124 new advanced evasion techniques discovered

Stonesoft announced it has discovered 124 new advanced evasion techniques (AETs). Samples of these AETs have been delivered to the Computer Emergency Response Team (CERT-FI), who will continue to coordinate a global vulnerability coordination effort.

The discovery of AETs was first reported in October 2010 and confirmed by ICSA Labs. Since that time, Stonesoft has continued extensive research in the area, which has led to the discovery of 124 new threats. Stonesoft continues to research AETs found in its R&D laboratories and in the wild.

Many vendors claimed to have “fixed” the product vulnerabilities disclosed in CERT-FI’s initial advisories on the 23 AETs discovered last fall. However, real-life testing in Stonesoft’s research lab confirms that AETs are still able to penetrate many of these systems without detection.

In other cases, simple microscopic changes to an AET – such as changing byte size and segmentation offset – allow them to bypass the product’s detection capabilities. This demonstrates that most vendors are only providing temporary and inflexible fixes to the growing AET concern, rather than researching and solving the fundamental architecture issues that give way to these vulnerabilities.

Traditional and advanced evasion techniques have become of increasing concern to the network security community. In its Network IPS Group Test Q4 2010, independent testing lab NSS Labs described IP fragmentation and TCP segmentation evasions as a grave threat stating “if an attacker can avoid detection by fragmenting packets or segmenting TCP streams, an Intrusion Prevention System will be completely blind to ALL attacks.”

“Missing an evasion means a hacker can use an entire class of exploits to circumvent a security product, rendering it virtually useless,” said Rick Moy, president, NSS Labs. “Combining certain evasions further increase the likelihood of success for attackers, and elevates the risk to enterprises.”

While there is no single solution to eliminating the threat of AETs, organizations can mitigate the risks and lessen their vulnerability. One such way is making sure the security devices they use do a proper multilayer normalization process, working on all relevant protocol layers for each connection. Centralized management is also critical as it enables constant updates and upgrades to be made deep within a network’s security architecture. Unfortunately, fingerprinting and signature-based matching – typical security responses for the actual exploits – do not work with the dynamic, combinatory and constantly evolving nature of AETs.

Stonesoft has also released packet capture descriptions for several of the AETs originally disclosed to CERT-FI in 2010.