Cisco Threat Defense Bulletin S1017 April 25, 2018



In This Issue
News and Important Notices
Release Summary
New Vulnerability and Exploit Protections
Retired Signatures
Security Research Library




Download the S1017 sensor package (sensor only).



News and Important Notices


Signature Updates for all legacy Cisco IPS Systems will cease April 26, 2018.

For the CIPS End of Sale Announcement, please visit:
End-of-Sale for Cisco Services for Intrusion Prevention System Support Program

For the list of products currently past their End of Support Date, please visit:
End of Service/End of Life for Signature Services for Intrusion Detection and Prevention

For information about migration options from legacy IPS products to the Firepower line, please visit:
Cisco Intrusion Prevention System (CIPS) Migration Path Awareness Communication for End of Life/End of Sale ASA/IPS Product Lines

Cisco IPS Signature Service End-Of-Service FAQ





Release S1017 - April 25, 2018
Release Summary
Vulnerability | CVE | Severity | Risk Rating | Signature ID | History | Status
Microsoft Edge Code Ex... | CVE-2018-0995 | High | 85 | 8226.0 | New | Enabled
Microsoft Edge Code Ex... | CVE-2018-0994 | High | 85 | 8227.0 | New | Enabled
Microsoft Edge Code Ex... | CVE-2018-0993 | High | 85 | 8228.0 | New | Enabled
Western Digital My Clo... | CVE-2017-17560 | High | 90 | 8215.0 | New | Enabled
Adobe Acrobat and Read... | CVE-2015-5103 | High | 85 | 6673.0 | Enabled | Retired
Adobe Acrobat and Read... | CVE-2015-5113 | High | 85 | 6672.0 | Enabled | Retired
Adobe Acrobat Reader M... | CVE-2015-5102 | High | 80 | 6663.0 | Enabled | Retired
Adobe Acrobat Reader U... | CVE-2015-5111 | High | 80 | 6654.0 | Enabled | Retired
Adobe Flash Player Bit... | CVE-2015-5123 | High | 80 | 6653.0 | Enabled | Retired
Adobe Flash Player Int... | CVE-2015-3104 | High | 85 | 6649.0 | Enabled | Retired
Internet Explorer Memo... | CVE-2015-2443 | High | 85 | 6674.0 | Enabled | Retired
Microsoft Excel DLL Ha... | CVE-2015-2378 | High | 85 | 6671.0 | Enabled | Retired
Microsoft Internet Exp... | CVE-2015-2403 | High | 80 | 6597.0 | Enabled | Retired
Microsoft Internet Exp... | CVE-2015-1733 | High | 80 | 6590.0 | Enabled | Retired
Microsoft Internet Exp... | CVE-2015-1729 | High | 80 | 6589.0 | Enabled | Retired
Microsoft Internet Exp... | CVE-2015-1738 | High | 80 | 6591.0 | Enabled | Retired
Microsoft Internet Exp... | CVE-2015-2397 | High | 70 | 6594.0 | Enabled | Retired
Microsoft Internet Exp... | CVE-2015-2388 | High | 85 | 6603.0 | Enabled | Retired
Microsoft Internet Exp... | CVE-2015-2409 | High | 85 | 6602.0 | Enabled | Retired
Microsoft Internet Exp... | CVE-2015-2425 | High | 85 | 6650.0 | Enabled | Retired
Microsoft Internet Exp... | CVE-2015-2390 | High | 85 | 6612.0 | Enabled | Retired
Microsoft Internet Exp... | CVE-2015-2383 | High | 85 | 6614.0 | Enabled | Retired
Microsoft Internet Exp... | CVE-2015-2444 | High | 85 | 6675.0 | Enabled | Retired
Microsoft Office Excel... | CVE-2015-2375 | High | 80 | 6657.0 | Enabled | Retired
Microsoft Office Word... | CVE-2015-1759 | High | 80 | 6531.0 | Enabled | Retired
Microsoft Windows Acce... | CVE-2015-2365 | High | 80 | 6658.0 | Enabled | Retired
Microsoft Windows DLL... | CVE-2015-2369 | High | 85 | 6652.0 | Enabled | Retired
Microsoft Windows Win3... | CVE-2015-2367 | High | 85 | 6668.0 | Enabled | Retired
Microsoft Windows Win3... | CVE-2015-2366 | High | 85 | 6667.0 | Enabled | Retired
Adobe Flash Player and... | CVE-2015-3108 | Medium | 60 | 6582.0 | Enabled | Retired
Adobe Flash Player and... | CVE-2015-3108 | Medium | 60 | 6582.1 | Enabled | Retired
Adobe Flash Player and... | CVE-2015-3081 | Medium | 60 | 6567.0 | Enabled | Retired
Adobe Flash Player Sec... | CVE-2015-3079 | Medium | 60 | 6565.0 | Enabled | Retired
Adobe Flash Player Sec... | CVE-2015-3079 | Medium | 60 | 6565.1 | Enabled | Retired
New Vulnerability and Exploit Protections
Western Digital My Clo...
Vulnerability Disclosed: 12/12/2017
A vulnerability in Western Digital My Cloud could allow an unauthenticated, remote attacker to execute arbitrary code as root on a targeted system. The vulnerability is in the /web/jquery/uploader/multi_uploadify.php function of the affected software and is due to insufficient authentication by the affected software. An attacker could exploit this vulnerability by submitting a crafted PHP shell to a targeted system. A successful exploit could allow the attacker to execute arbitrary code as root on the targeted system.
Severity | Description | Protected Since | Signature ID | Event Action
High | Western Digital My Cloud NAS Web Administration HTTP Service File Upload | | 8215.0 | Block*

