Microsoft Security Bulletin Coverage (July 14, 2015)

As usual, Microsoft has released its security bulletins for July 2015.
You should check whether your security devices are able to protect against the CVE IDs listed below.
If you are using Dell SonicWall security products and they are set to download signature updates automatically, there is no need to worry: the SonicWall security team has already released signatures that cover these vulnerabilities.
If your devices do not auto-update, update them manually.
The CVE IDs are listed below for your reference and awareness.

MS15-058 Vulnerabilities in SQL Server Could Allow Remote Code Execution
  • CVE-2015-1761 SQL Server Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1762 SQL Server Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1763 SQL Server Remote Code Execution Vulnerability
    There are no known exploits in the wild.
MS15-065 Security Update for Internet Explorer 
  • CVE-2015-1729 Internet Explorer Information Disclosure Vulnerability
    IPS: 5962 "Internet Explorer Cross-domain Information Disclosure (MS14-065) 2"
  • CVE-2015-1733 Internet Explorer Memory Corruption Vulnerability
    IPS: 11026 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 10"
  • CVE-2015-1738 Internet Explorer Memory Corruption Vulnerability
    IPS: 11027 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 11"
  • CVE-2015-1767 Internet Explorer Memory Corruption Vulnerability
    IPS: 11028 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 12"
  • CVE-2015-2372 VBScript Memory Corruption Vulnerability
    IPS: 11029 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 13"
  • CVE-2015-2383 Internet Explorer Memory Corruption Vulnerability
    IPS: 11030 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 14"
  • CVE-2015-2384 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2385 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2388 Internet Explorer Memory Corruption Vulnerability
    IPS: 11031 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 15"
  • CVE-2015-2389 Internet Explorer Memory Corruption Vulnerability
    IPS: 11032 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 16"
  • CVE-2015-2390 Internet Explorer Memory Corruption Vulnerability
    IPS: 11033 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 17"
  • CVE-2015-2391 Internet Explorer Memory Corruption Vulnerability
    IPS: 11034 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 18"
  • CVE-2015-2397 Internet Explorer Memory Corruption Vulnerability
    IPS: 7638 "DOM Object Use-After-Free Attack 2"
  • CVE-2015-2398 Internet Explorer XSS Filter Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2401 Internet Explorer Memory Corruption Vulnerability
    IPS: 11036 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 20"
  • CVE-2015-2402 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2403 Internet Explorer Memory Corruption Vulnerability
    IPS: 2175 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 1"
  • CVE-2015-2404 Internet Explorer Memory Corruption Vulnerability
    IPS: 2190 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 2"
  • CVE-2015-2406 Internet Explorer Memory Corruption Vulnerability
    IPS: 2191 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 3"
  • CVE-2015-2408 Internet Explorer Memory Corruption Vulnerability
    IPS: 2192 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 4"
  • CVE-2015-2410 Internet Explorer Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2411 Internet Explorer Memory Corruption Vulnerability
    IPS: 2198 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 5"
  • CVE-2015-2412 Internet Explorer Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2413 Internet Explorer Information Disclosure Vulnerability
    IPS: 2207 "Internet Explorer Information Disclosure Vulnerability (MS15-065) 1"
  • CVE-2015-2414 Internet Explorer Information Disclosure Vulnerability
    IPS: 2208 "Internet Explorer Information Disclosure Vulnerability (MS15-065) 2"
  • CVE-2015-2419 Jscript9 Memory Corruption Vulnerability
    IPS: 2209 "Internet Explorer JScript9 Memory Corruption Vulnerability (MS15-065)"
  • CVE-2015-2421 Internet Explorer ASLR Bypass
    IPS: 2210 "Internet Explorer ASLR Bypass Vulnerability (MS15-065)"
  • CVE-2015-2422 Internet Explorer Memory Corruption Vulnerability
    IPS: 2233 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 6"
  • CVE-2015-2425 Internet Explorer Memory Corruption Vulnerability
    IPS: 2234 "Internet Explorer Memory Corruption Vulnerability (MS15-065) 7"
MS15-066 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution
  • CVE-2015-2372 VBScript Memory Corruption Vulnerability
    There are no known exploits in the wild.
MS15-067 Vulnerability in RDP Could Allow Remote Code Execution 
  • CVE-2015-2373 Remote Desktop Protocol (RDP) Remote Code Execution Vulnerability
    There are no known exploits in the wild.
MS15-068 Vulnerabilities in Windows Hyper-V Could Allow Remote Code Execution 
  • CVE-2015-2361 Hyper-V Buffer Overflow Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2362 Hyper-V System Data Structure Vulnerability
    There are no known exploits in the wild.
MS15-069 Vulnerabilities in Windows Could Allow Remote Code Execution 
  • CVE-2015-2368 Windows DLL Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2369 DLL Planting Remote Code Execution Vulnerability
    There are no known exploits in the wild.
MS15-070 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution 
  • CVE-2015-2376 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2377 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2379 Microsoft Office Memory Corruption Vulnerability
    SPY:3107 "Malformed-File doc.MP.24"
  • CVE-2015-2380 Microsoft Office Memory Corruption Vulnerability
    SPY:3106 "Malformed-File doc.MP.23"
  • CVE-2015-2415 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2424 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
MS15-071 Vulnerability in Netlogon Could Allow Elevation of Privilege 
  • CVE-2015-2374 Elevation of Privilege Vulnerability in Netlogon
    There are no known exploits in the wild.
MS15-072 Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege 
  • CVE-2015-2364 Graphics Component EOP Vulnerability
    SPY:3105 "Malformed-File swf.MP.234"
MS15-073 Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege 
  • CVE-2015-2363 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2365 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2366 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2367 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2381 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2382 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
MS15-074 Vulnerability in Windows Installer Service Could Allow Elevation of Privilege 
  • CVE-2015-2371 Windows Installer EoP Vulnerability
    There are no known exploits in the wild.
MS15-075 Vulnerabilities in OLE Could Allow Elevation of Privilege 
  • CVE-2015-2416 OLE Elevation of Privilege Vulnerability
    SPY:3105 "Malformed-File swf.MP.234"
  • CVE-2015-2417 OLE Elevation of Privilege Vulnerability
    SPY:3105 "Malformed-File swf.MP.234"
MS15-076 Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege 
  • CVE-2015-2370 Windows RPC Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
MS15-076 Vulnerability in ATM Font Driver Could Allow Elevation of Privilege 
  • CVE-2015-2387 ATMFD.DLL Memory Corruption Vulnerability
    There are no known exploits in the wild.
Source : SonicWall Security Center

Have a good time.
(Be knowledgeable, pass it on then)

Upatre.SMJ a Malware Hides in encrypted PNG Image

The Dell SonicWall Threats Research team has observed reports of a new malware family, detected as GAV: Upatre.SMJ, actively spreading in the wild. This time the attackers use a dropper to download the actual malware, which is hidden inside image (encrypted PNG) files to avoid detection by firewalls.


Infection Cycle:
The malware uses the following icon:

MD5:
  • 051e79a2d44a8dba92e98ae9c4be2399 - Major Executable
Dropper:
  • 88ff4cfd4154c9b112a963700dfcd560 - Image PNG file
The malware adds the following files to the system:
  • Malware.exe
    • %Temp%\tzojedox.exe
    • %Temp%\TZ9D-23.txt
  • Tzojedox.exe
    • %Temp%\kiuwken.exe
    • %Temp%\TZ9D-23.txt
  • Kiuwken.exe
    • C:\WINDOWS\enCSuFWrQQsXBxp.exe
The malware adds the following key to the Windows registry to ensure persistence upon reboot:

Once the computer is compromised, the malware copies its own executable into the Temp folder.


The file tzojedox.exe is dropped after the malware launches on the target system. The malware then tries to download encrypted PNG files from its C&C server, such as the following domains:

Here is an example of an encrypted PNG file:
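The evasion described above depends on the dropper fetching a payload that is a PNG in name only. As an added example that is not part of the original post or of SonicWall's tooling, the following Python check tests whether bytes served as an image are structurally a PNG (signature, IHDR first, valid chunk CRCs, IEND last); it also flags data appended after IEND, which goes slightly beyond the case in the post. The sample bytes are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_structure_ok(data):
    """True only if data is a well-formed PNG: signature, IHDR first, every chunk
    CRC valid, IEND last with nothing trailing. A renamed or encrypted blob fails."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos, first = len(PNG_SIGNATURE), True
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return False  # declared length runs past the file: not real chunk data
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False  # chunk CRC does not match: corrupted or not a PNG at all
        if first and ctype != b"IHDR":
            return False
        first = False
        pos = end
        if ctype == b"IEND":
            return pos == len(data)  # anything appended after IEND is suspicious
    return False  # ran out of data before a proper IEND chunk

def make_chunk(ctype, body):
    """Build one PNG chunk with a correct CRC (only used to construct the samples)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed samples: a real 1x1 greyscale PNG, the same bytes with the chunk area
# XOR-scrambled behind a genuine signature (stand-in for an "encrypted PNG"), and a
# real PNG with an opaque payload appended after IEND.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey, no interlace
IDAT = zlib.compress(b"\x00\x00")                    # filter byte 0 + one grey pixel
GOOD_PNG = (PNG_SIGNATURE + make_chunk(b"IHDR", IHDR)
            + make_chunk(b"IDAT", IDAT) + make_chunk(b"IEND", b""))
FAKE_PNG = PNG_SIGNATURE + bytes(b ^ 0x5A for b in GOOD_PNG[8:])
TRAILING_PNG = GOOD_PNG + b"\x00opaque payload after IEND"
```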


The malware tries to retrieve your computer name, Windows version and IP address, then transfers this information to its C&C server, such as the following IPs:

Command and Control (C&C) Traffic
Upatre.SMJ performs C&C communication over ports 443 and 80. The malware sends your system information to its C&C server in the following format; here are some examples:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:


SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
  • GAV: Upatre.SMJ (Trojan)

Source : Dell Security Center

Have a good time.
(Be knowledgeable, pass it on then)

Adobe Flash Player Heap Zero-Day Vulnerability CVE-2015-3113

Adobe released a security update for Adobe Flash Player on June 23, 2015 to cover a critical zero-day heap-based buffer overflow vulnerability.

Dell SonicWALL released the following signature on the same day to protect its customers:

"1040 Malformed-File swf.MP.228"

No further activity addressing this vulnerability has been observed since the signature was deployed on the Dell SonicWALL GRID system.
However, exploiting this vulnerability could allow an attacker to take control of the affected system. Affected systems include those running Internet Explorer on Windows 7 and below, as well as Firefox on Windows XP. Updating the Adobe Flash Player application is recommended. The affected software versions are:

  • Adobe Flash Player 18.0.0.161 and earlier versions for Windows and Macintosh
  • Adobe Flash Player Extended Support Release version 13.0.0.292 and earlier 13.x versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.466 and earlier 11.x versions for Linux

This vulnerability is tracked as CVE-2015-3113.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3113

Have a good time.
(Be knowledgeable, pass it on then)

Steps to configure Site to Site VPN between SonicWalls


Today, I'd like to share the steps to configure an IPSec site-to-site VPN tunnel in IKEv2 mode between two SonicWalls.
Follow the steps below on both the local-site and remote-site SonicWall firewalls to bring up the VPN tunnel.

- Create firewall Address Objects for the local and remote networks and assign them to the correct zones.
- By default, the VPN setting in SonicWall is disabled, so do not forget to enable it.
- Add a VPN Policy with the following details:
(
1> Policy Type must be Site to Site
2> Authentication Method must be IKE using Preshared Secret
3> Assign a VPN name for ease of understanding.
4> IPSec Primary Gateway Name or Address must be the WAN IP address of the remote-site firewall
5> Key in a complex, secure Shared Secret
6> Put the correct Local and Peer (Remote) WAN IP addresses as the IKE IDs for IKEv2 mode in both firewalls
7> The Local and Destination (Remote) network subnets must be correct in the Network section of the VPN Policy
8> Ensure the Phase 1 and Phase 2 Proposal settings are correct (they must match on both sides)
9> Do not forget to enable the Keep Alive setting
10> By default, VPN access rules are added automatically once you've created the VPN Policy. If you do not see them in your Access Rules, create them manually.
)
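The ten policy settings above only bring the tunnel up when the two firewalls' policies mirror each other (gateway, IKE IDs and networks swapped; secret and proposals identical). As an added example that is not part of the original post, here is a Python check that compares two such policies; the dictionary keys, sample addresses and the 20-character secret threshold are assumptions for illustration, not SonicWall's configuration schema.

```python
import hmac

# Constructed sample policies for the two firewalls. The dictionary keys are assumed
# names for this example, not SonicWall's own configuration schema.
SITE_A = {
    "policy_type": "Site to Site", "auth_method": "IKE using Preshared Secret",
    "wan_ip": "203.0.113.10", "primary_gateway": "198.51.100.20",
    "local_ike_id": "203.0.113.10", "peer_ike_id": "198.51.100.20",
    "local_network": "192.168.10.0/24", "remote_network": "192.168.20.0/24",
    "shared_secret": "Tq7!vR2#pL9$wE4^zX1&mN6*", "keep_alive": True,
    "phase1": ("IKEv2", "AES-256", "SHA256", "Group 14", 28800),
    "phase2": ("ESP", "AES-256", "SHA256", 28800),
}
SITE_B = dict(SITE_A,
    wan_ip="198.51.100.20", primary_gateway="203.0.113.10",
    local_ike_id="198.51.100.20", peer_ike_id="203.0.113.10",
    local_network="192.168.20.0/24", remote_network="192.168.10.0/24",
)

def check_pair(a, b):
    """Return the mismatches between the two firewalls' policies (empty list = consistent)."""
    problems = []
    for name, p in (("A", a), ("B", b)):
        if p["policy_type"] != "Site to Site":
            problems.append(f"{name}: policy type must be Site to Site")
        if p["auth_method"] != "IKE using Preshared Secret":
            problems.append(f"{name}: authentication must be IKE using Preshared Secret")
        if len(p["shared_secret"]) < 20:  # assumed minimum for a "complex" secret
            problems.append(f"{name}: shared secret is too short")
        if not p["keep_alive"]:
            problems.append(f"{name}: Keep Alive is disabled")
    # Step 4: each side's primary gateway must be the other side's WAN IP.
    if a["primary_gateway"] != b["wan_ip"] or b["primary_gateway"] != a["wan_ip"]:
        problems.append("primary gateway does not point at the peer's WAN IP")
    # Step 5: both sides must hold the same secret (constant-time comparison).
    if not hmac.compare_digest(a["shared_secret"], b["shared_secret"]):
        problems.append("shared secrets differ")
    # Step 6: IKE IDs must be mirrored: my local ID is the peer's peer ID.
    if a["local_ike_id"] != b["peer_ike_id"] or b["local_ike_id"] != a["peer_ike_id"]:
        problems.append("IKE IDs are not mirrored")
    # Step 7: local/destination networks must be mirrored.
    if a["local_network"] != b["remote_network"] or b["local_network"] != a["remote_network"]:
        problems.append("local/destination networks are not mirrored")
    # Step 8: Phase 1 and Phase 2 proposals must match exactly.
    for phase in ("phase1", "phase2"):
        if a[phase] != b[phase]:
            problems.append(f"{phase} proposals differ")
    return problems
```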

Well... your IPSec site-to-site VPN tunnel should be up and running, shown as Active in the VPN monitoring session, if you have configured the above correctly on both SonicWall firewalls.

I've attached configuration screenshots of the local-site firewall for your reference.

I believe this post will be useful for those who are starting to work with SonicWall firewalls.

Have a good time.
(Be knowledgeable, pass it on then)