McAfee M4050 - Network Security Platform User Manual, Page 3
Network Security Platform v5.1
Page 3
700-2014C00
Release Notes
1 What’s new in this release
This section details the additions and/or enhancements delivered with this 5.1 Release.
Support for Integration with Foundstone 6.8
With this release of 5.1, the Manager supports integration with Foundstone version 6.8.
Coverage of new TCP/IP vulnerabilities
This release of Network Security Platform covers the new TCP/IP vulnerabilities, including the ones disclosed in
Microsoft Security Bulletin MS09-048. These vulnerabilities could allow an attacker to cause a Denial-of-Service (DoS)
or execute code remotely on a compromised machine. The corresponding attack IDs of the vulnerabilities covered and
related details are given below.
Note: For protection against the following attacks, you need Sensor software 5.1.7.74/5.1.7.73 and Signature set version
5.1.27.12 or above.
1. AID 0x00009d00 – TCP: Small Window Flow Detected: This alert indicates the presence of a TCP flow with a very
small window size advertised by the client. Multiple such flows can potentially lead to resource exhaustion on the server.
This alert indicates a component attack. The correlated attack ID is 0x40019100. Please refer to KB60305 for more
details.
The vulnerabilities covered by this attack signature are:
CVE-2008-4609 - TCP/IP Zero Window Size Vulnerability
CVE-2009-1926 - TCP/IP Orphaned Connections Vulnerability
For the details on these vulnerabilities, you can go to http://www.microsoft.com/technet/security/Bulletin/ms09-048.mspx
or https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html.
2. AID 0x40019100 – TCP: Small Window DoS: This alert indicates an attempt to exploit a DoS vulnerability by sending
multiple TCP flows to a victim server with a very small client receive window size in the TCP header. This alert indicates
a correlated attack. The component attack ID is 0x00009d00. Please refer to KB60305 for more details.
3. AID 0x00009e00 – TCP: 3-Way Handshake PAWS Fail DoS: This alert indicates an attempt to establish a TCP flow
that will fail the "PROTECT AGAINST WRAPPED SEQUENCE NUMBERS" (PAWS) test. This can potentially lead to
resource exhaustion or even code execution on the victim machine.
The vulnerability covered by this attack signature is CVE-2009-1925 - TCP/IP Timestamps Code Execution Vulnerability.
4. AID 0x00009b00 – TCP: SYN Packet Fixed Options Header: This alert indicates the presence of a TCP SYN packet
with a fixed options pattern. It has been observed that an exploit tool can send such packets, which can potentially lead to a
DoS condition. This alert indicates a component attack. The correlated attack ID is 0x40014600. Please refer to
KB60305 for more details.
5. AID 0x40014600 – TCP: SYN Packet Fixed Header Options DoS: This alert indicates that someone is attempting to
DoS the victim by sending TCP SYN packets with fixed options in the header. This alert indicates a correlated attack.
The component attack ID is 0x00009b00. Please refer to KB60305 for more details.
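The component/correlated alert pairing for the small-window attacks and the PAWS test behind attack ID 0x00009e00 can be made concrete in code. The following is an added example written for this page, not McAfee's signature logic or any code from the product: it parses raw TCP headers, raises the component alert (0x00009d00) for each flow whose client advertises a very small window, raises the correlated alert (0x40019100) once several distinct flows do so towards one server socket, and flags a handshake segment whose TCP timestamp has gone backwards relative to the client's SYN, which is the condition the RFC 1323 PAWS test rejects. The window size limit, the flow threshold and all sample traffic are constructed assumptions for illustration; only the attack IDs come from the release notes.

```python
import struct
from collections import defaultdict

# Attack IDs quoted from the release notes above
AID_SMALL_WINDOW_FLOW = 0x00009d00  # component alert: one small-window flow
AID_SMALL_WINDOW_DOS = 0x40019100   # correlated alert: many such flows to one server
AID_PAWS_FAIL = 0x00009e00          # handshake segment that would fail the PAWS test

# Tuning values: assumptions for this example, not McAfee's signature thresholds
SMALL_WINDOW_MAX = 64   # advertised windows at or below this count as "very small"
FLOW_THRESHOLD = 5      # distinct small-window flows to one server before correlating

TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_tcp(segment: bytes) -> dict:
    """Parse an RFC 793 TCP header, walk its options, and return the fields the
    detectors need plus the TSval of a Timestamps option (kind 8) if present."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, _ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    tsval, opts, i = None, segment[20:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:           # End of Option List
            break
        if kind == 1:           # No-Operation (padding)
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break               # malformed length: stop rather than over-read
        if kind == 8 and opts[i + 1] == 10:
            tsval = struct.unpack("!I", opts[i + 2:i + 6])[0]
        i += opts[i + 1]
    return {"sport": sport, "dport": dport, "seq": seq,
            "flags": off_flags & 0x1FF, "window": window, "tsval": tsval}


def make_tcp(sport, dport, seq, flags, window, tsval=None, tsecr=0) -> bytes:
    """Build a TCP header (no payload) for the constructed sample traffic."""
    opts = b""
    if tsval is not None:   # Timestamps option plus two NOPs to reach a 4-byte boundary
        opts = struct.pack("!BBII", 8, 10, tsval, tsecr) + b"\x01\x01"
    data_offset = (20 + len(opts)) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       (data_offset << 12) | flags, window, 0, 0) + opts


class SmallWindowDetector:
    """0x00009d00 per small-window flow; 0x40019100 once enough distinct flows
    advertise a tiny window towards the same server socket."""
    def __init__(self, max_window=SMALL_WINDOW_MAX, threshold=FLOW_THRESHOLD):
        self.max_window, self.threshold = max_window, threshold
        self.flows = defaultdict(set)   # (server_ip, port) -> {(client_ip, port)}

    def observe(self, src_ip, dst_ip, tcp):
        alerts = []
        # Post-handshake segments (ACK set, SYN clear) carry the client window
        # that actually limits how much the server may send.
        if (tcp["flags"] & TCP_ACK and not tcp["flags"] & TCP_SYN
                and tcp["window"] <= self.max_window):
            alerts.append((AID_SMALL_WINDOW_FLOW, src_ip, dst_ip))
            server = (dst_ip, tcp["dport"])
            self.flows[server].add((src_ip, tcp["sport"]))
            if len(self.flows[server]) >= self.threshold:
                alerts.append((AID_SMALL_WINDOW_DOS, src_ip, dst_ip))
        return alerts


def ts_older(a: int, b: int) -> bool:
    """RFC 1323 comparison: is 32-bit timestamp a older than b, allowing wraparound?"""
    return ((a - b) & 0xFFFFFFFF) > 0x7FFFFFFF


class PawsDetector:
    """0x00009e00: remember each client's last TSval and flag a later segment on
    the same flow whose TSval has gone backwards, which PAWS would reject."""
    def __init__(self):
        self.ts_recent = {}   # (client_ip, sport, server_ip, dport) -> last TSval

    def observe(self, src_ip, dst_ip, tcp):
        if tcp["tsval"] is None:
            return None
        flow = (src_ip, tcp["sport"], dst_ip, tcp["dport"])
        last = self.ts_recent.get(flow)
        if last is not None and ts_older(tcp["tsval"], last):
            return (AID_PAWS_FAIL, src_ip, dst_ip)
        self.ts_recent[flow] = tcp["tsval"]
        return None


def run_demo():
    """Feed constructed segments through both detectors and return the alerts."""
    sw, paws, alerts, server = SmallWindowDetector(), PawsDetector(), [], "192.0.2.10"
    # Constructed: six clients each advertise a 1-byte window after their handshake
    for n in range(6):
        seg = parse_tcp(make_tcp(40000 + n, 80, 1000, TCP_ACK, 1))
        alerts += sw.observe(f"198.51.100.{n + 1}", server, seg)
    # Constructed: a SYN carrying TSval 5000 followed by a handshake ACK with TSval 4000
    for raw in (make_tcp(50000, 80, 1, TCP_SYN, 65535, tsval=5000),
                make_tcp(50000, 80, 2, TCP_ACK, 65535, tsval=4000, tsecr=1)):
        alert = paws.observe("198.51.100.99", server, parse_tcp(raw))
        if alert:
            alerts.append(alert)
    return alerts
```

Running `run_demo()` yields six component alerts, two correlated alerts (the fifth and sixth small-window flows to the same server socket both cross the threshold) and one PAWS alert. A production sensor would also age flows out and tolerate the transient zero windows that normal receivers advertise under load; the fixed threshold here is only to show how a component alert feeds a correlated one.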
Detection of attacks related to Conficker worm
AID 0x45d09300 – WORM: Conficker Activity Detected: This update provides accurate coverage for the detection of
Conficker communication over TCP/UDP protocols. The detection logic uses the port generation algorithm used by
Conficker worm.
For further details, go to: http://mtc.sri.com/Conficker/addendumC/index.html
Support for forwarding ICMP checksum errors
Previously, the CLI command ‘set tcpudpchecksumerrorr forward’ could be used to forward only TCP and UDP packets with checksum errors.
With this release, the same CLI command can also be used to forward ICMP packets with checksum errors.