Vulnerability Note VU#548515
Multiple intrusion detection systems may be circumvented via %u encoding
Overview
Multiple intrusion detection systems may be circumvented via %u encoding allowing intruders to launch attacks undetected.
Description
Most intrusion detection systems are capable of decoding URLs that are encoded using either the "UTF" or "hex-encode" encoding schemes. Microsoft's Information Server (IIS) employs both of these encoding schemes. It also makes use of an encoding scheme known as "%u encoding". According to the eEye Digital Security Advisory, "The purpose of this %u encoding seems to be for the ability to represent true Unicode/wide character strings." Because %u encoding does not appear to be widely utilized by products other than Microsoft's Information Server (IIS), certain intrusion detection systems are not able to properly decode %u encoded requests.
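The following Python script is an added illustration of the decoding gap described above; it is not code from the advisory or from any affected vendor. It runs a hypothetical signature (a match on the constructed path /protected/secret.txt) over three constructed request lines that name the same resource in plain, %XX hex-encoded and %uXXXX-encoded form, first with a decoder that understands only %XX and then with one that also handles %uXXXX as a 16-bit code unit.

```python
import re

# Constructed sample request lines (not taken from the advisory); all three
# ask for the same path: plain, %XX hex-encoded, and IIS-style %uXXXX-encoded.
SAMPLE_REQUESTS = [
    "GET /protected/secret.txt HTTP/1.0",
    "GET /protected/%73ecret.txt HTTP/1.0",
    "GET /protected/%u0073ecret.txt HTTP/1.0",
]

# Hypothetical IDS signature: alert on any request for this path.
SIGNATURE = "/protected/secret.txt"

_HEX_ONLY = re.compile(r"%([0-9a-fA-F]{2})")
_HEX_OR_U = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def decode_hex_only(uri: str) -> str:
    """Decoder that knows only %XX escapes, like the engines the note describes.

    A %uXXXX sequence is left untouched because 'u' is not a hex digit.
    """
    return _HEX_ONLY.sub(lambda m: chr(int(m.group(1), 16)), uri)


def decode_hex_and_u(uri: str) -> str:
    """Decoder that also understands %uXXXX as a 16-bit Unicode code unit.

    One regex, one pass: replacement output is never rescanned, so "%2575"
    decodes to "%75" rather than being decoded a second time to "u".
    """
    def repl(m):
        if m.group(1) is not None:          # %uXXXX -> code point
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 16))     # %XX -> byte value
    return _HEX_OR_U.sub(repl, uri)


def request_path(line: str) -> str:
    """Return the request-target from a request line such as 'GET /x HTTP/1.0'."""
    parts = line.split(" ")
    return parts[1] if len(parts) >= 2 else line


def matches(decoder, line: str) -> bool:
    """Normalize the request-target with the given decoder, then match."""
    return SIGNATURE in decoder(request_path(line))


def evaluate(decoder) -> list:
    """For each sample request, report whether the signature fires."""
    return [matches(decoder, line) for line in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for name, dec in (("hex-only", decode_hex_only), ("hex+%u", decode_hex_and_u)):
        print(f"{name:9s}", evaluate(dec))
```

With the hex-only decoder the third request never matches, which is the evasion the note describes; the decoder that also normalizes %uXXXX fires on all three. The single-pass regex is deliberate: decoding %XX and %uXXXX in separate passes would let one pass's output be re-decoded by the next, so the normalized string would no longer correspond to what a single-decoding server sees.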
Impact
An intruder can pass %u encoded malicious traffic undetected through an intrusion detection system in violation of implied security policies. This will typically be reconnaissance traffic and/or attack traffic directed at an IIS web server.
Solution
Contact your vendor for patches.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Cisco Systems Inc. | Affected | - | 07 Sep 2001 |
| Enterasys Networks | Affected | - | 07 Sep 2001 |
| Internet Security Systems Inc. | Affected | - | 07 Sep 2001 |
| The Snort Project | Affected | - | 18 Sep 2002 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.securityfocus.com/bid/3292
- http://www.eeye.com/html/Research/Advisories/index.html
- http://www.iss.net/db_data/xpu/RS.php
- http://www.iss.net/eval/eval.php
- http://www.cisco.com/warp/public/707/cisco-intrusion-detection-obfuscation-vuln-pub.shtml
Credit
The CERT Coordination Center thanks eEye Digital Security for their advisory, on which this document is based.
This document was written by Ian A. Finlay.
Other Information
- CVE IDs: CAN-2001-0669
- Date Public: 05 Sep 2001
- Date First Published: 07 Sep 2001
- Date Last Updated: 30 Oct 2003
- Severity Metric: 13.13
- Document Revision: 47