RELEASE NOTES FOR UPDATE PACKAGE 715-5211

RELEASE DATE:    Wednesday December 23, 2015
MD5 CHECKSUM:    8ba4030056977daf94ab61d06560a2da
SHA1 CHECKSUM:    37b69519a1dc4eb8db7bd5d6b23599a33b2dcb14

UPDATE CRITICALITY:    CRITICAL

MINIMUM SOFTWARE VERSIONS
- Stonesoft Management Center:    5.2.0.8231
- Stonesoft Firewall engine with inspection:    5.2.0.8034 (if SIP or HTTP inspection is used)
- Stonesoft IPS Sensor and Analyzer engine:    5.2.0.5211

This update package improves the detection capabilities of the Stonesoft IPS system.
Note! Protocol identification and application identification have been enabled on SMC 5.9 in the Firewall Inspection Template, Layer 2 Firewall Inspection Template, and High-Security IPS Template since dynamic update 668.

List of detected attacks in this update package:
Risk level     Description     Reference     Vulnerability
Critical     An attempt to exploit a vulnerability in Schneider Electric Modicon M340 detected     CVE-2015-7937     Schneider-Electric-Modicon-M340-Buffer-Overflow-Vulnerability
Critical     An attempt to exploit a vulnerability in Zen Cart detected     CVE-2015-8352     Zen-Cart-Ajax.php-Remote-Code-Execution
High     An attempt to exploit a Tivoli Endpoint Buffer Overflow vulnerability detected     CVE-2011-1220     Tivoli-Endpoint-Buffer-Overflow
High     An attempt to exploit a Novell File Reporter Arbitrary File Delete vulnerability detected     CVE-2011-2750     Novell-File-Reporter-Arbitrary-File-Delete
High     An attempt to exploit a Lifesize Room Command Execution vulnerability detected     CVE-2011-2763     Lifesize-Room-Command-Execution
High     An attempt to exploit an EMC Replication Manager Command Execution vulnerability detected     CVE-2011-0647     EMC-Replication-Manager-Command-Execution
High     An attempt to exploit a vulnerability in Microsoft Windows detected     CVE-2015-6128     Microsoft-Windows-Els.dll-Insecure-Library-Loading
High     An attempt to exploit a vulnerability in Unitronics VisiLogic OPLC detected     CVE-2015-7905     Unitronics-Unidownloader-And-VisiLogic-OPLC-Ipworksssl-Memory-Corruption
High     An attempt to exploit a vulnerability in Microsoft Windows detected     CVE-2015-6128     Microsoft-Windows-Els.dll-Insecure-Library-Loading
High     An attempt to exploit a vulnerability in Microsoft Office detected     CVE-2015-1770     Microsoft-Office-Uninitialized-Memory-Use-Vulnerability-CVE-2015-1770
High     An attempt to exploit a vulnerability in Microsoft Windows detected     CVE-2015-6128     Microsoft-Windows-Els.dll-Insecure-Library-Loading
High     An attempt to exploit a vulnerability in Adobe Systems AIR desktop runtime detected     CVE-2015-3105     Adobe-Flash-Player-Shader-Parameter-Write-What-Where


DETECTED ATTACKS

NEW DETECTED ATTACKS:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Tivoli-Endpoint-Buffer-Overflow     CVE-2011-1220     HTTP_CS-Tivoli-Endpoint-Buffer-Overflow     Suspected Compromise

TCP Client Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     EMC-Replication-Manager-Command-Execution     CVE-2011-0647     Generic_CS-EMC-Replication-Manager-Command-Execution     Suspected Compromise

HTTP Request Header Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
Critical     Schneider-Electric-Modicon-M340-Buffer-Overflow-Vulnerability     CVE-2015-7937     HTTP_CSH-Schneider-Electric-Modicon-M340-Buffer-Overflow-Vulnerability     Suspected Compromise

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Novell-File-Reporter-Arbitrary-File-Delete     CVE-2011-2750     HTTP_CRL-Novell-File-Reporter-Arbitrary-File-Delete     Suspected Compromise
High     Lifesize-Room-Command-Execution     CVE-2011-2763     HTTP_CRL-Lifesize-Room-Command-Execution     Suspected Compromise
Critical     Zen-Cart-Ajax.php-Remote-Code-Execution     CVE-2015-8352     HTTP_CRL-Zen-Cart-Ajax.php-Remote-Code-Execution     Suspected Compromise

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Unitronics-Unidownloader-And-VisiLogic-OPLC-Ipworksssl-Memory-Corruption     CVE-2015-7905     File-Text_Unitronics-Unidownloader-And-VisiLogic-OPCL-Ipworksssl-Memory-Corruption     Suspected Compromise

OLE File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Microsoft-Windows-Els.dll-Insecure-Library-Loading     CVE-2015-6128     File-OLE_Microsoft-Windows-Els.dll-Insecure-Library-Loading     Suspected Compromise

Flash File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Adobe-Flash-Player-Shader-Parameter-Write-What-Where     CVE-2015-3105     File-Flash_Adobe-Flash-Player-Shader-Parameter-Write-What-Where-3     Suspected Compromise

RTF File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Microsoft-Windows-Els.dll-Insecure-Library-Loading     CVE-2015-6128     File-RTF_Microsoft-Windows-Els.dll-Insecure-Library-Loading     Suspected Compromise
High     Microsoft-Office-Uninitialized-Memory-Use-Vulnerability-CVE-2015-1770     CVE-2015-1770     File-RTF_Microsoft-Office-Uninitialized-Memory-Use-Vulnerability-CVE-2015-1770     Suspected Compromise

