| The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them. |
|
 |
|
|
Computer vulnerabilities of TippingPoint Intrusion Prevention Systems
SSL 3.0: decrypting session, POODLE
Synthesis of the vulnerability
An attacker, located as a Man-in-the-Middle, can decrypt a SSL 3.0 session, in order to obtain sensitive information.
Impacted products: SES, SNS, Apache httpd, Arkoon FAST360, ArubaOS, Asterisk Open Source, BES, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, GAiA, CheckPoint IP Appliance, IPSO, SecurePlatform, CheckPoint Security Appliance, CheckPoint Security Gateway, Cisco ASR, Cisco ACE, ASA, AsyncOS, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, IronPort Email, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, WebNS, Clearswift Email Gateway, Clearswift Web Gateway, CUPS, Debian, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiGate, FortiGate Virtual Appliance, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, F-Secure AV, hMailServer, HPE BSM, HP Data Protector, HPE NNMi, HP Operations, ProCurve Switch, SiteScope, HP Switch, TippingPoint IPS, HP-UX, AIX, Domino, Notes, Security Directory Server, SPSS Data Collection, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, IVE OS, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, McAfee Email and Web Security, McAfee Email Gateway, ePO, VirusScan, McAfee Web Gateway, IE, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows (platform) ~ not comprehensive, Windows RT, Windows Vista, NETASQ, NetBSD, NetScreen Firewall, ScreenOS, nginx, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle DB, Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, Solaris, Tuxedo, WebLogic, Palo Alto Firewall PA***, PAN-OS, Polycom CMA, HDX, RealPresence Collaboration Server, RealPresence Distributed Media Application, Polycom VBP, Postfix, SSL protocol, Puppet, RHEL, JBoss EAP by Red Hat, RSA Authentication Manager, ROS, ROX, RuggedSwitch, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, WinSCP.
Severity: 3/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 15/10/2014.
Identifiers: 10923, 1589583, 1595265, 1653364, 1657963, 1663874, 1687167, 1687173, 1687433, 1687604, 1687611, 1690160, 1690185, 1690342, 1691140, 1692551, 1695392, 1696383, 1699051, 1700706, 2977292, 3009008, 7036319, aid-10142014, AST-2014-011, bulletinapr2015, bulletinjan2015, bulletinjan2016, bulletinjul2015, bulletinjul2016, bulletinoct2015, c04486577, c04487990, c04492722, c04497114, c04506802, c04510230, c04567918, c04616259, c04626982, c04676133, c04776510, CERTFR-2014-ALE-007, CERTFR-2014-AVI-454, CERTFR-2014-AVI-509, CERTFR-2015-AVI-169, CERTFR-2016-AVI-303, cisco-sa-20141015-poodle, cpujul2017, CTX216642, CVE-2014-3566, DSA-3053-1, DSA-3253-1, DSA-3489-1, ESA-2014-178, ESA-2015-098, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FEDORA-2014-12989, FEDORA-2014-12991, FEDORA-2014-13012, FEDORA-2014-13017, FEDORA-2014-13040, FEDORA-2014-13069, FEDORA-2014-13070, FEDORA-2014-13444, FEDORA-2014-13451, FEDORA-2014-13764, FEDORA-2014-13777, FEDORA-2014-13781, FEDORA-2014-13794, FEDORA-2014-14234, FEDORA-2014-14237, FEDORA-2014-15379, FEDORA-2014-15390, FEDORA-2014-15411, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2015-9090, FEDORA-2015-9110, FreeBSD-SA-14:23.openssl, FSC-2014-8, HPSBGN03256, HPSBGN03305, HPSBGN03332, HPSBHF03156, HPSBHF03300, HPSBMU03152, HPSBMU03184, HPSBMU03213, HPSBMU03416, HPSBUX03162, HPSBUX03194, JSA10656, MDVSA-2014:203, MDVSA-2014:218, MDVSA-2015:062, NetBSD-SA2014-015, nettcp_advisory, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1384-1, openSUSE-SU-2014:1395-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, openSUSE-SU-2016:1586-1, openSUSE-SU-2017:0980-1, PAN-SA-2014-0005, POODLE, RHSA-2014:1652-01, RHSA-2014:1653-01, RHSA-2014:1692-01, RHSA-2014:1920-01, RHSA-2014:1948-01, RHSA-2015:0010-01, RHSA-2015:0011-01, RHSA-2015:0012-01, RHSA-2015:1545-01, RHSA-2015:1546-01, SA83, SB10090, SB10104, sk102989, SOL15702, SP-CAAANKE, SP-CAAANST, SPL-91947, SPL-91948, SSA:2014-288-01, SSA-396873, SSA-472334, SSRT101767, STORM-2014-02-FR, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, SUSE-SU-2015:0010-1, SUSE-SU-2016:1457-1, SUSE-SU-2016:1459-1, T1021439, TSB16540, USN-2839-1, VIGILANCE-VUL-15485, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2, VN-2014-003, VU#577193.
