RELEASE NOTES FOR UPDATE PACKAGE 523-4333

RELEASE DATE:    Wednesday May 15, 2013
MD5 CHECKSUM:    fb5466616b79247288501ff3b99f9393
SHA1 CHECKSUM:    ba3341020296781c3b545a04368e2f0862fe3b69

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Stonesoft Management Center:    4.3.0.7891
- Stonesoft Firewall engine with inspection:    4.3.0.6029 (if SIP or HTTP inspection is used)
- Stonesoft IPS Sensor and Analyzer engine:    4.3.0.4333

This update package improves the detection capabilities of the Stonesoft IPS system.

List of detected attacks in this update package:
Risk level | Description | Reference | Vulnerability
-----------|-------------|-----------|--------------
High | An attempt to exploit a vulnerability in Microsoft Visio detected | CVE-2013-1301 | Microsoft-Visio-External-Entities-Resolution-Vulnerability
High | An attempt to exploit a vulnerability in Microsoft Visio detected | CVE-2013-1301 | Microsoft-Visio-External-Entities-Resolution-Vulnerability
High | An attempt to exploit a vulnerability in Microsoft Internet Explorer detected | CVE-2013-1347 | Microsoft-Internet-Explorer-CGenericElement-Memory-Corruption
High | An attempt to exploit a vulnerability in phpMyAdmin Devel Team phpMyAdmin detected | CVE-2013-3238 | Phpmyadmin-Preg_Replace-Function-Code-Injection
High | An attempt to exploit a vulnerability in McAfee Virtual Technician detected | CVE-2012-5879 | McAfee-Virtual-Technician-ActiveX-Control-Insecure-Method-Exposure
Moderate | An attempt to exploit a vulnerability in HP Intelligent Management Center detected | CVE-2012-5206 | HP-Intelligent-Management-Center-Syslogdownloadservlet-Information-Disclosure
Moderate | An attempt to exploit a vulnerability in MS Windows detected | CVE-2013-1305 | Windows-HTTP.sys-DOS-Vulnerability-CVE-2013-1305
Moderate | A vulnerability in Internet Explorer | CVE-2013-1279 | MSIE-JSON-Array-Information-Disclosure-Vulnerability
Moderate | A vulnerability in Internet Explorer | CVE-2013-2551 | Internet-Explorer-Use-After-Free-Vulnerability-CVE-2013-2551


DETECTED ATTACKS

NEW DETECTED ATTACKS:

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
-----|-------------------------|------------|---------------------|---------------
Moderate | HP-Intelligent-Management-Center-Syslogdownloadservlet-Information-Disclosure | CVE-2012-5206 | HTTP_CSU-HP-IMC-Syslogdownloadservlet-Information-Disclosure | Suspected Compromise

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
-----|-------------------------|------------|---------------------|---------------
Moderate | Windows-HTTP.sys-DOS-Vulnerability-CVE-2013-1305 | CVE-2013-1305 | HTTP_CSH-Windows-HTTP.sys-DOS-Vulnerability-CVE-2013-1305 | Suspected Compromise

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
-----|-------------------------|------------|---------------------|---------------
High | Phpmyadmin-Preg_Replace-Function-Code-Injection | CVE-2013-3238 | HTTP_CRL-Phpmyadmin-Preg_Replace-Function-Code-Injection | Suspected Compromise

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
-----|-------------------------|------------|---------------------|---------------
High | Microsoft-Internet-Explorer-CGenericElement-Memory-Corruption | CVE-2013-1347 | File-Text_Microsoft-Internet-Explorer-CGenericElement-Memory-Corruption | Suspected Compromise
Moderate | MSIE-JSON-Array-Information-Disclosure-Vulnerability | CVE-2013-1279 | File-Text_MSIE-JSON-Array-Information-Disclosure-Vulnerability | Potential Compromise
Moderate | Internet-Explorer-Use-After-Free-Vulnerability-CVE-2013-2551 | CVE-2013-2551 | File-Text_Internet-Explorer-Use-After-Free-CVE-2013-2551 | Potential Compromise
High | McAfee-Virtual-Technician-ActiveX-Control-Insecure-Method-Exposure | CVE-2012-5879 | File-Text_McAfee-Virtual-Technician-ActiveX-Control-Insecure-Method-Exposure | Suspected Compromise

