Ixia ATI Update ATI-2020-11 (388154)

Enhancements

Ticket Info
ATIBPS-16694 The following strikes have had their descriptions updated to more specifically reflect what the traffic they simulate is and is not:
andariel_2019_main_command_and_control.xml
andariel_2019_proto_command_and_control.xml
andariel_2019_shellcode_command_and_control.xml

New Protocols & Applications (2)

Name Category Info
GRPC Remote Access gRPC is a modern open source, high performance RPC framework that can run in any environment. It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication. It is also applicable in the last mile of distributed computing, connecting devices, mobile applications and browsers to backend services.
Jira May20 Enterprise Applications Jira Software is part of a family of products designed to help teams of all types manage work. Originally, Jira was designed as a bug and issue tracker, but today it has evolved into a powerful work management tool for all kinds of use cases, from requirements and test case management to agile software development.

New Super Flows (23)

Name Category Info
Google Cache Bandwidth Social Networking/Search The user performs a search, accesses the cached version of the page and then directly queries Google for the cached version of another page by accessing webcache.googleusercontent.com.
Jira May20 Enterprise Applications Simulates the use of Jira software as of May 2020. The user gets the login page, logs in to Jira, creates a project, creates a story, adds a comment to that story, changes the status of the story to closed and logs out.
Jira Create Story May20 Enterprise Applications Simulates the use of Jira software as of May 2020. The user gets the login page, logs in to Jira, creates a story, adds a comment to that story and logs out.
Jira Create Project May20 Enterprise Applications Simulates the use of Jira software as of May 2020. The user gets the login page, logs in to Jira, creates a project and logs out.
gRPC POST Response 200 GetPresence Remote Access This simulates a gRPC exchange between a client that sends a byte string and a server that returns a true or false result.
gRPC POST Response 200 HelloWorld Remote Access This simulates a gRPC exchange between a client that sends a name (string) and a server that replies with a hello message (string).
gRPC POST Response 200 RPC ProcessNumber Remote Access This simulates a gRPC exchange between a client that sends a number (signed int) and a server that processes it and sends back the result (integer).
Static Stream 150 UDP Packets (64B Downlink) UDP IMIX/Testing and Measurement Simulates a stream of 150 64-byte UDP packets sent in the downlink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).
Static Stream 150 UDP Packets (64B Uplink) UDP IMIX/Testing and Measurement Simulates a stream of 150 64-byte UDP packets sent in the uplink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).
Static Stream 150 UDP Packets (128B Downlink) UDP IMIX/Testing and Measurement Simulates a stream of 150 128-byte UDP packets sent in the downlink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).
Static Stream 150 UDP Packets (128B Uplink) UDP IMIX/Testing and Measurement Simulates a stream of 150 128-byte UDP packets sent in the uplink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).
Static Stream 150 UDP Packets (256B Downlink) UDP IMIX/Testing and Measurement Simulates a stream of 150 256-byte UDP packets sent in the downlink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).
Static Stream 150 UDP Packets (256B Uplink) UDP IMIX/Testing and Measurement Simulates a stream of 150 256-byte UDP packets sent in the uplink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).
Static Stream 150 UDP Packets (512B Downlink) UDP IMIX/Testing and Measurement Simulates a stream of 150 512-byte UDP packets sent in the downlink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).
Static Stream 150 UDP Packets (512B Uplink) UDP IMIX/Testing and Measurement Simulates a stream of 150 512-byte UDP packets sent in the uplink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).
Static Stream 150 UDP Packets (1024B Downlink) UDP IMIX/Testing and Measurement Simulates a stream of 150 1024-byte UDP packets sent in the downlink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).
Static Stream 150 UDP Packets (1024B Uplink) UDP IMIX/Testing and Measurement Simulates a stream of 150 1024-byte UDP packets sent in the uplink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).
Static Stream 150 UDP Packets (1280B Downlink) UDP IMIX/Testing and Measurement Simulates a stream of 150 1280-byte UDP packets sent in the downlink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).
Static Stream 150 UDP Packets (1280B Uplink) UDP IMIX/Testing and Measurement Simulates a stream of 150 1280-byte UDP packets sent in the uplink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).
Static Stream 150 UDP Packets (1518B Downlink) UDP IMIX/Testing and Measurement Simulates a stream of 150 1518-byte UDP packets sent in the downlink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).
Static Stream 150 UDP Packets (1518B Uplink) UDP IMIX/Testing and Measurement Simulates a stream of 150 1518-byte UDP packets sent in the uplink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).
Static Stream 150 UDP Packets (9216B Downlink) UDP IMIX/Testing and Measurement Simulates a stream of 150 9216-byte UDP packets sent in the downlink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).
Static Stream 150 UDP Packets (9216B Uplink) UDP IMIX/Testing and Measurement Simulates a stream of 150 9216-byte UDP packets sent in the uplink direction across a basic switching environment (46 bytes of accumulated L2/3/4 headers).

New Application Profiles (2)

Name Info
Sandvine 2019 EMEA Downstream Added a new app profile that simulates the downstream traffic generated by the top 11 applications reported in the Sandvine Global Internet Phenomena Report September 2019 for the EMEA region.
Sandvine 2019 EMEA Upstream Added a new app profile that simulates the upstream traffic generated by the top 11 applications reported in the Sandvine Global Internet Phenomena Report September 2019 for the EMEA region.

New Tests (1)

Name Info
Maze Ransomware April 2020 Campaign Canned test simulating the Maze Ransomware April 2020 Campaign.

