VARIoT IoT vulnerabilities database
VAR-200512-0724 | CVE-2005-4587 | Juniper NetScreen-Security Manager Remote Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Juniper NetScreen-Security Manager (NSM) 2004 FP2 and FP3 allow remote attackers to cause a denial of service (crash or hang of server components that are automatically restarted) via a long crafted string on (1) port 7800 (the GUI Server port) or (2) port 7801 (the Device Server port). Juniper NSM is prone to a remote denial of service vulnerability.
A remote attacker may trigger a crash or hang in the server and deny service to legitimate users. It should be noted that the application ships with a watchdog service that periodically restarts the services.
NSM 2004 FP2 and FP3 are reportedly vulnerable. NetScreen-Security Manager (NSM) is a security management platform that provides management and monitoring of devices, networks, and security configurations and policies.
TITLE:
Juniper NetScreen Security Manager Potential Denial of Service
SECUNIA ADVISORY ID:
SA18232
VERIFY ADVISORY:
http://secunia.com/advisories/18232/
CRITICAL:
Less critical
IMPACT:
DoS
WHERE:
From local network
SOFTWARE:
NetScreen-Security Manager (NSM) 2004
http://secunia.com/product/2843/
DESCRIPTION:
David Maciejak has reported a vulnerability in NetScreen Security
Manager (NSM) which potentially can be exploited by malicious people
to cause a DoS (Denial of Service).
The vulnerability is caused due to an unspecified error in "guiSrv"
and "devSrv". This can be exploited to crash the service via
specially crafted input sent to port 7800 and 7801.
The vulnerability has been reported in NSM 2004 FP2 and FP3. Other
versions may also be affected.
SOLUTION:
Update to version FP4r1 (2005.1).
PROVIDED AND/OR DISCOVERED BY:
David Maciejak
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200603-0283 | CVE-2006-0398 | Apple Safari WebKit component vulnerable to buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows attackers to trick a user into opening an application that appears to be a safe file type. NOTE: due to the lack of specific information in the vendor advisory, it is not clear how CVE-2006-0397, CVE-2006-0398, and CVE-2006-0399 are different. Apple Safari WebKit component is vulnerable to buffer overflow. This may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. Commands would be executed in the context of the user opening the archive file.
Attackers can reportedly use Safari and Apple Mail as exploitation vectors for this vulnerability.
Mac OS X 10.4.5 is reported to be vulnerable. Earlier versions may also be affected. Apple Safari is a web browser bundled with the Apple operating system. There is an issue in Safari's handling of automatic opening of downloaded files. Safari's default configuration allows files to be automatically opened after downloading a safe file. Due to this default configuration and inconsistencies in Safari and OS X's security files, Safari may execute arbitrary shell commands if a specially crafted page is viewed.
TITLE:
Mac OS X KHTMLParser Denial of Service Weakness
SECUNIA ADVISORY ID:
SA18220
VERIFY ADVISORY:
http://secunia.com/advisories/18220/
CRITICAL:
Not critical
IMPACT:
DoS
WHERE:
From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Tom Ferris has discovered a weakness in Mac OS X, which can be
exploited by malicious people to cause a DoS (Denial of Service).
The weakness is caused due to an error in the KHTMLParser when
parsing certain malformed HTML documents. This can be exploited to
crash an application that uses the parser via a specially crafted
HTML file. In certain cases, this may cause the system to become
unresponsive. Other applications that use the
parser may also be affected.
SOLUTION:
Do not open or follow links to HTML files from non-trusted sources.
PROVIDED AND/OR DISCOVERED BY:
Tom Ferris
ORIGINAL ADVISORY:
http://security-protocols.com/advisory/sp-x22-advisory.txt
VAR-200512-0793 | CVE-2005-4511 | TN3270 Resource Gateway Format string vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Format string vulnerability in TN3270 Resource Gateway 1.1.0 allows local users to cause a denial of service and possibly execute arbitrary code via format string specifiers in syslog function calls. Tn3270 Resource Gateway is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, resulting in a denial-of-service condition. This may be
exploited to crash the service and may allow arbitrary code
execution.
Successful exploitation requires that a local user is able to input
specially crafted resource strings into the database and e.g. trick
another user into running the affected software.
The vulnerability has been reported in version 1.1.0. Prior versions
may also be affected.
