Cisco Threat Defense Bulletin S641 April 17, 2012




In This Issue
Important Notes
Supported Sensor Software Versions
Release Summary
New Vulnerabilities and Exploits with Existing Protection
Retired Signatures
Sensor Update Information
New Product Announcements
EoL/EoS Announcements
Security Research Library

Microsoft Bulletin Update
Cisco Security Intelligence Operations VoD

Cisco Remote Management Services for Security
Providing 24x7x365 remote security management, monitoring, and remediation for today's networks.

Did you know IPS customers already have Cisco IntelliShield search access?
Register your free account here

Cisco Security Intelligence Operations
Threat Map
Identify, Analyze, Defend
Comprehensive threat intelligence, analysis, and defense to help inform and protect organizations.

Your feedback makes our bulletin better! Please tell us what you love and what you would change at ips-news@cisco.com.


Visit the Cisco Event Response for more information, analysis, and guidance on this month's Microsoft Security Bulletin Release.


Downloads: the S641 IPS signature update package (sensor only) and the S641 Cisco Security Manager (CSM) signature update package.

Important Notes

Signature update S639 introduced an invalid value for one of the parameters of signature 3255.0. The invalid parameter was shipped in signature updates S639 and S640. See CSCtz29196.

Because signature 3255.0 is retired and disabled by default, the invalid parameter does not affect sensor operation in the default configuration.

If you have modified signature 3255.0 (for example, enabled or un-retired it), restore the signature to its default values before applying an update package.

Signature 3255.0 has been obsoleted and replaced by signature 3255.1. Updating to S641 resolves the problem.
 
Supported Sensor Software Versions
Signature updates are currently tested on the following sensor software releases according to the terms defined in the End-of-Sale Policy for Signature File Release on Intrusion Detection and Prevention (IDS/IPS) Sensors:

6.0(6) (released 29/MAR/2010)

6.2(4) (released 27/JUN/2011)

7.0(6) (released 13/SEP/2011) (upgrade soon!)

7.0(7) (released 31/JAN/2012) NEW

7.1(3) (released 05/DEC/2011) (upgrade soon!)

7.1(4) (released 05/MAR/2012) NEW

Please upgrade to one of these sensor software versions to ensure correct sensor operation and effective signature coverage.

Release S641 - April 17, 2012
Release Summary

Vulnerability | CVE | Severity | Risk Rating | Signature ID | History | Status

+ 3 Retired Signatures (see the Retired Signatures table below)
New Vulnerabilities and Exploits with Existing Protection

PHP Command Injection
Vulnerability Disclosed: 4/15/2012
This signature fires upon detecting a PHP command injection attempt.

PHP versions 4.3.6 and earlier on Win32 platforms (Windows 2000, Windows XP, and Windows 2003 Server) contain a flaw in two core functions. Because of improper sanitization of user-supplied input, the escapeshellarg() and escapeshellcmd() functions can allow crafted input to pass through unneutralized to the functions that invoke the shell, where it is executed with the privileges of the web service.

No exploit code is necessary for this vulnerability: the crafted input is executed directly by the shell once the inadequately escaped string reaches it.

PHP has released a fix in PHP 4.3.7.
Severity | Description | Protected Since | Signature ID | Default Action
High | PHP Command Injection | 4/5/2012 | 5638.0 | produce-alert
More Details:
CAN-2004-0542 (CVE candidate identifier; now CVE-2004-0542)


Niels Provos libevent API DNS Response Processing Remote Denial of Service Vulnerability
Vulnerability Disclosed: 4/15/2012
Niels Provos' libevent application programming interface (API) contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to incorrect handling of DNS name-compression pointers when parsing a DNS response. A label pointer in the response can reference its own offset, so a parser that simply follows the pointer jumps back to the same position indefinitely, consuming processor resources. An unauthenticated, remote attacker could exploit the vulnerability by sending crafted DNS responses to the system; when processed, the response could cause the system to become unresponsive, resulting in a DoS condition. Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to reach the affected systems. The vendor has not confirmed the vulnerability, and software updates are not available.
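The following is an added example, not code from the bulletin or from libevent: a small DNS name decoder that refuses compression-pointer loops, run over two constructed responses, one benign (the answer name is a normal back-pointer to the question name) and one whose answer-name pointer references its own offset, the case described above. The hop limit, the sample message contents and the helper names are assumptions made for the example; a naive decoder that jumps to the pointer target without the checks shown here would spin forever on the hostile message.

```python
"""
Added example (not Cisco's or libevent's code): decode DNS names from a
response while rejecting compression-pointer loops, then check two
constructed messages, one benign and one with a self-referencing pointer.
"""
import struct

MAX_POINTER_HOPS = 16  # assumption: no legitimate name needs this many jumps


class DnsNameError(ValueError):
    """Raised for any name the decoder refuses to follow."""


def read_name(msg, offset, max_hops=MAX_POINTER_HOPS):
    """Decode the domain name starting at `offset`.

    Returns (name, end), where `end` is the offset just past the name as
    it appears in the message (just past the first pointer, if one is used).
    """
    labels, pos, end, hops, visited = [], offset, None, 0, set()
    while True:
        if pos >= len(msg):
            raise DnsNameError("name runs past end of message")
        length = msg[pos]
        if length == 0:                       # root label ends the name
            if end is None:
                end = pos + 1
            break
        if length & 0xC0 == 0xC0:             # two-byte compression pointer
            if pos + 1 >= len(msg):
                raise DnsNameError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2
            # The bug class in the bulletin: a pointer whose target is its own
            # offset (or any pointer already followed) never terminates in a
            # decoder that simply jumps. Refuse it instead of looping.
            if target == pos or target in visited:
                raise DnsNameError("compression pointer loop at offset %d" % pos)
            hops += 1
            if hops > max_hops:
                raise DnsNameError("too many compression pointer hops")
            visited.add(pos)
            pos = target
            continue
        if length & 0xC0:                     # 0x40/0x80 label types are reserved
            raise DnsNameError("unsupported label type at offset %d" % pos)
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise DnsNameError("truncated label")
        labels.append(label.decode("ascii"))
        pos += 1 + length
        if sum(len(l) + 1 for l in labels) > 255:
            raise DnsNameError("name exceeds 255 octets")
    return ".".join(labels), end


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_response(self_referencing_pointer):
    """Constructed sample: header, one question, one A answer (id/values assumed).

    The answer name is a pointer to offset 12 (the question name) in the
    benign case, or a pointer to its own offset in the hostile case.
    """
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)  # A, IN
    answer_name_offset = len(header) + len(question)                  # 29
    target = answer_name_offset if self_referencing_pointer else 12
    answer = struct.pack("!H", 0xC000 | target)
    answer += struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def parse_response_names(msg):
    """Walk the question and answer sections and return the decoded names."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos, names = 12, []
    for _ in range(qdcount):
        name, pos = read_name(msg, pos)
        names.append(name)
        pos += 4                                      # QTYPE + QCLASS
    for _ in range(ancount):
        name, pos = read_name(msg, pos)
        names.append(name)
        rdlength = struct.unpack("!H", msg[pos + 8:pos + 10])[0]
        pos += 10 + rdlength                          # TYPE, CLASS, TTL, RDLENGTH, RDATA
    return names


def has_pointer_loop(msg):
    """Detection view: True if the response would trap a naive decoder."""
    try:
        parse_response_names(msg)
    except DnsNameError as exc:
        return "loop" in str(exc)
    return False


if __name__ == "__main__":
    print(parse_response_names(build_response(False)))  # ['example.com', 'example.com']
    print(has_pointer_loop(build_response(True)))        # True
```

The decoder needs both the `target == pos` check and the `visited` set: a pointer that jumps backwards to a label sequence which itself ends in a pointer back to the first pointer passes the self-reference test yet still loops, so the hop counter and visited set are the guards that actually bound the work. The same three conditions (self-reference, revisited pointer, excessive hops) are what a detection signature for this class of response can key on.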
Severity | Description | Protected Since | Signature ID | Default Action
Medium | Libevent DNS Parsing Denial Of Service | 4/5/2012 | 1081.0 | produce-alert
Medium | Libevent DNS Parsing Denial Of Service | 4/5/2012 | 1082.0 | produce-alert
More Details:
CVE-2007-1030


Retired Signatures

Signature ID | Previous Status | Signature Name | Threat Name
3255.0 | Retired | Apache Long HTTP Header DoS | Apache Long Header Overflow
34165.0 | Retired Permanently | Obsoleted Signatures | Cisco Intrusion Prevention System Obsolete Signature Information
3255.1 | New | Apache Long HTTP Header DoS | Apache HTTP Server Denial of Service Vulnerability

* Inline sensor with Event Action Override set to "deny-packet-inline" at Risk Rating 90 (Cisco default configuration)

Sensor Update Information

Signature Updates

Signature updates may be downloaded automatically by Cisco Security Manager (CSM), IPS Manager Express (IME) and Cisco Security Monitoring, Analysis, and Response System (CS-MARS). The following links are for manual downloads.

Sensor Appliance Updates
IPS 4200-series sensors, IDSM2 Catalyst module, AIM-IPS module, ASA-AIP IPS modules

IOS IPS Updates
IOS IPS in Mainline and T-Train Releases prior to 12.4(11)T (Includes NEW Basic and Advanced Set)
IOS IPS in 12.4(11)T or later T-Train

Cisco.com FTP Access Change

As of October 2010, Cisco no longer distributes software that requires a contract or login credentials via ftp.cisco.com. Most IPS users are not affected unless they have manually configured their sensor or management application to download from ftp.cisco.com.

IPS software and signature updates will continue to be available from Cisco.com. These can be retrieved using the built-in authenticated download capabilities in the IDM, IME, MARS and CSM management and monitoring applications or manually from the Software Download area on Cisco.com. Please see the FAQ for more information on manually downloading updates from the Software Download area.

Please direct any questions or concerns regarding this change to ftp_download_feedback@cisco.com.



New Product Announcements


End of Life and End of Sale Announcements

Security Research Library
Increase your knowledge of today's vulnerabilities, tomorrow's threats, and the technology necessary to keep up.
Cisco Security Intelligence Operations
Comprehensive threat intelligence, analysis, and defense to help inform and protect organizations.
Cyber Risk Reports
Weekly strategic intelligence product that highlights current security activity and mid- to long-range perspectives, also available as a podcast.
Listen
Cisco IntelliShield Alerts
Up-to-the-minute, actionable intelligence, in-depth vulnerability analysis, and highly reliable threat validation to assist in proactive prevention.
Cisco Applied Mitigation Bulletins
Techniques that use Cisco product abilities to detect and mitigate the most important security events and vulnerabilities.
Virus Watch
Current virus trends from SenderBase ©
Spam Watch
Current spam trends from SenderBase ©
Security Multimedia Library
Podcasts, video datasheets, webcasts and videos with solutions for today's problems.
Cisco Security Intelligence Operations Best Practices
Guidance on specific technologies and problem sets to help organizations secure business applications and processes by identifying, preventing, and adapting to threats.
Cisco Security Services
Professional services to support your Self-Defending Network.
Cisco Security Solutions
Discover the breadth of Cisco solutions available to solve your organization's security issues.
Cisco Security Blog
Collaborate with the Cisco Security Community and gain insights into emerging security threats, trends, and best practices.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.


© 1992-2012 Cisco Systems Inc. All rights reserved.