Identified Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
-----|-------------------------|------------|---------------------|---------------
High | Microsoft-Visio-External-Entities-Resolution-Vulnerability | CVE-2013-1301 | File-TextId_Microsoft-Visio-External-Entities-Resolution-Vulnerability-2 | Suspected Compromise
High | Microsoft-Visio-External-Entities-Resolution-Vulnerability | CVE-2013-1301 | File-TextId_Microsoft-Visio-External-Entities-Resolution-Vulnerability | Potential Compromise

UPDATED DETECTED ATTACKS:

HTTP Server Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
-----|-------------------------|------------|---------------------|----------------|-------------------
Moderate | HTTP-Facebook-Photo-Uploader-ActiveX-Control-FileMask-Method-BOF | CVE-2008-0660 | HTTP_SS-Facebook-Photo-Uploader-ActiveX-Control-FileMask-Method-BOF | Compromise | Description has changed

TCP Client Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
-----|-------------------------|------------|---------------------|----------------|-------------------
Moderate | 3s-Smart-Software-Solutions-Codesys-Gateway-Server-Denial-Of-Service | CVE-2012-4707 | Generic_CS-Smart-Software-Solutions-Codesys-Gateway-Server-Denial-Of-Service | Suspected Compromise | Description has changed
Moderate | 3s-Smart-Software-Solutions-Codesys-Gateway-Server-Memory-Access-Error | CVE-2012-4704 | Generic_CS-Smart-Software-Solutions-Codesys-Gateway-Server-Memory-Access-Error | Suspected Compromise | Description has changed

TCP Server Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
-----|-------------------------|------------|---------------------|----------------|-------------------
Low | MS-Ie-Frame-Iframe-Embed-Tag-Attribute-BOF-MS04-040 | CVE-2004-1050 | Generic_SS-Internet-Explorer-HTML-Elements-Buffer-Overflow | Suspected Compromise | Fingerprint regexp changed

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
-----|-------------------------|------------|---------------------|----------------|-------------------
Moderate | HP-Intelligent-Management-Center-Ictdownloadservlet-Information-Disclosure | CVE-2012-5204 | HTTP_CSU-HP-IMC-Ictdownloadservlet-Information-Disclosure | Suspected Compromise | Fingerprint regexp changed
Moderate | HP-Intelligent-Management-Center-Downloadservlet-Information-Disclosure | CVE-2012-5208 | HTTP_CSU-HP-Intelligent-Management-Center-Downloadservlet-Information-Disclosure | Suspected Compromise | Fingerprint regexp changed
High | HTTP-DFind-Scanner | No CVE/CAN | HTTP_DFind-Scanner-Usage | Suspected Probe | Category tag situation Suspected Probe added; category tag situation Suspected Compromise removed; category tag group HTTP URI Correlation Dependency Group removed

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
-----|-------------------------|------------|---------------------|----------------|-------------------
High | HTTP-ZmEu-Scanner | No CVE/CAN | HTTP_ZmEu-Scanner-Usage | Probe | Category tag situation Probe added; category tag situation Compromise removed

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
-----|-------------------------|------------|---------------------|----------------|-------------------
Moderate | HTTP-Facebook-Photo-Uploader-ActiveX-Control-FileMask-Method-BOF | CVE-2008-0660 | File-Text_Facebook-Photo-Uploader-ActiveX-Control-FileMask-Method-BOF | Compromise | Description has changed; fingerprint regexp changed

Other Binary File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
-----|-------------------------|------------|---------------------|----------------|-------------------
High | Microsoft-Office-TIFF-Converter-Heap-Overflow-CVE-2010-3947 | CVE-2010-3947 | File-Binary_Microsoft-Office-TIFF-Converter-Heap-Overflow-CVE-2010-3947 | Potential Compromise | Category tag situation Potential Compromise added; category tag situation Suspected Compromise removed

LIST OF OTHER CHANGES

NEW OBJECTS:
Type | Name
-----|-----
Category | Microsoft Visio 2010
Category | Microsoft Visio 2007
Category | MS2013-05
Situation | Generic_CS-FTP-Traffic-Over-Non-Standard-Port
Application | Soundcloud
Application | Instagram
Application | Apple-PhotoStream
Application | Mojang-Minecraft-Java
Application | Reddit

