Ixia ATI Update 2017-06 (302252)

Defects Resolved

DE6791: Altered strike cve_2016_2569_squid_vary_header_long_string_denial_of_service.xml to support source NAT configurations.
DE7259 (1430303): Fixed a desynchronization between client and server in FileTransfer strikes when the "Ignore HTTP Headers" evasion profile option is set.
DE7419 (1433725): Updated the destination port of the DCE RPC Endpoint Mapper flow to 135 (instead of 111), which is the port the Endpoint Mapper actually listens on.
DE7442: The '3GPP LI Handover' and '3GPP LI Handover (Lawful Intercept)' Super Flows have been modified to remove extra segments that could appear in their flows.
DE7452: The HTTP application was changed so that some tests using the default Client Profile setting may now be assigned a different random profile than before. This can change which headers are sent and their values (User-Agent, ...).
DE7459: Changed the X-Forwarded-For header in the attack (see DE6791) to a random IP address.
DE7352: The certificate used for SSL had expired; it has been replaced with a new, valid certificate.

Enhancements

US55265: Added a new option to the SSL Evasion Group: Security Protocol. This evasion option selects the encryption protocol used for sending data. The choices are TLS1.2 (default), TLS1.1, TLS1 and SSLv3 (the previous default).
US64260: Updated the Default SSL Strikes list with the new strikes that had the default_over_ssl keyword added to their metadata.

New Protocols & Applications (1)

Name: Appogee Leave Mar17
Category: Enterprise Applications
Info: Appogee HR is a Cloud Solution Provider offering software-as-a-service applications. Appogee Leave is their online absence management system for tracking PTO, vacation and other staff absences. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may take a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host; delete the DNS host from the Super Flow to disable this feature.

New Super Flows (2)

Name: Appogee Quick Calendar Review
Category: Enterprise Applications
Info: Appogee Leave is an online absence management system for tracking PTO, vacation and other staff absences. In this simulation a user logs in, checks the leave calendar and then logs out. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may take a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host; delete the DNS host from the Super Flow to disable this feature.

Name: Appogee Team Manager Access
Category: Enterprise Applications
Info: Appogee Leave is an online absence management system for tracking PTO, vacation and other staff absences. In this simulation a team manager logs in, requests a day off and then views information about their team before logging out. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may take a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host; delete the DNS host from the Super Flow to disable this feature.

New Strikes (10)

CVSS: 10.0
ID: E17-tejn1
References: CVE-2017-6343, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), URL
Category: Exploits
Info: This strike extracts the username and password from Dahua brand IP cameras. The password is retrieved from known static paths on the device; the URL depends on the model generation.

CVSS: 10.0
ID: E17-5b001
References: APSB-17-04, BID-96190, CVE-2017-2988, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), GOOGLE-1013
Category: Exploits
Info: This strike exploits a command execution vulnerability in Trend Micro InterScan Web Security Virtual Appliance (IWSVA).

CVSS: 7.8
ID: D17-0fux1
References: CVE-2017-5945, CVSS-7.8 (AV:N/AC:L/AU:N/C:N/I:N/A:C), SECURITY_TRACKER-1037688, URL
Category: Denial
Info: This strike exploits a denial of service vulnerability in Quagga VTY. The vulnerability is due to a lack of input validation on user-supplied data. By sending a large amount of data to the Quagga VTY, an unauthenticated attacker can trigger a denial-of-service condition.

CVSS: 7.6
ID: E17-31z01
References: BID-96681, CVE-2017-0071, CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C), GOOGLE-1045, MS17-007
Category: Exploits
Info: This strike exploits a vulnerability in the Chakra.dll component of Microsoft Edge. Specifically, the vulnerability lies in the ProfiledLdElem function of JS::ProfilingHelpers. An attacker can craft JavaScript that causes a javascriptArray object to be processed as a javascriptNativeArray or javascriptfloatArray, leading to type confusion. A successful attack may cause a denial of service condition in the browser or lead to remote code execution.

CVSS: 7.6
ID: E17-30a01
References: BID-96059, CVE-2017-0010, CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C), MS17-007
Category: Exploits
Info: This strike exploits a vulnerability in Microsoft Edge. Specifically, the vulnerability lies in the CheckModuleReturn function of AsmJSCompiler. Due to improper validation, when experimental JavaScript features are enabled in the Edge browser and AsmJSCompiler::CheckModuleReturn is called on a NULL object, memory can be corrupted. This may result in a denial of service condition in the browser or potentially lead to remote code execution.

CVSS: 5.0
ID: D16-30001
References: CVE-2016-10159, CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P), URL
Category: Denial
Info: This strike causes a denial of service in PHP due to an integer overflow when parsing a phar file. The flaw lies in the bounds check for the filename length field embedded in the file. A malicious file can cause a PHP server to crash.

CVSS: 4.3
ID: E17-4tl01
References: BID-95723, CVE-2017-2361, CVSS-4.3 (AV:N/AC:M/AU:N/C:P/I:N/A:N), GOOGLE-1040
Category: Exploits
Info: This strike exploits a vulnerability in MacOS HelpViewer. Specifically, HelpViewer's WebView has a protocol handler, x-help-script, that can be used to access a local file via path traversal. An attacker can craft JavaScript that allows an XMLHTTP request to open this local file. The strike demonstrates this by opening one of the following apps (Calculator, Messages, Preview, or Notes) when the HTML is loaded from a remote server on a vulnerable version of MacOS.

