SOPHOS IPS Signature Update Release Notes

Version: 9.16.31
Release Date: 26th September 2019

Release Information

Upgrade Applicable on: IPS Signature Release Version 9.16.30

Sophos Appliance Models: CR250i, CR300i, CR500i-4P, CR500i-6P, CR500i-8P, CR500ia, CR500ia-RP, CR500ia1F, CR500ia10F, CR750ia, CR750ia1F, CR750ia10F, CR1000i-11P, CR1000i-12P, CR1000ia, CR1000ia10F, CR1500i-11P, CR1500i-12P, CR1500ia, CR1500ia10F, CR25iNG, CR25iNG-6P, CR35iNG, CR50iNG, CR100iNG, CR200iNG/XP, CR300iNG/XP, CR500iNG-XP, CR750iNG-XP, CR2500iNG, CR25wiNG, CR25wiNG-6P, CR35wiNG, CRiV1C, CRiV2C, CRiV4C, CRiV8C, CRiV12C, XG85 to XG450, SG105 to SG650

Upgrade Information

Upgrade type: Automatic

Compatibility Annotations: None

Introduction

This Release Note document for IPS Signature Database Version 9.16.31 describes the new signatures added in this release. The following sections describe the release in detail.

New IPS Signatures

The Sophos Intrusion Prevention System shields the network from known attacks by matching network traffic against the signatures in the IPS Signature Database. These signatures are developed to significantly increase detection performance and reduce false alarms.

Report false positives at [email protected], along with the application details.

September 2019 Page 2 of 15 IPS Signature Update

This IPS release includes one hundred (100) signatures addressing eighty-eight (88) vulnerabilities. New signatures are added for the following vulnerabilities:

