Ixia ATI Update 2019-08 (358481)

Note: Be aware that if you install ATI version 2019-08 or greater you will not be able to revert to an earlier ATI version. If you revert to an earlier ATI version after installing ATI version 2019-08 or greater and then run AppSim/ClientSim or Security tests, they will fail. You will need to re-install the ATI version 2019-08 or a newer version in order to get back into a good state.

Defects Resolved

Ticket   Info
DE10400  Strike E16-8jq01 used a non-deterministic method (it did not respect the seed). This has been fixed.

Enhancements

Ticket   Info
US95499  Added the missing Smart Strike Lists "Strike Level 1-3" for 2019.
US96375  (BUG1504858) Fixed the behavior of the CachePoisoning filter. Certain types of strikes cannot be run in CachePoisoning mode; they are now skipped and the log is updated with the exception.

New Strikes (15)

CVSS  ID         Category   (References and Info follow each entry)

10.0  E19-0og31  Exploits
  References: CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C); EXPLOITDB-31683; URL
  Info: This strike exploits a remote code execution vulnerability in Linksys E Series routers. The vulnerability is due to improper handling of the "ttcp_ip" parameter in an HTTP request. A remote, unauthenticated attacker can exploit it by sending crafted HTTP requests to the target server. Successful exploitation results in remote code execution.

10.0  E19-zukp1  Exploits
  References: CVE-2014-8361; CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C); ZDI-15-155; URL
  Info: This strike exploits a remote code execution vulnerability in the Realtek SDK Miniigd UPnP SOAP service. The vulnerability is due to improper handling of a parameter inside an XML tag when a client sends SOAP traffic to the server. A remote, unauthenticated attacker can exploit it by sending crafted HTTP requests to the target server. Successful exploitation results in remote code execution.

9.3   E19-0bdw1  Exploits
  References: CVE-2017-0148; CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C); EXPLOITDB-41891; EXPLOITDB-41987; MS17-010
  Info: This strike attempts to recreate a sequence of packets correlated with a heap buffer overflow vulnerability in the Microsoft Windows SMBv1 service. Affected versions include Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold (releases 1511 and 1607), and Windows Server 2016. The vulnerability is due to insufficient sanitization of user-supplied input passed to the SrvOs2FeaToNt method. A remote, unauthenticated attacker could exploit this vulnerability via a specially crafted SMB packet containing bad values for 'Max Parameter Count' and 'Max Data Count' in the 'Trans Request' header. Successful exploitation leads to arbitrary code execution on the target system. A failed exploitation attempt usually leads to a denial-of-service condition on the targeted SMB server. NOTE: This strike exemplifies only the scanning phase that precedes the actual attack. The vulnerability indicator is usually a 'Trans Response' packet with the error status "STATUS_INSUFF_SERVER_RESOURCES". For generating traffic containing ShadowBrokers shellcode, see the strike for CVE-2017-0146.

9.3   E19-0bdt2  Exploits
  References: CVE-2017-0145; CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C); MS17-010
  Info: This strike attempts to recreate a sequence of packets correlated with a buffer overflow vulnerability in the Microsoft Windows SMBv1 service. Affected versions include Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold (releases 1511 and 1607), and Windows Server 2016. The vulnerability is due to insufficient sanitization of user-supplied input while processing SMB_COM_TRANSACTION_SECONDARY requests. A remote, unauthenticated attacker could exploit this vulnerability with a specially crafted SMB packet containing bad values for 'DataCount' and 'DataDisplacement' for the specified SMB packet type. Successful exploitation leads to arbitrary code execution on the target system. A failed exploitation attempt usually leads to a denial-of-service condition on the targeted SMB server.

9.3   E19-0qvs1  Exploits
  References: BID-107906; CVE-2019-0232; CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C); URL
  Info: This strike replicates an attack on Apache Tomcat based on a Windows command injection vulnerability. The flaw resides in the way command-line arguments for a CGI script are passed from the request's parameters on the Windows OS. By exploiting this vulnerability, a remote, unauthenticated attacker can execute commands on the host system.

9.0   E19-5ki41  Exploits
  References: CVE-2017-13772; CVSS-9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C); EXPLOITDB-43022; URL
  Info: This strike exhibits the network behavior of a buffer overflow vulnerability in a TP-Link WiFi router. The vulnerability is due to insufficient validation of user input passed to the 'ping_addr' parameter of the 'PingIframeRpm.htm' form. By crafting a malicious HTTP request, an attacker can cause a DoS condition or achieve code execution on the target device.

