The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Stonesoft StoneGate Intrusion Prevention System

cybersecurity weakness CVE-2008-4609

TCP: denial of service Sockstress

Synthesis of the vulnerability

An attacker can advertise a small TCP window in order to overload a TCP server.
Severity: 2/4.
Creation date: 01/10/2008.
Revisions dates: 20/10/2008, 09/09/2009.
Identifiers: 109444, 110132, 267088, 6759500, 967723, BID-31545, c01923093, CERTA-2009-ALE-017-003, cisco-sa-20090908-tcp24, cisco-sr-20081017-tcp, cpujul2012, CVE-2008-4609, FICORA #193744, HPSBMI02473, MS09-048, SA34, SA35, SA36, SA37, SA38, SA40, SA41, sk42723, sk42725, SOL10509, SOL7301, SOL9293, SSRT080138, SUSE-SA:2009:047, VIGILANCE-VUL-8139, VU#723308.

Description of the vulnerability

The "window" field of a TCP packet indicates how many bytes the sender of that packet is currently willing to accept, and thus the range of sequence numbers it will accept in incoming packets.

According to the TCP protocol, when a system cannot receive more data (for example because its buffers are full), it lowers the value of the "window" field. The remote host then has to send data slowly, and must keep the connection and its pending data until the window opens again.

An attacker can therefore connect to a listening TCP service, and artificially extend the session duration, in order to overload the remote host.

The attacker can also use "reverse SYN cookies" and the TCP Timestamp option so that no per-connection state has to be kept on his own computer.

An attacker therefore uses only a few resources on his computer, and forces the target to consume a lot of resources. The impact of this temporary denial of service depends on the target system, and is similar to an attacker opening many real TCP sessions (except that his computer only uses a few resources). The attacker cannot spoof his IP address to exploit this attack.

There are several attack variants, related to the window size or to a temporary increase of window size. The VIGILANCE-VUL-8844 vulnerability can be seen as a variant.

When the attacker stops sending packets, the denial of service stops. However, some additional implementation errors (such as the Microsoft CVE-2009-1926 vulnerability of VIGILANCE-VUL-9008, or the Cisco Nexus 5000 vulnerabilities described in the solution for Cisco) cause a permanent denial of service.
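The mechanism above (a peer parking many connections behind a tiny advertised window) can be spotted from the server side by reading the window field of the TCP headers it receives. The following detector is an added example and not part of the Vigil@nce bulletin; it parses the fixed 20-byte TCP header, keeps the last window each remote flow advertised, and reports peers with several flows at or below a small window. The thresholds (`SMALL_WINDOW`, `MIN_FLOWS`) and the sample packets are constructed for illustration.

```python
"""Flag peers keeping many flows behind a tiny advertised TCP window.

Added example, not from the bulletin. Thresholds are assumptions.
"""
import struct
from collections import defaultdict

# RFC 793 header layout: sport, dport, seq, ack, data-offset/flags, window, csum, urg
TCP_HDR = struct.Struct("!HHIIHHHH")
SMALL_WINDOW = 64   # bytes; assumed threshold for a "tiny" window
MIN_FLOWS = 3       # assumed number of such flows per peer that warrants an alert


def parse_tcp(segment: bytes) -> dict:
    """Return the fixed header fields of a raw TCP segment (options/payload ignored)."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = TCP_HDR.unpack_from(segment)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window}


def suspicious_peers(packets, small_window=SMALL_WINDOW, min_flows=MIN_FLOWS) -> dict:
    """packets: iterable of (src_ip, dst_ip, raw_tcp_segment) received by the server.

    Returns {src_ip: flow_count} for peers whose *last* advertised window is at or
    below small_window on at least min_flows distinct flows. A production sensor
    would also require the condition to persist, since legitimate clients may
    briefly advertise a zero window as well.
    """
    last_window = {}
    for src, dst, seg in packets:
        hdr = parse_tcp(seg)
        last_window[(src, hdr["sport"], dst, hdr["dport"])] = hdr["window"]
    per_peer = defaultdict(int)
    for (src, _sport, _dst, _dport), win in last_window.items():
        if win <= small_window:
            per_peer[src] += 1
    return {ip: n for ip, n in per_peer.items() if n >= min_flows}


def make_segment(sport: int, dport: int, window: int, flags: int = 0x010) -> bytes:
    """Build a minimal 20-byte TCP header (ACK flag by default) for sample input."""
    return TCP_HDR.pack(sport, dport, 1, 1, (5 << 12) | flags, window, 0, 0)


# Constructed sample: one peer with five zero-window flows, one normal client.
SAMPLE_PACKETS = [("198.51.100.7", "203.0.113.10", make_segment(40000 + i, 80, 0))
                  for i in range(5)]
SAMPLE_PACKETS.append(("192.0.2.5", "203.0.113.10", make_segment(51000, 80, 65535)))

if __name__ == "__main__":
    print(suspicious_peers(SAMPLE_PACKETS))  # {'198.51.100.7': 5}
```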

security threat CVE-2008-0166

Debian: predictable openssl randoms

Synthesis of the vulnerability

Keys generated by the openssl package of Debian 4.0 are predictable.
Severity: 4/4.
Creation date: 13/05/2008.
Identifiers: BID-29179, CERTA-2008-AVI-239, CERTA-2008-AVI-246, CVE-2008-0166, DSA-1571-1, DSA-1576-1, DSA-1576-2, VIGILANCE-VUL-7821, VU#925211.

Description of the vulnerability

The openssl package of Debian is a modified version of OpenSSL.

However, these modifications make the generated keys predictable.

Keys generated for the following applications are potentially impacted:
 - X.509 certificates (apache, etc.)
 - DNSSEC
 - OpenVPN
 - SSH

Keys generated for the following applications are not impacted:
 - GnuPG
 - GNUTLS

An attacker can therefore predict keys generated by the openssl package of Debian, in order for example to spoof the identity of a client or a server.

security bulletin CVE-2007-2688 CVE-2007-2689 CVE-2007-2734

IDS: bypassing IDS with half-width or full-width characters

Synthesis of the vulnerability

An attacker can use half-width or full-width Unicode characters in order to bypass several IDS.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 15/05/2007.
Revisions dates: 16/05/2007, 22/05/2007.
Identifiers: 3COM-07-001, 91767, BID-23980, cisco-sr-20070514-unicode, CSCsi58602, CSCsi67763, CSCsi91487, CVE-2007-2688, CVE-2007-2689, CVE-2007-2734, CVE-2007-5793, GS07-01, VIGILANCE-VUL-6815, VU#739224.

Description of the vulnerability

Unicode character tables contain characters with similar displays. For example:
 - the 'à' character can be encoded as U+00E0, or as 'a' followed by the combining grave accent (U+0061 U+0300)
 - the 'ff' string can be encoded as U+0066 U+0066, or using the U+FB00 ligature
 - the 'a' character can be encoded as U+0061, or using the full-width U+FF41 character (full-width characters have a fixed width, like typewriter characters; full-width characters are mainly used as aliases for 7-bit ASCII characters; half-width characters are mainly used for simplified Asian characters)

Some software automatically converts characters with a similar display. For example, PHP and ASP.NET convert full-width characters to 7-bit ASCII characters.

Some IDS/IPS do not correctly handle half-width or full-width characters.

An attacker can therefore use these characters to bypass the IDS.
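The defensive counterpart is to normalise input to a canonical form before matching signatures, mirroring what the protected PHP or ASP.NET application does. The following is an added example, not code from the bulletin or from any IDS: it applies Unicode NFKC compatibility normalisation so the spellings listed above (composed vs. base plus combining character, ligature, full-width form) collapse onto one form that a single ASCII signature matches. The signatures and sample requests are constructed for illustration.

```python
"""Unicode normalisation in front of IDS signature matching (added example)."""
import unicodedata

SIGNATURES = ["cmd.exe", "/etc/passwd"]  # constructed, illustrative signatures


def normalize(text: str) -> str:
    """Canonicalise text before matching.

    NFKC composes 'a' + U+0300 into U+00E0 and maps compatibility characters
    (ligatures such as U+FB00, full-width and half-width forms) to their
    canonical equivalents; casefold() then removes case differences.
    """
    return unicodedata.normalize("NFKC", text).casefold()


def matches_naive(text: str, sigs=SIGNATURES) -> list:
    """Literal matching, as an IDS without normalisation would do."""
    return [s for s in sigs if s in text]


def matches_normalized(text: str, sigs=SIGNATURES) -> list:
    """Normalise first, then match the same ASCII signatures."""
    norm = normalize(text)
    return [s for s in sigs if s in norm]


# Constructed sample requests: full-width spelling of cmd.exe, and a path written
# with full-width letters and full-width solidus (U+FF0F).
FULLWIDTH_CMD = "\uff43\uff4d\uff44\uff0e\uff45\uff58\uff45"  # ｃｍｄ．ｅｘｅ
FULLWIDTH_PATH = ("\uff0f\uff45\uff54\uff43\uff0f"
                  "\uff50\uff41\uff53\uff53\uff57\uff44")      # ／ｅｔｃ／ｐａｓｓｗｄ

if __name__ == "__main__":
    for sample in (FULLWIDTH_CMD, FULLWIDTH_PATH):
        print(repr(sample), matches_naive(sample), matches_normalized(sample))
```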