-
Microsoft announced four security bulletins that address 42 vulnerabilities as part of the monthly security bulletin release on September 09, 2014. A summary of these bulletins is on the Microsoft website at http://technet.microsoft.com/en-us/security/bulletin/ms14-sep. This document provides identification and mitigation techniques that administrators can deploy on Cisco network devices.
The vulnerabilities that have a client software attack vector, can be exploited locally on the vulnerable device, require user interaction, or can be exploited using web-based attacks (these include but are not limited to cross-site scripting, phishing, and web-based email threats) or email attachments, are in the following list:
The vulnerabilities that have a network mitigation, including web and email security issues, are in the following list. Cisco devices provide several countermeasures for the vulnerabilities that have a network attack vector, which will be discussed in detail later in this document.
Information about affected and unaffected products is available in the respective Microsoft advisories and the Cisco Alerts that are referenced in Cisco Event Response: Microsoft Security Bulletin Release for September 2014.
In addition, multiple Cisco products use Microsoft operating systems as their base operating system. Cisco products that may be affected by the vulnerabilities described in the referenced Microsoft advisories are detailed in the "Associated Products" table in the "Product Sets" section.
-
MS14-052, Cumulative Security Update for Internet Explorer (2977629): These vulnerabilities have been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2013-7331, CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, and CVE-2014-4079 through CVE-2014-4111. These vulnerabilities can be exploited remotely without authentication and require user interaction. The attack vector for exploitation of these vulnerabilities is over HTTP and HTTPS packets that typically use TCP port 80 and port 443 but may also use TCP ports 3128, 8000, 8010, 8080, 8888, and 24326. Successful exploitation of these vulnerabilities may allow arbitrary code execution, which could enable an attacker to take control of the affected device.
MS14-055, Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service (2990928): These vulnerabilities have been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2014-4068, CVE-2014-4070, and CVE-2014-4071. These vulnerabilities can be exploited remotely without authentication and may require user interaction. The attack vector for exploitation of these vulnerabilities is over SMTP packets using TCP port 25 and HTTP and HTTPS packets that typically use TCP port 80 and port 443 but may also use TCP ports 3128, 8000, 8010, 8080, 8888, and 24326. Successful exploitation of these vulnerabilities may result in a denial of service (DoS) condition or allow information disclosure, which enables an attacker to learn information about the affected device. Due to the nature of cross-site scripting vulnerabilities, no additional information will be presented in this bulletin.
For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, refer to the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.
-
Information about vulnerable, unaffected, and fixed software is available in the Microsoft Security Bulletin Summary for September 2014, which is available at the following link: http://www.microsoft.com/technet/security/bulletin/ms14-sep
-
The vulnerabilities that have a client software attack vector, can be exploited locally on the vulnerable device, require user interaction, or can be exploited using web-based attacks (these include but are not limited to cross-site scripting, phishing, and web-based email threats) or email attachments, are in the following list:
These vulnerabilities are mitigated most successfully at the endpoint through software updates, user education, desktop administration best practices, and endpoint protection software such as Host Intrusion Prevention Systems (HIPS) or antivirus products.
The vulnerabilities that have a network mitigation are in the following list. Cisco devices provide several countermeasures for these vulnerabilities. This section of the document provides an overview of these techniques.
Effective use of Cisco Intrusion Prevention System (IPS) event actions provides visibility into and protection against attacks that attempt to exploit these vulnerabilities.
Effective use of Sourcefire Intrusion Prevention System (IPS) event actions provides visibility into and protection against attacks that attempt to exploit these vulnerabilities.
-
Organizations are advised to follow their standard risk evaluation and mitigation processes to determine the potential impact of these vulnerabilities. Triage refers to sorting projects and prioritizing efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.
-
Caution: The effectiveness of any mitigation technique depends on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.
Specific information about mitigation and identification is available for these devices:
Cisco Intrusion Prevention System
Mitigation: Cisco IPS Signature Event Actions
Administrators can use the Cisco IPS appliances and services modules to provide threat detection and help prevent attempts to exploit several of the vulnerabilities described in this document. The following table provides an overview of CVE identifiers and the respective Cisco IPS signatures that will trigger events on potential attempts to exploit these vulnerabilities.
| CVE ID | Signature Release | Signature ID | Signature Name | Enabled | Severity | Fidelity* |
|---|---|---|---|---|---|---|
| CVE-2014-2799 | S819 | 4550/0 | Microsoft Internet Explorer Use After Free Remote Code Execution | Yes | High | 85 |
| CVE-2014-4065 | S819 | 4631/0 | Microsoft Internet Explorer Memory Corruption Vulnerability | Yes | High | 85 |
| CVE-2014-4080 | S819 | 4634/0 | Microsoft Internet Explorer Memory Corruption Vulnerability | Yes | High | 85 |
| CVE-2014-4081 | S819 | 4629/0 | Microsoft Internet Explorer Remote Code Execution | Yes | High | 85 |
| CVE-2014-4084 | S819 | 4627/0 | Microsoft Internet Explorer Memory Corruption | Yes | High | 85 |
| CVE-2014-4087 | S819 | 4624/0 | Microsoft Internet Explorer Remote Code Execution | Yes | High | 85 |
| CVE-2014-4088 | S819 | 4633/0 | Microsoft Internet Explorer Remote Code Execution | Yes | Medium | 75 |
| CVE-2014-4089 | S819 | 4628/0 | Microsoft Internet Explorer Memory Corruption | Yes | High | 85 |
| CVE-2014-4092 | S819 | 4626/0 | Microsoft Internet Explorer Use After Free Vulnerability | Yes | High | 85 |
| CVE-2014-4094 | S819 | 4630/0 | Microsoft Internet Explorer Use After Free Vulnerability | Yes | High | 80 |
| CVE-2014-4095 | S819 | 4635/0 | Microsoft Internet Explorer Use After Free Vulnerability | Yes | High | 80 |

* Fidelity is also referred to as Signature Fidelity Rating (SFR) and is the relative measure of the accuracy of the signature (predefined). The value ranges from 0 through 100 and is set by Cisco Systems, Inc.
Administrators can configure Cisco IPS sensors to perform an event action when an attack is detected. The configured event action performs preventive or deterrent controls to help protect against an attack that is attempting to exploit the vulnerabilities listed in the preceding table.
Cisco IPS sensors are most effective when deployed in inline protection mode combined with the use of an event action. Automatic Threat Prevention for Cisco IPS 7.x and 6.x sensors that are deployed in inline protection mode provides threat prevention against an attack that is attempting to exploit the vulnerability that is described in this document. Threat prevention is achieved through a default override that performs an event action for triggered signatures with a riskRatingValue greater than 90. For additional information about the risk rating and threat rating calculation, reference Risk Rating and Threat Rating: Simplify IPS Policy Management.
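The following added example (not part of the Cisco bulletin) works out which signatures in the preceding table would cross the default override threshold on their own. It assumes the risk rating formula and rating values from Cisco's published risk rating description, RR = (ASR x TVR x SFR) / 10000 + ARR - PD + WLR; the function names and the `target_value` and `relevancy` parameters are illustrative.

```python
# Added example. The formula and the ASR/TVR/ARR values are assumptions taken
# from Cisco's published risk rating description, not from this bulletin.
ASR = {"Informational": 25, "Low": 50, "Medium": 75, "High": 100}
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150,
       "mission-critical": 200}
ARR = {"relevant": 10, "unknown": 0, "not-relevant": -10}

# (signature ID, severity, fidelity) copied from the table above.
SIGNATURES = [
    ("4550/0", "High", 85), ("4631/0", "High", 85), ("4634/0", "High", 85),
    ("4629/0", "High", 85), ("4627/0", "High", 85), ("4624/0", "High", 85),
    ("4633/0", "Medium", 75), ("4628/0", "High", 85), ("4626/0", "High", 85),
    ("4630/0", "High", 80), ("4635/0", "High", 80),
]

# The bulletin states the override acts on a riskRatingValue greater than 90.
OVERRIDE_THRESHOLD = 90


def risk_rating(severity, fidelity, target_value="medium",
                relevancy="unknown", promiscuous_delta=0, watch_list=0):
    """Risk rating clamped to 0..100; promiscuous_delta stays 0 when inline."""
    base = ASR[severity] * TVR[target_value] * fidelity / 10000
    rr = base + ARR[relevancy] - promiscuous_delta + watch_list
    return max(0, min(100, round(rr)))


def override_fires(severity, fidelity, **kwargs):
    """True when the default override would act on this signature."""
    return risk_rating(severity, fidelity, **kwargs) > OVERRIDE_THRESHOLD


def coverage(**kwargs):
    """Map each signature ID to (risk rating, override fires?)."""
    return {sig: (risk_rating(sev, sfr, **kwargs),
                  override_fires(sev, sfr, **kwargs))
            for sig, sev, sfr in SIGNATURES}


if __name__ == "__main__":
    for sig, (rr, fires) in coverage(relevancy="relevant").items():
        print(f"{sig}: RR={rr} override={'yes' if fires else 'no'}")
```

Under these assumptions, with a medium target value and unknown relevancy none of the listed signatures exceeds 90, so an explicit per-signature event action is what provides prevention for them.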
For information about using Cisco Security Manager to view the activity from a Cisco IPS sensor, see the Identification of Malicious Traffic Using Cisco Security Manager white paper.
Sourcefire Signature Information
The following Sourcefire Snort signatures are available for the Microsoft September 2014 Security Update.
| Microsoft Bulletin ID | Microsoft Advisory Name | Applicable Rules |
|---|---|---|
| 2977629 | Cumulative Security Update for Internet Explorer | 1:29821 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:29822 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:30110 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:30111 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:30112 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:30113 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31782 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31783 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31784 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31785 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31786 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31787 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31788 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31789 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31790 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31791 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31792 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31793 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31794 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31795 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31796 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31797 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31799 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31800 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31801 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31802 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31811 |
| 2977629 | Cumulative Security Update for Internet Explorer | 1:31812 |

For information about using Sourcefire Snort and Sourcefire Next Generation IPS, reference Sourcefire Next-Generation Security.
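One way to confirm that the rules listed above are actually deployed is to audit the sensor's rule files for those SIDs. The following is an added example, not Cisco or Sourcefire code; `audit_rules`, the status names, and the sample rule lines are constructed for illustration, and the rule lines carry no real detection content.

```python
import re

# Snort rule SIDs (GID 1) from the table above for bulletin 2977629.
BULLETIN_SIDS = ({29821, 29822} | set(range(30110, 30114))
                 | set(range(31782, 31798)) | set(range(31799, 31803))
                 | {31811, 31812})

# Matches an active or commented-out rule header and captures its sid option.
RULE_RE = re.compile(
    r"^\s*(#\s*)?(alert|drop|reject|sdrop)\b.*\bsid\s*:\s*(\d+)\s*;")
RANK = {"missing": 0, "disabled": 1, "alerting": 2, "blocking": 3}

# Constructed sample rule file (placeholder messages, no detection options).
SAMPLE_RULES = '''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed A"; sid:31782; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed B"; sid:31783; rev:1;)
drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed C"; sid:29821; rev:2;)
alert tcp any any -> any any (msg:"unrelated local rule"; sid:1000001; rev:1;)
'''.splitlines()


def audit_rules(lines, wanted=BULLETIN_SIDS):
    """Report each wanted SID as blocking, alerting, disabled or missing."""
    best = {sid: "missing" for sid in wanted}
    for line in lines:
        m = RULE_RE.match(line)
        if not m or int(m.group(3)) not in wanted:
            continue
        commented, action, sid = m.group(1), m.group(2), int(m.group(3))
        if commented:
            status = "disabled"      # rule present but commented out
        elif action == "alert":
            status = "alerting"      # detects only, traffic still passes
        else:
            status = "blocking"      # drop/reject/sdrop act when inline
        # If a SID appears more than once, keep its strongest state.
        if RANK[status] > RANK[best[sid]]:
            best[sid] = status
    report = {name: [] for name in RANK}
    for sid in sorted(best):
        report[best[sid]].append(sid)
    return report


if __name__ == "__main__":
    for status, sids in audit_rules(SAMPLE_RULES).items():
        print(f"{status:9} {len(sids):2}  {sids}")
```

Feeding it the lines of the deployed rule files instead of `SAMPLE_RULES` shows at a glance which bulletin rules only alert and which are absent from the installed rule pack.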
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
-
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
-
The security vulnerability applies to the following combinations of products.
Primary Products

Microsoft, Inc.
.NET Framework: 1.1 (SP1) | 2.0 (SP2) | 3.0 (SP2) | 3.5 (Base) | 3.5.1 (Base) | 4.0 (Base) | 4.5 (Base) | 4.5.1 (Base) | 4.5.2 (Base)
Internet Explorer: 6.0 (Base) | 7.0 (Base) | 8.0 (Base) | 9.0 (Base) | 10.0 (Base) | 11.0 (Base)
Windows 7: for 32-bit systems (SP1) | for x64-based systems (SP1)
Windows 8: for 32-bit systems (Base) | for x64-based systems (Base)
Windows 8.1: for 32-bit Systems (Base) | for x64-based Systems (Base)
Windows RT: Original Release (Base) | 8.1 (Base)
Windows Server 2003: Datacenter Edition (SP2) | Datacenter Edition, 64-bit (Itanium) (SP2) | Datacenter Edition x64 (AMD/EM64T) (SP2) | Enterprise Edition (SP2) | Enterprise Edition, 64-bit (Itanium) (SP2) | Enterprise Edition x64 (AMD/EM64T) (SP2) | Standard Edition (SP2) | Standard Edition, 64-bit (Itanium) (SP2) | Standard Edition x64 (AMD/EM64T) (SP2) | Web Edition (SP2)
Windows Server 2008: Datacenter Edition (SP2) | Datacenter Edition, 64-bit (SP2) | Itanium-Based Systems Edition (SP2) | Enterprise Edition (SP2) | Enterprise Edition, 64-bit (SP2) | Essential Business Server Standard (SP2) | Essential Business Server Premium (SP2) | Essential Business Server Premium, 64-bit (SP2) | Standard Edition (SP2) | Standard Edition, 64-bit (SP2) | Web Server (SP2) | Web Server, 64-bit (SP2)
Windows Server 2008 R2: x64-Based Systems Edition (SP1) | Itanium-Based Systems Edition (SP1)
Windows Server 2012: Original Release (Base)
Windows Server 2012 R2: Original Release (Base)
Windows Vista: Home Basic (SP2) | Home Premium (SP2) | Business (SP2) | Enterprise (SP2) | Ultimate (SP2) | Home Basic x64 Edition (SP2) | Home Premium x64 Edition (SP2) | Business x64 Edition (SP2) | Enterprise x64 Edition (SP2) | Ultimate x64 Edition (SP2)
Lync Server: 2010 (Base) | 2013 (Base)

Associated Products

Microsoft, Inc.
Windows 7: for 32-bit systems | for x64-based systems
Windows 8: for 32-bit systems | for x64-based systems
Windows 8.1: for 32-bit Systems | for x64-based Systems
Windows RT: Original Release | 8.1
Windows Server 2003: Datacenter Edition | Datacenter Edition, 64-bit (Itanium) | Datacenter Edition x64 (AMD/EM64T) | Enterprise Edition | Enterprise Edition, 64-bit (Itanium) | Enterprise Edition x64 (AMD/EM64T) | Standard Edition | Standard Edition, 64-bit (Itanium) | Standard Edition x64 (AMD/EM64T) | Web Edition
Windows Server 2008: Datacenter Edition | Datacenter Edition, 64-bit | Itanium-Based Systems Edition | Enterprise Edition | Enterprise Edition, 64-bit | Essential Business Server Standard | Essential Business Server Premium | Essential Business Server Premium, 64-bit | Standard Edition | Standard Edition, 64-bit | Web Server | Web Server, 64-bit
Windows Server 2008 R2: x64-Based Systems Edition | Itanium-Based Systems Edition
Windows Server 2012: Original Release
Windows Server 2012 R2: Original Release
Windows Vista: Home Basic | Home Premium | Business | Enterprise | Ultimate | Home Basic x64 Edition | Home Premium x64 Edition | Business x64 Edition | Enterprise x64 Edition (Base) | Ultimate x64 Edition
-
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products