Name | CVE-ID | Category | Severity
FILE-FLASH AVC Decoder Memory Corruption attempt | CVE-2016-4275 | Multimedia | 1
FILE-FLASH Adobe Flash ContextMenu Clone memory corruption vulnerability attempt | CVE-2016-4284 | Multimedia | 1
FILE-FLASH Adobe Flash CVE-2016-0997 Remote Code Execution Vulnerability | CVE-2016-0997 | Multimedia | 2
FILE-FLASH Adobe Flash malformed FLV heap overflow attempt | CVE-2017-2986 | Multimedia | 1
FILE-FLASH Adobe Flash Player ActionPush out of bounds read attempt | CVE-2017-3060 | Multimedia | 1
FILE-FLASH Adobe Flash Player BitmapData object out of bounds access attempt | CVE-2017-3079 | Multimedia | 1
FILE-FLASH Adobe Flash Player CVE-2016-4273 Malformed ActionConstantPool Memory Corruption | - | Multimedia | 1
FILE-FLASH Adobe Flash Player CVE-2018-15982 Arbitrary Code Injection Vulnerability | CVE-2018-15982 | Multimedia | 2
FILE-FLASH Adobe Flash Player determinePreferredLocales out of bounds memory read attempt | CVE-2017-3082 | Multimedia | 1
FILE-FLASH Adobe Flash Player display list structure memory corruption attempt | CVE-2017-2930 | Multimedia | 1
FILE-FLASH Adobe Flash Player FrameLabel memory corruption attempt | CVE-2016-6986 | Multimedia | 1
FILE-FLASH Adobe Flash Player invalid FLV header out of bounds write attempt | CVE-2016-1001 | Multimedia | 1
FILE-FLASH Adobe Flash Player malformed VideoFrame memory corruption attempt | CVE-2016-4274 | Multimedia | 1
FILE-FLASH Adobe Flash Player memory corruption attempt | CVE-2017-3099 | Multimedia | 1
FILE-FLASH Adobe Flash Player MPEG-4 AVC decoding out of bounds read attempt | CVE-2017-3076 | Multimedia | 1
FILE-FLASH Adobe Flash Player out-of-bounds read attempt | CVE-2019-7108 | Multimedia | 2
FILE-FLASH Adobe Flash Player tvsdk object use after free attempt | CVE-2017-11225 | Multimedia | 1
FILE-FLASH Adobe Flash Player use after free attempt | CVE-2019-7837 | Multimedia | 2
FILE-FLASH Adobe Standalone Flash Player AS3 Primetime timeline ShimContentResolver out of bounds read attempt | CVE-2016-6983 | Multimedia | 1
FILE-IDENTIFY ZSoft PCX file download request | - | Application and Software | 4
FILE-IMAGE Pro CVE-2017-16381 SampleFormat heap overflow attempt | CVE-2017-16381 | Multimedia | 2
FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values memory corruption attempt | CVE-2017-16382 | Multimedia | 2
FILE-MULTIMEDIA Adobe Acrobat ImageConversion EMF Integer Overflow | CVE-2017-11308 | Multimedia | 4
FILE-MULTIMEDIA Adobe Flash Player MP4 stsz atom memory corruption attempt | CVE-2017-2926 | Multimedia | 1
FILE-OFFICE LibreOffice LibreLogo Arbitrary Code Execution | CVE-2019-9848 | Office Tools | 1
FILE-OTHER Adobe Acrobat CVE-2017-16395 EMF conversion heap buffer overflow attempt | CVE-2014-0529 | Application and Software | 2
FILE-OTHER Adobe Acrobat CVE-2017-16407 ImageConversion EMF BMP Out of Bounds Read II | CVE-2017-16407 | Application and Software | 1
FILE-OTHER Adobe Acrobat CVE-2017-16407 ImageConversion EMF BMP Out of Bounds Read | CVE-2017-16407 | Application and Software | 1
FILE-OTHER Adobe Acrobat EMFPlus out of bounds buffer overflow attempt | CVE-2017-16404 | Application and Software | 1
FILE-OTHER Adobe Acrobat out-of-bounds read attempt | CVE-2019-7122 | Application and Software | 2
FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt | CVE-2018-4879 | Application and Software | 2
FILE-OTHER Adobe Acrobat Pro EMF out of bounds write attempt | CVE-2018-4895 | Application and Software | 1
FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt | CVE-2018-4984 | Application and Software | 1
FILE-OTHER Adobe Acrobat Pro WebCapture out of bounds read attempt | CVE-2017-16411 | Application and Software | 2
FILE-OTHER Adobe Acrobat Reader CVE-2019-7125 Arbitrary Code Execution | CVE-2019-7125 | Application and Software | 2
FILE-OTHER Adobe Acrobat Reader JP2 CVE-2018-4990 Double Free Code Execution | CVE-2018-4990 | Application and Software | 2
FILE-OTHER Adobe Flash Player CVE-2016-0967 Unsupported Video Encoding Remote Code Execution | CVE-2016-0967 | Application and Software | 2
FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt | CVE-2017-2984 | Application and Software | 1
FILE-OTHER Adobe Reader CVE-2019-7818 Out Of Bounds Read | CVE-2019-7818 | Application and Software | 2
FILE-PDF Adobe Acrobat and Reader CVE-2017-16374 JPEG2000 Parsing Out of Bounds Read | CVE-2017-16374 | Application and Software | 4
FILE-PDF Adobe Acrobat EMF BMP Heap Buffer Overflow | CVE-2018-12788 | Application and Software | 1
FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt | CVE-2017-3033 | Application and Software | 2
FILE-PDF Adobe Acrobat Reader CVE-2018-4948 Heap Overflow Attempt | CVE-2018-4948 | Application and Software | 2
FILE-PDF Adobe Acrobat Reader CVE-2019-7113 PDF Heap Overflow | CVE-2019-7113 | Application and Software | 2
FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt | CVE-2017-3037 | Application and Software | 1
FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt | CVE-2017-11219 | Application and Software | 2
FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt | CVE-2017-16362 | Application and Software | 2
FILE-PDF Adobe Reader CVE-2018-5036 Heap Overflow | CVE-2018-5036 | Application and Software | 2
FILE-PDF Adobe Reader CVE-2018-5037 Heap Overflow | CVE-2018-5037 | Application and Software | 2
FILE-PDF Adobe Reader CVE-2018-5041 Heap Overflow | CVE-2018-5041 | Application and Software | 2
FILE-PDF Adobe Reader CVE-2018-5045 Overflow | CVE-2018-5045 | Application and Software | 2
FILE-PDF Adobe Reader CVE-2019-7822 Out Of Bounds Read | CVE-2019-7822 | Application and Software | 4
