VARIoT IoT vulnerabilities database
VAR-200605-0001 | CVE-2006-0561 | Cisco Secure Access Control Server for Windows password cracking vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Cisco Secure Access Control Server (ACS) 3.x for Windows stores ACS administrator passwords and the master key in the registry with insecure permissions, which allows local users and remote administrators to decrypt the passwords by using Microsoft's cryptographic API functions to obtain the plaintext version of the master key. Cisco Secure ACS is susceptible to an insecure password-storage vulnerability. This issue is due to a failure of the application to properly secure sensitive password information.
This issue allows attackers to gain access to encrypted passwords and to the key used to encrypt them. This allows them to obtain the plaintext passwords, aiding them in attacking other services that depend on the ACS server for authentication.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Symantec Vulnerability Research
https://www.symantec.com/research
Security Advisory
Advisory ID : SYMSA-2006-003
Advisory Title: Cisco Secure ACS for Windows - Administrator Password Disclosure
Author : Andreas Junestam
Release Date : 05-08-2006
Application : Cisco Secure ACS 3.x for Windows
Platform : Microsoft Windows
Severity : System access / exploit available
Vendor status : Vendor verified, workaround available
CVE Number : CVE-2006-0561
Reference : http://www.securityfocus.com/bid/16743
Overview:
Cisco Secure ACS is a central administration platform for
Cisco network devices. It controls authentication and
authorization for enrolled devices. Administrative
passwords for locally-defined users are stored in such a
way that they can be obtained from the Windows registry.
The passwords are encrypted using the Crypto API Microsoft
Base Cryptographic Provider v1.0. A locally generated master
key is used to encrypt/decrypt the ACS administrator
passwords. The master key is also stored in the Windows
registry in an encrypted format. This information can easily
be obtained locally by a Windows administrator, and if remote
registry access is enabled, it can be obtained over the
network. With this, the clear-text passwords can be recovered
by decrypting the information in the registry with the
supplied key.
Workaround:
One feature of Windows operating systems is the ability to
modify the permissions of a registry key to remove access
even for local or domain administrators. The following
registry key and all of its sub-keys need to be protected:
HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators
Note: The "CiscoAAAv3.3" portion of the registry key path
may differ slightly depending on the version of Cisco Secure
ACS for Windows that is installed. The Windows users that
need permissions to the registry key will depend on the
deployment type.
For information about editing the Windows registry and on
restricting remote registry access, please consult the
following Microsoft documentation:
"How to restrict access to the registry from a remote computer"
http://support.microsoft.com/kb/q153183
"How to Manage Remote Access to the Registry"
http://support.microsoft.com/kb/q314837
Recommendation:
Follow your organization's testing procedures before
applying patches or workarounds. See Cisco's instructions
on how to place an ACL on the Registry Key, and also how
to restrict remote access to the Windows registry.
These recommendations do not eliminate the vulnerability,
but provide some mitigation.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CVE-2006-0561
-------Symantec Vulnerability Research Advisory Information-------
For questions about this advisory, or to report an error:
research@symantec.com
For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf
Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/
Symantec Vulnerability Research PGP Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_PGP.asc
-------------Symantec Product Advisory Information-------------
To Report a Security Vulnerability in a Symantec Product:
secure@symantec.com
For general information on Symantec's Product Vulnerability
reporting and response:
http://www.symantec.com/security/
Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html
Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc
---------------------------------------------------------------
Copyright (c) 2006 by Symantec Corp.
Permission to redistribute this alert electronically is granted
as long as it is not edited in any way unless authorized by
Symantec Consulting Services. Reprinting the whole or part of
this alert in any medium other than electronically requires
permission from cs_advisories@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information.
Symantec, Symantec products, and Symantec Consulting Services are
registered trademarks of Symantec Corp. and/or affiliated companies
in the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole
property of their respective companies/owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEXR5muk7IIFI45IARArK+AJwOzswbkJN2WirzNweklR+iBBHpsQCgyNOe
vKVo3Si7ycswRs/2kiA997I=
=dkX3
-----END PGP SIGNATURE-----
VAR-200605-0002 | CVE-2006-0515 | Cisco PIX Firewall URL filtering bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco PIX/ASA 7.1.x before 7.1(2) and 7.0.x before 7.0(5), PIX 6.3.x before 6.3.5(112), and FWSM 2.3.x before 2.3(4) and 3.x before 3.1(7), when used with Websense/N2H2, allows remote attackers to bypass HTTP access restrictions by splitting the GET method of an HTTP request into multiple packets, which prevents the request from being sent to Websense for inspection, aka bugs CSCsc67612, CSCsc68472, and CSCsd81734. Multiple Cisco products are susceptible to a content-filtering bypass vulnerability. This issue is due to a failure of the software to properly recognize HTTP request traffic.
This issue allows users to bypass content-filtering and access forbidden websites.
Cisco is tracking this issue as Bug IDs CSCsc67612, CSCsc68472, and CSCsd81734:
http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd81734
Cisco PIX is a very popular network firewall, and FWSM is a firewall service module on Cisco equipment. Attackers can use this loophole to bypass Websense content inspection and filtering.
George D. Gal has reported a vulnerability in Cisco PIX/ASA/FWSM, which can be exploited by malicious people to bypass certain security restrictions.
Successful exploitation requires that PIX, ASA, or FWSM are
configured to use Websense/N2H2 for content filtering.
* Cisco PIX/ASA software version 7.x.
* Cisco FWSM software version 2.3 and 3.1.
SOLUTION:
Update to the fixed versions.
FWSM version 2.3:
Update to version 2.3(4).
http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-fwsm?psrtdcat20e2
FWSM version 3.1:
Update to version 3.1(1.7).
Contact Cisco TAC or Cisco support partner for the updates.
PIX version 6.3.x:
Update to version 6.3.5(112).
Contact Cisco TAC or Cisco support partner for the updates.
PIX/ASA version 7.x:
Update to version 7.0(5) or 7.1(2).
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2
PROVIDED AND/OR DISCOVERED BY:
George D. Gal
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sr-20060508-pix.shtml
Virtual Security Research, LLC:
http://www.vsecurity.com/bulletins/advisories/2006/cisco-websense-bypass.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: WebSense content filter bypass when deployed in
conjunction with Cisco filtering devices
Release Date: 2006-05-08
Application: Websense in Conjunction with Cisco PIX
Version: Websense 5.5.2
Cisco PIX OS / ASA < 7.0.4.12
Cisco PIX OS < 6.3.5(112)
FWSM 2.3.x
FWSM 3.x
(other versions untested)
Severity: Low
Author: George D. Gal <ggal_at_vsecurity.com>
Vendor Status: Vendor Notified, Fix Available
CVE Candidate: CVE-2006-0515
Reference:
http://www.vsecurity.com/bulletins/advisories/2006/cisco-websense-bypass.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product Description:
From the WebSense website[1]:
"Websense Enterprise, the industry-leading web filtering solution,
improves employee productivity, reduces legal liability, and optimizes
the use of IT resources. Websense Enterprise integrates seamlessly
with leading network infrastructure products to offer unequaled
flexibility and control."
Vulnerability Overview:
On August 9th, 2005 VSR identified the ability to bypass the
Websense URL filtering capabilities when used in conjunction with the
Cisco PIX for web content filtering. Shortly thereafter another
security researcher [sledge.hammer(a+t)sinhack.net] published[2] a
proof-of-concept for evading the URL filtering performed by Websense,
claiming that Websense had failed to address the issue. However, the
vulnerability has been verified by Cisco as a problem that lies
within its handling of filtered requests.
When the HTTP request is split into two or more packets at the
HTTP method, it is possible to circumvent the filtering mechanism.
Additionally, requests using this fragmented approach do not appear to
be logged within Websense, indicating that the request is never sent to
Websense for policy inspection.
The simplest form required to exploit this vulnerability is to fragment
the first character of the HTTP request, followed by a single TCP packet
for subsequent data (e.g. setting the PSH flag on the individual packets).
Virtual Security Research has created a utility[3] to demonstrate the
ability to bypass Websense filtering for the affected versions of Cisco
filtering devices enumerated in this advisory header. You may download
and run this utility at your own risk from:
http://www.vsecurity.com/tools/WebsenseBypassProxy.java
The following Snort output demonstrates the fragmented request capable
of bypassing Websense:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
11/04-10:06:36.260991 0:B:DB:DE:19:87 -> 0:0:C:7:AC:5 type:0x800 len:0x43
10.254.5.113:58034 -> 82.165.25.125:80 TCP TTL:64 TOS:0x0 ID:1534
IpLen:20 DgmLen:53 DF
***AP*** Seq: 0xF5B80F51 Ack: 0x21D6E47 Win: 0x8040 TcpLen: 32
TCP Options (3) => NOP NOP TS: 148674 160066961
47 G
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/04-10:06:36.359288 0:30:7B:93:19:4C -> 0:B:DB:DE:19:87 type:0x800
len:0x42
82.165.25.125:80 -> 10.254.5.113:58034 TCP TTL:49 TOS:0x0 ID:36972
IpLen:20 DgmLen:52 DF
***A**** Seq: 0x21D6E47 Ack: 0xF5B80F52 Win: 0x16A0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 160066973 148674
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/04-10:06:36.359387 0:B:DB:DE:19:87 -> 0:0:C:7:AC:5 type:0x800 len:0x185
10.254.5.113:58034 -> 82.165.25.125:80 TCP TTL:64 TOS:0x0 ID:1535
IpLen:20 DgmLen:375 DF
***AP*** Seq: 0xF5B80F52 Ack: 0x21D6E47 Win: 0x8040 TcpLen: 32
TCP Options (3) => NOP NOP TS: 148683 160066973
45 54 20 2F 66 61 76 69 63 6F 6E 2E 69 63 6F 20 ET /favicon.ico
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 HTTP/1.1..Host:
77 77 77 2E 70 68 72 61 63 6B 2E 6F 72 67 0D 0A www.phrack.org..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Agent: Mozi
6C 6C 61 2F 35 2E 30 20 28 58 31 31 3B 20 55 3B lla/5.0 (X11; U;
20 46 72 65 65 42 53 44 20 69 33 38 36 3B 20 65 FreeBSD i386; e
6E 2D 55 53 3B 20 72 76 3A 31 2E 37 2E 39 29 20 n-US; rv:1.7.9)
47 65 63 6B 6F 2F 32 30 30 35 30 37 31 38 20 46 Gecko/20050718 F
69 72 65 66 6F 78 2F 31 2E 30 2E 35 0D 0A 41 63 irefox/1.0.5..Ac
63 65 70 74 3A 20 69 6D 61 67 65 2F 70 6E 67 2C cept: image/png,
2A 2F 2A 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70 */*;q=0.5..Accep
74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 t-Language: en-u
73 2C 65 6E 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 s,en;q=0.5..Acce
70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 pt-Encoding: gzi
70 2C 64 65 66 6C 61 74 65 0D 0A 41 63 63 65 70 p,deflate..Accep
74 2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38 t-Charset: ISO-8
38 35 39 2D 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 859-1,utf-8;q=0.
37 2C 2A 3B 71 3D 30 2E 37 0D 0A 4B 65 65 70 2D 7,*;q=0.7..Keep-
41 6C 69 76 65 3A 20 63 6C 6F 73 65 0D 0A 43 6F Alive: close..Co
6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D nnection: close.
0A 0D 0A ...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/04-10:06:36.458004 0:30:7B:93:19:4C -> 0:B:DB:DE:19:87 type:0x800
len:0x42
82.165.25.125:80 -> 10.254.5.113:58034 TCP TTL:49 TOS:0x0 ID:55157
IpLen:20 DgmLen:52 DF
***A**** Seq: 0x21D6E47 Ack: 0xF5B81095 Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 160066982 148683
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
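The capture above shows why a filter that examines each TCP segment on its own never sees a request line: the first segment carries only "G". The following Python is an added example, not the VSR utility and not code from Cisco or Websense; it contrasts that weak per-segment check with inspection of the reassembled client stream, which is what a URL filter must do before deciding whether to consult Websense. The two segment payloads are constructed from the Snort trace (sequence numbers kept); the function names are this example's own.

```python
"""Per-segment versus stream-reassembled HTTP request inspection.

Added example; not the VSR utility nor any Cisco or Websense code.
A filter that only looks at the segment that opens the connection sees
no request line when the method is split, while a filter that
reassembles the client stream first does.
"""
import re
from typing import List, Optional, Tuple

Segment = Tuple[int, bytes]  # (TCP sequence number, payload)

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"\r\nHost: ([^\r\n]+)\r\n")

# Constructed from the capture above: "G" alone, then the rest of the request.
SPLIT_REQUEST: List[Segment] = [
    (0xF5B80F51, b"G"),
    (0xF5B80F52, b"ET /favicon.ico HTTP/1.1\r\nHost: www.phrack.org\r\n\r\n"),
]

# The same request as a normal client sends it, in a single segment.
WHOLE_REQUEST: List[Segment] = [
    (0xF5B80F51, b"GET /favicon.ico HTTP/1.1\r\nHost: www.phrack.org\r\n\r\n"),
]


def _parse_request(data: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (method, target, host) if data starts with a complete request
    line followed by a Host header, else None."""
    line = REQUEST_LINE.match(data)
    host = HOST_HEADER.search(data)
    if not line or not host:
        return None
    return (line.group(1).decode(), line.group(2).decode(), host.group(1).decode())


def per_segment_request(segments: List[Segment]) -> Optional[Tuple[str, str, str]]:
    """The weak check: only the segment that opens the stream is examined."""
    first_payload = min(segments, key=lambda s: s[0])[1]
    return _parse_request(first_payload)


def reassemble(segments: List[Segment]) -> bytes:
    """Order segments by sequence number, drop retransmitted overlap, and stop
    at the first gap (a real inspector would wait for the missing bytes)."""
    data = b""
    expected = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq > expected:
            break  # gap: bytes still missing, cannot go further
        data += payload[expected - seq:]  # skip bytes already seen
        expected = max(expected, seq + len(payload))
    return data


def stream_request(segments: List[Segment]) -> Optional[Tuple[str, str, str]]:
    """The correct check: parse the request line from the reassembled stream."""
    return _parse_request(reassemble(segments))


if __name__ == "__main__":
    for name, segs in (("split", SPLIT_REQUEST), ("whole", WHOLE_REQUEST)):
        print(name, "per-segment:", per_segment_request(segs),
              "stream:", stream_request(segs))
```

Run stand-alone it prints that the split request yields nothing to the per-segment check but a full GET for www.phrack.org after reassembly; the same holds when the segments arrive out of order or with a retransmitted overlap, which is why the reassembly keeps the byte offset rather than just concatenating payloads.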
Vendor Response:
WebSense and Cisco were first notified on 2005-11-04. While no responses
or acknowledgments were received from Websense, the following timeline
outlines the responses from Cisco regarding this issue:
2005-11-04 - Acknowledgment of security notification
2005-12-02 - Subsequent follow-up and response from Cisco to determine cause of observed behavior
2006-01-04 - Subsequent follow-up and response from Cisco acknowledging issue is being addressed by development teams
2006-01-30 - Estimated release of PIX code for 7.0.4 release is 2/20/2006
2006-02-17 - Notified by Cisco that fix will not make estimated delivery date due to regression issues; new release date of 3/20/2006 provided
2006-03-06 - Status update from vendor on new date; targets on track for 7.0 PIX OS release
2006-03-13 - Confirmation from Cisco on 3/20 code release
2006-03-17 - Communications from Cisco notifying VSR of other potential products affected (FWSM)
2006-03-24 - Communications received from Cisco acknowledging communication with FWSM team
2006-04-04 - Communication received from Cisco acknowledging FWSM vulnerability
2006-04-07 - Communications from Cisco confirming fixes for FWSM 2.3.x and 3.x; PSIRT awaiting release date for code
2006-04-14 - Communications from Cisco providing coordination details with FWSM team
2006-04-18 - Communications from Cisco providing build details incorporating fixes for FWSM products
2006-04-26 - Communications from Cisco providing details and update on FWSM testing and release availability; coordination for advisory release
2006-05-04 - Communications from Cisco for advisory release coordination
Recommendation:
Cisco PIX/ASA and FWSM customers should apply the latest upgrades from
vendor:
PIX OS 7.0.x upgrade is:
7.0.4.12
available at:
http://www.cisco.com/cgi-bin/tablebuild.pl/pix-interim
http://www.cisco.com/cgi-bin/tablebuild.pl/asa-interim
PIX OS 6.3 upgrade is:
6.3.5(112)
available by customer request via the Cisco TAC
FWSM 2.3.x upgrade is:
2.3(4)
available at:
http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm
FWSM 3.x upgrade is:
3.1(1.7)
available by customer request via the Cisco TAC
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CVE-2006-0515
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
References:
1. WebSense Enterprise
http://www.websense.com/global/en/ProductsServices/WebsenseEnterprise/
2. Sinhack.net URL Filtering Evasion
http://sinhack.net/URLFilteringEvasion/
3. Proof-of-Concept WebSense Bypass utility
http://www.vsecurity.com/tools/WebsenseBypassProxy.java
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Vulnerability Disclosure Policy:
http://www.vsecurity.com/disclosurepolicy.html
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Copyright 2006 Virtual Security Research, LLC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFEX2nxTY6Rj3GeBOoRAucJAKCM5Bvtn/hyuDSC/87eLEIPDLZmSgCffMYc
zVXMT1rLZxcJ0PDF4qWjlDQ=
=LrNn
-----END PGP SIGNATURE-----
VAR-200605-0499 | CVE-2006-2226 | XM Easy Personal FTP Server Buffer Overflow Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in XM Easy Personal FTP Server 4.2 and 5.0.1 allows remote authenticated users to cause a denial of service via a long argument to the PORT command. A buffer may be overrun with attacker-supplied data.
Exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the ftp server application. Failed exploit attempts will likely crash applications, denying service to legitimate users.
----------------------------------------------------------------------
Secunia Survey
Secunia would like to invite you to participate in an electronic survey
evolving the usefulness of our mailing lists. To value your effort
Secunia will offer you free access to the Secunia Security Manager for
three months as well as have a prize draw for an iPod nano.
We hope that you will give us a few minutes of your time, as your
response will help us provide you with better services in the future.
The questionnaire contains 19 questions and it takes approximately 5
minutes to answer the questionnaire.
https://ca.secunia.com/survey/?survey_url=kei933wBid2
The survey is being conducted in accordance with the general Secunia
Security Policy and your answers will of course be kept strictly
confidential.
The vulnerability is caused due to a boundary error within the
handling of the USER command. This can be exploited to cause a
heap-based buffer overflow via overly long arguments passed to the
command.
The vulnerability has been confirmed in version 4.3. Prior versions
may also be affected.
SOLUTION:
Filter malicious requests in a proxy or firewall with FTP filtering
capabilities.
PROVIDED AND/OR DISCOVERED BY:
Muhammad Ahmed Siddiqui
VAR-200605-0161 | CVE-2006-2267 | Kerio WinRoute Firewall protocol inspector denial-of-service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Kerio WinRoute Firewall before 6.2.1 allows remote attackers to cause a denial of service (application crash) via unknown vectors in the "email protocol inspectors," possibly (1) SMTP and (2) POP3. Kerio WinRoute Firewall is prone to a remote denial-of-service vulnerability. The exact cause of this issue is currently unknown.
This issue affects Kerio WinRoute Firewall versions prior to 6.2.1. Kerio WinRoute Firewall is a widely popular firewall software system.
----------------------------------------------------------------------
TITLE:
Kerio WinRoute Firewall Protocol Inspection Denial of Service
SECUNIA ADVISORY ID:
SA19947
VERIFY ADVISORY:
http://secunia.com/advisories/19947/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
From remote
SOFTWARE:
Kerio WinRoute Firewall 6.x
http://secunia.com/product/3613/
DESCRIPTION:
A vulnerability has been reported in Kerio WinRoute Firewall, which
can be exploited by malicious people to cause a DoS (Denial of
Service).
The vulnerability is caused due to an unspecified error in the SMTP
and POP3 protocol inspectors. This can be exploited to crash the
service when a malformed e-mail is sent via SMTP or received via
POP3.
SOLUTION:
Update to version 6.2.1 or later.
http://www.kerio.com/kwf_download.html
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.kerio.com/kwf_history.html
VAR-200605-0584 | CVE-2006-2229 | OpenVPN management interface TCP session information disclosure vulnerability |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
OpenVPN 2.0.7 and earlier, when configured to use the --management option with an IP that is not 127.0.0.1, uses a cleartext password for TCP sessions to the management interface, which might allow remote attackers to view sensitive information or cause a denial of service. OpenVPN is prone to a denial-of-service vulnerability.
VAR-200605-0497 | CVE-2006-2224 | Quagga RIPd Route Injection Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly enforce RIPv2 authentication requirements, which allows remote attackers to modify routing state via RIPv1 RESPONSE packets.
------------ This vulnerability information summarizes multiple vulnerabilities released at the same time. Note that it also covers issues other than the one named in the title. ------------
Quagga and GNU Zebra are collections of daemons that support the basic TCP/IP routing protocols. Among them, RIPd and bgpd are the daemons that handle the RIP and BGP protocols. Quagga and GNU Zebra have several security issues:
1) The RIPd daemon responds to RIPv1 requests regardless of whether authentication is configured, even when it is set to accept RIPv2 only. (CVE-2006-2223) A remote attacker could exploit this to obtain routing information illegitimately by using packets such as SEND UPDATE or REQUEST.
2) The RIPd daemon accepts unauthenticated RIPv1 packets even though RIPv2 authentication is enabled.
3) The bgpd daemon has a flaw in the community_str2com() function; executing the "show ip bgp" command from the Telnet management interface can cause an infinite loop that consumes CPU resources. (CVE-2006-2276) A local attacker could exploit this to eventually render the target system unable to provide service.
Please refer to the "Overview" for the impact of this vulnerability.
Quagga is susceptible to remote information-disclosure and route-injection vulnerabilities. The application fails to properly ensure that required authentication and protocol configuration options are enforced.
These issues allow remote attackers to gain access to potentially sensitive network-routing configuration information and to inject arbitrary routes into the RIP routing table. This may aid malicious users in further attacks against targeted networks.
Quagga versions 0.98.5 and 0.99.3 are vulnerable to these issues; other versions may also be affected.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
--------------------------------------------------------------------------
Debian Security Advisory DSA 1059-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
May 19th, 2006                          http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : quagga
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2006-2223 CVE-2006-2224 CVE-2006-2276
BugTraq ID : 17808
Debian Bugs : 365940 366980
Konstantin Gavrilenko discovered several vulnerabilities in quagga,
the BGP/OSPF/RIP routing daemon.
CVE-2006-2276
Fredrik Widell discovered that local users can cause a denial
of service via a certain sh ip bgp command entered in the telnet
interface.
The old stable distribution (woody) does not contain quagga packages.
For the stable distribution (sarge) these problems have been fixed in
version 0.98.3-7.2.
For the unstable distribution (sid) these problems have been fixed in
version 0.99.4-1.
We recommend that you upgrade your quagga package.
Upgrade Instructions
--------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
--------------------------------
Source archives:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2.dsc
Size/MD5 checksum: 725 e985734e8ee31a87ff96f9c9b7291fa5
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2.diff.gz
Size/MD5 checksum: 43801 fe5b28230c268fe7ab141453a82c473c
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3.orig.tar.gz
Size/MD5 checksum: 2118348 68be5e911e4d604c0f5959338263356e
Architecture independent components:
http://security.debian.org/pool/updates/main/q/quagga/quagga-doc_0.98.3-7.2_all.deb
Size/MD5 checksum: 488700 c79865480dfe140b106d39111b5379ba
Alpha architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_alpha.deb
Size/MD5 checksum: 1611704 c44bc78a27990ca9d77fe4529c04e42a
AMD64 architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_amd64.deb
Size/MD5 checksum: 1412990 7ab17ec568d3f0e2122677e81db5a2e2
ARM architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_arm.deb
Size/MD5 checksum: 1290442 9a5d285ffe43d8b05c470147c48357d5
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_i386.deb
Size/MD5 checksum: 1191426 a0438042e1935582b66a44f17e62b40b
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_ia64.deb
Size/MD5 checksum: 1829114 9e6e40afc51734c572de0f4e6e2d6519
HP Precision architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_hppa.deb
Size/MD5 checksum: 1447726 4f6d058646cd78f86994eee61359df22
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_m68k.deb
Size/MD5 checksum: 1159670 1438a6da0f5c0672075438df92e82695
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_mips.deb
Size/MD5 checksum: 1352522 567e463657f21ec64870c1a243012b49
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_mipsel.deb
Size/MD5 checksum: 1355460 3dec77ae54b897882091bb5501b349c7
PowerPC architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_powerpc.deb
Size/MD5 checksum: 1316776 adaa0828d830d7145236ee2f216fe46d
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_s390.deb
Size/MD5 checksum: 1401616 41b91f2eb90d26b1482696681552d9cb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_sparc.deb
Size/MD5 checksum: 1287378 3b1624ec028e9f7944edd3fc396b0778
These files will probably be moved into the stable distribution on
its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEbehrW5ql+IAeqTIRAu1bAJ0YQwvwCvugopyXVBCit2SwrYl+SACdF09d
ELcxVZUFQP8s43SsJQ3mlqo=
=Niwk
-----END PGP SIGNATURE-----
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200605-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Quagga Routing Suite: Multiple vulnerabilities
Date: May 21, 2006
Bugs: #132353
ID: 200605-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Quagga's RIP daemon allows the injection of routes and the disclosure
of routing information. The BGP daemon is vulnerable to a Denial of
Service.
Background
==========
The Quagga Routing Suite implements three major routing protocols: RIP
(v1/v2/v3), OSPF (v2/v3) and BGP4.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/quagga < 0.98.6-r1 >= 0.98.6-r1
Description
===========
Konstantin V. Gavrilenko discovered two flaws in the Routing
Information Protocol (RIP) daemon that allow the processing of RIP v1
packets (carrying no authentication) even when the daemon is configured
to use MD5 authentication or, in another case, even if RIP v1 is
completely disabled.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Quagga users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/quagga-0.98.6-r1"
References
==========
[ 1 ] CVE-2006-2223
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2223
[ 2 ] CVE-2006-2224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2224
[ 3 ] CVE-2006-2276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2276
[ 4 ] Official release information
http://www.quagga.net/news2.php?y=2006&m=5&d=8#id1147115280
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200605-15.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-200605-0496 | CVE-2006-2223 | Quagga of RIPd Vulnerabilities in which routing information leaks |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly implement configurations that (1) disable RIPv1 or (2) require plaintext or MD5 authentication, which allows remote attackers to obtain sensitive information (routing state) via REQUEST packets such as SEND UPDATE. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ Quagga and GNU Zebra are collections of daemons that support TCP/IP-based routing protocols; among them, the RIPd and bgpd daemons handle the RIP and BGP protocols. Quagga and GNU Zebra have several security issues: 1) The RIPd daemon responds to RIPv1 requests even when only RIPv2 is enabled, regardless of whether authentication is configured. 2) The RIPd daemon accepts unauthenticated RIPv1 packets even though RIPv2 authentication is enabled. (CVE-2006-2224) If exploited by a remote attacker, the RIP routing table may be modified incorrectly via RIPv1 RESPONSE packets. 3) The community_str2com() function of the bgpd daemon is deficient: executing the "show ip bgp" command from the Telnet management interface causes an infinite loop that consumes CPU resources. (CVE-2006-2276) If exploited by a local attacker, the target system can eventually become unserviceable. Please refer to the "Overview" for the impact of this vulnerability. Quagga is susceptible to remote information-disclosure and route-injection vulnerabilities. The application fails to properly ensure that required authentication and protocol configuration options are enforced.
These issues allow remote attackers to gain access to potentially sensitive network-routing configuration information and to inject arbitrary routes into the RIP routing table. This may aid malicious users in further attacks against targeted networks.
Quagga versions 0.98.5 and 0.99.3 are vulnerable to these issues; other versions may also be affected.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 1059-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
May 19th, 2006 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : quagga
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2006-2223 CVE-2006-2224 CVE-2006-2276
BugTraq ID : 17808
Debian Bugs : 365940 366980
Konstantin Gavrilenko discovered several vulnerabilities in quagga,
the BGP/OSPF/RIP routing daemon.
CVE-2006-2276
Fredrik Widell discovered that local users can cause a denial
of service via a certain sh ip bgp command entered in the telnet
interface.
The old stable distribution (woody) does not contain quagga packages.
For the stable distribution (sarge) these problems have been fixed in
version 0.98.3-7.2.
For the unstable distribution (sid) these problems have been fixed in
version 0.99.4-1.
We recommend that you upgrade your quagga package.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2.dsc
Size/MD5 checksum: 725 e985734e8ee31a87ff96f9c9b7291fa5
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2.diff.gz
Size/MD5 checksum: 43801 fe5b28230c268fe7ab141453a82c473c
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3.orig.tar.gz
Size/MD5 checksum: 2118348 68be5e911e4d604c0f5959338263356e
Architecture independent components:
http://security.debian.org/pool/updates/main/q/quagga/quagga-doc_0.98.3-7.2_all.deb
Size/MD5 checksum: 488700 c79865480dfe140b106d39111b5379ba
Alpha architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_alpha.deb
Size/MD5 checksum: 1611704 c44bc78a27990ca9d77fe4529c04e42a
AMD64 architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_amd64.deb
Size/MD5 checksum: 1412990 7ab17ec568d3f0e2122677e81db5a2e2
ARM architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_arm.deb
Size/MD5 checksum: 1290442 9a5d285ffe43d8b05c470147c48357d5
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_i386.deb
Size/MD5 checksum: 1191426 a0438042e1935582b66a44f17e62b40b
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_ia64.deb
Size/MD5 checksum: 1829114 9e6e40afc51734c572de0f4e6e2d6519
HP Precision architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_hppa.deb
Size/MD5 checksum: 1447726 4f6d058646cd78f86994eee61359df22
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_m68k.deb
Size/MD5 checksum: 1159670 1438a6da0f5c0672075438df92e82695
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_mips.deb
Size/MD5 checksum: 1352522 567e463657f21ec64870c1a243012b49
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_mipsel.deb
Size/MD5 checksum: 1355460 3dec77ae54b897882091bb5501b349c7
PowerPC architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_powerpc.deb
Size/MD5 checksum: 1316776 adaa0828d830d7145236ee2f216fe46d
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_s390.deb
Size/MD5 checksum: 1401616 41b91f2eb90d26b1482696681552d9cb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.2_sparc.deb
Size/MD5 checksum: 1287378 3b1624ec028e9f7944edd3fc396b0778
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEbehrW5ql+IAeqTIRAu1bAJ0YQwvwCvugopyXVBCit2SwrYl+SACdF09d
ELcxVZUFQP8s43SsJQ3mlqo=
=Niwk
-----END PGP SIGNATURE-----
VAR-200605-0543 | CVE-2006-2166 | Cisco Unity Express User Authentication Local privilege escalation vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Unspecified vulnerability in the HTTP management interface in Cisco Unity Express (CUE) 2.2(2) and earlier, when running on any CUE Advanced Integration Module (AIM) or Network Module (NM), allows remote authenticated attackers to reset the password for any user with an expired password. Cisco Unity Express (CUE) is prone to a privilege-escalation vulnerability. An attacker could reset the password of a privileged account that has an expired password. Cisco Unity is an advanced unified communications solution for enterprise-level organizations that provides powerful messaging services and intelligent voice messaging services. Cisco Unity has a vulnerability in its handling of user authentication; local attackers may exploit it to elevate their privileges. The problem lies in the authentication process of the HTTP-based management interface. If the target user is an administrator, an attacker could gain administrator privileges on the device.
TITLE:
Cisco Unity Express Expired Password Change Vulnerability
SECUNIA ADVISORY ID:
SA19881
VERIFY ADVISORY:
http://secunia.com/advisories/19881/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Manipulation of data
WHERE:
From local network
SOFTWARE:
Cisco Unity Express 2.x
http://secunia.com/product/5151/
DESCRIPTION:
A vulnerability has been reported in Cisco Unity Express (CUE), which
can be exploited by malicious users to manipulate certain
information.
The vulnerability is caused due to missing restrictions in the HTTP
management interface during password changes. This makes it possible
for an authenticated user to change the password for another user
with an expired password (including newly created users with
blank/randomly selected passwords).
Successful exploitation may e.g. grant administrative privileges on a
CUE module, if the changed expired password belongs to an
administrative user.
SOLUTION:
Update to version 2.3(1) or later.
http://www.cisco.com/pcgi-bin/tablebuild.pl/cue-231?psrtdcat20e2
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Xu He and Keith Vaughan, Bank of America
Application Assessment Team.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060501-cue.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200605-0505 | CVE-2006-2129 | Pro Publish set_inc.php Direct Static Code Injection Vulnerability |
CVSS V2: 5.5 CVSS V3: - Severity: MEDIUM |
Direct static code injection vulnerability in Pro Publish 2.0 allows remote authenticated administrators to execute arbitrary PHP code by editing certain settings, which are stored in set_inc.php. Impact: remote attackers can exploit the vulnerabilities to obtain sensitive information. Attack prerequisites: an attacker must be able to access DeltaScripts PHP Pro Publish. Vulnerability information: DeltaScripts PHP Pro Publish is a PHP-based article management program. Multiple scripts fail to filter web parameters submitted by users, so submitting malicious SQL data can alter the original SQL logic and disclose sensitive information. No vendor solution is currently available: http://www.deltascripts.com/propublish. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
1) Input passed to the "email" and "password" parameters in
admin/login.php, to the "find_str" parameter in search.php, and to
the "catid" parameter in cat.php isn't properly sanitised before
being used in a SQL query. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code.
Successful exploitation of certain parameters requires that
"magic_quotes_gpc" is disabled.
Successful exploitation requires that "magic_quotes_gpc" is
disabled.
The vulnerabilities have been confirmed in version 2.0. Other
versions may also be affected.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
Aliaksandr Hartsuyeu
ORIGINAL ADVISORY:
http://evuln.com/vulns/131/summary.html
VAR-200605-0504 | CVE-2006-2128 | CNVD-2006-2796 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Impact: remote attackers can exploit the vulnerability to obtain sensitive information. Attack prerequisites: an attacker must be able to access DeltaScripts PHP Pro Publish. Vulnerability information: DeltaScripts PHP Pro Publish is a PHP-based article management program. DeltaScripts PHP Pro Publish incorrectly filters URI data submitted by users, and remote attackers can exploit this to obtain sensitive information. Multiple scripts fail to filter web parameters submitted by users, so submitting malicious SQL data can alter the original SQL logic and disclose sensitive information. No vendor solution is currently available: http://www.deltascripts.com/propublish. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
1) Input passed to the "email" and "password" parameters in
admin/login.php, to the "find_str" parameter in search.php, and to
the "catid" parameter in cat.php isn't properly sanitised before
being used in a SQL query. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code.
Successful exploitation of certain parameters requires that
"magic_quotes_gpc" is disabled.
2) It is possible for the administrative user to inject arbitrary PHP
code into the set_inc.php file via specially-crafted input in the
"Settings" page.
Successful exploitation requires that "magic_quotes_gpc" is
disabled.
The vulnerabilities have been confirmed in version 2.0. Other
versions may also be affected.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
Aliaksandr Hartsuyeu
ORIGINAL ADVISORY:
http://evuln.com/vulns/131/summary.html
VAR-200605-0019 | CVE-2006-2277 | Apple Mac OS X ImageIO OpenEXR Image File Remote Denial Of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Multiple Apple Mac OS X 10.4 applications might allow context-dependent attackers to cause a denial of service (application crash) via a crafted OpenEXR (.exr) image file, which triggers the crash when opening a folder using Finder, displaying the image in Safari, or using Preview to open the file. ImageIO is susceptible to a remote denial-of-service vulnerability. This issue is due to a failure to properly process malicious OpenEXR image files.
This issue allows remote users to crash applications that use the ImageIO API, denying further service to users.
VAR-200604-0560 | CVE-2006-2087 | Gmax Mail client in Hitachi Groupmax Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Gmax Mail client in Hitachi Groupmax before 20060426 allows remote attackers to cause a denial of service (application hang or erroneous behavior) via an attachment with an MS-DOS device filename. Some email clients contain a vulnerability that may crash them, because they do not properly handle an attached file with a particular file name. The actual impact may differ depending on the email client, but clients may crash when handling an attached file with a particular file name. Other possible impacts are that the attached file is not saved, that the client hangs during the saving process, or that the application displays an error message related to the attached file. Groupmax Integrated Desktop is prone to a denial-of-service vulnerability.
TITLE:
Groupmax Mail Client Attachment Filename Handling Weakness
SECUNIA ADVISORY ID:
SA19840
VERIFY ADVISORY:
http://secunia.com/advisories/19840/
CRITICAL:
Not critical
IMPACT:
DoS
WHERE:
From remote
SOFTWARE:
Groupmax World Wide Web Desktop 5.x
http://secunia.com/product/4333/
Groupmax World Wide Web 3.x
http://secunia.com/product/4332/
Groupmax World Wide Web 2.x
http://secunia.com/product/4331/
Groupmax Mail 7.x
http://secunia.com/product/6160/
Groupmax Mail 6.x
http://secunia.com/product/6159/
Groupmax Integrated Desktop Version 7.x
http://secunia.com/product/9565/
Groupmax Integrated Desktop Version 6.x
http://secunia.com/product/9564/
Groupmax Integrated Desktop Version 5.x
http://secunia.com/product/9563/
Groupmax Integrated Desktop Version 3.x
http://secunia.com/product/9562/
Groupmax Integrated Desktop Version 2.x
http://secunia.com/product/9561/
Groupmax World Wide Web Desktop 6.x
http://secunia.com/product/4334/
Groupmax World Wide Web Desktop for Jichitai 6.x
http://secunia.com/product/4335/
DESCRIPTION:
A weakness has been reported in Groupmax Mail Client, which
potentially can be exploited by malicious people to cause a DoS
(Denial of Service).
The weakness is caused due to an error within the handling of email
attachments.
The weakness has been reported in the following products:
* Groupmax Integrated Desktop version 3, 5, 6, 7.
* Mail Client version 02-00 through 02-31-/E.
* GroupMail/Client(DOS/V) version 01-21-/C through 01-21-/D.
* GroupMail/Client version 01-01 through 01-21-/G.
* Groupmax World Wide Web Desktop Version 2, 3, 5, 6.
SOLUTION:
Apply patches (see patch matrix in the vendor advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.hitachi-support.com/security_e/vuls_e/HS06-006_e/index-e.html
VAR-200604-0523 | CVE-2006-2108 | Oce 3121/3122 parser.exe Printer Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
parser.exe in Océ (OCE) 3121/3122 Printer allows remote attackers to cause a denial of service (crash or reboot) via a long request, possibly triggering a buffer overflow. The Oce 2121/3122 printer is prone to a remote denial-of-service vulnerability. This issue is due to a failure in the device to properly handle user-supplied data.
An attacker can exploit this issue to crash the device, effectively denying service to legitimate users.
TITLE:
Océ 3121/3122 Printer Long URL Denial of Service
SECUNIA ADVISORY ID:
SA19847
VERIFY ADVISORY:
http://secunia.com/advisories/19847/
CRITICAL:
Less critical
IMPACT:
DoS
WHERE:
From local network
OPERATING SYSTEM:
OCE 3121/3122
http://secunia.com/product/9606/
DESCRIPTION:
Herman Groeneveld has reported a vulnerability in Océ 3121/3122
Printer, which can be exploited by malicious people to cause a DoS
(Denial of Service).
The vulnerability is caused due to an error in the built-in webserver
when handling user-supplied URL. This can be exploited to cause the
printer to stop printing until it is restarted.
SOLUTION:
Restrict access of the printer to trusted users only.
PROVIDED AND/OR DISCOVERED BY:
Herman Groeneveld
ORIGINAL ADVISORY:
http://milw0rm.com/exploits/1718
VAR-200604-0570 | CVE-2006-2068 | Hitachi JP1 Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Hitachi JP1 products allows remote attackers to cause a denial of service (application stop or fail) via unexpected requests or data. An unknown vulnerability exists in Hitachi JP1 products. Multiple JP1 products are prone to a denial-of-service vulnerability.
This issue affects multiple models and versions of Hitachi JP1 products. Specific models and versions will be listed in future revisions of this BID.
TITLE:
Hitachi Multiple JP1 Products Denial of Service
SECUNIA ADVISORY ID:
SA19841
VERIFY ADVISORY:
http://secunia.com/advisories/19841/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
From remote
SOFTWARE:
Hitachi JP1/Server Conductor/Server Manager
http://secunia.com/product/9572/
Hitachi JP1/Server Conductor/Blade Server Manager
http://secunia.com/product/9571/
Hitachi JP1/Security Integrated Manager
http://secunia.com/product/9574/
Hitachi JP1/PFM/SNMP System Observer (SSO)
http://secunia.com/product/9566/
Hitachi JP1/Performance Management (PFM)
http://secunia.com/product/9568/
Hitachi JP1/File Access Control
http://secunia.com/product/9573/
Hitachi JP1/Cm2/Network Node Manager
http://secunia.com/product/9570/
Hitachi JP1/Automatic Job Management System 2 (AJS2)
http://secunia.com/product/9567/
DESCRIPTION:
A vulnerability has been reported in multiple JP1 products, which can
be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when handling certain
specially crafted data or requests. This can be exploited to cause
the products to stop responding.
The vulnerability has been reported in the following products:
* JP1/PFM/SNMP System Observer
* JP1/Server System Observer
* JP1/Automatic Job Management System 2
* JP1/Performance Management
* Cm2/Network Node Manager Enterprise/Unlimited/250
* JP1/Cm2/Network Node Manager Enterprise/250
* JP1/Server Conductor/Blade Server Manager
* JP1/Server Conductor/Server Manager
* Server Conductor/Blade Server Manager
* Server Conductor/Server Manager
* System Manager - Management Console
* JP1/File Access Control
* JP1/Security Integrated Manager
SOLUTION:
Apply patches (see patch matrix in the vendor advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.hitachi-support.com/security_e/vuls_e/HS06-007_e/index-e.html
VAR-200604-0552 | CVE-2006-2078 | Multiple vulnerabilities in DNS implementations |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in multiple FITELnet products, including FITELnet-F40, F80, F100, F120, F1000, and E20/E30, allow remote attackers to cause a denial of service via crafted DNS messages that trigger errors in (1) ProxyDNS or (2) PKI-Resolver, as demonstrated by the OUSPG PROTOS DNS test suite. Numerous vulnerabilities have been reported in various Domain Name System (DNS) implementations. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause a DNS implementation to behave in an unstable or unpredictable manner. There are unspecified vulnerabilities in multiple FITELnet products, including FITELnet-F40, F80, F100, F120, F1000 and E20/E30.
Consequences of these vulnerabilities are currently unknown, but remote code execution or denial-of-service attacks may be possible.
This BID will be updated as further information is disclosed.
TITLE:
FITELnet Products DNS Handling Vulnerability
SECUNIA ADVISORY ID:
SA19820
VERIFY ADVISORY:
http://secunia.com/advisories/19820/
CRITICAL:
Moderately critical
IMPACT:
Unknown
WHERE:
From remote
OPERATING SYSTEM:
FITELnet-E Series
http://secunia.com/product/9600/
FITELnet-F Series
http://secunia.com/product/9599/
MUCHO-EV/PK
http://secunia.com/product/9601/
DESCRIPTION:
A vulnerability with unknown impact has been reported in various
FITELnet products.
The vulnerability is caused due to unspecified errors in ProxyDNS and
PKI-Resolver when handling certain malformed DNS packets.
The vulnerability has been reported in the following products:
FITELnet-F40
FITELnet-F80
FITELnet-F100
FITELnet-F120
FITELnet-F1000
FITELnet-E20/E30
MUCHO-EV/PK
SOLUTION:
The vendor is reportedly working on a fix.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor based on DNS Test Tool created by Oulu University
Secure Programming Group.
ORIGINAL ADVISORY:
http://www.furukawa.co.jp/fitelnet/topic/dns2_attacks.html
NISCC:
http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en
----------------------------------------------------------------------
VAR-200604-0559 | CVE-2006-2086 | Juniper Networks IVE client ActiveX control buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in JuniperSetupDLL.dll, loaded from JuniperSetup.ocx by the Juniper SSL-VPN Client when accessing a Juniper NetScreen IVE device running IVE OS before 4.2r8.1, 5.0 before 5.0r6.1, 5.1 before 5.1r8, 5.2 before 5.2r4.1, or 5.3 before 5.3r2.1, allows remote attackers to execute arbitrary code via a long argument in the ProductName parameter. Juniper SSL-VPN Client ActiveX control is prone to a buffer-overflow vulnerability. The software fails to perform sufficient bounds-checking of user-supplied input before copying it to an insufficiently sized memory buffer.
Invoking the object from a malicious website may trigger the condition. If the vulnerability were successfully exploited, this would corrupt process memory, resulting in arbitrary code execution. Juniper's SSL VPN series products provide users with secure remote access services. JuniperSetupDLL.dll is loaded from the JuniperSetup.ocx ActiveX control. If an overly long string is specified in the ProductName parameter, a stack overflow is triggered in a JuniperSetupDLL.dll function:

<object classid="clsid:E5F5D008-DD2C-4D32-977D-1A0ADF03058B" id=NeoterisSetup codebase="path_to_JuniperSetup.cab#version=1,0,0,3">
.....
<PARAM NAME="ProductName" VALUE="AAAAAAA (long 'A')">
.....
<script language=javascript>
NeoterisSetup.startSession();
</script>

The vulnerable function is as follows:

.text:04F15783 ; int __stdcall sub_4F15783_ilvdlp(char *szProductName, LPCSTR lpValueName, LPBYTE lpData, LPDWORD lpcbData)
.text:04F15783 sub_4F15783_ilvdlp proc near
.text:04F15783
.text:04F15783 SubKey = byte ptr -10Ch
.text:04F15783 Type   = dword ptr -8
.text:04F15783 hKey   = dword ptr -4
...

This can be exploited to cause a stack-based buffer overflow when the
control is instantiated with an overly long "ProductName" parameter.
Exploitation requires that a user is tricked into visiting a malicious web site.
The vulnerability has been reported in versions 1.x through 5.x.
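The overflow described above is the classic pattern of an attacker-controlled string being formatted into a fixed-size stack buffer (the 0x10C-byte SubKey local visible in the disassembly). The C code below is an added illustration, not eEye's proof of concept and not Juniper's code: it reconstructs that pattern as a hypothetical registry-subkey builder and places the bounded version beside it. The registry prefix, the function names and the "long run of A" input are assumptions; only the buffer size comes from the disassembly.

```c
#include <stdio.h>
#include <string.h>

/* Size of the SubKey local in the disassembly above: 0x10C = 268 bytes. */
#define SUBKEY_BUF_SIZE 0x10C

/* Hypothetical registry path prefix; the real prefix the control uses is not
 * given on the page. The prefix is 24 bytes, so at most 243 bytes of name fit. */
#define SUBKEY_PREFIX "SOFTWARE\\Neoteris\\Setup\\"

/* Vulnerable pattern (reconstruction, not Juniper's code): the caller-supplied
 * product name is formatted into a fixed-size stack buffer with no length
 * check, so a ProductName longer than the buffer overwrites whatever lies
 * beyond it, including the saved return address. Shown only for contrast;
 * never call it with untrusted input. */
void build_subkey_unsafe(char *subkey, const char *product_name)
{
    sprintf(subkey, "%s%s", SUBKEY_PREFIX, product_name);
}

/* Hardened version: bounded formatting plus an explicit check of the would-be
 * length. Returns 0 on success, -1 if the name does not fit (buffer emptied). */
int build_subkey_safe(char *subkey, size_t subkey_size, const char *product_name)
{
    int n = snprintf(subkey, subkey_size, "%s%s", SUBKEY_PREFIX, product_name);
    if (n < 0 || (size_t)n >= subkey_size) {
        subkey[0] = '\0';
        return -1;
    }
    return 0;
}

/* Boundary pre-check (e.g. before the control's method is allowed to run):
 * 1 if product_name would overflow a SUBKEY_BUF_SIZE buffer, else 0. */
int product_name_would_overflow(const char *product_name)
{
    size_t needed = strlen(SUBKEY_PREFIX) + strlen(product_name) + 1; /* + NUL */
    return needed > SUBKEY_BUF_SIZE;
}

/* Builds a constructed name of `len` copies of `c` (capped at 1023) and tries
 * to fit it into a SUBKEY_BUF_SIZE buffer with the safe builder. Returns its
 * result: 0 when it fits, -1 when it would have overflowed. */
int check_repeated_name(char c, size_t len)
{
    char name[1024];
    char subkey[SUBKEY_BUF_SIZE];
    if (len >= sizeof name) len = sizeof name - 1;
    memset(name, c, len);
    name[len] = '\0';
    return build_subkey_safe(subkey, sizeof subkey, name);
}

int main(void)
{
    char subkey[SUBKEY_BUF_SIZE];

    build_subkey_safe(subkey, sizeof subkey, "IVE");
    printf("short name: %s\n", subkey);
    printf("243 x 'A' fits: %s\n", check_repeated_name('A', 243) == 0 ? "yes" : "no");
    printf("244 x 'A' rejected: %s\n", check_repeated_name('A', 244) == -1 ? "yes" : "no");
    printf("eEye-style long run of 'A' rejected: %s\n",
           check_repeated_name('A', 400) == -1 ? "yes" : "no");
    return 0;
}
```

The exact cut-off (243 bytes here) depends on the assumed prefix; the point is that the hardened builder computes it from the buffer size rather than trusting the caller, which is what the original sprintf-style copy into SubKey fails to do.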
SOLUTION:
Update to IVE software version 5.3r2.1, 5.2r4.1, 5.1r8, 5.0r6.1, or
4.2r8.1.
PROVIDED AND/OR DISCOVERED BY:
Yuji Ukai, eEye Digital Security.
ORIGINAL ADVISORY:
eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20060424.html
Juniper Networks:
http://www.juniper.net/support/security/alerts/PSN-2006-03-013.txt
----------------------------------------------------------------------
VAR-200604-0487 | CVE-2006-2043 | IP3 Networks NetAccess NA75 Multiple Local Vulnerabilities |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 allows local users to gain Unix shell access via "`" (backtick) characters in the appliance's command line interface (CLI). IP3 Networks NetAccess NA75 devices are susceptible to multiple local vulnerabilities:
- A command-injection vulnerability due to insufficient input-sanitization of user-supplied commands. This issue allows attackers to execute arbitrary shell commands in the underlying UNIX-based operating system.
- An encrypted-password information-disclosure vulnerability. This issue may aid attackers in brute-force password-guessing attacks.
- An insecure default-permissions vulnerability. This issue allows attackers to access or corrupt potentially sensitive information.
These issues are present in version 4.0.34 of the device's firmware; other versions may also be affected.
TITLE:
IP3 Networks NA75 SQL Injection Vulnerability and Weaknesses
SECUNIA ADVISORY ID:
SA19818
VERIFY ADVISORY:
http://secunia.com/advisories/19818/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Manipulation of data, Exposure of sensitive
information, Privilege escalation
WHERE:
From local network
OPERATING SYSTEM:
IP3 Networks NA75
http://secunia.com/product/9602/
DESCRIPTION:
Ralph Moonen has reported a vulnerability and some weaknesses in IP3
Networks NA75, which can be exploited by malicious, local users to
potentially gain escalated privileges and disclose or manipulate
sensitive information, or by malicious people to conduct SQL
injection attacks.
1) Some input passed in the web interface is not properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Example:
* The password field during login.
2) Some input validation errors in the command line interface can be
exploited to inject arbitrary shell commands via the "`" backtick
character.
3) The shadow password file has world-readable permissions, which can
be exploited to disclose other users' encrypted passwords.
4) The database file is stored with world-readable and world-writable
permissions.
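The backtick injection reported against the NA75 command line interface (CVE-2006-2043 above) is what happens when a CLI argument is spliced into a string that the appliance later hands to a shell. The C code below is an added example, not IP3's firmware and not Ralph Moonen's proof of concept: a hypothetical "ping <host>" CLI command built the unsafe way, next to positive validation of the argument and an argv array intended for execvp() so that no shell ever sees the value. The command name, the ping path, the metacharacter list and the sample input are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Characters a POSIX shell interprets. The backtick is the vector reported
 * for the NA75 CLI; the rest close the same class of hole. */
static const char SHELL_META[] = "`$|&;<>()\\\"'\n*?[]{}~#";

/* Vulnerable pattern (hypothetical reconstruction, not IP3's code): the CLI
 * argument is spliced into a command line that the appliance later hands to
 * system()/popen(), so a value such as 10.0.0.1`id` runs `id` as a shell
 * command. Returns the length written, or -1 if it did not fit. */
int build_ping_command_unsafe(char *out, size_t out_size, const char *host)
{
    int n = snprintf(out, out_size, "/bin/ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= out_size) ? -1 : n;
}

/* Detection: 1 if the argument contains any shell metacharacter, else 0.
 * Useful for logging attempts even once positive validation is in place. */
int cli_arg_has_shell_meta(const char *arg)
{
    return strpbrk(arg, SHELL_META) != NULL;
}

/* Positive validation: accept only what a hostname or IPv4 literal can
 * contain, and refuse a leading '-' so the value cannot become a ping option. */
int cli_arg_is_safe_host(const char *arg)
{
    size_t len = strlen(arg);
    if (len == 0 || len > 253 || arg[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Hardened pattern: validate, then build an argv for execvp() so no shell is
 * involved at all. argv_out needs room for 5 entries (4 plus NULL). Returns
 * the number of non-NULL entries, or -1 if the argument is rejected. */
int build_ping_argv_safe(const char *host, const char *argv_out[5])
{
    if (!cli_arg_is_safe_host(host)) return -1;
    argv_out[0] = "/bin/ping";
    argv_out[1] = "-c";
    argv_out[2] = "1";
    argv_out[3] = host;
    argv_out[4] = NULL;
    return 4;
}

/* Wrapper returning only the argv count so the accept/reject decision is
 * easy to check. */
int ping_argv_count_for(const char *host)
{
    const char *argv[5];
    return build_ping_argv_safe(host, argv);
}

int main(void)
{
    /* Constructed input: a valid address with a command substitution appended. */
    const char *hostile = "10.0.0.1`id`";
    char cmd[256];

    build_ping_command_unsafe(cmd, sizeof cmd, hostile);
    printf("unsafe command line: %s   (a shell would run `id`)\n", cmd);
    printf("has shell metacharacters: %d\n", cli_arg_has_shell_meta(hostile));
    printf("accepted by validator: %d\n", cli_arg_is_safe_host(hostile));
    printf("argv entries for hostile input: %d\n", ping_argv_count_for(hostile));
    printf("argv entries for 10.0.0.1: %d\n", ping_argv_count_for("10.0.0.1"));
    return 0;
}
```

Blocklisting metacharacters alone is fragile (the list above is an assumption and shells differ); the durable fix is the combination shown: an allowlist for the argument and an exec-style call that never goes through a shell.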
SOLUTION:
Apply patch available from the vendor.
http://www.ip3.com/supportoverview.htm
PROVIDED AND/OR DISCOVERED BY:
Ralph Moonen
----------------------------------------------------------------------
VAR-200604-0574 | CVE-2006-2072 | DeleGate DNS Response Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Multiple unspecified vulnerabilities in DeleGate 9.x before 9.0.6 and 8.x before 8.11.6 allow remote attackers to cause a denial of service via crafted DNS response messages that cause (1) a buffer over-read or (2) infinite recursion, which can trigger a segmentation fault or invalid memory access, as demonstrated by the OUSPG PROTOS DNS test suite. Numerous vulnerabilities have been reported in various Domain Name System (DNS) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause a DNS implementation to behave in an unstable/unpredictable manner. ------------ This vulnerability information is a summary of multiple vulnerabilities disclosed at the same time. Note that the content other than the title covers all of them. ------------ The DNS protocol implementations in multiple products have deficiencies stemming from the protocol specification, and processing certain DNS packets can corrupt memory or overflow buffers. The impact depends on the product implementation, but a remote attacker who exploits it can take the service or application that processes DNS packets out of service. The discoverer also suggests that arbitrary code execution may be possible. Refer to the "Overview" for the impact of this vulnerability. There are several unspecified vulnerabilities in the 9.x series prior to DeleGate 9.0.6 and the 8.x series prior to 8.11.6.
The vendor has addressed this issue in versions 8.11.6 and 9.0.6; earlier versions are vulnerable. ISC BIND is prone to a remote denial-of-service vulnerability. This issue is due to a failure in the application to properly handle malformed TSIG (Secret Key Transaction Authentication for DNS) replies.
To exploit this issue, attackers must be able to send messages with a correct TSIG during a zone transfer. This limits the potential for remote exploits significantly.
An attacker can exploit this issue to crash the affected service, effectively denying service to legitimate users.
TITLE:
DeleGate DNS Query Handling Denial of Service
SECUNIA ADVISORY ID:
SA19750
VERIFY ADVISORY:
http://secunia.com/advisories/19750/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
From remote
SOFTWARE:
DeleGate 8.x
http://secunia.com/product/1237/
DESCRIPTION:
A vulnerability has been reported in DeleGate, which can be exploited
by malicious people to cause a DoS (Denial of Service). The
vulnerability is caused by errors in the handling of crafted DNS
response messages. These can lead to out-of-bounds memory accesses and
infinite recursive function calls, which cause the process to stop
responding to requests.
The vulnerability has been reported in version 8.11.5 and prior
(stable), and in version 9.0.5 and prior (development).
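The two failure modes named in the description, out-of-bounds memory accesses and infinite recursion, are exactly what a naive DNS name decompressor produces when a compression pointer runs past the message or points at itself. The C parser below is an added example, not DeleGate's code; the page does not say which malformed input the PROTOS suite used against DeleGate, so the sample messages are constructed here to exercise a well-known instance of that class. It reads a name iteratively with bounds checks, requires compression pointers to point strictly backwards, caps pointer hops and total name length, and rejects the loop and over-read cases instead of walking off the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define DNS_MAX_NAME 255
#define MAX_POINTER_HOPS 16   /* a legitimate name needs far fewer */

/* Decode a possibly compressed DNS name (RFC 1035 s4.1.4) starting at byte
 * `off` of `msg` into `out` as dotted text. Returns the offset just after the
 * name as written at `off` (after the zero label, or after the first
 * pointer), or -1 for any malformed encoding: a label or pointer running past
 * the end of the message, a pointer that does not point strictly backwards,
 * too many pointer hops, or a name longer than DNS_MAX_NAME. A recursive or
 * unbounded reader fails on these inputs with an over-read or an endless walk. */
int dns_read_name(const uint8_t *msg, size_t msg_len, size_t off,
                  char *out, size_t out_size)
{
    size_t pos = off, out_len = 0;
    int end_off = -1, hops = 0;

    if (out_size == 0) return -1;
    out[0] = '\0';
    for (;;) {
        if (pos >= msg_len) return -1;              /* no length byte to read */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                 /* compression pointer */
            if (pos + 1 >= msg_len) return -1;      /* second pointer byte missing */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (end_off < 0) end_off = (int)(pos + 2);
            if (target >= pos) return -1;           /* forward or self pointer: loop */
            if (++hops > MAX_POINTER_HOPS) return -1;
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                  /* reserved label types */
        if (len == 0) {                             /* root label ends the name */
            if (end_off < 0) end_off = (int)(pos + 1);
            return end_off;
        }
        if (pos + 1 + len > msg_len) return -1;     /* label runs past the message */
        if (out_len + len + 1 > DNS_MAX_NAME) return -1;
        if (out_len + len + 1 >= out_size) return -1;
        if (out_len > 0) out[out_len++] = '.';
        memcpy(out + out_len, msg + pos + 1, len);
        out_len += len;
        out[out_len] = '\0';
        pos += 1 + len;
    }
}

/* Constructed sample messages (not captured traffic). A 12-byte zeroed header
 * placeholder puts the first name at offset 12, as in a real message. */
#define DNS_HDR_ZEROS 0,0,0,0,0,0,0,0,0,0,0,0
/* Well-formed: question name at 12, answer name at 33 is a pointer to 12. */
static const uint8_t MSG_OK[] = {
    DNS_HDR_ZEROS,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, /* 12..28 */
    0,1, 0,1,                                                       /* QTYPE, QCLASS */
    0xC0, 0x0C                                                      /* 33..34 */
};
/* Self-referencing pointer at 12: the infinite-recursion case. */
static const uint8_t MSG_SELF[] = { DNS_HDR_ZEROS, 0xC0, 0x0C };
/* Two pointers chasing each other: 12 -> 14 -> 12. */
static const uint8_t MSG_LOOP[] = { DNS_HDR_ZEROS, 0xC0, 0x0E, 0xC0, 0x0C };
/* Label claims 10 bytes but only 3 follow: the over-read case. */
static const uint8_t MSG_SHORT[] = { DNS_HDR_ZEROS, 10, 'a', 'b', 'c' };

static char g_name[DNS_MAX_NAME + 1];
/* Wrappers over the samples; each returns dns_read_name's result. */
int parse_ok_answer_name(void) { return dns_read_name(MSG_OK, sizeof MSG_OK, 33, g_name, sizeof g_name); }
int parse_self_pointer(void)   { return dns_read_name(MSG_SELF, sizeof MSG_SELF, 12, g_name, sizeof g_name); }
int parse_pointer_loop(void)   { return dns_read_name(MSG_LOOP, sizeof MSG_LOOP, 12, g_name, sizeof g_name); }
int parse_short_label(void)    { return dns_read_name(MSG_SHORT, sizeof MSG_SHORT, 12, g_name, sizeof g_name); }
const char *last_name(void)    { return g_name; }

int main(void)
{
    printf("ok:    end=%d name=%s\n", parse_ok_answer_name(), last_name());
    printf("self:  %d\n", parse_self_pointer());
    printf("loop:  %d\n", parse_pointer_loop());
    printf("short: %d\n", parse_short_label());
    return 0;
}
```

The backwards-only rule is what RFC 1035 intends ("a pointer to a prior occurrence"), and with it no pointer chain can revisit a byte; the hop cap and name-length cap are belt-and-braces so that termination does not depend on any single check.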
SOLUTION:
Update to version 8.11.6 or later.
http://www.delegate.org/delegate/download/
The vulnerability has also been fixed in development version 9.0.6.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor based on DNS Test Tool created by Oulu University
Secure Programming Group.
ORIGINAL ADVISORY:
NISCC:
http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en
----------------------------------------------------------------------
VAR-200604-0489 | CVE-2006-2045 | IP3 Networks NetAccess NA75 Information disclosure vulnerability |
CVSS V2: 3.6 CVSS V3: - Severity: LOW |
The (1) shadow password file in na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 has world readable permissions, which allows local users to view encrypted passwords; and the (2) NetAccess database file has world readable and writable permissions, which allows local users to view sensitive information and modify data. IP3 Networks NetAccess NA75 devices are susceptible to multiple local vulnerabilities:
- A command-injection vulnerability due to insufficient input-sanitization of user-supplied commands. This issue allows attackers to execute arbitrary shell commands in the underlying UNIX-based operating system.
- An encrypted-password information-disclosure vulnerability. This issue may aid attackers in brute-force password-guessing attacks.
- An insecure default-permissions vulnerability. This issue allows attackers to access or corrupt potentially sensitive information.
These issues are present in version 4.0.34 of the device's firmware; other versions may also be affected.
TITLE:
IP3 Networks NA75 SQL Injection Vulnerability and Weaknesses
SECUNIA ADVISORY ID:
SA19818
VERIFY ADVISORY:
http://secunia.com/advisories/19818/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Manipulation of data, Exposure of sensitive
information, Privilege escalation
WHERE:
From local network
OPERATING SYSTEM:
IP3 Networks NA75
http://secunia.com/product/9602/
DESCRIPTION:
Ralph Moonen has reported a vulnerability and some weaknesses in IP3
Networks NA75, which can be exploited by malicious, local users to
potentially gain escalated privileges and disclose or manipulate
sensitive information, or by malicious people to conduct SQL
injection attacks.
1) Some input passed in the web interface is not properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Example:
* The password field during login.
2) Some input validation errors in the command line interface can be
exploited to inject arbitrary shell commands via the "`" backtick
character.
3) The shadow password file has world-readable permissions, which can
be exploited to disclose other users' encrypted passwords.
4) The database file is stored with world-readable and world-writable
permissions.
SOLUTION:
Apply patch available from the vendor.
http://www.ip3.com/supportoverview.htm
PROVIDED AND/OR DISCOVERED BY:
Ralph Moonen
----------------------------------------------------------------------
VAR-200604-0488 | CVE-2006-2044 | IP3 Networks NetAccess NA75 Multiple Local Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 has a default username of admin and a default password of admin. IP3 Networks NetAccess NA75 devices are susceptible to multiple local vulnerabilities:
- A command-injection vulnerability due to insufficient input-sanitization of user-supplied commands. This issue allows attackers to execute arbitrary shell commands in the underlying UNIX-based operating system.
- An encrypted-password information-disclosure vulnerability. This issue may aid attackers in brute-force password-guessing attacks.
- An insecure default-permissions vulnerability. This issue allows attackers to access or corrupt potentially sensitive information.
These issues are present in version 4.0.34 of the device's firmware; other versions may also be affected.
TITLE:
IP3 Networks NA75 SQL Injection Vulnerability and Weaknesses
SECUNIA ADVISORY ID:
SA19818
VERIFY ADVISORY:
http://secunia.com/advisories/19818/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Manipulation of data, Exposure of sensitive
information, Privilege escalation
WHERE:
From local network
OPERATING SYSTEM:
IP3 Networks NA75
http://secunia.com/product/9602/
DESCRIPTION:
Ralph Moonen has reported a vulnerability and some weaknesses in IP3
Networks NA75, which can be exploited by malicious, local users to
potentially gain escalated privileges and disclose or manipulate
sensitive information, or by malicious people to conduct SQL
injection attacks.
1) Some input passed in the web interface is not properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Example:
* The password field during login.
2) Some input validation errors in the command line interface can be
exploited to inject arbitrary shell commands via the "`" backtick
character.
3) The shadow password file has world-readable permissions, which can
be exploited to disclose other users' encrypted passwords.
4) The database file is stored with world-readable and world-writable
permissions.
SOLUTION:
Apply patch available from the vendor.
http://www.ip3.com/supportoverview.htm
PROVIDED AND/OR DISCOVERED BY:
Ralph Moonen
----------------------------------------------------------------------