Ixia ATI Update 2016-23 (288532)

Defects Resolved

Ticket Info
DE6819 Fixed the missing OPT record when the DNS response type is set to DNSKEY. With the fix, when the DO bit is set to true and the type is set to DNSKEY, an OPT record appears under the Additional section of the response, as expected.
DE6865 Updated Microsoft Tuesday StrikeLists to include all months for which Strikes are available; corrected ms keyword for 7 strikes (see Modified Strikes).
DE6879 Fixed an issue where some strikes sending HTTP traffic were encrypted when run with the SSL::EnableOnAllHTTP evasion profile (see Modified Strikes).
DE6886 (1405368) This fix resolves an issue where SSL sessions were being reused despite disabling the "Resume Max Reuse" and "Resume Expire" settings in the "Start TLS" action.
DE6887 (1418366) This update fixes an issue with the "GetAddr Reply" action provided by the "RPC BIND (Portmap)" flow. Previously, some message lengths produced incorrect padding.
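The DE6819 check, as an added example written for this page (not Ixia's code): build a DNSKEY query carrying an EDNS(0) OPT record with the DO bit set, then verify that the response carries an OPT record in its Additional section. Both the query and the two responses (one with the OPT record, one without, mimicking the pre-fix behaviour) are constructed inline; the DNSKEY RDATA is a dummy key.

```python
import struct

# Added example: EDNS(0) OPT / DO-bit handling for a DNSKEY query.
# All messages are constructed inline; nothing is sent on the wire.
QTYPE_DNSKEY = 48
TYPE_OPT = 41
DO_BIT = 0x8000  # top bit of the OPT TTL field (RFC 6891 section 6.1.3)


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_opt_rr(udp_size=4096, do=True):
    # OPT pseudo-RR: NAME=root, TYPE=41, CLASS=UDP payload size,
    # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLENGTH=0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if do else 0, 0)


def build_dnskey_query(name, txid=0x1234, do=True):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", QTYPE_DNSKEY, 1)
    return header + question + build_opt_rr(do=do)


def build_dnskey_response(query, include_opt):
    """Constructed DNSKEY answer to `query`; include_opt=False mimics the pre-fix behaviour."""
    (txid,) = struct.unpack("!H", query[:2])
    question = query[12:skip_name(query, 12) + 4]
    # DNSKEY RDATA: flags=257 (KSK), protocol=3, algorithm=8, followed by a dummy 4-byte key
    rdata = struct.pack("!HBB", 257, 3, 8) + b"\x01\x02\x03\x04"
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_DNSKEY, 1, 3600, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1 if include_opt else 0)
    msg = header + question + answer
    return msg + build_opt_rr() if include_opt else msg


def find_opt(msg):
    """Return (udp_payload_size, do_bit) for the OPT RR in the Additional section, else None."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # name + QTYPE + QCLASS
    for idx in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT and idx >= an + ns:  # OPT is only valid in the Additional section
            return rclass, bool(ttl & DO_BIT)
    return None


def response_honours_do(query, response):
    """True when a DO=1 query received an OPT RR with DO=1 back (RFC 3225 requires the copy)."""
    q = find_opt(query)
    if q is None or not q[1]:
        return True  # DO was not requested, nothing to check
    r = find_opt(response)
    return r is not None and r[1]
```

Running `response_honours_do` against a capture of the pre-fix traffic returns False, because the DNSKEY answer arrives with ARCOUNT=0 and no OPT record; after the fix it returns True.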
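The padding rule behind DE6887, as an added example written for this page (not Ixia's code): the rpcbind GETADDR result is a single XDR string carrying a universal address, and XDR strings are padded with zero bytes to a 4-byte boundary, so the padding depends on the address length. The encoder below builds a minimal accepted RPC reply (AUTH_NULL verifier) around that string and the decoder rejects replies whose padding is missing or non-zero; the addresses are constructed sample values.

```python
import struct

# Added example: XDR string padding in an rpcbind GETADDR reply.
# Sample addresses below are constructed; nothing is sent on the wire.


def xdr_pad(n):
    """Zero bytes needed to bring a payload of n bytes up to a 4-byte boundary."""
    return (-n) % 4


def xdr_string(s):
    data = s.encode("ascii")
    return struct.pack("!I", len(data)) + data + b"\x00" * xdr_pad(len(data))


def xdr_read_string(buf, off):
    """Decode an XDR string at `off`; return (value, offset past the padding)."""
    (n,) = struct.unpack_from("!I", buf, off)
    off += 4
    data = buf[off:off + n]
    if len(data) != n:
        raise ValueError("truncated string")
    off += n
    pad = xdr_pad(n)
    if buf[off:off + pad] != b"\x00" * pad:
        raise ValueError("missing or non-zero XDR padding")
    return data.decode("ascii"), off + pad


def getaddr_reply(xid, uaddr):
    """RPC reply: xid, REPLY(1), MSG_ACCEPTED(0), AUTH_NULL verifier (flavor 0, len 0),
    SUCCESS(0), then the GETADDR result, an XDR string with the universal address."""
    header = struct.pack("!IIIIII", xid, 1, 0, 0, 0, 0)
    return header + xdr_string(uaddr)


def parse_getaddr_reply(msg):
    xid, mtype, rstat, _vflavor, vlen, astat = struct.unpack_from("!IIIIII", msg, 0)
    if mtype != 1 or rstat != 0 or astat != 0:
        raise ValueError("not a successful RPC reply")
    uaddr, end = xdr_read_string(msg, 24 + vlen + xdr_pad(vlen))
    if end != len(msg):
        raise ValueError("trailing bytes after the result")
    return xid, uaddr


def reply_is_well_formed(msg):
    try:
        parse_getaddr_reply(msg)
        return True
    except (ValueError, struct.error):
        return False


def uaddr_to_ip_port(uaddr):
    """Universal address 'h1.h2.h3.h4.p1.p2' (RFC 5665) to (ip, port)."""
    parts = uaddr.split(".")
    if len(parts) != 6:
        raise ValueError("not an IPv4 universal address")
    return ".".join(parts[:4]), int(parts[4]) * 256 + int(parts[5])
```

The four constructed addresses in the test cover every residue of the string length modulo 4, which is exactly the case split a padding bug hides in: a reply that is correct for a 16-byte address can still be off by one to three bytes for the others.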

Enhancements

Ticket Info
US58329 Extended the LDAP flow action "Search Result Entry" to support multiple Attribute and Attribute Value pairs. The values are imported from a JSON file specified by the user. Two new parameters have been added: "Partial Attribute List" and "Include Result Done". Existing functionality has not been altered.
US57972 Added new Application mixes emulating the Sandvine 2016 Internet trends for the Asia Pacific, Africa and Middle East regions.

New Protocols & Applications (3)

Name Category Info
Kelihos Command-and-Control Botnet Security Kelihos Botnet is a peer-to-peer botnet, where individual botnet nodes are capable of acting as command-and-control servers for the entire botnet.
BuzzFeed Nov 16 Social Networking/Search BuzzFeed is a social news and entertainment web site where users can easily navigate to the latest items that are currently creating the most 'buzz'. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
GoToMeeting Oct16 Voice/Video/Media GoToMeeting is a web-hosted service created and marketed by the Online Services division of Citrix Systems. It is an online meeting, desktop sharing, and video conferencing software that enables the user to meet with other computer users, customers, clients or colleagues via the Internet in real time. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

New Super Flows (9)

Name Category Info
DDoS CLDAP Flood Authentication The CLDAP (Connectionless LDAP) flood sends a flood of UDP datagrams toward a target. It is a reflection attack: the attacker forges requests, carrying the victim's address as the source, that ask the reflecting LDAP server for all attributes it supports, so the server's much larger replies are delivered to the victim.
Kelihos Command-and-Control Botnet Communication Security This traffic emulates a Kelihos Command-and-Control Botnet Communication session. It demonstrates the actions a peer can perform in order to exchange encrypted data with the server.
BuzzFeed Nov. 2016 Social Networking/Search BuzzFeed is a social news and entertainment web site where users can easily view the latest items that are currently creating the most 'buzz'. In this emulation a user, who is not logged into BuzzFeed, navigates to a number of items of interest. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
GoToMeeting Mobile Voice/Video/Media Traffic that simulates signing in, starting and joining a meeting from the mobile app. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
GoToMeeting Mobile Join Meeting Voice/Video/Media Traffic that simulates signing in and joining an existing meeting from the mobile app. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
GoToMeeting Mobile Start Meeting Voice/Video/Media Traffic that simulates signing in and starting a meeting from the mobile app. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
GoToMeeting Web App Voice/Video/Media Traffic that simulates using the GoToMeeting web app from a browser. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
YouTube September 2016 Bandwidth Voice/Video/Media Traffic that simulates some of the actions a user can perform on the YouTube website without DNS flow. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
Google Safe Browsing Bandwidth Social Networking/Search Traffic that simulates Google Safe Browsing lookups, where a URL is matched against lists of URLs for web resources that contain malware or phishing content. The parameters here are set for high bandwidth so that the Super Flow can be used in Sandvine profiles.

New Application Profiles (5)

Name Info
Sandvine Africa Fixed Access 2016 October Traffic emulating the mix of applications reported in the Sandvine Global Internet Phenomena Report October 2016 for Africa Fixed Access.
Sandvine Africa Mobile Access 2016 October Traffic emulating the mix of applications reported in the Sandvine Global Internet Phenomena Report October 2016 for Africa Mobile Access.
Sandvine Asia Pacific Fixed Access 2016 October Traffic emulating the mix of applications reported in the Sandvine Global Internet Phenomena Report October 2016 for Asia Pacific Fixed Access.
Sandvine Asia Pacific Mobile Access 2016 October Traffic emulating the mix of applications reported in the Sandvine Global Internet Phenomena Report October 2016 for Asia Pacific Mobile Access.
Sandvine Middle East Mobile Access 2016 October Traffic emulating the mix of applications reported in the Sandvine Global Internet Phenomena Report October 2016 for Middle East Mobile Access.

New DDoS (1)

Name Info
DDoS CLDAP Flood The CLDAP (Connectionless LDAP) flood sends a flood of UDP datagrams toward a target. It is a reflection attack: the attacker forges requests, carrying the victim's address as the source, that ask the reflecting LDAP server for all attributes it supports, so the server's much larger replies are delivered to the victim.

New Strikes (10)

CVSS ID References Category Info
10.0 E16-7v901 BID-93177, CVE-2016-6309, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), URL Exploits This strike exploits a use-after-free vulnerability in OpenSSL. The vulnerability is caused by an error that occurs when reallocating a message larger than 16 KB in the tls_get_message_header function. Successful exploitation may result in execution of arbitrary code or abnormal termination of the vulnerable OpenSSL server.
10.0 E16-3rq01 APSB-16-08, BID-84312, CVE-2016-0998, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), GOOGLE-716 Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to an uninitialized stack parameter access in object.unwatch. An attacker can entice a target to open a specially crafted Flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the Flash process.
10.0 E16-3rp02 APSB-16-08, BID-84312, CVE-2016-0997, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), GOOGLE-715 Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to an uninitialized stack parameter access in MovieClip.swapDepths. An attacker can entice a target to open a specially crafted Flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the Flash process.
10.0 E15-8wg01 APSB-15-27, BID-77116, CVE-2015-7648, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), GOOGLE-545 Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to a type confusion in serialization with ObjectEncoder.dynamicPropertyWriter. An attacker can entice a target to open a specially crafted Flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the Flash process.
10.0 E15-8wf01 APSB-15-27, BID-77115, CVE-2015-7647, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), GOOGLE-548 Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to a type confusion in IExternalizable.readExternal when performing local serialization. An attacker can entice a target to open a specially crafted Flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the Flash process.
10.0 E15-7av01 APSB-15-23, BID-76799, CVE-2015-5575, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), GOOGLE-452 Exploits This strike exploits a remote code execution vulnerability in Adobe Flash Player. The vulnerability is due to a wild write at 0x453b0cf0 in color conversion. An attacker can entice a target to open a specially crafted Flash file to trigger the vulnerability. Successful exploitation may result in execution of arbitrary code or abnormal termination of the Flash process.
9.3 E16-8jp01 BID-93427, CVE-2016-7189, CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C), MS16-119 Exploits This strike exploits a vulnerability in the Microsoft Edge browser. Specifically, a type confusion vulnerability exists in the Microsoft Edge module Chakra.dll. A malicious attacker can craft JavaScript in such a way that when Array.join is called on an array of elements it is possible to reference the array's prototype if it has a getter function. If that getter returns an element of a different type than the array expects, type confusion can occur. This can lead to a disclosure of memory contents. It may also be possible to cause a denial of service condition in the browser or achieve remote code execution by corrupting these memory contents in a specified manner.
9.3 E16-5m101 BID-93397, CVE-2016-3385, CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C), MS16-118 Exploits This strike exploits a vulnerability in Microsoft Internet Explorer. Specifically, a type confusion vulnerability exists in the Microsoft scripting engine's Join function. A malicious attacker can craft code in such a way that when Join is called upon an array object after its contents have been changed, the reference to the original object is kept. If the type of the object in the array has changed, this results in type confusion. It may also be possible to cause a denial of service condition in the browser or achieve remote code execution by corrupting these memory contents in a specified manner.
7.6 E16-8ju01 BID-93399, CVE-2016-7194, CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C), MS16-119 Exploits This strike exploits a vulnerability in the Microsoft Edge browser. Specifically, a type confusion vulnerability exists in the Microsoft Edge module Chakra.dll. A malicious attacker can craft JavaScript in such a way that when the TemplatedForEachItemInRange method is called on an array it believes to be of type int, the method will disclose memory contents of the non-integer object in the array.
7.6 E16-8jq01 BID-93428, CVE-2016-7190, CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C), MS16-119 Exploits This strike exploits a vulnerability in the Microsoft Edge browser. Specifically, a type confusion vulnerability exists in the Microsoft Edge module Chakra.dll. A malicious attacker can craft JavaScript in such a way that when a proxy object is created and Array.map is called upon that object, memory information can be disclosed. It may also be possible to cause a denial of service condition in the browser or achieve remote code execution by corrupting these memory contents in a specified manner.

Modified Strikes (11)

CVSS ID References Category Info
10.0 G04-35w01 BID-10708, CVE-2004-0212, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), MS04-022, URL Generic Updated Microsoft Tuesday StrikeLists to include all months for which Strikes are available; corrected ms keyword for this strike.
10.0 E15-49f01 BID-74013, CVE-2015-1635, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), MS15-034 Exploits Updated Microsoft Tuesday StrikeLists to include all months for which Strikes are available; corrected ms keyword for this strike.
9.3 G03-3mx01 BID-9624, CVE-2003-0825, CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C), MS04-006, URL Generic Updated Microsoft Tuesday StrikeLists to include all months for which Strikes are available; corrected ms keyword for this strike.
9.3 E13-wn801 BID-57114, CVE-2013-0003, CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C), MS13-004, URL Exploits Updated Microsoft Tuesday StrikeLists to include all months for which Strikes are available; corrected ms keyword for this strike.
8.7 E15-4mw01 BID-74801, CVE-2015-2120, CVSS-8.7 (AV:N/AC:L/AU:S/C:C/I:P/A:C), URL Exploits Fixed an issue where some strikes sending HTTP traffic were encrypted when run with the SSL::EnableOnAllHTTP evasion profile.
7.5 G04-33b01 BID-10113, CVE-2004-0119, CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P), MS04-011, URL Generic Updated Microsoft Tuesday StrikeLists to include all months for which Strikes are available; corrected ms keyword for this strike.
7.5 G04-3nj01 BID-11342, CVE-2004-0847, CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P), MS05-004, URL Generic Updated Microsoft Tuesday StrikeLists to include all months for which Strikes are available; corrected ms keyword for this strike.
7.5 E12-5il02 BID-55273, CVE-2012-3264, CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P) Exploits Fixed an issue where some strikes sending HTTP traffic were encrypted when run with the SSL::EnableOnAllHTTP evasion profile.
7.5 E13-3t501 BID-62902, CVE-2013-4824, CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P), ZDI-13-240 Exploits Fixed an issue where some strikes sending HTTP traffic were encrypted when run with the SSL::EnableOnAllHTTP evasion profile.
6.5 E16-48901 CVE-2016-1593, CVSS-6.5 (AV:N/AC:L/AU:S/C:P/I:P/A:P), URL Exploits Fixed an issue where some strikes sending HTTP traffic were encrypted when run with the SSL::EnableOnAllHTTP evasion profile.
5.1 G06-5bq01 BID-18583, CVE-2006-3014, CVSS-5.1 (AV:N/AC:H/AU:N/C:P/I:P/A:P), MS06-069, URL Generic Updated Microsoft Tuesday StrikeLists to include all months for which Strikes are available; corrected ms keyword for this strike.