Ixia ATI Update ATI-2020-10 (387223)

Enhancements

Ticket | Info
ATIBPS-16354 | The POST action in the HTTP protocol has been modified to support multipart-format data with a specified Content-Boundary. The boundary now also appears in the data part of the POST action.
ATIBPS-9984 | Added a new HTTP Evasion Profile (ClientContentLength), which allows the HTTP Content-Length header to be set to a fixed value.

New Protocols & Applications (1)

Name | Category | Info
Paltalk May20 | Chat/IM | Paltalk is an Internet chat service that allows users to communicate via instant messaging, voice and video chat.

New Super Flows (8)

Name | Category | Info
HTTP Generic IoT User-Agent Simulation (Desktop Browser) | Testing and Measurement | Simulates a scenario where the client sends a GET request with the latest user-agents used by various desktop browsers and the server sends back a 200 OK response of size 1.966 Mb, which is a standard average page response size in the year 2020. The user-agents in the client GET are selected from a dictionary holding the latest list of 950 desktop user-agents.
HTTP Generic IoT User-Agent Simulation (Mobile Browser) | Testing and Measurement | Simulates a scenario where the client sends a GET request with the latest user-agents used by various mobile browsers and the server sends back a 200 OK response of size 1.778 Mb, which is a standard average page response size in the year 2020. The user-agents in the client GET are selected from a dictionary holding the latest list of 1000 mobile user-agents.
Microsoft Teams Apr 20 Video Call Bandwidth | Voice/Video/Media | Simulates a Microsoft Teams user logging in to the app, making a video call with a peer, then logging out. The parameters are set to give high bandwidth.
Paltalk May 20 Audio Call | Chat/IM | Simulates a Paltalk user logging in to the app, making an audio call with a peer, then logging out.
Paltalk May 20 Chat | Chat/IM | Simulates a Paltalk user logging in to the app, chatting with a peer, then logging out.
Skype For Business Audiocall Nov 17 Bandwidth | Voice/Video/Media | Simulates a Skype audio call. The parameters are set to give high bandwidth.
Slack Oct 17 Bandwidth | Enterprise Applications | Simulates the use of the Slack website as of October 2017. All of the available actions for this flow are included. The parameters are set to give high bandwidth.
WebEx Meeting Bandwidth | Voice/Video/Media | Simulates a WebEx user logging in to the app, starting a meeting, using audio and video, sharing content, chatting and then signing out. The parameters are set to give high bandwidth.

New Application Profiles (2)

Name | Info
Work From Home (WFH) | Traffic simulating the mix of all the applications which have contributed to a significant rise in global Internet traffic due to the Covid-19 pandemic and the Work From Home (WFH) situation in the year 2020.
Not Working From Home (NWFH) | Traffic simulating the mix of the top applications which have contributed to a significant rise in global Internet traffic due to the Covid-19 pandemic in the year 2020.

New Tests (1)

Name | Info
AZORult Neutrino September 2018 Campaign | Canned test simulating the AZORult Neutrino September 2018 Campaign.

It sends 7 strikes in the following order:

# | Strike ID | Name | Description
1 | E20-XZ23L | AZORult Password Protected Word Document Phishing Email | This strike simulates a malspam phishing email that has been seen in the wild in connection with the AZORult and Neutrino malware. This specific phishing attempt is related to the AZORult Neutrino Sept 2018 malware campaign.
2 | M20-b8d01 | AZORult Neutrino Malware September 2018 Campaign 'AZORult malware' File transfer | This strike simulates the network transfer of the 'AZORult' module of the AZORult Neutrino Malware September 2018 Campaign.
3 | B20-hzd01 | AZORult Neutrino Malware September 2018 Campaign - AZORult Command and Control | This strike simulates the AZORult Command and Control traffic from the AZORult Neutrino Malware September 2018 Campaign that occurs after installing the 'AZORult' module, with the following steps: 1. The client sends an HTTP POST request; the server replies with large binary data, including an XOR encoded dll module and Base64 encoded configuration data. The configuration data contains information that the malware tries to steal from the client. 2. The client sends an HTTP POST request with XOR encoded client host information, including machine name, RAM size, screen resolution and CPU information.
4 | M20-29901 | AZORult Neutrino Malware September 2018 Campaign 'Neutrino malware' File transfer | This strike simulates the network transfer of the 'Neutrino' module of the AZORult Neutrino Malware September 2018 Campaign.
5 | B20-jg601 | AZORult Neutrino Malware September 2018 Campaign - Neutrino Command and Control | This strike simulates the Neutrino Command and Control traffic from the AZORult Neutrino Malware September 2018 Campaign that occurs after installing the 'Neutrino' module, with the following traffic template: the client sends an HTTP POST request with Base64 encoded data, and the server replies with HTTP code 404 in order to act as if it did not receive or properly understand the Base64 encoded data that was sent.
6 | M20-yi401 | AZORult Neutrino Malware September 2018 Campaign 'x86payload' File transfer | This strike simulates the network transfer of the 'x86payload' module of the AZORult Neutrino Malware September 2018 Campaign.
7 | M20-o1q01 | AZORult Neutrino Malware September 2018 Campaign 'x64payload' File transfer | This strike simulates the network transfer of the 'x64payload' module of the AZORult Neutrino Malware September 2018 Campaign.
The first strike sends a phishing email requesting a payment status update for the attached Word document. The second strike simulates the download of the AZORult malware: once a user has opened the document from the phishing email, entered the provided password and enabled the macro, the AZORult malware is downloaded via an HTTP GET request. The third strike performs two AZORult CNC POST requests. The first POST request serves a registration purpose and is followed by the XOR encoded dll module and Base64 encoded configuration; in the second POST request, host information is exfiltrated to the attacker-controlled malware server. The fourth strike downloads the Neutrino payload via an HTTP request. When Neutrino is executed it sends out multiple HTTP requests with Base64 encoded bodies, each followed by a server HTTP code 404 response with Base64 encoded information, as seen in the fifth strike. Finally, the sixth and seventh strikes simulate the two additional downloads that Neutrino would trigger (x86payload.core and x64payload.core) via HTTP requests.