FILE-PDF Adobe Reader JavaScript recursive calls memory corruption attempt | CVE-2016-6970 | Application and Software | 1
OS-SOLARIS Oracle Solaris LPD overflow attempt | CVE-2001-1583 | Operating System and Services | 1
OS-WINDOWS Microsoft Windows DHCP Client CVE-2019-0547 Code Execution | CVE-2019-0547 | Operating System and Services | 2
SERVER-APACHE Apache CouchDB CVE-2017-12635 JSON Remote Privilege Escalation | CVE-2017-12635 | Apache HTTP Server | 2
SERVER-APACHE Apache httpd mod_remoteip Buffer Overflow | CVE-2019-10097 | Apache HTTP Server | 1
SERVER-APACHE Apache Solr xmlparser external doctype or entity expansion attempt | CVE-2017-12629 | Apache HTTP Server | 2
SERVER-APACHE Apache Struts 2 namespace Expression Language Injection CVE-2018-11776 | CVE-2018-11776 | Apache HTTP Server | 2
SERVER-APACHE Apache Struts 2 Struts 1 Plugin Remote Code Execution | CVE-2017-9791 | Apache HTTP Server | 2
SERVER-APACHE Apache Subversion svn-ssh URL Command Execution | CVE-2017-9800 | Apache HTTP Server | 1
SERVER-APACHE Apache Tomcat HTTP2 Connection Window Exhaustion Denial Of Service | CVE-2019-10072 | Apache HTTP Server | 2
SERVER-APACHE httpd mod_mime content-type buffer overflow attempt | CVE-2017-7679 | Apache HTTP Server | 1
SERVER-ORACLE Oracle GoldenGate Manager Command Tab Parsing Denial of Service | CVE-2018-2912 | Database Management System | 1
SERVER-ORACLE Oracle Solaris RPC CVE-2017-3623 Heap Buffer Overflow | CVE-2017-3623 | Database Management System | 2
SERVER-OTHER HPE Data Protector EXEC_BAR domain Buffer Overflow | CVE-2016-2006 | Other Web Server | 1
SERVER-OTHER HPE Data Protector EXEC_BAR username Buffer Overflow | CVE-2016-2005 | Other Web Server | 1
SERVER-OTHER IBM Informix Dynamic Server index.php testconn Heap Buffer Overflow | CVE-2017-1092 | Other Web Server | 3
SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt | CVE-2015-8520 | Other Web Server | 1
SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt | CVE-2015-8521 | Other Web Server | 1
SERVER-OTHER IBM WebSphere Application Server Commons-Collections Library Remote Code Execution | CVE-2015-7450 | Other Web Server | 1
SERVER-OTHER Microsoft Windows DHCP Server Failover Remote Code Execution | CVE-2019-0785 | Other Web Server | 4
SERVER-OTHER Microsoft Windows DHCP Server Remote Code Execution | CVE-2019-0725 | Other Web Server | 4
SERVER-WEBAPP Adobe ColdFusion CFFILE Upload Action Unrestricted File Upload | CVE-2019-7838 | Web Services and Applications | 2
SERVER-WEBAPP HPE Intelligent Management Center dbman Opcode 10003 Filename Denial of Service | CVE-2019-5355 | Web Services and Applications | 1
SERVER-WEBAPP HPE Intelligent Management Center getSelInsBean Expression Language Injection | CVE-2017-12490 | Web Services and Applications | 2
SERVER-WEBAPP HPE Intelligent Management Center IctTableExportToCSVBean Expression Language Injection | CVE-2019-5370 | Web Services and Applications | 1
SERVER-WEBAPP HPE Intelligent Management Center PlatNavigationToBean URL Expression Language Injection | CVE-2019-5387 | Web Services and Applications | 1
SERVER-WEBAPP HP IMC guiDataDetail Java expression language injection attempt | CVE-2017-12523 | Web Services and Applications | 1
SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt | CVE-2017-12510 | Web Services and Applications | 1
SERVER-WEBAPP HP IMC wmiConfigContent Java expression language injection attempt | CVE-2017-12526 | Web Services and Applications | 1
SERVER-WEBAPP IBM OpenAdmin Tool SOAP welcomeService.php PHP code injection attempt | CVE-2017-1092 | Web Services and Applications | 1
SERVER-WEBAPP Joomla component Article Factory Manager SQL injection attempt | CVE-2018-17380 | Web Services and Applications | 2
SERVER-WEBAPP Joomla component Timetable Schedule 3.6.8 SQL injection attempt | CVE-2018-17394 | Web Services and Applications | 2
SERVER-WEBAPP Oracle Identity Manager CVE-2017-10151 Default Credentials II | CVE-2017-10151 | Web Services and Applications | 3
SERVER-WEBAPP Oracle Weblogic CVE-2019-2647 ForeignRecoveryContext External Entity Injection | CVE-2019-2647 | Web Services and Applications | 1
SERVER-WEBAPP Oracle Weblogic WsrmSequenceContext External Entity Injection | CVE-2019-2650 | Web Services and Applications | 2
SERVER-WEBAPP Oracle Weblogic WsrmServerPayloadContext External Entity Injection | CVE-2019-2648 | Web Services and Applications | 2


- Name: Name of the signature

- CVE-ID: CVE Identification Number. Common Vulnerabilities and Exposures (CVE) provides reference identifiers for publicly known information security vulnerabilities.

- Category: Class type according to threat

- Severity: Degree of severity. The severity levels are described in the table below:

Severity Level | Severity Criteria
1 | Low
2 | Moderate
3 | High
4 | Critical


Important Notice

Sophos Technologies Pvt. Ltd. has supplied this information believing it to be accurate and reliable at the time of printing, but it is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Sophos Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Sophos Technologies Pvt. Ltd. reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.

RESTRICTED RIGHTS

©1997 - 2019 Sophos Ltd. All rights reserved. Sophos and the Sophos logo are trademarks of Sophos Technologies Pvt. Ltd.

Corporate Headquarters

Sophos Technologies Pvt. Ltd.
Reg. Office: Sophos House, Saigulshan Complex, Beside White House, Panchvati Cross Road, Ahmedabad – 380006, INDIA
Phone: +91-79-66216666
Fax: +91-79-26407640
Web site: www.sophos.com
