Ixia ATI Update ATI-2020-03 (379359)

Enhancements

Ticket Info
ATIBPS-16452 Added the missing Smart Strike Lists (Strike Level 1-3) for 2020.

New Protocols & Applications (2)

Name Category Info
AppDynamics Feb20 Enterprise Applications Simulates the use of the AppDynamics website as of February 2020. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time.
Splunk Jan20 Distributed Computing Simulates the use of Splunk as of January 2020. Splunk is a software platform used for monitoring, searching, analyzing and visualizing machine-generated data (logs) in real time. It can monitor and read different types of log files and stores the data as events in indexers. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time.

New Super Flows (10)

Name Category Info
AppDynamics Feb20 Enterprise Applications Simulates the use of the AppDynamics website as of February 2020. The user signs in, goes to the controller, creates an application and a dashboard, and then signs out.
AppDynamics Feb20 Bandwidth Enterprise Applications Simulates the use of the AppDynamics website as of February 2020. The parameters here are set for high bandwidth that could be used in Sandvine profiles. The user signs in, goes to the controller, creates an application and a dashboard, and then signs out.
AppDynamics Feb20 Create Application Enterprise Applications Simulates the use of the AppDynamics website as of February 2020. The user signs in, goes to the controller, creates an application and then signs out.
AppDynamics Feb20 Create Dashboard Enterprise Applications Simulates the use of the AppDynamics website as of February 2020. The user signs in, goes to the controller, creates a dashboard and then signs out.
Dropbox Nov17 Bandwidth Data Transfer/File Sharing Simulates the use of the Dropbox website as of November 2017. All of the available actions for this flow are exercised.
Service-Now May 18 Bandwidth Enterprise Applications Simulates the use of Service-Now as of May 2018. The user logs in, views an incident, reports an incident and logs out.
SMBv2 Bandwidth Data Transfer/File Sharing Simulates an SMBv2 session in which the client authenticates and connects to the server to request and download a file. The parameters here are set for high bandwidth that could be used in Sandvine profiles.
Splunk Jan 20 Distributed Computing Simulates the use of Splunk as of January 2020. The user signs in, uploads a log, searches for a log, and signs out.
Splunk Jan 20 Search Log Distributed Computing Simulates the use of Splunk as of January 2020. The user signs in, searches for a log and signs out.
Splunk Jan 20 Upload Log Distributed Computing Simulates the use of Splunk as of January 2020. The user signs in, uploads a log and signs out.

New Application Profiles (2)

Name Info
Healthcare Industry Traffic Mix A traffic distribution profile constructed with the top applications seen in the health care industry. The traffic mix includes SMBv2, HTTP, MSSQL and Facebook.
Media and Entertainment Industry Traffic Distribution A traffic distribution profile constructed with the top applications seen in the media and entertainment industry. The traffic mix includes HTTP, Syslog, Oracle and Raw.

New Strikes (7)

CVSS ID References Category Info
10.0 E20-140f1 CVE-2020-7247
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
CVSSV3-9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOITDB-47984
Exploits A remote command injection vulnerability exists in OpenSMTPD after commit a8e222352f and before version 6.6.2. The vulnerability is due to lack of user input sanitization when processing 'MAIL FROM' commands. A successful attack may lead to remote command execution with the privileges of the user running the OpenSMTPD service.
10.0 E20-0yw11 CVE-2020-0609
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
CVSSV3-9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploits This strike replicates an attack known as Bluegate against Remote Desktop Gateway (RDG), exploiting a heap buffer overflow. The flaw is due to unsanitized index parameters when parsing large UDP packets. Successful exploitation allows the attacker to execute arbitrary code on the target system with the privileges of the user running the RDG daemon. NOTE: Normally, a connection to the RDG is established through DTLS (Datagram TLS), and after the initial handshake the entire conversation is encrypted. To showcase the actual malicious bytestream, the strike is implemented so that the exchange is presented in plaintext, without any encryption.
9.0 E20-7u391 CVE-2019-19509
CVSS-9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C)
CVSSV3-8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploits An OS command injection vulnerability exists in rConfig 3.9.3 and prior versions because user-supplied data is not sanitized. The parameter processed in 'ajaxArchiveFiles.php' is used as a command line argument within a privileged command. By sending a crafted 'path' parameter to the '/lib/ajaxHandlers/ajaxArchiveFiles.php' path, a remote authenticated attacker may execute arbitrary OS commands as a superuser.
7.5 E20-7slf1 CVE-2019-17571
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
CVSSV3-9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploits An untrusted deserialization vulnerability exists in Apache Log4j versions 1.2 up to 1.2.17. The vulnerability is due to the lack of class filtering in the SocketServer and SocketNode classes. By sending a crafted serialized Java object, a remote unauthenticated attacker may execute arbitrary code on the target system.
6.8 E20-0xic1 CVE-2019-8820
CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P)
CVSSV3-8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
GOOGLE-1924
Exploits This strike exploits a vulnerability in Apple WebKit. Specifically, an attacker can craft JavaScript in such a way that, when arguments objects are reconstructed, type confusion can occur, leading to a denial of service in the browser.
6.8 E20-0xgt1 CVE-2019-8765
CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P)
CVSSV3-8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
GOOGLE-1915
Exploits This strike exploits a vulnerability in Apple WebKit. Specifically, an attacker can craft JavaScript in such a way that, when the GetterSetter is modified, type confusion can occur, leading to a denial of service in the browser.
4.3 E20-0xgs1 CVE-2019-8764
CVSS-4.3 (AV:N/AC:M/AU:N/C:N/I:P/A:N)
CVSSV3-6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
GOOGLE-1914
Exploits This strike exploits a vulnerability in Apple WebKit. Specifically, an attacker can craft JavaScript in such a way that a cross-origin object is placed into the prototype chain of a regular object, triggering the invocation of a cross-origin setter. If this raises an exception, the exception can potentially be leaked, allowing access to another window's function constructor and turning the flaw into a UXSS attack.

Defects Resolved

Ticket Info
ATIBPS-16455 Fixed the Youtube Dec18 Bandwidth super flow by disabling TLS on each flow.
ATIBPS-16459 Fixed the E19-0pm31 metadata with the correct strike direction.
ATIBPS-16460 Fixed the E19-0ply1 metadata with the correct strike direction.