9.0   E19-xwei1  Exploits
  References: CVSS-9.0 (AV:N/AC:L/AU:N/C:C/I:P/A:P); URL
  Info: This strike replicates an integer overflow exploit for the Chrome browser engine. The vulnerability can be triggered via the Array JS API using 'ArrayConcat' or 'ArrayPrototypeFill' as entry points. By successfully exploiting this flaw, an attacker can execute arbitrary code in the context of Chrome's 'renderer' process.

7.8   D19-0nf41  Denial
  References: BID-107125; CVE-2018-5744; CVSS-7.8 (AV:N/AC:L/AU:N/C:N/I:N/A:C); URL
  Info: This strike exploits a memory leak denial of service vulnerability in ISC BIND. Requests with multiple edns-key-tag EDNS0 options result in a memory leak. An attacker can send many messages with multiple edns-key-tag EDNS0 options to exhaust system memory, resulting in a denial of service condition. Note: it takes thousands of malicious messages to exhaust a system's memory; however, a single malicious packet can be identified. This strike sends a single malicious message.

7.6   E19-0pdj1  Exploits
  References: BID-104641; CVE-2018-8279; CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C); EXPLOITDB-45214; GOOGLE-1570
  Info: This strike exploits a vulnerability in the Microsoft Edge browser. Specifically, the vulnerability exists in the Microsoft Chakra JavaScript engine. It is possible to craft invalid JavaScript that is still parsed by the Chakra engine, which can result in type confusion in the InterpreterStackFrame::OP_ResumeYield method. This can cause a denial of service in the browser or potentially lead to remote code execution.

7.6   E19-0p9n1  Exploits
  References: BID-103977; CVE-2018-8139; CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C); EXPLOITDB-45012; GOOGLE-1569
  Info: This strike exploits a vulnerability in the Microsoft Edge browser. Specifically, the vulnerability exists when the BoundFunction::NewInstance function is used to handle calls to a bound function. This method allocates a new argument array and copies the arguments into it. It then calls the function without respecting the CallFlags_ExtraArg flag, which indicates that there is an extra argument at the end of the array. As a result, the new array size is one less than required, leading to an out-of-bounds memory read. This can cause a denial of service condition in the browser or potentially lead to remote code execution.

7.6   E19-0jpu2  Exploits
  References: BID-103989; CVE-2018-0946; CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C); EXPLOITDB-44758; URL
  Info: This strike exploits a vulnerability in the Microsoft Edge Chakra engine. Specifically, the vulnerability is in the CrossSite class, which passes JavaScript variables across different contexts. An attacker who successfully exploits the vulnerability could trigger a use-after-free condition.

7.6   D19-0pgg1  Denial
  References: BID-104981; CVE-2018-8384; CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C); EXPLOITDB-45431; GOOGLE-1586
  Info: This strike exploits a vulnerability in the Microsoft Edge browser. Specifically, a type confusion vulnerability exists in the Chakra JavaScript engine. When object header inlining is deoptimized, the type handler of the object is converted to a dictionary type handler. However, not all attributes belong to the dictionary type, and these are not taken into consideration. If such attributes are added or removed, type confusion occurs. This can lead to a denial of service condition in the browser or potentially allow remote code execution.

7.5   E19-5n1d1  Exploits
  References: CVE-2018-17057; CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P); EXPLOITDB-46634
  Info: This strike exploits a remote code execution vulnerability in LimeSurvey. The vulnerability resides in a PHP Phar deserialization within the 'TCPDF' component and can be exploited by uploading a malicious JPEG/Phar polyglot and exporting the survey that contains it. Exploiting this flaw requires authentication and results in remote code execution.

6.8   D19-0mbc1  Denial
  References: CVE-2018-4312; CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P); EXPLOITDB-45481; GOOGLE-1603
  Info: This strike exploits a vulnerability in Apple Safari WebKit. It is possible to craft JavaScript and HTML in such a way that a use-after-free occurs when the handleMenuItemSelected method is called. This can lead to a denial of service condition in the browser or potentially allow remote code execution.

4.3   E19-0hcy1  Exploits
  References: BID-99492; CVE-2017-7890; CVSS-4.3 (AV:N/AC:M/AU:N/C:P/I:N/A:N); URL
  Info: This strike exploits an information disclosure vulnerability in PHP before version 5.6.31 and 7.x before 7.1.7. The vulnerability is due to improper handling of objects in memory in the GIF decoding function gdImageCreateFromGifCtx in the gd_gif_in.c file. A remote, unauthenticated attacker can exploit it by sending a crafted image file to the target server. Successful exploitation results in information disclosure.