topic Re: Sig. 35646-0 SMB Transaction Parsing Vulnerability in Network Security

Sig. 35646-0 SMB Transaction Parsing Vulnerability

deeznuts420 — Sun, 10 Mar 2019 12:34:47 GMT

Hello all, I searched on this one and didn't get any hits so here it goes. I began receiving a flood of warnings from my IPS saying that signature 35646-0 was being triggered. All of the attackers and victims are internal and they all revolve around our internal websites and developers who work on them. All the servers and workstations are coming up clean on AV scans and I don't see any other examples of this signature being triggered. Does anyone have any experience with this particular signature/threat, or any ideas on how I can determine if it's hopefully just a false-positive and not infected machines? Thanks all.

-Adam

Sig. 35646-0 SMB Transaction Parsing Vulnerability

Damian Coverly — Tue, 10 Jan 2012 16:29:19 GMT

Hi Adam,

I have the same issue however, I've narrowed mine down to synchronization software I'm using between a server at my DC and my local network. When I turn the sync app off the alerts stop. I've been running this process for years so this alert came out of the blue and I thought it was an attack at first.

When did yours start? Mine started on Friday afternoon so I'm assuming it is something to do with a signature update pushed out then.

Could anyone else shed any light on this?

Regards, Damian.

Sig. 35646-0 SMB Transaction Parsing Vulnerability

rhermes — Tue, 10 Jan 2012 18:36:50 GMT

If you know what signature pack was applied on that Friday, you can look in the release notes to see if that signature has been added (new signatures are usually the noisiest) or changed. You can also edit the signature to grab a packet capture of the traffic and see if it is doing what the signature is warning you about.

- Bob

Sig. 35646-0 SMB Transaction Parsing Vulnerability

deeznuts420 — Tue, 10 Jan 2012 20:05:50 GMT

Hey Damian, mine began on Thursday, 1/5/12 around 3:00 PM EST. So far, I've narrowed it down to SMB traffic between our web servers, and the web programmers/designers. I have also noticed a few DCs of ours as victims as well, I would assume that was due to SYSVOL access for GP updates, etc by the clients. I do find it interesting that we're showing similar symptoms though.

@rhermes, I actually have our IPS setup to forward me a copy of the offending packet and sure enough I can see the code/text/patterns that are triggering the sig however, it appears to be encrypted and therefore doesn't really shine any light on what could be causing it.

Re: Sig. 35646-0 SMB Transaction Parsing Vulnerability

murphy.brandon — Tue, 10 Jan 2012 21:28:20 GMT

To me, this is a great example of how Cisco is horrible at releasing up-to-date signatures. This signature is for a vulnerability that is approaching a year old now (Microsoft released a security bulletin on April 12st 2011 (1)), and was just released by Cisco last week(2).

If you're like everyone else, your servers should already be patched and this really a non-issue (for impact anyway). But now I'm getting 200 alerts every 10 minutes because Cisco in their infinite wisdom decided to finally release a sig for this.

Being that Cisco hasn't disclosed, or allowed me to see, the regex setting for this STRING-TCP sig, I have no way of knowing what this signature is even alerting on. For all I know, they are looking for "[sS][mM][Bb]" in a packet with a dst port of 139 or 445, which would make this sig total crap. Now I have to go through and figure out what is causing this signature to fire, make sure it's not malicious, and then either tune this sig, or more than likely disable it.

1) https://technet.microsoft.com/en-us/security/bulletin/ms11-020

2) http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=35646&signatureSubId=0&softwareVersion=6.0&releaseVersion=S615

Sig. 35646-0 SMB Transaction Parsing Vulnerability

murphy.brandon — Tue, 10 Jan 2012 23:16:02 GMT

FYI - I've got about 8 packet captures of this, 5 of which have full SMB sessions. I'll be opening a ticket with Cisco tomorrow to figure out why this signature is firing so often, I'm sure there are some benign triggers. I'll keep you guys updated.

Sig. 35646-0 SMB Transaction Parsing Vulnerability

deeznuts420 — Tue, 10 Jan 2012 23:33:34 GMT

That's excellent Brandon, thanks for opening the ticket and keeping us in the loop.

Re: Sig. 35646-0 SMB Transaction Parsing Vulnerability

mitchen — Thu, 12 Jan 2012 10:38:54 GMT

We are also being affected by this one (just came on here to see if there were any answers!) so would definitely be interested in any updates you get - thanks.

