Cisco Intrusion Prevention System Signature Update S340
June 20, 2008

Copyright (C) 1999-2008 Cisco Systems, Inc. All rights reserved. Printed in the USA. Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their registered owners.

========================================================================
Table Of Contents
========================================================================

S340 SIGNATURE UPDATE DETAILS
  - NEW SIGNATURES
  - TUNED SIGNATURES
  - CAVEATS
  - RESOLVED CAVEATS
IMPORTANT NOTES
  - E2 ENGINE UPDATE REQUIRED FOR SIGNATURE UPDATES S339 AND LATER
IPS 5.X AND 6.X SENSOR SIGNATURE UPDATE INSTRUCTIONS
  - TARGET PLATFORMS AND REQUIRED VERSIONS
  - INSTALLATION
  - UNINSTALLATION
  - CAVEATS
CSM/ IPS MC SIGNATURE UPDATE INSTRUCTIONS
  - CSM VERSION 3.1 AND ABOVE
    - INSTALLATION
    - UNINSTALLATION
    - CAVEATS
  - CSM VERSION 3.0/ IPS MC
    - INSTALLATION
    - UNINSTALLATION
    - CAVEATS
S339 SIGNATURE UPDATE DETAILS
  - NEW FEATURES
  - NEW SIGNATURES
  - TUNED SIGNATURES/RESOLVED CAVEATS
  - CAVEATS

========================================================================
S340 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                          ENGINE      SEVERITY  ENABLED
6234.0  VideoLAN VLC Subtitle Overflow   STRING-TCP  High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

RESOLVED CAVEATS

None.

========================================================================
IMPORTANT NOTES

E2 ENGINE UPDATE REQUIRED FOR SIGNATURE UPDATES S339 AND LATER

The E2 engine update was released on June 18, 2008. Beginning with the S339 signature update, all signature releases will require installation of the E2 engine update.

Note: The S339 signature update has been packaged into the E2 engine update and will not be released as a separate signature update.
The following table should be reviewed to ensure that your IPS sensors have been migrated to a release that supports the E2 engine update. Currently, these are IPS 6.0(4), 6.0(5) or 6.1(1) for 6.x sensors and 5.1(7) or 5.1(8) for 5.x sensors.

Release                             Prior to   5.1(7)E1   6.0(1)E1   6.0(4)E1   6.1(1)E1
                                    5.1(7)E1              6.0(2)E1
                                                          6.0(3)E1
S338 and Earlier Signature Support  Yes        Yes        Yes        Yes        Yes
S339 and Later Signature Support    No         No         No         No         No
Eligible for E2 Engine Update?      No         Yes        No         Yes        Yes

The E2 engine update will only be supported on sensors running 5.1(7), 5.1(8), 6.0(4), 6.0(5) or 6.1(1). IPS sensors running older service pack versions must be upgraded to one of these releases prior to installing the E2 engine update.

Warning: Your sensors MUST be running release 5.1(7)E2, 5.1(8)E2, 6.0(4)E2, 6.0(5)E2, or 6.1(1)E2 to continue to install signature updates beginning with S339.

The E2 engine update and readme(s) can be downloaded from Cisco.com at the following URL:
http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/index.shtml

Please note that there is a 60-day grace period after a service pack or minor release during which any engine updates will be released for both the current and previous release. After 60 days, only the current release will receive an engine update. Customers who choose to remain on an older release will be required to update to the latest service pack in order to maintain up-to-date protection.

For more information on supported versions, see:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_bulletin0900aecd80358daa.html

========================================================================
IPS 5.X AND 6.X SENSOR SIGNATURE UPDATE INSTRUCTIONS

TARGET PLATFORMS AND REQUIRED VERSIONS

------------------------------------------------------------------------
Note: Beginning with S339, signature updates have a minimum required engine update level of E2. You must be running the E2 engine update to install signature update S339 or later. The E2 engine update is supported on sensors running IPS versions 5.1(7), 5.1(8), 6.0(4), 6.0(5) or 6.1(1).
------------------------------------------------------------------------
Note2: The S339 signature update has been packaged into the E2 engine update and will not be released as a separate signature update.
------------------------------------------------------------------------
Note3: All signature updates are cumulative. The S340 signature update contains all previously released signature updates. This signature update may contain signatures that include protected parameters. A protected value is not visible to the user.
------------------------------------------------------------------------

The IPS-sig-S340-req-E2.pkg upgrade file can be applied to the following sensor platforms:

- IPS-42xx Cisco Intrusion Prevention System (IPS) sensors
- IDS-42xx Cisco Intrusion Detection System (IDS) sensors (except the IDS-4220 and IDS-4230)
- WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2)
- NM-CIDS IDS Network Module for Cisco 26xx, 3660, and 37xx Router Families
- ASA-SSM-10 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- ASA-SSM-20 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- ASA-SSM-40 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- AIM-IPS Cisco Advanced Integration Module for ISR Routers

The sensor must be running engine update version E2 before you can apply this signature update. To determine the current sensor version, log in to the CLI and type the following command at the prompt:

  show version

INSTALLATION

------------------------------------------------------------------------
Note: Signature updates may take a while to install depending on the sensor's upgrade history, configuration, and the amount of traffic the sensor is processing. The AIM-IPS, for example, has taken up to 40 minutes to update during testing. Please do not reboot the sensor while the signature update is installing, as the sensor may be left in an unknown state requiring it to be reimaged.
------------------------------------------------------------------------

------------------------------------------------------------------------
Note: Before installing a new signature update, it is highly recommended that you back up your configuration file to a remote system. For details, refer to the Copy command section in the applicable Command Reference Guide located at the following URLs:

IPS Version 6.1:
http://www.cisco.com/en/US/docs/security/ips/6.1/command/reference/crCmds.html#wp458440
IPS Version 6.0:
http://www.cisco.com/en/US/docs/security/ips/6.0/command/reference/crCmds.html#wp458440
IPS Version 5.1:
http://www.cisco.com/en/US/docs/security/ips/5.1/command/reference/crCmds.html#wp458440
------------------------------------------------------------------------

WARNING: DO NOT REBOOT THE SENSOR DURING THE INSTALLATION PROCESS. Doing so will leave the sensor in an unknown state and may require that the sensor be re-imaged.

To install the S340 signature update:

1. Download the binary file IPS-sig-S340-req-E2.pkg to an FTP, SCP, HTTP, or HTTPS server on your network from:
   http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

   CAUTION: You must preserve the original file name.

2. Log in to the IPS CLI using an account with administrator privileges.

3. Type the following command to enter Configuration mode:

     configure terminal

4. Execute the upgrade command by typing the following:

     upgrade [URL]/IPS-sig-S340-req-E2.pkg

   where [URL] is the uniform resource locator pointing to where the signature update package is located. For example, to retrieve the update via FTP, type the following:

     upgrade ftp://username@ip-address//directory/IPS-sig-S340-req-E2.pkg

   The available transport methods are: SCP, FTP, HTTP, or HTTPS.

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

UNINSTALLATION

To uninstall the version S340 signature update and return the sensor to its previous state, follow these steps:

1. Log in to the CLI using an account with administrator privileges.

2. Type the following command to enter Configuration mode:

     configure terminal

3. Type the following command to start the downgrade:

     downgrade

------------------------------------------------------------------------
Note: The downgrade may take a long time to complete depending on the configuration of the sensor and the amount of traffic the sensor is processing. Please do not reboot the sensor while the downgrade is in progress, as the sensor may be left in an unknown state requiring the sensor to be reimaged.
------------------------------------------------------------------------

CAVEATS

None.

========================================================================
CSM/ IPS MC SIGNATURE UPDATE INSTRUCTIONS

You can only apply the IPS-CS-MGR-sig-S340-req-E2.zip signature update file to CSM 3.0 or later and IPS MC version 2.2 or later.

If the target device is running E1, CSM automatically pushes the appropriate E2 update package, followed by the signature update. The E2 packages are not listed or available for selection in the Apply Update Wizard and hence cannot be deployed independently for any device. If the target device is already running E2, the signature update will be applied directly.

------------------------------------------------------------------------
Note: Beginning with S339, signature updates have a minimum required engine update level of E2. You must be running the E2 engine update to install signature update S339 or later. The E2 engine update is supported on sensors running IPS versions 5.1(7), 5.1(8), 6.0(4), 6.0(5) or 6.1(1).
------------------------------------------------------------------------
Note2: The S339 signature update has been packaged into the E2 engine update and will not be released as a separate signature update.
------------------------------------------------------------------------

CSM VERSION 3.1 AND ABOVE

INSTALLATION

For automating IPS update tasks, please refer to the following:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/defapset.html#wpxref37046

For setting up the Updates Server in CSM 3.1 and above, please refer to the following:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/defapset.html#wp1333552

To manually install the version S340 signature update on CSM 3.1 and above, follow these steps:

1. Download the appropriate signature update ZIP file to the /MDC/ips/updates directory on the server where you have installed CSM/ IPS MC from the following website:
   http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids

2. Start the Cisco Security Manager client.

3. Click Tools > Apply IPS Update to open the Apply IPS Update wizard.

4. On the first page of the wizard, select the update that you want to apply, then click Next to continue.

5. On the second page of the wizard, select the devices (local policies) and/or shared policies you want to update.

6. Click Finish to apply your update to the policies.

7. Deploy your changes to your devices.
UNINSTALLATION

To uninstall a signature update that was installed using CSM 3.1 and above, follow the IPS rollback instructions listed in the Configuration Archive section of the CSM 3.1 User Guide documentation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/adman.html#wp1075918

Please also refer to the section Understanding Rollback for IPS and IOS IPS of the CSM 3.1 User Guide documentation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/adman.html#wp1098793

CAVEATS

None.

CSM VERSION 3.0/ IPS MC

INSTALLATION

To install the version S340 signature update on CSM 3.0 or IPS MC, follow these steps:

1. Download the appropriate signature update ZIP file to the /MDC/etc/ids/updates directory on the server where you have installed CSM/ IPS MC from the following website:
   http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids

2. Start IPS MC from the CiscoWorks Server desktop.

3. Select Configuration > Updates.

4. In the TOC, select Update Network IDS/IPS Signatures.

5. In the TOC, select Submit.

6. Select a file from the Update File list box and click Apply.

7. Select the sensor(s) you want to update and click Next.

8. Enter a Job Name (optional) and select the Schedule Type: Immediate or Scheduled. If Scheduled is selected, set the start time of the update.

9. Click Next to continue.

10. Verify that the Summary is correct. Use the Back button to correct an incorrect entry.

11. Click Finish. Check the progress viewer to track the installation of the signature update to the sensor.

UNINSTALLATION

To uninstall a signature update that was installed using CSM 3.0 or IPS MC, follow the uninstallation instructions listed in the IPS 5.X AND 6.X SENSOR SIGNATURE UPDATE INSTRUCTIONS section of this document.

CAVEATS

None.
========================================================================
S339 SIGNATURE UPDATE DETAILS

NEW FEATURES

NEW SIGNATURES

SIGID           SIGNAME                                                          ENGINE                SEVERITY  ENABLED
5565.4          Print Spooler Service Overflow                                   SERVICE SMB-ADVANCED  High      True
5601.1          Windows LSASS RPC Overflow                                       SERVICE SMB-ADVANCED  High      True
5858.5          DNS Server RPC Interface Buffer Overflow                         SERVICE SMB-ADVANCED  High      True
6131.10         Microsoft Plug and Play Overflow                                 SERVICE SMB-ADVANCED  High      True
6131.11         Microsoft Plug and Play Overflow                                 SERVICE SMB-ADVANCED  High      True
(sigid missing) (name truncated) Heap Overflow                                   STRING-TCP            High      True
6186.0          RIS Data Collector Heap Overflow                                 STRING-TCP            High      True
6517.0          Malformed Via Header                                             ATOMIC-IP             High      True
6518.0          SIP Long Header Field                                            ATOMIC-IP             High      True
(sigid missing) (name truncated) Header                                          ATOMIC-IP             High      False
6523.0          Non-Printable in SIP Header                                      ATOMIC-IP             High      False
6761.0          Cisco Unified Communications Manager CTL Provider Heap Overflow  STRING-TCP            High      True

Partial listing. Complete listing available at http://tools.cisco.com/security/center/bulletin.x?i=57.

RESOLVED CAVEATS

None.

CAVEATS

The S339 signature update has been packaged into the E2 engine update and will not be released as a separate signature update.
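The release and engine rules stated in the IMPORTANT NOTES section (E2 is required for S339 and later; E2 is only supported on 5.1(7), 5.1(8), 6.0(4), 6.0(5) and 6.1(1); older service packs must be upgraded first) are easy to get wrong when triaging a fleet of sensors by hand. The following is an added example, not Cisco's code or tooling, that parses version strings in the form the table above uses (for example 6.0(4)E1) and tells you which step each sensor needs before IPS-sig-S340-req-E2.pkg can be installed. The version-string format is assumed to be exactly major.minor(servicepack)E<engine>; SAMPLE_INVENTORY and its sensor names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Service-pack releases on which the E2 engine update is supported,
# as listed in this readme's IMPORTANT NOTES section.
E2_SUPPORTED_RELEASES = {"5.1(7)", "5.1(8)", "6.0(4)", "6.0(5)", "6.1(1)"}

# Signature updates S339 and later require engine level E2.
MIN_ENGINE_FOR_S339 = 2

# Assumed format: major.minor(servicepack)E<engine>, e.g. "6.0(4)E1".
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\((?P<sp>\d+)\)E(?P<engine>\d+)$"
)


@dataclass(frozen=True)
class SensorVersion:
    major: int
    minor: int
    service_pack: int
    engine: int

    @property
    def release(self) -> str:
        """Release without the engine suffix, e.g. '6.0(4)'."""
        return f"{self.major}.{self.minor}({self.service_pack})"

    def __str__(self) -> str:
        return f"{self.release}E{self.engine}"


def parse_version(text: str) -> SensorVersion:
    """Parse an IPS version string; raise ValueError if it does not match."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IPS version string: {text!r}")
    return SensorVersion(int(m["major"]), int(m["minor"]),
                         int(m["sp"]), int(m["engine"]))


def s340_readiness(version_text: str) -> str:
    """Classify one sensor for the E2-required S340 signature update.

    Returns:
      'ready'            already at E2 (or later) on an E2-supported release
      'install-e2'       release supports E2 but the engine is still E1
      'upgrade-release'  service pack too old for E2; upgrade the release first
    """
    v = parse_version(version_text)
    if v.release not in E2_SUPPORTED_RELEASES:
        return "upgrade-release"
    if v.engine >= MIN_ENGINE_FOR_S339:
        return "ready"
    return "install-e2"


def plan_fleet(inventory: dict) -> dict:
    """Group sensor names by the action each needs before S340 can be applied.

    inventory maps sensor name -> version string. Unparseable versions are
    collected under 'unknown' instead of aborting the whole run, so one bad
    record does not hide the state of the rest of the fleet.
    """
    plan = {"ready": [], "install-e2": [], "upgrade-release": [], "unknown": []}
    for name, version_text in sorted(inventory.items()):
        try:
            plan[s340_readiness(version_text)].append(name)
        except ValueError:
            plan["unknown"].append(name)
    return plan


# Constructed sample inventory (hypothetical sensor names and versions).
SAMPLE_INVENTORY = {
    "ids-dc1": "6.0(4)E1",
    "ips-branch7": "5.1(7)E2",
    "ips-core2": "6.0(3)E1",
    "aim-rtr3": "6.1(1)E2",
    "ssm-edge1": "not-a-version",
}

if __name__ == "__main__":
    for action, sensors in plan_fleet(SAMPLE_INVENTORY).items():
        print(f"{action:16s} {', '.join(sensors) or '-'}")
```

The check deliberately tests the release before the engine level: a sensor reporting E2 on a release outside the supported set is still flagged as needing a release upgrade rather than being treated as ready.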