Cisco Threat Defense Bulletin S589 August 17, 2011




In This Issue
Important Notes
Release Summary
Retired Signatures
Sensor Update Information
New Product Announcements
EoL/EoS Announcements
Security Research Library

Microsoft Bulletin Update
Cisco Security Intelligence Operations VoD

Register for the next SIO Threatscape Update

Cisco Remote Management Services for Security
Providing 24x7x365 remote security management, monitoring, and remediation for today's networks.

Don't miss an update!
Get Cisco Text Message Alerts

Did you know you already have a Cisco IntelliShield account?
Register your free account here

Cisco Security Intelligence Operations
Threat Map
Identify, Analyze, Defend
Comprehensive threat intelligence, analysis, and defense to help inform and protect organizations.

Your feedback makes our bulletin better! Please tell us what you love and what you would change at ips-news@cisco.com.


Visit the Cisco Event Response for more information, analysis, and guidance on this month's Microsoft Security Bulletin Release.


Please click here to download the latest IPS signature update package (sensor only).

Please click here to download the latest Cisco Security Manager (CSM) signature update package.

Important Notes


Signature Update S550 introduced a bad value for one of the parameters of signature 23899.0, in addition to retiring and disabling that signature. The bad parameter was included in signature updates 500-553, 555-559 and 7.0(5). See CSCtn84552.

Because this signature was retired and disabled, the bad parameter does not affect sensor functionality.

Updating to S567 resolves the problem. Signature 23899.0 has been retired, disabled and obsoleted.

After installing S567, verify that the sensor is seeing traffic by viewing the virtual sensor statistics. In one condition the sensor requires a reboot after the update is applied: if you modified 23899.0 before upgrading to S550, and upgraded to 7.0(5) while at signature update level S557 or earlier, you must reset the sensor after installing S567.

If you installed one of the affected updates listed above and then modified 23899.0, you must restore 23899.0 to its default settings before updating to S567. If you attempt to install S567 before resetting 23899.0 to its defaults, the update will fail. If you are using CSM, you must revert the update on the sensor where it failed before resetting 23899.0 to its defaults; you can then install S567.


