Ixia ATI Update 2017-15 (312645)

Defects Resolved

Ticket: DE7984 (1446934)
Info: Strikes D14-5r301 and B14-32k01 were updated to generate SSL Client Hello packets with correct length fields.

Ticket: DE8048
Info: The "Office 365 Outlook Mail Jul 15" super flows and their protocol have been deprecated in favor of the new July 2017 release.

New Protocols & Applications (2)

Name: Office365 Outlook Mail Jul17
Category: Email/WebMail
Info: The use of the Office 365 Outlook Mail website as of July 2017. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

Name: Netflix Jul17
Category: Voice/Video/Media
Info: Netflix is a subscription-based provider of streaming media and video on demand. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

New Super Flows (6)

Name: Office 365 Outlook Mail Jul 17
Category: Email/WebMail
Info: The use of the Office 365 Outlook Mail website as of July 2017. All of the available actions for this flow are exercised. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

Name: Office 365 Outlook Mail Jul 17 Send Message with Attachment
Category: Email/WebMail
Info: The use of the Office 365 Outlook Mail website as of July 2017. The user accesses the sign-in page, signs in, views the inbox, sends a message with an attachment, then logs out. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

Name: Office 365 Outlook Mail Jul 17 View Message
Category: Email/WebMail
Info: The use of the Office 365 Outlook Mail website as of July 2017. The user accesses the sign-in page, signs in, views the inbox, views a message, then logs out. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

Name: Netflix July 2017
Category: Voice/Video/Media
Info: Log in to Netflix, search for a movie, view detailed information about the movie, start playing it, then pause and resume it. After a short time the user logs out. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

Name: Netflix Login/Logout July 2017
Category: Voice/Video/Media
Info: Perform a simple login and then logout for Netflix. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

Name: Netflix Play Movie July 2017
Category: Voice/Video/Media
Info: Search for a Netflix movie and play it. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

New Strikes (7)

CVSS: 10.0
ID: E17-0frh1
References: BID-98493, CVE-2017-5821, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), URL, ZDI-17-339
Category: Exploits
Info: This strike exploits a command injection vulnerability in Hewlett Packard Enterprise (HPE) Intelligent Management Center. When a RestoreZipFile command is issued, certain parameters are not properly validated or sanitized, so shell metacharacters pass through and additional commands can be injected. An unauthenticated user can send a specially crafted RestoreZipFile command to the target and potentially achieve remote code execution with root privileges.

CVSS: 10.0
ID: E17-0frg1
References: BID-98493, CVE-2017-5820, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), URL, ZDI-17-336
Category: Exploits
Info: This strike exploits a command injection vulnerability in Hewlett Packard Enterprise (HPE) Intelligent Management Center. When a BackupZipFile command is issued, certain parameters are not properly validated or sanitized, so shell metacharacters pass through and additional commands can be injected. An unauthenticated user can send a specially crafted BackupZipFile command to the target and potentially achieve remote code execution with root privileges.

CVSS: 10.0
ID: E17-qjsm1
References: CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), EXPLOITDB-41884, MSF-MODULES/EXPLOITS/LINUX/HTTP/ALIENVAULT_EXEC, URL
Category: Exploits
Info: This strike exploits a command injection vulnerability in the network component of AlienVault. When a POST request is made to the fqdn API, the host_ip parameter is not properly validated, so a command can be passed directly in the host_ip parameter and is executed by the shell as the root user.

CVSS: 10.0
ID: E17-0fr21
References: BID-98088, CVE-2017-5806, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), URL
Category: Exploits
Info: This strike exploits a stack buffer overflow vulnerability in Hewlett Packard Enterprise (HPE) Intelligent Management Center. Certain data fields of a WSM iNode message are not properly validated: if an iNode protocol message is received with an SSID size parameter less than 0x2, an integer underflow occurs, and the resulting value is later used as the size argument of a memcpy, causing a buffer overflow. It may be possible for an unauthenticated user to send a crafted iNode message to the target and potentially achieve remote code execution.

CVSS: 9.3
ID: E17-0hv01
References: BID-98703, CVE-2017-8540, CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C), GOOGLE-1258, SCIP-101815
Category: Exploits
Info: This strike exploits a use-after-free vulnerability in the garbage collector of the Microsoft Malware Protection Engine (MpEngine). The vulnerability is due to a callback function being allowed to set a global garbage-collection flag while it is executing. An attacker could execute arbitrary code on a target system by sending a malicious file via email or enticing a user to view the file in a web browser.

CVSS: 7.5
ID: E17-m9km1
References: BID-99484, CVE-2017-9791, CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P), SECURITYTRACKER-1038838, URL
Category: Exploits
Info: This strike exploits a remote command execution vulnerability in the Struts 1 plugin of Apache Struts 2.3.x. When the Struts 1 plugin is used in Struts 2 and an untrusted Struts 1 action field value becomes part of a message presented to the user, an attacker can craft a malicious field value that may allow remote code execution.

CVSS: 4.0
ID: D17-0h6j1
References: BID-99132, CVE-2017-7659, CVSS-4.0 (AV:L/AC:M/AU:N/C:P/I:P/A:P), URL
Category: Denial
Info: This strike exploits a NULL pointer dereference vulnerability in the Apache HTTP Server. The vulnerability is due to missing input validation of the HTTP Host value in the mod_http2 module. A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process.
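
The three command injection strikes above (RestoreZipFile and BackupZipFile in HPE IMC, host_ip in the AlienVault fqdn API) describe one bug class: a request parameter is spliced into a shell command line. The Python below is an added example, not code from Ixia, HPE or AlienVault. It shows the vulnerable pattern in miniature, a hardened validator that accepts only a literal IP address and hands it to the program as a single argv element with no shell, and a scanner that applies the same check to constructed sample POST bodies so an operator can see which payloads an IPS rule for these strikes has to catch. The /usr/bin/host command, the parameter name and the sample bodies are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Characters that let a shell split one command into several, substitute
# another command's output, or redirect I/O. Whitespace is handled separately.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\'\"*?]")


def build_vulnerable_command(host_ip):
    """The bug class the strikes describe: the raw parameter is pasted into a
    command line that is later handed to a shell. With host_ip set to
    "10.0.0.5; id" the shell runs two commands. (Hypothetical tool path;
    never pass this string to shell=True.)"""
    return f"/usr/bin/host {host_ip}"


def validate_host_ip(value):
    """Hardened form: allow-list a literal IPv4/IPv6 address and nothing else.
    Returns the normalised address or raises ValueError."""
    if SHELL_META.search(value) or any(c.isspace() for c in value):
        raise ValueError("shell metacharacters or whitespace in host_ip")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        raise ValueError(f"not an IP address: {value!r}") from None


def build_safe_argv(host_ip):
    """Validated value as one argv element. Without a shell there is nothing
    to reinterpret ';' or '$(...)', even if validation were ever weakened."""
    return ["/usr/bin/host", validate_host_ip(host_ip)]


def is_valid_host_ip(value):
    try:
        validate_host_ip(value)
        return True
    except ValueError:
        return False


def scan_post_bodies(bodies, param="host_ip"):
    """Detection side: return (index, decoded value, reason) for every body
    whose parameter would fail validate_host_ip. parse_qs percent-decodes and
    turns '+' into a space, which is what the server would see."""
    hits = []
    for i, body in enumerate(bodies):
        for value in parse_qs(body, keep_blank_values=True).get(param, []):
            try:
                validate_host_ip(value)
            except ValueError as exc:
                hits.append((i, value, str(exc)))
    return hits


# Constructed sample request bodies, not captured traffic.
SAMPLE_BODIES = [
    "host_ip=10.0.0.5",              # benign
    "host_ip=10.0.0.5%3B+id",        # "10.0.0.5; id": command separator
    "host_ip=%24%28id%29",           # "$(id)": command substitution
    "host_ip=2001%3Adb8%3A%3A1",     # valid IPv6, must not be flagged
    "host_ip=example.com",           # not an IP: rejected by the allow-list
]


if __name__ == "__main__":
    print(build_vulnerable_command("10.0.0.5; id"))
    print(build_safe_argv("10.0.0.5"))
    for index, value, reason in scan_post_bodies(SAMPLE_BODIES):
        print(f"body {index}: {value!r} -> {reason}")
```

The allow-list check runs before the metacharacter check matters in practice, because ipaddress.ip_address rejects anything that is not an address; the regex is kept so that the reason reported by the scanner names the injection attempt rather than a generic parse failure.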

Modified Strikes (2)

CVSS: 7.1
ID: D14-5r301
References: BID-70586, CVE-2014-3567, CVSS-7.1 (AV:N/AC:M/AU:N/C:N/I:N/A:C), URL
Category: Denial
Info: Strikes D14-5r301 and B14-32k01 were updated to generate SSL Client Hello packets with correct length fields.

CVSS: 5.8
ID: B14-32k01
References: BID-65919, CVE-2014-0092, CVSS-5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N), URL
Category: Backdoors
Info: Strikes D14-5r301 and B14-32k01 were updated to generate SSL Client Hello packets with correct length fields.
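
Both modified strikes, and ticket DE7984 above, were fixed for the same reason: the length fields inside a Client Hello have to agree with the bytes that follow them, or the target TLS stack (and any inspecting device in front of it) rejects or misparses the record before the condition the strike is meant to trigger is ever reached. The Python below is an added example, not Ixia's strike code. It builds a minimal Client Hello in which the record length, the handshake length and each vector length inside the body are derived from the payload, then walks the record back and fails on the first field that does not match; a helper that deliberately miscounts one field shows what a broken strike looks like to the checker. The cipher suite and extension values are arbitrary assumptions.

```python
import os
import struct

TLS_HANDSHAKE = 0x16      # record-layer content type
HS_CLIENT_HELLO = 0x01    # handshake message type


def build_client_hello(cipher_suites, session_id=b"", extensions=b"",
                       version=(3, 1), client_random=None):
    """Return one TLS record carrying a ClientHello. Every length field is
    computed from the bytes actually emitted, never hard-coded."""
    if client_random is None:
        client_random = os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client random must be exactly 32 bytes")
    if not cipher_suites:
        raise ValueError("at least one cipher suite is required")
    if len(session_id) > 32:
        raise ValueError("session_id is at most 32 bytes")
    body = bytes(version) + client_random
    body += struct.pack("!B", len(session_id)) + session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                       # compression_methods: one entry, null
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = struct.pack("!B", HS_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    record = struct.pack("!BBBH", TLS_HANDSHAKE, version[0], version[1], len(handshake))
    return record + handshake


def check_client_hello(record):
    """Parse a ClientHello record and verify that each nested length field
    matches the bytes present. Returns the parsed fields; raises ValueError
    on the first inconsistency, as a strict TLS stack would."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _vmaj, _vmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    if rlen != len(record) - 5:
        raise ValueError(f"record length {rlen} != {len(record) - 5} payload bytes")
    hs = record[5:]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello handshake message")
    hlen = int.from_bytes(hs[1:4], "big")
    if hlen != len(hs) - 4:
        raise ValueError(f"handshake length {hlen} != {len(hs) - 4} body bytes")
    body = hs[4:]
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("body is shorter than its length fields claim")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    client_version = tuple(take(2))
    take(32)                                   # client random
    session_id = take(take(1)[0])
    cs_len = struct.unpack("!H", take(2))[0]
    if cs_len == 0 or cs_len % 2:
        raise ValueError("cipher_suites length must be even and non-zero")
    cs = take(cs_len)
    suites = [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]
    comp_len = take(1)[0]
    if comp_len == 0:
        raise ValueError("compression_methods must not be empty")
    take(comp_len)
    extensions = b""
    if pos < len(body):
        extensions = take(struct.unpack("!H", take(2))[0])
    if pos != len(body):
        raise ValueError(f"{len(body) - pos} trailing bytes not covered by any length field")
    return {"record_length": rlen, "handshake_length": hlen,
            "client_version": client_version, "session_id": session_id,
            "cipher_suites": suites, "extensions": extensions}


def is_well_formed(record):
    try:
        check_client_hello(record)
        return True
    except ValueError:
        return False


def patch_length(record, offset, width, delta):
    """Add delta to the big-endian `width`-byte length field at `offset`,
    reproducing the kind of miscount the strike fix corrected."""
    old = int.from_bytes(record[offset:offset + width], "big")
    new = (old + delta) % (1 << (8 * width))
    return record[:offset] + new.to_bytes(width, "big") + record[offset + width:]


if __name__ == "__main__":
    rec = build_client_hello([0x002F, 0x0035], session_id=b"\x11" * 8)
    print(check_client_hello(rec))
    print("record length +1 accepted:", is_well_formed(patch_length(rec, 3, 2, 1)))
```

Offsets for patch_length: the record length sits at byte 3 (2 bytes), the handshake length at byte 6 (3 bytes), and the cipher_suites length follows the 2-byte version, 32-byte random and the session_id vector inside the body.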