It sends 3 strikes in the following order:

# Strike ID Name Description
1 M20-naq01 Maze Apr 2020 Campaign - Word Malware File Transfer This strike simulates the network transfer of the Maze Ransomware Apr 2020 'Word' pre-loader module.
2 M20-ks601 Maze Apr 2020 Campaign - Maze Malware File Transfer This strike simulates the network transfer of the Maze Ransomware Apr 2020 'Maze' main module once the 'Word' module has been executed.
3 B20-jyu01 Maze Apr 2020 Campaign - Command and Control This strike simulates the Maze Apr 2020 Campaign command and control traffic that occurs after the 'Maze' module has been executed. 1. The victim sends an HTTP POST request with binary data containing host information; the attacker replies with HTTP code 404. 2. The victim sends an HTTP POST request with binary data containing host information; the attacker replies with HTTP code 404.
The first strike sends a malicious Word document with an embedded macro script. The second strike simulates the download of the Maze malware: once a user has opened the document, the Maze malware is downloaded via an HTTP GET request. The third strike performs two Maze command and control POST requests. Both requests carry binary data containing host fingerprint information such as the host name and user name.

New Strikes (8)

CVSS ID References Category Info
10.0 E20-9s251 CVE-2020-10189
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
CVSSV3-9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOITDB-48224
URL
Exploits This strike exploits a Java deserialization vulnerability in Zoho ManageEngine Desktop Central. The vulnerability is in the getChartImage function of the FileStorage class and is due to a lack of proper validation of user-supplied data, which results in deserialization of untrusted data. A remote, unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests to the target server. Successful exploitation results in remote code execution in the context of SYSTEM/root.
7.5 E20-9urh1 CVE-2020-13693
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
CVSSV3-9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
URL
Exploits An authentication bypass vulnerability exists in the bbPress WordPress plugin. The vulnerability is due to a lack of validation on user authorization requests. A remote, unauthorized attacker can exploit this vulnerability by sending a crafted HTTP POST request to the system. Successful exploitation results in the creation of a user with full privileges (the 'Keymaster' role).
7.5 E20-10n81 CVE-2020-2884
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
CVSSV3-9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
URL
Exploits This strike exploits an insecure deserialization vulnerability in Oracle Coherence library, which is used in popular products such as Oracle WebLogic Server. The vulnerability lies in the 'MvelExtractor.class' in the Coherence REST library. The vulnerability is a result of insufficient validation of T3 requests. The server allows deserialization of classes in objects embedded with T3 protocol messages. Successful exploitation leads to remote code execution, in the context of the user running the Oracle WebLogic Service.
7.5 E20-10n71 CVE-2020-2883
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
CVSSV3-9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
URL
ZDI-20-504
ZDI-20-570
Exploits This strike exploits an insecure deserialization vulnerability in Oracle Coherence library, which is used in popular products such as Oracle WebLogic Server. The vulnerability lies in the 'ReflectionExtractor.class' in the Coherence REST library. The vulnerability is a result of insufficient validation of T3 requests. The server allows deserialization of classes in objects embedded with T3 protocol messages. Successful exploitation leads to remote code execution, in the context of the user running the Oracle WebLogic Service.
7.5 E20-0r641 CVE-2019-0604
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
CVSSV3-9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
URL
URL
Exploits This strike exploits an insecure deserialization vulnerability in Microsoft SharePoint. The vulnerability is due to insufficient validation of user-supplied data to 'EntityInstanceIdEncoder' class. A remote, authenticated attacker could exploit this vulnerability by sending maliciously crafted HTTP requests to a target SharePoint server. Successful exploitation of this vulnerability leads to remote code execution on the target SharePoint web application.
6.5 E20-11h01 CVE-2020-3956
CVSS-6.5 (AV:N/AC:L/AU:S/C:P/I:P/A:P)
CVSSV3-8.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
URL
Exploits A command injection vulnerability exists in VMware Cloud Director. The vulnerability is due to a lack of sanitization while parsing input passed to the 'hostname' parameter within the SMTP configuration form. An authenticated attacker can exploit this vulnerability by crafting a malicious HTTP PUT request. Successful exploitation results in full control of the Cloud Director platform.
6.0 E20-13jv1 CVE-2020-6651
CVSS-6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
CVSSV3-7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
URL
ZDI-20-649
Exploits A command injection vulnerability exists in Eaton Intelligent Power Manager 1.67 and prior, due to a lack of user input sanitization. An authenticated remote attacker may execute arbitrary OS commands as a superuser by providing a crafted filename parameter when uploading a configuration file.
5.0 D20-152h1 CVE-2020-8617
CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P)
CVSSV3-7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
URL
Denial A denial of service vulnerability exists in BIND DNS Server versions 9.0.0-9.11.18, 9.12.0-9.12.4-P2, 9.14.0-9.14.11, 9.16.0-9.16.2 and 9.17.0-9.17.1, due to a missing size check on the MAC field when parsing TSIG records. A remote attacker may conduct a denial of service attack by sending a crafted DNS packet, which leads to abnormal process termination due to a failed assertion.

Defects Resolved

Ticket Info
ATIBPS-16697 HTTP POST now supports CSV file types when the content type is multipart/form-data.
ATIBPS-16632 Fixed Strike E19-5lqr1 with a correct jsp payload.
ATIBPS-16501 Fixed keywords for Strike E17-3d6r1.
ATIBPS-16765 Updated keywords for Strike E12-02701.
ATIBPS-16673 Fixed payload generation for Strike E12-3dw01.