RELEASE NOTES FOR UPDATE PACKAGE 572-5211

RELEASE DATE:    Thursday March 27, 2014
MD5 CHECKSUM:    96c195bd07701b16b32477161c4fd9c3
SHA1 CHECKSUM:    1c1af5c2b38bbe1c1e5b3cf980f7da22ecfb14bc

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Stonesoft Management Center:    5.2.0.8231
- Stonesoft Firewall engine with inspection:    5.1.0.7516 (if SIP or HTTP inspection is used)
- Stonesoft IPS Sensor and Analyzer engine:    5.2.0.5211

This update package improves the detection capabilities of the Stonesoft IPS system.

List of detected attacks in this update package:
Risk level     Description     Reference     Vulnerability
High     Moodle Remote Command Execution detected     CVE-2013-3630     Moodle-Remote-Command-Execution
Moderate     An attempt to exploit a vulnerability in EMC Connectrix Manager Converged Network Edition detected     CVE-2014-2276     EMC-Cmcne-Fileuploadcontroller-Information-Disclosure
Moderate     An attempt to exploit a vulnerability in Microsoft Word detected     CVE-2014-1761     Microsoft-Word-RTF-Remote-Code-Execution-CVE-2014-1761
Moderate     Zabbix Authenticated Remote Command Execution detected     CVE-2013-3628     Zabbix-Authenticated-Remote-Command-Execution
Moderate     An attempt to exploit a vulnerability in Microsoft Word detected     CVE-2014-1761     Microsoft-Word-RTF-Remote-Code-Execution-CVE-2014-1761
Moderate     ISPConfig Remote Command Execution detected     CVE-2013-3629     ISPConfig-Remote-Command-Execution
Moderate     An attempt to exploit a vulnerability in PHP Group PHP detected     CVE-2014-2270     Php-Libmagic-Portable-Executable-Out-Of-Bounds-Memory-Access
Moderate     Nas4Free Remote Command Execution detected     CVE-2013-3631     Nas4Free-Remote-Command-Execution
Low     Detected PHP scripting in the Client Request     No CVE/CAN Web-Server-Side-Script-Disclosure
Low     Detected PHP scripting in the Client Request     No CVE/CAN Web-Server-Side-Script-Disclosure


DETECTED ATTACKS

NEW DETECTED ATTACKS:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
Moderate     EMC-Cmcne-Fileuploadcontroller-Information-Disclosure     CVE-2014-2276     HTTP_CS-EMC-Cmcne-Fileuploadcontroller-Information-Disclosure     Suspected Compromise
Moderate     Php-Libmagic-Portable-Executable-Out-Of-Bounds-Memory-Access     CVE-2014-2270     HTTP_CS-Php-Libmagic-Portable-Executable-Out-Of-Bounds-Memory-Access     Suspected Compromise

HTTP Request Header Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
Low     Web-Server-Side-Script-Disclosure     No CVE/CAN     HTTP_CSH-Php-Scripting-In-Client-Request     Possibly Unwanted Content

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
Moderate     Zabbix-Authenticated-Remote-Command-Execution     CVE-2013-3628     HTTP_CRL-Zabbix-Authenticated-Remote-Command-Execution     Suspected Compromise
Moderate     ISPConfig-Remote-Command-Execution     CVE-2013-3629     HTTP_CRL-ISPConfig-Remote-Command-Execution     Suspected Compromise
Low     Web-Server-Side-Script-Disclosure     No CVE/CAN     HTTP_CRL-Php-Scripting-In-Client-Request     Possibly Unwanted Content
Moderate     Nas4Free-Remote-Command-Execution     CVE-2013-3631     HTTP_CRL-Nas4Free-Remote-Command-Execution     Suspected Compromise
High     Moodle-Remote-Command-Execution     CVE-2013-3630     HTTP_CRL-Moodle-Remote-Command-Execution     Suspected Compromise

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
Moderate     Microsoft-Word-RTF-Remote-Code-Execution-CVE-2014-1761     CVE-2014-1761     File-Text_Microsoft-Word-RTF-Remote-Code-Execution-CVE-2014-1761     Suspected Compromise

RTF File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
Moderate     Microsoft-Word-RTF-Remote-Code-Execution-CVE-2014-1761     CVE-2014-1761     File-RTF_Microsoft-Word-RTF-Remote-Code-Execution-CVE-2014-1761     Suspected Compromise

UPDATED DETECTED ATTACKS:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
Moderate     EMC-Cmcne-Inmservlets.war-Fileuploadcontroller-Arbitrary-File-Upload     CVE-2013-6810     HTTP_CS-EMC-Cmcne-Inmservlets.war-Fileuploadcontroller-Arbitrary-File-Upload     Suspected Compromise
    - Fingerprint regexp changed

RTF File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
Moderate     Microsoft-Word-RTF-Remote-Code-Execution-CVE-2014-1761     CVE-2014-1761     File-RTF_Word-RTF-Listoverridecount-RCE-Multiple-Vulnerabilities     Suspected Compromise
    - Name: File-RTF_Word-RTF-Listoverridecount-RCE-CVE-2012-2539 -> File-RTF_Word-RTF-Listoverridecount-RCE-Multiple-Vulnerabilities
    - Description has changed
    - Category tag application Microsoft Word 2010 added
    - Category tag group MS2014-03 added
    - Category tag group CVE2014 added

LIST OF OTHER CHANGES

NEW OBJECTS:
Type     Name
Category     Zabbix
Category     Nas4Free
Category     Moodle
Category     Microsoft Word 2010
Category     ISPConfig
Application     Moodle

UPDATED OBJECTS:
Type     Name     Changes
Application     Basecamp
    - Description has changed
Application     Youku
    - Description has changed
Application     Facebook-Plugins-Live-Stream
    - Category tag application_type Web Applications removed
    - Category tag application_usage Social Networking removed
Application     Wikibooks
    - Description has changed
Application     Wikiquote
    - Description has changed
Application     Wikinews
    - Description has changed
Application     Telnet
    - Parameter Is cacheable flag changed
Application     Wikispecies
    - Description has changed
Application     Wikiversity
    - Description has changed
Application     Facebook-Plugins-Like-Button
    - Description has changed
Application     Wikisource
    - Description has changed

ACTIVATING THE UPDATE PACKAGE

1.    Ensure that the MD5 and SHA1 checksums of the update package are correct.
2.    Open Admin Tools in the SMC GUI client.
3.    Right-click on the Updates folder and select "Import Update Packages".
4.    Right-click on the imported package and select Activate.
5.    Reinstall the system policy to take the changes into use. Custom policies may require manual updating.
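Step 1 in practice, as an added example that is not part of the Stonesoft release notes: a small POSIX shell check that computes both digests of the downloaded package and refuses to proceed unless each one matches the value published above. The expected digests are the ones stated in these notes; the package file name is a placeholder you replace with the file you downloaded.

```shell
# Added example (not Stonesoft's own tooling): verify update package 572-5211
# against the MD5 and SHA1 checksums published in the release notes.
EXPECTED_MD5="96c195bd07701b16b32477161c4fd9c3"
EXPECTED_SHA1="1c1af5c2b38bbe1c1e5b3cf980f7da22ecfb14bc"

# digest FILE ALGO -> prints the lowercase hex digest, using coreutils if
# present and falling back to openssl otherwise.
digest() {
    case "$2" in
        md5)  if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
              else openssl dgst -md5 "$1" | sed 's/.*= //'; fi ;;
        sha1) if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | cut -d' ' -f1
              else openssl dgst -sha1 "$1" | sed 's/.*= //'; fi ;;
    esac
}

# verify_package FILE EXPECTED_MD5 EXPECTED_SHA1 -> exit status 0 only when
# BOTH digests match; every mismatch is reported on stderr.
verify_package() {
    file="$1"; want_md5="$2"; want_sha1="$3"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    got_md5=$(digest "$file" md5)
    got_sha1=$(digest "$file" sha1)
    ok=0
    [ "$got_md5" = "$want_md5" ]   || { echo "MD5 mismatch:  got $got_md5" >&2; ok=1; }
    [ "$got_sha1" = "$want_sha1" ] || { echo "SHA1 mismatch: got $got_sha1" >&2; ok=1; }
    [ "$ok" -eq 0 ] && echo "checksums OK: $file"
    return "$ok"
}

# Placeholder file name; substitute the package you downloaded.
# verify_package "UPDATE_PACKAGE_FILE" "$EXPECTED_MD5" "$EXPECTED_SHA1" || exit 1
```

Only import the package into the SMC once this check returns success; a mismatch means the download is corrupt or not the file the notes describe.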

DISCLAIMER AND COPYRIGHT

Copyright (C) 2000-2014 Stonesoft Corporation. All rights reserved.
These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS.

IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.