ID

VAR-200604-0559


CVE

CVE-2006-2086


TITLE

Juniper Networks IVE client ActiveX control buffer overflow

Trust: 0.8

sources: CERT/CC: VU#477604

DESCRIPTION

Buffer overflow in JuniperSetupDLL.dll, loaded from JuniperSetup.ocx by the Juniper SSL-VPN Client when accessing a Juniper NetScreen IVE device running IVE OS before 4.2r8.1, 5.0 before 5.0r6.1, 5.1 before 5.1r8, 5.2 before 5.2r4.1, or 5.3 before 5.3r2.1, allows remote attackers to execute arbitrary code via a long argument in the ProductName parameter.

Juniper SSL-VPN Client ActiveX control is prone to a buffer-overflow vulnerability. The software fails to perform sufficient bounds-checking of user-supplied input before copying it to an insufficiently sized memory buffer. Invoking the object from a malicious website may trigger the condition. If the vulnerability were successfully exploited, this would corrupt process memory, resulting in arbitrary code execution.

Juniper's SSL VPN series products can provide users with secure remote access services. JuniperSetupDLL.dll is loaded from the JuniperSetup.ocx ActiveX control. If the following super long string is specified in the ProductName parameter, a stack overflow will be triggered in the JuniperSetupDLL.dll function:

    --- object classid="clsid:E5F5D008-DD2C-4D32-977D-1A0ADF03058B" id= NeoterisSetup codebase="path_to_JuniperSetup.cab#version=1,0,0,3" >
    .....
    ---PARAM NAME="ProductName" VALUE="AAAAAAA (long ''A'')" >
    .....
    script language=javascript
    NeoterisSetup.startSession();
    end script

The vulnerable function is as follows:

    .text:04F15783 ; int __stdcall sub_4F15783_ilvdlp(char *szProductName, LPCSTR lpValueName, LPBYTE lpData, LPDWORD lpcbData)
    .text:04F15783 sub_4F15783_ilvdlp proc near
    .text:04F15783
    .text:04F15783 SubKey = byte ptr -10Ch
    .text:04F15783 Type = dword ptr -8
    .text:04F15783 hKey = dword ptr -4
    ...

This can be exploited to cause a stack-based buffer overflow when the control is instantiated with an overly long "ProductName" parameter. tricked into visiting a malicious web site. The vulnerability has been reported in versions 1.x through 5.x.

SOLUTION: Update to IVE software version 5.3r2.1, 5.2r4.1, 5.1r8, 5.0r6.1, or 4.2r8.1.

PROVIDED AND/OR DISCOVERED BY: Yuji Ukai, eEye Digital Security.

ORIGINAL ADVISORY:
eEye Digital Security: http://www.eeye.com/html/research/advisories/AD20060424.html
Juniper Networks: http://www.juniper.net/support/security/alerts/PSN-2006-03-013.txt

Trust: 2.79

sources: NVD: CVE-2006-2086 // CERT/CC: VU#477604 // JVNDB: JVNDB-2006-003966 // BID: 17712 // VULHUB: VHN-18194 // PACKETSTORM: 45765

AFFECTED PRODUCTS

vendor: juniper, model: junipersetup control, scope: -, version: -

Trust: 1.4

vendor: juniper, model: junipersetup control, scope: eq, version: *

Trust: 1.0

vendor: juniper, model: -, scope: -, version: -

Trust: 0.8

vendor: juniper, model: vpn-ssl-vpn ive, scope: eq, version: 5.x

Trust: 0.3

sources: CERT/CC: VU#477604 // BID: 17712 // JVNDB: JVNDB-2006-003966 // CNNVD: CNNVD-200604-546 // NVD: CVE-2006-2086

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-2086
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#477604
value: 14.22

Trust: 0.8

NVD: CVE-2006-2086
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200604-546
value: HIGH

Trust: 0.6

VULHUB: VHN-18194
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2006-2086
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-18194
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#477604 // VULHUB: VHN-18194 // JVNDB: JVNDB-2006-003966 // CNNVD: CNNVD-200604-546 // NVD: CVE-2006-2086

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-2086

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200604-546

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200604-546

CONFIGURATIONS

sources: JVNDB: JVNDB-2006-003966

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-18194

PATCH

title: PSN-2006-03-013.txt, url: http://www.juniper.net/support/security/alerts/PSN-2006-03-013.txt

