There are several reasons why a Deep Security rule may not exist for a given vulnerability. The key point is that the Deep Packet Inspection (DPI) module inspects network traffic: a DPI rule can only act on data that actually passes over the wire.
When a vulnerability is local (no data passes over the wire), or when the attack carries no payload data (for example, kernel bugs where TCP/IP headers with malformed values can lead to remote code execution or denial of service), DPI has nothing to inspect. In these cases Deep Security cannot create a DPI rule to protect the system, although other modules may still detect the activity.
The table below summarizes the possible reasons for this behavior:
Type | Reason | Example |
---|---|---|
Local vulnerabilities | A vulnerability exploitable only with local access requires the attacker to have physical access to, or be logged on to, the vulnerable system. DPI can only detect attacks over the network. However, the activity can often be detected with the Integrity Monitoring and Log Inspection modules. | CVE-2011-0005 CSRSS Elevation of Privilege Vulnerability |
Kernel vulnerabilities triggered in the TCP/IP stack | No payload data is involved, so DPI has nothing to inspect; many of these overlap with the 'local' category above. The attack vector is remote, but it is triggered by a continuous stream of specially crafted TCP/UDP packets that carry no payload, and DPI inspects only payload data. Such attacks can often be stopped at the firewall level instead. | Vulnerability in TCP/IP Could Allow Remote Code Execution (CVE-2011-2013) and CVE-2012-0152 (RDP) |
File parsing | The file format is too complex to parse over the network, or the format specification is not public and it is difficult to determine the structure through reverse engineering. | Microsoft Office Visio Viewer VSD File Type Confusion (CVE-2012-0020) |
No vulnerability information | This accounts for a large share of "not addressed" vulnerabilities. A rule can be created only when enough information about the vulnerability is available. | |
Unable to distinguish good from bad | Sometimes there is no observable difference between good and bad traffic, so the chance of false positives is high. However, some of these can be detected with the Integrity Monitoring and Log Inspection modules. | PowerDNS Recursor "ghost domain names" vulnerability (CVE-2012-1193) |
Requires knowledge of server configuration | Sometimes a benign-looking request is malicious only under a particular server configuration, which a network rule cannot see. | Apache Tomcat "RemoteFilterValve" Security Bypass Security Issue (CVE-2008-3271) |
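The following is an added toy model, not Deep Security code, that makes the table's first two rows concrete: a payload-signature matcher standing in for DPI, a packet-count threshold standing in for a firewall rule, and a regex over host log lines standing in for Log Inspection. The packets, the NOP-sled signature, the log line and the log rule are all constructed for the example; they are not real Deep Security rules or real exploit traffic. Running it shows that a header-only packet stream never produces a DPI match no matter how malicious the headers are, while the same stream trips the firewall threshold, and that a purely local event is only ever visible in host logs.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dport: int
    flags: str           # TCP flags, e.g. "S" for SYN, "PA" for PSH/ACK
    payload: bytes = b""


# Constructed payload signature for the example; not a real Deep Security rule.
SIGNATURES = {
    "nop-sled": b"\x90" * 8,        # run of x86 NOPs inside application data
}


def dpi_match(pkt):
    """Signature names found in the packet payload.

    Models the core limitation of a DPI rule: it can only match bytes that
    travel in the payload, so a packet with an empty payload never matches.
    """
    if not pkt.payload:
        return []
    return [name for name, sig in SIGNATURES.items() if sig in pkt.payload]


def firewall_flood_sources(packets, threshold):
    """Header-level check that needs no payload: sources that sent at least
    `threshold` packets to the same destination port."""
    counts = Counter((p.src, p.dport) for p in packets)
    return sorted({src for (src, _), n in counts.items() if n >= threshold})


# Constructed host-side rule, the kind of check Log Inspection (not DPI) carries.
LOG_RULES = {
    "csrss-crash": re.compile(r"csrss\.exe.*exception", re.IGNORECASE),
}


def log_inspect(lines):
    """Rule names that fire on host log lines; local events never touch the wire."""
    return [name for line in lines for name, rx in LOG_RULES.items() if rx.search(line)]


def coverage(packets, log_lines, threshold=50):
    """Which layer sees what in a mixed stream of traffic and host logs."""
    return {
        "dpi": sorted({m for p in packets for m in dpi_match(p)}),
        "firewall": firewall_flood_sources(packets, threshold),
        "log_inspection": log_inspect(log_lines),
    }


# Constructed sample input.
EXPLOIT_PKT = Packet("10.0.0.5", 80, "PA",
                     b"POST /upload HTTP/1.1\r\n\r\n" + b"\x90" * 8 + b"\xcc\xcc")
HEADER_FLOOD = [Packet("10.0.0.9", 3389, "S") for _ in range(60)]  # crafted headers, no payload
BENIGN = [Packet("10.0.0.7", 80, "PA", b"GET /index.html HTTP/1.1\r\n\r\n")]
HOST_LOGS = ["Application Error: csrss.exe exception 0xc0000005 in session 1"]  # constructed


if __name__ == "__main__":
    # DPI sees only the payload exploit; the header-only flood is invisible to it
    # and is caught by the firewall threshold; the local crash shows up only in logs.
    print(coverage(BENIGN + [EXPLOIT_PKT] + HEADER_FLOOD, HOST_LOGS))
```

The design point is that each layer keys on a different observable: bytes in the payload, per-source packet counts in the headers, and events on the host. A CVE whose trigger lives entirely in one of the latter two has no payload for a DPI rule to anchor on, which is exactly why the table's first two categories get coverage from the firewall, Integrity Monitoring or Log Inspection rather than from a DPI rule.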