Cisco IPS Active Update Bulletin – 04/30/09

Greetings! This bulletin describes updates to the Cisco IPS product line. Additional information, tips and expert advice are available in the Cisco IPS User’s Forum at: http://www.cisco.com/discuss/security. For technical support, sales or other issues, please contact your authorized Cisco reseller or Cisco TAC.

IN THIS ISSUE:

  1. Announcing the S397 Signature Update for IPS
  2. Cisco IDS 4235 and IDS 4250 sensors approaching end of signature support
  3. Cisco IPS Signature correlation available in the Cisco Security IntelliShield Alert Manager Service
  4. Subscribe to the Product Alert Tool for IPS Related Field Issues
  5. Subscription Information

 

1. Announcing the S397 Signature Update for IPS

The S397 signature update contains the following new signatures:

| PLATFORM | SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED |
|---|---|---|---|---|---|
| 5.x,6.x | 7420.0 | Microsoft Help Workshop HPJ OPTIONS Section Buffer Overflow | string-tcp | medium | false |
| 5.x,6.x | 6430.0 | Microsoft Internet Explorer CSS Memory Corruption | string-tcp | medium | false |
| 5.x,6.x | 6133.0 | Microsoft Excel Cell Length Buffer Overflow CVE-2004-0846 | string-tcp | high | false |
| 5.x,6.x | 6457.0 | Lotus Notes URI Handler Argument Injection | string-tcp | high | false |
| 5.x,6.x | 6466.0 | Squid WCCP Message Parsing Denial of Service | atomic-ip | low | false |
| 5.x,6.x | 6467.0 | Mozilla Firefox Click Event Classification Vulnerability | string-tcp | low | false |
| 5.x,6.x | 6468.0 | Multiple Vendor AV Gateway Virus Detection Bypass | string-tcp | high | false |
| 5.x,6.x | 6141.0 | Macromedia JRun 4.x Server File Disclosure | service-http | low | false |
| 5.x,6.x | 6165.0 | nfs-utils TCP Connection Termination Denial of Service | string-tcp | medium | false |
| 5.x,6.x | 6170.0 | Novell eDirectory evtFilteredMonitorEventsRequest Function Overflow | string-tcp | high | false |
| 5.x,6.x | 6496.0 | Microsoft Internet Explorer URL Spoofing Vulnerability Details | string-tcp | high | false |
| 5.x,6.x | 6173.0 | Empty DNS Query | atomic-ip | medium | false |
| 5.x,6.x | 6710.0 | Macromedia Flash Player LoadMovie DoS | string-tcp | medium | false |
| 5.x,6.x | 6727.0 | Nullsoft Winamp Midi File Header Handling Buffer Overflow | string-tcp | high | false |
| 5.x,6.x | 6727.1 | Nullsoft Winamp Midi File Header Handling Buffer Overflow | string-tcp | high | false |
| 5.x,6.x | 6245.0 | IBM Tivoli Storage Manager Initial Sign-on Request Buffer Overflow | string-tcp | high | false |
| 5.x,6.x | 6247.0 | Sun Microsystems Java GIF File Handling Memory Corruption | string-tcp | high | false |
| 5.x,6.x | 6248.0 | HP Mercury Loadrunner Agent Command Processing Buffer Overflow | string-tcp | high | false |
| 5.x,6.x | 15012.0 | Oracle BEA WebLogic Server Apache Connector Buffer Overflow | service-http | medium | true |
| 5.x,6.x | 15574.0 | SoftEther P2P Activity | fixed-tcp | informational | false |
| 5.x,6.x | 16035.0 | Iseemedia LPViewer ActiveX Buffer Overflows | meta | high | false |
| 5.x,6.x | 16035.1 | Iseemedia LPViewer ActiveX Buffer Overflows | string-tcp | informational | false |
| 5.x,6.x | 16038.0 | Adobe Flash Insufficient Data Validation Buffer Overflow | string-tcp | high | false |
| 5.x,6.x | 16096.0 | IBM SolidDB Format String Bug | string-tcp | medium | false |
| 5.x,6.x | 16553.0 | MailEnable SMTP Service VRFY/EXPN Command DoS | string-tcp | low | true |
| 5.x,6.x | 3408.1 | Telnet Client LINEMODE SLC Option Overflow | string-tcp | high | false |
| 5.x,6.x | 16793.0 | Adobe Reader getAnnots() Remote Code Execution | meta | high | true |
| 5.x,6.x | 16793.1 | Adobe Reader getAnnots() Remote Code Execution | string-tcp | informational | true |
| 5.x,6.x | 16813.0 | Adobe Reader customDictionaryOpen Buffer Overflow | meta | high | true |
| 5.x,6.x | 16813.1 | Adobe Reader customDictionaryOpen Buffer Overflow | string-tcp | informational | true |