Description of the vulnerability
An SSL/TLS session can be established using several protocols:
- SSL 2.0 (obsolete)
- SSL 3.0
- TLS 1.0
- TLS 1.1
- TLS 1.2
An attacker can downgrade the version to SSLv3. However, with SSL 3.0, an attacker can change the padding position with a CBC encryption, in order to progressively guess clear text fragments.
This vulnerability is named POODLE (Padding Oracle On Downgraded Legacy Encryption).
An attacker, located as a Man-in-the-Middle, can therefore decrypt a SSL 3.0 session, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial) |
IDS, IPS: Advanced Evasion Techniques
Synthesis of the vulnerability
Twenty three cases of standard techniques of packets variations are not detected by most IDS/IPS.
Impacted products: FW-1, CheckPoint Security Gateway, VPN-1, Cisco IPS, TippingPoint IPS, McAfee NTBA, Snort.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 23.
Creation date: 17/12/2010.
Identifiers: CVE-2010-0102, SBP-2010-31, SBP-2010-32, SBP-2010-33, SBP-2010-34, SBP-2010-35, VIGILANCE-VUL-10227.
Description of the vulnerability
IDS/IPS capture network frames, and analyze their content, in order to detect intrusions attempts. Attackers usually apply variations on these packets, in order to bypass IDS/IPS. Twenty three cases of standard techniques of packets variations are not detected by most IDS/IPS. These 23 cases use IPv4, TCP, SMB and MSRPC variations. They are based on methods known since 12 years. Stonesoft named these cases "Advanced Evasion Techniques". They were announced in VIGILANCE-ACTU-2612.
An attacker can send a SMB Write packet with a special "writemode" value, followed by other SMB Write packets to be ignored. [severity:2/4]
An attacker can split SMB Write data in packets containing only one byte, encapsulated in small IPv4/TCP fragments. [severity:2/4]
An attacker can duplicate each IPv4 packet, with additional IPv4 options. [severity:2/4]
An attacker can fragment MSRPC queries into packets containing at most 25 bytes of payload. [severity:2/4]
An attacker can send MSRPC messages where all integers are encoded as Big Endian instead of Little Endian. [severity:2/4]
An attacker can change NDR flags of MSRPC messages. [severity:2/4]
An attacker can create MSRPC fragmented messages in fragmented SMB messages. [severity:2/4]
An attacker can fragment SMB messages in blocks containing one byte of payload. [severity:2/4]
An attacker can fragment SMB messages in blocks containing at most 32 bytes of payload. [severity:2/4]
An attacker can use a SMB filename starting by "unused\..\". [severity:2/4]
An attacker can use overlapping TCP segments. [severity:2/4]
An attacker can send TCP segments in random order. [severity:2/4]
An attacker can fragment TCP data in blocks of one byte. [severity:2/4]
An attacker can use a second TCP session using the same port numbers. [severity:2/4]
An attacker can use a TCP session, where the first byte is sent with the urgent flag. [severity:2/4]
An attacker can send a NetBIOS message, with data similar to an HTTP GET query. [severity:2/4]
An attacker can inject 5 SMB Write inside a SMB Write. [severity:2/4]
An attacker can fragment a MSRPC query in TCP packets sent in the reverse order. [severity:2/4]
An attacker can fragment a MSRPC query in TCP packets sent in random order. [severity:2/4]
An attacker can fragment a MSRPC query in TCP packets sent with an initial sequence number near 0xFFFFFFFF. [severity:2/4]
An attacker can send an empty NetBIOS packet, before each NetBIOS message. [severity:2/4]
An attacker can send an invalid NetBIOS packet, before each NetBIOS message. [severity:2/4]
An attacker can use an unknown variation. [severity:2/4]
Full Vigil@nce bulletin... (Free trial) |
TippingPoint IPS: bypassing via Unicode
Synthesis of the vulnerability
An attacker can use urls containing Unicode characters in order to bypass the IPS.
