Last "Patch Tuesday" there was a serious vulnerability reported for Microsoft that could be exploited via an SNMP buffer overflow. But there does not seem to be a Cisco signature yet. Is there any status on this?
Due to the nature of the vulnerability, we are unable to create a signature with sufficient fidelity. These types of vulnerabilities are best suited to endpoint security systems such as CSA and are unsuitable for network detection.
I am confused. One post shows that you do have a signature, 5274. But you say that this kind of attack is not suited to network detection? This does not make sense to me. It is my understanding that it is a buffer overflow. SNMP is often poorly compliant with RFCs, but this is definitely a network-based issue, and as a customer that owns IPS and not CSA, it sounds like you are leaving us out on a limb. This is exactly why we have Cisco IPS, that is, to identify when someone uses a network-based exploit to attack us. If Cisco will not be emphasizing this kind of issue on IPS, then perhaps we should be investigating a better solution. This is a very disappointing and scary response.
"This bulletin covers an integer underflow vulnerability in Windows SNMP. This underflow enables attackers to gain complete control of a remote machine with a single malformed UDP packet that is easily spoofed."
Obviously you've pushed some buttons telling me to go buy something else.