The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of IDS, IPS: Advanced Evasion Techniques

Synthesis of the vulnerability

Twenty-three standard packet-variation techniques are not detected by most IDS/IPS.
Severity of this bulletin: 2/4.
Number of vulnerabilities in this bulletin: 23.
Creation date: 17/12/2010.
References of this threat: CVE-2010-0102, SBP-2010-31, SBP-2010-32, SBP-2010-33, SBP-2010-34, SBP-2010-35, VIGILANCE-VUL-10227.

Description of the vulnerability

IDS/IPS capture network frames and analyze their content in order to detect intrusion attempts. Attackers usually apply variations to these packets in order to bypass IDS/IPS. Twenty-three standard packet-variation techniques are not detected by most IDS/IPS. These 23 cases use IPv4, TCP, SMB and MSRPC variations. They are based on methods that have been known for 12 years. Stonesoft named these cases "Advanced Evasion Techniques". They were announced in VIGILANCE-ACTU-2612.

An attacker can send an SMB Write packet with a special "writemode" value, followed by other SMB Write packets that are to be ignored. [severity:2/4]

An attacker can split SMB Write data into packets containing only one byte, encapsulated in small IPv4/TCP fragments. [severity:2/4]

An attacker can duplicate each IPv4 packet, with additional IPv4 options. [severity:2/4]

An attacker can fragment MSRPC queries into packets containing at most 25 bytes of payload. [severity:2/4]

An attacker can send MSRPC messages where all integers are encoded as Big Endian instead of Little Endian. [severity:2/4]

An attacker can change NDR flags of MSRPC messages. [severity:2/4]
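The two MSRPC items above (big-endian integers and changed NDR flags) and the MSRPC fragmentation items in this bulletin share one defensive lesson: a decoder must take the byte order from the PDU's own data representation field and must reassemble request fragments before looking for a signature. The following is an added example written for this page, not code from Stonesoft, Vigil@nce or any of the listed vendors. It parses the 16-byte DCE/RPC connection-oriented header as laid out in the DCE 1.1 RPC specification, contrasts it with a decoder that assumes little-endian, and reassembles request stub data across fragments. The signature bytes, call ids and stub contents are constructed for the demonstration; the `SIGNATURE` pattern is a stand-in, not a real detection rule.

```python
import struct

# DCE/RPC connection-oriented common header (16 bytes):
#   rpc_vers(1) rpc_vers_minor(1) ptype(1) pfc_flags(1) packed_drep(4)
#   frag_length(2) auth_length(2) call_id(4)
HEADER_LEN = 16
PTYPE_REQUEST = 0
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
SEC_TRAILER_LEN = 8            # auth verifier header preceding auth_length bytes
REQUEST_STUB_OFFSET = 24       # header + alloc_hint(4) + p_cont_id(2) + opnum(2)


def parse_header(pdu: bytes) -> dict:
    """Decode the common header, taking integer byte order from packed_drep."""
    if len(pdu) < HEADER_LEN:
        raise ValueError("short PDU")
    ptype, pfc_flags, drep0 = pdu[2], pdu[3], pdu[4]
    # High nibble of packed_drep[0]: 1 = little-endian integers, 0 = big-endian.
    endian = "<" if (drep0 & 0xF0) == 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    return {"ptype": ptype, "pfc_flags": pfc_flags, "endian": endian,
            "frag_length": frag_length, "auth_length": auth_length,
            "call_id": call_id}


def parse_header_naive(pdu: bytes) -> dict:
    """Same header, but byte order hard-coded to little-endian: the assumption
    a big-endian MSRPC message defeats."""
    frag_length, auth_length, call_id = struct.unpack("<HHI", pdu[8:16])
    return {"ptype": pdu[2], "pfc_flags": pdu[3], "endian": "<",
            "frag_length": frag_length, "auth_length": auth_length,
            "call_id": call_id}


def build_request(call_id, opnum, stub, *, little=True, first=True, last=True):
    """Construct a request PDU without an authentication trailer (demo helper)."""
    endian = "<" if little else ">"
    drep = bytes([0x10 if little else 0x00, 0, 0, 0])
    flags = (PFC_FIRST_FRAG if first else 0) | (PFC_LAST_FRAG if last else 0)
    frag_length = REQUEST_STUB_OFFSET + len(stub)
    header = bytes([5, 0, PTYPE_REQUEST, flags]) + drep + \
        struct.pack(endian + "HHI", frag_length, 0, call_id)
    body = struct.pack(endian + "IHH", len(stub), 0, opnum)  # alloc_hint, p_cont_id, opnum
    return header + body + stub


def fragment_request(call_id, opnum, stub, chunk, little=True):
    """Split stub data into request fragments carrying at most `chunk` bytes each."""
    pieces = [stub[i:i + chunk] for i in range(0, len(stub), chunk)] or [b""]
    return [build_request(call_id, opnum, p, little=little,
                          first=(i == 0), last=(i == len(pieces) - 1))
            for i, p in enumerate(pieces)]


def reassemble_requests(pdus):
    """Group request fragments by call_id; return complete stub data per call."""
    pending, complete = {}, {}
    for pdu in pdus:
        h = parse_header(pdu)
        if h["ptype"] != PTYPE_REQUEST:
            continue
        end = h["frag_length"]
        if h["auth_length"]:
            end -= h["auth_length"] + SEC_TRAILER_LEN
        stub = pdu[REQUEST_STUB_OFFSET:end]
        if h["pfc_flags"] & PFC_FIRST_FRAG:
            pending[h["call_id"]] = bytearray()
        pending.setdefault(h["call_id"], bytearray()).extend(stub)
        if h["pfc_flags"] & PFC_LAST_FRAG:
            complete[h["call_id"]] = bytes(pending.pop(h["call_id"]))
    return complete


def matches_per_fragment(pdus, pattern):
    """Per-PDU matching: misses a pattern split across fragments."""
    return any(pattern in pdu for pdu in pdus)


def matches_reassembled(pdus, pattern):
    """Matching on reassembled stub data: sees the whole request."""
    return any(pattern in stub for stub in reassemble_requests(pdus).values())


if __name__ == "__main__":
    SIGNATURE = b"SIGNATURE"                      # constructed stand-in pattern
    stub = b"aaaa" + SIGNATURE + b"bbbb"          # constructed stub data
    frags = fragment_request(7, 3, stub, chunk=4)
    print("per fragment:", matches_per_fragment(frags, SIGNATURE))
    print("reassembled :", matches_reassembled(frags, SIGNATURE))
    big = build_request(9, 3, stub, little=False)
    print("frag_length drep-aware:", parse_header(big)["frag_length"],
          "naive:", parse_header_naive(big)["frag_length"])
```

The naive decoder reads the big-endian `frag_length` 41 as 0x2900, so it slices the wrong stub bytes and misses the pattern even when it is not fragmented; the drep-aware decoder and the per-call reassembly handle both variations. An authenticated PDU carries an 8-byte sec_trailer plus `auth_length` bytes after the stub, which the stub slice above excludes.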

An attacker can create MSRPC fragmented messages inside fragmented SMB messages. [severity:2/4]

An attacker can fragment SMB messages into blocks containing one byte of payload. [severity:2/4]

An attacker can fragment SMB messages into blocks containing at most 32 bytes of payload. [severity:2/4]

An attacker can use an SMB filename starting with "unused\..\". [severity:2/4]

An attacker can use overlapping TCP segments. [severity:2/4]

An attacker can send TCP segments in random order. [severity:2/4]

An attacker can fragment TCP data into blocks of one byte. [severity:2/4]

An attacker can use a second TCP session using the same port numbers. [severity:2/4]

An attacker can use a TCP session, where the first byte is sent with the urgent flag. [severity:2/4]

An attacker can send a NetBIOS message, with data similar to an HTTP GET query. [severity:2/4]

An attacker can inject 5 SMB Write requests inside an SMB Write. [severity:2/4]

An attacker can fragment an MSRPC query into TCP packets sent in reverse order. [severity:2/4]

An attacker can fragment an MSRPC query into TCP packets sent in random order. [severity:2/4]

An attacker can fragment an MSRPC query into TCP packets sent with an initial sequence number near 0xFFFFFFFF. [severity:2/4]
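The TCP items in this bulletin (overlapping segments, random or reverse order, one-byte segments, an initial sequence number near 0xFFFFFFFF) all defeat an IDS that matches signatures per packet instead of on the reassembled stream. The following is an added example written for this page, not code from Stonesoft, Vigil@nce or any of the listed vendors: a small TCP stream reassembler that accepts segments in any order, uses wrap-safe 32-bit sequence arithmetic, applies an explicit overlap policy and counts conflicting overlaps as an alert condition. It assumes `isn` is the sequence number of the first payload byte; segments, the `SIGNATURE` pattern and the decoy bytes are constructed for the demonstration.

```python
import random

SEQ_MASK = 0xFFFFFFFF


class TcpStream:
    """Reassembles one direction of a TCP connection from (seq, data) segments."""

    def __init__(self, isn, policy="first"):
        # isn: sequence number of the first payload byte (demo assumption).
        # policy: "first" keeps the bytes seen first, "last" lets later data
        # overwrite. Real TCP stacks differ here, so an IDS has to model the
        # policy of the host it protects rather than pick one arbitrarily.
        self.isn = isn
        self.policy = policy
        self.bytes = {}        # relative offset -> byte value
        self.conflicts = 0     # overlapping bytes whose contents disagreed

    def add(self, seq, data):
        base = (seq - self.isn) & SEQ_MASK   # wrap-safe relative offset
        for i, b in enumerate(data):
            off = base + i
            old = self.bytes.get(off)
            if old is None:
                self.bytes[off] = b
            elif old != b:
                self.conflicts += 1
                if self.policy == "last":
                    self.bytes[off] = b

    def contiguous(self):
        """Return the longest gap-free prefix of the stream."""
        out = bytearray()
        off = 0
        while off in self.bytes:
            out.append(self.bytes[off])
            off += 1
        return bytes(out)


def make_segments(isn, payload, size):
    """Split payload into segments of `size` bytes with wrapping sequence numbers."""
    return [((isn + i) & SEQ_MASK, payload[i:i + size])
            for i in range(0, len(payload), size)]


def detect_per_segment(segments, pattern):
    """Per-packet matching: blind to anything split across segments."""
    return any(pattern in data for _, data in segments)


def detect_reassembled(segments, pattern, isn, policy="first"):
    """Stream matching; returns (matched, number of conflicting overlaps)."""
    stream = TcpStream(isn, policy)
    for seq, data in segments:
        stream.add(seq, data)
    return pattern in stream.contiguous(), stream.conflicts


if __name__ == "__main__":
    ISN = 0xFFFFFFFA                              # wraps after six bytes
    PAYLOAD = b"hello SIGNATURE world"            # constructed stream content
    PATTERN = b"SIGNATURE"                        # constructed stand-in pattern

    one_byte = make_segments(ISN, PAYLOAD, 1)
    random.Random(2010).shuffle(one_byte)         # random arrival order
    print("per segment:", detect_per_segment(one_byte, PATTERN))
    print("reassembled:", detect_reassembled(one_byte, PATTERN, ISN))

    # Overlap: a decoy segment covering the pattern arrives first.
    decoy = [((ISN + 6) & SEQ_MASK, b"X" * 9)]
    overlapped = decoy + make_segments(ISN, PAYLOAD, 7)
    print("policy first:", detect_reassembled(overlapped, PATTERN, ISN, "first"))
    print("policy last :", detect_reassembled(overlapped, PATTERN, ISN, "last"))
```

With the one-byte segments no single packet contains the pattern, yet the reassembled prefix does, regardless of arrival order or the wrap at 0xFFFFFFFF. In the overlap case the two policies reach opposite verdicts with identical input, which is why the conflict count matters: nine overlapping bytes that disagree is a condition worth alerting on by itself, independent of whether the signature matched.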

An attacker can send an empty NetBIOS packet, before each NetBIOS message. [severity:2/4]

An attacker can send an invalid NetBIOS packet, before each NetBIOS message. [severity:2/4]

An attacker can use an unknown variation. [severity:2/4]
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This vulnerability bulletin impacts software or systems such as FW-1, CheckPoint Security Gateway, VPN-1, Cisco IPS, TippingPoint IPS, McAfee NTBA, Snort.

Our Vigil@nce team determined that the severity of this cybersecurity threat is medium.

The trust level is "confirmed by the editor", and the origin is an internet client.

This bulletin is about 23 vulnerabilities.

An attacker with expert ability can exploit this computer threat bulletin.

Solutions for this threat

Check Point: solutions for Advanced Evasion Techniques.
The Check Point document indicates how to enable the protections.

Computer vulnerabilities tracking service

Vigil@nce provides a cybersecurity bulletin. The technology watch team tracks security threats targeting the computer system.