RVS4000 IPS identifies flickr images, etc., as Microsoft Color Management Module Buffer Overflow exploit

dstegall72
Level 1

If I enable the IPS function in my RVS4000, some images from various popular websites like Flickr and blogspot will not load.  They are detected by IPS as "EXPLOIT Microsoft Color Management Module Buffer Overflow"

You can test it yourself with this image hosted at blogspot:

http://4.bp.blogspot.com/_a7jkcMVp5Vg/TF3gjYJrHBI/AAAAAAAAMqM/ScJAA8y9nZk/s400/sorry.jpg

With IPS enabled, that image will not load.  With IPS disabled, it will.

I am using firmware 1.3.2.0 and IPS signature version 1.42.

I believe IPS is incorrectly identifying these images as containing the color management buffer overflow exploit.

Any chance this could be corrected in the next IPS signature release?

As an aside, I would prefer to open a case with support about this, but I really can't figure out how to do so.  I purchased the RVS4000 when it was still made by Linksys.  I would assume I should still be able to get support on it now that it's owned by Cisco, but trying to open a case on the web for this seems impossible.  Am I missing something?
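The signature name refers to the 2005 bug in Microsoft's Color Management Module when parsing ICC colour profiles (MS05-036), and a JPEG carries its ICC profile inside one or more APP2 "ICC_PROFILE" segments, so an IPS that flags ordinary Flickr and Blogspot images is presumably matching on something in that embedded profile. The Python script below is an added example, not part of the original post and not Cisco's or Linksys's signature logic: it pulls the ICC profile out of a JPEG and sanity-checks the header and tag table (declared size, tag count, and whether each tag's offset and size fit inside the profile), which is what you would want to look at before deciding whether a blocked image is malformed or just carries a normal colour profile. The sample JPEG bytes are constructed inline, and the function names and the specific checks are mine; they do not reproduce what signature set 1.42 actually matches.

```python
import struct

ICC_HEADER_LEN = 128          # fixed ICC header; tag count follows at offset 128
APP2_ICC_PREFIX = b"ICC_PROFILE\x00"


def build_icc_profile(tags):
    """Build a minimal ICC profile: 128-byte header, tag count, tag table, tag data.
    `tags` is a list of (4-byte signature, data bytes). Constructed test input only."""
    table_len = 4 + 12 * len(tags)
    data_offset = ICC_HEADER_LEN + table_len
    table, body = struct.pack(">I", len(tags)), b""
    for sig, data in tags:
        table += sig + struct.pack(">II", data_offset + len(body), len(data))
        body += data
    size = ICC_HEADER_LEN + table_len + len(body)
    # size, CMM type, version 2.1, device class, colour space, PCS, 12-byte date, 'acsp'
    header = struct.pack(">I4sI4s4s4s", size, b"appl", 0x02100000, b"mntr", b"RGB ", b"XYZ ")
    header += b"\x00" * 12 + b"acsp"
    return header.ljust(ICC_HEADER_LEN, b"\x00") + table + body


def build_jpeg_with_icc(profile, chunk_size=65519):
    """Wrap a profile in numbered APP2 ICC_PROFILE segments (as real files do),
    then an empty SOS and EOI: enough structure to exercise the parser."""
    chunks = [profile[i:i + chunk_size] for i in range(0, len(profile), chunk_size)] or [b""]
    out = b"\xff\xd8"  # SOI
    for seq, chunk in enumerate(chunks, 1):
        payload = APP2_ICC_PREFIX + bytes([seq, len(chunks)]) + chunk
        out += b"\xff\xe2" + struct.pack(">H", len(payload) + 2) + payload
    out += b"\xff\xda" + struct.pack(">H", 2)  # SOS (no scan data in this sample)
    return out + b"\xff\xd9"  # EOI


def extract_icc_profile(jpeg):
    """Walk JPEG marker segments up to SOS and reassemble the ICC_PROFILE chunks.
    Returns the profile bytes, or None if the image embeds no profile."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos, chunks, total = 2, {}, None
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                             # standalone markers carry no length
            continue
        if marker in (0xD9, 0xDA):               # EOI, or SOS: entropy-coded data follows
            break
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header at offset %d" % pos)
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("bad segment length at offset %d" % pos)
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE2 and payload.startswith(APP2_ICC_PREFIX) and len(payload) >= 14:
            seq, count = payload[12], payload[13]
            total = count if total is None else total
            if count != total or seq in chunks or not 1 <= seq <= count:
                raise ValueError("inconsistent ICC_PROFILE chunk numbering")
            chunks[seq] = payload[14:]
        pos += 2 + length
    if total is None:
        return None
    if len(chunks) != total:
        raise ValueError("missing ICC_PROFILE chunks")
    return b"".join(chunks[i] for i in range(1, total + 1))


def analyze_icc_profile(profile):
    """Parse the ICC header and tag table; flag the values a careless native parser
    would trust (declared size, tag count, tag offset/size) that do not fit the data."""
    anomalies = []
    if len(profile) < ICC_HEADER_LEN + 4:
        return {"tags": [], "anomalies": ["profile shorter than header plus tag count"]}
    declared_size = struct.unpack(">I", profile[:4])[0]
    if profile[36:40] != b"acsp":
        anomalies.append("missing 'acsp' signature at offset 36")
    if declared_size != len(profile):
        anomalies.append("declared size %d != embedded size %d" % (declared_size, len(profile)))
    tag_count = struct.unpack(">I", profile[ICC_HEADER_LEN:ICC_HEADER_LEN + 4])[0]
    max_tags = (len(profile) - ICC_HEADER_LEN - 4) // 12
    if tag_count > max_tags:
        anomalies.append("tag count %d exceeds what fits in the profile (%d)" % (tag_count, max_tags))
        tag_count = max_tags
    tags = []
    for i in range(tag_count):
        entry = ICC_HEADER_LEN + 4 + 12 * i
        sig, offset, size = struct.unpack(">4sII", profile[entry:entry + 12])
        tags.append((sig.decode("latin-1"), offset, size))
        # offset + size can wrap in 32-bit arithmetic, so compare without adding them
        if offset > len(profile) or size > len(profile) - offset:
            anomalies.append("tag %r at %d with size %d runs past the profile" % (sig, offset, size))
    return {"declared_size": declared_size, "tag_count": tag_count, "tags": tags, "anomalies": anomalies}


# Constructed samples (not real Flickr/Blogspot files): one well-formed profile with a
# single 'desc' tag, and one whose tag entry claims an absurd size.
GOOD_PROFILE = build_icc_profile([(b"desc", b"\x00" * 8)])
BAD_PROFILE = GOOD_PROFILE[:140] + struct.pack(">I", 0xFFFFFFF0) + GOOD_PROFILE[144:]
GOOD_JPEG = build_jpeg_with_icc(GOOD_PROFILE)
BAD_JPEG = build_jpeg_with_icc(BAD_PROFILE)

if __name__ == "__main__":
    for name, data in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        print(name, analyze_icc_profile(extract_icc_profile(data)))
```

To inspect a real image, feed `open(path, "rb").read()` to `extract_icc_profile` in place of the constructed bytes. A profile that analyzes cleanly yet still trips the IPS is evidence for an over-broad signature rather than a malicious image, and that is the kind of detail worth attaching when asking for the signature to be corrected.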

3 Replies

dstegall72
Level 1

Anyone else experiencing this?  Given that Microsoft rates this exploit as "critical", I'd rather not disable IPS, but it's frustrating that so many images seem to be blocked by having it enabled.

I've experienced this too, on Flickr. Unfortunately I didn't save the links to the images that raised that IPS alert.

But I can see your image with IPS activated.

WRVS4400Nv2 @ V2.0.0.8;

IPS signatures: 1.42

I've just removed the proxy in my browser, so that it connects directly.

Et voilà: EXPLOIT Microsoft Color Management Module Buffer Overflow

But this raises the fear that IPS only works as expected when no (external) proxy is used.

That would be a serious problem, at least because it isn't mentioned in the online help/manual and because I'd leave my real IP at many places, which I wouldn't like.

I'd be happy to read a response from Cisco on the buffer overflow (is it a false positive?) and on whether IPS should work when an external proxy is used (via unencrypted connections, so the [W]RVS has a chance to read the communication).
