The U.S. Computer Emergency Response Team is reporting a network evasion technique that uses full-width and half-width unicode characters to allow malware to evade detection by an intrusion prevention system or firewall. The vulnerability concerns HTTP content-scanning systems that fail to properly scan full-width and half-width Unicode-encoded HTTP traffic. A remote attacker could exploit the vulnerability by sending specially crafted HTTP traffic to a vulnerable content scanning system. After sneaking under the firewall or IPS, the attacker can then scan and attack systems without being detected.
Multiple Cisco Systems products are affected, including Cisco"s IPS CSCsi58602 and its Cisco IOS with Firewall/IPS Feature Set CSCsi67763. Cisco has an advisory up. In the advisory the company states that it"s not aware of any exploits of the vulnerability. While Cisco is the only vendor to have verified that its products are vulnerable, there"s a long list of vendors that haven"t said whether their products are vulnerable or not. Specifically, the US-CERT note lists 92 vendors whose security products may be vulnerable; of those, as of the afternoon of May 15, only two—Apple and Hewlett-Packard—had verified that their security software isn"t vulnerable.