Ixia ATI Update 2018-06 (327112)

Defects Resolved

Ticket Info
DE8360 Strikes using SSL now close the connection correctly with a four-way FIN when run back-to-back.
DE8582 Stopped duplicate addition of sockets into the session tracking array, which had prevented some strikes from running correctly with SSL evasions enabled.
DE8920 Fixed a defect causing duplication of "Content-Type" header in SMTP and HTTP multipart-mime messages.

Enhancements

Ticket Info
US80591 Two extra superflows were added that use TLS actions and implement the encrypted variant of RTMP, RTMPS: BreakingPoint RTMPS Audio Data 1K and BreakingPoint RTMPS Audio Data 127K.
US83160 Add tag 'Proxy' to superflow Facebook.
US83536 'Youtube September 2016' superflows were changed to support Proxy scenarios and the SNI field in TLS handshakes.
US83543 'Google Map' superflows were changed to support Proxy scenarios and the SNI field in TLS handshakes.

New Super Flows (3)

Name Category Info
HTTPS Simulated Vine with Client and Server Exchange Application Data Social Networking/Search Simulates the HTTPS sessions of Vine, a short-form video sharing service, with the client exchanging TLS application data with the server.
RTMPS Audio Data 127K Voice/Video/Media A server sends 127 KB of audio stream data to the client. The stream is TLS encrypted.
RTMPS Audio Data 1K Voice/Video/Media A server sends 926 bytes of audio stream data to the client. The stream is TLS encrypted.

New Strikes (19)

CVSS ID References Category Info
10.0 E12-zaxd1 BID-56457
CVE-2012-2897
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
Exploits This strike exploits a vulnerability in the Windows Kernel-Mode driver caused by improper handling of memory objects while parsing TrueType fonts. A remote attacker could exploit the vulnerability to execute arbitrary code or cause a denial of service by enticing a user to open a specially crafted TrueType file.
10.0 E18-0mrp1 BID-102994
CVE-2018-4901
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
SECURITYTRACKER-1040364
URL
Exploits This strike exploits a stack overflow vulnerability in Adobe Acrobat Reader and Adobe Reader. The vulnerability is due to a computation that writes data past the end of the intended buffer. Successful exploitation may corrupt sensitive data or execute arbitrary code.
9.3 E18-0oj71 CVE-2018-7187
CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)
Exploits This strike exploits a command execution vulnerability in the Google Go (golang) client. The vulnerability is due to insufficient sanitization of user input by the "go get" command. A remote attacker can entice the client to run "go get" on a malicious URL; successful exploitation results in command injection in the context of the target user.
9.3 E17-3hd91 BID-102140
CVE-2017-16397
CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)
URL
ZDI-18-177
Exploits This strike exploits an integer overflow vulnerability in Adobe Acrobat Reader ImageConversion component. The vulnerability is due to improper parsing of EMR_STRETCHDIBITS data records in an EMF file. Successful exploitation may result in execution of arbitrary code with user privileges. Failure to exploit will not typically result in a crash.
7.8 E18-0owa1 CVE-2018-7658
CVSS-7.8 (AV:N/AC:L/AU:N/C:N/I:N/A:C)
URL
Exploits This strike exploits a denial of service vulnerability in Softros Network Time System service. The vulnerability is due to improper length validation of user input on port 7001. By exploiting this vulnerability, a remote, unauthenticated attacker could cause a Denial of Service against the target process.
7.8 E18-0ou71 CVE-2018-7583
CVSS-7.8 (AV:N/AC:L/AU:N/C:N/I:N/A:C)
EXPLOITDB-44222
Exploits This strike exploits a buffer-overflow vulnerability in DualDesk Proxy component. The vulnerability is due to improper length validation of user input on port 5500. By exploiting this vulnerability, a remote, unauthenticated attacker could cause a Denial of Service against the target process.
7.6 E18-3dwu3 BID-102089
CVE-2017-11918
CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C)
EXPLOITDB-43469
GOOGLE-1396
Exploits This strike exploits a vulnerability in the Microsoft Edge browser. Specifically, the vulnerability exists in the Chakra JavaScript engine. It is possible to write JavaScript in such a way that newly created variables pass escape analysis and are allocated on the stack. This then allows uninitialized stack values to be dereferenced. This may lead to a denial of service condition in the browser, or potentially remote code execution.
7.6 E18-3dwq1 BID-102088
CVE-2017-11914
CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C)
EXPLOITDB-43713
GOOGLE-1403
Exploits This strike exploits a vulnerability in the Microsoft Edge browser. Specifically, the vulnerability exists in the Chakra JavaScript engine. It is possible to write JavaScript in such a way that the scriptFunction is exposed to the user as 'this' when the length property is read. When this happens, type confusion occurs. This may lead to a denial of service condition in the browser, or potentially remote code execution.
7.6 E18-3dwn1 BID-102087
CVE-2017-11911
CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C)
EXPLOITDB-43468
GOOGLE-1385
Exploits This strike exploits a vulnerability in the Microsoft Edge browser. Specifically, the vulnerability exists in the Chakra JavaScript engine. It is possible to write JavaScript in such a way that an out-of-bounds read occurs in ASM.js. This may lead to a denial of service condition in the browser, or potentially remote code execution.
7.5 E18-0nmw1 CVE-2018-6024
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
EXPLOITDB-44124
SCIP-113556
Exploits This strike exploits an SQL injection vulnerability in the Project Log 1.5.3 component for Joomla!. The vulnerability is due to improper sanitization of requests sent to the application. An attacker could exploit this by sending specially crafted requests, potentially resulting in the execution of SQL commands, which may lead to information disclosure.
7.5 E18-0nm11 CVE-2018-5993
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
EXPLOITDB-44106
SCIP-113529
Exploits This strike exploits an SQL injection vulnerability in the Aist component for Joomla!. The vulnerability is due to improper sanitization of requests sent to the application. An attacker could exploit this by sending specially crafted requests, potentially resulting in the execution of SQL commands, which may lead to information disclosure.
7.5 E17-3i5n1 CVE-2017-17419
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
ZDI-17-984
Exploits This strike exploits an SQL injection vulnerability in the Quest NetVault Backup appliance. The vulnerability is due to insufficient validation of user-supplied input within the Server Process Manager Service. Successful exploitation can result in disclosure of database contents without authentication via a specially crafted HTTP GET request.
7.5 E18-0ob01 CVE-2018-6892
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
EXPLOITDB-44027
EXPLOITDB-44175
URL
Exploits This strike exploits a buffer overflow vulnerability in CloudMe Sync software. The vulnerability is due to improper length validation of user input on port 8888. A remote, unauthenticated attacker can run arbitrary code on the target system by sending a specially crafted payload to the listening port. Note: When run in one-arm mode against a Windows 7 SP1 x86 system, the CloudMe Sync process will crash and calc.exe will be launched.
7.5 E18-matp1 BID-103049
CVE-2018-6789
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
SECURITYTRACKER-1040461
URL
Exploits This strike exploits a heap overflow vulnerability in the base64 decoding function of the Exim SMTP listener. The vulnerability is due to improper handling of malformed base64 strings. A remote attacker can connect to the SMTP service and send a specially crafted SMTP authentication message.
7.5 E17-3h0o1 BID-102079
CVE-2017-15944
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
EXPLOITDB-43342
URL
Exploits This strike exploits a management interface authentication bypass vulnerability in Palo Alto Networks PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, and PAN-OS 7.1.13 and earlier. Note: A remote user can chain a combination of vulnerabilities in the management interface to execute arbitrary commands on the target system with root privileges. This strike simulates only the panAuthCheck authentication bypass.
6.8 E18-0l0s1 BID-102560
CVE-2018-2636
CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P)
EXPLOITDB-43960
URL
Exploits This strike exploits a path traversal vulnerability in the ProcessDimeRequest module on the Oracle Hospitality Simphony application. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted HTTP request to the target server. Successful exploitation results in the disclosure of arbitrary file contents from the target server.
6.0 E18-0nsm1 CVE-2018-6230
CVSS-6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
EXPLOITDB-44166
URL
Exploits This strike exploits an SQL injection vulnerability in Trend Micro Email Encryption Gateway. The vulnerability is due to improper sanitization of the search string sent to the searchEmail.jsp script. An attacker could exploit this by sending specially crafted requests, potentially resulting in the execution of SQL commands, which may lead to information disclosure, database corruption, denial of service and other impacts.
5.0 E18-08e81 CVE-2016-6272
CVSS-5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)
EXPLOITDB-44098
Exploits This strike exploits an SQL injection vulnerability in Epic Systems Corporation MyChart. The vulnerability is due to improper sanitization of the GET parameter "topic". A remote attacker can read the contents of an XML document containing static display strings, such as field labels, on the target system.
3.5 E17-ma191 BID-101029
CVE-2017-12544
CVSS-3.5 (AV:N/AC:M/AU:S/C:N/I:P/A:N)
SECURITYTRACKER-1039437
URL
Exploits This strike exploits a cross-site scripting vulnerability in HPE System Management Homepage. The vulnerability is due to inadequate input filtering of the "prod" field. By exploiting this vulnerability, an attacker could cause arbitrary script code to be executed in the target user's browser.
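The Exim entry above (E18-matp1, CVE-2018-6789) describes a heap overflow in the SMTP listener's base64 decoder on malformed input. The example below is added here to illustrate the bug class; it is not Exim's code and not part of the original release notes. It assumes the sizing mistake public analysis of that CVE described: computing the output buffer as 3 * (len / 4), which is only correct when the input is padded to a multiple of four characters, so an unpadded 4n+2 or 4n+3 byte string decodes to more bytes than were allocated. The decoder, helper names and test vectors are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Under-allocating size estimate (illustrative, not Exim's code): it
 * assumes padded input, so a string of length 4n+2 or 4n+3 gets 3n bytes
 * of space while the decode produces 3n+1 or 3n+2 bytes. */
size_t b64_size_unsafe(size_t in_len)
{
    return 3 * (in_len / 4);
}

/* Safe upper bound: round the input length up to a multiple of four first. */
size_t b64_size_safe(size_t in_len)
{
    return 3 * ((in_len + 3) / 4);
}

static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Bounds-checked decoder. Accepts unpadded input (two or three trailing
 * characters), stops at '=' padding, rejects invalid characters and a
 * single dangling character (6 bits cannot form a byte). Returns the
 * number of bytes written, or -1 if the input is malformed or would not
 * fit in out_cap bytes. Dropping the out_cap check while sizing the buffer
 * with b64_size_unsafe() is exactly the overflow pattern. */
long b64_decode(const char *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;

    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == '=') break;
        int v = b64_val((unsigned char)in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -1;      /* the missing check */
            out[n++] = (uint8_t)((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1;          /* keep only unconsumed bits */
        }
    }
    if (bits >= 6) return -1;                 /* one leftover character */
    return (long)n;
}

/* Returns 1 if a buffer sized with b64_size_unsafe() would be too small for
 * this input (i.e. an unchecked decode would write past it), 0 if it fits,
 * -1 if the input is malformed. */
int unsafe_size_overflows(const char *in)
{
    uint8_t buf[64];
    size_t len = strlen(in);
    long n = b64_decode(in, len, buf, sizeof buf);
    if (n < 0) return -1;
    return (size_t)n > b64_size_unsafe(len);
}

int main(void)
{
    /* Constructed inputs: "QUJD" = "ABC" (padded length), "QUJDREU" = "ABCDE"
     * sent without its trailing '=' as a malformed client might. */
    const char *samples[] = { "QUJD", "QUJDRA", "QUJDREU" };
    for (size_t i = 0; i < 3; i++) {
        size_t len = strlen(samples[i]);
        printf("%-8s unsafe=%zu safe=%zu overflows=%d\n", samples[i],
               b64_size_unsafe(len), b64_size_safe(len),
               unsafe_size_overflows(samples[i]));
    }
    return 0;
}
```

The defensive points are the two that matter for any decoder fed by an unauthenticated network peer: size the output from an upper bound that does not assume well-formed input, and bounds-check every write regardless of how the buffer was sized.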