Think you have a false positive on this rule?

Sid 1-50705

Message

OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt

Summary

This event is generated when Microsoft Windows SChannel CertificateVerify buffer overflow attempted.

Impact

Attempted Administrator Privilege Gain

CVE-2014-6321:

CVSS base score 10.0

CVSS impact score 10.0

CVSS exploitability score 10.0

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Detailed information

CVE-2014-6321: Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via crafted packets, aka "Microsoft Schannel Remote Code Execution Vulnerability."

Affected systems

microsoft windows_7 -
microsoft windows_8 -
microsoft windows_8.1 -
microsoft windows_rt -
microsoft windowsrt8.1 -
microsoft windowsserver2003 *
microsoft windowsserver2008 *
microsoft windowsserver2008 r2
microsoft windowsserver2012 -
microsoft windowsserver2012 r2
microsoft windows_vista -

Ease of attack

CVE-2014-6321:

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

False positives

False negatives

Corrective action

Contributors

Cisco Talos Intelligence Group

Additional References

technet.microsoft.com/en-us/security/bulletin/MS14-066