SOLUTION:
Update to version 1.1.1.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://sourceforge.net/project/shownotes.php?release_id=379592
VAR-200512-0744 | CVE-2005-4499 | Cisco products downloadable IP ACL function authentication bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Downloadable RADIUS ACLs feature in Cisco PIX and VPN 3000 concentrators, when creating an ACL on the Cisco Secure Access Control Server (CS ACS), generates a random internal name for an ACL that is also used as a hidden user name and password, which allows remote attackers to gain privileges by sniffing the username from the cleartext portion of a RADIUS session, then using the password to log in to another device that uses CS ACS. Multiple Cisco products implement a downloadable IP ACL function in which, when a device downloads an ACL, the ACL name is used as the user name (with an identical password) for authentication to the RAS/NAS. Because the ACL name serves as the credential, anyone who knows the ACL name can pass authentication illegitimately with it, so unauthorized access to the network is possible. Cisco PIX and VPN 3000 concentrators, when managed by Cisco Secure Access Control Servers, are vulnerable to an information disclosure vulnerability. This issue is due to a design flaw that communicates sensitive information over an unencrypted communications channel.
This issue allows remote attackers to gain access to sensitive information if they can sniff network packets traveling between affected devices and the RADIUS server. This information potentially aids them in further attacks.
Specific Cisco versions and products affected by this issue are not currently known. The list of affected packages will be updated as further information is disclosed. Cisco PIX is a very popular network firewall, while CS ACS is a network device that provides authentication, authorization, and accounting services. Cisco PIX has a flaw in network management communication, and attackers may use this flaw to gain unauthorized access to the device. At the same time, CS ACS also creates an internal hidden user named #ACSACL#-IP-uacl-43a97a9d with the password #ACSACL#-IP-uacl-43a97a9d (!). This user is not visible in the CS ACS GUI. The protocol the PIX uses to download the ACL proceeds as follows: 0) The user accesses the Internet through the PIX with HTTP(S); the PIX requests a user name and password, and the user enters them in the dialog box. 1) The PIX sends a RADIUS Access-Request to CS ACS to authenticate the user (the user's password is encrypted by RADIUS). 2) The RADIUS server authenticates the user and sends back the cisco-av-pair vendor-specific attribute (VSA) with the value ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-uacl-43a97a9d. 3) The PIX sends a second RADIUS Access-Request to authenticate the user #ACSACL#-IP-uacl-43a97a9d. 4) The RADIUS server authenticates that user and sends back the ACL body in further cisco-av-pair VSA attributes (ip:inacl#1=... ). This means that anyone on the network path can see the plaintext user name #ACSACL#-IP-uacl-43a97a9d sent from the CS ACS server to the PIX by the RADIUS protocol, and that user's password is the same as the user name. If a network device is configured to use the same CS ACS server for login authentication, the sniffed user name can be used to log in to that network device.
The vulnerability is caused due to a design error in the Downloadable
IP ACL (Access Control List) feature. This can be exploited by
malicious people who know the name of a Downloadable IP ACL
configured on the ACS server to authenticate to the RAS/NAS (Remote
Access Server/Network Access Server) by using the name of that ACL as
their user name.
Successful exploitation requires that the attacker knows the name of
the Downloadable IP ACL e.g. by sniffing network traffic between the
RAS/NAS and the ACS server.
SOLUTION:
The vulnerability has been fixed in the following versions.
* Cisco Secure ACS Version 4.0.1
* PIX version 6.3(5)
* PIX/ASA 7.0(2)
* Cisco IOS Software Version 12.3(8)T4
* VPN 3000 versions 4.0.5.B and 4.1.5.B
Cisco FWSM:
Refer to vendor's original advisory for workaround instructions.
PROVIDED AND/OR DISCOVERED BY:
ovt
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00805bf1c4.shtml
VAR-200512-0696 | CVE-2005-4464 | Ingate Firewall and SIParator Remote Kernel Deadlock Denial Of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Ingate Firewall before 4.3.4 and SIParator before 4.3.4 allows remote attackers to cause a denial of service (kernel deadlock) by sending a SYN packet for a TCP stream, which requires an RST packet in response. Ingate Firewall and SIParator products are susceptible to a remote denial of service vulnerability.
TITLE:
Ingate Firewall and SIParator Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA18138
VERIFY ADVISORY:
http://secunia.com/advisories/18138/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
From remote
OPERATING SYSTEM:
Ingate SIParator 4.x
http://secunia.com/product/5687/
Ingate Firewall 4.x
http://secunia.com/product/4050/
DESCRIPTION:
A vulnerability has been reported in Ingate Firewall and SIParator,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service).
The vulnerability is caused due to an error in the kernel when
handling certain TCP packets in a media stream.
