The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of HPE TippingPoint Intrusion Prevention Systems

computer threat alert CVE-2014-3566

SSL 3.0: decrypting session, POODLE

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can decrypt a SSL 3.0 session, in order to obtain sensitive information.
Severity: 3/4.
Creation date: 15/10/2014.
Identifiers: 10923, 1589583, 1595265, 1653364, 1657963, 1663874, 1687167, 1687173, 1687433, 1687604, 1687611, 1690160, 1690185, 1690342, 1691140, 1692551, 1695392, 1696383, 1699051, 1700706, 2977292, 3009008, 7036319, aid-10142014, AST-2014-011, bulletinapr2015, bulletinjan2015, bulletinjan2016, bulletinjul2015, bulletinjul2016, bulletinoct2015, c04486577, c04487990, c04492722, c04497114, c04506802, c04510230, c04567918, c04616259, c04626982, c04676133, c04776510, CERTFR-2014-ALE-007, CERTFR-2014-AVI-454, CERTFR-2014-AVI-509, CERTFR-2015-AVI-169, CERTFR-2016-AVI-303, cisco-sa-20141015-poodle, cpujul2017, CTX216642, CVE-2014-3566, DSA-3053-1, DSA-3253-1, DSA-3489-1, ESA-2014-178, ESA-2015-098, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FEDORA-2014-12989, FEDORA-2014-12991, FEDORA-2014-13012, FEDORA-2014-13017, FEDORA-2014-13040, FEDORA-2014-13069, FEDORA-2014-13070, FEDORA-2014-13444, FEDORA-2014-13451, FEDORA-2014-13764, FEDORA-2014-13777, FEDORA-2014-13781, FEDORA-2014-13794, FEDORA-2014-14234, FEDORA-2014-14237, FEDORA-2014-15379, FEDORA-2014-15390, FEDORA-2014-15411, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2015-9090, FEDORA-2015-9110, FreeBSD-SA-14:23.openssl, FSC-2014-8, HPSBGN03256, HPSBGN03305, HPSBGN03332, HPSBHF03156, HPSBHF03300, HPSBMU03152, HPSBMU03184, HPSBMU03213, HPSBMU03416, HPSBUX03162, HPSBUX03194, JSA10656, MDVSA-2014:203, MDVSA-2014:218, MDVSA-2015:062, NetBSD-SA2014-015, nettcp_advisory, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1384-1, openSUSE-SU-2014:1395-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, openSUSE-SU-2016:1586-1, openSUSE-SU-2017:0980-1, PAN-SA-2014-0005, POODLE, RHSA-2014:1652-01, RHSA-2014:1653-01, RHSA-2014:1692-01, RHSA-2014:1920-01, RHSA-2014:1948-01, RHSA-2015:0010-01, RHSA-2015:0011-01, RHSA-2015:0012-01, RHSA-2015:1545-01, RHSA-2015:1546-01, SA83, SB10090, SB10104, sk102989, SOL15702, SP-CAAANKE, SP-CAAANST, SPL-91947, SPL-91948, SSA:2014-288-01, SSA-396873, SSA-472334, SSRT101767, STORM-2014-02-FR, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, SUSE-SU-2015:0010-1, SUSE-SU-2016:1457-1, SUSE-SU-2016:1459-1, T1021439, TSB16540, USN-2839-1, VIGILANCE-VUL-15485, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2, VN-2014-003, VU#577193.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

An SSL/TLS session can be established using several protocols:
 - SSL 2.0 (obsolete)
 - SSL 3.0
 - TLS 1.0
 - TLS 1.1
 - TLS 1.2

An attacker can downgrade the version to SSLv3. However, with SSL 3.0, an attacker can change the padding position with a CBC encryption, in order to progressively guess clear text fragments.

This vulnerability is named POODLE (Padding Oracle On Downgraded Legacy Encryption).

An attacker, located as a Man-in-the-Middle, can therefore decrypt a SSL 3.0 session, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

weakness CVE-2010-0102

IDS, IPS: Advanced Evasion Techniques

Synthesis of the vulnerability

Twenty three cases of standard techniques of packets variations are not detected by most IDS/IPS.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 23.
Creation date: 17/12/2010.
Identifiers: CVE-2010-0102, SBP-2010-31, SBP-2010-32, SBP-2010-33, SBP-2010-34, SBP-2010-35, VIGILANCE-VUL-10227.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

IDS/IPS capture network frames, and analyze their content, in order to detect intrusions attempts. Attackers usually apply variations on these packets, in order to bypass IDS/IPS. Twenty three cases of standard techniques of packets variations are not detected by most IDS/IPS. These 23 cases use IPv4, TCP, SMB and MSRPC variations. They are based on methods known since 12 years. Stonesoft named these cases "Advanced Evasion Techniques". They were announced in VIGILANCE-ACTU-2612.