Release S589 - August 17, 2011
Release Summary

Vulnerability | CVE | Severity | Risk Rating | Signature ID | History | Status
Apache Web Server mod_... | CAN-2004-0492 | High | 90 | 3883.0 | Enabled | Retired
Apple QuickTime QuickT... | | High | 90 | 5920.0 | Enabled | Retired
Autonomy KeyView Produ... | | High | 80 | 7218.0 | Enabled | Retired
BERBEW Trojan Activity | | High | 90 | 3143.0 | Enabled | Retired
Heap Spraying Buffer O... | | High | 95 | 29619.0 | Enabled | Retired
HP OpenView Network No... | CVE-2009-4176 | High | 85 | 23699.0 | Enabled | Retired
HP OpenView Network No... | CVE-2011-0268 | High | 90 | 34029.0 | Enabled | Retired
IBM Installation Manag... | CVE-2009-3518 | High | 90 | 22780.0 | Enabled | Retired
Icecast HTTP Header Ov... | CAN-2004-1561 | High | 90 | 5488.0 | Enabled | Retired
IOS Command History Ex... | | High | 85 | 3601.0 | Enabled | Retired
LizaMoon SQL Script In... | | High | 90 | 35285.0 | Enabled | Retired
Microsoft Exchange Out... | | High | 85 | 6790.1 | Enabled | Retired
Microsoft Exchange Out... | | High | 85 | 6790.0 | Enabled | Retired
Microsoft Visual Basic... | | High | 85 | 5878.0 | Enabled | Retired
Microsoft WebDAV Mini-... | | High | 90 | 6771.0 | Enabled | Retired
Microsoft Windows Help... | CVE-2010-1885 | High | 90 | 26599.0 | Enabled | Retired
Microsoft Windows MHTM... | CVE-2011-0096 | High | 85 | 33379.0 | Enabled | Retired
Mozilla Products XSL P... | | High | 90 | 16219.0 | Enabled | Retired
nginx HTTP Request Pro... | CVE-2009-2629 | High | 85 | 21381.0 | Enabled | Retired
Night Dragon Advanced... | | High | 90 | 33819.0 | Enabled | Retired
Novell GroupWise Inter... | | High | 85 | 15253.0 | Enabled | Retired
Novell GroupWise Inter... | | High | 90 | 32419.0 | Enabled | Retired
Novell GroupWise SMTP... | | High | 90 | 18380.0 | Enabled | Retired
Novell iPrint Client i... | | High | 90 | 33419.1 | Enabled | Retired
Novell iPrint Client i... | CVE-2009-1568 | High | 90 | 23860.0 | Enabled | Retired
Pidgin MSN SLP Message... | | High | 80 | 7220.0 | Enabled | Retired
Sendmail prescan buffe... | CAN-2003-0161 | High | 100 | 3124.0 | Enabled | Retired
SMTP: Exchange Server... | CAN-2003-0714 | High | 100 | 3128.0 | Enabled | Retired
Worm: W32.Waledac | | High | 90 | 15193.2 | Enabled | Retired
Microsoft Exchange Ser... | CVE-2006-1193 | Medium | 45 | 5757.0 | Enabled | Retired
Squid Web Proxy Cache... | | Medium | 68 | 21179.0 | Enabled | Retired
HTTP CONNECT Tunnel | | Low | 43 | 5237.0 | Enabled | Retired
SMTP AUTH Brute Force... | | Low | 43 | 3127.0 | Enabled | Retired
Suspicious Mail Attach... | | Low | 50 | 3110.0 | Enabled | Retired
Adobe Reader and Acrob... | CVE-2009-3958 | Component | 15 | 23679.2 | Enabled | Retired
HP OpenView Network No... | | Component | 15 | 22519.2 | Enabled | Retired
HP OpenView Network No... | CVE-2009-4176 | Component | 15 | 23699.1 | Enabled | Retired
HP OpenView Network No... | CVE-2009-4176 | Component | 15 | 23699.2 | Enabled | Retired
HP OpenView Network No... | CVE-2011-0268 | Component | 15 | 34029.2 | Enabled | Retired
IE .asp File Execution | | Component | 15 | 5500.0 | Enabled | Retired
Novell iPrint Client i... | | Component | 15 | 33419.3 | Enabled | Retired
Novell iPrint Client i... | CVE-2009-1568 | Component | 15 | 23860.2 | Enabled | Retired
Novell iPrint Client i... | CVE-2009-1568 | Component | 15 | 23860.1 | Enabled | Retired

Retired Signatures (43)

