Vulnerability Note VU#548515
Multiple intrusion detection systems may be circumvented via %u encoding
Multiple intrusion detection systems may be circumvented via %u encoding allowing intruders to launch attacks undetected.
Most intrusion detection systems are capable of decoding URLs that are encoded using either the "UTF" or "hex-encode" encoding schemes. Microsoft's Information Server (IIS) employs both of these encoding schemes. It also makes use of an encoding scheme known as "%u encoding". According to the eEye Digital Security Advisory, "The purpose of this %u encoding seems to be for the ability to represent true Unicode/wide character strings." Because "%u encoding does not appear to be widely utilized by products other than Microsoft's Information Server (IIS), certain intrusion detection systems are not able to properly decode %u encoded requests.
An intruder can pass %u encoded malicious traffic undetected through an intrusion detection system in violation of implied security policies. This will typically be reconnaissance traffic and/or attack traffic directed at an IIS web server.
Contact your vendor for patches.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Cisco Systems Inc.||Affected||-||07 Sep 2001|
|Enterasys Networks||Affected||-||07 Sep 2001|
|Internet Security Systems Inc.||Affected||-||07 Sep 2001|
|The Snort Project||Affected||-||18 Sep 2002|
CVSS Metrics (Learn More)
The CERT Coordination Center thanks eEye Digital Security for their advisory, on which this document is based.
This document was written by Ian A. Finlay.
- CVE IDs: CAN-2001-0669
- Date Public: 05 Sep 2001
- Date First Published: 07 Sep 2001
- Date Last Updated: 30 Oct 2003
- Severity Metric: 13.13
- Document Revision: 47
If you have feedback, comments, or additional information about this vulnerability, please send us email.