Ixia ATI Update 2018-19 (341118)

Defects Resolved

Ticket Info
DE9971 Strike E15-36j02 for CVE-2015-0235 was incorrectly classified as "smtp" instead of "http." This has been corrected.
DE9973 Strike E15-72301 was moved from Category Exploits: Apache to Exploits: Miscellaneous. Strike E14-35f01 was moved from Category Exploits: Exec to Exploits: SSL.
DE9979 Added missing functionality to the HTTPTransportMethods evasion.
DE9980 Added missing smart strike lists Strike Level 1-3 for 2018.
DE9982 The Superflows "BreakingPoint HTTP/2 GET Request Response 304" and "BreakingPoint HTTP/2 POST Response 200" both set the ACK flag incorrectly in the "settings_frame_client" action.
DE9983 DNS "Resolve" action is now using the specified "Type".
DE9991 Both Exchange Directory RFR flows in the 'DCE RPC MAPI Session' and 'DCE RPC MAPI with File Attachment' Super Flows now have the same destination port because they are mapped to the same RPC interface.
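The following is an added example, not Ixia/BreakingPoint code, showing the frame rule behind DE9982: per RFC 7540 section 6.5 a client's initial SETTINGS frame must not carry the ACK flag, and a SETTINGS frame with ACK set must have an empty payload. It builds the client connection preface and SETTINGS frames, then checks frames against those rules. The setting values are arbitrary sample values chosen for the example.

```python
"""
Added example (not Ixia/BreakingPoint code): build HTTP/2 SETTINGS frames
and check the flag rule that DE9982 is about.  Per RFC 7540 section 6.5 a
peer's initial SETTINGS frame must not carry the ACK flag, and a SETTINGS
frame with ACK set must have an empty payload.  Frame header layout:
24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id.
The setting values used below are arbitrary sample values.
"""
import struct

TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1
# Setting identifiers from RFC 7540 section 6.5.2
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def build_frame(frame_type: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize a 9-byte frame header followed by the payload."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds 24-bit length field")
    length = struct.pack("!I", len(payload))[1:]          # 24-bit big-endian length
    rest = struct.pack("!BBI", frame_type, flags, stream_id & 0x7FFFFFFF)
    return length + rest + payload


def build_settings(settings: dict, ack: bool = False) -> bytes:
    """Client's initial SETTINGS frame (ack=False) or an empty SETTINGS ACK (ack=True)."""
    if ack:
        if settings:
            raise ValueError("a SETTINGS ACK must not carry settings")
        return build_frame(TYPE_SETTINGS, FLAG_ACK, 0, b"")
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in settings.items())
    return build_frame(TYPE_SETTINGS, 0, 0, payload)


def check_settings_frame(frame: bytes) -> str:
    """Return 'ok' or the first RFC 7540 rule a SETTINGS frame violates."""
    if len(frame) < 9:
        return "truncated frame header"
    length = int.from_bytes(frame[:3], "big")
    frame_type, flags, stream_id = struct.unpack("!BBI", frame[3:9])
    payload = frame[9:]
    if frame_type != TYPE_SETTINGS:
        return "not a SETTINGS frame"
    if len(payload) != length:
        return "declared length does not match payload"
    if stream_id & 0x7FFFFFFF != 0:
        return "SETTINGS on a non-zero stream (PROTOCOL_ERROR)"
    if flags & FLAG_ACK:
        # The DE9982 shape: ACK set on a frame that still carries settings.
        return "ok" if length == 0 else "ACK flag set on a SETTINGS frame with payload (FRAME_SIZE_ERROR)"
    if length % 6 != 0:
        return "payload length not a multiple of 6 (FRAME_SIZE_ERROR)"
    return "ok"


def check_client_preface(data: bytes) -> str:
    """The connection preface is the 24-byte magic followed by a non-ACK SETTINGS frame."""
    if not data.startswith(CLIENT_PREFACE):
        return "missing connection preface"
    frame = data[len(CLIENT_PREFACE):]
    verdict = check_settings_frame(frame)
    if verdict == "ok" and frame[4] & FLAG_ACK:      # byte 4 of the header is the flags octet
        return "initial SETTINGS must not set ACK"
    return verdict


if __name__ == "__main__":
    good = CLIENT_PREFACE + build_settings({SETTINGS_MAX_CONCURRENT_STREAMS: 100})
    bad = CLIENT_PREFACE + build_frame(TYPE_SETTINGS, FLAG_ACK, 0,
                                       struct.pack("!HI", SETTINGS_INITIAL_WINDOW_SIZE, 65535))
    print(check_client_preface(good))
    print(check_client_preface(bad))
```

Running the block shows the two outcomes side by side: a correct client preface passes, while a SETTINGS frame that carries settings with ACK set is reported as a FRAME_SIZE_ERROR, which is exactly what a conforming peer would do with the pre-fix Superflow traffic.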

New Strikes (14)

CVSS ID References Category Info
10.0 E18-5lvj1 CVE-2018-15551
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
URL
Exploits This strike exploits a command injection vulnerability in Supervene RazDC. The vulnerability is due to missing sanitization of user-supplied input passed to the 'password' (Password) and 'password2' (Confirm Password) HTTP parameters of the 'create_user.cgi' form. By exploiting this vulnerability, a remote, unauthenticated attacker can execute arbitrary OS commands on the target server.
10.0 E18-5lvh1 CVE-2018-15549
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
URL
Exploits This strike exploits a command injection vulnerability in Supervene RazDC. The vulnerability is due to improper validation of input passed to the 'User Reset Password' CGI script. By exploiting this vulnerability, a remote, unauthenticated attacker can execute arbitrary OS commands on the target server.
9.3 E18-0jlu1 BID-102347
CVE-2018-0802
CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)
URL
Exploits This strike exploits a stack buffer overflow vulnerability in the Equation Editor (EQNEDT32.EXE) component of Microsoft Office. The vulnerability is due to insufficient validation of the font name field length in an embedded OLE object. An attacker could execute arbitrary code by enticing a user to open a maliciously crafted document with the vulnerable software.
8.5 E18-5mm51 CVE-2018-16509
CVSS-8.5 (AV:N/AC:L/AU:N/C:C/I:P/A:N)
URL
Exploits This strike exploits a vulnerability in the Artifex Ghostscript interpreter for PostScript files. The interpreter is commonly invoked behind the scenes by Linux command-line tools such as ImageMagick's "convert" when they process documents and images. The vulnerability is due to insufficient input validation in the interpreter, which allows a crafted file to bypass the -dSAFER sandbox restrictions. Successful exploitation results in arbitrary OS command execution.
7.6 E18-mar21 BID-102920
CVE-2018-0825
CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C)
SECURITYTRACKER-1040366
URL
Exploits This strike exploits a remote code execution vulnerability in the Windows StructuredQuery.dll library. The vulnerability is due to insufficient validation of a length parameter in the ReadPWSTR function. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user.
7.5 E18-5jtk1 CVE-2018-12888
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
Exploits This strike exploits a time-based SQL injection vulnerability in iCMS v7.0.8. The vulnerability is caused by insufficient validation of user input in HTTP requests with app=article, which is used to build SQL queries. Successful exploitation could allow an attacker to delay the database and cause a short denial of service on the target server.
6.8 E18-mboq1 BID-105153
CVE-2018-8440
CVSS-6.8 (AV:L/AC:L/AU:S/C:C/I:C/A:C)
SECURITYTRACKER-1041578
Exploits This strike exploits a privilege escalation flaw in the Microsoft Windows Task Scheduler ALPC endpoint. The Task Scheduler's ALPC endpoint does not impersonate the user making the call, so a low-privileged user can change the access control list of an arbitrary file through the endpoint's "SchRpcSetSecurity" method. Successful exploitation gives an arbitrary file write, which can be turned into code execution with SYSTEM privileges.
6.8 E18-0pgt1 BID-104994
CVE-2018-8397
CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P)
URL
Exploits This strike exploits a remote code execution vulnerability in the GDI (Graphics Device Interface) components of Microsoft Windows. The vulnerability is due to improper handling of EMF records in memory by the 'GDIPLUS.DLL' library. The vulnerability can be exploited by crafting a malicious EMF file and enticing a user to download and open it. Successful exploitation may result in execution of arbitrary code with user privileges.
6.8 E18-0f6n3 BID-98861
CVE-2017-5071
CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P)
GOOGLE-715582
Exploits This strike exploits a vulnerability in the Google Chrome browser. Specifically, the vulnerability exists in the V8 JavaScript engine. It is possible to craft JavaScript in such a way that an out-of-bounds read occurs in FindSharedFunctionInfo. This may lead to a denial of service condition in the browser, or potentially remote code execution.
6.8 E18-0f652 BID-97220
CVE-2017-5053
CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P)
GOOGLE-702058
Exploits This strike exploits a vulnerability in the Google Chrome browser. Specifically, the vulnerability exists in the V8 JavaScript engine. It is possible to craft JavaScript in such a way that an out-of-bounds memory read occurs. This may lead to a denial of service condition in the browser, or potentially remote code execution.
5.0 E18-5lds1 CVE-2018-14912
CVSS-5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)
EXPLOITDB-45148
Exploits This strike exploits a directory traversal vulnerability in the cgit web frontend for git. The vulnerability is caused by insufficient validation of the 'path' parameter in HTTP requests. Successful exploitation could allow an attacker to read arbitrary files on the target system.
5.0 E18-0kcc1 CVE-2018-1756
CVSS-5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)
EXPLOITDB-45392
URL
Exploits This strike exploits a SQL injection vulnerability in IBM Security Identity Governance Virtual Appliance. The vulnerability is caused by insufficient validation of user input in HTTP requests that is used to build SQL queries. Successful exploitation could allow an attacker to gain access to the back-end database.
4.3 R18-mbm71 BID-105140
CVE-2018-15473
CVSS-4.3 (AV:N/AC:M/AU:N/C:P/I:N/A:N)
EXPLOITDB-45210
SECURITYTRACKER-1041487
URL
Recon This strike exploits a user enumeration vulnerability in OpenSSH. When OpenSSH processes a specially malformed authentication message for a valid user name, the process handling that connection aborts and the connection is closed without any reply. If the user name is invalid, OpenSSH does not abort and sends back an authentication failure message. An attacker can therefore send crafted authentication messages and watch for connections that are closed with no error message to determine which user names exist. Note: this strike does not send actual encrypted messages. Detection would be based on whether or not a second encrypted server reply occurs before the session is terminated.
4.3 E18-0yyj1 CVSS-4.3 (AV:N/AC:M/AU:N/C:N/I:P/A:N)
EXPLOITDB-45307
URL
Exploits This strike exploits a reflected cross-site scripting vulnerability in the Quizlord WordPress plugin. The vulnerability is due to inadequate filtering of the quiz title parameter in the web interface. By exploiting this vulnerability, an attacker could cause arbitrary HTML or script code to be executed in the target user's browser.
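The following is an added example, not Ixia/BreakingPoint code, implementing the detection rule given for the OpenSSH user enumeration strike R18-mbm71 (CVE-2018-15473) over constructed per-session event lists rather than live traffic. After both sides have sent NEWKEYS, an ordinary failed login is answered (SERVICE_ACCEPT, then USERAUTH_FAILURE), whereas a probe with a valid user name gets no answer to its USERAUTH_REQUEST and the server simply closes the connection. The example generalizes the "second encrypted server reply" count slightly: it asks whether the client's last encrypted message was answered at all, which still holds when a server sends an extra EXT_INFO message right after NEWKEYS. The event encoding, the RFC 5737 documentation addresses and the per-source threshold are assumptions made for this example.

```python
"""
Added example (not Ixia/BreakingPoint code): detection logic for the
CVE-2018-15473 probing pattern, run over constructed per-session event lists.
After both NEWKEYS, a normal failed login is answered (SERVICE_ACCEPT, then
USERAUTH_FAILURE); a probe with a valid user name gets no reply to its
USERAUTH_REQUEST and the server closes the connection.  Event encoding,
addresses and the threshold are assumptions for this example.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sessions keyed by (source_ip, session_id).  Tokens are
# "<c|s>:<newkeys|enc|close>": c = client, s = server, enc = an encrypted packet.
SAMPLE_SESSIONS: Dict[Tuple[str, int], str] = {
    # three probes of valid user names: USERAUTH_REQUEST never answered, server closes
    ("203.0.113.5", 1): "c:newkeys s:newkeys c:enc s:enc c:enc s:close",
    ("203.0.113.5", 2): "c:newkeys s:newkeys c:enc s:enc c:enc s:close",
    ("203.0.113.5", 3): "c:newkeys s:newkeys c:enc s:enc c:enc s:close",
    # probe of an invalid user name: USERAUTH_FAILURE comes back, client closes
    ("203.0.113.5", 4): "c:newkeys s:newkeys c:enc s:enc c:enc s:enc c:close",
    # ordinary failed login from another host, with a server EXT_INFO after NEWKEYS
    ("198.51.100.7", 1): "c:newkeys s:newkeys s:enc c:enc s:enc c:enc s:enc c:close",
    # key exchange never completed: nothing to conclude
    ("192.0.2.9", 1): "c:newkeys s:close",
}


def parse_session(text: str) -> List[Tuple[str, str]]:
    """Turn the compact token string into (sender, event) pairs."""
    pairs = []
    for token in text.split():
        who, event = token.split(":")
        pairs.append(("client" if who == "c" else "server", event))
    return pairs


def count_server_replies(events: List[Tuple[str, str]]) -> int:
    """Encrypted server packets after both NEWKEYS (the raw count the strike description uses)."""
    newkeys = {"client": False, "server": False}
    replies = 0
    for sender, event in events:
        if event == "newkeys":
            newkeys[sender] = True
        elif event == "enc" and sender == "server" and all(newkeys.values()):
            replies += 1
    return replies


def classify_session(events: List[Tuple[str, str]]) -> str:
    """
    'unanswered': the client's last encrypted message got no reply before the close
    'answered':   the server replied to every client message before the close
    'incomplete': key exchange never completed, or no close was observed
    """
    newkeys = {"client": False, "server": False}
    pending = False  # a client encrypted message is awaiting a server reply
    for sender, event in events:
        if event == "newkeys":
            newkeys[sender] = True
            continue
        if not all(newkeys.values()):
            if event == "close":
                return "incomplete"
            continue
        if event == "enc":
            pending = sender == "client"
        elif event == "close":
            return "unanswered" if pending else "answered"
    return "incomplete"


def find_enumerators(sessions: Dict[Tuple[str, int], str], threshold: int = 3) -> Dict[str, int]:
    """Sources with at least `threshold` sessions closed while a client message was unanswered."""
    counts: Dict[str, int] = defaultdict(int)
    for (source_ip, _sid), text in sessions.items():
        if classify_session(parse_session(text)) == "unanswered":
            counts[source_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for key, text in SAMPLE_SESSIONS.items():
        ev = parse_session(text)
        print(key, classify_session(ev), "server replies:", count_server_replies(ev))
    print(find_enumerators(SAMPLE_SESSIONS))
```

The threshold matters: a single unanswered session can also come from a client timeout or a MaxAuthTries disconnect, so the example only flags a source once several of its sessions show the probe shape. Against the strike traffic itself, count_server_replies returns 1 for the valid-name case and 2 for the invalid-name case, which is the rule stated in the strike description.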

Modified Strikes (1)

CVSS ID References Category Info
10.0 E15-36j02 BID-72325
CVE-2015-0235
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
URL
Exploits Strike E15-36j02 for CVE-2015-0235 was incorrectly classified as "smtp" instead of "http." This has been corrected.