Cisco Threat Defense Bulletin S479 March 24, 2010




In This Issue
Release Summary
New Vulnerability and Exploit Protections
Sensor Update Information
New Product Announcements
EoL/EoS Announcements
Security Research Library

Cisco Remote Management Services for Security
Providing 24x7x365 remote security management, monitoring, and remediation for today's networks.


Cisco Security Intelligence Operations
Threat Map
Identify, Analyze, Defend
Comprehensive threat intelligence, analysis, and defense to help inform and protect organizations.

Your feedback makes our bulletin better!  Please tell us what you love and what you would change at ips-news@cisco.com.


Please click here to download the latest IPS signature update package (sensor only).

Please click here to download the latest Cisco Security Manager (CSM) signature update package.

Release S479 - March 24, 2010
Release Summary

Vulnerability              CVE            Severity  Signature ID  History  Status
Cisco IOS Software SIP...  CVE-2010-0581  High      24119.0       New      Enabled
Cisco IOS Software Uni...  CVE-2010-0585  High      24781.0       New      Enabled
Cisco IOS Software Uni...  CVE-2010-0586  High      24799.0       New      Enabled
Cisco IOS Software H.3...                 Medium    24899.0       New      Enabled
Cisco IOS Software MPL...  CVE-2010-0576  Medium    24780.0       New      Enabled
Cisco IOS Software SIP...  CVE-2010-0580  Medium    24760.0       New      Enabled
Cisco IOS Software SIP...  CVE-2010-0579  Medium    24600.0       New      Disabled


New Vulnerability and Exploit Protections

Cisco IOS Software SIP Message Processing Arbitrary Code Execution Vulnerability
Disclosed: 3/24/2010, CVSS: 7.4
Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  The vulnerability is due to improper handling of malformed Session Initiation Protocol (SIP) messages.  An unauthenticated, remote attacker could exploit this ...
Severity  Description        Protected Since  Signature ID  Default Action
Medium    Cisco IOS SIP DoS                   24760.0       produce-alert
More Details: CVE-2010-0580


Cisco IOS Software MPLS Packet Processing Denial of Service Vulnerability
Disclosed: 3/24/2010, CVSS: 6.4
Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.  The vulnerability exists due to improper processing of Multiprotocol Label Switching (MPLS) packets.  An unauthenticated, remote attacker could ...
Severity  Description                                                   Protected Since  Signature ID  Default Action
Medium    Cisco IOS Crafted LDP Packet Denial of Service Vulnerability                   24780.0       produce-alert
More Details: CVE-2010-0576


Cisco IOS Software SIP Packet Parsing Arbitrary Code Execution Vulnerability
Disclosed: 3/24/2010, CVSS: 7.4
Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  The vulnerability is due to errors in processing malformed Session Initiation Protocol (SIP) messages by an affected device.  An unauthenticated, remote attacker ...
Severity  Description                   Protected Since  Signature ID  Default Action
High      Cisco CUBE SIP Vulnerability                   24119.0       Block*
More Details: CVE-2010-0581


Cisco IOS Software H.323 Protocol Packet Handling Memory Leak Denial of Service Vulnerability
Disclosed: 3/24/2010, CVSS: 6.4
Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.  The vulnerability is due to improper processing of malformed H.323 packets.  An unauthenticated, remote attacker could exploit this ...
Severity  Description                   Protected Since  Signature ID  Default Action
Medium    Cisco IOS Software H.323 DoS                   24899.0       produce-alert


Cisco IOS Software SIP Message Handling Denial of Service Vulnerability
Disclosed: 3/24/2010, CVSS: 6.4
Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.  The vulnerability is due to errors in processing malformed Session Initiation Protocol (SIP) messages.  An unauthenticated, remote attacker ...
Severity  Description        Protected Since  Signature ID  Default Action
Medium    Cisco IOS SIP DoS                   24600.0       produce-alert
More Details: CVE-2010-0579


Cisco IOS Software Unified Communications Manager Express SCCP Packet Processing Denial of Service Vulnerability
Disclosed: 3/24/2010, CVSS: 6.4
Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.  The vulnerability is due to errors in processing malformed Skinny Client Control Protocol (SCCP) network messages.  An unauthenticated, remote ...
Severity  Description                             Protected Since  Signature ID  Default Action
High      Cisco IOS Malformed SCCP Vulnerability                   24781.0       Block*
More Details: CVE-2010-0585


Cisco IOS Software Unified Communications Manager Express SCCP Request Handling Denial of Service Vulnerability
Disclosed: 3/24/2010, CVSS: 6.4
Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.  The vulnerability exists due to errors in processing Skinny Client Control Protocol (SCCP) packets.  An unauthenticated, remote attacker could ...
Severity  Description                             Protected Since  Signature ID  Default Action
High      Cisco IOS Malformed SCCP Vulnerability                   24799.0       Block*
More Details: CVE-2010-0586


* Inline sensor with Event Action Override set to "deny-packet-inline" at Risk Rating 90 (Cisco default configuration)

Sensor Update Information

Signature updates may be downloaded automatically by Cisco Security Manager (CSM), IPS Manager Express (IME) and Cisco Security Monitoring, Analysis, and Response System (CS-MARS). The following links are for manual downloads.

