SOL7544 - Full-width and half-width Unicode encoded data bypasses IDS/IPS security controls, VU #739224

2007-06-18T00:00:00
ID SOL7544
Type f5
Reporter f5
Modified 2016-07-25T00:00:00

Description

Unicode is a system for encoding characters of a character set, which is used in networked applications. IDS/IPS or other security devices may fail to decode and recognize the characters that represent an attack if encoded in Unicode, and pass the characters to a target device. If the target device decodes the Unicode and is vulnerable to the attack, the attack may succeed. Additionally, a security device may decode the encoded characters, but would still fail to detect an attack if it applies security policies before the decoding.

Information about this advisory is available at the following location:

<http://www.kb.cert.org/vuls/id/739224>

Certain F5 products perform inspection of application-layer (HTTP) traffic. Some versions of these products' functionalities will not perform a decoding, and then inspect the content to determine whether the content is legitimate.

For BIG-IP ASM 9.2.0 through 9.4.1, full-width and half-width Unicode encoded HTTP requests are not decoded by the BIG-IP ASM system. However, the encoding generates a violation for non-RFC-compliant encoding by default. Therefore, F5 does not consider BIG-IP ASM vulnerable at this time.

F5 Product Development tracked this issue as CR78019, and it was fixed in version 9.4.2 of BIG-IP ASM. For information about upgrading, refer to the BIG-IP ASM Release Notes.

The FirePass controller Content Inspection feature of Portal Access does not decode Unicode encoded HTTP requests, and would pass an attack to the target. However, this requires that the attacker be an authenticated user. The FirePass controller's Portal Access feature will not proxy HTTP requests from unauthenticated users.

F5 Product Development tracked this issue as CR80202, and it was fixed in version 6.0.2 of FirePass software. For information about upgrading, refer to the FirePass Release Notes.

This issue was fixed in FirePass 5.5.2 cumulative hotfix HF-552-9, FirePass 6.0.0 cumulative hotfix HF-600-14, and FirePass 6.0.1 cumulative hotfix HF-601-4. You may download these hotfixes or a later version of the cumulative hotfix from the F5 Downloads site. Additionally, a hotfix for versions 5.5.0 and 5.5.1 of FirePass software will be issued. Customers affected by this issue can contact F5 Technical Support to request the status of the hotfix. Include the CR number and the number of this Solution in your correspondence.

Note: For more information about installing the hotfixes listed above, refer to the readme file on the F5 Downloads site for your version-specific hotfix.

For instructions about downloading software from F5, refer to SOL167: Downloading software from F5.

Additionally, the web interface of a security device may itself be a target of a Unicode-encoded attack. F5 products are not vulnerable to attack using this technique. Attacks directed against web interfaces of F5 products that are Unicode-encoded are not decoded and interpreted into a character set that could be used to exploit a vulnerability.