Cisco Systems, Inc.
Cisco Intrusion Prevention System
IPS 6.2(4)E4 SERVICE PACK

Copyright (C) 2011 Cisco Systems, Inc. All rights reserved.
Printed in the USA.

Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their registered owners.

========================================================================
Table Of Contents
========================================================================

SERVICE PACK NOTE

6.2(4)E4 SERVICE PACK UPDATE INSTRUCTIONS AND DETAILS
  - MINIMUM REQUIREMENTS
  - FILE LIST
  - SUPPORTED PLATFORMS
  - INSTALLATION USING THE CLI
  - INSTALLATION CAVEATS
  - RESOLVED ISSUES
  - RELEVANT ISSUES NOT RESOLVED
  - NEW FEATURES
  - RESTRICTIONS
  - CSM UPDATE INSTRUCTIONS
  - CSM, AIM IPS, and NME IPS UPDATE INSTRUCTIONS

========================================================================

SERVICE PACK NOTE

This SERVICE PACK addresses the issues described in the RESOLVED ISSUES section of this document. This service pack is being used as a release vehicle to repair critical sensor failures. This service pack contains the S549 signature level, but preserves any more recent signature levels installed on your sensor.

========================================================================

6.2(4)E4 SERVICE PACK UPDATE INSTRUCTIONS AND DETAILS

NOTE: You must have a valid maintenance contract per sensor to receive and use software upgrades including signature updates from Cisco.com.

MINIMUM REQUIREMENTS

To install the IPS-K9-6.2-4-E4.pkg, IPS-NME-K9-6.2-4-E4.pkg, or IPS-AIM-K9-6.2-4-E4.pkg service pack version upgrade file, you must be running IPS version 5.1(6)E3 or later on your sensor.

NOTE: The IPS-AIM-K9-6.2-4-E4.pkg upgrade file can only be used to upgrade AIM-IPS sensors. The IPS-NME-K9-6.2-4-E4.pkg upgrade file can only be used to upgrade NME-IPS sensors.
The IPS-SSC_5-K9-6.2-4-E4.pkg can only be used to upgrade AIP SSC5 sensors. For all other supported sensors, use the IPS-K9-6.2.4-E4.pkg upgrade file.

To see what version the sensor is currently running, log in to the CLI and execute the 'show version' command.

For detailed instructions on installing the service pack upgrade file, refer to "Upgrading, Downgrading, and Installing System Images," in Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 6.2 available at this URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guides_list.html

FILE LIST

The following files are included as part of this release:

Readme
  - IPS-6_2-4-E4-readme.txt

Service Pack Upgrade Files
  - IPS-AIM-K9-6.2-4-E4.pkg
  - IPS-K9-6.2-4-E4.pkg
  - IPS-NME-K9-6.2-4-E4.pkg
  - IPS-SSC_5-K9-6.2-4-E4.pkg

6.2(4) System Image Files
  - IPS-4240-K9-sys-1.1-a-6.2-4-E4.img
  - IPS-4255-K9-sys-1.1-a-6.2-4-E4.img
  - IPS-4260-K9-sys-1.1-a-6.2-4-E4.img
  - IPS-4270_20-K9-sys-1.1-a-6.2-4-E4.img
  - IPS-IDSM2-K9-sys-1.1-a-6.2-4-E4.bin.gz
  - IPS-SSM_10-K9-sys-1.1-a-6.2-4-E4.img
  - IPS-SSM_20-K9-sys-1.1-a-6.2-4-E4.img
  - IPS-SSM_40-K9-sys-1.1-a-6.2-4-E4.img
  - IPS-AIM-K9-sys-1.1-a-6.2-4-E4.img
  - IPS-NME-K9-sys-1.1-a-6.2-4-E4.img
  - IPS-SSC_5-K9-sys-1.1-a-6.2-4-E4.img

6.2(4) Recovery Image Files
  - IPS-K9-r-1.1-a-6.2-4-E4.pkg
  - IPS-AIM-K9-r-1.1-a-6.2-4-E4.pkg
  - IPS-NME-K9-r-1.1-a-6.2-4-E4.pkg
  - IPS-SSC_5-K9-r-1.1-a-6.2-4-E4.pkg

CSM Package Service Pack Upgrade Files
  - IPS-CS-MGR-AIM-K9-6.2-4-E4.zip
  - IPS-CS-MGR-K9-6.2-4-E4.zip
  - IPS-CS-MGR-NME-K9-6.2-4-E4.zip
  - IPS-CS-MGR-SSC_5-K9-6.2-4-E4.zip

SUPPORTED PLATFORMS

The following IPS/IDS platforms are supported:
  - IPS 4240 Series Appliance Sensor
  - IPS 4255 Series Appliance Sensor
  - IPS 4260 Series Appliance Sensor
  - IPS 4270 Series Appliance Sensor
  - IDSM2 for Catalyst 6500
  - AIP SSC-5 for ASA 5505
  - AIP SSM-10 for ASA 5500
  - AIP SSM-20 for ASA 5500
  - AIP SSM-40 for ASA 5500
  - AIM IPS for ISR Router
  - NME IPS for ISR Router

The following platforms are no longer supported:
  - IDS-4210 Series Appliance Sensor
  - IDS-4215 Series Appliance Sensor
  - IDS-4235 Series Appliance Sensor
  - IDS-4250 Series Appliance Sensor
  - NM-CIDS for Cisco 26xx, 3660, and 37xx Router Families

INSTALLATION USING THE CLI

NOTE: You must be logged on to Cisco.com using an account with cryptographic privileges to access the download site, and you must have a SMARTnet maintenance contract number to request software upgrades from Cisco.com.

NOTE: This service pack requires an automatic reboot of the sensor to apply the changes. Inline network traffic will be disrupted during the reboot.

To install the 6.2(4)E4 service pack using the CLI, follow these steps:

1. Download the file IPS-K9-6.2-4-E4.pkg to a local server.
   Note: The AIM, NME, and SSC-5 devices require their own platform-specific package as listed above.

2. Log in to the CLI using an account with administrator privileges.

3. Type the following command to enter configuration mode:

   configure terminal

4. Type the following command to upgrade the sensor:

   sensor(config)# upgrade [URL]/IPS-K9-6.2-4-E4.pkg

   where the [URL] is a uniform resource locator pointing to where the package is located. For example, to retrieve the update via SCP, type the following:

   sensor(config)# upgrade scp://@/// IPS-K9-6.2-4-E4.pkg

   The available transport methods are SCP, FTP, HTTP, or HTTPS.

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

7. The sensor reboots to finish applying the changes.

To determine whether the 6.2(4)E4 service pack has successfully been installed on a sensor, log in to the CLI and type 'show version' at the command prompt. The sensor will report the version as 6.2(4)E4, and the Upgrade History should include IPS-K9-6.2-4-E4.pkg.

INSTALLATION CAVEATS

The 6.2(4)E4 service pack cannot be uninstalled.
You must re-image the sensor using a system image file, which causes all configuration settings to be lost.

The install behavior of this service pack is that all executables, libraries, and so forth are replaced but user configuration is preserved. The reason for this upgrade behavior change is that this service pack contains changes to libraries and drivers.

RESOLVED ISSUES

The following known issues have been resolved in the 6.2(4)E4 service pack release. Release notes can be viewed in Bug Navigator at the following URL:

http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

Identifier  Headline
----------  -------------------------------------------------------------
CSCsz20563  SMB Advanced STL vector out of range error message
CSCtb12160  SSC-5: IDM https sessions hung in CLOSE_WAIT
CSCtd34035  IDS: sensorApp (AnalysisEngine) NotRunning, crashed on AIM-IPS / NME-IPS
CSCtd34213  Sensor "show tech-support" should include textual configuration
CSCtf00039  ASA:SSM cplane/E CP Message Header Content errors in SSM show tech.
CSCtf42699  IPS: Enabling NTP bypasses access control lists
CSCtf96673  Users cannot create custom sigs in StringXL on non-Spyker platforms
CSCtg09264  Context buffer does not correctly handle < 256 bytes in the stream
CSCtg22575  Unexpected Behavior using Exact-Match-Offset In Atomic ip
CSCtg92362  IPS: Enh. to add ls -alR /home and /root to show tech cidDump output
CSCth01671  Incorrect recognition of multicast traffic in ARP inspector
CSCti33651  coreSigHandler should not call functions that malloc
CSCti33970  Atomic IP:Cannot write a regular expression for L4 when L4 is Other
CSCti38472  show tech-support displays Error: Anomaly Detection is not supported
CSCti64172  IDS 7.x pkg storage space errors during upgrade
CSCti86165  Service HTTP URI Processing Abnormality
CSCti99266  IPS: The AIM module is timing out packets when under load.
CSCtj25806  rbcpd stops running on NME/AIM
CSCtj25898  memory leak in a time stamp loop in case platform validation fails
CSCtj63190  IpDualNode and Frag/Datagram do not expire with TimeEvent
CSCtj67834  inline-mode asym on promiscuous int prevents TCP stream reassembly
CSCtj78015  TcpRootNode destructor errors on database purge
CSCtj85152  dlmallinfo (getMemoryCap) is not thread safe
CSCtk55233  improve GRE frag/tunnel workaround
CSCtk97777  Restart sensorApp process during CT's for blown memcap
CSCtk97799  Log a memcap blown warning to main.log during CT processing
CSCtl45521  IME connection to IPS going down due to CT control transaction issue
CSCtn23051  sequential allocator miscalculates space and causes memory corruption failed
CSCto32025  IPv6: Incorrect decoding of packets containing an ESP header
CSCtq85159  Sensor stops passing traffic when under synflood

RELEVANT ISSUE NOT RESOLVED

CSCth42593  6.2(2p1)E4 crash – FragProcessor
CSCti49271  Inline IPS4270 stops traffic after reset in redundant environment
CSCtq92141  Authenticated NTP not working

NEW FEATURES

Version 6.2(4) is primarily focused on reliability and serviceability. No new features are being released with this update.

CSM UPDATE INSTRUCTIONS

To apply the 6.2(4)E4 service pack to sensor(s) using CSM 3.x or 4.x, follow these steps:

1. Download the service pack ZIP file, IPS-CS-MGR-K9-6.2-4-E4.zip, to the /MDC/ips/updates directory.

2. Launch IPS Update Wizard from Tools-->Apply IPS Update. Select Sensor Updates from the drop down menu, and select the IPS-CS-MGR-K9-6.2-4-E4.zip file.

3. Click Next to go to next screen.

4. Select the device(s) to apply the service pack, then click Finish.

5. Create a deployment job and deploy to sensor(s) using Deployment Manager. Deployment Manager can be launched from Tools-->Deployment Manager. Click Deploy in the popup and follow instructions.
CSM, AIM IPS, IME IPS, and SSC-5 IPS UPDATE INSTRUCTIONS

AIM IPS, NME IPS, and SSC-5 IPS require the following platform-specific packages:

  IPS-CS-MGR-AIM-K9-6.2-4-E4.pkg for AIM IPS
  IPS-CS-MGR-NME-K9-6.2-4-E4.pkg for NME IPS
  IPS-CS-MGR-SSC_5-K9-6.1-4-E4.pkg for SSC-5 IPS.

To update AIM IPS, NME IPS, and SSC-5 IPS from CSM, select IPS-CS-MGR-K9-6.2-4-E4.zip in the Update File list box and click Next. The AIM, NME, and SSC-5 platform-specific upgrade packages do not appear in the list; however, CSM automatically applies the correct platform package to them.

=========================================================================
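
The checks described under MINIMUM REQUIREMENTS and INSTALLATION USING THE CLI (running 5.1(6)E3 or later, choosing the platform-specific package, then confirming the version and Upgrade History in 'show version') can be run over saved 'show version' captures before and after a maintenance window. This is an added example, not part of the Cisco readme or Cisco tooling. It assumes the capture contains "Version", "Platform:" and "Upgrade History:" lines, that the platform name contains AIM, NME or SSC for those modules, and that versions order by release and then E level; the sample captures are constructed.

```python
import re

MINIMUM = (5, 1, 6, 3)   # readme: IPS 5.1(6)E3 or later
TARGET = (6, 2, 4, 4)    # 6.2(4)E4
GENERIC = "IPS-K9-6.2-4-E4.pkg"
PLATFORM_PKGS = {        # platform-specific upgrade files named in the readme
    "AIM": "IPS-AIM-K9-6.2-4-E4.pkg",
    "NME": "IPS-NME-K9-6.2-4-E4.pkg",
    "SSC": "IPS-SSC_5-K9-6.2-4-E4.pkg",
}
# Accepts patch levels such as 6.2(2p1)E4; the patch suffix is ignored.
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)(?:p\d+)?\)E(\d+)")

def parse_version(show_version):
    """Return (major, minor, maintenance, engine) or None if not found."""
    m = VERSION_RE.search(show_version)
    return tuple(int(g) for g in m.groups()) if m else None

def package_for(show_version):
    """Pick the upgrade file from the Platform: line (substring match is an assumption)."""
    m = re.search(r"^Platform:\s*(\S+)", show_version, re.M)
    platform = m.group(1).upper() if m else ""
    for tag, pkg in PLATFORM_PKGS.items():
        if tag in platform:
            return pkg
    return GENERIC

def preflight(show_version):
    """Return (ok, package); ok is False when the version is unknown or too old."""
    ver = parse_version(show_version)
    return (ver is not None and ver >= MINIMUM, package_for(show_version))

def upgrade_verified(show_version):
    """True only if the sensor reports 6.2(4)E4 and the package is in Upgrade History."""
    history = show_version.partition("Upgrade History:")[2]
    stem = package_for(show_version)[:-len(".pkg")]
    return parse_version(show_version) == TARGET and stem in history

# Constructed captures, not real sensor output.
BEFORE_AIM = ("Cisco Intrusion Prevention System, Version 6.2(2p1)E4\n"
              "Platform:               AIM-IPS-K9\n"
              "Upgrade History:\n  IPS-AIM-K9-6.2-2-E4   10:00:00 UTC Mon Jan 03 2011\n")
TOO_OLD = ("Cisco Intrusion Prevention System, Version 5.1(6)E2\n"
           "Platform:               IPS-4240-K9\nUpgrade History:\n")
AFTER_4240 = ("Cisco Intrusion Prevention System, Version 6.2(4)E4\n"
              "Platform:               IPS-4240-K9\n"
              "Upgrade History:\n  IPS-K9-6.2-4-E4   15:31:13 UTC Mon Sep 12 2011\n")
```

A sensor that fails preflight() should not be sent the service pack, and upgrade_verified() requires both the version string and the history entry.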