Identified Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Microsoft-Windows-Els.dll-Insecure-Library-Loading     CVE-2015-6128     File-TextId_Microsoft-Windows-Els.dll-Insecure-Library-Loading     Suspected Compromise

UPDATED DETECTED ATTACKS:

TCP Client Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Hylafaxplus-LDAP-Authentication-User-Name-Buffer-Overflow     CVE-2013-5680     Generic_CS-Hylafaxplus-LDAP-Authentication-User-Name-Buffer-Overflow     Potential Compromise
    - Category tag situation Potential Compromise added
    - Category tag situation Suspected Compromise removed
    - Fingerprint regexp changed

HTTP Request URI

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
Critical     PHP-Cgi-Remote-Code-Execution     CVE-2012-1823     HTTP_CSU_PHP-Cgi-Remote-Code-Execution     Compromise
    - Severity: 7->10
    - Category tag situation Compromise added
    - Category tag situation Suspected Compromise removed
High     Indusoft-Web-Studio-Remote-File-Access     CVE-2011-1900     HTTP_CSU-System-File-Disclosure     Disclosure
    - Description has changed
High     Sybase-EAServer-Directory-Traversal     CVE-2011-2474     HTTP_CSU-Apache-Backslash-Directory-Traversal     Suspected Compromise
    - Description has changed
    - Category tag group CVE2011 added

HTTP Request Header Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
Low     Long-Basic-Authorization-Header     No CVE/CAN     HTTP_CSH-Long-Basic-Authorization-Header     Other Suspicious Traffic
    - Fingerprint regexp changed

SNMP UDP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Squid-ASN.1-Header-Parsing-Denial-Of-Service     CVE-2004-0918     SNMP-UDP_Squid-ASN.1-Header-Parsing-Denial-Of-Service     Suspected Compromise
    - Fingerprint regexp changed

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
Low     Generic-Shared-Variables     No CVE/CAN     File-Text_Shared-Variables     System Inspections
    - Fingerprint regexp changed
Low     HTTP-Mozilla-CSS-Moz-Binding-Cross-Site-Scripting     CVE-2006-0496     File-Text_Mozilla-CSS-Moz-Binding-Cross-Site-Scripting     Potential Disclosure
    - Fingerprint regexp changed
High     Adobe-Acropdf-ActiveX-Control-Memory-Corruption     CVE-2006-6027     File-Text_Adobe-Acropdf-ActiveX-Control-Memory-Corruption     Suspected Compromise
    - Fingerprint regexp changed
High     Microsoft-Internet-Explorer-BrowseDialog-ActiveX-Control-Denial-of-Service     CVE-2007-0371     File-Text_Microsoft-Internet-Explorer-BrowseDialog-ActiveX-Control-Denial-of-Service     Suspected Compromise
    - Fingerprint regexp changed
High     Mozilla-Firefox-CVE-2014-1510-Webidl-Implementation-Privilege-Escalation     CVE-2014-1510     File-Text_Mozilla-Firefox-CVE-2014-1510-Webidl-Implementation-Privilege-Escalation     Suspected Compromise
    - Fingerprint regexp changed
High     Oracle-Data-Quality-Filechooserdlg-Onchangedirectory-Untrusted-Pointer-Deref     CVE-2014-2418     File-Text_Oracle-Data-Quality-Filechooserdlg-Onchangedirectory-Untrusted-Pointer-Dereference     Suspected Compromise
    - Fingerprint regexp changed

LIST OF OTHER CHANGES

NEW OBJECTS:
Type     Name
Category     Zen Cart
Category     Unitronics UniDownloader
Category     Schneider Electric Modicon M340
Category     LifeSize Room
Category     EMC Replication Manager
Application     Moxtra-Meeting

UPDATED OBJECTS:
Type     Name     Changes
Network Element     TOR exit nodes
Situation     File-Text_Adobe-Reader-ActiveX-Vulnerable-Function-Call
    - Description has changed
    - Category tag situation Obsolete added
    - Category tag os Windows removed
    - Category tag hardware Any Hardware removed
    - Category tag application Adobe Reader removed
    - Category tag group CVE2006 removed
    - Category tag os_not_specific Windows not specific removed
    - Category tag situation Suspected Compromise removed
    - Category tag group Severity over 4 Correlation Dependency Group removed

ACTIVATING THE UPDATE PACKAGE

1.    Ensure that the MD5 and SHA1 checksums of the update package are correct.
2.    Open Admin Tools in the SMC GUI client.
3.    Right-click on the Updates folder and select "Import Update Packages".
4.    Right-click on the imported package and select Activate.
5.    Reinstall the system policy to take the changes into use. Custom policies may require manual updating.

DISCLAIMER AND COPYRIGHT

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation, circumstance, or system configuration - use at your own risk. Neither McAfee nor its parent company Intel warrant or endorse any third party products described herein. McAfee, the McAfee logo, and Stonesoft are trademarks or registered trademarks of McAfee, Inc. in the US and other countries. Intel and the Intel logo are trademarks of Intel Corporation in the US and/or other countries. Other names and brands may be claimed as the property of others. Copyright (C) 2000-2015 McAfee, Inc. and Stonesoft Corporation. All rights reserved.