
Ironport able to detect specially crafted email for Exchange Memory Corruption Vulnerability

aleironport
Level 1

Hi, everybody. 

 

Just yesterday Microsoft announced patches for a series of security vulnerabilities. One of these vulnerabilities is related to Exchange: CVE-2019-0586 – Microsoft Exchange Memory Corruption Vulnerability.


This patch corrects a bug in Exchange that could allow an attacker to take control of an Exchange server just by sending it a specially crafted email.

 

Question is, are Ironport appliances able to detect and stop such special emails? Will they flag them as malicious?

 

I have tried searching blogs and forums for an answer, but have not yet found one. I have managed to find that Talos has released new SNORT rules which will respond and protect against the mentioned vulnerabilities, but to my knowledge, Ironport does not use SNORT.

 

I hope someone has a good answer to the question. If Ironport appliances are able to detect and stop the mentioned malicious emails, this will buy time in regards to planning and patching Exchange servers.

 

Regards,

Aleironport

Accepted Solutions

Libin Varghese
Cisco Employee

The URL filtering feature on the ESA pulls updates from Talos as well; however, SNORT rules are not directly integrated with ESAs.

 

From the description available, this appears to be related to specially crafted URLs; however, without a sample it would be difficult to confirm what Talos would classify that as.

 

You could open a TAC case to have this confirmed by Talos.

 

Regards,

Libin