Signature ID | Previous Status | Signature Name | Threat Name
3110.0 | Enabled | Suspicious Mail Attachment | Suspicious Mail Attachment
3124.0 | Enabled | Sendmail prescan Memory Corruption | Sendmail prescan buffer overflow
3601.0 | Enabled | IOS Command History Exploit | IOS Command History Exploit
5237.0 | Enabled | HTTP CONNECT Tunnel | HTTP CONNECT Tunnel
3127.0 | Enabled | SMTP AUTH Brute Force Attempt | SMTP AUTH Brute Force Attempt
3143.0 | Enabled | BERBEW Trojan Activity | BERBEW Trojan Activity
5500.0 | Enabled | IE .asp File Execution | IE .asp File Execution
3128.0 | Enabled | Exchange xexch50 overflow | SMTP: Exchange Server extended verb buffer Overflow
3883.0 | Enabled | Apache mod_proxy Buffer Overflow | Apache Web Server mod_proxy Content-Length buffer overflow
5488.0 | Enabled | Icecast Server HTTP Header Buffer Overflow | Icecast HTTP Header Overflow
5757.0 | Enabled | Microsoft Exchange Server Cross-Site Scripting | Microsoft Exchange Server Cross-Site Scripting
5878.0 | Enabled | VBE Object ID Buffer Overflow | Microsoft Visual Basic for Applications Buffer Overflow Vulnerability
6771.0 | Enabled | Microsoft Windows WebDAV Mini Redirector | Microsoft WebDAV Mini-Redirector Heap Overflow Vulnerability
5920.0 | Enabled | Apple Quicktime VRPanoSampleAtom Heap Overflow | Apple QuickTime QuickTime Virtual Reality Movie Handling Buffer Overflow Vulnerability
6790.0 | Enabled | Outlook Web Access Privilege Escalation | Microsoft Exchange Outlook Web Access Script Injection Vulnerability
7218.0 | Enabled | Lotus Notes Applix Graphics Overflow | Autonomy KeyView Products Applix Presents File Buffer Overflow Vulnerability
7220.0 | Enabled | Pidgin MSN Overflow | Pidgin MSN SLP Message Integer Overflow Vulnerability
6790.1 | Enabled | Outlook Web Access Privilege Escalation | Microsoft Exchange Outlook Web Access HTML Parsing Vulnerability
15193.2 | Enabled | Waledac Trojan Activity | Worm: W32.Waledac
15253.0 | Enabled | Novell GroupWise Internet Agent RCPT Overflow | Novell GroupWise Internet Agent Buffer Overflow Vulnerability
16219.0 | Enabled | Mozilla Firefox XSL Parsing Remote Memory Corruption | Mozilla Products XSL Parsing Root Tag Memory Corruption Vulnerability
22519.2 | Enabled | HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow Vulnerability | HP OpenView Network Node Manager CGI Buffer Overflow Vulnerability
18380.0 | Enabled | Novell GroupWise SMTP Buffer Overflow | Novell GroupWise SMTP Processing Code Execution Vulnerability
21381.0 | Enabled | nginx URI Parsing Buffer Underflow | nginx HTTP Request Processing Buffer Overflow Vulnerability
21179.0 | Enabled | Squid HTTP Data Processing Remote Denial of Service | Squid Web Proxy Cache Data Processing Remote Denial of Service Vulnerability
22780.0 | Enabled | IBM Installation Manager iim:// URI Handling Code Execution | IBM Installation Manager iim: URI Remote Code Execution Vulnerability
23679.2 | Enabled | Adobe Download Manager ActiveX Buffer Overflow Vulnerability | Adobe Reader and Acrobat Download Manager Remote Buffer Overflow Vulnerability
23699.0 | Enabled | HP OpenView Network Node Manager Buffer Overflow | HP OpenView Network Node Manager Memory Corruption Vulnerability
23699.1 | Enabled | HP OpenView Network Node Manager Buffer Overflow | HP OpenView Network Node Manager Memory Corruption Vulnerability
23699.2 | Enabled | HP OpenView Network Node Manager Buffer Overflow | HP OpenView Network Node Manager Memory Corruption Vulnerability
23860.2 | Enabled | Novell iPrint Client ienipp.ocx Remote Buffer Overflow | Novell iPrint Client ienipp.ocx Remote Buffer Overflow Vulnerability
23860.0 | Enabled | Novell iPrint Client ienipp.ocx Remote Buffer Overflow | Novell iPrint Client ienipp.ocx Remote Buffer Overflow Vulnerability
23860.1 | Enabled | Novell iPrint Client ienipp.ocx Remote Buffer Overflow | Novell iPrint Client ienipp.ocx Remote Buffer Overflow Vulnerability
26599.0 | Enabled | Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability | Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability
29619.0 | Enabled | Heap Feng Shui Code | Heap Spraying Buffer Overflow Attacks
32419.0 | Enabled | Novell GroupWise Internet Agent Buffer Overflow | Novell GroupWise Internet Agent RRULE Remote Code Execution Vulnerability
33379.0 | Enabled | Windows MHTML Protocol Handler Script Execution | Microsoft Windows MHTML Protocol Handler Script Execution Vulnerability
33419.3 | Enabled | Novell iPrint Client ienipp.ocx Arbitrary Code Execution | Novell iPrint Client ienipp.ocx Arbitrary Code Execution Vulnerability
33419.1 | Enabled | Novell iPrint Client ienipp.ocx Arbitrary Code Execution | Novell iPrint Client ienipp.ocx Arbitrary Code Execution Vulnerability
33819.0 | Enabled | Backdoor zwShell Command and Control | Night Dragon Advanced Persistent Threat Report
34029.2 | Enabled | HP OpenView nnmRptConfig Remote Code Execution | HP OpenView Network Node Manager nnmRptConfig Arbitrary Code Execution Vulnerability
34029.0 | Enabled | HP OpenView nnmRptConfig Remote Code Execution | HP OpenView Network Node Manager nnmRptConfig Arbitrary Code Execution Vulnerability
35285.0 | Enabled | Lizamoon SQL Injection | LizaMoon SQL Script Injection Attacks

