[NEWS] Cisco Secure IDS Signature Obfuscation Vulnerability
From: support@securiteam.com
Date: 09/07/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Cisco Secure IDS Signature Obfuscation Vulnerability
Message-Id: <20010907080309.B7280138C0@mail.der-keiler.de>
Date: Fri, 7 Sep 2001 10:03:09 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cisco Secure IDS Signature Obfuscation Vulnerability
------------------------------------------------------------------------
SUMMARY
Intrusion Detection Systems inspect network traffic for suspect or
malicious packet formats, data payloads and traffic patterns. Intrusion
detection systems typically implement an obfuscation defense, ensuring that
suspect packets cannot easily be disguised with UTF and/or hex encoding
to bypass the Intrusion Detection system. Recently, the CodeRed worm
targeted an unpatched vulnerability in many Microsoft IIS systems and
highlighted a different encoding technique supported by Microsoft IIS.
This encoding technique, known as %u encoding, can be used to circumvent
intrusion detection systems, and was made public by eEye Digital Security in
their announcement located at
http://www.securiteam.com/securitynews/5OP011P5FQ.html.
Cisco has corrected this vulnerability in the Cisco Secure Intrusion
Detection System, formerly known as NetRanger, with a service pack that is
now available to customers. This vulnerability also affects the Cisco
Catalyst 6000 Intrusion Detection System Module, and will be repaired in a
service pack for version 3.0, which is not yet released.
DETAILS
Affected Products
The following products are affected:
* Cisco Secure Intrusion Detection System, formerly known as NetRanger,
Sensor component
* Cisco Catalyst 6000 Intrusion Detection System Module
Additionally, selected workarounds for filtering the CodeRed worm exploit,
such as the use of NBAR or the Cisco Cache Engine, will not detect
%u-encoded attack obfuscation unless specifically configured for every
possible encoding variation.
The Cisco Secure Intrusion Detection System Director for both UNIX and NT
platforms is a management component of the IDS; it does not participate in
packet obfuscation detection and is not affected by this vulnerability.
The following products implement a limited subset of Intrusion Detection
attack signatures, and the signatures included do NOT detect Microsoft IIS
targeted attacks, and are therefore NOT vulnerable to the %u encoding
method of attack obfuscation.
* Cisco Secure PIX Firewall
* Cisco IOS Firewall Feature Set with Intrusion Detection
Details
The "CodeRed" worm utilized an obscure Unicode encoding technique to
deliver the payload of the worm. The %u encoding method is a different
encoding method that is understood and parsed by the IIS web server. This
encoding can be applied to other portions of the URL to effectively
obfuscate the attack, preventing detection by many of the intrusion detection
systems available. The Cisco Secure Intrusion Detection System Sensor decoding
algorithms have been modified to detect and parse this Unicode form. Cisco
Catalyst 6000 Intrusion Detection System Modules do NOT yet implement
obfuscation detection.
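To make the evasion concrete, the following is an added example (not code from the advisory, Cisco, or eEye). It decodes %XX and IIS-style %uXXXX sequences the way a normalizing IDS must before matching, and contrasts a raw string match with a match on the decoded request. The signature strings and request lines are constructed for illustration; they are not Cisco's signature set. %uXXXX is taken as a single 16-bit code unit, which is all the ASCII obfuscation discussed here needs, and %XX is decoded as a single byte (no UTF-8 reassembly), which is an assumption of this example.

```python
import re
from typing import List

# Constructed signature strings a request-line signature would look for.
# Not Cisco's signature set; chosen because CodeRed hit /default.ida and
# related exploits reached cmd.exe / root.exe through the web root.
SIGNATURES = ["/default.ida", "cmd.exe", "root.exe"]

# %uXXXX (IIS-specific, four hex digits) or %XX (standard, two hex digits).
# Sequences that are not well formed are left untouched (assumption: an
# IDS should not guess at malformed input, it should pass it through).
_PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", re.ASCII)


def decode_url(s: str) -> str:
    """Decode %XX and %uXXXX in a single pass.

    %uXXXX -> the UTF-16 code unit XXXX as one character.
    %XX    -> the byte XX as one character (ASCII/Latin-1 only; UTF-8
              multibyte reassembly is deliberately out of scope here).
    """
    def repl(m: "re.Match[str]") -> str:
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 16))
    return _PCT.sub(repl, s)


def naive_match(request: str) -> List[str]:
    """What a signature engine with no %u decoding sees: the raw bytes."""
    return [sig for sig in SIGNATURES if sig in request]


def normalized_match(request: str) -> List[str]:
    """Decode first, then match: the behaviour the service pack adds."""
    decoded = decode_url(request)
    return [sig for sig in SIGNATURES if sig in decoded]


def u_encode(s: str, every: bool = False) -> str:
    """Obfuscate a string with %uXXXX, the way an attacker would.

    every=False encodes only letters (enough to break a literal match);
    every=True encodes every character.
    """
    out = []
    for ch in s:
        if every or ch.isalpha():
            out.append("%%u%04X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


# Constructed request lines: a plain CodeRed-style request and the same
# request with one byte of the path hidden behind %u encoding.
PLAIN_REQUEST = "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0"
OBFUSCATED_REQUEST = "GET /%u0064efault.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0"

if __name__ == "__main__":
    for req in (PLAIN_REQUEST, OBFUSCATED_REQUEST, "GET /scripts/" + u_encode("cmd.exe") + " HTTP/1.0"):
        print(req)
        print("  raw match       :", naive_match(req))
        print("  normalized match:", normalized_match(req))
```

A single %u0064 in place of the letter d is enough to defeat a raw string match on "/default.ida" while IIS still serves the same path; the normalized matcher sees the decoded request and fires. An engine that only understands %XX would miss the %u form in the same way, which is the gap the advisory describes.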
Impact
This method of obfuscation can allow malicious exploitation to bypass
current intrusion detection technology.
Software versions and fixes
This vulnerability is repaired in service pack 3.0(2)S6 for the Cisco
Secure Intrusion Detection System Sensor, and the fix will be included in all
versions going forward. This service pack is still officially BETA code until
the testing cycle is complete; however, due to the nature of the repairs
and the public notification of this vulnerability, the code is posted for
customer download at the following location:
ftp://ftp-eng.cisco.com/csids-sig-updates/ServicePacks/IDSk9-sp-3.0-1.42-S6-0.42-.bin
This vulnerability will be repaired in service pack 3.0 for the Cisco
Catalyst 6000 Intrusion Detection Module. Basic obfuscation detection was
originally slated for the 3.0 release, which is due to be available in
early October 2001. A service pack to the 3.0 release will include this
additional method of obfuscation, but will not be available until after
the October 2001 release. Cisco will update this advisory when more
detailed delivery information for the service pack is available.
Obtaining Fixed Software
Cisco is offering free software upgrades to remedy this vulnerability for
all affected customers.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained via the Software Center on Cisco's Worldwide Web site
at http://www.cisco.com.
Workarounds
Workarounds for this issue would include implementing a large number of
custom string match entries, one for each iteration of the proprietary
encoding obfuscation method applied to the expected attack. This workaround
could address the problem in the short term, but it is not scalable for the
majority of customers, and the product upgrade or service pack is
recommended.
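The reason the string-match workaround does not scale is combinatorial: every character of the target string can appear literally, as %XX, or as %uXXXX, and a plain string match treats upper- and lower-case hex digits as different bytes. The added example below (not from the advisory or from Cisco) enumerates the custom entries that would be needed to cover one attack string exhaustively. The set of per-character forms is an assumption of this example, limited to the encodings the advisory names; real IIS accepts further variations, so the true count is only larger.

```python
from itertools import product
from typing import Iterator, List


def encodings_of(ch: str) -> List[str]:
    """All forms one ASCII character can take on the wire, as a byte-exact
    string matcher sees them: literal, %XX and %uXXXX, each in lower- and
    upper-case hex. Duplicates (hex digits with no letters) are collapsed.
    Assumption: only the encodings named in the advisory are considered.
    """
    code = ord(ch)
    forms = [
        ch,
        "%%%02x" % code,
        "%%%02X" % code,
        "%%u%04x" % code,
        "%%u%04X" % code,
    ]
    return list(dict.fromkeys(forms))  # order-preserving dedupe


def count_variants(target: str) -> int:
    """Number of distinct string-match entries needed to cover `target`."""
    n = 1
    for ch in target:
        n *= len(encodings_of(ch))
    return n


def string_match_entries(target: str) -> Iterator[str]:
    """Generate every custom string-match entry, one per encoding combination.
    This is exactly the list the workaround asks an operator to maintain."""
    for combo in product(*(encodings_of(c) for c in target)):
        yield "".join(combo)


if __name__ == "__main__":
    for target in ("cmd.exe", "/default.ida", "root.exe"):
        print("%-14s %d entries" % (target, count_variants(target)))
    # Show a handful so the shape of the entries is visible.
    for entry in list(string_match_entries("cmd"))[:6]:
        print(" ", entry)
```

Seven characters of "cmd.exe" already need 6,075 entries, and the count multiplies by three to five for every additional character, which is why the advisory calls the workaround short-term only and points customers to the service pack that decodes before matching.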
ADDITIONAL INFORMATION
The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@cisco.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.