We are happy to announce two SD Script updates for eyeInspect:
- Host and Link Add Ons v1.33
This SD Script extends the fingerprinting capabilities of the HLI module of SilentDefense/eyeInspect by inspecting protocol-specific messages.
- Threat Detection Add Ons v1.1
This SD Script extends the detection capabilities of the ITL module of SilentDefense/eyeInspect by inspecting protocol-specific messages.
In this update, the Threat Detection Add Ons v1.1 provides additional detection capability for multiple AMNESIA:33 related vulnerabilities. For more information on what the AMNESIA:33 vulnerabilities are, and how they may affect your organization, please visit https://www.forescout.com/amnesia33.
Download and install the Host and Link Add Ons v1.33 to gain the following additional capabilities:
- Fingerprinting of SIPROTEC 4 IEDs using the DIGSI4 protocol.
- New SNMP fingerprints for Comtrol RocketLinx devices.
- Improved SNMP fingerprinting logic, now properly handling SNMPv2c exception codes.
Download and install the Threat Detection Add Ons v1.1 to gain the following additional capabilities:
- Detection of malformed DNS packets that may exploit vulnerabilities in the DNS clients of several embedded TCP/IP stacks, covering multiple AMNESIA:33 vulnerabilities as well as two related issues:
  - CVE-2020-24335 (FSCT-2020-0026)
  - CVE-2020-24338, CVE-2020-24339 (FSCT-2020-0028)
  - CVE-2020-24340 (FSCT-2020-0029)
  - CVE-2020-24334 (FSCT-2020-0030)
  - CVE-2020-25107, CVE-2020-25108, CVE-2020-25109, CVE-2020-25110, CVE-2020-25111 (FSCT-2020-0031)
  - CVE-2020-11901 (found by JSOF and part of Ripple20)
  - ThreadX DNS resolver vulnerability discovered by JSOF
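As an added illustration (not part of this update or of the SD Script itself), the following Python checker shows the kind of RFC 1035 sanity checks a defender can run over a captured DNS response to flag malformed name encodings: reserved label types, compression pointers that do not point strictly backwards (self references and loops), and labels or RDATA that overrun the packet. It is a generic validator rather than a reproduction of the SD Script's detection logic, and the sample messages are constructed.

```python
import struct
class MalformedDNS(Exception):
    """Raised when a message violates RFC 1035 name or record encoding rules."""

def parse_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Decode the name at pkt[off]; return (dotted name, offset after it). Raises MalformedDNS
    on reserved label types, pointers that are not strictly backward and labels that overrun."""
    labels, end = [], None
    while True:
        if off >= len(pkt):
            raise MalformedDNS(f"name runs past end of packet at offset {off}")
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF  # struct.error if truncated
            if ptr >= off:                              # only backward jumps are legitimate
                raise MalformedDNS(f"forward or self pointer {ptr} at offset {off}")
            end = off + 2 if end is None else end       # the name ends after the first pointer
            off = ptr
            continue
        if length & 0xC0:                               # 0x40 and 0x80 are reserved types
            raise MalformedDNS(f"reserved label type 0x{length:02x} at offset {off}")
        if length == 0:                                 # root label terminates the name
            return ".".join(labels) or ".", (off + 1 if end is None else end)
        if off + 1 + length > len(pkt):                 # length <= 63 here (top bits clear)
            raise MalformedDNS("label runs past end of packet")
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length

def check_dns_response(pkt: bytes) -> list[str]:
    """Walk the question and answer sections; return findings ([] means clean)."""
    try:
        qdcount, ancount = struct.unpack_from("!HH", pkt, 4)   # counts live at bytes 4..7
        off = 12
        for _ in range(qdcount):
            off = parse_name(pkt, off)[1] + 4           # skip QTYPE and QCLASS
        for _ in range(ancount):
            off = parse_name(pkt, off)[1]
            off += 10 + struct.unpack_from("!H", pkt, off + 8)[0]  # TYPE..RDLENGTH, then RDATA
        if off > len(pkt):
            raise MalformedDNS("RDATA runs past end of packet")
    except (MalformedDNS, struct.error) as exc:
        return [str(exc)]
    return []

# Constructed sample messages (not captured traffic).
HEADER = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"     # response, 1 question, 1 answer
QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"            # example.com IN A
ANSWER_TAIL = b"\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"  # IN A, TTL 3600, 93.184.216.34
GOOD_RESPONSE = HEADER + QUESTION + b"\xc0\x0c" + ANSWER_TAIL    # answer name points back to offset 12
LOOP_RESPONSE = HEADER + QUESTION + b"\xc0\x1d" + ANSWER_TAIL    # answer name points at itself (offset 29)
TRUNCATED_RESPONSE = HEADER[:6] + b"\x00\x00" + HEADER[8:] + b"\x07exam"  # label claims 7 bytes, 4 remain
```

Running `check_dns_response` over the three samples returns an empty list for the clean response and a single finding for each malformed one.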
This content update is supported by the following releases:
- SilentDefense/eyeInspect version 3.13.0 and up
The SD Script profile must be uploaded to the eyeInspect Command Center. For the Threat Detection Add Ons, the accompanying CSV file with the new Event Type IDs must also be uploaded to the eyeInspect Command Center. Note that this CSV comes in two versions, a US regional version and a global version; upload the version matching your system's regional settings.
Download the module and related documentation from the Downloads / Resources section of the OT Customer portal, https://portal.secmatters.com/.