Impacted products: TippingPoint IPS.
Severity: 2/4.
Consequences: disguisement.
Provenance: internet client.
Creation date: 11/07/2007.
Revision date: 12/07/2007.
Identifiers: BID-24855, CVE-2007-3701, VIGILANCE-VUL-6986.
Description of the vulnerability
The UTF-8 encoding can be used to represent Unicode characters on several bytes:
- 1 to 7 bits : 0xxxxxxx
- 8 to 11 bits : 110xxxxx 10xxxxxx
- 12 to 16 bits : 1110xxxx 10xxxxxx 10xxxxxx
- 17 to 21 bits : 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
UTF-8 limits the encoding to 4 bytes and forbids usage of more bytes than necessary.
Some software do not normalize UTF-8 encodings. For example, the "." character must only be represented as 0x2E (b00101110) and not as 0xC0-0xAE (b11000000 10101110). Some web servers, such as IIS 5/5.1, accept all UTF-8 encodings.
However, TippingPoint IPS does not recognize urls encoded using long variants.
An attacker can therefore use this encoding in order to bypass the IPS.
Full Vigil@nce bulletin... (Free trial) |
TippingPoint IPS: bypassing via fragmentation
Synthesis of the vulnerability
An attacker can fragment packets in order to bypass the IPS.
Impacted products: TippingPoint IPS.
Severity: 2/4.
Consequences: disguisement.
Provenance: internet client.
Creation date: 11/07/2007.
Identifiers: 3COM-07-002, BID-24861, CERTA-2007-AVI-298, CVE-2007-3711, VIGILANCE-VUL-6992.
Description of the vulnerability
The IP protocol supports fragmentation in order to split big packets. The IPS reassembles these fragments to analyze the original content.
However, using a special fragmentation, IPS fails to reassemble fragments.
An attacker can therefore send packets specially fragmented in order to bypass the IPS.
Full Vigil@nce bulletin... (Free trial) |
IDS: bypassing IDS with half of full width characters
Synthesis of the vulnerability
An attacker can use half or full width Unicode characters in order to bypass several IDS.
Impacted products: VPN-1, ASA, IOS by Cisco, Cisco IPS, Cisco Router, TippingPoint IPS, Snort, StoneGate IPS.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 15/05/2007.
Revisions dates: 16/05/2007, 22/05/2007.
Identifiers: 3COM-07-001, 91767, BID-23980, cisco-sr-20070514-unicode, CSCsi58602, CSCsi67763, CSCsi91487, CVE-2007-2688, CVE-2007-2689, CVE-2007-2734, CVE-2007-5793, GS07-01, VIGILANCE-VUL-6815, VU#739224.
Description of the vulnerability
Unicode character tables contain characters with similar displays. For example:
- the 'à' character can be encoded U+00E0, or 'a' followed by the '`' combining diacritical (U+0061-U+0300)
- the 'ff' string can be encoded U+0066-U+0066, or using the U+FB00 ligature
- the 'a' character can be encoded U+0061, or using the full-width U+FF41 character (full-width characters have a fixed width, like typing machines ; full-width characters are mainly used as aliases for ASCII-127 characters ; half-width characters are mainly used for simplified Asian characters)
Some software automatically convert characters with a similar display. For example, PHP and ASP.NET convert full-width characters to ASCII-127 characters.
Some IPS/IPS not correctly handle half-width nor full-width characters.
An attacker can therefore use these characters to bypass the IDS.
Full Vigil@nce bulletin... (Free trial) |
Our database contains other pages. You can request a free trial to read them.
|