
CERT-FI Advisory on IDS/IPS device vulnerabilities that may circumvent protections

Target - network devices

Access Vector - remote

Impact - Bypass of protection

Remediation - fix provided by vendor

Details

Stonesoft reported to CERT-FI multiple techniques that can be used to evade intrusion detection and prevention systems (IDS/IPS). The evasions stem from interpretation issues in the commonly used protocols IP, TCP, NetBIOS, SMB and MSRPC: modifications to the protocol packets may cause IDS/IPS devices to fail to parse them correctly, while the end devices still consider the packets valid. Some of the evasion techniques require combinations of protocol modifications across packet sequences.

Evasions enable attackers to use known attacks without them being noticed and thwarted by IDS/IPS systems. CERT-FI considers these techniques to be vulnerabilities, as they successfully subvert existing protections. Stonesoft has reported a total of 23 evasion methods to CERT-FI.
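To make the interpretation problem concrete, here is an added illustration that is not part of the CERT-FI advisory or of Stonesoft's research: two reassembly policies for overlapping TCP segments (the same logic applies to IP fragment offsets), and a check that flags the byte conflicts an inspector should treat as a warning sign. The `Segment` type and the sample bytes are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int     # relative TCP sequence number (or IP fragment byte offset)
    data: bytes


def reassemble(segments, policy="first"):
    """Rebuild the byte stream from possibly overlapping segments.
    policy='first' keeps the earliest bytes seen for an offset,
    policy='last' lets a later segment overwrite them. Real TCP stacks
    differ on this, which is exactly what an IDS/IPS must model per host."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in buf:
                buf[off] = byte
    if not buf:
        return b""
    # Fail closed on gaps: an incomplete stream cannot be inspected reliably.
    if sorted(buf) != list(range(min(buf), max(buf) + 1)):
        raise ValueError("gap in stream")
    return bytes(buf[k] for k in sorted(buf))


def conflicting_offsets(segments):
    """Offsets where two segments carry different bytes. A non-empty result
    means the end host and the inspector may see different data, so a
    defender should normalise the traffic (drop the conflicting
    retransmission) or raise an alert rather than trust one interpretation."""
    seen, conflicts = {}, set()
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if seen.setdefault(off, byte) != byte:
                conflicts.add(off)
    return sorted(conflicts)


# Constructed sample: the second segment re-sends offsets 2-4 with different content.
SAMPLE = [Segment(0, b"ABCDEFGH"), Segment(2, b"xyz")]

if __name__ == "__main__":
    for pol in ("first", "last"):
        print(pol, reassemble(SAMPLE, pol))
    print("conflicting offsets:", conflicting_offsets(SAMPLE))
```

Run on the sample, the two policies yield different streams from identical packets, and `conflicting_offsets` identifies the bytes an inspection engine cannot resolve without knowing the receiving host's behaviour.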

Vulnerability Coordination Information and Acknowledgements

Vulnerabilities have been found by Stonesoft. CERT-FI is coordinating the release of these vulnerabilities between Stonesoft and the affected vendors. CERT-FI has discussed the case with a number of network security vendors.

Vendor Information

Checkpoint

Cisco Systems

HP TippingPoint
  • HP DVLabs has tested the evasion techniques against the TippingPoint IPS and found that all of the evasion techniques were NOT successful. TippingPoint customers are not impacted and no further updates are necessary. Customers may contact the TAC for more information.

Stonesoft

  • Stonesoft continues to research advanced evasion techniques and to fix its products to provide protection against them. Stonesoft recommends customers using StoneGate IPS version older than 5.0.0 to upgrade to the newest version available.

Top Layer Security

  • Top Layer Security has evaluated the IPS 5500 E-Series against these evasion techniques, and verified that they are not successful in bypassing IPS protection. Please visit www.toplayer.com for more details.

Trend Micro

  • Trend Micro has completed its investigation into these issues and found that Deep Security version 7.5 and later fully protects against these issues. Customers are encouraged to upgrade to the latest version of Deep Security.

Fortinet

  • Fortinet has investigated the evasion techniques and found that the latest FortiOS 4.3 and 5.0 versions are not impacted. Fortinet recommends that customers update to the latest Fortigate IPS engine available.

Remediation

Update the affected devices as instructed by the vendor. Organisations employing intrusion detection or prevention systems to protect their networks should consider employing complementary means for detecting and preventing network attacks.


References

Contact

CERT-FI Vulnerability Coordination can be contacted as follows:

Email:
vulncoord@ficora.fi
Please quote the advisory reference [FICORA #385726] in the subject line

Telephone:
+358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)

Fax :
+358 9 6966 515

Post:
Vulnerability Coordination
FICORA/CERT-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND

CERT-FI encourages those who wish to communicate via email to make use
of our PGP key. The key is available at
https://www.cert.fi/en/activities/contact/pgp-keys.html

The CERT-FI vulnerability coordination policy can be viewed at
https://www.cert.fi/en/activities/Vulncoord/vulncoord-policy.html

Revision history

4 Oct 2010, 12:01 UTC: Published
18 Oct 2010, 09:40 UTC: Updated in connection with Stonesoft's press release
28 Oct 2010, 08:50 UTC: Updated Cisco statement, refined issue description
1 Nov 2010, 09:13 UTC: Added information on 23 evasions
15 Dec 2010, 12:00 UTC: Disclosure
17 Dec 2010, 12:40 UTC: Added more information on remediation
12 Jan 2011, 11:29 UTC: Added vendor statements and advisories from Checkpoint, HP Tippingpoint and Trend Micro
1 Mar 2011, 7:59 UTC: Added vendor statement from Top Layer Security
26 Mar 2012, 12:57 UTC: Trend Micro's statement updated
14 Jun 2013, 14:07 UTC: Added Fortinet's statement

Page updated 14.06.2013