The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of StoneGate IPS

computer vulnerability note CVE-2008-4609

TCP: denial of service Sockstress

Synthesis of the vulnerability

An attacker can use a small TCP Window, in order to overload a TCP server.
Impacted products: ProxyAV, ProxyRA, ProxySG by Blue Coat, SGOS by Blue Coat, VPN-1, ASA, Cisco Catalyst, IOS by Cisco, Cisco Router, BIG-IP Hardware, TMOS, Linux, Windows 2000, Windows 2003, Windows 2008 R0, Windows (platform) ~ not comprehensive, Windows Vista, Windows XP, NLD, OES, OpenSolaris, openSUSE, Solaris, Trusted Solaris, TCP protocol, StoneGate Firewall, StoneGate IPS, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 01/10/2008.
Revisions dates: 20/10/2008, 09/09/2009.
Identifiers: 109444, 110132, 267088, 6759500, 967723, BID-31545, c01923093, CERTA-2009-ALE-017-003, cisco-sa-20090908-tcp24, cisco-sr-20081017-tcp, cpujul2012, CVE-2008-4609, FICORA #193744, HPSBMI02473, MS09-048, SA34, SA35, SA36, SA37, SA38, SA40, SA41, sk42723, sk42725, SOL10509, SOL7301, SOL9293, SSRT080138, SUSE-SA:2009:047, VIGILANCE-VUL-8139, VU#723308.

Description of the vulnerability

The "window" field of a TCP packet indicates the size of the receive window, that is, the range of sequence numbers the receiver will accept for incoming packets.

According to the TCP protocol, when the system cannot receive more packets (for example because its buffers are full), it lowers the value of the "window" field. The remote host then has to send data more slowly.

An attacker can therefore connect to a listening TCP service, and artificially extend the session duration, in order to overload the remote host.

The attacker can also use "reverse SYN cookies" and the TCP Timestamp option, so that no per-connection state has to be kept on the attacking computer.

An attacker therefore uses only a few resources on his own computer while forcing the target to consume many. The impact of this temporary denial of service depends on the target system, and is similar to an attacker opening several real TCP sessions (except that his computer uses only a few resources). The attacker cannot spoof his IP address in this attack.

There are several attack variants, related to the window size or to a temporary increase of window size. The VIGILANCE-VUL-8844 vulnerability can be seen as a variant.

When the attacker stops sending packets, the denial of service stops. However, some additional implementation errors (such as the Microsoft CVE-2009-1926 vulnerability of VIGILANCE-VUL-9008, or the Cisco Nexus 5000 vulnerabilities described in the solution for Cisco) cause a permanent denial of service.
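A defender-side heuristic for the behaviour described above, as an added example that is not part of the Vigil@nce bulletin: it scans a constructed snapshot of a server's established connections and flags sources that keep many long-lived sessions open while advertising a tiny window and leaving data queued. The connection record layout, thresholds and sample addresses are assumptions; since the attack cannot use spoofed source addresses, grouping by source IP is a meaningful signal.

```python
# Added example (not the bulletin's code): Sockstress-style sessions keep
# the server's send buffers full for a long time because the client keeps
# advertising a very small receive window. Count such sessions per source.
from collections import defaultdict
from typing import List, NamedTuple

class Conn(NamedTuple):
    src_ip: str
    src_port: int
    dst_port: int
    peer_window: int     # window advertised by the remote (client) side, in bytes
    age_seconds: int     # how long the connection has been established
    unsent_bytes: int    # data queued locally because the peer will not accept it

# Constructed sample snapshot: one client holding 12 stalled sessions,
# ordinary clients with healthy windows, and one short transient zero window.
SAMPLE_CONNS: List[Conn] = [
    *[Conn("198.51.100.7", 40000 + i, 80, 0, 300 + i, 4096) for i in range(12)],
    Conn("203.0.113.5", 51000, 80, 65535, 2, 0),
    Conn("203.0.113.9", 51001, 80, 29200, 45, 0),
    Conn("203.0.113.9", 51002, 80, 0, 3, 1200),   # zero window, but only 3 s old
]

def stalled_sessions(conns, max_window=64, min_age=60):
    """Connections whose peer has kept a tiny window for a long time with data pending."""
    return [c for c in conns
            if c.peer_window <= max_window
            and c.age_seconds >= min_age
            and c.unsent_bytes > 0]

def suspicious_sources(conns, per_source_threshold=5, **kw):
    """Map source IP -> number of stalled sessions, for sources at or above the threshold."""
    counts = defaultdict(int)
    for c in stalled_sessions(conns, **kw):
        counts[c.src_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= per_source_threshold}

if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_CONNS).items():
        print(f"{ip}: {n} long-lived small-window sessions with queued data")
```

A per-source session cap or an idle/zero-window timeout on the server is the corresponding mitigation; the same counting logic can be fed from a live connection table instead of the constructed snapshot.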

vulnerability alert CVE-2008-0166

Debian: predictable openssl randoms

Synthesis of the vulnerability

Keys generated by the openssl package of Debian 4.0 are predictable.
Impacted products: ProxySG by Blue Coat, Debian, StoneGate Firewall, StoneGate IPS.
Severity: 4/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: internet client.
Creation date: 13/05/2008.
Identifiers: BID-29179, CERTA-2008-AVI-239, CERTA-2008-AVI-246, CVE-2008-0166, DSA-1571-1, DSA-1576-1, DSA-1576-2, VIGILANCE-VUL-7821, VU#925211.

Description of the vulnerability

The openssl package of Debian is a modified version of OpenSSL.

However, these modifications make the generated keys predictable.

Keys generated for the following applications are potentially impacted:
 - X.509 certificates (apache, etc.)
 - DNSSEC
 - OpenVPN
 - SSH

Keys generated for the following applications are not impacted:
 - GnuPG
 - GNUTLS

An attacker can therefore predict keys generated by the openssl package of Debian, in order for example to spoof the identity of a client or a server.

computer vulnerability CVE-2007-2688 CVE-2007-2689 CVE-2007-2734

IDS: bypassing IDS with half or full width characters

Synthesis of the vulnerability

An attacker can use half or full width Unicode characters in order to bypass several IDS.
Impacted products: VPN-1, ASA, IOS by Cisco, Cisco IPS, Cisco Router, TippingPoint IPS, Snort, StoneGate IPS.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 15/05/2007.
Revisions dates: 16/05/2007, 22/05/2007.
Identifiers: 3COM-07-001, 91767, BID-23980, cisco-sr-20070514-unicode, CSCsi58602, CSCsi67763, CSCsi91487, CVE-2007-2688, CVE-2007-2689, CVE-2007-2734, CVE-2007-5793, GS07-01, VIGILANCE-VUL-6815, VU#739224.

Description of the vulnerability

Unicode character tables contain characters with similar displays. For example:
 - the 'à' character can be encoded U+00E0, or as 'a' followed by the '`' combining diacritical (U+0061 U+0300)
 - the 'ff' string can be encoded U+0066 U+0066, or using the U+FB00 ligature
 - the 'a' character can be encoded U+0061, or using the full-width U+FF41 character (full-width characters have a fixed width, like on a typewriter; full-width characters are mainly used as aliases for ASCII-127 characters; half-width characters are mainly used for simplified Asian characters)

Some software automatically converts characters with a similar display. For example, PHP and ASP.NET convert full-width characters to ASCII-127 characters.

Some IDS/IPS do not correctly handle half-width or full-width characters.

An attacker can therefore use these characters to bypass the IDS.
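A toy signature matcher illustrating the mismatch described above, as an added example that is not code from the Vigil@nce bulletin or from any of the listed products: raw code-point comparison misses the three alternate encodings the bulletin lists, while normalising both the rule and the payload to Unicode NFKC (the same kind of folding that PHP and ASP.NET apply) catches them. The signatures and payloads are constructed samples.

```python
# Added example (not the bulletin's code). NFKC maps the full-width U+FF41 and
# the U+FB00 ligature to plain ASCII, and composes 'a' + U+0300 into U+00E0,
# so comparing after normalisation sees what the target application will see.
import unicodedata

SIGNATURES = ["/etc/passwd", "off", "voil\u00e0"]   # constructed sample rules

def naive_match(payload: str):
    """Raw comparison: only the exact code point sequence of the rule triggers."""
    return [s for s in SIGNATURES if s in payload]

def normalised_match(payload: str):
    """Normalise rule and payload to NFKC before comparing (what a hardened IDS should do)."""
    norm = unicodedata.normalize("NFKC", payload)
    return [s for s in SIGNATURES if unicodedata.normalize("NFKC", s) in norm]

# Constructed payloads using the three encodings listed in the bulletin.
FULLWIDTH = ("\uff0f\uff45\uff54\uff43"           # full-width "/etc"
             "\uff0f\uff50\uff41\uff53\uff53\uff57\uff44")   # full-width "/passwd"
LIGATURE = "o\ufb00"                              # 'o' + single 'ff' ligature character
DECOMPOSED = "voila\u0300"                        # 'a' + combining grave instead of U+00E0

if __name__ == "__main__":
    for name, payload in [("full-width", FULLWIDTH), ("ligature", LIGATURE),
                          ("decomposed", DECOMPOSED)]:
        print(f"{name}: naive={naive_match(payload)} normalised={normalised_match(payload)}")
```

Which normalisation form is right depends on what the protected application itself applies; an IDS that folds more aggressively than the application trades misses for false positives.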