Trust: 0.8

sources: JVNDB: JVNDB-2006-003966

EXTERNAL IDS

db: CERT/CC, id: VU#477604

Trust: 3.3

db: SECUNIA, id: 19842

Trust: 2.6

db: NVD, id: CVE-2006-2086

Trust: 2.5

db: BID, id: 17712

Trust: 2.0

db: VUPEN, id: ADV-2006-1543

Trust: 1.7

db: SECTRACK, id: 1016000

Trust: 1.7

db: SREASON, id: 819

Trust: 1.7

db: OSVDB, id: 25001

Trust: 1.7

db: JVNDB, id: JVNDB-2006-003966

Trust: 0.8

db: CNNVD, id: CNNVD-200604-546

Trust: 0.7

db: BUGTRAQ, id: 20060426 [EEYEB-20060227] JUNIPER NETWORKS SSL-VPN CLIENT BUFFER OVERFLOW

Trust: 0.6

db: XF, id: 26077

Trust: 0.6

db: EXPLOIT-DB, id: 16568

Trust: 0.1

db: SEEBUG, id: SSVID-71082

Trust: 0.1

db: PACKETSTORM, id: 83003

Trust: 0.1

db: VULHUB, id: VHN-18194

Trust: 0.1

db: PACKETSTORM, id: 45765

Trust: 0.1

sources: CERT/CC: VU#477604 // VULHUB: VHN-18194 // BID: 17712 // JVNDB: JVNDB-2006-003966 // PACKETSTORM: 45765 // CNNVD: CNNVD-200604-546 // NVD: CVE-2006-2086

REFERENCES

url:http://www.kb.cert.org/vuls/id/477604

Trust: 2.5

url:http://www.juniper.net/support/security/alerts/psn-2006-03-013.txt

Trust: 1.8

url:http://www.eeye.com/html/research/advisories/ad20060424.html

Trust: 1.8

url:http://www.securityfocus.com/bid/17712

Trust: 1.7

url:http://www.osvdb.org/25001

Trust: 1.7

url:http://securitytracker.com/id?1016000

Trust: 1.7

url:http://secunia.com/advisories/19842

Trust: 1.7

url:http://securityreason.com/securityalert/819

Trust: 1.7

url:http://www.securityfocus.com/archive/1/432155/100/0/threaded

Trust: 1.1

url:http://www.vupen.com/english/advisories/2006/1543

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/26077

Trust: 1.1

url:http://secunia.com/advisories/19842/

Trust: 0.9

url:http://www.juniper.net/support/security/alerts/psn-2006-03-013.txt

Trust: 0.8

url:http://www.eeye.com/html/research/advisories/ad20060424.html

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-2086

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-2086

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/432155/100/0/threaded

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/26077

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2006/1543

Trust: 0.6

url:http://www.juniper.net/

Trust: 0.3

url:http://juniper.net/support/security/security_notices.html

Trust: 0.3

url:/archive/1/432155

Trust: 0.3

url:http://secunia.com/product/6644/

Trust: 0.1

url:http://secunia.com/product/6645/

Trust: 0.1

sources: CERT/CC: VU#477604 // VULHUB: VHN-18194 // BID: 17712 // JVNDB: JVNDB-2006-003966 // PACKETSTORM: 45765 // CNNVD: CNNVD-200604-546 // NVD: CVE-2006-2086

CREDITS

Yuji Ukai

Trust: 0.6

sources: CNNVD: CNNVD-200604-546

SOURCES

db: CERT/CC, id: VU#477604
db: VULHUB, id: VHN-18194
db: BID, id: 17712
db: JVNDB, id: JVNDB-2006-003966
db: PACKETSTORM, id: 45765
db: CNNVD, id: CNNVD-200604-546
db: NVD, id: CVE-2006-2086

LAST UPDATE DATE

2024-08-14T14:29:13.796000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#477604, date: 2006-05-04T00:00:00
db: VULHUB, id: VHN-18194, date: 2018-10-18T00:00:00
db: BID, id: 17712, date: 2006-04-27T18:21:00
db: JVNDB, id: JVNDB-2006-003966, date: 2014-03-11T00:00:00
db: CNNVD, id: CNNVD-200604-546, date: 2006-04-30T00:00:00
db: NVD, id: CVE-2006-2086, date: 2018-10-18T16:38:06.257

SOURCES RELEASE DATE

db: CERT/CC, id: VU#477604, date: 2006-05-04T00:00:00
db: VULHUB, id: VHN-18194, date: 2006-04-29T00:00:00
db: BID, id: 17712, date: 2006-04-26T00:00:00
db: JVNDB, id: JVNDB-2006-003966, date: 2014-03-11T00:00:00
db: PACKETSTORM, id: 45765, date: 2006-04-27T21:57:26
db: CNNVD, id: CNNVD-200604-546, date: 2006-04-29T00:00:00
db: NVD, id: CVE-2006-2086, date: 2006-04-29T10:02:00