The stages of the campaign sequence are described in more detail here: http://www.malware-traffic-analysis.net/2018/09/06/index.html

New Strikes (9)

CVSS | ID | References | Category | Info
10.0 | E20-12u21 | CVE-2020-5722; CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C); CVSSV3-9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; EXPLOITDB-48247; URL | Exploits | Grandstream UCM6200 series devices are vulnerable to an unauthenticated remote SQL injection via a crafted HTTP request. A remote attacker can use this vulnerability either to execute shell commands with root privileges (on versions before 1.0.19.20) or to inject HTML into password recovery emails (on versions before 1.0.20.17).
10.0 | E20-11ct1 | CVE-2020-3805; CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C); CVSSV3-9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; URL | Exploits | A use-after-free vulnerability exists in Adobe Reader and Acrobat due to incorrect manipulation of objects in memory. The vulnerability exists in the 'AcroForm.api' dynamic library and may be triggered by a Field object that begins with a UTF-16 BE BOM sequence. An attacker may execute arbitrary code on a victim's system by enticing the victim to open a crafted PDF file.
9.0 | E20-9tjh1 | CVE-2020-12109; CVSS-9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C); CVSSV3-8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; URL | Exploits | A remote command injection exists in multiple TP-Link Cloud Camera devices (NC2XX) due to a lack of user input sanitization. By sending a crafted 'sysname' POST parameter to the '/setsysname.fcgi' path, a remote authenticated attacker may execute arbitrary commands on the target system.
6.8 | E20-0z561 | CVE-2020-0938; CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P); CVSSV3-7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H; URL | Exploits | A memory corruption vulnerability has been reported in the Adobe Type Manager component of Microsoft Windows. The vulnerability is due to improper handling of a specially crafted BlendDesignPositions array in multiple-master Type 1 fonts. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted font file. Successful exploitation could result either in the execution of arbitrary code with SYSTEM or UMFD permissions or in a denial of service condition.
6.8 | E20-13o61 | CVE-2020-6806; CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P); CVSSV3-8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H; GOOGLE-2005 | Exploits | This strike exploits a vulnerability in SpiderMonkey, the JavaScript engine of Mozilla Firefox. An attacker can craft JavaScript promise resolutions in such a way that it becomes possible to cause an out-of-bounds read off the end of an array resized during script execution. This can lead to a denial of service or potentially allow remote code execution.
5.0 | E20-XZ23L | CVSS-5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N); CVSSV3-4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N; URL | Phishing | This strike simulates a malspam phishing email that has been seen in the wild in connection with the AZORult and Neutrino malware. This specific phishing attempt is related to the AZORult Neutrino Sept 2018 malware campaign.
5.0 | E20-15lv1 | CVE-2020-9315; CVSS-5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N); CVSSV3-7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N; URL | Exploits | An information disclosure vulnerability exists in Oracle iPlanet Web Server versions 7.x and prior. By accessing specific paths related to the admin panel, a remote unauthenticated attacker may obtain sensitive information regarding the server's configuration.
4.9 | E20-15lu1 | CVE-2020-9314; CVSS-4.9 (AV:N/AC:M/AU:S/C:P/I:P/A:N); CVSSV3-4.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N; URL | Exploits | An image injection vulnerability exists in Oracle iPlanet Web Server versions 7.0.x due to poor sanitization of the 'productNameSrc' HTTP parameter. By tricking an admin into following a crafted URL, a remote attacker may perform phishing attacks by injecting a custom image into the admin panel.
4.3 | E20-0z571 | CVE-2020-0939; CVSS-4.3 (AV:N/AC:M/AU:N/C:P/I:N/A:N); CVSSV3-5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N; URL | Exploits | An information disclosure vulnerability has been reported in the Windows Media Foundation component of Microsoft Windows. The vulnerability is due to improper handling of objects in memory. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted QuickTime media file. Successful exploitation could result in the execution of arbitrary code within the context of the user running the application.

Defects Resolved

Ticket | Info
ATIBPS-16509 | The Framed-IPv6 AVP in the RADIUS Accounting Request has been fixed. This also fixes the "Not enough room in packet for AVP" issue.
ATIBPS-16620 | Fixed multiple hard-coded HTTP strikes so that they benefit from the HTTP evasion profile.
ATIBPS-16625 | Added NAT support for Strike E19-7nxv1.
ATIBPS-16641 | Fixed multiple strikes that had duplicate keywords.
ATIBPS-16655 | Fixed the issue in the HTTP application where the standard port number 443 was appended to the URI in the Host header (RFC 2818).