Sig. 35646-0 SMB Transaction Parsing Vulnerability

murphy.brandon — Thu, 12 Jan 2012 16:07:37 GMT

I'll provide a quick update on my ticket. Ticket is open and pcaps have been provided. I specially asked the following questions after getting a disappointing inital response.

-----------------------------------------------------------------------------------

•1) Have you found the specially-crafted SMB requests in any of the packet captures?
•2) If not , can you validate that this signature is firing alerts on benign traffic and are false positives?
•3) If so, can you confirm this traffic is actually malicious in nature and are true positives?

Based on the provided packet captures and the volume of alerts, this signature appears to be susceptible to false positives in windows environments. This is not depicted on the following link, which clearly states “There are no known benign triggers.” and “There are no suggested filters.”

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=35646&signatureSubId=0&softwareVersion=6.0&releaseVersion=S615

----------------------------------------------------------------------------------------

I"m still waiting for a response on that. If there are any other questions anyone has, feel free to let me know and i'll add them to the ticket.

Sig. 35646-0 SMB Transaction Parsing Vulnerability

deeznuts420 — Thu, 12 Jan 2012 16:38:23 GMT

Thanks for the update Brandon - I think those 3 questions you asked should give us a good idea on how to proceed, assuming Cisco can answer them with some authority

Sig. 35646-0 SMB Transaction Parsing Vulnerability

ruppala — Fri, 13 Jan 2012 20:27:00 GMT

The Signature team is currently looking into this issue. I will keep the forum updated with the results.

Sig. 35646-0 SMB Transaction Parsing Vulnerability

lukeprimm — Fri, 13 Jan 2012 20:32:35 GMT

Same with us, looks like they started on 01/05/2012 and have been firing ever since on a daily basis. Anxiously awaiting an answer. Thanks

Sig. 35646-0 SMB Transaction Parsing Vulnerability

mfurgiuele.maiten — Mon, 16 Jan 2012 19:35:35 GMT

Dear,

I am also the same problem, has any news on this issues?. Thanks

Sig. 35646-0 SMB Transaction Parsing Vulnerability

murphy.brandon — Mon, 16 Jan 2012 21:50:52 GMT

Unfortunately there hasn't been much progress made on my ticket. I've requested that the ticket be escalated to signature developers. Hopefully some more progress we made on the ticket soon I will keep you all updated.

Sig. 35646-0 SMB Transaction Parsing Vulnerability

ruppala — Mon, 16 Jan 2012 23:07:10 GMT

The signature team is actively looking into this and will release a sigupdate soon to address this.

Sig. 35646-0 SMB Transaction Parsing Vulnerability

deeznuts420 — Tue, 17 Jan 2012 01:44:47 GMT

Thanks for the update - when you have an ETA on those new sigs, we'd love to hear it.

Sig. 35646-0 SMB Transaction Parsing Vulnerability

rkirkeby — Tue, 17 Jan 2012 11:44:12 GMT

We faced the same issue, in our case the victim was our Windows File server Running of a Windows Server 2008 standard edition. Both the clients and servers are up to date on the patching.

Due to the high alerts and limited time, we tuned the signature so it dropped the offending packets. Soon after we started to receive complaints from the users that they couldnt save files to the file server any more, after removing the drop action the problem was fixed.

Its clear that this is a false-positive, and hope its fixed with the next signature release.

Sig. 35646-0 SMB Transaction Parsing Vulnerability

patricio.biggeri — Fri, 20 Jan 2012 16:36:07 GMT

The Cisco Support Engineer told us: "I would like to let you know that there are some modifications being made to this signature and pushed out in the next release cycle as most of the time it has been a false alarm."

Re: Sig. 35646-0 SMB Transaction Parsing Vulnerability

ruppala — Fri, 20 Jan 2012 19:57:50 GMT

A higher fidelity version of signature 35646-0 is going through the release process and should be out shortly.

Sig. 35646-0 SMB Transaction Parsing Vulnerability

murphy.brandon — Sat, 21 Jan 2012 02:46:52 GMT

While I haven't heard anything regarding the ticket, I did just get a notification of S621, which includes the updated sig.

http://tools.cisco.com/security/center/viewBulletin.x?bId=437&year=2012