The S397 signature update contains the following modified signatures:

| PLATFORM | SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED |
|---|---|---|---|---|---|
| 5.x,6.x | 3527.1 | UW imapd Overflows | string-tcp | high | false |
| 5.x,6.x | 5435.0 | Crystal Reports Remote Code Execution | string-tcp | high | false |
| 5.x,6.x | 3406.0 | Solaris TTYPROMPT /bin/login Overflow | string-tcp | high | true |
| 5.x,6.x | 3169.0 | FTP SITE EXEC tar | string-tcp | high | true |
| 5.x,6.x | 3527.4 | UW imapd Overflows | string-tcp | high | false |
| 5.x,6.x | 3884.0 | Cfengine Authentication Heap Based Buffer Overflow | string-tcp | high | true |
| 5.x,6.x | 6969.0 | Microsoft Word Smart Tag Corruption Exploit | string-tcp | high | true |
| 5.x,6.x | 3333.0 | SMB MSRPC Messenger Overflow | string-tcp | high | true |
| 5.x,6.x | 3347.2 | Windows ASN.1 Library Bit String Heap Corruption | service-http | high | true |
| 5.x,6.x | 5464.1 | Computer Associates License Suite Network Buffer Overflow | string-tcp | high | false |
| 5.x,6.x | 2158.0 | Nachi Worm ICMP Echo Request | atomic-ip | high | true |
| 5.x,6.x | 3143.0 | BERBEW Trojan Activity | string-tcp | high | true |
| 5.x,6.x | 3178.0 | Denial Of Service in Microsoft SMS Client | string-tcp | high | true |
| 5.x,6.x | 3342.0 | Windows NetDDE Overflow | service-smb | high | true |
| 5.x,6.x | 3342.1 | Windows NetDDE Overflow | string-tcp | high | true |
| 5.x,6.x | 5455.0 | Arkeia Type 77 Request Buffer Overflow | string-tcp | high | false |
| 5.x,6.x | 5469.0 | TrackerCam PHP Argument Overflow | service-http | high | false |
| 5.x,6.x | 5487.0 | IA WebMail Buffer Overflow | service-http | high | false |
| 5.x,6.x | 6222.0 | HP OpenView Client Configuration Manager Radia Notify Daemon Code Execution | string-tcp | high | false |
| 5.x,6.x | 5438.0 | Cisco IOS Call Processing Solutions DoS | string-tcp | medium | false |
| 5.x,6.x | 5825.0 | SIP Malformed Invite Packet | atomic-ip | medium | false |
| 5.x,6.x | 5684.0 | Malformed SIP Packet | atomic-ip | medium | false |

Modified signature details: None.

IMPORTANT NOTES:

All signature updates are cumulative. The S397 signature update contains all previously released signature updates.

You must have a valid Cisco Services for IPS contract per sensor to receive and use software upgrades including signature updates from Cisco.com.

A Cisco Services for IPS Services License is required for the installation of all signature updates. The Cisco Services for IPS Services License can be requested from http://www.cisco.com/go/license for all sensors covered by a maintenance contract.

To manage your maintenance contracts use the Service Contract Center:

http://www.cisco.com/cgi-bin/front.x/scccibdispatch?AppName=ContractAgent

SUPPORTED PLATFORMS:

The S397 signature update can ONLY be applied to E3 sensors.

IPS S397 Software Update Files:

Please note that the signature update download location has changed.

Sensor appliances, IDSM2, NM-CIDS, ASA-SSM-AIP modules: click here

IOS IPS in 12.4(11)T or later T-Train Releases:

http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup

Note: Posting of signature release files for IOS IPS may take a few additional days.

