ID

VAR-200110-0073


CVE

CVE-2001-0669


TITLE

Multiple intrusion detection systems may be circumvented via %u encoding

Trust: 0.8

sources: CERT/CC: VU#548515

DESCRIPTION

Various Intrusion Detection Systems (IDS) including (1) Cisco Secure Intrusion Detection System, (2) Cisco Catalyst 6000 Intrusion Detection System Module, (3) Dragon Sensor 4.x, (4) Snort before 1.8.1, (5) ISS RealSecure Network Sensor 5.x and 6.x before XPU 3.2, and (6) ISS RealSecure Server Sensor 5.5 and 6.0 for Windows, allow remote attackers to evade detection of HTTP attacks via non-standard "%u" Unicode encoding of ASCII characters in the requested URL. Multiple intrusion detection systems may be circumvented via %u encoding, allowing intruders to launch attacks undetected. The Microsoft IIS web server supports a non-standard method of encoding web requests. If there is no web server support for this encoding method, or if it is disabled, there will be no targets to which encoded attacks can be sent. **NOTE**: Only RealSecure, Dragon and Snort are confirmed vulnerable. It is highly likely that IDS systems from other vendors are vulnerable as well; however, we have not received confirmation. This record will be updated as more information becomes available regarding affected technologies. BlackICE products detect '%u' encoded requests as being invalid, but do not decode them and detect encoded attack signatures.

Trust: 1.98

sources: NVD: CVE-2001-0669 // CERT/CC: VU#548515 // BID: 3292 // VULHUB: VHN-3478

AFFECTED PRODUCTS

vendor: iss | model: realsecure network sensor | scope: eq | version: 5.x

Trust: 1.6

vendor: cisco | model: secure intrusion detection system | scope: eq | version: *

Trust: 1.0

vendor: cisco | model: catalyst 6000 intrusion detection system module | scope: eq | version: *

Trust: 1.0

vendor: enterasys | model: dragon | scope: eq | version: 4.x

Trust: 1.0

vendor: iss | model: realsecure server sensor | scope: eq | version: 6.0

Trust: 1.0

vendor: iss | model: realsecure server sensor | scope: eq | version: 5.5

Trust: 1.0

vendor: iss | model: realsecure network sensor | scope: eq | version: 6.x

Trust: 1.0

vendor: snort | model: snort | scope: eq | version: 1.8.1

Trust: 1.0

vendor: cisco | model: - | scope: - | version: -

Trust: 0.8

vendor: enterasys | model: - | scope: - | version: -

Trust: 0.8

vendor: internet security | model: - | scope: - | version: -

Trust: 0.8

vendor: the snort | model: - | scope: - | version: -

Trust: 0.8

vendor: snort | model: project snort | scope: eq | version: 1.8

Trust: 0.3

vendor: snort | model: project snort | scope: eq | version: 1.7

Trust: 0.3

vendor: snort | model: project snort | scope: eq | version: 1.6.3

Trust: 0.3

vendor: snort | model: project snort | scope: eq | version: 1.6.2

Trust: 0.3

vendor: snort | model: project snort | scope: eq | version: 1.6.1

Trust: 0.3

vendor: snort | model: project snort | scope: eq | version: 1.6

Trust: 0.3

vendor: snort | model: project snort | scope: eq | version: 1.5.2

Trust: 0.3

vendor: snort | model: project snort | scope: eq | version: 1.5.1

Trust: 0.3

vendor: snort | model: project snort | scope: eq | version: 1.5

Trust: 0.3

vendor: nfr | model: network intrusion detection | scope: eq | version: 5.0

Trust: 0.3

vendor: internet | model: security systems realsecure server sensor win | scope: eq | version: 6.0

Trust: 0.3

vendor: internet | model: security systems realsecure server sensor win | scope: eq | version: 5.5.2

Trust: 0.3

vendor: internet | model: security systems realsecure server sensor win | scope: eq | version: 5.5.1

Trust: 0.3

vendor: internet | model: security systems realsecure server sensor win | scope: eq | version: 5.5

Trust: 0.3

vendor: internet | model: security systems realsecure server sensor win | scope: eq | version: 5.0

Trust: 0.3

vendor: internet | model: security systems realsecure network sensor | scope: eq | version: 6.0

Trust: 0.3

vendor: internet | model: security systems realsecure network sensor | scope: eq | version: 5.5.2

Trust: 0.3

vendor: internet | model: security systems realsecure network sensor | scope: eq | version: 5.5.1

Trust: 0.3

vendor: internet | model: security systems realsecure network sensor | scope: eq | version: 5.5

Trust: 0.3

vendor: internet | model: security systems realsecure network sensor | scope: eq | version: 5.0

Trust: 0.3

vendor: enterasys | model: dragon ids | scope: eq | version: 4.0

Trust: 0.3

vendor: cisco | model: secure ids network sensor | scope: eq | version: 3.0

Trust: 0.3

vendor: cisco | model: secure ids host sensor | scope: eq | version: 2.0

Trust: 0.3

vendor: cisco | model: catalyst ids module | scope: eq | version: 6000

Trust: 0.3

vendor: snort | model: project snort | scope: ne | version: 1.8.1

Trust: 0.3

vendor: internet | model: security systems realsecure server sensor win | scope: ne | version: 6.0.1

