from promiscuous mode to inline mode. When we did switch to inline mode it started blocking these packets (and I also had block attacker enabled), and this completely blocked Internet access for these users, about 13 out of 180. Unchecking the "Deny packet inline" and "Deny Attacker Inline" did not give these users Internet access. We eventually had to shut down the sensor so they could get back on the Internet. What a hassle.

Is there a way to have changes applied in Event Action Overrides to happen right away?  Is this normal?

As you may have noticed, the signature was updated in S626 released last night. Hopefully, that resolves the issues you were facing. If you need any further assistance, please let us know or open a TAC case.

Yes. I've noticed it.

Problem is now solved, with the signature retired.

thanks

Received signature 626, and it has resolved the Generic Cross Site Scripting Attack alerts here.

On a similar note, Adobe released the following on 15 Feb 2012:

http://www.adobe.com/support/security/bulletins/apsb12-03.html

Thanks

Frank
