It’s not every day that US-CERT warns of a flaw that is potentially so
widespread that it could affect more than 90 vendors covering a huge swath of the IT industry.
The flaw, listed by US-CERT as an HTTP content scanning systems full-width/half-width Unicode encoding bypass, could potentially be one of the most
widespread networking security flaws discovered in years. If exploited, a
malicious user could use the bypass to attack a vulnerable environment.
According to US-CERT, an attacker could send a malicious
HTTP packet to the vulnerable content scanning system (part of an
IPS/IDS or firewall application), which would take advantage of a flaw in how
the systems handle certain types of full-width and half-width Unicode
characters
different international language character sets.
Though the flaw could lead to an attack, it isn’t necessarily a direct attack
vector.
“This isn’t an exploit itself, but allows exploits that would normally be
detected (or blocked) to get through your IDS/IPS undetected,” John Bambenek
of the Internet Storm Center at SANS wrote in a blog posting.
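As an added illustration (not code from US-CERT, Cisco or the original article), the Python sketch below shows why a scanner that matches signatures against a decoded request without folding full-width/half-width forms misses the pattern, and how applying Unicode NFKC normalization first restores the match. The signature list, the sample URLs and the use of UTF-8 percent-encoding are assumptions made for the example.

```python
import unicodedata
from urllib.parse import quote, unquote

# Hypothetical signature list for illustration; a real IDS/IPS rule set is far larger.
SIGNATURES = ("cmd.exe", "<script")

# Constructed sample requests (not taken from any advisory).
# SAMPLE_WIDE spells "cmd" with full-width letters U+FF43, U+FF4D, U+FF44.
SAMPLE_PLAIN = "/scripts/cmd.exe?/c+dir"
SAMPLE_WIDE = quote("/scripts/\uff43\uff4d\uff44.exe") + "?/c+dir"


def naive_match(raw_url):
    """Scanner that only percent-decodes before matching (the weak behaviour)."""
    decoded = unquote(raw_url).lower()
    return [sig for sig in SIGNATURES if sig in decoded]


def normalized_match(raw_url):
    """Scanner that folds width variants to their canonical forms (NFKC) first."""
    decoded = unquote(raw_url)
    folded = unicodedata.normalize("NFKC", decoded).lower()
    return [sig for sig in SIGNATURES if sig in folded]


def uses_width_variants(raw_url):
    """Flag requests containing characters from the Halfwidth and Fullwidth
    Forms block (U+FF00..U+FFEF), which is worth logging on its own."""
    decoded = unquote(raw_url)
    return any(0xFF00 <= ord(ch) <= 0xFFEF for ch in decoded)


if __name__ == "__main__":
    for label, url in (("plain", SAMPLE_PLAIN), ("wide", SAMPLE_WIDE)):
        print(label, url)
        print("  naive match:      ", naive_match(url))
        print("  normalized match: ", normalized_match(url))
        print("  width variants:   ", uses_width_variants(url))
```

The scanner and the back-end application need to agree on the normalization applied; a mismatch between the two is what leaves the gap.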
Cisco has confirmed that its Cisco Intrusion Prevention
System and Cisco IOS with Firewall/IPS Feature Set products are vulnerable
to the flaw. Cisco notes in its advisory that it is not aware of any
malicious use of the vulnerability.
Though Cisco was among the first vendors to release a security alert for the flaw, there is a very long list of vendors that remain potentially vulnerable.
Those US-CERT lists include: 3Com, Alcatel, Avaya, D-Link Systems, Debian GNU/Linux, EMC, Fedora Project, Gentoo Linux, Hitachi, IBM, Intel, Linksys (a division of Cisco), Lucent, McAfee, Microsoft, Nokia, Nortel, Novell, Red Hat, Sony, Sun and Symantec.
It is unclear how the vendors plan to fix the potential flaw. 3Com said in its advisory on the flaw that it has already updated its software to address the issue.