Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2743
Views
25
Helpful
8
Replies

Microsoft MSHTML RCE - CVE-2021-40444 : how Cisco replies?

00urb57x9u0O6CPE25d6
Level 1
Level 1

‎09-09-2021 05:47 AM

In a new advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444), Microsoft mentions (normal, their product) that Microsoft Defender... provide detection and protections for the known vulnerability. Also... alerts will be displayed as: “Suspicious Cpl File Execution”.

What is Cisco's behaviour in regards to this one?

 

Tks.

4 people had this problem
Labels:
8 Replies 8

DaphneG
Cisco Employee
Cisco Employee

‎09-09-2021 09:23 AM

Our Research and Efficacy team is currently investigating this vulnerability. We'll share the findings as soon as it's available. 

0 Helpful

DaphneG
Cisco Employee
Cisco Employee
In response to DaphneG

‎09-09-2021 12:48 PM

We have signature-based coverage since yesterday. Our team is working on adding more coverage through Behavioral Protection engine and Cloud IOCs.

DaphneG
Cisco Employee
Cisco Employee
In response to DaphneG

‎09-09-2021 01:10 PM

I meant to include earlier that for those interested Cisco Talos also released new SNORT rules for this CVE: https://blog.talosintelligence.com/2021/09/talos-release-protection-against-zero.html#more
0 Helpful

ITGuyCSI25
Level 1
Level 1
In response to DaphneG

‎09-09-2021 08:25 PM

Talos mentions deploying "ClamAV signature Doc.Exploit.CVE_2012_40444-9891528-0" is this something we as AMP administrators need to do or is this already done for us? 

 

Otherwise, it would be great if Cisco would provide some Custom Detections - Advanced Signature sets we could use in the meantime.

 

mnarayandas
Level 1
Level 1

‎09-10-2021 04:04 PM

Is there anything to be done on Cisco AMP side?  Does this vulnerability covered under Tetra signatures of Cisco AMP?

reubooke
Cisco Employee
Cisco Employee
In response to mnarayandas

‎09-13-2021 08:24 AM

Also would like information regarding what needs to be done on the Cisco AMP side 

0 Helpful

DaphneG
Cisco Employee
Cisco Employee

‎09-13-2021 10:44 AM

Sorry for the delay in the response. AMP has released the following Cloud IOCs and Behavioral Protection (BP) signature since Thursday afternoon:

 

W32.WinwordLaunchedControl.ioc (Cloud IOC)
W32.SuspiciousControl_RunDLLExecution.ioc (Cloud IOC)
Suspicious Control Process Pattern (BP signature)

 

The details of each can be found in the Indicators page: https://console.amp.cisco.com/indicators

 

You might want to monitor and investigate the endpoints that triggered these events. 

0 Helpful
Customers Also Viewed These Support Documents