Multiple vendor content scanning engine Unicode security bypass

multiple-scanengine-unicode-security-bypass (34277)

Low Risk

Description:

The Cisco Intrusion Prevention System (IPS), Cisco IOS with Firewall/IPS, and 3COM TippingPoint IPS, Novell Access Manager, and various other vendor content scanning systems could allow a remote attacker to bypass security restrictions. A remote attacker could exploit this vulnerability by sending a specially-crafted full-width or half-width Unicode-encoded HTTP request to bypass content scanning and possibly gain unauthorized access to the protected network or system.

Platforms Affected:

• 3Com, TippingPoint 200
• 3Com, TippingPoint 200E
• 3Com, TippingPoint 2400E
• 3Com, TippingPoint 50
• 3Com, TippingPoint 5000E
• 3Com, TippingPoint 600E
• 3Com, TippingPoint IMS X505
• 3Com, TippingPoint IMS X506
• CheckPoint, Web Intelligence
• Cisco, Intrusion Prevention System 4.0
• Cisco, Intrusion Prevention System 5.0(1)
• Cisco, Intrusion Prevention System 5.0(2)
• Cisco, Intrusion Prevention System 5.0(6)P1
• Cisco, Intrusion Prevention System 5.1(1)
• Cisco, Intrusion Prevention System 5.1(1A)
• Cisco, Intrusion Prevention System 5.1(1B)
• Cisco, Intrusion Prevention System 5.1(1C)
• Cisco, Intrusion Prevention System 5.1(1D)
• Cisco, Intrusion Prevention System 5.1(1E)
• Cisco, Intrusion Prevention System 5.1(8)
• Cisco, Intrusion Prevention System 5.1(P1)
• Cisco, IOS 10.0
• Cisco, IOS 11.1CC
• Cisco, IOS 11.3
• Cisco, IOS 12.0
• Cisco, IOS 12.0S
• Cisco, IOS 12.0ST
• Cisco, IOS 12.0T
• Cisco, IOS 12.1
• Cisco, IOS 12.1E
• Cisco, IOS 12.1T
• Cisco, IOS 12.2
• Cisco, IOS 12.2T
• IBM, ISS Proventia Network IDS
• IBM, ISS Proventia Network MFS
• IBM, ISS Proventia-G 1.1 and earlier
• Imperva, SecureSphere MX Management Server
• McAfee, IntruShield Sensor Software 2.1
• McAfee, IntruShield Sensor Software 3.1
• Novell, Access Manager 3 SP1
• Novell, Access Manager 3
• Novell, BorderManager 3.8
• Novell, iChain 2.3
• StoneSoft, StoneGate Firewall prior to 4.0
• StoneSoft, StoneGate IPS 4.0

Remedy:

Refer to McAfee Security Bulletin 612970 for patch, upgrade, or suggested workaround information. See References.

For 3COM TippingPoint IPS:
Upgrade to the latest Digital Vaccine (DV 7287 or later), available from TippingPoint's Threat Management Center.

For Novell Access Manager:
Upgrade to the latest version of Novell Access Manager (3.0 SP1 RC1 or later), available from the Novell Web site, June 28, 2007. See References.

Refer to Novell Security Alert Document ID: 3193302 for patch, upgrade, or suggested workaround information. See References.

For SecureSphere MX Management Server:
Refer to the Salesforce Website for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Bypass Security

References:

