Ixia ATI Update 2016-17 (278632)

Defects Resolved

Ticket Info
DE4958 Strikes for CVE-2012-4226, CVE-2013-0083, CVE-2009-0237 had unencoded characters in their URI strings. The URI strings are now properly encoded.
DE5492 Security test components configured with a "Strike List Iterations" of 1 or greater were subject to an issue in which subsequent iterations of a strike were blocked due to a system error. This fix corrects that issue.
DE6446 (1406147) The client in super flow "DCE RPC MAPI" was sending its SYN to the wrong destination IP, resulting in a TCP reset of the 'DCE RPC MAPI Session'. This issue has been fixed in this release.
DE6489 The RADIUS "Behavior on disabled fields" setting added in ATI Update 277126 has been updated for clarity. In addition, the setting label has been changed to "Behavior on disabled AVP fields".
DE6496 (1406744) The strike E10-4i301 has been modified and no longer encodes the URI characters "?" and "=".

Enhancements

Ticket Info
US51424 The following Super Flows have been deprecated as they have been superseded by newer versions provided in the monthly Evergreen update: "Hotmail" (now "Evergreen Windows Live Mail"), "Hotmail-French", "Hotmail-German", "Hotmail-Italian", "Hotmail-Japanese", "Hotmail-Persian", "Hotmail-Spanish", "Ymail" (now "Evergreen Yahoo Mail"). The "GMX" Flow and Super Flows have been deprecated and replaced with a new "GMX Mail Aug 16" Flow and accompanying Super Flows.

New Protocols & Applications (3)

Name Category Info
Gmx Aug16 Email/WebMail Emulates the use of the GMX Mail website as of August 2016. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
Google Safe Browsing Aug16 Social Networking/Search Google Safe Browsing is a blacklist service operated by Google that publishes lists of URLs for web resources that contain malware or phishing content. The Google Chrome, Apple Safari and Mozilla Firefox web browsers use the lists from the Google Safe Browsing service to check pages against potential threats. Google also provides a public API for the service. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
Google Voice Actions Aug16 Social Networking/Search Google Voice Actions let users quickly complete tasks in your app using voice commands. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

New Super Flows (9)

Name Category Info
GMX Mail Aug 16 Email/WebMail Emulates the use of the GMX Mail website as of August 2016. All of the available actions for this flow are exercised. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
GMX Mail Aug 16 Send Message Email/WebMail Emulates the use of the GMX Mail website as of August 2016. The user accesses the sign in page, signs in, views the inbox, sends a message then logs out. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
GMX Mail Aug 16 Send Message with Attachment Email/WebMail Emulates the use of the GMX Mail website as of August 2016. The user accesses the sign in page, signs in, views the inbox, sends a message with attachment then logs out. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
GMX Mail Aug 16 View Message Email/WebMail Emulates the use of the GMX Mail website as of August 2016. The user accesses the sign in page, signs in, views the inbox, views a message then logs out. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
GMX Mail Aug 16 View Message with Attachment Email/WebMail Emulates the use of the GMX Mail website as of August 2016. The user accesses the sign in page, signs in, views the inbox, views a message that contains an attachment then logs out. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
Google Safe Browsing Social Networking/Search Matches a URL against lists of URLs with web resources that contain malware or phishing content.
Google Voice Actions Social Networking/Search Use voice commands to access phone options and to perform Google searches. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
Google Voice Actions Google Search Social Networking/Search Use voice commands to perform a Google search for the specified information. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
Google Voice Actions Phone Options Social Networking/Search Use voice commands to access phone options. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

New Strikes (12)

CVSS ID References Category Info
10.0 E16-3nq01 BID-80745
CVE-2016-0854
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
EXPLOITDB-39735
SCIP-80271
URL
ZDI-16-127
ZDI-16-128
Exploits This strike exploits a file upload vulnerability in Advantech WebAccess. WebAccess has several URIs designed to accept image files. The uploaded files are not verified, so specially crafted HTTP POST requests can be used to upload an arbitrary file. This includes uploading ASP and ASPX files, which can then be requested to achieve arbitrary ASP code execution with the privileges of the IIS service. Successful exploitation may result in creation of arbitrary files and could lead to arbitrary code execution.
10.0 E16-3ru01 APSB-16-08
BID-84311
CVE-2016-1002
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
EXPLOITDB-39608
GOOGLE-721
SECURITYTRACKER-1035251
Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to a memory corruption in shape rendering. An attacker can entice a target to open a specially crafted flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the flash process.
10.0 E15-9i501 APSB-15-32
BID-78715
CVE-2015-8429
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
EXPLOITDB-39052
GOOGLE-577
SECURITYTRACKER-1034318
Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to a use after free in TextField type setter. An attacker can entice a target to open a specially crafted flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the flash process.
10.0 E15-9i401 APSB-15-32
BID-78715
CVE-2015-8428
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
EXPLOITDB-39051
GOOGLE-578
SECURITYTRACKER-1034318
Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to a use after free in TextField htmlText setter. An attacker can entice a target to open a specially crafted flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the flash process.
10.0 E15-9i101 APSB-15-32
BID-78715
CVE-2015-8425
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
EXPLOITDB-39049
GOOGLE-583
SECURITYTRACKER-1034318
Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to a use after free in TextField variable. An attacker can entice a target to open a specially crafted flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the flash process.
10.0 E15-9i001 APSB-15-32
BID-78715
CVE-2015-8424
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
EXPLOITDB-39048
GOOGLE-584
SECURITYTRACKER-1034318
Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to a use after free in replaceText. An attacker can entice a target to open a specially crafted flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the flash process.
8.5 E16-7wu02 CVE-2016-6366
CVSS-8.5 (AV:N/AC:M/AU:S/C:C/I:C/A:C)
URL
Exploits This strike exploits a buffer overflow vulnerability in the SNMP service of several Cisco products. All versions of Cisco ASA software are reported to be affected. The vulnerability is due to a buffer overflow when parsing SNMP packets. This vulnerability allows an attacker with knowledge of the SNMP community string and access to the management interface to remotely execute code. NOTE: A publicly available exploit for this vulnerability can be found in the reported leak of 0Day exploits from the NSA by a group known as the "Shadow Brokers", identified as EXTRABACON.
7.5 E12-3pb01 BID-54298
CVE-2012-0911
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
EXPLOITDB-19573
EXPLOITDB-19630
MSF-MODULES/EXPLOIT/UNIX/WEBAPP/TIKIWIKI_UNSERIALIZE_EXEC
Exploits This strike exploits a code execution vulnerability in Tiki Wiki. Certain configurations of Tiki Wiki will allow writing of arbitrary PHP code via the printpages parameter of the tiki-print_multi_pages script. A specially crafted HTTP request can write and call arbitrary PHP code, resulting in arbitrary code execution.
7.5 E16-6ht01 BID-91778
CVE-2016-4529
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
URL
Exploits This strike exploits a pointer dereference vulnerability in Schneider Electric's SoMachine HVAC software. Specifically, the SetDataIntf method in the AxEditGrid ActiveX control can be used by an attacker to corrupt memory. This memory corruption can lead to a denial of service condition or possible remote code execution.
6.4 E16-6hw01 BID-91077
CVE-2016-4532
CVSS-6.4 (AV:N/AC:L/AU:N/C:P/I:P/A:N)
URL
Exploits This strike exploits a directory traversal vulnerability in Trihedral VTScada. When an unauthenticated user pairs this attack with CVE-2016-4510, which allows a file to be specified with an embedded null character, directory traversal sequences can be added to the file name and are interpreted as part of the file path. This allows a remote attacker to traverse the application's directory structure and read documents at will.
6.4 E16-6ha01 BID-91077
CVE-2016-4510
CVSS-6.4 (AV:N/AC:L/AU:N/C:P/I:P/A:N)
URL
Exploits This strike exploits a filter bypass vulnerability in Trihedral VTScada. Specifically, the VTScada application allows an unauthenticated user to send HTTP requests that access files with one of several valid file extensions. However, if a null byte is included before the valid file extension, the application accepts the string but truncates the file path at the null character, so the extension check is applied to a different name than the one actually opened. This allows a remote attacker to disclose file contents that are not meant to be seen by external users.
2.6 E16-5kf01 BID-92284
CVE-2016-3327
CVSS-2.6 (AV:N/AC:H/AU:N/C:P/I:N/A:N)
MS16-095
Exploits This strike exploits a vulnerability in the Microsoft Internet Explorer and Edge browsers. A buffer overrun can occur when an invalid UNC URL is processed. When this happens the code enters a loop that iterates through the buffer containing the attacker-specified URL. Eventually this exhausts the memory that was allocated for the buffer, causing a denial of service condition in the browser and potentially allowing the attacker to disclose memory contents that can be used in other types of attacks.
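The Advantech WebAccess upload strike (E16-3nq01) and the two VTScada strikes (E16-6ha01, E16-6hw01) above describe the same class of defect on the server side: a file name or file body from an unauthenticated client is trusted after a superficial check. The following is an added example, not Ixia or vendor code, showing the weak pattern beside a hardened one. The null-byte truncation is simulated in Python (a C-backed file API stops at the first NUL; Python's own open() refuses such names), and WEB_ROOT, the extension allowlist and the magic-byte table are assumptions chosen for the example.

```python
"""Untrusted file names and upload bodies: weak checks vs. hardened checks (added example)."""
import hashlib
import posixpath
from typing import Optional, Tuple

WEB_ROOT = "/srv/app/public"                      # assumed document root
ALLOWED_DOC_EXT = (".html", ".htm", ".txt")       # assumed allowlist for file reads
ALLOWED_IMAGE = {                                 # assumed allowlist + magic bytes for uploads
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def c_truncate(name: str) -> str:
    """Simulate a C string API: everything after the first NUL byte is invisible."""
    return name.split("\x00", 1)[0]


def weak_read_path(name: str) -> Optional[str]:
    """Vulnerable pattern (as in the VTScada description): the extension check runs on
    the full string, but the file is then opened through a NUL-terminated API."""
    if not name.lower().endswith(ALLOWED_DOC_EXT):
        return None
    return posixpath.normpath(posixpath.join(WEB_ROOT, c_truncate(name)))


def safe_read_path(name: str) -> Optional[str]:
    """Hardened: reject control characters (including NUL) and backslashes, normalise the
    joined path, then require that it is still under WEB_ROOT and has an allowed extension."""
    if not name or any(ord(ch) < 0x20 or ch == "\x7f" for ch in name):
        return None
    if "\\" in name:
        return None
    full = posixpath.normpath(posixpath.join(WEB_ROOT, name.lstrip("/")))
    if not full.startswith(WEB_ROOT + "/"):
        return None            # traversal escaped the document root
    if not full.lower().endswith(ALLOWED_DOC_EXT):
        return None
    return full


def validate_image_upload(client_name: str, data: bytes) -> Tuple[bool, str]:
    """Accept an 'image' upload only if the name and the content both say image.
    Returns (accepted, reason_or_stored_name)."""
    if "\x00" in client_name or "/" in client_name or "\\" in client_name:
        return False, "bad characters in file name"
    ext = posixpath.splitext(client_name.lower())[1]
    if ext not in ALLOWED_IMAGE:
        return False, f"extension {ext or '(none)'} not allowed"
    if not data.startswith(ALLOWED_IMAGE[ext]):
        return False, "content does not match declared image type"
    # Never reuse the client's name on disk: derive the stored name from the content.
    return True, hashlib.sha256(data).hexdigest()[:32] + ext


if __name__ == "__main__":
    # Constructed sample inputs.
    print(weak_read_path("../../../etc/passwd\x00.html"))   # escapes the root
    print(safe_read_path("../../../etc/passwd\x00.html"))   # None
    print(safe_read_path("docs/index.html"))                # inside WEB_ROOT
    print(validate_image_upload("shell.aspx", b"<%@ Page %>"))
    print(validate_image_upload("shell.png", b"<%@ Page %>"))
    print(validate_image_upload("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

The two rules that matter are visible in the hardened functions: decide on the normalised path, not on the raw string, and treat the client's file name as a hint only, with the accepted type decided by content and the on-disk name generated by the server.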

Modified Strikes (4)

CVSS ID References Category Info
10.0 E10-4i301 BID-39114
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
Exploits The strike E10-4i301 has been modified and no longer encodes the URI characters "?" and "=".
5.0 E12-69e01 BID-54311
CVE-2012-4226
CVSS-5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)
URL
Exploits Strikes for CVE-2012-4226, CVE-2013-0083, CVE-2009-0237 had unencoded characters in their URI strings. The URI strings are now properly encoded.
4.3 E09-06l01 CVE-2009-0237
CVSS-4.3 (AV:N/AC:M/AU:N/C:N/I:P/A:N)
MS09-016
Exploits Strikes for CVE-2012-4226, CVE-2013-0083, CVE-2009-0237 had unencoded characters in their URI strings. The URI strings are now properly encoded.
4.3 E13-32b01 BID-58367
CVE-2013-0083
CVSS-4.3 (AV:N/AC:M/AU:N/C:N/I:P/A:N)
MS13-024
Exploits Strikes for CVE-2012-4226, CVE-2013-0083, CVE-2009-0237 had unencoded characters in their URI strings. The URI strings are now properly encoded.
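The two encoding fixes in this update pull in opposite directions: DE4958 adds percent-encoding that was missing from three strikes, while DE6496 / E10-4i301 removes encoding of "?" and "=". Both matter for the same reason: a request target must encode characters that are not allowed in a URI, but must leave the delimiters alone, or the target parses a different request and the strike never reaches the code path it is meant to exercise. The following is an added example (not Ixia code) using only the Python standard library; the sample target is constructed and the delimiter set is the RFC 3986 reserved characters that carry meaning inside a path and query.

```python
"""Percent-encoding a request target without destroying its delimiters (added example)."""
from urllib.parse import parse_qs, quote, urlsplit

# RFC 3986 gen-delims / sub-delims that structure a request target. They stay
# literal when encoding a whole target; only a single component value may encode them.
TARGET_SAFE = "/?=&;:@!$'()*+,"

SAMPLE_TARGET = "/app/search?q=hello world&lang=en"   # constructed: space needs encoding


def encode_target(raw: str) -> str:
    """Correct: encode disallowed characters (space, quotes, non-ASCII, ...) but keep delimiters."""
    return quote(raw, safe=TARGET_SAFE)


def encode_everything(raw: str) -> str:
    """Over-encoded, the E10-4i301 defect: '?', '=' and '&' are percent-encoded too."""
    return quote(raw, safe="/")


def server_view(target: str) -> dict:
    """What a server-side parser sees: path plus decoded query parameters."""
    parts = urlsplit(target)
    return {"path": parts.path,
            "query": parse_qs(parts.query, keep_blank_values=True)}


def query_survives(raw: str, encoded: str) -> bool:
    """True if the encoded form still delivers the same parameters as the raw intent."""
    return server_view(encoded)["query"] == server_view(raw)["query"]


if __name__ == "__main__":
    good = encode_target(SAMPLE_TARGET)
    bad = encode_everything(SAMPLE_TARGET)
    print(good, server_view(good))   # parameters arrive
    print(bad, server_view(bad))     # whole string becomes the path, query is empty
    print(query_survives(SAMPLE_TARGET, good), query_survives(SAMPLE_TARGET, bad))
```

The same check is what a reviewer of a strike's URI should apply: decode what the device under test would see and confirm the parameter names and values the strike depends on are still present as parameters, not folded into the path.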