Microsoft Edge Code Ex...
Vulnerability Disclosed: 4/10/2018
A vulnerability in the Chakra scripting engine used by Microsoft Edge could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability is due to improper memory operations that are performed by the affected software. An attacker could exploit this vulnerability by persuading a user to access a link or file that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.
Severity | Description | Protected Since | Signature ID | Event Action
High | Microsoft Edge Code Execution | | 8226.0 | produce-alert

Microsoft Edge Code Ex...
Vulnerability Disclosed: 4/10/2018
A vulnerability in the Chakra scripting engine used by Microsoft Edge could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability is due to improper memory operations that are performed by the affected software. An attacker could exploit this vulnerability by persuading a user to access a link or file that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.
Severity | Description | Protected Since | Signature ID | Event Action
High | Microsoft Edge Code Execution | | 8227.0 | produce-alert

Microsoft Edge Code Ex...
Vulnerability Disclosed: 4/10/2018
A vulnerability in the Chakra scripting engine used by Microsoft Edge could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability is due to improper memory operations that are performed by the affected software. An attacker could exploit the vulnerability by persuading a user to access a link or file that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.
Severity | Description | Protected Since | Signature ID | Event Action
High | Microsoft Edge Code Execution | | 8228.0 | produce-alert

Retired Signatures

Signature ID | Previous Status | Signature Name | Threat Name
6590.0 | Enabled | Microsoft Internet Explorer Use After Free | Microsoft Internet Exp...
6531.0 | Enabled | Microsoft Office Word Use After Free | Microsoft Office Word ...
6565.0 | Enabled | Adobe Flash Player Security Bypass Vulnerability | Adobe Flash Player Sec...
6565.1 | Enabled | Adobe Flash Player Security Bypass Vulnerability | Adobe Flash Player Sec...
6567.0 | Enabled | Adobe Flash Player Security Bypass Vulnerability | Adobe Flash Player and...
6582.0 | Enabled | Adobe Flash Player Memory Address Discovery Security Bypass | Adobe Flash Player and...
6582.1 | Enabled | Adobe Flash Player Memory Address Discovery Security Bypass | Adobe Flash Player and...
6589.0 | Enabled | Microsoft Internet Explorer Code Execution | Microsoft Internet Exp...
6591.0 | Enabled | Microsoft Internet Explorer Code Execution | Microsoft Internet Exp...
6594.0 | Enabled | Microsoft Internet Explorer Memory Corruption | Microsoft Internet Exp...
6597.0 | Enabled | Microsoft Internet Explorer Code Execution | Microsoft Internet Exp...
6603.0 | Enabled | Microsoft Internet Explorer Memory Corruption | Microsoft Internet Exp...
6612.0 | Enabled | Microsoft Internet Explorer Memory Corruption | Microsoft Internet Exp...
6614.0 | Enabled | Microsoft Internet Explorer Memory Corruption | Microsoft Internet Exp...
6602.0 | Enabled | Microsoft Internet Explorer Memory Corruption | Microsoft Internet Exp...
6649.0 | Enabled | Adobe Flash Player Integer Overflow | Adobe Flash Player Int...
6650.0 | Enabled | Microsoft Internet Explorer Remote Code Execution | Microsoft Internet Exp...
6652.0 | Enabled | Microsoft Windows DLL Planting Remote Code Execution | Microsoft Windows DLL ...
6653.0 | Enabled | Adobe Flash Player BitmapData Object Remote Code Execution | Adobe Flash Player Bit...
6654.0 | Enabled | Adobe Acrobat Reader Use After Free | Adobe Acrobat Reader U...
6657.0 | Enabled | Microsoft Office Excel Information Disclosure | Microsoft Office Excel...
6658.0 | Enabled | Microsoft Windows Access After Release | Microsoft Windows Acce...
6663.0 | Enabled | Adobe Acrobat Reader Memory Corruption | Adobe Acrobat Reader M...
6667.0 | Enabled | Microsoft Windows Win32k Driver Privilege Escalation | Microsoft Windows Win3...
6668.0 | Enabled | Microsoft Windows Win32k Driver Information Disclosure | Microsoft Windows Win3...
6671.0 | Enabled | Microsoft Excel DLL Remote Code Execution | Microsoft Excel DLL Ha...
6672.0 | Enabled | Adobe Acrobat and Reader Use After Free | Adobe Acrobat and Read...
6674.0 | Enabled | Microsoft Internet Explorer Memory Corruption | Internet Explorer Memo...
6675.0 | Enabled | Microsoft Internet Explorer Use After Free | Microsoft Internet Exp...
6673.0 | Enabled | Adobe Acrobat and Reader Memory Corruption | Adobe Acrobat and Read...
8214.0 | New | Use of psexec Remote Administration Tool Activity | Use Of PsExec Remote A...

* Inline sensor with Event Action Override set to "deny-packet-inline" at Risk Rating 90 (Cisco default configuration)


Security Research Library
Increase your knowledge of today's vulnerabilities, tomorrow's threats, and the technology necessary to keep up.
Cisco Security
Comprehensive threat intelligence, analysis, and defense to help inform and protect organizations.

Cisco Multivendor Security Alerts
Up-to-the-minute, actionable intelligence, in-depth vulnerability analysis, and highly reliable threat validation to assist in proactive prevention.

Cisco Security Tactical Resources
Guidance on specific technologies and problem sets to help organizations secure business applications and processes by identifying, preventing, and adapting to threats.
Cisco Security Services
Professional services to support your self-defending network.
Cisco Security Blog
Collaborate with the Cisco Security Community and gain insights into emerging security threats, trends, and best practices.


This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.


© 1992-2018 Cisco Systems Inc. All rights reserved.

Cisco Systems, Inc.
Corporate Headquarters 
170 West Tasman Dr.
San Jose, CA 95134
USA