Know why there are certain vulnerabilities that we cannot create rules for making Deep Security unable to protect the system at some point.
There are several reasons why a rule is not present in Deep Security. We need to understand that the Deep Security Packet Inspection (DPI) function looks at network traffic and our rules work on the traffic that comes over the wire.
When vulnerability is local (i.e. no data passes over the wire) or where there is no data that comes over it (i.e. kernel bugs where TCP/IP headers with bad values could allow RCE or cause DoS), this is a scenario where Deep Security cannot create rules for and protect the system.
The table below summarizes the possible reasons for this behavior:
|Local vulnerabilities||Vulnerability exploitable with only local access requires the attacker to either have physical access or be logged on to the vulnerable system. DPI can only detect attacks over the network.|
However, we will be able to ‘detect’ using Integrity Monitoring and Log Inspection Module.
|CVE-2011-0005 CSRSS Elevation of Privilege Vulnerability|
|Kernel vulnerabilities triggered at TCP/IP stack||Since there is no data involved here, DPI cannot inspect this traffic. A good number of this falls under the above category of ‘local’. It would be a remote attack vector, but it can be triggered by continuous flow of specially-crafted TCP/UDP packets without having any payload. DPI can only inspect payload data. Most of the time these kinds of attacks might be stopped at the firewall level.||Vulnerability in TCP/IP Could Allow Remote Code Execution (CVE-2011-2013) and CVE-2012-0152(RDP)|
|File parsing||The file format is complex to parse over the network or the format specification is not public and/or it is difficult to determine the format structure through reverse engineering.||Microsoft Office Visio Viewer VSD File Type Confusion (CVE-2012-0020)|
|No vulnerability information||This contributes to a large number of “not addressed” vulnerabilities. A rule can be created only when there is enough information available about vulnerability.|
|Unable to distinguish good from bad||Sometimes, there is no difference between good and bad traffic. The chances of false positive are high in these cases. However, we will be able ‘detect’ some using Integrity Monitoring and Log Inspection Module.||PowerDNS Recursor "ghost domain names" vulnerability (CVE-2012-1193)|
|Requires knowledge of server configuration||Sometimes, a benign looking request can be malicious based on server configuration.||Apache Tomcat "RemoteFilterValve" Security Bypass Security Issue (CVE-2008-3271|