UPDATED OBJECTS:
Type | Name | Changes
-----|------|--------
Situation | HTTP_CCH-Apache-And-Nginx-Chunked-Encoding-Buffer-Overflow | Name: HTTP_CCH-Apache-Chunked-Encoding-BOF -> HTTP_CCH-Apache-And-Nginx-Chunked-Encoding-Buffer-Overflow; comment has changed; description has changed; category tag application nginx added
Situation | HTTP_Morfeus-Scanner-Usage | Category tag situation Probe added; category tag situation Compromise removed
Application | Baidu-Hi-Game | Parameter Is cacheable flag changed
Application | Baidu-Hi-Audio-Video | Parameter Is cacheable flag changed
Application | IMAPS | Parameter Is cacheable flag changed
Application | NFS | Parameter Is cacheable flag changed
Application | Baidu-Hi-File-Transfer | Parameter Is cacheable flag changed
Application | BigAnt-Office-Messenger | Parameter Is cacheable flag changed
Application | Ammyy-Admin | Parameter Is cacheable flag changed
Application | AOL-Proxy | Parameter Is cacheable flag changed
Application | Rsync | Parameter Is cacheable flag changed
Application | MySQL | Parameter Is cacheable flag changed
Application | IRC | Parameter Is cacheable flag changed
Application | Subversion-SVN | Parameter Is cacheable flag changed
Application | Citrix-XML-Service | Parameter Is cacheable flag changed
Application | FTP | Parameter Is cacheable flag changed
Application | Microsoft-SQL-Server | Parameter Is cacheable flag changed
Application | Jabber | Parameter Is cacheable flag changed
Application | IBM-solidDB | Parameter Is cacheable flag changed
Application | SMB | Parameter Is cacheable flag changed
Application | AliWW-Remote-Control | Parameter Is cacheable flag changed
Application | IPP | Parameter Is cacheable flag changed
Application | Blizzard-World-of-Warcraft | Parameter Is cacheable flag changed
Application | CVS | Parameter Is cacheable flag changed
Application | AliWW-File-Transfer | Parameter Is cacheable flag changed
Application | X11 | Parameter Is cacheable flag changed
Application | VNC-Remote-Framebuffer-Protocol | Parameter Is cacheable flag changed
Application | ICAP | Parameter Is cacheable flag changed
Application | POP3 | Parameter Is cacheable flag changed
Application | SMTP | Parameter Is cacheable flag changed
Application | Telnet | Parameter Is cacheable flag changed
Application | Citrix-ICA | Parameter Is cacheable flag changed
Application | NetWare-Core-Protocol | Parameter Is cacheable flag changed
Application | Dameware-Mini-Remote-Control | Parameter Is cacheable flag changed
Application | Apple-Filing-Protocol | Parameter Is cacheable flag changed
Application | mDNS | Parameter Is cacheable flag changed
Application | TLS | Parameter Is cacheable flag changed
Application | IMAP | Parameter Is cacheable flag changed
Application | ARCserve | Parameter Is cacheable flag changed
Application | IDENT | Parameter Is cacheable flag changed
Application | MSRPC | Parameter Is cacheable flag changed
Application | Oracle | Parameter Is cacheable flag changed
Application | IP-Messenger | Parameter Is cacheable flag changed
Application | Citrix-Provisioning-Services | Parameter Is cacheable flag changed
Application | NNTP | Parameter Is cacheable flag changed
Application | SSH | Parameter Is cacheable flag changed
Application | Amazon-CloudFront | Parameter Is cacheable flag changed
Application | Apple-iCloud | Parameter Is cacheable flag changed
Application | Amazon-Simple-Storage-Service | Parameter Is cacheable flag changed
Application | Microsoft-Office-Live-Workspace | Parameter Is cacheable flag changed
VPN Profile | Suite-B-GCM-256 | 

ACTIVATING THE UPDATE PACKAGE

1.    Ensure that the MD5 and SHA1 checksums of the update package are correct.
2.    Open Admin Tools in the SMC GUI client.
3.    Right-click on the Updates folder and select "Import Update Packages".
4.    Right-click on the imported package and select Activate.
5.    Reinstall the system policy to take the changes into use. Custom policies may require manual updating.

DISCLAIMER AND COPYRIGHT

Copyright (C) 2000-2013 Stonesoft Corporation. All rights reserved.
These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS.

IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.