Ixia ATI Update 2016-16 (277126)

Defects Resolved

Ticket: DE6395 (1407628)
Info: Two new actions, "Set Accept TLS Options" and "Set Start TLS Options", have been added to Web-based protocols so that TLS options can be set when creating the encrypted flows that follow. These two actions will also be available on future Evergreen protocols.

Ticket: DE6400 (1407851)
Info: The "Skip Action When NAT Disable" parameter has been added to the Conditional Request action in the "MySQL Database Advanced" Super Flow.

Ticket: DE6402 (1407859)
Info: Updated the CVSS score to a fractional value for Strike E15-ydi01.

Ticket: DE6425 (1408218)
Info: Fixes an error affecting Security test components whose Attack Retries setting is greater than 0 and whose Concurrent Strikes mode is set to "default". When Attack Retries is 1 or greater, a strike is executed again if its first attempt fails. In these cases, the retried strike could prevent other concurrently executed strikes that use the same source or destination port from running.

Enhancements

Ticket: US42200 (1390797)
Info: The 'Radius Accounting' flow now has the 'Behavior on disabled fields' option, which allows the user to remove Attribute Value Pairs (AVPs) from the protocol messages when the corresponding fields are disabled. The affected AVPs are: NAS IP Address, NAS Port, Framed IP Address, Framed Netmask, Calling Station ID and Called Station ID.

Ticket: US48014
Info: When a Conditional Request match/nomatch has no associated action, the implicit behavior is to advance to the next action in the Super Flow. This update makes that implicit behavior explicit by adding actions to configured match/nomatch blocks that had none. Each of the following Super Flows has been updated so that every match and nomatch in its Conditional Request actions has a corresponding action: BreakingPoint ClientSim IMAP (Authenticated), BreakingPoint ClientSim IPP, BreakingPoint ClientSim LPD, BreakingPoint ClientSim MySQL (Authenticated), BreakingPoint ClientSim NetBIOS Session, BreakingPoint ClientSim NNTP, BreakingPoint ClientSim POP3 (Authenticated), BreakingPoint ClientSim POP3 Login, BreakingPoint ClientSim QOTD, BreakingPoint ClientSim RADIUS Access, BreakingPoint ClientSim RADIUS Accounting.

Ticket: US50684
Info: Added the 'Torshammer' canned test. The test case emulates HTTP Slow POST application attack traffic sent over the Tor network. A new network neighborhood, 'BreakingPoint Torshammer', was designed for this purpose; it assigns a collection of Tor exit node IP addresses to the client side.

Ticket: US49587
Info: Added the 'Locky Malware Infection Test Scenario' canned test and the associated 'Malware Infection Network' neighborhood. This test simulates a Locky malware infection: a Locky malware sample is sent to an email server (through SMTP), an email client downloads the email (through IMAP), and the client then runs the malicious attachment contained in the email. The attachment is a downloader that fetches the Locky malware (through HTTP). DNS queries are also made during these conversations.

New Protocols & Applications (2)

Name: Pokemon GO Aug16
Category: Games
Info: Pokemon Go is a free-to-play, location-based, augmented reality game developed by Niantic for iOS and Android devices. In the game, players use the smart device's GPS and camera to capture, battle, and train virtual creatures, called Pokemon, which appear on the screen as if they were in the same real-world location as the player. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

Name: Profinet PNIO-CM
Category: SCADA
Info: Profinet is a family of SCADA protocols defined in the PROFINET Open Industrial Ethernet standard provided by the PROFIBUS User Organization. PNIO-CM is the Profinet IO Context Manager protocol, which runs over UDP DCERPC version 4.

New Super Flows (5)

Name: Pokemon GO
Category: Games
Info: The user collects Poke Balls and catches Pokemon. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

Name: Pokemon GO Catch and Upgrade Pokemon
Category: Games
Info: The user catches a Pokemon and upgrades it. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

Name: Pokemon GO Spin PokeStops and Collect
Category: Games
Info: The user walks on the map, spins PokeStops and collects Poke Balls and eggs. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

Name: Profinet PNIO-CM Read Implicit
Category: SCADA
Info: The first two actions emulate a PNIO-CM Read Implicit Request and its response using default parameters. The next Read Implicit Request shows the use of a token for the 'API' parameter, while the corresponding response shows how the 'Block 4 Data' parameter is used to provide the fourth block in that response.

Name: Profinet PNIO-CM Write
Category: SCADA
Info: Emulates a PNIO-CM Write Request and its Write Response.