CISCO SECURITY MANAGER (CSM) NOTICE:

Note 1:

You can only apply the IPS-CS-MGR-sig-S397-req-E3.zip signature update file to CSM 3.0 or later and IPS MC version 2.2 or later. The E3 Engine Update packages for sensors are deployed automatically the first time a signature set that requires E3 is deployed by CSM. E3 updates are not listed or available for selection in the Apply Update Wizard and cannot be applied independently by CSM. To ensure that the E3 update is applied to your sensors, please ensure that you push the S366 package to your sensors.

 

 

2. Cisco IDS 4235 and IDS 4250 sensors approaching end of signature support

The last day of signature support for IDS 4250 SX and IDS 4250 XL sensors is May 24, 2009. The last day of signature support for IDS 4235 and IDS 4250 TX sensors is May 31, 2009. If you are still using IDS 4235 and IDS 4250 sensors, please contact your Cisco sales representative regarding migration plans to newer Cisco IPS sensors. More information, including recommended migration options, is available at this web page: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_eol_notices_list.html

 

3. Cisco IPS Signature correlation available in the Cisco Security IntelliShield Alert Manager Service Search Access Feature

The Cisco IPS Team is pleased to announce the correlation of Cisco IPS Signature information within the IntelliShield Alert Manager Search Access Feature. Cisco Services for IPS clients that subscribe to the service can now perform targeted searches to display the Cisco IPS Signatures associated with different alerts, ensuring they have the most up-to-date intelligence. Subscribers can view a new, searchable IPS Signature list page that displays the Cisco IPS Signatures associated with IntelliShield Alerts. IntelliShield Alerts also contain the associated Cisco IPS Signature information within each alert.

 

The IntelliShield Alert Manager Search Access Feature provides clients with access to one of the most extensive collections of vendor-neutral security intelligence alerts in the industry. Clients can access a fully indexed and searchable database that extends back over six years and contains more than 1700 vendors, 5500 products, and 20,000 distinct versions of applications.

 

To obtain access to the IntelliShield Alert Manager Search Access Feature, each user is required to provide either a valid IPS License File or a valid IPS Serial Number to authorize the creation of this user account. Only one user account is permitted for each IPS License File or IPS Serial Number. Please proceed to the registration page at the following link to obtain your access:

 

https://intellishield.cisco.com/security/alertmanager/intelliShieldSearch

Email support is available for users of the Cisco Security IntelliShield Alert Manager Service Search Access Feature at intellishieldsearch-support@cisco.com. Support is provided by Cisco between the hours of 7:00 a.m. and 7:00 p.m. Eastern Time.

 

4. Subscribe to the Product Alert Tool for IPS Related Field Issues

 

Interested in knowing the latest on field notices, product alerts, and end-of-sale information relating to your IDS and IPS hardware? We have recently updated the Cisco Product Alert Tool to include IDS and IPS appliances.

Simply visit http://tools.cisco.com/Support/PAT/do/ViewMyProfiles.do and follow these steps:

- Select Create a new Alert Profile.
- Name your profile anything you would like.
- Under Select Your Product, select: Intrusion Prevention System.
- Click Add so that “Intrusion Prevention System” is added to the “Products in your profile” list.
- Select the message types you wish to receive.
- Confirm your email address.
- Click Submit.

You will be kept up to date with the latest news on your IPS hardware appliances.

 

5. Subscription Information

 

If you wish to receive this bulletin, you can subscribe now.

Your opinions are important to us. If you have feedback about the Active Update Bulletin, please contact us at ips-news@cisco.com. For technical support, sales or other issues, please contact your authorized Cisco reseller or Cisco TAC. Please note that technical support or sales questions sent to this address will not be answered or redirected.

Additional Information

Links

  • Software Center – Download the latest Cisco IPS software.
  • User Forum – Participate in the IPS Forum, part of our Networking Professionals Connection.
  • Home Page – Visit our Cisco IPS home page for product literature, news, and awards.
  • Cisco Security Center – Visit the Cisco Security Center site for information on emerging threats and the Cisco network IPS signatures available to protect your network.
  • CRMS – Cisco Remote Managed Services for Security
  • Training – Learn about available IPS training courses and Cisco Security Certifications.
  • IPS Technical Documentation – Visit our Cisco IPS Technical Documentation site for configuration guides, maintenance guides, release and installation notes and more.
  • IntelliShield Alert Manager Search Access Feature – Search through an extensive collection of security intelligence reports. Registration required.

 

