Multiple vendor content scanning engine Unicode security bypass

multiple-scanengine-unicode-security-bypass (34277). The risk level is classified as Low Risk.

Description:

The Cisco Intrusion Prevention System (IPS), Cisco IOS with Firewall/IPS, 3COM TippingPoint IPS, Novell Access Manager, and various other vendor content scanning systems could allow a remote attacker to bypass security restrictions. A remote attacker could exploit this vulnerability by sending a specially crafted full-width or half-width Unicode-encoded HTTP request to bypass content scanning and possibly gain unauthorized access to the protected network or system.
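
The scanner-side check that closes this gap, as an added example (not code from this advisory or from any vendor's product): percent-decode the request target, fold full-width/half-width forms with Unicode NFKC normalization, and only then apply the signature. The signature, the sample request targets and the function name are assumptions constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import unquote

# Unicode "Halfwidth and Fullwidth Forms" block (U+FF00 to U+FFEF).
WIDTH_VARIANTS = re.compile(r"[\uFF00-\uFFEF]")

# Hypothetical content-scanning signature (assumption, not a vendor rule).
SIGNATURE = re.compile(r"<script", re.IGNORECASE)

# Constructed sample request targets. The second one carries the angle
# brackets as UTF-8 percent-encoded full-width forms (U+FF1C and U+FF1E).
SAMPLE_PLAIN = "/search?q=%3Cscript%3E"
SAMPLE_FULLWIDTH = "/search?q=%EF%BC%9Cscript%EF%BC%9E"


def inspect_target(raw_target: str) -> dict:
    """Scan one HTTP request target before and after width normalization."""
    decoded = unquote(raw_target, encoding="utf-8", errors="replace")
    # NFKC maps full-width/half-width compatibility forms to base characters.
    normalized = unicodedata.normalize("NFKC", decoded)
    naive = bool(SIGNATURE.search(decoded))
    hardened = bool(SIGNATURE.search(normalized))
    return {
        "has_width_variants": bool(WIDTH_VARIANTS.search(decoded)),
        "naive_match": naive,            # what an unpatched scanner sees
        "normalized_match": hardened,    # what a normalizing scanner sees
        "evasion_suspected": hardened and not naive,
        "normalized": normalized,
    }


if __name__ == "__main__":
    for target in (SAMPLE_PLAIN, SAMPLE_FULLWIDTH):
        print(target, inspect_target(target))
```

A signature that matches only after normalization is worth alerting on in its own right, since ordinary clients rarely send width variants of ASCII punctuation in a request target.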

*CVSS:

Base Score: 3.5
  Access Vector: Remote
  Access Complexity: Low
  Authentication: Not Required
  Confidentiality Impact: None
  Integrity Impact: Partial
  Availability Impact: None
 
Temporal Score: 2.6
  Exploitability: Unproven
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Consequences:

Bypass Security

Remedy:

Refer to McAfee Security Bulletin 612970 for patch, upgrade, or suggested workaround information. See References.

For 3COM TippingPoint IPS:
Upgrade to the latest Digital Vaccine (DV 7287 or later), available from TippingPoint's Threat Management Center.

For Novell Access Manager:
Upgrade to the latest version of Novell Access Manager (3.0 SP1 RC1 or later), available from the Novell Web site, June 28, 2007. See References.

Refer to Novell Security Alert Document ID: 3193302 for patch, upgrade, or suggested workaround information. See References.

For SecureSphere MX Management Server:
Refer to the Salesforce Website for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

  • 3COM-07-001: TippingPoint IPS Unicode Evasion.
  • BugTraq Mailing List, Tue May 15 2007 - 01:36:24 CDT : GS07-01 Full-Width and Half-Width Unicode Encoding IDS/IPS/WAF Bypass Vulnerability.
  • cisco-sr-20070514-unicode: Cisco Security Response: HTTP Full-Width and Half-Width Unicode Encoding Evasion.
  • GamaLAB Security Advisory GS07-01: Full-Width and Half-Width Unicode Encoding IDS/IPS/WAF Bypass Vulnerability.
  • McAfee Security Bulletin 612970: IntruShield signature prevents published full/half width Unicode character obfuscation technique.
  • Novell Security Alert Document ID: 3193302: Security concerns scanning full-width/half-width Unicode encoded traffic.
  • Novell Web site, June 28, 2007: Novell Access Manager 3.0 SP1 Release Candidate 1 Readme.
  • Salesforce Web site: Imperva Security Response for VU#739224.
  • Stonesoft Information for VU#739224: Stonesoft StoneGate IPS unicode bypass.
  • Stonesoft Web site: IPS Software Solutions.
  • BID-23980: Multiple Products Full/Half Width Unicode Detection Evasion Vulnerability
  • BID-25568: Multiple Novell Content Scanning Systems Full-Width/Half-Width Unicode Scan Bypass Vulnerability
  • CVE-2007-2688: The Cisco Intrusion Prevention System (IPS) and IOS with Firewall/IPS Feature Set do not properly handle certain full-width and half-width Unicode character encodings, which might allow remote attackers to evade detection of HTTP traffic.
  • CVE-2007-2689: Check Point Web Intelligence does not properly handle certain full-width and half-width Unicode character encodings, which might allow remote attackers to evade detection of HTTP traffic.
  • CVE-2007-2690: Multiple IBM ISS Proventia Series products, including the A, G, and M series, do not properly handle certain full-width and half-width Unicode character encodings, which might allow remote attackers to evade detection of HTTP traffic.
  • CVE-2007-2734: The 3Com TippingPoint IPS do not properly handle certain full-width and half-width Unicode character encodings in an HTTP POST request, which might allow remote attackers to evade detection of HTTP traffic.
  • CVE-2007-3570: The Linux Access Gateway in Novell Access Manager before 3.0 SP1 Release Candidate 1 (RC1) allows remote attackers to bypass unspecified security controls via Fullwidth/Halfwidth Unicode encoded data in a HTTP POST request.
  • CVE-2007-5793: Stonesoft StoneGate IPS before 4.0 does not properly decode Fullwidth/Halfwidth Unicode encoded data, which makes it easier for remote attackers to scan or penetrate systems and avoid detection.
  • OSVDB ID: 35336: Cisco Multiple Product HTTP Unicode Encoding Detection Bypass
  • SA25285: Cisco Products HTTP Unicode Encoding Detection Bypass
  • SA25302: 3Com TippingPoint IPS HTTP Unicode Encoding Detection Bypass
  • SA26692: Novell iChain HTTP Unicode Encoding Detection Bypass
  • SA26695: Novell Access Manager HTTP Unicode Encoding Detection Bypass
  • SA26698: Novell BorderManager Unicode Encoding Detection Bypass
  • SA27455: Stonesoft StoneGate IPS HTTP Unicode Encoding Detection Bypass
  • SECTRACK ID: 1018053: Cisco IOS Firewall/IPS Feature Set Lets Remote Users Evade Detection With Certain Character Encodings
  • SECTRACK ID: 1018054: Cisco Intrusion Prevention System Lets Remote Users Evade Detection With Certain Character Encodings
  • SECTRACK ID: 1018067: Check Point Web Intelligence Lets Remote Users Evade Detection With Certain Character Encodings
  • SECTRACK ID: 1018068: Proventia Lets Remote Users Evade Detection With Certain Character Encodings
  • US-CERT VU#739224: HTTP content scanning systems full-width/half-width Unicode encoding bypass
  • VUPEN/ADV-2007-1803: Cisco IPS Full/Half Width Unicode Characters Handling Detection Evasion Vulnerability
  • VUPEN/ADV-2007-1817: 3Com TippingPoint IPS Products Unicode Characters Detection Evasion Vulnerability
  • VUPEN/ADV-2007-2390: Novell Access Manager Fullwidth/Halfwidth Unicode Data Security Bypass Vulnerability
  • VUPEN/ADV-2007-2757: Stonesoft StoneGate IPS Fullwidth/Halfwidth Unicode Data Security Bypass Issue
  • VUPEN/ADV-2007-3075: Novell Products Fullwidth/Halfwidth Unicode Data Security Bypass Vulnerability

Platforms Affected:

  • 3Com TippingPoint 200
  • 3Com TippingPoint 200E
  • 3Com TippingPoint 2400E
  • 3Com TippingPoint 50
  • 3Com TippingPoint 5000E
  • 3Com TippingPoint 600E
  • 3Com TippingPoint IMS X505
  • 3Com TippingPoint IMS X506
  • CheckPoint Web Intelligence
  • Cisco Intrusion Prevention System 4.0
  • Cisco Intrusion Prevention System 5.0(1)
  • Cisco Intrusion Prevention System 5.0(2)
  • Cisco Intrusion Prevention System 5.0(6)P1
  • Cisco Intrusion Prevention System 5.1(1)
  • Cisco Intrusion Prevention System 5.1(1A)
  • Cisco Intrusion Prevention System 5.1(1B)
  • Cisco Intrusion Prevention System 5.1(1C)
  • Cisco Intrusion Prevention System 5.1(1D)
  • Cisco Intrusion Prevention System 5.1(1E)
  • Cisco Intrusion Prevention System 5.1(8)
  • Cisco Intrusion Prevention System 5.1(P1)
  • Cisco IOS 10.0
  • Cisco IOS 11.1CC
  • Cisco IOS 11.3
  • Cisco IOS 12.0
  • Cisco IOS 12.0S
  • Cisco IOS 12.0ST
  • Cisco IOS 12.0T
  • Cisco IOS 12.1
  • Cisco IOS 12.1E
  • Cisco IOS 12.1T
  • Cisco IOS 12.2
  • Cisco IOS 12.2T
  • IBM ISS Proventia Network IDS
  • IBM ISS Proventia Network MFS
  • IBM ISS Proventia-G 1.1 and earlier
  • Imperva SecureSphere MX Management Server
  • McAfee IntruShield Sensor Software 2.1
  • McAfee IntruShield Sensor Software 3.1
  • Novell Access Manager 3 SP1
  • Novell Access Manager 3
  • Novell BorderManager 3.8
  • Novell iChain 2.3
  • StoneSoft StoneGate Firewall prior to 4.0
  • StoneSoft StoneGate IPS 4.0

Reported:

May 14, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net


* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.