FILE-OTHER Multiple Products SGI ZSIZE handling buffer overflow attempt

the message indicates an attempt to exploit a buffer overflow in the SGI ZSIZE handling in multiple products. The rule matches on TCP traffic with specific content in the file data that indicates a potential buffer overflow attempt.

ID Number

43608

Signature

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Multiple Products SGI ZSIZE handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|01 DA 01|"; depth:3; byte_test:2,>,4,7,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19507; reference:cve,2006-4144; reference:cve,2018-5040; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:43608; rev:5;)

Severity

medium

Recommendations/Investigative actions

Check if the affected products or software components have security patches or updates available from their respective vendors. Apply the latest patches promptly to address the buffer overflow vulnerability.Authorize the connection. If the connection was approved - archive and baseline the rule. If not - check the connection, If there are internet IP's involved check if there are more alerts that this IP is involved, block the IP's in the FW and investigate the relevant IP address.