NOW READ THIS
("Security Advisory")

Go Back

---

Submitted by: Bill Hickey
NCVA List Master

NRT-0178 Critical Unicode Flaw Undercuts Firewalls and Scanners:

The US Computer Emergency Response Team is reporting a network evasion technique that uses full-width and half-width unicode characters to allow malware to evade detection by an IPS or firewall. The vulnerability affects virtually every major firewall and intrusion prevention system available, including products from Cisco Systems, which means most businesses will be affected. The vulnerability concerns HTTP content- scanning systems that fail to properly scan full-width and half-width Unicode-encoded HTTP traffic. A remote attacker could exploit the vulnerability by sending specially crafted HTTP traffic to a vulnerable content scanning system. After sneaking malware past the firewall or IPS, the attacker can then wreak havoc on a system, scanning and attacking without being detected. Cisco has an advisory up. In the advisory the company states that it's not aware of any exploits of the vulnerability. While Cisco is the only vendor to have verified that its products are vulnerable, there's a long list of vendors that haven't said whether their products are vulnerable or not. Specifically, the US-CERT note lists 92 vendors whose security products may be vulnerable; of those, as of the afternoon of 15MAY, only two -- Apple and Hewlett-Packard -- had verified that their security software isn't vulnerable. The vulnerability has been known since at least 16APR and was made public on 14MAY.

(eWeek 15MAY07)

Last Modified: Monday, 21-May-2007 20:14:39 EDT