We just released XPU 1.2 for Network Sensor 5.0. RealSecure Network Sensor
XPU 1.2 addresses two issues in the RealSecure Network Sensor 5.0 release.
This XPU eliminates a remote vulnerability in the TrinooDaemon Decode and a
false positive issue in the ISS Scan Decode. Please read the release notes
for more information. You can download the XPU right now through the RS
Console.
*************************************************************
Audra Eng
Internet Security Systems (ISS)
Phone: 415-379-3566
Fax: 415-831-4780
Internet Security Systems -- The Power to Protect
*******************************************************************
<<RELNOTES_XPU_MU1_2_Aug0200.txt>>
=====================================================================
Network Sensor Micro-Update 1.2 RELEASE NOTES
==================================================
Last modified: August 2, 2000
Two issues in the RealSecure Network Sensor 5.0 release have been identified and are
being addressed by this update:
---------------------
TrinooDaemon Decode
Fix Priority:
critical
Problem Description:
A critical defect has been identified in the TrinooDaemon decode. The defect can
result in the remote crash of a Network Sensor when the TrinooDaemon decode is
enabled.
Fix Description:
MicroUpdate 1.2 eliminates this remote vulnerability.
Decode Description:
Trin00 is a distributed denial of service attack tool. The TrinooDaemon decode
detects the Trin00 program's master-daemon communications.
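As an added illustration, not code from ISS or from these release notes, the following Python shows what a bounds-safe decode of Trin00 master-daemon control traffic looks like: every datagram is tokenised and checked by length rather than indexed blindly, so malformed or oversized input is simply rejected. The port numbers, command words and daemon password are taken from public analyses of the Trin00 tool and are assumptions here, not details stated in the notes; the sample datagrams are constructed, not captured traffic.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed Trin00 protocol facts (public analyses, not from the release notes):
# master -> daemon commands are ASCII "<cmd> <password> [args]" over UDP/27444
# with the daemon-side password "l44adsl"; daemon -> master replies go to
# UDP/31335 ("*HELLO*" when a daemon starts, "PONG" in answer to "png").
MASTER_TO_DAEMON_PORT = 27444
DAEMON_TO_MASTER_PORT = 31335
DAEMON_PASSWORD = b"l44adsl"
KNOWN_COMMANDS = {b"aaa", b"bbb", b"shi", b"png", b"d1e", b"rsz", b"xyz"}
MAX_PAYLOAD = 512  # Trin00 commands are tiny; cap work per packet

@dataclass
class TrinooEvent:
    direction: str
    command: str
    args: Tuple[str, ...]

def decode_trinoo(src_port: int, dst_port: int, payload: bytes) -> Optional[TrinooEvent]:
    """Return a TrinooEvent if the UDP datagram looks like Trin00 control
    traffic, else None. No byte is indexed without a prior length check."""
    if not isinstance(payload, (bytes, bytearray)) or len(payload) > MAX_PAYLOAD:
        return None
    if dst_port == MASTER_TO_DAEMON_PORT:
        tokens = payload.split()          # missing fields just yield fewer tokens
        if len(tokens) < 2 or tokens[0] not in KNOWN_COMMANDS:
            return None
        if tokens[1] != DAEMON_PASSWORD:  # wrong password: not a live Trin00 command
            return None
        args = tuple(t.decode("ascii", "replace") for t in tokens[2:])
        return TrinooEvent("master->daemon", tokens[0].decode("ascii"), args)
    if dst_port == DAEMON_TO_MASTER_PORT:
        if payload.startswith(b"*HELLO*") or payload == b"PONG":
            reply = payload[:7].decode("ascii", "replace")
            return TrinooEvent("daemon->master", reply, ())
    return None

# Constructed sample datagrams: (src_port, dst_port, payload).
SAMPLE_DATAGRAMS = [
    (1024, 27444, b"png l44adsl"),                     # ping a daemon
    (1024, 27444, b"aaa l44adsl 192.0.2.10"),          # flood command
    (1024, 27444, b"aaa wrongpassword 192.0.2.10"),    # rejected: bad password
    (1024, 27444, b"\xff" * 600),                      # rejected: oversized junk
    (27444, 31335, b"*HELLO*"),                        # daemon announcing itself
    (5353, 5353, b"not trinoo at all"),                # unrelated UDP traffic
]

def scan(datagrams: List[Tuple[int, int, bytes]]) -> List[TrinooEvent]:
    """Run the decode over a list of datagrams and keep only the hits."""
    return [e for e in (decode_trinoo(*d) for d in datagrams) if e is not None]
```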
---------------------
ISS Scan Decode
Fix Priority:
low
Problem Description:
A false positive issue has been identified in the ISS Scan signature. It was
possible for certain ICMP Echo Request payloads to falsely trigger the ISS Scan
event when in fact no scan was taking place.
Fix Description:
MicroUpdate 1.2 eliminates this false positive.
Decode Description:
The ISS Scan Decode provides notification that a network is being probed by
ISS's Internet Security Scanner.
---------------------
MicroUpdate 1.2 does not contain a console update; it is purely a fix release and
does not contain any new decodes. The console will display update level 1.1, while the
network sensor will display 1.2.
1. Customer Support
====================
Available 8 AM to 8 PM Monday through Friday US Eastern Time (GMT-5).
Telephone (in the U.S.): 1-888-447-4861
Telephone (outside the U.S.): +1-678-443-6400
E-mail: [EMAIL PROTECTED]
=====================================================================
RealSecure X-Press Updates are cumulative. The Release Notes for Micro-Update 1.1
are included below.
==================================================
Network Sensor Micro-Update 1.1 RELEASE NOTES
==================================================
RealSecure 5.0 now has X-Press Update capability, a technology that allows customers
to take full advantage of ISS X-Force research. From the ISS website, customers can
download just the latest attack signatures and remotely distribute them to their
sensors. As always, our signatures are verified, QA tested and digitally signed for
authentication within the product.
The RealSecure X-Press Update mechanism also supports the ability to completely
upgrade sensors to the new version. Once a RealSecure 5.0 sensor is installed,
customers can upgrade that sensor to the next released version from a remote or
centralized RealSecure WorkGroup Manager (formerly called the Console). This makes it
easier to manage more sensors.
The X-Press Update simplifies the process by automatically pointing you to the latest,
cumulative update for a sensor. Its easy-to-use design ensures that only the software
appropriate for your platform is installed.
DESCRIPTION:
RealSecure X-Press Update 1.1 is released concurrently with RealSecure 5.0 and
delivers a new signature, SubSeven_Scan for the Network Sensor.
SubSeven (aka BackDoor-G) is a trojan tool that can be used by malicious users to
maintain access to Windows 95 and 98 machines and control them remotely over TCP.
Reference:
SubSeven Web Page: http://freehosting2.at.webjump.com/ar/arvid-org/
==================================================
1. X-Press Update Description
1.1 X-Press Update Type Definitions
Micro-update:
A DLL or shared library that contains signature updates only.
Service Release:
A fix to a critical problem. May be a new sensor or daemon binary or some combination
of files. Less than a full install or Full Upgrade but generally treated as one.
Full Upgrade:
A complete new release (full install) of a sensor and new signatures.
Uninstall:
Removing the last installed update and restoring the system to the state it was in
prior to the update. Note this only applies to MicroUpdates and Patches.
1.2 Prerequisites for installing an X-Press Update
* RealSecure console must be version 5.0 or higher.
* RealSecure sensor must be version 5.0 or higher.
* Must have master controller status for the sensor being updated.
* Must have access to the X-Press Updates through an Internet connection, SAFEsuite
CD, or local network.
* Must close the RealSecure online help before installing the X-Press Update package.
1.3 New Signatures
Risk   Check Name      Category
====   =============   =========
High   SubSeven_Scan   Backdoors
1.4 Testing X-Press Updates
In addition to the messages that indicate that an X-Press Update was successfully
installed, you can test the SSH_Detected signature in the update:
1.4.1 Testing the SSH signature in the first X-Press Update
SSH_Detected is currently the only decode whose event information indicates
whether the decode is running as a built-in signature or as a Micro-update.
1. Enable the SSH_Detected signature.
2. Using an SSH client, attempt to connect to an SSH server on the network segment
being monitored. The SSH_Detected event will trigger.
3. Inspect the event. The SSH_Detected event will report its DecodeType as "Builtin".
4. Install the X-Press Update.
5. Attempt to connect to an SSH server again. The SSH_Detected event will trigger
again.
6. Inspect the event. The SSH_Detected event will report its DecodeType as
"MicroDecode".