An attacker can send a SMB Write packet with a special "writemode" value, followed by other SMB Write packets to be ignored. [severity:2/4]

An attacker can split SMB Write data in packets containing only one byte, encapsulated in small IPv4/TCP fragments. [severity:2/4]

An attacker can duplicate each IPv4 packet, with additional IPv4 options. [severity:2/4]

An attacker can fragment MSRPC queries into packets containing at most 25 bytes of payload. [severity:2/4]

An attacker can send MSRPC messages where all integers are encoded as Big Endian instead of Little Endian. [severity:2/4]

An attacker can change NDR flags of MSRPC messages. [severity:2/4]

An attacker can create MSRPC fragmented messages in fragmented SMB messages. [severity:2/4]

An attacker can fragment SMB messages in blocks containing one byte of payload. [severity:2/4]

An attacker can fragment SMB messages in blocks containing at most 32 bytes of payload. [severity:2/4]

An attacker can use a SMB filename starting by "unused\..\". [severity:2/4]

An attacker can use overlapping TCP segments. [severity:2/4]

An attacker can send TCP segments in random order. [severity:2/4]

An attacker can fragment TCP data in blocks of one byte. [severity:2/4]

An attacker can use a second TCP session using the same port numbers. [severity:2/4]

An attacker can use a TCP session, where the first byte is sent with the urgent flag. [severity:2/4]

An attacker can send a NetBIOS message, with data similar to an HTTP GET query. [severity:2/4]

An attacker can inject 5 SMB Write inside a SMB Write. [severity:2/4]

An attacker can fragment a MSRPC query in TCP packets sent in the reverse order. [severity:2/4]

An attacker can fragment a MSRPC query in TCP packets sent in random order. [severity:2/4]

An attacker can fragment a MSRPC query in TCP packets sent with an initial sequence number near 0xFFFFFFFF. [severity:2/4]

An attacker can send an empty NetBIOS packet, before each NetBIOS message. [severity:2/4]

An attacker can send an invalid NetBIOS packet, before each NetBIOS message. [severity:2/4]

An attacker can use an unknown variation. [severity:2/4]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2007-3701

TippingPoint IPS: bypassing via Unicode

Synthesis of the vulnerability

An attacker can use urls containing Unicode characters in order to bypass the IPS.
Severity: 2/4.
Creation date: 11/07/2007.
Revision date: 12/07/2007.
Identifiers: BID-24855, CVE-2007-3701, VIGILANCE-VUL-6986.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The UTF-8 encoding can be used to represent Unicode characters on several bytes:
 - 1 to 7 bits : 0xxxxxxx
 - 8 to 11 bits : 110xxxxx 10xxxxxx
 - 12 to 16 bits : 1110xxxx 10xxxxxx 10xxxxxx
 - 17 to 21 bits : 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
UTF-8 limits the encoding to 4 bytes and forbids usage of more bytes than necessary.

Some software do not normalize UTF-8 encodings. For example, the "." character must only be represented as 0x2E (b00101110) and not as 0xC0-0xAE (b11000000 10101110). Some web servers, such as IIS 5/5.1, accept all UTF-8 encodings.

However, TippingPoint IPS does not recognize urls encoded using long variants.

An attacker can therefore use this encoding in order to bypass the IPS.
Full Vigil@nce bulletin... (Free trial)

cybersecurity bulletin CVE-2007-3711

TippingPoint IPS: bypassing via fragmentation

Synthesis of the vulnerability

An attacker can fragment packets in order to bypass the IPS.
Severity: 2/4.
Creation date: 11/07/2007.
Identifiers: 3COM-07-002, BID-24861, CERTA-2007-AVI-298, CVE-2007-3711, VIGILANCE-VUL-6992.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The IP protocol supports fragmentation in order to split big packets. The IPS reassembles these fragments to analyze the original content.

However, using a special fragmentation, IPS fails to reassemble fragments.

An attacker can therefore send packets specially fragmented in order to bypass the IPS.
Full Vigil@nce bulletin... (Free trial)

security bulletin CVE-2007-2688 CVE-2007-2689 CVE-2007-2734

IDS: bypassing IDS with half of full width characters

Synthesis of the vulnerability

An attacker can use half or full width Unicode characters in order to bypass several IDS.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 15/05/2007.
Revisions dates: 16/05/2007, 22/05/2007.
Identifiers: 3COM-07-001, 91767, BID-23980, cisco-sr-20070514-unicode, CSCsi58602, CSCsi67763, CSCsi91487, CVE-2007-2688, CVE-2007-2689, CVE-2007-2734, CVE-2007-5793, GS07-01, VIGILANCE-VUL-6815, VU#739224.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Unicode character tables contain characters with similar displays. For example:
 - the 'à' character can be encoded U+00E0, or 'a' followed by the '`' combining diacritical (U+0061-U+0300)
 - the 'ff' string can be encoded U+0066-U+0066, or using the U+FB00 ligature
 - the 'a' character can be encoded U+0061, or using the full-width U+FF41 character (full-width characters have a fixed width, like typing machines ; full-width characters are mainly used as aliases for ASCII-127 characters ; half-width characters are mainly used for simplified Asian characters)

Some software automatically convert characters with a similar display. For example, PHP and ASP.NET convert full-width characters to ASCII-127 characters.

Some IPS/IPS not correctly handle half-width nor full-width characters.

An attacker can therefore use these characters to bypass the IDS.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.