IPS Rule id=1139797
Good morning,
Today many customers are reporting navigation problems in their infrastructure to me; when I check the firewall I find that the IPS is generating blocks when they visit a Microsoft site.
Is this a false positive? Is it safe to add the signature to exceptions in the firewall?
Comments
Hi @D4rkSeven
It's difficult to say if it's a false positive without seeing the actual traffic. If you'd like to have someone look at the traffic directly, I'd suggest opening a support case. The tech will likely need to look at a packet capture of the HTTP traffic in order to determine if this is an issue.
The specific IPS definition is:
https://securityportal.watchguard.com/threats/detail?ruleId=1139797&sigVers=18
Specifically, traffic with a negative content-length header value
That page suggests it's a rather old exploit. If this just started happening, it's likely something changed on Microsoft's side that triggered it.
-James Carson
WatchGuard Customer Support
My guess is that it is a false positive.
Note that one of the CVE/MITRE references (2017-unknown) is for an unknown ID - and is thus of no value.
Also BUGTRAQ ID links are no longer working.
The oldest of the CVEs for this ID is from 2005 and the newest is 2014.
None of the links I see refer to Windows components.
Hi,
I have the same problem. Only my 3 old T35s running version 1.5.12 have problems: IPS detections 1139797 and 1132012 on all types of sites.
You can add an exception for those IPS IDs.
Configure IPS Exceptions
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/ips/ips_config_exceptions_c.html
I can't find any info on 1132012. Typo?
Sorry,
1132092 = FILE Invalid XML Version -2 - A buffer overflow vulnerability was found in multiple products, caused by improper bounds checking of the version and encoding attributes inside the XML declaration
Strange! All sites, and only on T35 with 12.5.12.
I've got ~100 appliances without problems.
Setting up exceptions until a solution is found
Search error on my part...
CVE-2013-7260
Multiple stack-based buffer overflows in RealNetworks RealPlayer before 17.0.4.61 on Windows, and Mac RealPlayer before 12.0.1.1738, allow remote attackers to execute arbitrary code via a long (1) version number or (2) encoding declaration in the XML declaration of an RMP file, a different issue than CVE-2013-6877.
Looks like a false positive.
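The two signatures discussed in this thread key on fairly simple conditions: 1139797 on an HTTP response whose Content-Length header carries a negative value, and 1132092 on an XML declaration whose version or encoding attribute is abnormally long. When support asks for a packet capture, the first thing to check is whether the captured response actually meets either condition. The script below is an added example, not WatchGuard's signature logic and not code from anyone in this thread; the sample responses are constructed, and the 32-byte attribute-length threshold (MAX_XML_ATTR_LEN) is an assumption, since the real signature's limits are not published here.

```python
import re

# Constructed sample HTTP responses for triage; these are not real captured traffic.
SAMPLE_NORMAL = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"<html></html>"
)

# A response that would genuinely match a "negative Content-Length" rule.
SAMPLE_NEGATIVE_CL = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: -1\r\n"
    b"\r\n"
    b"<html></html>"
)

# A response whose XML declaration carries an oversized version attribute.
SAMPLE_LONG_XML_VERSION = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/xml\r\n"
    b"Content-Length: 300\r\n"
    b"\r\n"
    b'<?xml version="' + b"1" * 200 + b'" encoding="UTF-8"?><rmp/>'
)

# Assumed triage threshold; the actual signature's limit is not known from the thread.
MAX_XML_ATTR_LEN = 32

# Matches the start of an XML declaration and captures version and (optional) encoding.
XML_DECL_RE = re.compile(
    rb'^\s*<\?xml\s+version\s*=\s*["\']([^"\']*)["\']'
    rb'(?:\s+encoding\s*=\s*["\']([^"\']*)["\'])?'
)


def split_response(raw: bytes):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def triage_response(raw: bytes) -> list:
    """Return the list of conditions the response meets (empty list means neither rule should fire)."""
    findings = []
    _, headers, body = split_response(raw)

    # Condition behind 1139797: a negative (or unparsable) Content-Length value.
    content_length = headers.get("content-length")
    if content_length is not None:
        try:
            if int(content_length) < 0:
                findings.append("negative-content-length")
        except ValueError:
            findings.append("non-numeric-content-length")

    # Condition behind 1132092: oversized version/encoding attribute in the XML declaration.
    match = XML_DECL_RE.match(body)
    if match:
        version = match.group(1)
        encoding = match.group(2) or b""
        if len(version) > MAX_XML_ATTR_LEN:
            findings.append("long-xml-version")
        if len(encoding) > MAX_XML_ATTR_LEN:
            findings.append("long-xml-encoding")
    return findings


if __name__ == "__main__":
    for name, sample in (("normal", SAMPLE_NORMAL),
                         ("negative-cl", SAMPLE_NEGATIVE_CL),
                         ("long-xml", SAMPLE_LONG_XML_VERSION)):
        print(name, triage_response(sample) or "no trigger condition present")
```

To use it on a real capture, export the server's HTTP response from the pcap as raw bytes (for example, follow the TCP stream in Wireshark and save the server side) and pass it to triage_response. If it returns an empty list for the response that the Firebox blocked, the capture supports the false-positive report you send through the Security Portal.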
Indeed, only T35 devices with firmware 12.5.2 or earlier are experiencing this problem. IPS detection 1139797 is the one that generates the most problems, since it blocks all the devices on the network. I observed that signature 1132092 generates several blocks, but as they are on public addresses it does not affect the clients as much.
Temporarily, add the signatures to exceptions.
Caused by a recent update to the IPS sigs on these firewalls???
On my firewall, running V12.10, I see Last Update: Sep 19, 2023, 12:43:22 PM EDT, running version 18.282
You can report false positives here:
https://www.watchguard.com/wgrd-support/security-portal/overview
The Security Portal IPS section reports the latest IPS versions, but not the date that they were created/deployed.
V4.x latest = 4.1424
If you're running into this issue, what we'd need to fix it would be a packet capture of said traffic. If you're running into this I'd suggest opening a support case so that one of our technicians can assist with that.
-James Carson
WatchGuard Customer Support
Contact support and bug:
https://techsearch.watchguard.com/KB?type=Known%20Issues&SFDCID=kA16S000000bydhSAA&lang=en_US
Thanks All
Bug title:
IPS signatures 1139797 and 1132092 block HTTP port 80 traffic after upgrade to v12.5.12
Workaround:
Temporarily add IPS signature exceptions to allow port 80 traffic through the Firebox.
We will update this article after the issue is resolved.