
Newly Discovered Evasion Method For Targeted Attacks Silently Bypasses Network, Application Security

IDS/IPS, firewalls, Web application firewalls are among at-risk devices for technique that lets attackers sneak inside

Oct 18, 2010 | 09:16 AM | 

By Kelly Jackson Higgins

CERT-Finland (CERT-FI) has reported a newly discovered technique that evades network security devices, chiefly IDS/IPS systems but potentially also network firewalls and Web application firewalls, and lets attackers slip into an enterprise network and conduct targeted attacks.

The threat, which was discovered by researchers at Stonesoft's Helsinki labs, is based on vulnerabilities inherent in several vendors' IDS/IPS products, according to CERT-Finland, which has alerted the affected IDS/IPS vendors. The names of the vendors and their products have not been released publicly.

Jussi Eronen, head of vulnerability coordination at CERT-FI, says the agency, which first issued an alert on the threat on Oct. 4, will update that vulnerability alert today.

Stonesoft says the attack method takes advantage of how TCP/IP handles packets. "It takes advantage of the fact that the TCP protocol allows conservative creation of packets, but liberal receiving of packets," says Matt McKinley, director of U.S. product management at Stonesoft. "There are predictable, limited ways you can evade an IPS ... packets can only be created in a few ways. We came up with a way to create packets that don't conform to rules and confuse IPSes in ways that conventional methods cannot do."

McKinley says it lets the attacker work his way inside the network without being noticed. "It's a way to knock at the door until something lets you in because there's no way to detect it. It continues to knock until something lets it in," he says. "When the packet then makes it to the host, the host is designed to look only at the things it's interested in and ignore all else ... it's end to end delivery [of a malicious payload]."

McKinley says the attack could also work against other network security devices, including firewalls. It would likely be used to spread a network worm akin to the Stuxnet attack or some other targeted attack, he says. "It's a way to deliver [a worm] into a network and cause any kind of harm you want," McKinley says.

How difficult would it be to pull off this attack? "That's the creepy part. The impact of this is fairly simple. We feel it's well within the means of motivated hackers to do it. This is not particularly complicated," McKinley says.

ICSA Labs has verified the attack and is also sounding the alarm about the risk to enterprises. Jack Walsh, intrusion detection and prevention program manager at ICSA Labs, says it could take some time for network security vendors to add protection for this attack to their products, thus leaving enterprises at risk until those patches become available. IDS/IPSes, firewalls, next-generation firewalls, and Web application firewalls are most at risk of this evasion technique, he says.

Walsh says the evasion technique itself basically gives attackers a foot in the door to do their dirty work, and it can affect more than just TCP/IP protocols. "It's only after the evasion is coupled with an attack that they exploit some vulnerability," Walsh says. "The weakness that the evasions take advantage of are in the protocols, but the affected protocols aren't limited to TCP/IP. Some evasions affect higher layer application protocols as well."

And protocols aren't the only thing vulnerable to this evasion technique, he says. "The standards defining the protocols suggest a certain amount of permissiveness between sending and receiving systems to ease interoperability and communication. Our need for systems to be interoperable and our need for communication between systems to be as easy as possible allow these evasions to work," Walsh says.
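The mechanism McKinley describes above (a sender may emit packets the receiver tolerates, "liberal receiving") and the permissiveness Walsh points to are the classic insertion/evasion problem in stream reassembly: if an inline inspector resolves an ambiguous packet sequence one way and the target host resolves it another, the inspector matches its signatures against bytes the host never sees. The following is an added example written for this page; it is not Stonesoft's technique, not CERT-FI's material, and does not model any of the undisclosed products. The two overlap policies ("first" and "last"), the segment offsets, the decoy and real payloads and the signature string are all constructed for illustration, and real TCP stacks use more nuanced rules than these two.

```python
"""
Added example (not from the article, Stonesoft or CERT-FI): why a
permissive receiver lets a payload slip past a signature-matching IPS.

Segments are modelled as (stream offset, payload). When two segments
overlap at the same offset with different bytes, one stack may keep the
bytes that arrived first while another lets the later bytes overwrite
them. An inspector that guesses the wrong policy inspects the wrong bytes.
"""
from typing import Dict, Iterable, List, Tuple

Segment = Tuple[int, bytes]  # (stream offset of first byte, payload)


def reassemble(segments: Iterable[Segment], policy: str) -> bytes:
    """Rebuild a byte stream from possibly overlapping segments.

    policy == "first": bytes already placed are kept (old data wins).
    policy == "last":  a later segment overwrites what is already there.
    Both policies are assumptions for this example, not any named stack.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    stream: Dict[int, int] = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    if not stream:
        return b""
    end = max(stream) + 1
    holes = [off for off in range(end) if off not in stream]
    if holes:
        raise ValueError(f"stream has holes at offsets {holes[:8]}")
    return bytes(stream[off] for off in range(end))


def matches_signature(data: bytes, signature: bytes) -> bool:
    """A deliberately naive content signature, as a pattern-matching IPS applies it."""
    return signature in data


def evasion_succeeds(segments: List[Segment], ips_policy: str,
                     host_policy: str, signature: bytes) -> bool:
    """True when the inspector sees a clean stream but the host sees the payload."""
    seen_by_ips = reassemble(segments, ips_policy)
    seen_by_host = reassemble(segments, host_policy)
    return (not matches_signature(seen_by_ips, signature)
            and matches_signature(seen_by_host, signature))


def conflicting_offsets(segments: List[Segment]) -> List[int]:
    """Offsets covered by two segments that carry different bytes.

    An inline device that wants to stop guessing the host's policy can use
    this to refuse ambiguity outright: drop (or rewrite) a segment whose
    overlap disagrees with data already forwarded, so only one
    interpretation can reach the host. This is the normalizer approach,
    not a claim about what any vendor shipped.
    """
    seen: Dict[int, int] = {}
    conflicts = set()
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq + i
            if off in seen and seen[off] != byte:
                conflicts.add(off)
            seen.setdefault(off, byte)
    return sorted(conflicts)


# Constructed traffic for this example: the attacker sends the interesting
# bytes twice at the same offset. Which copy survives depends on the stack.
SIGNATURE = b"ATTACK"
SEGMENTS: List[Segment] = [
    (0, b"GET /"),
    (5, b"BENIGN"),            # decoy copy, arrives first
    (5, b"ATTACK"),            # real copy, same offset, arrives second
    (11, b" HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(f"{policy:>5}: {reassemble(SEGMENTS, policy)!r}")
    print("evasion (IPS=first, host=last):",
          evasion_succeeds(SEGMENTS, "first", "last", SIGNATURE))
    print("ambiguous offsets a normalizer would flag:",
          conflicting_offsets(SEGMENTS))
```

Run as a script, the "first" policy yields the benign request and the "last" policy yields the one containing the signature; an IPS reassembling with "first" in front of a host that uses "last" passes the traffic. The same shape of problem appears at higher layers (Walsh's point): any place a protocol lets the receiver tolerate several encodings of the same thing, the inspector has to either track the host's exact decoder or remove the ambiguity before forwarding, which is what `conflicting_offsets` sketches for the TCP case.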

Once inside, attackers can compromise data and steal information from enterprises, he says. And it's even possible they have been using this method already, unbeknown to victim organizations. "Given that these evasions have always existed, criminals could be using them already. If they are in use, then there would be little evidence of it," Walsh says.

Some vendors might need to rearchitect their products to fix this, while others might have to patch or build in protections, Walsh says.

Meanwhile, CERT-Finland's Eronen wouldn't provide details of the products known to be affected thus far or their weaknesses that allow for the attack since coordination among the vendors is still under way.

"If [targeted] networks have systems that are for some reason left unpatched -- legacy systems, no supported patches available, compliance does not allow for any system modification, just to name a few possible reasons -- and IDS/IPS systems are employed as virtual patches, then these systems are particularly vulnerable to attacks using evasion techniques," he says.
