VARIoT IoT vulnerabilities database


VAR-200604-0552 CVE-2006-2078 Multiple vulnerabilities in DNS implementations CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Multiple unspecified vulnerabilities in multiple FITELnet products, including FITELnet-F40, F80, F100, F120, F1000, and E20/E30, allow remote attackers to cause a denial of service via crafted DNS messages that trigger errors in (1) ProxyDNS or (2) PKI-Resolver, as demonstrated by the OUSPG PROTOS DNS test suite.

Numerous vulnerabilities have been reported in various Domain Name System (DNS) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause a DNS implementation to behave in an unstable/unpredictable manner.

There are unexplained vulnerabilities in multiple FITELnet products, including FITELnet-F40, F80, F100, F120, F1000 and E20/E30. The consequences of these vulnerabilities are currently unknown, but remote code execution or denial-of-service attacks may be possible. This BID will be updated as further information is disclosed.

TITLE: FITELnet Products DNS Handling Vulnerability
SECUNIA ADVISORY ID: SA19820
VERIFY ADVISORY: http://secunia.com/advisories/19820/
CRITICAL: Moderately critical
IMPACT: Unknown
WHERE: From remote
OPERATING SYSTEM: FITELnet-E Series http://secunia.com/product/9600/ FITELnet-F Series http://secunia.com/product/9599/ MUCHO-EV/PK http://secunia.com/product/9601/
DESCRIPTION: A vulnerability with unknown impact has been reported in various FITELnet products. The vulnerability is caused by unspecified errors in ProxyDNS and PKI-Resolver when handling certain malformed DNS packets. The vulnerability has been reported in the following products: FITELnet-F40, FITELnet-F80, FITELnet-F100, FITELnet-F120, FITELnet-F1000, FITELnet-E20/E30, MUCHO-EV/PK.
SOLUTION: The vendor is reportedly working on a fix.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor based on the DNS test tool created by the Oulu University Secure Programming Group (OUSPG PROTOS).
ORIGINAL ADVISORY: http://www.furukawa.co.jp/fitelnet/topic/dns2_attacks.html NISCC: http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-200604-0559 CVE-2006-2086 Juniper Networks IVE client ActiveX control buffer overflow CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in JuniperSetupDLL.dll, loaded from JuniperSetup.ocx by the Juniper SSL-VPN Client when accessing a Juniper NetScreen IVE device running IVE OS before 4.2r8.1, 5.0 before 5.0r6.1, 5.1 before 5.1r8, 5.2 before 5.2r4.1, or 5.3 before 5.3r2.1, allows remote attackers to execute arbitrary code via a long argument in the ProductName parameter.

The Juniper SSL-VPN Client ActiveX control is prone to a buffer-overflow vulnerability. The software fails to perform sufficient bounds-checking of user-supplied input before copying it to an insufficiently sized memory buffer. Invoking the object from a malicious web site may trigger the condition. Successful exploitation corrupts process memory, resulting in arbitrary code execution.

Juniper's SSL VPN series products provide users with secure remote access services. JuniperSetupDLL.dll is loaded from the JuniperSetup.ocx ActiveX control. If an overly long string is specified in the ProductName parameter, a stack overflow is triggered in a JuniperSetupDLL.dll function, for example from a page of the following shape:

    <object classid="clsid:E5F5D008-DD2C-4D32-977D-1A0ADF03058B" id="NeoterisSetup" codebase="path_to_JuniperSetup.cab#version=1,0,0,3">
      .....
      <param name="ProductName" value="AAAAAAA (long 'A')">
      .....
    </object>
    <script language="javascript">
      NeoterisSetup.startSession();
    </script>

The vulnerable function, from the advisory's disassembly, takes the ProductName and works with a fixed-size stack buffer (SubKey occupies the 0x104 bytes between -10Ch and -8 in the frame) alongside registry lookup variables:

    .text:04F15783 ; int __stdcall sub_4F15783_ilvdlp(char *szProductName, LPCSTR lpValueName, LPBYTE lpData, LPDWORD lpcbData)
    .text:04F15783 sub_4F15783_ilvdlp proc near
    .text:04F15783
    .text:04F15783 SubKey = byte ptr -10Ch
    .text:04F15783 Type   = dword ptr -8
    .text:04F15783 hKey   = dword ptr -4
    ...

This can be exploited to cause a stack-based buffer overflow when the control is instantiated with an overly long "ProductName" parameter, for example when a user is tricked into visiting a malicious web site. The vulnerability has been reported in versions 1.x through 5.x.
SOLUTION: Update to IVE software version 5.3r2.1, 5.2r4.1, 5.1r8, 5.0r6.1, or 4.2r8.1.
PROVIDED AND/OR DISCOVERED BY: Yuji Ukai, eEye Digital Security.
ORIGINAL ADVISORY: eEye Digital Security: http://www.eeye.com/html/research/advisories/AD20060424.html Juniper Networks: http://www.juniper.net/support/security/alerts/PSN-2006-03-013.txt
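The bug class behind CVE-2006-2086, as an added example that is not Juniper's or eEye's code: the disassembly above shows a function receiving the attacker-controlled ProductName next to a fixed 0x104-byte stack buffer (SubKey) and registry variables (hKey, Type). The code below puts the unbounded-copy pattern beside a bounded builder that refuses input it cannot hold. The registry key prefix, the rejection of backslashes and the exact buffer size are assumptions made for the illustration, not details from the advisory.

```c
/* Added example; not Juniper's or eEye's code. Illustrates the bug class
 * behind CVE-2006-2086: a fixed stack buffer (0x104 bytes, matching the
 * SubKey slot in the advisory's frame layout) filled from an attacker-
 * controlled ProductName. KEY_PREFIX and the '\\' rule are assumptions. */
#include <stdio.h>
#include <string.h>

#define SUBKEY_BUF  0x104                          /* 260 bytes, MAX_PATH-sized */
#define KEY_PREFIX  "SOFTWARE\\Example Vendor\\"   /* hypothetical key path */

/* Vulnerable pattern: fixed stack buffer, unbounded copy. A ProductName
 * longer than SUBKEY_BUF - strlen(KEY_PREFIX) - 1 bytes runs past the
 * buffer into the saved frame pointer and return address. Shown only; the
 * demo never calls it, since its effect is undefined behaviour by design. */
void build_subkey_vulnerable(const char *product_name)
{
    char subkey[SUBKEY_BUF];
    strcpy(subkey, KEY_PREFIX);
    strcat(subkey, product_name);                  /* no length check */
    /* RegOpenKeyExA(HKEY_LOCAL_MACHINE, subkey, ...) would follow */
    (void)subkey;
}

/* Hardened form: compute the required size first and refuse input that does
 * not fit, then copy with an explicit bound. Also rejects '\\' so a caller
 * cannot steer the lookup into a different key. Returns 0 on success and -1
 * on rejection; out is always NUL-terminated when outlen > 0. */
int build_subkey(const char *product_name, char *out, size_t outlen)
{
    if (outlen == 0) return -1;
    out[0] = '\0';
    if (strchr(product_name, '\\') != NULL) return -1;
    size_t need = strlen(KEY_PREFIX) + strlen(product_name) + 1;
    if (need > outlen) return -1;
    int n = snprintf(out, outlen, "%s%s", KEY_PREFIX, product_name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Demo helper: build the key for name into a static SUBKEY_BUF buffer and
 * return the text, or NULL when the hardened builder rejects the input. */
const char *demo_subkey(const char *name)
{
    static char subkey[SUBKEY_BUF];
    return build_subkey(name, subkey, sizeof subkey) == 0 ? subkey : NULL;
}

/* Demo helper: feed a ProductName of len 'A' bytes (the advisory's long-"A"
 * parameter) to the hardened builder and return its verdict. */
int demo_long_product_name(size_t len)
{
    char name[2048];
    char subkey[SUBKEY_BUF];
    if (len >= sizeof name) return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    return build_subkey(name, subkey, sizeof subkey);
}

int main(void)
{
    const char *k = demo_subkey("IVE");
    printf("short name  -> %s\n", k ? k : "(rejected)");
    printf("235 x 'A'   -> rc=%d (exactly fills the buffer)\n", demo_long_product_name(235));
    printf("600 x 'A'   -> rc=%d (rejected instead of smashing the stack)\n", demo_long_product_name(600));
    return 0;
}
```

The size check happens before any byte is written, which is the property the original function lacked: with the vulnerable pattern the overflow has already happened by the time any later check could run.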
VAR-200604-0487 CVE-2006-2043 IP3 Networks NetAccess NA75 Multiple Local Vulnerabilities CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 allows local users to gain Unix shell access via "`" (backtick) characters in the appliance's command line interface (CLI).

IP3 Networks NetAccess NA75 devices are susceptible to multiple local vulnerabilities:
- A command-injection vulnerability due to insufficient input sanitisation of user-supplied commands. This issue allows attackers to execute arbitrary shell commands on the underlying UNIX-based operating system.
- An encrypted-password information-disclosure vulnerability. This issue may aid attackers in brute-force password-guessing attacks.
- An insecure default-permissions vulnerability. This issue allows attackers to access or corrupt potentially sensitive information.
These issues are present in version 4.0.34 of the device's firmware; other versions may also be affected.

TITLE: IP3 Networks NA75 SQL Injection Vulnerability and Weaknesses
SECUNIA ADVISORY ID: SA19818
VERIFY ADVISORY: http://secunia.com/advisories/19818/
CRITICAL: Less critical
IMPACT: Security Bypass, Manipulation of data, Exposure of sensitive information, Privilege escalation
WHERE: From local network
OPERATING SYSTEM: IP3 Networks NA75 http://secunia.com/product/9602/
DESCRIPTION: Ralph Moonen has reported a vulnerability and some weaknesses in IP3 Networks NA75, which can be exploited by malicious local users to potentially gain escalated privileges and disclose or manipulate sensitive information, or by malicious people to conduct SQL injection attacks.
1) Some input passed in the web interface is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Example: the password field during login.
2) Some input validation errors in the command line interface can be exploited to inject arbitrary shell commands via the "`" backtick character.
3) The shadow password file has world-readable permissions, which can be exploited to disclose other users' encrypted passwords.
4) The database file is stored with world-readable and world-writable permissions.
SOLUTION: Apply the patch available from the vendor: http://www.ip3.com/supportoverview.htm
PROVIDED AND/OR DISCOVERED BY: Ralph Moonen
VAR-200604-0574 CVE-2006-2072 DeleGate DNS Response Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple unspecified vulnerabilities in DeleGate 9.x before 9.0.6 and 8.x before 8.11.6 allow remote attackers to cause a denial of service via crafted DNS response messages that cause (1) a buffer over-read or (2) infinite recursion, which can trigger a segmentation fault or invalid memory access, as demonstrated by the OUSPG PROTOS DNS test suite.

Numerous vulnerabilities have been reported in various Domain Name System (DNS) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause a DNS implementation to behave in an unstable/unpredictable manner.

This record summarises multiple vulnerabilities disclosed at the same time; the text below covers more than the issue named in the title. The DNS protocol implementations of multiple products contain flaws rooted in the protocol specification, and processing certain DNS packets corrupts memory or overflows buffers. The impact varies with the product implementation, but a remote attacker could take a service or application that processes DNS packets out of service; the discoverer also suggests that arbitrary code execution may be possible.

There are several unexplained vulnerabilities in the DeleGate 9.x series prior to 9.0.6 and the 8.x series prior to 8.11.6. The vendor has addressed this issue in versions 8.11.6 and 9.0.6; earlier versions are vulnerable.

The following BID text, carried in this merged record, describes ISC BIND rather than DeleGate: ISC BIND is prone to a remote denial-of-service vulnerability. This issue is due to a failure in the application to properly handle malformed TSIG (Secret Key Transaction Authentication for DNS) replies. To exploit this issue, attackers must be able to send messages with a correct TSIG during a zone transfer. This limits the potential for remote exploits significantly. An attacker can exploit this issue to crash the affected service, effectively denying service to legitimate users.

TITLE: DeleGate DNS Query Handling Denial of Service
SECUNIA ADVISORY ID: SA19750
VERIFY ADVISORY: http://secunia.com/advisories/19750/
CRITICAL: Moderately critical
IMPACT: DoS
WHERE: From remote
SOFTWARE: DeleGate 8.x http://secunia.com/product/1237/
DESCRIPTION: A vulnerability has been reported in DeleGate, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by errors in the handling of crafted DNS responses. This can lead to out-of-bounds memory accesses and infinite recursive function calls, which cause the process to stop responding to requests. The vulnerability has been reported in version 8.11.5 and prior (stable), and in version 9.0.5 and prior (development).
SOLUTION: Update to version 8.11.6 or later. http://www.delegate.org/delegate/download/ The vulnerability has also been fixed in development version 9.0.6.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor based on the DNS test tool created by the Oulu University Secure Programming Group.
ORIGINAL ADVISORY: NISCC: http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en
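The two failure modes this record names for DeleGate, an out-of-bounds read and infinite recursion while parsing a DNS response, are the classic consequences of RFC 1035 name compression handled without checks, and they are what the PROTOS DNS test cases exercise across all the DNS entries above. The following is an added example, not DeleGate's code or any vendor's: a bounded name decoder that treats every length byte and every compression pointer as hostile. The sample packets, the jump cap and the helper names are constructed for this illustration.

```c
/* Added example; not DeleGate's or any vendor's code. A bounded decoder for
 * DNS names of the kind the PROTOS DNS test cases exercise. In RFC 1035 a
 * label byte with its top two bits set is a 14-bit pointer to another offset
 * in the same message; nothing in the wire format stops a pointer from
 * pointing at itself, forward into a loop, or past the end of the packet, and
 * nothing stops a label length from exceeding the bytes actually received.
 * The sample packets and DNS_MAX_JUMPS below are constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_NAME_MAX  255   /* RFC 1035 limit on the wire length of a name */
#define DNS_LABEL_MAX 63
#define DNS_MAX_JUMPS 16    /* defence in depth: a legal name needs far fewer */

enum { DNS_OK = 0, DNS_ERR_TRUNC = -1, DNS_ERR_POINTER = -2,
       DNS_ERR_LABEL = -3, DNS_ERR_TOOLONG = -4 };

/* Decode the name at msg[off] into out as dotted text. On success returns
 * DNS_OK and sets *next to the offset just past the name's first (possibly
 * compressed) occurrence, i.e. where the next field of the record begins.
 * Every byte is bounds-checked against len before it is read, pointers must
 * point strictly backwards (RFC 1035: "a prior occurrence"), and pointer hops
 * are capped, so a looping or out-of-range pointer yields an error instead
 * of unbounded recursion or a read past the buffer. */
int dns_decode_name(const uint8_t *msg, size_t len, size_t off,
                    char *out, size_t outlen, size_t *next)
{
    size_t outpos = 0, jumps = 0, wire = 0;
    int jumped = 0;

    if (outlen < 2) return DNS_ERR_TOOLONG;
    out[0] = '\0';
    *next = off;
    for (;;) {
        if (off >= len) return DNS_ERR_TRUNC;
        uint8_t c = msg[off];
        if ((c & 0xC0) == 0xC0) {                        /* compression pointer */
            if (off + 1 >= len) return DNS_ERR_TRUNC;
            if (++jumps > DNS_MAX_JUMPS) return DNS_ERR_POINTER;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[off + 1];
            if (!jumped) { *next = off + 2; jumped = 1; }
            if (target >= off) return DNS_ERR_POINTER;   /* self/forward: loop or OOB */
            off = target;
            continue;
        }
        if (c & 0xC0) return DNS_ERR_LABEL;              /* 0x40/0x80 are reserved */
        if (c == 0) {                                    /* root label ends the name */
            if (!jumped) *next = off + 1;
            if (outpos == 0) { out[0] = '.'; out[1] = '\0'; }
            return DNS_OK;
        }
        if (c > DNS_LABEL_MAX) return DNS_ERR_LABEL;
        if (off + 1 + c > len) return DNS_ERR_TRUNC;      /* label runs off the end */
        wire += (size_t)c + 1;
        if (wire > DNS_NAME_MAX) return DNS_ERR_TOOLONG;
        if (outpos + c + 2 > outlen) return DNS_ERR_TOOLONG;
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, msg + off + 1, c);
        outpos += c;
        out[outpos] = '\0';
        off += 1 + (size_t)c;
    }
}

/* Constructed samples: a 12-byte header, then a name starting at offset 12. */
static const uint8_t good[] = {                 /* www.example.com, then "mail" + ptr to offset 16 */
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    4,'m','a','i','l', 0xC0,16 };
static const uint8_t self_ptr[]  = { 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0, 0xC0,12 };    /* points at itself */
static const uint8_t oob_ptr[]   = { 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0, 0xC0,0xFF };  /* forward, past the end */
static const uint8_t truncated[] = { 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0, 10,'a','b' }; /* label claims 10 bytes */

static char   demo_out[DNS_NAME_MAX + 1];
static size_t demo_next;

/* Decode one of the samples at the given offset; the text and next-field
 * offset are kept in statics so a caller can inspect them afterwards. */
int demo_decode(int sample, size_t off)
{
    const uint8_t *m; size_t n;
    switch (sample) {
    case 0:  m = good;      n = sizeof good;      break;
    case 1:  m = self_ptr;  n = sizeof self_ptr;  break;
    case 2:  m = oob_ptr;   n = sizeof oob_ptr;   break;
    default: m = truncated; n = sizeof truncated; break;
    }
    return dns_decode_name(m, n, off, demo_out, sizeof demo_out, &demo_next);
}
const char *demo_name(void)        { return demo_out; }
size_t      demo_next_offset(void) { return demo_next; }

int main(void)
{
    int rc = demo_decode(0, 12);
    printf("question name:   rc=%d %s (next field at %zu)\n", rc, demo_name(), demo_next_offset());
    rc = demo_decode(0, 29);
    printf("compressed name: rc=%d %s (next field at %zu)\n", rc, demo_name(), demo_next_offset());
    printf("self-pointer rc=%d, out-of-range pointer rc=%d, truncated label rc=%d\n",
           demo_decode(1, 12), demo_decode(2, 12), demo_decode(3, 12));
    return 0;
}
```

A naive decoder that recurses on every pointer and trusts every length byte would loop forever on the self-pointer sample and read beyond the packet on the truncated one, which is exactly the segmentation fault or invalid memory access the record describes. Requiring pointers to go strictly backwards makes loops impossible on its own; the hop cap and the 255-byte wire limit are the extra checks a practitioner would want so that a pathological but loop-free chain still terminates quickly.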
VAR-200604-0489 CVE-2006-2045 IP3 Networks NetAccess NA75 Information disclosure vulnerability CVSS V2: 3.6
CVSS V3: -
Severity: LOW
The (1) shadow password file in na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 has world-readable permissions, which allows local users to view encrypted passwords; and the (2) NetAccess database file has world-readable and world-writable permissions, which allows local users to view sensitive information and modify data.

IP3 Networks NetAccess NA75 devices are susceptible to multiple local vulnerabilities; the full BID summary and the Secunia advisory SA19818 (http://secunia.com/advisories/19818/) are given under VAR-200604-0487 (CVE-2006-2043) above. The two covered by this CVE are:
- An encrypted-password information-disclosure vulnerability. This issue may aid attackers in brute-force password-guessing attacks.
- An insecure default-permissions vulnerability. This issue allows attackers to access or corrupt potentially sensitive information.
These issues are present in version 4.0.34 of the device's firmware; other versions may also be affected.

From Secunia SA19818, the items corresponding to this CVE:
3) The shadow password file has world-readable permissions, which can be exploited to disclose other users' encrypted passwords.
4) The database file is stored with world-readable and world-writable permissions.
SOLUTION: Apply the patch available from the vendor: http://www.ip3.com/supportoverview.htm
PROVIDED AND/OR DISCOVERED BY: Ralph Moonen
VAR-200604-0488 CVE-2006-2044 IP3 Networks NetAccess NA75 Multiple Local Vulnerabilities CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 has a default username of admin and a default password of admin.

IP3 Networks NetAccess NA75 devices are susceptible to multiple local vulnerabilities; the full BID summary and the Secunia advisory SA19818 (http://secunia.com/advisories/19818/) are given under VAR-200604-0487 (CVE-2006-2043) above. The default credentials described by this CVE are not listed as a separate item in that advisory, whose four items are SQL injection in the web interface login, shell command injection via "`" in the CLI, a world-readable shadow password file, and a world-readable and world-writable database file. These issues are present in version 4.0.34 of the device's firmware; other versions may also be affected.
SOLUTION: Apply the patch available from the vendor: http://www.ip3.com/supportoverview.htm
Default credentials are not removed by a code fix: change the admin password on every deployed unit regardless of patch level.
PROVIDED AND/OR DISCOVERED BY: Ralph Moonen
VAR-200604-0576 CVE-2006-2074 Multiple vulnerabilities in DNS implementations CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Juniper Networks JUNOSe E-series routers before 7-1-1 has unknown impact and remote attack vectors related to the DNS "client code," as demonstrated by the OUSPG PROTOS DNS test suite.

Numerous vulnerabilities have been reported in various Domain Name System (DNS) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause a DNS implementation to behave in an unstable/unpredictable manner.

Juniper JUNOSe is prone to a remote denial-of-service vulnerability. This issue is due to a failure in the application to properly handle DNS datagrams. An attacker can exploit this issue to crash the affected DNS client service, effectively denying service to legitimate users. JUNOSe is the Juniper Networks operating system that runs on the E-series IP edge and broadband services routers. Testing with the PROTOS DNS test component developed by OUSPG found that a specially crafted DNS message causes a denial of service in JUNOSe when it handles the response. The vulnerability is caused by unspecified errors within the handling of DNS responses.
SOLUTION: The vulnerability has been fixed in JUNOSe versions 5-3-5p0-2, 6-0-3p0-6, 6-0-4, 6-1-3p0-1, 7-0-1p0-7, 7-0-2, 7-1-0p0-1, and 7-1-1.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor based on the DNS test tool created by the Oulu University Secure Programming Group.
ORIGINAL ADVISORY: NISCC: http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en
VAR-200604-0537 CVE-2006-2019 Apple Safari Web Browser Rowspan Denial Of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Apple Mac OS X Safari 2.0.3, 1.3.1, and possibly other versions allows remote attackers to cause a denial of service (CPU consumption and crash) via a TD element with a large number in the rowspan attribute. Safari on Apple Mac OS X contains a denial-of-service (DoS) vulnerability; a third party may be able to put the browser into a denial-of-service state.

The Apple Safari web browser is prone to a denial-of-service vulnerability. An attacker can exploit this issue to consume excessive system resources and eventually crash an affected browser. Opening a malicious HTML file in Safari may slow the operating system to the point of showing the spinning rainbow cursor (SRCOD, "Spinning Rainbow Cursor Of Death"), so that no application can be launched to kill the process; Safari crashes after a few minutes.

TITLE: Safari "rowspan" Attribute Denial of Service Vulnerability
SECUNIA ADVISORY ID: SA19763
VERIFY ADVISORY: http://secunia.com/advisories/19763/
CRITICAL: Not critical
IMPACT: DoS
WHERE: From remote
SOFTWARE: Safari 1.x http://secunia.com/product/1543/ Safari 2.x http://secunia.com/product/5289/
DESCRIPTION: Yannick von Arx has discovered a vulnerability in Safari, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an error in the processing of "td" HTML tags with overly large values for the "rowspan" attribute. This can be exploited to consume a large amount of CPU and memory resources on a vulnerable system by tricking a user into visiting a malicious web site. Successful exploitation causes a vulnerable system to become unresponsive. The vulnerability has been confirmed in version 2.0.3 (417.9.2) and has also been reported in version 1.3.1 (312.3.1). Other versions may also be affected.
SOLUTION: Do not visit untrusted web sites while working with unsaved sensitive information.
PROVIDED AND/OR DISCOVERED BY: Yannick von Arx
ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/045472.html
VAR-200604-0535 CVE-2006-2017 DNSmasq Broadcast Reply Denial Of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Dnsmasq 2.29 allows remote attackers to cause a denial of service (application crash) via a DHCP client broadcast reply request. Dnsmasq is prone to a remote denial-of-service vulnerability. Because the trigger is a DHCP client broadcast, the attacker has to be on the same link as the Dnsmasq server (or reach it through a DHCP relay), which is why Secunia rates the attack vector as local network.

TITLE: Dnsmasq DHCP Broadcast Reply Denial of Service
SECUNIA ADVISORY ID: SA19760
VERIFY ADVISORY: http://secunia.com/advisories/19760/
CRITICAL: Less critical
IMPACT: DoS
WHERE: From local network
SOFTWARE: Dnsmasq 2.x http://secunia.com/product/4837/
DESCRIPTION: A vulnerability has been reported in Dnsmasq, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an error within the handling of certain requests from a DHCP client. The vulnerability has been reported in version 2.29.
SOLUTION: Update to version 2.30. http://thekelleys.org.uk/dnsmasq/
PROVIDED AND/OR DISCOVERED BY: The vendor credits Sandra Dekkers.
ORIGINAL ADVISORY: http://thekelleys.org.uk/dnsmasq/CHANGELOG
VAR-200604-0347 CVE-2006-1981 Mac OS X Java InputMethods Unknown vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Unspecified vulnerability in Java InputMethods on Mac OS X 10.4.5 may cause InputMethods to send input events for secure fields to the wrong text field, which might reveal the password to others who can view the screen. Mac OS X is prone to a local security vulnerability.
VAR-200604-0332 CVE-2006-1966 Unspecified Fortinet product denial of service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
An unspecified Fortinet product, possibly Fortinet28, allows remote attackers to cause a denial of service via a "small synflood" to the SMTP port (TCP port 25), as demonstrated by a 10-microsecond wait between sending packets. NOTE: this issue has been disputed in followup posts that suggest that a protection feature is triggering a RST. An unspecified Fortinet product contains a denial-of-service (DoS) vulnerability; a third party may be able to put the device into a denial-of-service state. Fortinet28 is prone to a denial-of-service vulnerability.
VAR-200604-0324 CVE-2006-1928 Cisco IOS XR MPLS Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco IOS XR, when configured for Multi Protocol Label Switching (MPLS) and running on Cisco CRS-1 routers, allows remote attackers to cause a denial of service (Modular Services Cards (MSC) crash or "MPLS packet handling problems") via certain MPLS packets, as identified by Cisco bug IDs (1) CSCsd15970 and (2) CSCsd55531. Cisco IOS XR contains a denial-of-service (DoS) vulnerability that a third party may be able to exploit to put the device into a denial-of-service state.

A successful attack results in a denial-of-service condition for traffic that is being switched on an affected Modular Services Card (MSC) or line card. A sustained denial-of-service condition can also arise from repeated attacks. Cisco IOS XR Software, a member of the Cisco IOS Software family, uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR runs on Cisco CRS-1 and Cisco 12000 series routers. MPLS packets are forwarded through the MPLS network, so the packets that trigger this vulnerability can be sent from remote systems in the MPLS network. Such packets cannot be received on interfaces that are not configured with MPLS. Successful exploitation requires that MPLS has been configured on the network device.
SOLUTION: Apply patches (see the patch matrix in the vendor advisory).
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20060419-xr.shtml
VAR-200604-0339 CVE-2006-1973 Linksys RT31P2 VoIP router denial of service vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple unspecified vulnerabilities in Linksys RT31P2 VoIP router allow remote attackers to cause a denial of service via malformed Session Initiation Protocol (SIP) messages. Linksys RT31P2 is a broadband router that supports VoIP phone functions. This issue allows remote attackers to crash affected devices, denying service to legitimate users.
SOLUTION: The product has reportedly been discontinued. Filter traffic or use another product.
PROVIDED AND/OR DISCOVERED BY: Peter Thermos and Guy Hadsall, Telcordia.
ORIGINAL ADVISORY: US-CERT VU#621566: http://www.kb.cert.org/vuls/id/621566
VAR-200604-0267 CVE-2006-1961 Multiple Cisco products Linux shell access vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco CiscoWorks Wireless LAN Solution Engine (WLSE) and WLSE Express before 2.13, Hosting Solution Engine (HSE) and User Registration Tool (URT) before 20060419, and all versions of Ethernet Subscriber Solution Engine (ESSE) and CiscoWorks2000 Service Management Solution (SMS) allow local users to gain Linux shell access via shell metacharacters in arguments to the "show" command in the application's command line interface (CLI), aka bug ID CSCsd21502 (WLSE), CSCsd22861 (URT), and CSCsd22859 (HSE). NOTE: other issues might be addressed by the Cisco advisory. Multiple Cisco products contain a vulnerability that allows Linux shell access to be obtained. A local user may obtain Linux shell access. Multiple Linux-based Cisco products are prone to a local privilege-escalation vulnerability. The applications fail to properly sanitize user-supplied input. This issue allows attackers with telnet or SSH access to affected devices to execute arbitrary shell commands with superuser privileges. This facilitates the complete compromise of affected devices. CiscoWorks WLSE is the centralized system-level application for managing and controlling the entire autonomous Cisco WLAN infrastructure. There is a vulnerability in the implementation of the CiscoWorks WLSE configuration management script. Attackers may exploit this vulnerability to obtain sensitive information. The "displayMsg" parameter in /wlse/configure/archive/archiveApplyDisplay.jsp in WLSE devices can lead to a cross-site scripting vulnerability. Attackers can exploit this vulnerability to steal JSP session cookies, and then combine it with other vulnerabilities to gain administrative-level access to the system. This is related to vulnerability #2 in SA19736.

SOLUTION: Apply fixes.
Cisco URT: Update to version 2.5.5(A1) for the URT appliance. http://www.cisco.com/pcgi-bin/tablebuild.pl/urt-3des
Cisco HSE: Apply HSE-PSIRT1 patch.
However, Cisco encourages customers requiring a fix to open a service request through the Technical Support organization.

TITLE: Cisco WLSE Privilege Escalation and Cross-Site Scripting
SECUNIA ADVISORY ID: SA19736
VERIFY ADVISORY: http://secunia.com/advisories/19736/
CRITICAL: Less critical
IMPACT: Cross Site Scripting, Privilege escalation
WHERE: From remote
OPERATING SYSTEM: CiscoWorks Wireless LAN Solution Engine 2.x http://secunia.com/product/2187/

DESCRIPTION: Adam Pointon has reported two vulnerabilities in CiscoWorks Wireless LAN Solution Engine (WLSE), which can be exploited by malicious, local users to gain escalated privileges or by malicious people to conduct cross-site scripting attacks.
1) Input passed to the "displayMsg" parameter in "/wlse/configure/archive/archiveApplyDisplay.jsp" in the WLSE appliance web interface is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.
2) Several errors in the "show" CLI application can be exploited to gain a shell account with root privileges from the command line interface.

SOLUTION: Update to version 2.13 or later. http://www.cisco.com/pcgi-bin/tablebuild.pl/wlan-sol-eng

PROVIDED AND/OR DISCOVERED BY: Adam Pointon, Assurance. The vendor also credits Mathieu Pepin for reporting the second vulnerability.

ORIGINAL ADVISORY:
Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml
Assurance: http://www.assurance.com.au/advisories/200604-cisco.txt
VAR-200604-0323 CVE-2006-1927 Cisco IOS XR MPLS Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco IOS XR, when configured for Multi Protocol Label Switching (MPLS) and running on Cisco CRS-1 or Cisco 12000 series routers, allows remote attackers to cause a denial of service (Line card crash) via certain MPLS packets, as identified by Cisco bug ID CSCsc77475. Cisco IOS XR contains a vulnerability that can cause a service disruption (line card crash). A third party may be able to cause a service disruption (line card crash). A successful attack results in a denial-of-service condition for traffic that is being switched on an affected Modular Services Card (MSC) or line card. A sustained denial-of-service condition can also arise from repeated attacks. Cisco IOS XR Software, a member of the Cisco IOS Software family, uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR runs on Cisco CRS-1 and Cisco 12000 series routers. MPLS packets are forwarded through the MPLS network, so the packets that trigger this vulnerability can be sent from remote systems in the MPLS network. Such packets cannot be received on interfaces that are not configured with MPLS. Successful exploitation requires that MPLS has been configured on the network device.

SOLUTION: Apply patches (see patch matrix in vendor advisory).

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20060419-xr.shtml
VAR-200604-0266 CVE-2006-1960 Cisco WLSE archiveApplyDisplay.jsp Cross-site scripting vulnerability CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the appliance web user interface in Cisco CiscoWorks Wireless LAN Solution Engine (WLSE) and WLSE Express before 2.13 allows remote attackers to inject arbitrary web script or HTML, possibly via the displayMsg parameter to archiveApplyDisplay.jsp, aka bug ID CSCsc01095. CiscoWorks Wireless LAN Solution Engine (WLSE) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal JSP session cookie-based authentication credentials and launch other attacks. CiscoWorks WLSE is the centralized system-level application for managing and controlling the entire autonomous Cisco WLAN infrastructure. There is a vulnerability in the implementation of the CiscoWorks WLSE configuration management script. Attackers may exploit this vulnerability to obtain sensitive information. The "displayMsg" parameter in /wlse/configure/archive/archiveApplyDisplay.jsp in WLSE devices can lead to a cross-site scripting vulnerability. This is related to vulnerability #2 in SA19736.

SOLUTION: Apply fixes.
Cisco URT: Update to version 2.5.5(A1) for the URT appliance. http://www.cisco.com/pcgi-bin/tablebuild.pl/urt-3des
Cisco HSE: Apply HSE-PSIRT1 patch.

1) Input passed to the "displayMsg" parameter in "/wlse/configure/archive/archiveApplyDisplay.jsp" in the WLSE appliance web interface is not properly sanitised before being returned to users.
2) Several errors in the "show" CLI application can be exploited to gain a shell account with root privileges from the command line interface.

SOLUTION: Update to version 2.13 or later. http://www.cisco.com/pcgi-bin/tablebuild.pl/wlan-sol-eng

PROVIDED AND/OR DISCOVERED BY: Adam Pointon, Assurance. The vendor also credits Mathieu Pepin for reporting the second vulnerability.

ORIGINAL ADVISORY:
Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml
Assurance: http://www.assurance.com.au/advisories/200604-cisco.txt
VAR-200604-0363 CVE-2006-1836 Symantec LiveUpdate for Macintosh Local privilege elevation vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Untrusted search path vulnerability in unspecified components in Symantec LiveUpdate for Macintosh 3.0.0 through 3.5.0 do not set the execution path, which allows local users to gain privileges via a Trojan horse program. Symantec LiveUpdate for Macintosh is prone to a local privilege-escalation vulnerability. This issue is due to the application's failure to properly use the PATH environment variable in some of its components. A successful exploit allows local attackers to gain superuser privileges, leading to a complete compromise of the affected computer.

TITLE: Symantec LiveUpdate for Macintosh Privilege Escalation
SECUNIA ADVISORY ID: SA19682
VERIFY ADVISORY: http://secunia.com/advisories/19682/
CRITICAL: Less critical
IMPACT: Privilege escalation
WHERE: Local system
SOFTWARE:
Symantec Norton Utilities for Macintosh 8.x http://secunia.com/product/5953/
Symantec Norton SystemWorks for Macintosh 3.x http://secunia.com/product/5952/
Symantec Norton Personal Firewall for Macintosh 3.x http://secunia.com/product/5950/
Symantec Norton Internet Security for Macintosh 3.x http://secunia.com/product/5951/
Symantec Norton AntiVirus for Macintosh 9.x http://secunia.com/product/5948/
Symantec Norton AntiVirus for Macintosh 10.x http://secunia.com/product/5949/
Symantec LiveUpdate for Macintosh 3.x http://secunia.com/product/5954/

DESCRIPTION: A vulnerability has been reported in Symantec LiveUpdate for Macintosh, which can be exploited by malicious, local users to gain escalated privileges.

SOLUTION: Apply latest LiveUpdate patch.

PROVIDED AND/OR DISCOVERED BY: The vendor credits DigitalMunition.com.

ORIGINAL ADVISORY: http://securityresponse.symantec.com/avcenter/security/Content/2006.04.17b.html
VAR-200604-0205 CVE-2006-1192 Microsoft Internet Explorer Vulnerable to address bar spoofing CVSS V2: 2.6
CVSS V3: -
Severity: LOW
Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626. Microsoft Internet Explorer is prone to address-bar spoofing. Attackers may exploit this via a malicious web page to spoof the contents of a page that the victim may trust. This vulnerability may be useful in phishing or other attacks that rely on content spoofing.

TITLE: Internet Explorer Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA18957
VERIFY ADVISORY: http://secunia.com/advisories/18957/
CRITICAL: Highly critical
IMPACT: Spoofing, System access, Cross Site Scripting
WHERE: From remote
SOFTWARE:
Microsoft Internet Explorer 5.5 http://secunia.com/product/10/
Microsoft Internet Explorer 5.01 http://secunia.com/product/9/
Microsoft Internet Explorer 6.x http://secunia.com/product/11/

DESCRIPTION: Multiple vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to conduct cross-site scripting attacks, conduct phishing attacks, or compromise a user's system.
1) An error in the cross-domain restriction when accessing properties of certain dynamically created objects can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site via a JavaScript URI handler applied on a dynamically created "object" tag.
2) An error within the handling of multiple event handlers (e.g. onLoad) in an HTML element can be exploited to corrupt memory in a way that may allow execution of arbitrary code.
3) An error within the parsing of specially crafted, non-valid HTML can be exploited to corrupt memory in a way that allows execution of arbitrary code when a malicious HTML document is viewed.
4) An error within the instantiation of COM objects that are not intended to be instantiated in Internet Explorer can be exploited to corrupt memory in a way that allows execution of arbitrary code.
5) An error within the handling of HTML elements containing a specially crafted tag can be exploited to corrupt memory in a way that allows execution of arbitrary code.
6) An error within the handling of double-byte characters in specially crafted URLs can be exploited to corrupt memory in a way that allows execution of arbitrary code. Successful exploitation requires that the system uses double-byte character sets.
7) An error in the way IOleClientSite information is returned when an embedded object is dynamically created can be exploited to execute arbitrary code in context of another site or security zone.
8) An unspecified error can be exploited to spoof information displayed in the address bar and other parts of the trust UI.
9) Some unspecified vulnerabilities exist in the two ActiveX controls included with Danim.dll and Dxtmsft.dll.

SOLUTION: Apply patches.
Internet Explorer 5.01 SP4 on Windows 2000 SP4: http://www.microsoft.com/downloa...7B87-AF8F-4346-9164-596E3E5C22B1
Internet Explorer 6 SP1 on Windows 2000 SP4 or Windows XP SP1: http://www.microsoft.com/downloa...41E1-2B36-4696-987A-099FC57E0129
Internet Explorer 6 for Windows XP SP2: http://www.microsoft.com/downloa...FB31-E6B4-4771-81F1-4ACCEBF72133
Internet Explorer 6 for Windows Server 2003 and Windows Server 2003 SP1: http://www.microsoft.com/downloa...6871-D217-41D3-BECC-B27FAFA00054
Internet Explorer 6 for Windows Server 2003 for Itanium-based systems and Windows Server 2003 with SP1 for Itanium-based systems: http://www.microsoft.com/downloa...957C-0ABE-4129-ABAF-AA2852AD62A3
Internet Explorer 6 for Windows Server 2003 x64 Edition: http://www.microsoft.com/downloa...8BE3-39EE-4937-9BD1-280FC35125C6
Internet Explorer 6 for Windows XP Professional x64 Edition: http://www.microsoft.com/downloa...FE3E-620A-4BBC-868B-CA2D9EFF7AC3
Internet Explorer 6 SP1 on Windows 98, Windows 98 SE, or Windows ME: Patches are available via the Microsoft Update Web site or the Windows Update Web site.

PROVIDED AND/OR DISCOVERED BY:
1) Discovered by anonymous person.
2) Michal Zalewski
3) The vendor credits Jan P. Monsch, Compass Security Network Computing.
4) The vendor credits Richard M. Smith, Boston Software Forensics.
5) The vendor credits Thomas Waldegger.
6) The vendor credits Sowhat, Nevis Labs.
7) The vendor credits Heiko Schultze, SAP.
9) The vendor credits Will Dormann, CERT/CC.

ORIGINAL ADVISORY: MS06-013 (KB912812): http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
VAR-200604-0199 CVE-2006-0015 Microsoft Internet Information Services FPSE cross-site scripting vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in _vti_bin/_vti_adm/fpadmdll.dll in Microsoft FrontPage Server Extensions 2002 and SharePoint Team Services allows remote attackers to inject arbitrary web script or HTML, then leverage the attack to execute arbitrary programs or create new accounts, via the (1) operation, (2) command, and (3) name parameters. Microsoft FrontPage Server Extensions are prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before it is rendered to other users. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user, with the privileges of the victim user's account. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

SOLUTION: Apply patches.
FrontPage Server Extensions 2002 (Windows Server 2003 and Windows Server 2003 SP1): http://www.microsoft.com/downloads/details.aspx?FamilyId=5C03F85A-5228-47FB-A338-90FA23818E08
FrontPage Server Extensions 2002 (Windows Server 2003 for Itanium-based systems and Windows Server 2003 with SP1 for Itanium-based systems): http://www.microsoft.com/downloads/details.aspx?FamilyId=59F15A6B-CC1B-43D5-A007-BFC9ABB63486
FrontPage Server Extensions 2002 (x64 Edition) downloaded and installed on Windows Server 2003 x64 Edition and Windows XP Pro x64 Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=F453530D-7063-49AB-B304-9C455DE6D8DA
FrontPage Server Extensions 2002 (x86 Editions) downloaded and installed on Windows Server 2000 SP4, Windows XP SP1, and Windows XP SP2: http://www.microsoft.com/downloads/details.aspx?FamilyId=F453530D-7063-49AB-B304-9C455DE6D8DA
Microsoft SharePoint Team Services: http://www.microsoft.com/downloads/details.aspx?FamilyId=EEE40662-39E6-4C07-8241-1AC4F5D24FFC

PROVIDED AND/OR DISCOVERED BY: The vendor credits Esteban Martínez Fayó.

ORIGINAL ADVISORY: MS06-017 (KB917627): http://www.microsoft.com/technet/security/Bulletin/MS06-017.mspx
VAR-200604-0097 CVE-2006-1670 Cisco Optical Networking System denial of service (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Control cards for Cisco Optical Networking System (ONS) 15000 series nodes before 20060405 allow remote attackers to cause a denial of service (memory exhaustion and possibly card reset) by sending an invalid response when the final ACK is expected, aka bug ID CSCei45910. Cisco Optical Networking System (ONS) contains a denial of service (DoS) vulnerability. A third party may be able to cause a denial of service (DoS). This issue is also known as bug ID CSCei45910. Cisco Optical Networking System and Transport Controller are prone to multiple vulnerabilities. Cisco Optical Networking System 15000 series are affected by multiple denial-of-service vulnerabilities. Cisco Transport Controller is prone to an arbitrary code-execution vulnerability.
1) Multiple services are vulnerable to ACK DoS attacks where an invalid response is sent instead of the final ACK packet during the 3-way handshake. This can be exploited to cause the control cards to exhaust memory resources, not respond to further connections, or reset by establishing multiple of these connections. Successful exploitation requires that IP is configured on the LAN interface (enabled by default).
2) An error within the processing of IP packets can be exploited to reset the control cards by sending a specially crafted IP packet. Successful exploitation requires that IP is configured on the LAN interface (enabled by default) and secure mode for element management system (EMS)-to-network-element access is enabled (disabled by default).
3) Another error within the processing of IP packets can be exploited to reset the control cards by sending a specially crafted IP packet. Successful exploitation requires that IP is configured on the LAN interface (enabled by default).
4) An error within the processing of OSPF (Open Shortest Path First) packets can be exploited to reset the control cards by sending a specially crafted OSPF packet.
Successful exploitation requires that the OSPF routing protocol is configured on the LAN interface (disabled by default). Successful exploitation of the above vulnerabilities (#1 through #4) requires that the Optical node has the Common Control Card connected to a DCN (Data Communication Network) and is enabled for IPv4.

The above vulnerabilities (#1 through #4) affect the following Cisco ONS 15000 series platforms:
* Cisco ONS 15310-CL Series
* Cisco ONS 15327 Series
* Cisco ONS 15454 MSPP
* Cisco ONS 15454 MSTP
* Cisco ONS 15600 Series

The following Cisco ONS 15000 series platforms are not affected by the vulnerabilities:
* Cisco ONS 15100 Series
* Cisco ONS 15200 Series
* Cisco ONS 15302, ONS 15305, and ONS 15310-MA platforms
* Cisco ONS 15500 Series
* Cisco ONS 15800 Series

5) A vulnerability exists within the Cisco Transport Controller (CTC) applet launcher, which is downloaded each time a management connection is made to the Optical node. The vulnerability is caused due to the java.policy permissions being too broad by granting all permissions to any software originating from the codeBase or source at http://*/fs/LAUNCHER.jar. This can be exploited to execute arbitrary code on the CTC workstation if it is used to connect to a malicious web site running Java code from the "/fs/LAUNCHER.jar" location. The vulnerability affects versions 4.0.x and prior.

SOLUTION: 1-4) Updated versions are available (see patch matrix in vendor advisory).

PROVIDED AND/OR DISCOVERED BY: Reported by vendor.

ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060405-ons.shtml