TippingPoint detection bypass

Type securityvulns
Reporter Securityvulns
Modified 2007-07-12T00:00:00



(The following advisory is also available in PDF format for download at: http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_3Com_TippingPoint_IPS_Detection_Bypass_2.pdf )

CYBSEC S.A. www.cybsec.com

Pre-Advisory Name: TippingPoint detection bypass

Vulnerability Class: Design flaw

Release Date: 2007-07-04

Affected Platforms:

  • TippingPoint IPS running TOS versions 2.1.x, 2.2.x prior to 2.2.5, and 2.5.x prior to 2.5.2

Local / Remote: Remote

Severity: High

Author: Andres Riancho

Vendor Status:

  • Confirmed, updates released.

Reference to Vulnerability Disclosure Policy:


Product Overview:

"The TippingPoint Intrusion Prevention System (IPS) is an award-winning security solution that blocks worms, viruses, Trojans, Denial of Service and Distributed Denial of Service attacks, Spyware, VoIP threats, and Peer-to-Peer threats. Inspecting traffic through Layer 7, the IPS blocks malicious traffic before damage occurs."

Vulnerability Description:

When IP packets are fragmented in a special way, the appliance fails to correctly reassemble the data stream.

Technical Details:

Technical details will be released 30 days after publication of this pre-advisory. This was agreed upon with TippingPoint to allow their customers to upgrade affected software prior to technical knowledge been publicly available.


Exploiting this vulnerability, an attacker would be able to bypass all filters and detection.


TippingPoint has released a new version of the TippingPoint OS to address this vulnerability. Customers should apply the new firmware immediately. More information can be found at http://www.3com.com/securityalert/alerts/3COM-07-002.html

Vendor Response:

  • 2006-02-06: Initial Vendor Contact.
  • 2006-06-20: Vendor Confirmed Vulnerability.
  • 2007-07-04: Vendor Releases Update.

Contact Information:

For more information regarding the vulnerability feel free to contact the author at ariancho {at} cybsec.com.

For more information regarding CYBSEC: www.cybsec.com (c) 2006 - CYBSEC S.A. Security Systems

Andres Riancho CYBSEC S.A. Security Systems E-mail: ariancho@cybsec.com PGP key: http://www.cybsec.com/pgp/ariancho.txt Tel/Fax: [54 11] 4371-4444 Web: http://www.cybsec.com

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGlMsB1351/apVCtIRArLwAJ9ntxG9m3NXMtEsue4NyukuujQetACfdRgJ d0RW2DQcKlpmc97RhmhSt0U= =gwf5 -----END PGP SIGNATURE-----