Vulnerability Note VU#548515

Multiple intrusion detection systems may be circumvented via %u encoding

Original Release date: 07 Sep 2001 | Last revised: 30 Oct 2003

Overview

Multiple intrusion detection systems may be circumvented via %u encoding, allowing intruders to launch attacks undetected.

Description

Most intrusion detection systems are capable of decoding URLs that are encoded using either the "UTF" or "hex-encode" encoding schemes. Microsoft's Information Server (IIS) employs both of these encoding schemes. It also makes use of an encoding scheme known as "%u encoding". According to the eEye Digital Security Advisory, "The purpose of this %u encoding seems to be for the ability to represent true Unicode/wide character strings." Because %u encoding does not appear to be widely utilized by products other than Microsoft's Information Server (IIS), certain intrusion detection systems are not able to properly decode %u encoded requests.
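The decoding gap described above, shown from the sensor's side as an added example (not code from the advisory or from any affected product). The signature, the request paths and the function names are constructed for illustration, and the example assumes each %uXXXX sequence decodes to the Unicode code point it names.

```python
import re

# Constructed signature and request paths for illustration only.
SIGNATURE = "/private/report.asp"
SAMPLES = {
    "plain": "/private/report.asp",
    "hex": "/%70rivate/report.asp",       # %70 is 'p'
    "u": "/%u0070rivate/report.asp",      # %u0070 is also 'p'
}

_HEX = re.compile(r"%([0-9a-fA-F]{2})")
_HEX_OR_U = re.compile(r"%(?:[uU]([0-9a-fA-F]{4})|([0-9a-fA-F]{2}))")
_U_ONLY = re.compile(r"%[uU][0-9a-fA-F]{4}")


def decode_hex_only(url):
    """Normalizer that understands %XX but leaves %uXXXX untouched."""
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), url)


def decode_hex_and_u(url):
    """Normalizer that decodes both %XX and %uXXXX in a single pass."""
    return _HEX_OR_U.sub(
        lambda m: chr(int(m.group(1) or m.group(2), 16)), url)


def matches(url, decoder):
    """Apply the signature to the URL after the given normalization."""
    return SIGNATURE in decoder(url).lower()


def uses_u_encoding(url):
    """Flag %u sequences so they can be alerted on in their own right."""
    return _U_ONLY.search(url) is not None


def audit(samples):
    """Per sample: (hex-only match, hex+%u match, %u sequence present)."""
    return {name: (matches(u, decode_hex_only),
                   matches(u, decode_hex_and_u),
                   uses_u_encoding(u))
            for name, u in samples.items()}


if __name__ == "__main__":
    for name, row in audit(SAMPLES).items():
        print(name, row)
```

The "u" sample is the only one on which the two normalizers disagree, which is the condition a sensor test suite should check for after applying a vendor patch.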

Impact

An intruder can pass %u encoded malicious traffic undetected through an intrusion detection system in violation of implied security policies. This will typically be reconnaissance traffic and/or attack traffic directed at an IIS web server.

Solution

Contact your vendor for patches.

Systems Affected

Vendor                          Status    Date Notified  Date Updated
Cisco Systems Inc.              Affected  -              07 Sep 2001
Enterasys Networks              Affected  -              07 Sep 2001
Internet Security Systems Inc.  Affected  -              07 Sep 2001
The Snort Project               Affected  -              18 Sep 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

The CERT Coordination Center thanks eEye Digital Security for their advisory, on which this document is based.

This document was written by Ian A. Finlay.

Other Information

  • CVE IDs: CAN-2001-0669
  • Date Public: 05 Sep 2001
  • Date First Published: 07 Sep 2001
  • Date Last Updated: 30 Oct 2003
  • Severity Metric: 13.13
  • Document Revision: 47
