Ixia ATI Update 2017-07 (303811)

Defects Resolved

Ticket | Info
DE7420 (1431780) | The server port for the RPC NFS flow has been changed to 2049.
DE7549 (1436449) | The SMTP protocol has been modified to use the correct Content-Transfer-Encoding header when "quoted-printable" is requested.

Enhancements

Ticket | Info
US56283 | Added a new Application Profile, "Top Five OS X or Mac OS Apps 2016", which includes 'Dropbox', 'Netflix', 'VLC HTTP Flash File Streaming', 'uTorrent' and 'Skype'.
US64629 | The real world application traffic mix has been implemented. To achieve this, the following new super flows were added: Yahoo Search GET Home Page, Amazon GET Home Page, Facebook GET Home Page, Google Search Home Page, Gmail GET Index, HTTP POST PDF file, FTP 1MB File Download, SMTP 17k, SMTP 100K, HTTPS 10K, HTTPS 100K, POP3 512.
US65894 | Added one new Manufacturing Message Specification (MMS) Write Request super flow. The super flow uses the following two new actions: Confirmed Service Request Write and Confirmed Service Response Write.

New Super Flows (14)

Name | Category | Info
Manufacturing Message Specification (MMS) Write Request | SCADA | This traffic emulates a Confirmed Request (write) message.
DDoS mDNS Response Flood | System Network/Admin | This attack emulates mDNS distributed denial of service, where the attacker redirects a flood of mDNS responses to the victim.
FTP 1MB File Download | Data Transfer/File Sharing | Simulates FTP in extended passive mode, where the client logs in, enters passive mode, retrieves 1 MB of data from the server and then proceeds to store its own data at the server site.
Google Mail GET Index | Email/WebMail | Simulates Google Webmail, where the client requests the homepage index.html and the server responds with a 200 OK.
POP3 512 | Email/WebMail | Simulates a POP3 session where the client logs in and retrieves a mail of size 512KB.
Amazon GET Home Page | Financial | Amazon is a large online retailer. This traffic simulates an Amazon user's request for the Amazon home page.
Facebook GET Home Page | Social Networking/Search | Simulates the action where the client requests and gets back the Facebook home page.
Google Search GET Home Page | Social Networking/Search | Simulates the action of the client requesting and getting back the Google home page.
Yahoo Search GET Home Page | Social Networking/Search | Simulates the start-up of a Yahoo Search Web session, where the client requests the Yahoo search home page and the server responds with the home page.
HTTP POST PDF File | Testing and Measurement | Simulates an HTTP POST request where the client posts a PDF file of size 100K bytes.
HTTPS 100k | Testing and Measurement | Simulates HTTPS (TLS) sessions exchanging data of size 100KB. Please note that this protocol does not make use of the SSL encryption engine. [RFC 1035]
HTTPS 10k | Testing and Measurement | Simulates HTTPS (TLS) sessions exchanging data of size 10KB. Please note that this protocol does not make use of the SSL encryption engine. [RFC 1035]
SMTP 100k | Email/WebMail | Simulates an SMTP email session in which the client connects to the server, tells it where to send the data, and then sends a message of type PDF and size 100KB. [RFC 1035][RFC 5321]
SMTP 17k | Email/WebMail | Simulates an SMTP email session in which the client connects to the server, tells it where to send the data, and then sends a message of type PDF and size 17KB. [RFC 1035][RFC 5321]

New Application Profiles (2)

Name | Info
Top Five OS X or Mac OS Apps 2016 | This traffic mix represents five of the most popular OS X or Mac OS applications in 2016.
Application Traffic Mix 2016 | This mix represents the applications that contribute to the majority of the internet traffic.

New DDoS (1)

Name | Info
DDoS mDNS Response Flood | This attack emulates mDNS distributed denial of service, where the attacker redirects a flood of mDNS responses to the victim.

New Strikes (8)

CVSS | ID | References | Category | Info
10.0 | E17-7gu01 | BID-96755, CVE-2017-5790, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), ZDI-17-166 | Exploits | This strike exploits an insecure Java deserialization in Hewlett Packard Enterprise (HPE) Intelligent Management Center (IMC). IMC accepts Java serialized objects in the body of HTTP POST requests to accessMgrServlet. It does not validate the objects before deserialization. An attacker could send an HTTP POST request to the vulnerable URI with a specially crafted Java serialized object to achieve arbitrary command execution with the privileges of the user running the IMC application, often SYSTEM or root.
10.0 | E16-adf01 | BID-94479, CVE-2016-9555, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), SECURITYTRACKER-1037339 | Exploits | This strike exploits a denial of service vulnerability in the Linux Kernel SCTP module. The first chunk of an Out-of-the-Blue (OOTB) SCTP packet is processed before the length field is verified. An overly large chunk length value will trigger an out-of-bounds read, which may lead to a kernel panic, resulting in a denial of service condition.
10.0 | E17-0gvp1 | CVE-2017-7269, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), SCIP-98561 | Exploits | This strike exploits a remote code execution vulnerability in Windows Internet Information Services 6. The vulnerability is due to a failure to sanitize input to the ScStoragePathFromUrl parameter via a PROPFIND request. Successful exploitation of this vulnerability could result in the execution of arbitrary code on the target system.
10.0 | E17-0f661 | CVE-2017-5404, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), GOOGLE-1130 | Exploits | This strike exploits a remote code execution vulnerability in Mozilla Firefox. The vulnerability can be triggered by manipulating range elements within selections. Successful exploitation of this vulnerability could result in the execution of arbitrary code on the target system.
9.0 | G17-swd01 | CVSS-9.0 (AV:N/AC:L/AU:N/C:C/I:P/A:P) | Generic | This strike sends a series of HTTP requests with parameters containing SQL. Each successive request adds additional encoded characters in an attempt to enumerate whether the target is vulnerable to SQLi attacks. NOTE: This pattern was observed in the wild during March 2017.
7.6 | E17-32m01 | BID-96682, CVE-2017-0094, CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C), MS17-007 | Exploits | This strike exploits a vulnerability in the Microsoft Edge ChakraCore engine. Specifically, if an object that is inherited from proxy is indexed with a symbol, type confusion can occur. The SetPropertyTrap method assumes the returned type to always be a Property String. However, if this object makes calls on a symbol object, type confusion can occur. This can lead to a denial of service condition in the browser, or potentially allow for remote code execution to occur.
4.3 | E17-31n01 | BID-96645, CVE-2017-0059, CVSS-4.3 (AV:N/AC:M/AU:N/C:P/I:N/A:N), GOOGLE-1076, MS17-006 | Exploits | This strike exploits a Use-After-Free vulnerability in Microsoft Internet Explorer. Specifically, when a textarea value is allocated, a CStr object is created and assigned to this value. Later this object is reallocated when a handler method is triggered and the form is reset. It is then possible to call a function that looks for the pointer to the CStr object, but it has already been freed and no longer exists. This results in a Use-After-Free condition, which can lead to a disclosure of memory contents or potentially allow for remote code execution to occur.
4.3 | E17-30x01 | BID-96087, CVE-2017-0033, CVSS-4.3 (AV:N/AC:M/AU:N/C:N/I:P/A:N), MS17-006 | Exploits | This strike exploits a vulnerability that exists in the Microsoft Internet Explorer and Edge browsers. If a request to a URL is made, a check to ensure that the page is not a security error page is performed, and if it is, the BlockedSite warning page will be called. A malicious attacker can utilize the ms-appx-web protocol and make a request to this warning page with his or her own data as parameters to spoof the information presented to the user when the page is displayed. This can lead to a social engineering attack.