Sensor Appliance Updates
IPS 4200-series sensors, IDSM2 Catalyst module, AIM-IPS module, ASA-AIP IPS modules

IOS IPS Updates
IOS IPS in Mainline and T-Train Releases prior to 12.4(11)T (Includes NEW Basic and Advanced Set)
IOS IPS in 12.4(11)T or later T-Train

New Product Announcements


IPS Engine Update 4 (E4) Scheduled for March 29, 2010


Cisco plans to release the next IPS Engine Update (E4) on March 29, 2010.  This engine release will be available for all currently supported platforms and software versions including 6.0(6), 6.2(2) and 7.0(2).  
New features in E4 include:  

IPS Appliances and Modules
  • P2P engine enhancements
  • META engine enhancements
  • Domain-name matching in Service.DNS

IOS IPS for Integrated Services Routers
  • New IOS IPS protocol decode engines

Important Information Regarding E4

After the release of Engine Update E4, all subsequent Cisco IPS Signature updates will only install on sensors running E4.  To ensure continued protection, users will be required to upgrade to E4 when it becomes available.  Support for IPS version 6.1 ended on 12/31/2009.  Any 6.1 users must upgrade to 6.2(2) or 7.0(2) to continue to receive signature updates after E4 is released.


Installing the E4 update is straightforward and requires no more effort than a signature update.  Users who wish to test the E4 update in their environment prior to the release date can take advantage of the E4 Open Beta described below.



Open Beta Announcement for IPS Engine Update 4 (E4)


Cisco is pleased to announce availability of open beta software for the E4 Engine Update. This update is being made available to allow you to familiarize yourself with the features of the E4 release and facilitate a smooth transition once E4 is released.  For more information on E4 please see the "Early Notification of IPS Engine Update 4 (E4)" section of this Bulletin.

Please note that although the E4 beta is a release candidate, the E4 Beta is not meant for production systems and cannot be upgraded to the final release version.

The beta version includes all E4 functionality with the following exceptions:

  • E4 beta releases cannot be upgraded (system will require re-image)
  • No signature updates will be released for the E4 beta release
  • The beta version cannot be installed via CSM, see README for CSM installation notes
  • Test systems must be on signature release S447 or lower to install E4 as an upgrade

E4 Engine Update Open Beta files including README are available here.  Beta participation is subject to customer acceptance of Cisco's Multiple Use Beta Test Agreement (MUBTA) and approval by Cisco due to export restrictions.


IOS IPS Signature Subscription Licensing Change


Please note that routers running IOS 15.0(1)M1 or a later release will need a valid IPS Signature Subscription license installed to load a signature package after April 15, 2010. IOS IPS Signature Subscription licenses require a current Cisco Services for IPS contract purchased for the router. License keys can be retrieved at Cisco.com/go/license or via the Cisco License Manager.

Detailed information on Cisco Services for IPS can be found here.



IOS IPS Compressed Update Package Availability


Beginning in April 2010, the IOS IPS Signature Update package will be posted in a compressed format in addition to the current un-compressed format.  The router will accept the compressed signature update and automatically decompress it when it is applied.


Announcing Availability of IPS Manager Express 7.0.2


Your favorite IPS tool got even better!

The IPS Manager Express version 7.0.2 from Cisco now supports management for up to 10 IPS devices on your network.
Cisco IPS Manager Express (IME) is a powerful and free all-in-one IPS management application designed to meet the needs of small and medium-sized businesses. With one application, you can provision, monitor, troubleshoot, and generate reports for as many as ten Cisco IPS sensors.

For more details and download links, please visit www.cisco.com/go/ime.


End of Life and End of Sale Announcements
End of Sale and End of Life Announcement for Cisco IPS Sensor Software Version 6.1

Cisco announces the end-of-sale and end-of-life dates for Cisco IPS Sensor Software Version 6.1. After December 14, 2009, signatures and engine updates will no longer be released for Cisco IPS Sensor Software Version 6.1. Customers are encouraged to migrate to Sensor Software Version 6.2 or Sensor Software Version 7.0 with Global Correlation. Click here to download sensor software updates.

IPS Sensor Software v6.1 End of Sale Page on Cisco.com

Security Research Library
Increase your knowledge of today's vulnerabilities, tomorrow's threats, and the technology necessary to keep up.
Cisco Security Intelligence Operations
Comprehensive threat intelligence, analysis, and defense to help inform and protect organizations.
Cyber Risk Reports
Weekly strategic intelligence product that highlights current security activity and mid- to long-range perspectives, also available as a podcast.
Cisco IntelliShield Alerts
Up-to-the-minute, actionable intelligence, in-depth vulnerability analysis, and highly reliable threat validation to assist in proactive prevention.
Cisco Applied Mitigation Bulletins
Techniques that use Cisco product abilities to detect and mitigate the most important security events and vulnerabilities.
Virus Watch
Current virus trends from SenderBase
Spam Watch
Current spam trends from SenderBase
Security Multimedia Library
Podcasts, video datasheets, webcasts and videos with solutions for today's problems.
Cisco Security Intelligence Operations Best Practices
Guidance on specific technologies and problem sets to help organizations secure business applications and processes by identifying, preventing, and adapting to threats.
Cisco Security Services
Professional services to support your Self-Defending Network.
Cisco Security Solutions
Discover the breadth of Cisco solutions available to solve your organization's security issues.
Cisco Security Blog
Collaborate with the Cisco Security Community and gain insights into emerging security threats, trends, and best practices.
 
 

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
 
© 1992-2009 Cisco Systems Inc. All rights reserved.