CVSS2 | 7.5 High |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
EPSS | 0.072 Low |
Percentile | 94.0% |
Multiple intrusion detection systems may be circumvented via %u encoding allowing intruders to launch attacks undetected.
Most intrusion detection systems are capable of decoding URLs that are encoded using either the "UTF" or "hex-encode" encoding schemes. Microsoft's Information Server (IIS) employs both of these encoding schemes. It also makes use of an encoding scheme known as "%u encoding". According to the eEye Digital Security Advisory, "The purpose of this %u encoding seems to be for the ability to represent true Unicode/wide character strings." Because "%u encoding" does not appear to be widely utilized by products other than Microsoft's Information Server (IIS), certain intrusion detection systems are not able to properly decode %u encoded requests.
An intruder can pass %u encoded malicious traffic undetected through an intrusion detection system in violation of implied security policies. This will typically be reconnaissance traffic and/or attack traffic directed at an IIS web server.
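The decoding gap described above, as an added example (not code from the advisory, eEye, or any vendor): a sensor-side decoder that handles only %XX misses a signature once one character is %u-encoded, while a decoder that also handles %uXXXX matches it. The signature string, sample paths and function names are constructed for illustration, and each escape is treated as a single code point.

```python
import re

# Constructed signature for illustration; not taken from any product's rule set.
SIGNATURE = "/restricted/admin.cfg"

_HEX_ESCAPE = re.compile(r"%([0-9a-fA-F]{2})")
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
# One alternation so both escape forms are decoded in a single pass.
_ANY_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def decode_hex_only(path: str) -> str:
    """Decode %XX escapes only; %uXXXX is left untouched (the affected behaviour)."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)


def decode_with_u(path: str) -> str:
    """Decode %uXXXX and %XX in one pass, so decoded output is never decoded again."""
    return _ANY_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), path)


def signature_hit(path: str, decoder) -> bool:
    """Case-insensitive substring match on the decoded path."""
    return SIGNATURE in decoder(path).lower()


def inspect(path: str) -> dict:
    """Compare both decoders and flag the presence of %u escapes as its own signal."""
    return {
        "hex_only_hit": signature_hit(path, decode_hex_only),
        "normalized_hit": signature_hit(path, decode_with_u),
        "u_encoded": bool(_U_ESCAPE.search(path)),
    }


# Constructed sample request paths: the same path with the letter 'a' written three ways.
SAMPLES = {
    "plain": "/restricted/admin.cfg",
    "hex": "/restricted/%61dmin.cfg",
    "percent_u": "/restricted/%u0061dmin.cfg",
}

if __name__ == "__main__":
    for name, path in SAMPLES.items():
        print(name, inspect(path))
```

Flagging `u_encoded` separately gives the sensor something to alert on even before its decoder is updated.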
Contact your vendor for patches.
548515
Updated: September 07, 2001
Affected
Please see <http://www.cisco.com/warp/public/707/cisco-intrusion-detection-obfuscation-vuln-pub.shtml>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23548515 Feedback>).
Updated: September 07, 2001
Affected
Dragon Sensor 4.x was affected. Signatures to detect the new IIS UNICODE encoding flaw have been available, and a modification to the Web processing engine is already included in Dragon Sensor 5.0. To obtain dragon products, visit <http://dragon.enterasys.com>.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: September 07, 2001
Affected
ISS X-Force has included a patch for this vulnerability in RealSecure Network Sensor X-Press Update 3.2. ISS X-Force recommends that all RealSecure customers download and install the update immediately. RealSecure X-Press Update 3.2 is now available. RealSecure Network Sensor customers can download XPU 3.2 from the following address: http://www.iss.net/db_data/xpu/RS.php
RealSecure Server Sensor version 6.0.1 includes a fix for this vulnerability. RealSecure Server Sensor 6.0.1 will be available for download on September 4, 2001. ISS X-Force recommends that all RealSecure customers upgrade their Windows Server Sensors to version 6.0.1. A patch is being developed for RealSecure Server Sensor 5.5 and will be available on or before August 31, 2001 at the ISS Download Center: <http://www.iss.net/eval/eval.php>.
BlackICE products are not affected by this vulnerability. Attempts to exploit this vulnerability will trigger the "HTTP URL bad hex code" signature. The next BlackICE product update will specifically address "%u" encoding.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: September 18, 2002
Affected
Snort 1.8.1 fixes this encoding bug. You can receive it from <http://snort.sourcefire.com/>.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
The CERT Coordination Center thanks eEye Digital Security for their advisory, on which this document is based.
This document was written by Ian A. Finlay.
CVE IDs: | CVE-2001-0669 |
---|---|
Severity Metric: | 13.13 |
Date Public: | |