• 3COM-07-001 , TippingPoint¿ IPS Unicode Evasion at http://www.3com.com/securityalert/alerts/3COM-07-001.html.
• BugTraq Mailing List, Tue May 15 2007 - 01:36:24 CDT , GS07-01 Full-Width and Half-Width Unicode Encoding IDS/IPS/WAF Bypass Vulnerability at http://archives.neohapsis.com/archives/bugtraq/2007-05/0218.html.
• cisco-sr-20070514-unicode, Cisco Security Response: HTTP Full-Width and Half-Width Unicode Encoding Evasion at http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml.
• GamaLAB Security Advisory GS07-01, Full-Width and Half-Width Unicode Encoding IDS/IPS/WAF Bypass Vulnerability at http://www.gamasec.net/english/gs07-01.html.
• McAfee Security Bulletin 612970, IntruShield signature prevents published full/half width Unicode character obfuscation technique at https://knowledge.mcafee.com/article/763/612970_f.SAL_Public.html.
• Novell Security Alert Document ID: 3193302, Security concerns scanning full-width/half-width Unicode encoded traffic at https://secure-support.novell.com/KanisaPlatform/Publishing/539/3193302_f.SAL_Public.html.
• Novell Web site, June 28, 2007, Novell Access Manager 3.0 SP1 Release Candidate 1 Readme at http://www.novell.com/documentation/novellaccessmanager/readme/accessmanager_readme.html.
• Salesforce Web site, Imperva Security Response for VU#739224 at http://emea.salesforce.com/_ui/selfservice/pkb/PublicKnowledgeSolution/d?orgId=00D20000000082L&id=50120000000GmHy&retURL=/sol/public/solutionbrowser.jsp?cid=02n20000000D9R4&orgId=00D20000000082L&ps=1.
• Stonesoft Information for VU#739224, Stonesoft StoneGate IPS unicode bypass at http://www.kb.cert.org/vuls/id/MIMG-72BRKJ.
• Stonesoft Web site, IPS Software Solutions at http://www.stonesoft.com/en/products_and_solutions/products/ips/Certified_Servers/index.html.
• BID-23980: Multiple Products Full/Half Width Unicode Detection Evasion Vulnerability
• BID-25568: Multiple Novell Content Scanning Systems Full-Width/Half-Width Unicode Scan Bypass Vulnerability
• CVE-2007-2688: The Cisco Intrusion Prevention System (IPS) and IOS with Firewall/IPS Feature Set do not properly handle certain full-width and half-width Unicode character encodings, which might allow remote attackers to evade detection of HTTP traffic.
• CVE-2007-2689: Check Point Web Intelligence does not properly handle certain full-width and half-width Unicode character encodings, which might allow remote attackers to evade detection of HTTP traffic.
• CVE-2007-2690: Multiple IBM ISS Proventia Series products, including the A, G, and M series, do not properly handle certain full-width and half-width Unicode character encodings, which might allow remote attackers to evade detection of HTTP traffic.
• CVE-2007-2734: The 3Com TippingPoint IPS do not properly handle certain full-width and half-width Unicode character encodings in an HTTP POST request, which might allow remote attackers to evade detection of HTTP traffic.
• CVE-2007-3570: The Linux Access Gateway in Novell Access Manager before 3.0 SP1 Release Candidate 1 (RC1) allows remote attackers to bypass unspecified security controls via Fullwidth/Halfwidth Unicode encoded data in a HTTP POST request.
• CVE-2007-5793: Stonesoft StoneGate IPS before 4.0 does not properly decode Fullwidth/Halfwidth Unicode encoded data, which makes it easier for remote attackers to scan or penetrate systems and avoid detection.
• OSVDB ID: 35336: Cisco Multiple Product HTTP Unicode Encoding Detection Bypass
• SA25285: Cisco Products HTTP Unicode Encoding Detection Bypass
• SA25302: 3Com TippingPoint IPS HTTP Unicode Encoding Detection Bypass
• SA26692: Novell iChain HTTP Unicode Encoding Detection Bypass
• SA26695: Novell Access Manager HTTP Unicode Encoding Detection Bypass
• SA26698: Novell BorderManager Unicode Encoding Detection Bypass
• SA27455: Stonesoft StoneGate IPS HTTP Unicode Encoding Detection Bypass
• SECTRACK ID: 1018053: Cisco IOS Firewall/IPS Feature Set Lets Remote Users Evade Detection With Certain Character Encodings
• SECTRACK ID: 1018054: Cisco Intrusion Prevention System Lets Remote Users Evade Detection With Certain Character Encodings
• SECTRACK ID: 1018067: Check Point Web Intelligence Lets Remote Users Evade Detection With Certain Character Encodings
• SECTRACK ID: 1018068: Proventia Lets Remote Users Evade Detection With Certain Character Encodings
• US-CERT VU#739224: HTTP content scanning systems full-width/half-width Unicode encoding bypass
• VUPEN/ADV-2007-1803: Cisco IPS Full/Half Width Unicode Characters Handling Detection Evasion Vulnerability
• VUPEN/ADV-2007-1817: 3Com TippingPoint IPS Products Unicode Characters Detection Evasion Vulnerability
• VUPEN/ADV-2007-2390: Novell Access Manager Fullwidth/Halfwidth Unicode Data Security Bypass Vulnerability
• VUPEN/ADV-2007-2757: Stonesoft StoneGate IPS Fullwidth/Halfwidth Unicode Data Security Bypass Issue
• VUPEN/ADV-2007-3075: Novell Products Fullwidth/Halfwidth Unicode Data Security Bypass Vulnerability

Reported:

May 14, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page