Cisco Threat Defense Bulletin S591 August 26, 2011





Visit the Cisco Event Response for more information, analysis, and guidance on this month's Microsoft Security Bulletin Release.



Important Notes


Signature Update version S550 introduced a bad value for one of the signature 23899.0 parameters in addition to retiring and disabling it. This bad parameter was included in signature updates 500-553, 555-559 and 7.0(5). See CSCtn84552.

Because this signature was retired and disabled, the bad parameter does not affect the functionality of the sensor.

Updating to S567 will resolve the problem. Signature 23899.0 has been retired, disabled and obsoleted.

After installing S567, verify that the sensor is seeing traffic by viewing the virtual sensor statistics. There is one condition when the sensor requires a reboot after the update is applied. (If you have modified 23899.0 prior to upgrading to S550 and upgraded to 7.0(5) when at signature update level S557 or less, you must reset the sensor after installing S567.)

If you installed one of the affected updates listed above and then modified 23899.0, you must restore 23899.0 to its default settings before updating to S567. (Note: if you attempt to install S567 prior to resetting 23899.0 to its defaults, the update will fail. If you are using CSM, you must revert the update on the sensor where the update failed prior to resetting 23899.0 to its defaults, and then you can install S567.)


Release S591 - August 26, 2011
Release Summary

Vulnerability | CVE | Severity | Risk Rating | Signature ID | History | Status
Cisco Digital Media Ma... | CVE-2010-0572 | High | 85 | 24240.0 | New | Enabled
Apache Range Retrieval... | | Medium | 60 | 38846.0 | New | Enabled
Opera file: URL Buffer... | | Medium | 64 | 25499.0 | New | Enabled
Deep Throat Backdoor R... | | High | 100 | 4607.6 | Not Retired | Retired
Deep Throat Backdoor R... | | High | 100 | 4607.7 | Not Retired | Retired
Deep Throat Backdoor R... | | High | 100 | 4607.8 | Not Retired | Retired
Deep Throat Backdoor R... | | High | 100 | 4607.9 | Not Retired | Retired
Microsoft SQL Server R... | CAN-2002-0649 | High | 85 | 4704.0 | Not Retired | Retired
SNMP Community String... | | High | 75 | 5513.0 | Not Retired | Retired
Tftp Passwd File | CVE-1999-0183, CVE-2000-0015 | High | 75 | 5509.0 | Not Retired | Retired
Active Directory Faile... | | Medium | 64 | 5726.1 | Not Retired | Retired
Back Orifice Ping | | Medium | 64 | 5506.0 | Not Retired | Retired
Back Orifice Ping | | Medium | 64 | 5506.1 | Not Retired | Retired
Bagle B Worm DNS Lookup | | Medium | 64 | 4615.2 | Not Retired | Retired
Bagle B Worm DNS Lookup | | Medium | 64 | 4615.3 | Not Retired | Retired
Beagle (Bagle) Virus D... | | Medium | 60 | 4602.3 | Not Retired | Retired
Beagle (Bagle) Virus D... | | Medium | 60 | 4602.4 | Not Retired | Retired
BERBEW Trojan Activity | | Medium | 64 | 3143.3 | Not Retired | Retired
BERBEW Trojan Activity | | Medium | 64 | 3143.4 | Not Retired | Retired
Cisco CSS 11000 Malfor... | | Medium | 64 | 4062.0 | Not Retired | Retired
Cisco SNMP Message Pro... | | Medium | 64 | 5512.0 | Not Retired | Retired
Invalid Netbios Name | CAN-2003-0825 | Medium | 56 | 3357.0 | Not Retired | Retired
Orinoco SNMP Info Leak | | Medium | 64 | 4609.1 | Not Retired | Retired
Quake Server Connect DoS | | Medium | 60 | 5518.0 | Not Retired | Retired
TCP Connection Window... | | Medium | 56 | 3051.0 | Not Retired | Retired
TCP Connection Window... | | Medium | 56 | 3051.1 | Not Retired | Retired
ATH Modem DoS | CVE-1999-1228 | Low | 33 | 5541.0 | Not Retired | Retired
Cisco IP Phone TFTP Co... | CVE-1999-0183, CVE-2000-0015 | Low | 43 | 4612.1 | Not Retired | Retired
DoS NBT Stream | | Low | 38 | 4068.0 | Not Retired | Retired
Dot Dot Slash in HTTP... | | Low | 38 | 5337.0 | Not Retired | Retired
KaZaA v2 UDP Client Pr... | | Low | 50 | 5534.2 | Not Retired | Retired
Kerberos 4 User Recon | CVE-1999-1099 | Low | 43 | 4610.1 | Not Retired | Retired
Malformed IGMP DoS | CVE-1999-0918 | Low | 38 | 2201.0 | Not Retired | Retired
Malformed IGMP DoS | CVE-1999-0918 | Low | 38 | 2202.0 | Not Retired | Retired
NetBIOS NBTSTAT Scan | | Low | 50 | 3301.0 | Not Retired | Retired
Overnet Client Scan | | Low | 43 | 5535.0 | Not Retired | Retired
AIM Client DNS request | | Info | 25 | 5538.0 | Not Retired | Retired
ARP Inbalance-of-Reque... | | Info | 19 | 7105.0 | Not Retired | Retired
ARP MacAddress-Flip-Fl... | | Info | 19 | 7104.0 | Not Retired | Retired
DHCP Discover | | Info | 25 | 5530.0 | Not Retired | Retired
DHCP Offer | | Info | 25 | 4605.1 | Not Retired | Retired
DHCP Request | | Info | 25 | 4604.1 | Not Retired | Retired
Fragmented ICMP Traffic | CVE-1999-0128 | Info | 25 | 2150.0 | Not Retired | Retired
ICQ Client DNS Request | | Info | 25 | 5537.0 | Not Retired | Retired
Large ICMP Packet | | Info | 25 | 2151.0 | Not Retired | Retired
MSN Messenger Client D... | | Info | 25 | 5540.0 | Not Retired | Retired
Yahoo Messenger Client... | | Info | 25 | 5539.0 | Not Retired | Retired

This release retires 52 signatures in total; the full list appears in the Retired Signatures section below.
New Vulnerability and Exploit Protections

Cisco Digital Media Manager User Credential Information Disclosure Vulnerability
Vulnerability Disclosed: 3/3/2010, CVSS Base: 7.1, Temporal: 5.9
Cisco Digital Media Manager versions prior to 5.2 contain a vulnerability that could allow an authenticated, remote attacker to view sensitive information. This vulnerability is due to unsafe handling of user credentials. An authenticated, remote attacker could exploit this vulnerability by viewing error logs or in-use memory that may contain stored user credentials. If successful, the attacker could obtain usernames and passwords of other system users. Cisco has confirmed this vulnerability in a security advisory and released updated software.
Severity Description Protected Since Signature ID Default Action
High Cisco Digital Media Manager Vulnerability 8/26/2011 24240.0 produce-alert
More Details:
CVE: CVE-2010-0572
Cisco PSIRT: 111578
Cisco Security Advisory: cisco-sa-20100303-dmm


Opera file: URL Buffer Overflow Vulnerability
Vulnerability Disclosed: 11/20/2008, CVSS Base: 9.3, Temporal: 6.9
Opera versions 9.62 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. The vulnerability is due to an input validation error when processing file: URLs. An attacker could cause a buffer overflow by launching a malicious file: URL from a local file on the user's system. Alternatively, the attacker could convince a user to manually enter the malicious URL. The buffer overflow could cause a DoS condition or allow the attacker to execute arbitrary code. Opera has confirmed the vulnerability and released updated software.
Severity Description Protected Since Signature ID Default Action
Medium Opera URL Buffer Overflow 8/26/2011 25499.0 produce-alert


Apache Range Retrieval Request Processing Denial of Service Vulnerability
Vulnerability Disclosed: 1/4/2007
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system. The vulnerability exists because the affected software incorrectly processes a Range Retrieval Request header received via an HTTP request. Due to the flaw, on receiving a request with a 0-byte range or overlapping byte ranges, the affected software erroneously allocates a bucket for each byte requested and stores them in a brigade. An unauthenticated, remote attacker could exploit this vulnerability by submitting HTTP requests to the targeted system. Processing such requests could result in excessive memory consumption to process a large number of buckets, leading to a DoS condition. Proof-of-concept code that exploits this vulnerability is publicly available. Administrators are advised to contact the vendor regarding future updates and releases. Until updates can be applied, administrators are advised to configure connection throttling or filtering of repetitive, abusive connection requests. Apache has not confirmed the vulnerability and updated software is not available.
Severity Description Protected Since Signature ID Default Action
Medium Apache Range Remote Denial of Service 8/26/2011 38846.0 produce-alert
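An added example, not Cisco's code and not the matching logic of signature 38846.0: a request-side check for the Range condition described above. It parses an HTTP Range header and reports a 0-byte (inverted or unsatisfiable) range, overlapping ranges, or more ranges than an assumed cap; the max_ranges threshold and the sample headers are assumptions, not values from the bulletin.

```python
import re

# Added example (not Cisco's code or the logic of signature 38846.0): a request-side
# check for the Apache Range condition described above. httpd allocated one bucket per
# requested byte when given a 0-byte range or overlapping byte ranges, so the check
# reports those two conditions plus an assumed cap on the number of ranges.

BYTES_SPEC = re.compile(r"^\s*bytes\s*=\s*(.+)$", re.IGNORECASE)


def parse_range_header(value):
    """Return [(start, end)]; an omitted bound ('500-' or '-500') is None."""
    m = BYTES_SPEC.match(value)
    if not m:
        raise ValueError("not a bytes range spec: %r" % value)
    ranges = []
    for part in m.group(1).split(","):
        start, sep, end = part.strip().partition("-")
        if not sep or not (start or end):
            raise ValueError("malformed range: %r" % part)
        ranges.append((int(start) if start else None, int(end) if end else None))
    return ranges


def resolve(ranges, content_length):
    """Map each range to inclusive offsets of a body of content_length bytes.
    Inverted ranges (start > end) are kept as-is so the caller can flag them."""
    last = content_length - 1
    out = []
    for start, end in ranges:
        if start is None:                      # suffix range: the last `end` bytes
            out.append((max(content_length - end, 0), last))
        else:
            out.append((start, last if end is None else min(end, last)))
    return out


def classify_range_header(value, content_length, max_ranges=10):
    """Return the reasons a Range header looks abusive; [] means it looks benign.
    max_ranges is an assumed threshold, not a value taken from the bulletin."""
    resolved = resolve(parse_range_header(value), content_length)
    reasons = []
    if len(resolved) > max_ranges:
        reasons.append("too_many_ranges")
    if any(s > e for s, e in resolved):        # 0-byte or unsatisfiable range
        reasons.append("zero_byte_or_unsatisfiable_range")
    spans = sorted((s, e) for s, e in resolved if s <= e)
    if any(b[0] <= a[1] for a, b in zip(spans, spans[1:])):
        reasons.append("overlapping_ranges")
    return reasons
```

A reverse proxy or WAF in front of an unpatched server could reject or rate-limit requests for which this returns a non-empty list, which is the throttling and filtering the bulletin recommends until updates are applied.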


Retired Signatures

Signature ID | Previous Status | Signature Name | Threat Name
2150.0 | Disabled | Fragmented ICMP Traffic | Fragmented ICMP Traffic
2151.0 | Disabled | Large ICMP Traffic | Large ICMP Packet
5541.0 | Disabled | Modem DoS | ATH Modem DoS
3301.0 | Disabled | NETBIOS Stat | NetBIOS NBTSTAT Scan
5506.0 | Disabled | Back Orifice Ping | Back Orifice Ping
5506.1 | Disabled | Back Orifice Ping | Back Orifice Ping
5509.0 | Disabled | Tftp Passwd File | Tftp Passwd File
5530.0 | Disabled | DHCP Discover | DHCP Discover
4604.1 | Disabled | DHCP Request | DHCP Request
4605.1 | Disabled | DHCP Offer | DHCP Offer
4607.6 | Disabled | Deep Throat Response | Deep Throat Backdoor Response
4607.7 | Disabled | Deep Throat Response | Deep Throat Backdoor Response
4607.8 | Disabled | Deep Throat Response | Deep Throat Backdoor Response
4607.9 | Disabled | Deep Throat Response | Deep Throat Backdoor Response
4609.1 | Disabled | Orinoco SNMP Info Leak | Orinoco SNMP Info Leak
4610.1 | Disabled | Kerberos 4 User Recon | Kerberos 4 User Recon
4612.1 | Disabled | Cisco IP Phone TFTP Config Retrieve | Cisco IP Phone TFTP Config Retrieve
5337.0 | Disabled | Dot Dot Slash in HTTP Arguments | Dot Dot Slash in HTTP Arguments
7104.0 | Disabled | ARP MacAddress-Flip-Flop-Response | ARP MacAddress-Flip-Flop-Response
7105.0 | Disabled | ARP Inbalance-of-Requests | ARP Inbalance-of-Requests
5534.2 | Disabled | KaZaA UDP Client Probe | KaZaA v2 UDP Client Probe
5535.0 | Disabled | Overnet Client Scan | Overnet Client Scan
4602.3 | Disabled | Beagle (Bagle) Virus DNS Lookup | Beagle (Bagle) Virus DNS Lookup
4602.4 | Disabled | Beagle (Bagle) Virus DNS Lookup | Beagle (Bagle) Virus DNS Lookup
5538.0 | Disabled | AIM Client DNS request | AIM Client DNS request
5539.0 | Disabled | Yahoo Messenger Client DNS Request | Yahoo Messenger Client DNS Request
5540.0 | Disabled | MSN Messenger Client DNS Request | MSN Messenger Client DNS Request
4615.2 | Disabled | Beagle.B (Bagle.B) Virus DNS Lookup | Bagle B Worm DNS Lookup
4615.3 | Disabled | Beagle.B (Bagle.B) Virus DNS Lookup | Bagle B Worm DNS Lookup
4062.0 | Disabled | Cisco CSS 11000 Malformed UDP DoS | Cisco CSS 11000 Malformed UDP DoS
3051.0 | Disabled | TCP Connection Window Size RST DoS | TCP Connection Window Size RST DoS
3051.1 | Disabled | TCP Connection Window Size RST DoS | TCP Connection Window Size RST DoS
5512.0 | Disabled | Cisco SNMP Message Processing DoS | Cisco SNMP Message Processing DoS
3143.3 | Disabled | BERBEW Trojan Activity | BERBEW Trojan Activity
3143.4 | Disabled | BERBEW Trojan Activity | BERBEW Trojan Activity
5513.0 | Disabled | SNMP Community String Public | SNMP Community String Public
5537.0 | Disabled | ICQ Client DNS Request | ICQ Client DNS Request
5518.0 | Disabled | Quake Server Connect DoS | Quake Server Connect DoS
4068.0 | Disabled | DoS NBT Stream | DoS NBT Stream
3357.0 | Disabled | Invalid Netbios Name | Invalid Netbios Name
5726.1 | Disabled | Active Directory Failed Login | Active Directory Failed Login
2201.0 | Disabled | IGMP over fragmented IP | Malformed IGMP DoS
2202.0 | Disabled | IGMP Invalid Packet DoS | Malformed IGMP DoS
4704.0 | Disabled | MSSQL Resolution Service Heap Overflow | Microsoft SQL Server Resolution Service Heap Overflow (Slammer/Sapphire worm)
17264.0 | New | FTP FlashGet 'PWD' Response Denial of Service Vulnerability | FlashGet FTP PWD Response Buffer Overflow Vulnerability
23339.0 | New | IBM Director CIM Server Denial of Service Vulnerability | IBM Director CIM Server Denial of Service Vulnerability
16193.0 | New | Microsoft PicturePusher ActiveX AddString() File Upload Vulnerability | Microsoft Digital Image Suite PicturePusher ActiveX Cross-Site File Upload Vulnerability
16193.1 | New | Microsoft PicturePusher ActiveX AddString() File Upload Vulnerability | Microsoft Digital Image Suite PicturePusher ActiveX Cross-Site File Upload Vulnerability
16193.2 | New | Microsoft PicturePusher ActiveX AddString() File Upload Vulnerability | Microsoft Digital Image Suite PicturePusher ActiveX Cross-Site File Upload Vulnerability
16193.3 | New | Microsoft PicturePusher ActiveX AddString() File Upload Vulnerability | Microsoft Digital Image Suite PicturePusher ActiveX Cross-Site File Upload Vulnerability
15004.0 | New | DataApples BeyondRemote Activity | Data Apples Beyond Remote Support Client Sensitive Information Disclosure Issue
15004.1 | New | DataApples BeyondRemote Activity | Data Apples Beyond Remote Support Client Sensitive Information Disclosure Issue


* Inline sensor with Event Action Override set to "deny-packet-inline" at Risk Rating 90 (Cisco default configuration)

Sensor Update Information

Signature Updates

Signature updates may be downloaded automatically by Cisco Security Manager (CSM), IPS Manager Express (IME) and Cisco Security Monitoring, Analysis, and Response System (CS-MARS). The following links are for manual downloads.

Sensor Appliance Updates
IPS 4200-series sensors, IDSM2 Catalyst module, AIM-IPS module, ASA-AIP IPS modules

IOS IPS Updates
IOS IPS in Mainline and T-Train Releases prior to 12.4(11)T (Includes NEW Basic and Advanced Set)
IOS IPS in 12.4(11)T or later T-Train
Cisco.com FTP Access Change

Cisco will no longer be distributing software that requires a contract or login credentials via ftp.cisco.com from October 2010. Most IPS users will not be affected unless you have manually configured this to download from ftp.cisco.com.

IPS software and signature updates will continue to be available from Cisco.com. These can be retrieved using the built-in authenticated download capabilities in the IDM, IME, MARS and CSM management and monitoring applications or manually from the Software Download area on Cisco.com. Please see the FAQ for more information on manually downloading updates from the Software Download area.

Please direct any questions or concerns regarding this change to ftp_download_feedback@cisco.com.



New Product Announcements


End of Life and End of Sale Announcements

Security Research Library
Increase your knowledge of today's vulnerabilities, tomorrow's threats, and the technology necessary to keep up.


This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.


© 1992-2011 Cisco Systems Inc. All rights reserved.