Ixia ATI Update 2018-03 (324336)

Defects Resolved

Ticket Info
DE8911 (1464239) This fix corrects the behavior of the A and AAAA resource records in the pack answer action of the mDNS application. After the fix, the value given in the RR Name Field parameter is used as the hostname, overriding the value provided in the host parameter of the action.
DE9167 Fixed an issue in which the delimiter "|0A|" was used in the chunk-size of the strike for CVE-2017-16943.
DE9168 Fixed an issue in the "NT Trans Request" packet of strike E13-21t01. The two-byte "Byte Count" (BCC) field was missing, so the first two bytes of the following "NT CREATE Parameters" (10 00) were mistakenly interpreted as the BCC. As a result, neither "NT CREATE Parameters" nor "NT CREATE Data" was dissected correctly by Wireshark.

Enhancements

Ticket Info
US79190 The DNAME resource record has been added to the DNS application. The record type can be selected with the "Type" parameter in the Query and Response actions. A new "Alias Name" parameter has been added to the DNS Response action; it specifies the alias name for CNAME and DNAME resource records.
US81772 Deprecated Application Protocol 'Office 365 Outlook Calendar Jul 15'.

New Protocols & Applications (1)

Name Category Info
Office 365 Outlook Tasks Jan18 Email/WebMail Simulates the use of the Office365 Outlook Calendar Feb18 website as of February 2018. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may take a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host; delete the DNS host from the Super Flow to disable it.

New Super Flows (3)

Name Category Info
NFS Retries Data Transfer/File Sharing Simulates an NFSv3 session in which the client connects to a remote server to access data as if it were stored locally [RFC 1813]. The NFS client attempts three retries in case of application failure.
SIP/RTP Direct Voice Call Retries Voice/Video/Media Simulates a SIP voice call between two endpoints. Call setup occurs directly between the two endpoints over UDP. The flow also simulates three UAC INVITE retransmissions in case of failure.
Office 365 Outlook Tasks Jan 18 Email/WebMail Simulates the use of the Office365 Outlook Calendar website as of February 2018. All of the available actions for this flow are exercised.

New Strikes (16)

CVSS ID References Category Info
10.0 E14-zv2t1 BID-73328
CVE-2014-9013
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
EXPLOITDB-36490
Exploits This strike exploits a remote code execution vulnerability in the WordPress Marketplace plugin. The vulnerability is due to a lack of proper input sanitization while processing POST request data. An unauthenticated attacker could exploit it with a specially crafted HTTP POST request that invokes the wpmp_pp_ajax_call() method, leading to arbitrary code execution in the context of the vulnerable plugin.
10.0 E18-0jvu2 CVE-2018-1161
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
URL
ZDI-18-004
Exploits A stack buffer overflow has been identified in the Quest NetVault Backup appliance. The vulnerability is due to a lack of input sanitization when processing multipart HTTP requests. It can be exploited by accessing the web interface of the NetVault server with a specially crafted HTTP POST request, allowing an attacker to execute arbitrary code with SYSTEM privileges.
9.4 E18-0jvu1 CVE-2018-1162
CVSS-9.4 (AV:N/AC:L/AU:N/C:N/I:C/A:C)
URL
ZDI-18-005
Exploits An arbitrary file overwrite vulnerability has been identified in the Quest NetVault Backup appliance. The vulnerability is due to a lack of user input sanitization during log export. It can be exploited by accessing the web interface of the NetVault server with a specially crafted HTTP POST request, allowing an attacker to overwrite any file with SYSTEM privileges.
9.3 E17-3i591 BID-102204
CVE-2017-17405
CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)
EXPLOITDB-43381
URL
Exploits This strike exploits a remote command injection vulnerability in Ruby before 2.4.3. The vulnerability is in Ruby's Net::FTP, which passes the localfile argument to Kernel#open; when that string begins with the "|" pipe character, the remainder is executed as a shell command. A malicious FTP server that can influence the local filename could execute arbitrary commands on the host running the vulnerable client.
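The Kernel#open behaviour behind this strike, shown as an added example (not Ixia strike code and not Ruby's own Net::FTP source): store_vulnerable mirrors the pre-2.4.3 pattern, store_fixed mirrors what the 2.4.3 fix changed it to (File.open), and safe_local_name? is a hypothetical helper for callers that name local files after remote listings. The hostile name "|cat > marker" is a constructed sample; the demo runs in a throwaway directory.

```ruby
require "tmpdir"

# Vulnerable pattern, modelled on Net::FTP#get in Ruby before 2.4.3: the local
# filename is passed to Kernel#open, which spawns a shell command when the
# string begins with "|". A name chosen by a malicious FTP server therefore
# executes instead of naming a file.
def store_vulnerable(localfile, data)
  open(localfile, "wb") { |f| f.write(data) }
end

# Fixed pattern, matching the 2.4.3 change: File.open only ever opens a file,
# so the same hostile name just creates an oddly named file.
def store_fixed(localfile, data)
  File.open(localfile, "wb") { |f| f.write(data) }
end

# Defence in depth for mget-style callers that derive local names from remote
# listings (hypothetical helper, not part of Net::FTP): accept a plain file
# name only, rejecting an empty name, a leading "|", path components and "."/"..".
def safe_local_name?(name)
  !name.empty? &&
    !name.start_with?("|") &&
    File.basename(name) == name &&
    name != "." && name != ".."
end

# Demonstration in a scratch directory (constructed sample name): the
# vulnerable version runs "cat > marker" as a command, the fixed version writes
# a file literally named "|cat > marker". Returns what each left behind.
def demo(hostile = "|cat > marker")
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      store_vulnerable(hostile, "payload")
      store_fixed(hostile, "payload")
      {
        command_ran:       File.exist?("marker") && File.binread("marker") == "payload",
        literal_file_made: File.exist?(hostile) && File.binread(hostile) == "payload",
      }
    end
  end
end
```

Calling demo returns both flags true: the command ran under the vulnerable pattern and a harmless file was written under the fixed one. On Ruby 3.3 and later Kernel#open prints a deprecation warning for the pipe form, but still executes it.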
9.3 E17-0hzy1 BID-101162
CVE-2017-8718
CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)
URL
ZDI-17-839
Exploits This strike exploits a heap-based buffer overflow vulnerability in the JET database engine component of Microsoft Office (msexcl40.dll). The vulnerability is due to incorrect validation of the RecordDataLength field in BIFF substreams. An attacker could execute arbitrary code by enticing a user to open a maliciously crafted document.
9.3 E18-0j2d1 BID-102845
CVE-2018-0101
CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)
EXPLOITDB-43986
SCIP-112635
URL
Exploits This strike exploits a double-free memory corruption vulnerability in Cisco ASA. The vulnerability is due to improper handling of invalid XML data. By sending a crafted SSL packet containing malformed XML, a remote, unauthenticated attacker could execute arbitrary code on the targeted device.
7.6 E17-0i0z2 BID-100778
CVE-2017-8755
CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C)
EXPLOITDB-42766
GOOGLE-1327
Exploits This strike exploits a vulnerability in the Chakra JavaScript engine of the Microsoft Edge browser. JavaScript can be crafted so that an exception is thrown while asm.js modules are re-parsed; exhausting the stack triggers the exception. This may cause a denial-of-service condition in the browser or potentially lead to remote code execution.
7.6 E17-3dw58 BID-102081
CVE-2017-11893
CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C)
EXPLOITDB-43466
GOOGLE-1379
Exploits This strike exploits a vulnerability in the Chakra JavaScript engine of the Microsoft Edge browser. JavaScript can be crafted so that type confusion occurs when the MinInAnArray or MaxInAnArray methods are called to return the largest or smallest of a series of numbers. These functions fail to properly validate their input and can change the array's type from JavascriptNativeArray to VarArray, causing type confusion. This may cause a denial-of-service condition in the browser or potentially lead to remote code execution.
7.5 E17-3g3e1 BID-101907
CVE-2017-14746
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
URL
Exploits This strike exploits a use-after-free vulnerability in the Samba SMBv1 server. The vulnerability is due to incorrect handling of objects in memory. By sending a crafted request to the target server, a remote attacker with permission to connect to a share could execute arbitrary code in the context of the smbd process. NOTE: When run in OneArm mode, the strike requires an SMB share named "myshare" with anonymous access enabled.
7.5 E17-m90q1 BID-96872
CVE-2017-6950
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
SECURITYTRACKER-1038122
URL
Exploits A security policy bypass vulnerability has been found in SAP GUI. The vulnerability is due to improper implementation of client-side security policies for the Windows application regsvr32.exe. A remote attacker could exploit it by enticing a user to connect to an attacker-controlled SAP server and then executing arbitrary code on the target via crafted ABAP code.
6.8 E18-8v9i1 BID-102796
CVE-2018-1000006
CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P)
EXPLOITDB-43899
URL
Exploits This strike exploits a remote command injection vulnerability in GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, and 1.6.15 and earlier. The vulnerability is due to insufficient validation of additional command-line arguments passed through a custom protocol handler URI. A remote attacker could execute arbitrary commands on the Windows host running a vulnerable Electron application by enticing a user to open a specially crafted URL.
6.8 E18-0mr21 BID-102893
CVE-2018-4878
CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P)
URL
Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is a use-after-free in methods of the DRMManager object. An attacker can entice a target to open a specially crafted Flash file to trigger it. Successful exploitation may result in arbitrary code execution or abnormal termination of the Flash process.
5.0 E17-jp331 CVSS-5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)
URL
Exploits This strike emulates a scanner running multiple TLS handshakes with an RSA-encrypted PreMaster Secret against a server that may be vulnerable to the Return Of Bleichenbacher's Oracle Threat (ROBOT) attack. A server that handles improperly padded or otherwise invalid RSA-encrypted PreMaster Secrets differently from valid ones acts as a padding oracle, leaking information about the plaintext of messages encrypted to its public key. Successful exploitation may allow an attacker to decrypt recorded RSA key-exchange sessions or to sign messages with the server's private key, without recovering the key itself. The strike emulates both the client and the server side of the scanner. A properly responding server sends a single generic TLS alert for every probe; this strike emulates several known incorrect responses that either leak information or indicate a vulnerable server.
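The oracle this strike looks for, as an added example (not Ixia strike code, not a real TLS stack): the five ROBOT probe messages are built as raw PKCS#1 v1.5 blocks and encrypted to a freshly generated RSA key, then fed to two modelled servers. The alert names the vulnerable server returns for each fault are a modelling choice, not responses quoted from any product; the hardened server follows the RFC 5246 section 7.4.7.1 countermeasure of substituting a random PreMaster Secret so every probe is indistinguishable.

```ruby
require "openssl"
require "securerandom"

PMS_LEN = 48
TLS12   = "\x03\x03".b
RSA_RAW = OpenSSL::PKey::RSA::NO_PADDING

# Random filler with no 0x00 byte, as PKCS#1 v1.5 type-2 padding requires.
def nonzero_random(len)
  SecureRandom.random_bytes(len).bytes.map { |b| b.zero? ? 0x01 : b }.pack("C*")
end

# The five ROBOT probe messages for a modulus of k bytes. Only :correct is a
# well-formed ClientKeyExchange; each of the others breaks PKCS#1 v1.5 or the
# TLS version check in exactly one way.
def robot_probes(k)
  pad = k - 3 - PMS_LEN
  pms = TLS12 + SecureRandom.random_bytes(PMS_LEN - 2)
  {
    correct:        "\x00\x02".b + nonzero_random(pad) + "\x00".b + pms,
    wrong_first:    "\x41\x17".b + nonzero_random(pad) + "\x00".b + pms,
    zero_misplaced: "\x00\x02".b + nonzero_random(8) + "\x00".b + nonzero_random(k - 11),
    no_zero:        "\x00\x02".b + nonzero_random(k - 2),
    wrong_version:  "\x00\x02".b + nonzero_random(pad) + "\x00".b + "\x02\x02".b + pms.byteslice(2, PMS_LEN - 2),
  }
end

# Unpad a raw RSA decryption. Returns [status, pms]; status is :ok or the
# specific fault found, which only the vulnerable server goes on to reveal.
def unpad_pkcs1(m)
  return [:bad_first_bytes, nil] unless m.byteslice(0, 2) == "\x00\x02".b
  sep = m.index("\x00".b, 2)
  return [:no_separator, nil] if sep.nil?
  pms = m.byteslice(sep + 1, m.bytesize)
  return [:bad_length, nil]  unless pms.bytesize == PMS_LEN
  return [:bad_version, nil] unless pms.byteslice(0, 2) == TLS12
  [:ok, pms]
end

# Vulnerable server: every padding fault produces a distinct observable response
# (modelled here as different TLS alerts), which is the oracle ROBOT exploits.
def vulnerable_server(key, ciphertext)
  status, _pms = unpad_pkcs1(key.private_decrypt(ciphertext, RSA_RAW))
  { ok:              :handshake_continues,
    bad_first_bytes: :alert_decrypt_error,
    no_separator:    :alert_decode_error,
    bad_length:      :alert_illegal_parameter,
    bad_version:     :alert_protocol_version }.fetch(status)
end

# Hardened server, per RFC 5246 section 7.4.7.1: on any fault it silently
# substitutes a random PreMaster Secret and carries on, so the handshake fails
# later in exactly the same way for every probe and the client learns nothing.
def hardened_server(key, ciphertext)
  status, pms = unpad_pkcs1(key.private_decrypt(ciphertext, RSA_RAW))
  pms = TLS12 + SecureRandom.random_bytes(PMS_LEN - 2) unless status == :ok
  _master_secret_input = pms # would feed the PRF; never reported to the client
  :handshake_continues
end

# Scanner side: encrypt each probe to the server's public key, collect the
# responses, and flag the server when they are not all identical.
def probe(server, key)
  robot_probes(key.n.num_bytes).transform_values do |msg|
    server.call(key, key.public_encrypt(msg, RSA_RAW))
  end
end

def robot_vulnerable?(responses)
  responses.values.uniq.size > 1
end
```

Running probe(method(:vulnerable_server), key) yields five different responses and robot_vulnerable? returns true; the hardened server answers :handshake_continues to every probe, so the scanner cannot build an oracle from it. Real scanners also compare timing and TCP behaviour (reset versus alert), which this model does not cover.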
5.0 E17-3gi31 BID-101908
CVE-2017-15275
CVSS-5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)
URL
Exploits This strike exploits a memory leak vulnerability in the Samba SMBv1 server. The vulnerability is due to incorrect management of heap memory. By sending a crafted request to the target server, a remote attacker with permission to connect to a share may obtain password hashes or other high-value data. NOTE: When run in OneArm mode, the strike requires an SMB share named "myshare" with anonymous access enabled.
5.0 D17-3g871 BID-101881
CVE-2017-14919
CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P)
Denial This strike identifies a vulnerability in the zlib library used by Node.js. zlib raises a Z_STREAM_ERROR when asked to initialize a raw deflate stream with a windowBits value of 8; Node.js does not handle this error properly and crashes. The issue can be demonstrated through the WebSocket compression extension for Node, which allows the windowBits value to be set from request headers.
4.3 E17-3icg1 BID-102201
CVE-2017-17664
CVSS-4.3 (AV:N/AC:M/AU:N/C:N/I:N/A:P)
SCIP-110667
URL
Exploits This strike exploits an out-of-bounds write vulnerability in Digium Asterisk. Asterisk allocates memory for RTCP Sender and Receiver Reports based on the Reception Report Count field of the message and tracks the number of reports received. If Asterisk then receives a Sender or Receiver Report whose Reception Report Count is less than the number of reports received so far, an out-of-bounds write occurs. Successful exploitation may result in arbitrary code execution or abnormal program termination.

Modified Strikes (2)

CVSS ID References Category Info
7.5 E17-madc1 CVE-2017-16943
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
SECURITYTRACKER-1039872
URL
Exploits Fixed an issue in which the delimiter "|0A|" was used in the chunk-size.
5.0 E13-21t01 CVE-2013-4124
CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P)
URL
Exploits Fixed an issue in the "NT Trans Request" packet of strike E13-21t01. The two-byte "Byte Count" (BCC) field was missing, so the first two bytes of the following "NT CREATE Parameters" (10 00) were mistakenly interpreted as the BCC. As a result, neither "NT CREATE Parameters" nor "NT CREATE Data" was dissected correctly by Wireshark.