Ixia ATI Update ATI-2019-18 (368893)

Defects Resolved

Ticket Info
ATIBPS-16090 Fixed the header type in the server response for CVE-2018-2615.
ATIBPS-16086 Fixed the payload in the command packet sent to the vulnerable server related to CVE-2008-3175. (BUG1520432)
ATIBPS-16085 Fixed the DHCP Options header payload length for CVE-2019-0697. (BUG1520037)
ATIBPS-16080 Fixed the SQL injection query for CVE-2006-0065. (INF1520823)
ATIBPS-16078 Fixed the strike for CVE-2016-8704: the 'extlen' value is now set to 0 in the 'memcached' protocol packets so that the vulnerable code branch is reached. (BUG1519232)
ATIBPS-16077 Fixed the strike for CVE-2018-18557 (race condition when generating dblocks). (INF1519677)
ATIBPS-16054 The strike ms10_024_smtp_dns_transaction_id.xml now includes the question and answer sections so that it more closely resembles a real DNS response. (BUG1520434)

Enhancements

Ticket Info
ATIBPS-10138 Added the NAT tag to 'Spotify Login', 'Spotify Login and Logout' and 'Spotify Login and Play Music' SuperFlows.
ATIBPS-10054 The original DoH SuperFlows are now split by API type, RFC 8484 vs. the JSON API:
  DNS over HTTPS -- based on RFC 8484
  DNS over HTTPS(JSONAPI) -- based on the dns.google JSON API (new SuperFlow)
  DNS over HTTP2 -- based on RFC 8484
  DNS over HTTP2(JSONAPI) -- based on the dns.google JSON API (new SuperFlow)
ATIBPS-9807 Added a new client profile "All Mix" that simulates all supported BreakingPoint User-Agent values.

New Super Flows (2)

Name Category Info
DNS over HTTP2(JSONAPI) System/Network Admin The client sends a DNS query over HTTP/2 to the server. The server replies with an HTTP response that contains a DNS message with a single resolved IP address. The communication is over HTTP/2 and TLS using the JSON API.
DNS over HTTPS(JSONAPI) System/Network Admin The client sends two DNS queries over HTTPS to the server. The server replies to each query with a JSON response. The first reply has a single item in the "Answer" block, meaning the URL has a single resolved IP address. The second reply contains multiple blocks. The communication is over HTTP/1.1 and TLS.

New Strikes (10)

CVSS ID References Category Info
10.0 E19-5pn61 CVE-2018-20434
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
EXPLOITDB-47044
Exploits A remote code execution vulnerability exists in LibreNMS versions prior to 1.46. The vulnerability is the result of improper sanitization when parsing the 'community' HTTP request parameter within 'addhost.inc.php'. An attacker can thus send specially crafted HTTP requests that could lead to execution of arbitrary commands on the target server.
9.0 E19-0uuy1 CVE-2019-5386
CVSS-9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
URL
Exploits This strike exploits a remote code execution vulnerability in the HPE Intelligent Management Center. The vulnerability is due to improper sanitization of the user-supplied "beanName" input, which is passed to the application via the IccSelectDevTypeBean class. A remote authenticated attacker can exploit this vulnerability by sending a crafted request to the target server. Successful exploitation results in remote code execution on the target server with SYSTEM privileges.
9.0 E19-7qmt1 CVE-2019-15029
CVSS-9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C)
URL
Exploits An OS command injection exists in FusionPBX 4.4.8 due to lack of parameter sanitization while parsing requests to 'service_edit.php'. By exploiting this flaw, an authenticated remote attacker can run arbitrary OS commands on the target system.
7.6 E19-0xep1 CVE-2019-8689
CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C)
GOOGLE-1876
Exploits This strike exploits a vulnerability in Apple Safari WebKit. Specifically, when trying to inline GetByVal operations on stack-allocated arguments, the code fails to properly check whether the index is lower than numberOfArgumentsToSkip. This can lead to an uninitialized variable access, which can cause a denial of service condition in the browser or allow remote code execution to occur.
7.6 E19-0pds1 CVE-2018-8288
CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C)
GOOGLE-1565
Exploits This strike exploits a vulnerability in the Microsoft Edge browser. Specifically, an attacker can craft JavaScript in such a way that the initialization process runs without checking the ImplicitCallFlags. This can cause a denial of service condition in the browser or potentially allow remote code execution to occur.
7.5 E19-7rh31 CVE-2019-16119
CVSS-7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
URL
Exploits This strike exploits a SQL injection vulnerability in the WordPress plugin Photo Gallery. The vulnerability is due to improper sanitization of the album_id parameter. By successfully exploiting this vulnerability, an authenticated attacker could perform SQL injection on the target server.
6.5 E19-7nxv1 BID-108073
CVE-2019-11539
CVSS-6.5 (AV:N/AC:L/AU:S/C:P/I:P/A:P)
URL
Exploits A command injection vulnerability exists in Pulse Connect Secure due to insufficient parameter sanitization. The vulnerability resides in the '/dana-admin/diag/diag.cgi' endpoint and can be exploited by crafting the 'options' parameter in order to create a template file which contains Perl directives. By exploiting the flaw, a remote authenticated attacker may execute arbitrary commands on the target system.
5.8 E19-7p0a1 CVE-2019-12922
CVSS-5.8 (AV:N/AC:M/AU:N/C:N/I:P/A:P)
URL
Exploits This strike simulates a CSRF attack on phpMyAdmin. The flaw is the result of no anti-CSRF technique being employed on the setup page. A remote attacker may entice a phpMyAdmin user to make a request to a crafted URL, leading to the removal of arbitrary servers from the phpMyAdmin configuration.
4.3 E19-0w6u1 CVE-2019-7110
CVSS-4.3 (AV:N/AC:M/AU:N/C:P/I:N/A:N)
URL
Exploits An out-of-bounds read vulnerability has been reported in Adobe Acrobat due to improper handling of JOBOPTIONS files. A remote attacker could exploit this vulnerability by enticing a user to open a maliciously crafted one-byte JOBOPTIONS file. Successful exploitation could lead to information disclosure.
4.0 E19-0trj1 CVE-2019-3967
CVSS-4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
URL
Exploits This strike exploits a directory traversal vulnerability in OpenEMR. The vulnerability is due to improper sanitization of the "form_filename" parameter. By successfully exploiting this vulnerability, a remote, unauthenticated attacker could retrieve arbitrary files from the target server.