Stonesoft Claims To Find More Evasion Techniques in Security Products

Four months after it first went public with a warning about widespread vulnerabilities in network security products, Stonesoft said it has found more than 100 new holes, and that security vendors are doing little to address the problem.

Stonesoft holesFour months after it first went public with a warning about widespread vulnerabilities in network security products, Stonesoft said it has found more than 100 new holes, and that security vendors are doing little to address the problem.

The company on Monday announced that it has submitted information on 124 new holes, which it calls “advanced evasion techniques” (AETs), to Finnish CERT.  The release is the first since October, 2010, when Stonesoft and the CERT issued an advisory concerning 23 AETs affecting a wide range of commercially available intrusion detection (IDS) and intrusion prevention (IPS) products.(http://www.cert.fi/en/reports/2010/vulnerability385726.html) Many of the original 23 evasion techniques are still unpatched, Stonesoft said on Monday. 
The company’s claims have been greeted with everything from skepticism to indifference by security vendors and many experts, who claim that Stonesoft is using heated rhetoric to call attention to technical limitations of IDS and IPS products that are already well known. Beyond that, there is no evidence that the attack methodologies used by Stonesoft are being used in attacks outside the lab. 
Neither Stonesoft nor CERT-FI disclosed details of the 124 vulnerabilities. In October, Stonesoft said that the holes were discovered using an internal testing tool it has dubbed “Predator,” can test (or “fuzz”) common protocols such as TCP, MSRPC, IPv4 and SMB and try evasion techniques at multiple network layers simultaneously using techniques like IP fragmentation and TCP segmentation. 
However, designing an attack tool to do what Predator does would be a significant investment of time and money and its unclear whether any attackers have done so, given the ready availability of less expensive means to compromise networks.
Stonesoft executives say such attacks aren’t unlikely in an age of state sponsored cyber attacks and other “advanced persistent threats.” 

The company on Monday announced that it has submitted information on 124 new holes, which it calls “advanced evasion techniques” (AETs), to Finnish CERT.  The release is the first since October, 2010, when Stonesoft and the Finnish CERT issued an advisory concerning 23 AETs affecting a wide range of commercially available intrusion detection (IDS) and intrusion prevention (IPS) products. 

Stonesoft uses an internal testing tool it has dubbed “Predator,” can test (or “fuzz”) common protocols such as TCP, MSRPC, IPv4 and SMB and try evasion techniques at multiple network layers simultaneously using techniques like IP fragmentation and TCP segmentation. However, designing an attack tool to do what Predator does would be a significant investment of time and money and its unclear whether any attackers have done so, given highly effective and less expensive means to compromise networks.

Stonesoft executives say such attacks aren’t unlikely in an age of state sponsored cyber attacks and other so-called advanced persistent threats.  But the company’s claims have been greeted with everything from skepticism to indifference by security vendors and experts, who claim that Stonesoft is merely calling attention to technical limitations of IDS and IPS products that are already well known.  Many of the original 23 evasion techniques are still unpatched, Stonesoft said on Monday. However, there is not evidence, to date, that the attack methodologies described by Stonesoft are being used in attacks outside the lab. 

Neither Stonesoft nor CERT-FI disclosed details of the 124 vulnerabilities and, as of Monday, Finnish CERT had not issued an advisory for the additional AETs, as it did in October.

Suggested articles