Cisco Threat Defense Bulletin S603 October 19, 2011


Your feedback makes our bulletin better! Please tell us what you love and what you would change at ips-news@cisco.com.


Visit the Cisco Event Response for more information, analysis, and guidance on this month's Microsoft Security Bulletin Release.


Please click here to download the latest IPS signature update package (sensor only).

Please click here to download the latest Cisco Security Manager (CSM) signature update package.

Important Notes

Signature Update S601, released Tuesday, October 11, aggravated a known issue in older versions of the IPS software. This issue (CSCtn23051) can cause affected devices to lock up, making them unresponsive and potentially impacting network traffic. Cisco regrets the potential problems that this may bring to your organization.

To resolve this condition, we recommend upgrading the sensor software to a recent release. It is important to note that a signature update will NOT resolve the problem. Preferred upgrade versions are:

6.2(4) (released June 2011);
7.0(5a) (released May 2011);
7.0(6) (released Sept 2011).

Sensors running the 7.1 software version are not susceptible to this issue and do not need to be upgraded.

Symptoms may not appear immediately when future signature releases are applied. Sensor configuration, traffic conditions, and available memory all contribute to the instability.

Should you have any further questions about your upgrade needs, or need assistance resolving this issue, please contact your TAC representative.

Release S603 - October 19, 2011
Release Summary

Vulnerability                                           CVE            Severity  Risk Rating  Signature ID  History  Status
Backdoor:W32/R2D2.A                                     -              High      90           39866.0       New      Enabled
Backdoor:W32/R2D2.A                                     -              High      90           39866.1       New      Enabled
CiscoWorks Common Services Arbitrary Command Execution  CVE-2011-3310  High      90           39586.0       New      Enabled
CiscoWorks Common Services Arbitrary Command Execution  CVE-2011-3310  High      90           39586.1       New      Enabled


New Vulnerability and Exploit Protections

Backdoor:W32/R2D2.A
Vulnerability Disclosed: 10/13/2011
Backdoor:W32/R2D2.A is a trojan that targets Microsoft Windows platforms. The trojan can log keystrokes, take screenshots at regular intervals, record or stream encrypted Skype audio calls, decrypt SSL traffic, anonymize its source identifiers through proxy servers, and download and launch additional applications on demand. The scuinst.exe variant of the trojan could allow interception of Skype audio calls via an embedded Skype Capture Unit Installer module; it uses a variant of a man-in-the-middle attack to obtain the key material and cryptographic metadata that Skype uses to encrypt and decrypt audio calls.

Backdoor:W32/R2D2.A could contact the following addresses to obtain remote updates or retrieve additional instructions:

207.158.22.134
83.236.140.90

The trojan infects the Windows kernel driver winsys32.sys by injecting a malicious DLL, mfc42ul.dll, at the following location:

C:\windows\system32\

The trojan modifies the following registry key so that it is loaded automatically during Windows startup:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Virus definitions are available.
Severity  Description            Protected Since  Signature ID  Default Action
High      German Federal Trojan  10/19/2011       39866.0       Block*
High      German Federal Trojan  10/19/2011       39866.1       Block*
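The indicators in this entry (the two update addresses, the injected DLL and driver names, and the AppInit_DLLs registry value) lend themselves to a host-and-network hunt. The following Python script is an added example and is not part of the bulletin or of Cisco's IPS signatures: it checks artifacts already collected from a host against the bulletin's indicators. The function names are hypothetical, the log line format and all sample inputs are constructed, and in practice the AppInit_DLLs value would be read from the HKLM hive by whatever collector is in use.

```python
"""Indicator checks for Backdoor:W32/R2D2.A based on the bulletin's IoCs.

Added example, not Cisco's code. It takes artifacts that a collector has
already gathered from a host (the AppInit_DLLs registry value, a listing of
C:\\windows\\system32, and outbound-connection log lines) and reports which
of the bulletin's indicators are present. Function names are hypothetical
and all sample inputs are constructed for the demonstration.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Indicators taken from the bulletin text.
R2D2_C2_ADDRESSES = {"207.158.22.134", "83.236.140.90"}
R2D2_FILE_NAMES = {"mfc42ul.dll", "winsys32.sys"}
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"

# IPv4 literals in free-form log text; word boundaries stop "283.236.140.90"
# from being read as a hit on "83.236.140.90".
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def check_appinit_dlls(value: str) -> List[str]:
    """Return the entries of an AppInit_DLLs value that name a trojan DLL.

    AppInit_DLLs is a comma- or space-separated list of DLLs that user32.dll
    loads into every GUI process, which is why the trojan writes itself there.
    Only the file name is compared, so a full path and a bare name both match.
    """
    hits = []
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry:
            continue
        name = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in R2D2_FILE_NAMES:
            hits.append(entry)
    return hits


def check_system32_listing(file_names: Iterable[str]) -> List[str]:
    """Return names from a system32 listing that match the trojan's files.

    Matching is case-insensitive because NTFS file names are; the legitimate
    mfc42.dll must not match, only mfc42ul.dll and winsys32.sys.
    """
    return sorted(n for n in file_names if n.lower() in R2D2_FILE_NAMES)


def check_connection_log(lines: Iterable[str]) -> List[str]:
    """Return log lines that mention one of the update/instruction addresses."""
    matches = []
    for line in lines:
        for literal in _IPV4.findall(line):
            try:
                addr = str(ipaddress.ip_address(literal))  # rejects e.g. 283.x.x.x
            except ValueError:
                continue
            if addr in R2D2_C2_ADDRESSES:
                matches.append(line)
                break
    return matches


def hunt(appinit_value: str, system32: Iterable[str],
         log_lines: Iterable[str]) -> Dict[str, object]:
    """Run all three checks and summarise the result for an analyst."""
    report = {
        "appinit_dlls": check_appinit_dlls(appinit_value),
        "system32_files": check_system32_listing(system32),
        "connections": check_connection_log(log_lines),
    }
    report["indicators_found"] = sum(len(v) for v in report.values())
    return report


# Constructed sample artifacts (not real collection data).
SAMPLE_APPINIT = r"C:\windows\system32\mfc42ul.dll"
SAMPLE_SYSTEM32 = ["kernel32.dll", "mfc42.dll", "winsys32.sys", "MFC42UL.DLL"]
SAMPLE_LOG = [
    "2011-10-19T10:02:11 TCP 10.0.0.17:49213 -> 207.158.22.134:443 ALLOW",
    "2011-10-19T10:02:12 TCP 10.0.0.17:49214 -> 192.0.2.10:80 ALLOW",
    "2011-10-19T10:05:40 TCP 10.0.0.42:50001 -> 83.236.140.90:80 ALLOW",
    "2011-10-19T10:06:00 TCP 10.0.0.42:50002 -> 283.236.140.90:80 ALLOW",
]

if __name__ == "__main__":
    for key, value in hunt(SAMPLE_APPINIT, SAMPLE_SYSTEM32, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running the block prints the per-check matches for the constructed sample. The tokenised address comparison matters: a plain substring test for 83.236.140.90 would also flag the constructed 283.236.140.90 line, and the case-insensitive file-name comparison is what lets MFC42UL.DLL match while the legitimate mfc42.dll does not.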


CiscoWorks Common Services Arbitrary Command Execution Vulnerability
Vulnerability Disclosed: 10/19/2011, CVSS Base: 9.0, Temporal: 7.4
CiscoWorks Common Services contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary code on a targeted system with elevated privileges. The vulnerability is due to improper validation of URLs processed by the CiscoWorks Home Page administrative interface. An authenticated, remote attacker could exploit the vulnerability by sending malicious requests to the application. If successful, the attacker could execute commands with elevated privileges on the targeted system. Cisco confirmed the vulnerability in a security advisory and released software updates.
Severity  Description                                  Protected Since  Signature ID  Default Action
High      CiscoWorks Common Services Command Injection  10/19/2011       39586.0       Block*
High      CiscoWorks Common Services Command Injection  10/19/2011       39586.1       Block*
More Details:
CVE-2011-3310
Cisco PSIRT: cisco-sa-20111019-cs


* Inline sensor with Event Action Override set to "deny-packet-inline" at Risk Rating 90 (Cisco default configuration)

Sensor Update Information

Signature Updates

Signature updates may be downloaded automatically by Cisco Security Manager (CSM), IPS Manager Express (IME) and Cisco Security Monitoring, Analysis, and Response System (CS-MARS). The following links are for manual downloads.

Sensor Appliance Updates
IPS 4200-series sensors, IDSM2 Catalyst module, AIM-IPS module, ASA-AIP IPS modules

IOS IPS Updates
IOS IPS in Mainline and T-Train Releases prior to 12.4(11)T (Includes NEW Basic and Advanced Set)
IOS IPS in 12.4(11)T or later T-Train
Cisco.com FTP Access Change

Cisco will no longer distribute software that requires a contract or login credentials via ftp.cisco.com, effective October 2010. Most IPS users will not be affected unless they have manually configured their sensors to download updates from ftp.cisco.com.

IPS software and signature updates will continue to be available from Cisco.com. These can be retrieved using the built-in authenticated download capabilities in the IDM, IME, MARS and CSM management and monitoring applications or manually from the Software Download area on Cisco.com. Please see the FAQ for more information on manually downloading updates from the Software Download area.

Please direct any questions or concerns regarding this change to ftp_download_feedback@cisco.com.



New Product Announcements


End of Life and End of Sale Announcements

Security Research Library
Increase your knowledge of today's vulnerabilities, tomorrow's threats, and the technology necessary to keep up.
Cisco Security Intelligence Operations
Comprehensive threat intelligence, analysis, and defense to help inform and protect organizations.
Cyber Risk Reports
Weekly strategic intelligence product that highlights current security activity and mid- to long-range perspectives, also available as a podcast.
Cisco IntelliShield Alerts
Up-to-the-minute, actionable intelligence, in-depth vulnerability analysis, and highly reliable threat validation to assist in proactive prevention.
Cisco Applied Mitigation Bulletins
Techniques that use Cisco product abilities to detect and mitigate the most important security events and vulnerabilities.
Virus Watch
Current virus trends from SenderBase
Spam Watch
Current spam trends from SenderBase
Security Multimedia Library
Podcasts, video datasheets, webcasts and videos with solutions for today's problems.
Cisco Security Intelligence Operations Best Practices
Guidance on specific technologies and problem sets to help organizations secure business applications and processes by identifying, preventing, and adapting to threats.
Cisco Security Services
Professional services to support your Self-Defending Network.
Cisco Security Solutions
Discover the breadth of Cisco solutions available to solve your organization's security issues.
Cisco Security Blog
Collaborate with the Cisco Security Community and gain insights into emerging security threats, trends, and best practices.


This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.


© 1992-2011 Cisco Systems Inc. All rights reserved.