7 September, 2001
Multi-vendor Unicode IDS bypass

Reference:
eEye Digital Security Bulletin, 5 September 2001, %u encoding IDS bypass vulnerability

CVE Name:
CAN-2001-0669

Affected:
Various Vendors' IDS products as referenced

Not Affected:
Symantec security products

Overview:
Symantec became aware of discussions and analysis of a vulnerability that affected some intrusion detection systems. eEye Digital Security has since released a bulletin describing this issue. The vulnerability stems from a non-standard (not part of the HTTP specifications) Unicode encoding format known as %u encoding, which the Microsoft IIS (Internet Information Services) web server recognizes.

Microsoft's IIS server supports various types of Unicode encoding, most of them RFC-compliant and readily detected by most, if not all, IDS products. However, eEye Digital Security describes a non-standard way of Unicode-encoding HTTP requests, which IIS supports, that could be used to obfuscate an attack similar to Code Red and its variants. This non-standard Unicode encoding could allow intruders to launch attacks against Microsoft IIS web servers that go undetected by intrusion detection systems whose signatures check only for RFC-compliant encoding methods.
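The following is an added illustration, not code from the advisory, eEye or Symantec. It contrasts a request normalizer that understands only RFC-style %XX escapes with one that also expands the %uXXXX form the advisory describes, then runs a tiny constructed signature list over the decoded paths. The request paths, signature fragment and function names are all constructed for the example; a %XX-only decoder passes the %u form through untouched and so never sees the string the signature looks for.

```python
"""Added example (not from the advisory): normalize %XX and %uXXXX encodings
before signature matching, and show why a %XX-only decoder misses the %u form.
Sample request paths, the signature list, and the function names are constructed
for illustration.
"""
import re

# RFC-compliant form: one %XX escape per byte.
_PCT_ONLY = re.compile(r"%([0-9A-Fa-f]{2})")
# IIS additionally understood %uXXXX, a 16-bit code unit; try it before %XX so
# "%u002e" is not mis-read as a stray "%" followed by "u002e".
_PCT_AND_U = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

# Constructed content-signature fragments, standing in for an IDS rule set.
SIGNATURES = ("cmd.exe",)


def decode_percent_only(path: str) -> str:
    """Decoder that knows only RFC %XX escapes; %uXXXX is passed through untouched."""
    return _PCT_ONLY.sub(lambda m: chr(int(m.group(1), 16)), path)


def decode_iis_style(path: str) -> str:
    """Decoder that expands both %uXXXX (as IIS did) and %XX in a single pass."""
    def repl(m):
        hexval = m.group(1) if m.group(1) is not None else m.group(2)
        return chr(int(hexval, 16))
    return _PCT_AND_U.sub(repl, path)


def has_nonstandard_encoding(path: str) -> bool:
    """Flag any %uXXXX sequence at all: RFC-compliant clients do not emit this
    form, so its mere presence is a useful alert independent of the payload."""
    return re.search(r"%u[0-9A-Fa-f]{4}", path) is not None


def alerts(requests, decoder):
    """Return the requests whose decoded path matches a signature fragment."""
    return [r for r in requests if any(sig in decoder(r) for sig in SIGNATURES)]


# Constructed request paths: plain, RFC %XX-encoded, %u-encoded, and benign.
SAMPLE_REQUESTS = [
    "/scripts/cmd.exe",
    "/scripts/cmd%2eexe",
    "/scripts/cmd%u002eexe",
    "/default.htm",
]

if __name__ == "__main__":
    for name, dec in (("percent-only", decode_percent_only),
                      ("iis-style", decode_iis_style)):
        print(f"{name:12s} alerts on: {alerts(SAMPLE_REQUESTS, dec)}")
    print("non-standard encoding seen in:",
          [r for r in SAMPLE_REQUESTS if has_nonstandard_encoding(r)])
```

Run as a script, the percent-only decoder alerts on the first two sample requests only, while the IIS-style decoder alerts on all three encoded variants. The `has_nonstandard_encoding` check is the simpler defensive option: because no standards-compliant client produces %uXXXX, a sensor can alert on the encoding itself without having to reproduce every server's decoding quirks.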

Risk Impact:
Potentially High risk if security products do not alert on this method of Unicode encoding.
Low Risk to Symantec customers.

Symantec Response:
Securing a user's computer from real and potential attacks by Internet threats requires a multi-tiered approach. Symantec's Security offerings consisting of Anti-virus, Intrusion Detection, Vulnerability Management, Vulnerability Assessment and Firewall products provide protection at all points of entry and exit on the network in comprehensive solutions for both consumer and corporate users. Symantec Engineers have reviewed Symantec's suite of security products against the possibility of an attack as described by eEye Digital Security. Symantec's network-based IDS product, NetProwler, detects attempts to exploit this vulnerability with the URL_Hex_Characters signature available in SU4 and updated in SU7. Users should update NetProwler to include all SUs for maximum protection. Symantec's other security products do not utilize this functionality and are not affected by this obfuscation attempt. Symantec is confident that our multi-tiered product line provides protection for our customers against non-standard Unicode exploit attempts of this nature.

In keeping with Symantec's commitment to customer security, Symantec continuously reviews ways to further improve the security of our customers.

Credit:
Symantec wishes to thank the security professionals at eEye Digital Security for bringing this issue to the attention of the security community and giving us the opportunity to research and respond to the issue.

Copyright (c) 2001 by Symantec Corp.
Permission to redistribute this Advisory electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this Advisory in a medium other than electronic requires permission from SymSecurity@symantec.com.
Disclaimer:
The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on, this information. Symantec, Symantec Security Response, Symantec product names and Sym Security are Registered Trademarks of Symantec Corporation and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Sym Security's PGP key is available from MIT's PGP key server as well as from certserver.pgp.com.


Last modified on: Friday, 07-Sep-01 19:54:52