* Inline sensor with Event Action Override set to "deny-packet-inline" at Risk Rating 90 (Cisco default configuration)

Sensor Update Information

Signature Updates

Signature updates may be downloaded automatically by Cisco Security Manager (CSM), IPS Manager Express (IME) and Cisco Security Monitoring, Analysis, and Response System (CS-MARS). The following links are for manual downloads.

Sensor Appliance Updates
IPS 4200-series sensors, IDSM2 Catalyst module, AIM-IPS module, ASA-AIP IPS modules

IOS IPS Updates
IOS IPS in Mainline and T-Train Releases prior to 12.4(11)T (Includes NEW Basic and Advanced Set)
IOS IPS in 12.4(11)T or later T-Train
Cisco.com FTP Access Change

From October 2010, Cisco no longer distributes software that requires a contract or login credentials via ftp.cisco.com. Most IPS users are not affected unless they have manually configured their sensor or management application to download updates from ftp.cisco.com.

IPS software and signature updates will continue to be available from Cisco.com. These can be retrieved using the built-in authenticated download capabilities in the IDM, IME, MARS and CSM management and monitoring applications or manually from the Software Download area on Cisco.com. Please see the FAQ for more information on manually downloading updates from the Software Download area.

Please direct any questions or concerns regarding this change to ftp_download_feedback@cisco.com.



New Product Announcements


End of Life and End of Sale Announcements

Security Research Library
Increase your knowledge of today's vulnerabilities, tomorrow's threats, and the technology necessary to keep up.
Cisco Security Intelligence Operations
Comprehensive threat intelligence, analysis, and defense to help inform and protect organizations.
Cyber Risk Reports
Weekly strategic intelligence product that highlights current security activity and mid- to long-range perspectives, also available as a podcast.
Listen
Cisco IntelliShield Alerts
Up-to-the-minute, actionable intelligence, in-depth vulnerability analysis, and highly reliable threat validation to assist in proactive prevention.
Cisco Applied Mitigation Bulletins
Techniques that use Cisco product abilities to detect and mitigate the most important security events and vulnerabilities.
Virus Watch
Current virus trends from SenderBase®
Spam Watch
Current spam trends from SenderBase®
Security Multimedia Library
Podcasts, video datasheets, webcasts and videos with solutions for today's problems.
Cisco Security Intelligence Operations Best Practices
Guidance on specific technologies and problem sets to help organizations secure business applications and processes by identifying, preventing, and adapting to threats.
Cisco Security Services
Professional services to support your Self-Defending Network.
Cisco Security Solutions
Discover the breadth of Cisco solutions available to solve your organization's security issues.
Cisco Security Blog
Collaborate with the Cisco Security Community and gain insights into emerging security threats, trends, and best practices.


This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.


© 1992-2011 Cisco Systems Inc. All rights reserved.