Proventia Network IPS, RealSecure Desktop, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, RealSecure Server Sensor, RealSecure Network, BlackICE PC Protection, BlackICE Server Protection, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology:
This signature looks for a large Control Channel request.
Proventia Network IPS, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, RealSecure Server Sensor, RealSecure Network, BlackICE PC Protection, BlackICE Server Protection, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology: This signature could fire on unrelated traffic that contains a specific byte sequence on TCP port 2556.
High
Proventia Network IPS: XPU 1.95, RealSecure Desktop: eqb, Proventia-G 1.1 and earlier: XPU 24.56, Proventia Desktop: 1960, Proventia Network IDS: XPU 24.56, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network MFS: XPU 1.95, IBM Security Server Protection for Windows: 1.0.914.1960, RealSecure Server Sensor: XPU 24.56, RealSecure Network: XPU 24.56, BlackICE PC Protection: 3.6cqb, BlackICE Server Protection: 3.6.cqb, Virtual Server Protection for VMware: 1.0, Proventia Server IPS for Linux technology: 1.95
Cisco Unified CallManager: 4.2, Cisco Unified CallManager: 5.0, Cisco Unified CallManager: 3.3(5)SR1, Cisco Unified CallManager: 3.3(5)SR1a, Cisco Unified CallManager: 3.3(5)SR2, Cisco Unified CallManager: 3.3(5), Cisco Unified CallManager: 4.1(3)SR1, Cisco Unified CallManager: 4.1(3)SR2, Cisco Unified CallManager: 4.1(3)SR3, Cisco Unified CallManager: 4.1(3)SR4, Cisco Unified CallManager: 4.1(3), Cisco Unified CallManager: 4.2(3)SR1, Cisco Unified Communications Manager: 4.3, Cisco Unified Communications Manager: 4.3(1), Cisco Unified Communications Manager: 5.1, Cisco Unified Communications Manager: 5.1(1)
Unauthorized Access Attempt
The Real-Time Information Server (RIS) Data Collector service (RisDC.exe) of the Cisco Unified Communications Manager (CUCM), formerly Cisco CallManager, is vulnerable to a heap-based buffer overflow caused by an integer overflow. By sending specially crafted packets to a vulnerable device, a remote attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code or cause the service to crash.
Refer to cisco-sa-20070711-cucm for patch, upgrade, or suggested workaround information. See References.
cisco-sa-20070711-cucm
Cisco Security Advisory: Cisco Unified Communications Manager Overflow Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20070711-cucm.shtml
IBM Internet Security Systems Protection Advisory July 11, 2007
Cisco Call Manager RisDC.exe Remote Code Execution
http://www.iss.net/threats/271.html
ISS X-Force
Cisco Unified Communications Manager RisDC.exe buffer overflow
http://www.iss.net/security_center/static/19057.php
CVE
CVE-2006-5278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5278