Ixia ATI Update 2016-21 (285362)

Defects Resolved

Ticket Info
DE6712 Updated the queryString used by 24 dynamic strike lists (including "Strike Level by Year") to exclude malware strikes by file path.
DE4799 (1355592) Fixed an issue that could cause a test to hang while running HTTP-based attacks with the "EnableOnAllHTTP" option set in the SSL Evasion profile, through a DUT configured as an SSL transparent proxy.
DE6618 Fixed the protocol attribute for 17 Strikes in the /strikes/exploits/misc directory (see the Modified Strikes section for the list). Their metadata, including keywords, references and description, was updated as well.
DE6685 (1416489) The StructureSize field in the SMB2 TREE_CONNECT Request has been updated to adhere to the Microsoft SMB Protocol Version 2 specification (MS-SMB2). The value is now 9 regardless of the size of the following buffer, as the specification requires.
DE6689 (1416052) Resolved an issue in which some web applications produced an HTTP response whose status line contained a space inside the status code.
DE6693 (1416723) The "ServerCertificateFile", "ServerKeyFile", "ClientCertificateFile", and "ClientKeyFile" options in the Security Component Evasion Profile now allow the selection of a system-provided SSL resource.
DE6700 (1416952) The descriptions of the "Application Protocols A-M" and "Application Protocols N-Z" Application Profiles have been updated to indicate that updates to these profiles may take several minutes to process.
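For DE6685 above, an added example (not Ixia's code) of encoding and validating the TREE_CONNECT Request body so that StructureSize is always 9, as MS-SMB2 2.2.9 requires. The field layout and the 64-byte header length come from the specification; the function names, the structure_size override (used only to produce a non-conforming request for testing) and the sample share path are this example's own assumptions.

```python
import struct

SMB2_HEADER_LEN = 64          # fixed SMB2 packet header size (MS-SMB2 2.2.1)
TREE_CONNECT_STRUCT_SIZE = 9  # MS-SMB2 2.2.9: always 9, whatever the length of Buffer


def build_tree_connect(share_path: str, flags: int = 0,
                       structure_size: int = TREE_CONNECT_STRUCT_SIZE) -> bytes:
    """Encode an SMB2 TREE_CONNECT Request body (the bytes that follow the 64-byte header).

    Layout: StructureSize(2) Flags/Reserved(2) PathOffset(2) PathLength(2) Buffer(variable).
    PathOffset is measured from the start of the SMB2 header, so it is 64 + 8 = 72 here.
    structure_size is overridable only so a non-conforming request can be produced for testing
    (this override is an assumption of the example, not a protocol option).
    """
    buffer = share_path.encode("utf-16-le")          # share path is UTF-16LE, no terminator
    path_offset = SMB2_HEADER_LEN + 8
    fixed = struct.pack("<HHHH", structure_size, flags, path_offset, len(buffer))
    return fixed + buffer


def parse_tree_connect(body: bytes) -> dict:
    """Decode a TREE_CONNECT Request body, enforcing the StructureSize the spec mandates."""
    if len(body) < 8:
        raise ValueError("body shorter than the fixed 8-byte part")
    structure_size, flags, path_offset, path_length = struct.unpack_from("<HHHH", body, 0)
    if structure_size != TREE_CONNECT_STRUCT_SIZE:
        raise ValueError(f"StructureSize is {structure_size}, expected {TREE_CONNECT_STRUCT_SIZE}")
    start = path_offset - SMB2_HEADER_LEN        # header-relative offset -> body-relative
    if start < 8 or start + path_length > len(body):
        raise ValueError("PathOffset/PathLength point outside the body")
    path = body[start:start + path_length].decode("utf-16-le")
    return {"structure_size": structure_size, "flags": flags,
            "path_offset": path_offset, "path_length": path_length, "path": path}


def is_conformant_tree_connect(body: bytes) -> bool:
    """True if the body parses and carries the spec-mandated StructureSize of 9."""
    try:
        parse_tree_connect(body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample share path, not taken from the release notes.
    req = build_tree_connect(r"\\server\share")
    print(req.hex())
    print(parse_tree_connect(req))
```

A DUT or capture check for this defect reduces to the first two bytes of the body after the 64-byte header: they must be 09 00, independent of how long the share path is.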
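For DE6689 above, an added example (not part of this release or Ixia's code) contrasting a strict RFC 7230 status-line parser with the split-on-whitespace shortcut that silently misreads a status code containing a space. The function names and the sample status lines are constructed for illustration.

```python
import re

# RFC 7230 3.1.2: status-line = HTTP-version SP status-code SP reason-phrase CRLF
# status-code is exactly 3DIGIT; the reason phrase may be empty, but the SP before it is required.
_STATUS_LINE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3})(?: ([^\r\n]*))?\r\n")


def parse_status_line(head: bytes):
    """Return (major, minor, status_code, reason) for a well-formed status line, else None."""
    m = _STATUS_LINE.match(head)
    if m is None:
        return None
    reason = m.group(4) or b""
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), reason.decode("latin-1")


def naive_status_code(head: bytes) -> int:
    """The split-on-whitespace shortcut: takes the second token as the status code.

    For "HTTP/1.1 2 00 OK" this returns 2 without any error, which is how a malformed
    status line turns into wrong behaviour downstream instead of a clean rejection.
    """
    return int(head.split()[1])


def classify_response(head: bytes) -> str:
    """Label a response head for a test harness: 'ok' or 'malformed-status-line'."""
    return "ok" if parse_status_line(head) is not None else "malformed-status-line"


if __name__ == "__main__":
    # Constructed samples: one well-formed, one with a space inside the status code.
    for sample in (b"HTTP/1.1 200 OK\r\n\r\n", b"HTTP/1.1 2 00 OK\r\n\r\n"):
        print(sample[:20], parse_status_line(sample), classify_response(sample))
```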

Enhancements

Ticket Info
US8573 (36921) Updated the 'Accept-Language' HTTP header generated in HTTP Permutations Super Flows to match the other payload languages (previously only English was matched). The Super Flow's logic was not changed.
US56084 SNMPv2c now supports multiple OIDs in the GET Request and GET Response actions. See the instructions in those actions on how to import them from a CSV file.
US56759 Added a canned test, Super Flows, and an Application Profile to emulate the Shadow Brokers exploit chain.

New Protocols & Applications (2)

Name Category Info
YouTube Sep16 Voice/Video/Media YouTube is an American video-sharing website headquartered in San Bruno, California, United States that operates as one of Google's subsidiaries. The site allows users to upload, view, rate, share and comment on videos. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
Tinder Sep16 Social Networking/Search Tinder is a location-based social search service application (using Facebook) that facilitates communication between mutually interested users, allowing matched users to chat. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

New Super Flows (6)

Name Category Info
Equation Group Cisco Exploit Chain Security A demonstration of the Equation Group's exploit chain targeting the ASA and PIX platforms. Creates traffic seen from exploitation through to command and control traffic. See blog post at https://www.ixiacom.com/company/blog/equation-groups-firewall-exploit-chain for more information.
YouTube September 2016 Voice/Video/Media Traffic that simulates some of the actions a user can perform on the YouTube website.
YouTube September 2016 Browse Sections Voice/Video/Media Traffic that simulates browsing through sections, viewing the account settings and trying to upload an image.
YouTube September 2016 Play Video Voice/Video/Media Traffic that simulates playing a video, rating it, creating a playlist and subscribing to channels.
Tinder Social Networking/Search Traffic that simulates signing in, swiping and changing settings in the Tinder app. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
Tinder Swiping Social Networking/Search Traffic that simulates signing in and swiping in the Tinder app. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

New Application Profiles (3)

Name Info
Equation Group Cisco Exploit Chain This Application Profile demonstrates the Equation Group's exploit chain targeting the ASA and PIX platforms. See blog post at https://www.ixiacom.com/company/blog/equation-groups-firewall-exploit-chain for more information.
Top Five Microsoft Windows Applications 2016 This traffic mix represents five of the most popular Microsoft Windows applications in 2016.
Top Five Android Apps 2016 This traffic mix represents five of the most popular Android applications in 2016.

New Canned Test (1)

Name Info
Equation Group Cisco Exploit Chain This test recreates the steps involved in compromising a device and maintaining control of it, using the exploit kit and tooling from the Shadow Brokers leak in mid-2016.

New Strikes (11)

CVSS ID References Category Info
10.0 E16-6ar01 APSB-16-29
CVE-2016-4275
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
EXPLOITDB-40421
GOOGLE-859
SECURITYTRACKER-1036794
Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. Memory corruption occurs when freeing memory after AVC decoding. An attacker can entice a target to open a specially crafted Flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the Flash process.
10.0 E16-3rt01 APSB-16-08
BID-84310
CVE-2016-1001
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
EXPLOITDB-39609
GOOGLE-720
SECURITYTRACKER-1035251
Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to a heap overflow in the Zlib codecs used when playing FLV files in flash. An attacker can entice a target to open a specially crafted flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the flash process.
10.0 E15-9hw01 APSB-15-32
BID-78715
CVE-2015-8420
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
EXPLOITDB-39044
GOOGLE-588
SECURITYTRACKER-1034318
Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to a use after free in TextField sharpness setter. An attacker can entice a target to open a specially crafted flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the flash process.
10.0 E15-9hp01 APSB-15-32
BID-78715
CVE-2015-8413
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
EXPLOITDB-39043
GOOGLE-590
SECURITYTRACKER-1034318
Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to a use after free in Selection SetSelection. An attacker can entice a target to open a specially crafted flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the flash process.
10.0 E15-6f401 APSB-15-16
BID-75592
CVE-2015-4432
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
GOOGLE-425
SECURITYTRACKER-1032810
Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to a heap overflow when loading an FLV file that uses the Nellymoser audio codec. An attacker can entice a target to open a specially crafted Flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the Flash process.
7.6 E16-5ji01 CVE-2016-3294
CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C)
MS16-105
Exploits This strike exploits a memory corruption vulnerability in the Microsoft Edge browser. Specifically, when an attacker crafts an HTML page with an element that calls the insertAdjacentText or insertAdjacentHTML functions, a type confusion can occur. This can potentially lead to remote code execution within the context of the current user, or a denial of service condition in the browser.
7.2 E14-a5y01 CVE-2014-9286
CVSS-7.2 (AV:L/AC:L/AU:N/C:C/I:C/A:C)
SECURITYTRACKER-1036438
URL
Exploits This strike exploits an integer signedness error in the FreeBSD bspatch utility. The control block data of bsdiff patch files is handled differently by the 32-bit and 64-bit versions of bspatch. Because of this difference, certain negative values cause data to be written outside the allocated buffer. An attacker can create a malicious patch file which, when applied, may cause arbitrary code execution or abnormal termination of the bspatch utility.
5.1 E16-5jj01 CVE-2016-3295
CVSS-5.1 (AV:N/AC:H/AU:N/C:P/I:P/A:P)
MS16-104
Exploits This strike exploits a memory corruption vulnerability in the Microsoft Internet Explorer and Edge browsers. Specifically, when an attacker crafts an HTML page with a caption element that contains a doctype declaration, a type confusion can occur. This can potentially lead to remote code execution within the context of the current user, or a denial of service condition in the browser.
5.0 E16-6ih01 CVE-2016-4553
CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:P/A:N)
SECURITYTRACKER-1035768
URL
Exploits This strike exploits a cache poisoning vulnerability in Squid Proxy Server. Squid accepts fully qualified domain names (absolute URIs) in the Request-URI field of HTTP requests. When given one, it does not ignore the Host header as it should. If an attacker places a legitimate fully qualified domain name in the Request-URI and an attacker-controlled domain in the Host header, Squid fetches content from the attacker-controlled domain and caches it under the legitimate URL. Subsequent users who request the URL the attacker supplied in the Request-URI are served the cached malicious content instead.
5.0 D16-4zd01 BID-83406
CVE-2016-2569
CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P)
SECURITYTRACKER-1035101
URL
Denial This strike exploits a denial of service vulnerability in Squid Proxy Server. The Vary header consists of comma-delimited values. The server expands this header into a comma-and-space delimited string. This expansion may cause the string to exceed the maximum character limit, which results in an assertion failure that terminates the Squid process. Successful exploitation results in abnormal termination of the Squid process, leading to a denial of service condition.
2.6 E16-5l301 CVE-2016-3351
CVSS-2.6 (AV:N/AC:H/AU:N/C:P/I:N/A:N)
MS16-104
Exploits This strike exploits an information disclosure vulnerability in the Microsoft Internet Explorer and Edge browsers. Specifically, an attacker can specify different MIME type extensions in JavaScript to determine whether a certain program is installed on the target machine.
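For the bspatch strike (the CVE-2014-9286 entry above), an added example in Python, not the bspatch source, that models the control-record decoding and two versions of the bounds check: the original upper-bound-only test, which lets a negative length through and moves the write position backwards, and a hardened test that rejects negative or oversized lengths before the bound test. The sign-magnitude offtin encoding is bsdiff's; offtout, the check function names and the sample control record are constructed here for illustration.

```python
INT_MAX = 2**31 - 1


def offtin(buf: bytes) -> int:
    """Decode bsdiff's 8-byte little-endian sign-magnitude integer (bit 7 of the last byte is the sign)."""
    if len(buf) < 8:
        raise ValueError("need 8 bytes")
    magnitude = int.from_bytes(buf[:7], "little") | ((buf[7] & 0x7F) << 56)
    return -magnitude if buf[7] & 0x80 else magnitude


def offtout(value: int) -> bytes:
    """Inverse of offtin; used here only to construct a sample control record."""
    out = bytearray(abs(value).to_bytes(8, "little"))
    if value < 0:
        out[7] |= 0x80
    return bytes(out)


def parse_control_triple(ctrl: bytes) -> tuple:
    """One 24-byte control record: (diff length, extra length, seek adjustment)."""
    if len(ctrl) < 24:
        raise ValueError("control record truncated")
    return offtin(ctrl[0:8]), offtin(ctrl[8:16]), offtin(ctrl[16:24])


def check_control_original(x: int, y: int, newpos: int, newsize: int) -> bool:
    """Model of the pre-fix check: only `newpos + length > newsize` is tested.

    A negative x passes the test, newpos moves backwards, and the next write
    (the extra block of length y) lands before the start of the output buffer.
    """
    if newpos + x > newsize:
        return False
    newpos += x
    if newpos + y > newsize:
        return False
    return True


def check_control_hardened(x: int, y: int, newpos: int, newsize: int) -> bool:
    """Model of a fixed check: lengths must be non-negative and fit in an int before the bound test."""
    if x < 0 or x > INT_MAX or y < 0 or y > INT_MAX:
        return False
    return check_control_original(x, y, newpos, newsize)


if __name__ == "__main__":
    # Constructed control record: negative diff length, small extra block, no seek.
    ctrl = offtout(-4096) + offtout(16) + offtout(0)
    x, y, z = parse_control_triple(ctrl)
    print("record:", (x, y, z))
    print("original check accepts:", check_control_original(x, y, 0, 8192))
    print("hardened check accepts:", check_control_hardened(x, y, 0, 8192))
```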
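For the Squid cache-poisoning strike (the CVE-2016-4553 entry above), an added example (not Squid's code) that parses a proxy request carrying an absolute URI, compares the URI's authority with the Host header, and shows the two policies: forwarding to the Host header's origin while caching under the request-line URL (the poisonable behaviour the strike relies on), versus rejecting the request when the two disagree. The request samples are constructed and the function names are this example's own.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_request_head(raw: bytes):
    """Split a request head into (method, request-target, version, headers); header names lower-cased."""
    lines = raw.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def _origin(scheme: str, authority: str) -> tuple:
    """Normalise 'host[:port]' to (scheme, lower-case host, explicit port) so comparisons are fair."""
    parts = urlsplit("//" + authority)
    return (scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(scheme))


def inspect_request(raw: bytes) -> dict:
    """Extract the URI origin and the Host-header origin and flag whether they disagree."""
    method, target, version, headers = parse_request_head(raw)
    if "://" not in target:
        raise ValueError("only absolute-form request-targets are modelled here")
    u = urlsplit(target)
    uri_origin = _origin(u.scheme, u.netloc)
    host_hdr = headers.get("host")
    host_origin = _origin(u.scheme, host_hdr) if host_hdr else None
    return {"method": method, "uri_origin": uri_origin, "host_origin": host_origin,
            "path": u.path or "/",
            "mismatch": host_origin is not None and host_origin != uri_origin}


def route_request(raw: bytes, strict: bool):
    """Decide the upstream origin and the cache key for a proxy request.

    strict=False models the vulnerable behaviour: connect to the Host header's origin but
    cache the response under the URL from the request line, so a mismatch poisons the
    cache entry for the legitimate URL.
    strict=True models the hardened behaviour: a Host header that disagrees with the
    absolute URI is rejected (None) rather than forwarded.
    """
    info = inspect_request(raw)
    if info["mismatch"] and strict:
        return None
    scheme, host, port = info["uri_origin"]
    cache_key = f"{scheme}://{host}:{port}{info['path']}"
    upstream = info["host_origin"] if (info["mismatch"] and not strict) else info["uri_origin"]
    return {"upstream": upstream, "cache_key": cache_key, "mismatch": info["mismatch"]}


if __name__ == "__main__":
    # Constructed poisoning attempt: legitimate absolute URI, attacker-controlled Host header.
    poison = b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: evil.example\r\n\r\n"
    print("lenient:", route_request(poison, strict=False))
    print("strict: ", route_request(poison, strict=True))
```

The comparison normalises case and default ports before deciding on a mismatch, so a Host header such as WWW.EXAMPLE.COM:80 is not treated as an attack against http://www.example.com/; only a genuinely different origin is rejected.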

Modified Strikes (17)

CVSS ID References Category Info
10.0 E14-6za01 BID-68998
CVE-2014-5158
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
ZDI-14-272
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
10.0 E13-7s301 BID-64647
CVE-2013-6195
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
ZDI-14-009
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
10.0 E13-6f201 CVE-2013-6194
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
ZDI-14-003
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
10.0 E13-6ez01 CVE-2013-2348
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
SCIP-65986
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
10.0 E11-4c101 BID-47638
CVE-2011-1729
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
SCIP-57380
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
10.0 E11-3pn01 BID-46234
CVE-2011-0923
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
SCIP-56392
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
10.0 E11-3pm01 BID-46234
CVE-2011-0922
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
10.0 E09-35301 BID-33554
CVE-2009-0183
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
9.3 E13-u0m01 CVE-2010-0478
CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)
EXPLOITDB-16333
MS10-025
SCIP-4103
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
9.3 E09-5z101 CVE-2009-3853
CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)
SCIP-50694
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
9.3 E09-35401 BID-33555
CVE-2009-0184
CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)
EXPLOITDB-16634
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
7.5 E09-51101 BID-36384
CVE-2009-2629
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
6.4 E14-6zc01 CVE-2014-5160
CVSS-6.4 (AV:N/AC:L/AU:N/C:N/I:P/A:P)
ZDI-14-263
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
5.0 E12-47p01 BID-52667
CVE-2012-1573
CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P)
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
5.0 E12-47l01 BID-52668
CVE-2012-1569
CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P)
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
5.0 E10-3kk01 BID-39013
CVE-2010-0740
CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P)
EXPLOITDB-12334
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.
5.0 E09-3of01 BID-34061
CVE-2009-0879
CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P)
Exploits Fixed protocol attribute for 17 Strikes in the /strikes/exploits/misc directory. Additionally, metadata, including keywords, references and description, updated as well.