NETBIOS-SS: Microsoft Windows Search Remote Code Execution Vulnerability (CVE-2017-8543)

Hi All,

In our environment we are using McAfee NIPS and getting lots of FP (false positive) alerts for this signature. Kindly help me solve this issue.

Also, please suggest the match bytes and marker bytes for this signature to compare with the PCAP.

Regards

BB

6 Replies
d_aloy (Reliable Contributor), Message 2 of 7

Re: NETBIOS-SS: Microsoft Windows Search Remote Code Execution Vulnerability (CVE-2017-8543)

Hi Bharani

On the IPS policies, you should be able to select the attack and see the signature description:

Signature #1

condition 1

[AND] (One Of)
netbios-ss-req-content-text matches "(?{lang=pcre}\xCC\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{16}[\x01-\xFF]\x07)" ( case-sensitive )
[OR] netbios-ss-req-content-text matches "(?{lang=pcre}\xCC\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{16}.[\x08-\xFF])" ( case-sensitive )
[OR] netbios-ss-req-content-text matches "(?{lang=pcre}\xCC\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{16}..[\x01-\xFF])" ( case-sensitive )
[OR] netbios-ss-req-content-text matches "(?{lang=pcre}\xCC\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{16}...[\x01-\xFF])" ( case-sensitive )
[OR] netbios-ss-req-content-text matches "(?{lang=pcre}\xD0\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{4}[\x01-\xFF]\x07)" ( case-sensitive )
[OR] netbios-ss-req-content-text matches "(?{lang=pcre}\xD0\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{4}.[\x08-\xFF])" ( case-sensitive )
[OR] netbios-ss-req-content-text matches "(?{lang=pcre}\xD0\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{4}..[\x01-\xFF])" ( case-sensitive )
[OR] netbios-ss-req-content-text matches "(?{lang=pcre}\xD0\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{4}...[\x01-\xFF])" ( case-sensitive )

[AND] netbios-ss-smb2-command == 0x0b ( unsigned )

This should help you analyse the PCAPs - but this is a low BTP signature, so it should not really be generating many FPs. Maybe the alerts are TPs (true positives; you should be able to match the regex from the description against the pcap) but with no security implication (i.e. the target host is patched).

Regards

David

Re: NETBIOS-SS: Microsoft Windows Search Remote Code Execution Vulnerability (CVE-2017-8543)

Hi David,

Thanks for the information.

We have a machine with patches KB4022722 and KB4022719 installed, but we are still receiving the alert.

Please find the match pattern for the alert below. Could you please explain whether the match pattern is falsely triggered?

00000000  00 00 00 44 fe 53 4d 42  40 00 01 00 00 00 00 00 ...D.SMB @.......
00000010  02 00 01 00 08 00 00 00  00 00 00 00 cc 00 00 00 ........ ........
00000020  00 00 00 00 ff fe 00 00  00 00 00 00 01 06 00 94 ........ ........
00000030  b9 04 00 00 9e b9 65 be  09 6a 42 56 f9 6b 5f bb ......e. .jBV.k_.
00000040  46 d4 2f 3a 04 00 00 00                          F./:....

Regards

Bharani

d_aloy (Reliable Contributor), Message 4 of 7

Re: NETBIOS-SS: Microsoft Windows Search Remote Code Execution Vulnerability (CVE-2017-8543)

Hey Bharani

Yes, it does not seem to match the regex (*I think*). You will need to configure forensic pcap (10 packets post attack packet) and see if you can find the match; otherwise, that's a Support Case.

Cheers.

David

Re: NETBIOS-SS: Microsoft Windows Search Remote Code Execution Vulnerability (CVE-2017-8543)

Hi d_aloy,

Signatures 2, 3 and 4 match the pcap pattern. The signature seems to be false. Please provide input to the support team for the false alert signature.
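To check the posted dump against the posted signature mechanically rather than by eye, here is an added Python example (my own code, not from the thread or from McAfee): it decodes the hex dump, parses the NetBIOS session header and the 64-byte SMB2 header as laid out in MS-SMB2, reports the Command field, and runs the eight PCRE alternatives as Python bytes regexes. It assumes the sensor applies the regexes to the raw request bytes (so `.` must match any byte, hence DOTALL) and that `netbios-ss-smb2-command` is the Command field of the SMB2 header.

```python
import re
import struct

# Hex dump copied from the thread (offsets and ASCII columns stripped).
PCAP_HEX = """
00 00 00 44 fe 53 4d 42 40 00 01 00 00 00 00 00
02 00 01 00 08 00 00 00 00 00 00 00 cc 00 00 00
00 00 00 00 ff fe 00 00 00 00 00 00 01 06 00 94
b9 04 00 00 9e b9 65 be 09 6a 42 56 f9 6b 5f bb
46 d4 2f 3a 04 00 00 00
"""

# The eight PCRE alternatives from the signature description, in order.
PATTERNS = [
    rb"\xCC\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{16}[\x01-\xFF]\x07",
    rb"\xCC\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{16}.[\x08-\xFF]",
    rb"\xCC\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{16}..[\x01-\xFF]",
    rb"\xCC\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{16}...[\x01-\xFF]",
    rb"\xD0\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{4}[\x01-\xFF]\x07",
    rb"\xD0\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{4}.[\x08-\xFF]",
    rb"\xD0\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{4}..[\x01-\xFF]",
    rb"\xD0\x00\x00\x00\x00\x00\x00\x00.{4}\x00\x00\x00\x00.{4}...[\x01-\xFF]",
]
SMB2_IOCTL = 0x0B  # the Command value the signature's second condition requires

def parse_dump(hex_text: str) -> bytes:
    """Convert the whitespace-separated hex dump into raw bytes."""
    return bytes.fromhex("".join(hex_text.split()))

def parse_smb2_header(pkt: bytes) -> dict:
    """4-byte NetBIOS session header, then the fixed SMB2 header (MS-SMB2 2.2.1)."""
    nb_len = struct.unpack(">I", pkt[:4])[0]        # NetBIOS length is big-endian
    hdr = pkt[4:68]
    if hdr[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 header")
    # StructureSize, CreditCharge, Status, Command, CreditRequest, Flags,
    # NextCommand, MessageId, Reserved, TreeId, SessionId; all little-endian.
    fields = struct.unpack("<HHIHHIIQIIQ", hdr[4:48])
    return {"netbios_length": nb_len, "command": fields[3], "flags": fields[5],
            "message_id": fields[7], "tree_id": fields[9], "session_id": fields[10],
            "signature": hdr[48:64], "body": pkt[68:]}

def matching_patterns(pkt: bytes) -> list:
    """1-based indices of the regex alternatives that match the raw request bytes."""
    return [i for i, p in enumerate(PATTERNS, 1) if re.search(p, pkt, re.DOTALL)]

def evaluate_signature(pkt: bytes) -> dict:
    """Both signature conditions evaluated on this one packet."""
    cmd = parse_smb2_header(pkt)["command"]
    hits = matching_patterns(pkt)
    return {"command": cmd, "content_match": hits,
            "full_signature_match": bool(hits) and cmd == SMB2_IOCTL}

if __name__ == "__main__":
    print(evaluate_signature(parse_dump(PCAP_HEX)))
```

On this dump, content alternatives 2, 3 and 4 match because the 0xCC MessageId is followed by a zero TreeId and then the header's 16-byte Signature, whose bytes satisfy the loose trailing byte ranges; the Command field, however, is 0x02 (LOGOFF), not 0x0B (IOCTL), so the combined condition does not hold on this packet by itself, and the forensic pcaps the thread recommends would show whether the sensor saw the two conditions on different packets of the same session.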

mjesmer (Reliable Contributor), Message 6 of 7

Re: NETBIOS-SS: Microsoft Windows Search Remote Code Execution Vulnerability (CVE-2017-8543)

This is also something that I would recommend contacting support on. If this attack signature is generating a lot of noise with a low Benign Trigger Probability (BTP) then they will want to know.

Before you contact support you will need to follow the article listed below:

McAfee Corporate KB - How to submit Network Security Platform false positives and incorrect detectio...

Regards,

Matthew Jesmer

Former Platinum NSP Support

Re: NETBIOS-SS: Microsoft Windows Search Remote Code Execution Vulnerability (CVE-2017-8543)

Hi mjesmer,

We don't have console access to follow the process provided by McAfee. Please help me determine whether the signature is false or not.

Regards,

Bharani