Trust: 0.3

vendor: enterasys | model: dragon ids | scope: ne | version: 5.0

Trust: 0.3

vendor: computer | model: associates etrust intrusion detection | scope: ne | version: 1.5

Trust: 0.3

vendor: computer | model: associates etrust intrusion detection | scope: ne | version: 1.4.5

Trust: 0.3

vendor: cisco | model: secure ids network sensor s6 | scope: ne | version: 3.0

Trust: 0.3

sources: CERT/CC: VU#548515 // BID: 3292 // CNNVD: CNNVD-200110-136 // NVD: CVE-2001-0669

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2001-0669
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#548515
value: 13.13

Trust: 0.8

CNNVD: CNNVD-200110-136
value: HIGH

Trust: 0.6

VULHUB: VHN-3478
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2001-0669
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-3478
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#548515 // VULHUB: VHN-3478 // CNNVD: CNNVD-200110-136 // NVD: CVE-2001-0669

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2001-0669

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200110-136

TYPE

wrong environmental conditions

Trust: 0.6

sources: CNNVD: CNNVD-200110-136

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-3478

EXTERNAL IDS

db: BID | id: 3292

Trust: 2.8

db: CERT/CC | id: VU#548515

Trust: 2.5

db: NVD | id: CVE-2001-0669

Trust: 1.7

db: CNNVD | id: CNNVD-200110-136

Trust: 0.7

db: CISCO | id: 20010905 CISCO SECURE INTRUSION DETECTION SYSTEM SIGNATURE OBFUSCATION VULNERABILITY

Trust: 0.6

db: ISS | id: 20010905 MULTIPLE VENDOR IDS UNICODE BYPASS VULNERABILITY

Trust: 0.6

db: BUGTRAQ | id: 20010905 %U ENCODING IDS BYPASS VULNERABILITY

Trust: 0.6

db: SEEBUG | id: SSVID-74940

Trust: 0.1

db: EXPLOIT-DB | id: 21100

Trust: 0.1

db: VULHUB | id: VHN-3478

Trust: 0.1

sources: CERT/CC: VU#548515 // VULHUB: VHN-3478 // BID: 3292 // CNNVD: CNNVD-200110-136 // NVD: CVE-2001-0669

REFERENCES

url: http://www.cisco.com/warp/public/707/cisco-intrusion-detection-obfuscation-vuln-pub.shtml

Trust: 2.8

url: http://www.securityfocus.com/bid/3292

Trust: 2.5

url: http://www.kb.cert.org/vuls/id/548515

Trust: 1.7

url: http://xforce.iss.net/alerts/advise95.php

Trust: 1.7

url: http://marc.info/?l=bugtraq&m=99972950200602&w=2

Trust: 1.0

url: http://www.eeye.com/html/research/advisories/index.html

Trust: 0.8

url: http://www.iss.net/db_data/xpu/rs.php

Trust: 0.8

url: http://www.iss.net/eval/eval.php

Trust: 0.8

url: http://marc.theaimsgroup.com/?l=bugtraq&m=99972950200602&w=2

Trust: 0.6

url: http://www.enterasys.com/ids/

Trust: 0.3

url: http://www.eeye.com

Trust: 0.3

url: http://www.iss.net/securing_e-business/security_products/intrusion_detection/

Trust: 0.3

url: http://www.nfr.com/products/nid/

Trust: 0.3

url: http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml

Trust: 0.3

url: http://www.snort.org

Trust: 0.3

url: http://www.iss.net/xforce

Trust: 0.3

url: http://marc.info/?l=bugtraq&m=99972950200602&w=2

Trust: 0.1

sources: CERT/CC: VU#548515 // VULHUB: VHN-3478 // BID: 3292 // CNNVD: CNNVD-200110-136 // NVD: CVE-2001-0669

CREDITS

Credited to 'hsj' as being used in proof of concept code for an unrelated vulnerability. Further research conducted by eEye Digital Security.

Trust: 0.9

sources: BID: 3292 // CNNVD: CNNVD-200110-136

SOURCES

db: CERT/CC | id: VU#548515
db: VULHUB | id: VHN-3478
db: BID | id: 3292
db: CNNVD | id: CNNVD-200110-136
db: NVD | id: CVE-2001-0669

LAST UPDATE DATE

2024-08-14T14:00:58.250000+00:00


SOURCES UPDATE DATE

db: CERT/CC | id: VU#548515 | date: 2003-10-30T00:00:00
db: VULHUB | id: VHN-3478 | date: 2016-10-18T00:00:00
db: BID | id: 3292 | date: 2001-09-05T00:00:00
db: CNNVD | id: CNNVD-200110-136 | date: 2006-08-22T00:00:00
db: NVD | id: CVE-2001-0669 | date: 2016-10-18T02:11:41.187

SOURCES RELEASE DATE

db: CERT/CC | id: VU#548515 | date: 2001-09-07T00:00:00
db: VULHUB | id: VHN-3478 | date: 2001-10-30T00:00:00
db: BID | id: 3292 | date: 2001-09-05T00:00:00
db: CNNVD | id: CNNVD-200110-136 | date: 2001-10-30T00:00:00
db: NVD | id: CVE-2001-0669 | date: 2001-10-30T05:00:00