Unicode encoding can be used to bypass intrusion detection systems
It seems possible to evade detection by intrusion detection or intrusion prevention systems (IDS/IPS) by using a special Unicode encoding. If a nefarious individual applies full-width/half-width Unicode encoding to the traffic being transferred, HTTP traffic for example, some intrusion detection and intrusion prevention systems are blind to malicious code embedded therein, because their content signatures are matched against the characters as sent rather than against a canonical form.
The vulnerability was discovered by Turkish researchers at GamaSEC some three weeks ago. US-CERT and Cisco have now issued their own security advisories on this vulnerability. US-CERT is maintaining a longer list of IDS/IPS system vendors, of which to date only Apple and HP have been classified as not vulnerable. Cisco has reported that its intrusion prevention system and IOS with firewall / IPS functions are vulnerable. However, the vendor has not yet released software updates or a temporary workaround.
Numerous IDS/IPS vendors are likely to release software updates shortly, once they have tested their systems and discovered any vulnerability present. Administrators of affected systems should download these as soon as possible in order to avoid unnecessary risks to network security.
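The following is an added illustration of the detection gap described above and of the canonicalization step that closes it; it is not code from the article, GamaSEC, US-CERT or Cisco. The signatures and sample HTTP request lines are constructed, and the hardening shown (percent-decode, then NFKC-fold full-width forms to ASCII before matching) is one generic approach, not the fix any named vendor shipped.

```python
"""Canonicalize full-width/half-width Unicode in HTTP request data before
signature matching.  Added example, not code from the article, GamaSEC,
US-CERT or Cisco; the signatures and sample requests are constructed."""
import re
import unicodedata
from urllib.parse import unquote

# Constructed content signatures of the kind an IDS/IPS/WAF applies to HTTP.
SIGNATURES = [
    re.compile(r"\.\./"),          # directory traversal
    re.compile(r"/etc/passwd"),    # sensitive file reference
    re.compile(r"<script", re.I),  # script tag injection
]


def canonicalize(raw: str) -> str:
    """Percent-decode as UTF-8, then NFKC-normalize.

    NFKC folds the full-width ASCII variants U+FF01..U+FF5E onto
    U+0021..U+007E and the ideographic space U+3000 onto U+0020 (and
    half-width katakana onto their regular forms), so a signature written
    in ASCII matches regardless of the width in which the characters were sent.
    """
    decoded = unquote(raw, encoding="utf-8", errors="replace")
    return unicodedata.normalize("NFKC", decoded)


def matches_raw(raw: str) -> bool:
    """Weak behaviour: percent-decode only, match the code points as sent."""
    decoded = unquote(raw, encoding="utf-8", errors="replace")
    return any(sig.search(decoded) for sig in SIGNATURES)


def matches_canonical(raw: str) -> bool:
    """Hardened behaviour: match against the canonicalized request."""
    return any(sig.search(canonicalize(raw)) for sig in SIGNATURES)


# Constructed sample requests.  The third carries "../../etc/passwd" with
# every '.' and '/' replaced by its full-width form (U+FF0E, U+FF0F),
# percent-encoded as UTF-8 (EF BC 8E, EF BC 8F).
BENIGN = "GET /index.html HTTP/1.1"
PLAIN_TRAVERSAL = "GET /cgi/show?f=../../etc/passwd HTTP/1.1"
FULLWIDTH_TRAVERSAL = ("GET /cgi/show?f=%EF%BC%8E%EF%BC%8E%EF%BC%8F"
                       "%EF%BC%8E%EF%BC%8E%EF%BC%8Fetc%EF%BC%8Fpasswd HTTP/1.1")

if __name__ == "__main__":
    for req in (BENIGN, PLAIN_TRAVERSAL, FULLWIDTH_TRAVERSAL):
        print(f"raw={matches_raw(req)} canonical={matches_canonical(req)} {req}")
```

Running the block shows the raw matcher missing the full-width request while the canonicalizing matcher flags it, which is the blind spot the advisories describe.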
- Full-Width and Half-Width Unicode Encoding IDS/IPS/WAF Bypass Vulnerability, security announcement from GamaSEC
- HTTP content scanning systems full-width/half-width Unicode encoding bypass, vulnerability note from US-CERT
- HTTP Full-Width and Half-Width Unicode Encoding Evasion, security response from Cisco