New Strikes (11)

CVSS: 10.0
ID: E16-3nt01
References: CVE-2016-0857, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), SCIP-80274, URL, ZDI-ZDI-16-121
Category: Exploits
Info: This strike exploits a buffer overflow vulnerability in Advantech WebAccess. A specially crafted DCE/RPC request with OpNum 0x00 and certain vulnerable function IDs can overflow a buffer, which could lead to arbitrary code execution or abnormal termination of the WebAccess process.

CVSS: 10.0
ID: E16-4jq01
References: CVE-2016-2006, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
Category: Exploits
Info: This strike exploits a buffer overflow vulnerability in HP Data Protector's Backup Client Service (OmniInet.exe). The vulnerability is due to improper checks on an EXEC_BAR request message. A message with an overly long Domain parameter will overflow a stack buffer, which can result in remote code execution.

CVSS: 10.0
ID: E16-3rg01
References: APSB-16-08, BID-84312, CVE-2016-0988, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), GOOGLE-681, SECURITYTRACKER-1035252
Category: Exploits
Info: This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to a use after free in setInterval. An attacker can entice a target to open a specially crafted Flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the Flash process.

CVSS: 10.0
ID: E15-9i301
References: APSB-15-32, BID-78715, CVE-2015-8427, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), EXPLOITDB-39053, GOOGLE-579, SECURITYTRACKER-1034318
Category: Exploits
Info: This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to a use after free in the TextField variable setter. An attacker can entice a target to open a specially crafted Flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the Flash process.

CVSS: 10.0
ID: E15-9i201
References: APSB-15-32, BID-78715, CVE-2015-8426, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), EXPLOITDB-39650, GOOGLE-581, SECURITYTRACKER-1034318
Category: Exploits
Info: This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to a use after free in the TextField maxChars setter. An attacker can entice a target to open a specially crafted Flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the Flash process.

CVSS: 10.0
ID: E14-9ig01
References: APSB-14-24, BID-71047, CVE-2014-8440, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), EXPLOITDB-36880, SECURITYTRACKER-1031182, URL
Category: Exploits
Info: This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails to initialize allocated memory. An attacker can entice a target to open a specially crafted Flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the Flash process.

CVSS: 10.0
ID: E14-3eb02
References: APSB-14-13, BID-67092, CVE-2014-0515, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), EXPLOITDB-33333, SECUNIA-SA58085, SECURITYTRACKER-1030155
Category: Exploits
Info: This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to improper verification of the data type of the defaultValue metadata and of the data type of the parameter. An attacker can entice a target to open a specially crafted Flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the Flash process.

CVSS: 9.3
ID: E16-5hi01
References: BID-91094, CVE-2016-3222, CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C), MS16-068
Category: Exploits
Info: This strike exploits a vulnerability in the Microsoft Edge browser. Specifically, the vulnerability exists in the isEqualNode method. An uninitialized local variable is used by another function and is later dereferenced, leading to memory corruption. This memory corruption can potentially result in remote code execution or a denial of service condition in the application.

CVSS: 9.3
ID: E15-7nu01
References: BID-76984, CVE-2015-6042, CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C), MS15-106, URL
Category: Exploits
Info: This strike exploits a vulnerability in Microsoft Internet Explorer. Specifically, a use after free occurs when an iframe element is encountered that points to code in which a CWindow object is created. If the children of this object are deleted upon invoking an event listener, memory corruption can occur, leading to a use after free condition. An attacker may be able to control this, potentially leading to remote code execution or a denial of service in the Internet Explorer application.

CVSS: 8.5
ID: E16-ofr01
References: CVSS-8.5 (AV:N/AC:L/AU:N/C:P/I:C/A:N), EXPLOITDB-40170, MSF-MODULES/EXPLOITS/LINUX/HTTP/CENTREON_USERALIAS_EXEC.RB
Category: Exploits
Info: This strike exploits a vulnerability in the Centreon Web Interface. The vulnerability is due to how Centreon uses the echo command for logging SQL errors. An unauthenticated attacker can abuse this functionality to inject and execute commands remotely from the login screen.

CVSS: 7.5
ID: E16-2vf01
References: CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P), EXPLOITDB-40130, URL
Category: Exploits
Info: This strike exploits a command execution vulnerability in the Drupal RESTful Web Services (RESTWS) module. The RESTWS module checks whether a request references a callback function. If it does not have a default callback function, other arguments in the URL are handled as arguments, including one that is used as the callback function. This argument can be set to "system", allowing command execution. An attacker can send a specially crafted HTTP request to achieve remote PHP command execution. Successful exploitation can result in the execution of arbitrary code with the privileges of the target Drupal server.

Modified Strikes (1)

CVSS: 10.0
ID: E15-ydi01
References: ZDI-15-180, CVSS-10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Category: Exploits
Info: Updated the CVSS score to a fractional value for Strike E15-ydi01.