Proventia Server IPS for Linux technology, RealSecure Desktop, Proventia Network IPS, Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, RealSecure Server Sensor, RealSecure Network, BlackICE PC Protection, BlackICE Server Protection, Virtual Server Protection for VMware:
This signature looks for a large Control Channel request.
Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, RealSecure Server Sensor, RealSecure Network, BlackICE PC Protection, BlackICE Server Protection, Virtual Server Protection for VMware: This signature could fire on unrelated traffic that contains a specific byte sequence on TCP port 2556.
High
Proventia Server IPS for Linux technology: 1.95, RealSecure Desktop: eqb, Proventia Network IPS: XPU 1.95, Proventia Desktop: 1960, Proventia-G 1.1 and earlier: XPU 24.56, Proventia Network IDS: XPU 24.56, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network MFS: XPU 1.95, IBM Security Server Protection for Windows: 1.0.914.1960, RealSecure Server Sensor: XPU 24.56, RealSecure Network: XPU 24.56, BlackICE PC Protection: 3.6cqb, BlackICE Server Protection: 3.6.cqb, Virtual Server Protection for VMware: 1.0
Cisco Unified CallManager: 4.2, Cisco Unified CallManager: 5.0, Cisco Unified CallManager: 3.3(5)SR1, Cisco Unified CallManager: 3.3(5)SR1a, Cisco Unified CallManager: 3.3(5)SR2, Cisco Unified CallManager: 3.3(5), Cisco Unified CallManager: 4.1(3)SR1, Cisco Unified CallManager: 4.1(3)SR2, Cisco Unified CallManager: 4.1(3)SR3, Cisco Unified CallManager: 4.1(3)SR4, Cisco Unified CallManager: 4.1(3), Cisco Unified CallManager: 4.2(3)SR1, Cisco Unified Communications Manager: 4.3, Cisco Unified Communications Manager: 4.3(1), Cisco Unified Communications Manager: 5.1, Cisco Unified Communications Manager: 5.1(1)
Unauthorized Access Attempt
The Real-Time Information Server (RIS) Data Collector service (RisDC.exe) of Cisco Unified Communications Manager (CUCM), formerly Cisco CallManager, is vulnerable to a heap-based buffer overflow caused by an integer overflow. By sending specially crafted packets to a vulnerable device, a remote attacker could overflow a buffer and execute arbitrary code or cause the service to crash.
Refer to cisco-sa-20070711-cucm for patch, upgrade, or suggested workaround information. See References.
cisco-sa-20070711-cucm
Cisco Security Advisory: Cisco Unified Communications Manager Overflow Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20070711-cucm.shtml
IBM Internet Security Systems Protection Advisory July 11, 2007
Cisco Call Manager RisDC.exe Remote Code Execution
http://www.iss.net/threats/271.html
ISS X-Force
Cisco Unified Communications Manager RisDC.exe buffer overflow
http://www.iss.net/security_center/static/19057.php
CVE
CVE-2006-5278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5278