CVSS: 4.3
ID: E17-31t01
References: BID-96648, CVE-2017-0065, CVSS-4.3 (AV:N/AC:M/AU:N/C:P/I:N/A:N), MS17-007
Category: Exploits
Info: This strike exploits an information disclosure vulnerability in Microsoft Edge. Specifically, the vulnerability lies in the _LoadRMHTML function of CReadingModeViewerEdge. A remote attacker can determine, through the read URI scheme, whether or not a file exists on a target system.

CVSS: 4.3
ID: E17-30801
References: BID-96073, CVE-2017-0008, CVSS-4.3 (AV:N/AC:M/AU:N/C:P/I:N/A:N), MS17-006
Category: Exploits
Info: This strike exploits an information disclosure vulnerability in Microsoft Internet Explorer. Specifically, the vulnerability lies in the DoParseAndBind function of MSHTML!CResProtocol. An attacker can craft JavaScript that uses an onreadystatechange event handler to count how many times a loading event fires, and from that determine whether or not a portable executable exists on the target's local filesystem. The strike demonstrates this by checking a static list of PE files that may or may not exist and sending the results back to the attacker.

CVSS: 4.0
ID: E17-0j001
References: CVSS-4.0 (AV:N/AC:L/AU:S/C:P/I:N/A:N), URL, ZDI-17-077
Category: Exploits
Info: This strike exploits an information disclosure vulnerability in Trend Micro Control Manager. The vulnerability is due to improper checks of user-supplied input before an XML query is executed. An authenticated attacker can leverage this vulnerability to disclose sensitive information on vulnerable installations of Trend Micro Control Manager. NOTE: By default the vulnerable services are accessed via an SSL connection (port 443).

Modified Strikes (12)

CVSS: 9.3
ID: R16-d0a01
References: CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C), EXPLOITDB-40273
Category: Recon
Info: Added to the Default SSL Strikes list; the default_over_ssl keyword was added to the strike's metadata.

CVSS: 9.3
ID: R16-24401
References: CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C), EXPLOITDB-40272
Category: Recon
Info: Added to the Default SSL Strikes list; the default_over_ssl keyword was added to the strike's metadata.

CVSS: 9.3
ID: E16-31v01
References: CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C), EXPLOITDB-40273
Category: Exploits
Info: Added to the Default SSL Strikes list; the default_over_ssl keyword was added to the strike's metadata.

CVSS: 9.3
ID: E16-r9m01
References: CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C), EXPLOITDB-40272
Category: Exploits
Info: Added to the Default SSL Strikes list; the default_over_ssl keyword was added to the strike's metadata.

CVSS: 9.0
ID: E15-5ss01
References: BID-77666, CVE-2015-3628, CVSS-9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C), EXPLOITDB-38764, SECURITYTRACKER-1034306, SECURITYTRACKER-1034307, URL
Category: Exploits
Info: Added to the Default SSL Strikes list; the default_over_ssl keyword was added to the strike's metadata.

CVSS: 8.5
ID: E17-0f801
References: CVSS-8.5 (AV:N/AC:M/AU:S/C:C/I:C/A:C), ZDI-17-122, ZDI-17-123, ZDI-17-124
Category: Exploits
Info: Added to the Default SSL Strikes list; the default_over_ssl keyword was added to the strike's metadata.

CVSS: 8.5
ID: E16-rfh01
References: CVSS-8.5 (AV:N/AC:M/AU:S/C:C/I:C/A:C), SECURITYTRACKER-1035949, ZDI-ZDI-16-348
Category: Exploits
Info: Added to the Default SSL Strikes list; the default_over_ssl keyword was added to the strike's metadata.

CVSS: 8.5
ID: E16-73l02
References: BID-93284, CVE-2016-5313, CVSS-8.5 (AV:N/AC:M/AU:S/C:C/I:C/A:C), SECURITYTRACKER-1036973, URL
Category: Exploits
Info: Added to the Default SSL Strikes list; the default_over_ssl keyword was added to the strike's metadata.

CVSS: 7.8
ID: E15-j9p01
References: CVSS-7.8 (AV:N/AC:L/AU:N/C:C/I:N/A:N), EXPLOITDB-38090, URL
Category: Exploits
Info: Added to the Default SSL Strikes list; the default_over_ssl keyword was added to the strike's metadata.

CVSS: 6.8
ID: E17-0e7z1
References: BID-95737, CVE-2017-3823, CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P), GOOGLE-1096, URL
Category: Exploits
Info: Added to the Default SSL Strikes list; the default_over_ssl keyword was added to the strike's metadata.

CVSS: 6.5
ID: E16-7u201
References: CVE-2016-6266, CVSS-6.5 (AV:N/AC:L/AU:S/C:P/I:P/A:P), URL
Category: Exploits
Info: Added to the Default SSL Strikes list; the default_over_ssl keyword was added to the strike's metadata.

CVSS: 5.0
ID: D16-4zd01
References: BID-83406, CVE-2016-2569, CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P), SECURITYTRACKER-1035101, URL
Category: Denial
Info:
  • Altered strike cve_2016_2569_squid_vary_header_long_string_denial_of_service.xml to support source NAT configurations.
  • Changed the X-Forwarded-For header in the attack to a random IP address.