SOLUTION:
Update to version 4.3.4.
http://www.ingate.com/upgrades.php
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.ingate.com/relnote-434.php
VAR-200512-0082 | CVE-2005-4440 | Cisco IOS 802.1q VLAN protocol traffic spoofing and segmentation bypass vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: Medium |
The 802.1q VLAN protocol allows remote attackers to bypass network segmentation and spoof VLAN traffic via a message with two 802.1q tags, which causes the second tag to be redirected from a downstream switch after the first tag has been stripped, as demonstrated by Yersinia, aka "double-tagging VLAN jumping attack.". ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ A VLAN (Virtual LAN) groups LAN terminals into virtual groups that are independent of the physical connection topology; a switch with a VLAN function groups terminals by MAC address, IP address, protocol used, and so on. A PVLAN (Private VLAN) is a function that configures one subnet by combining more than one VLAN. The VLAN standard IEEE 802.1q is implemented in Cisco IOS, which runs on Cisco Catalyst and many other switching devices. 802.1q attaches a VLAN identification ID (tag) to frames flowing through the network, so that a VLAN can be configured across multiple switches. The VLAN/PVLAN implementation in Cisco IOS has the following security issues that allow communication with hosts on different isolated segments: 1) When a deliberately crafted packet containing two IEEE 802.1q tags is sent, packets can be delivered to hosts on segments separated by VLAN. 2) When a packet whose destination MAC address has been changed to that of the gateway router is sent, packets can be delivered to hosts on segments separated by PVLAN. In addition, by spoofing the IP address of a host that can communicate with the target host (a host controlled by the attacker) in packets that exploit these issues, it is possible to control the destination of response packets from the target host.
As a result, a remote attacker may gain access to a target host that is otherwise inaccessible and attempt further attacks. Please refer to the “Overview” for the impact of this vulnerability. The VLAN protocol is prone to a security bypass vulnerability.
VAR-200512-0083 | CVE-2005-4441 | Cisco IOS PVLAN protocol traffic spoofing and segmentation bypass vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: Medium |
The PVLAN protocol allows remote attackers to bypass network segmentation and spoof PVLAN traffic via a PVLAN message with a target MAC address that is set to a gateway router, which causes the packet to be sent to the router, where the source MAC is modified, aka "Modification of the MAC spoofing PVLAN jumping attack," as demonstrated by pvlan.c. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ A VLAN (Virtual LAN) groups LAN terminals into virtual groups that are independent of the physical connection topology; a switch with a VLAN function groups terminals by MAC address, IP address, protocol used, and so on. A PVLAN (Private VLAN) is a function that configures one subnet by combining more than one VLAN. The VLAN standard IEEE 802.1q is implemented in Cisco IOS, which runs on Cisco Catalyst and many other switching devices. 802.1q attaches a VLAN identification ID (tag) to frames flowing through the network, so that a VLAN can be configured across multiple switches. The VLAN/PVLAN implementation in Cisco IOS has the following security issues that allow communication with hosts on different isolated segments: 1) When a deliberately crafted packet containing two IEEE 802.1q tags is sent, packets can be delivered to hosts on segments separated by VLAN. In addition, by spoofing the IP address of a host that can communicate with the target host (a host controlled by the attacker) in packets that exploit these issues, it is possible to control the destination of response packets from the target host. As a result, a remote attacker may gain access to a target host that is otherwise inaccessible and attempt further attacks. Please refer to the “Overview” for the impact of this vulnerability. The PVLAN protocol is prone to a security bypass vulnerability.
VAR-200512-0059 | CVE-2005-4417 | Widcomm Bluetooth for Windows Remote attack vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
The default configuration of Widcomm Bluetooth for Windows (BTW) 4.0.1.1500 and earlier, as installed on Belkin Bluetooth Software 1.4.2 Build 10 and ANYCOM Blue USB-130-250 Software 4.0.1.1500, and possibly other devices, sets null Authentication and Authorization values, which allows remote attackers to send arbitrary audio and possibly eavesdrop using the microphone via the Hands Free Audio Gateway and Headset profile. Blue Usb-130-250 Software is prone to a remote security vulnerability
VAR-200512-0078 | CVE-2005-4436 | Cisco IOS EIGRP denial of service (DoS) vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Extended Interior Gateway Routing Protocol (EIGRP) 1.2, as implemented in Cisco IOS after 12.3(2), 12.3(3)B, and 12.3(2)T and other products, allows remote attackers to cause a denial of service by sending a "spoofed neighbor announcement" with (1) mismatched k values or (2) "goodbye message" Type-Length-Value (TLV). ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. The EIGRP implementation in Cisco IOS has several problems: 1) The Goodbye Message, which notifies adjacent devices when the routing process terminates, is handled improperly. If a remote attacker sends a deliberately crafted Goodbye Message, adjacency with the device may be lost. 2) There is a flaw in the verification method for authenticated EIGRP packets: EIGRP packets containing an MD5 hash value can be eavesdropped and their hash values reused. If a remote attacker sends an EIGRP HELLO packet to the target device, the response from the target device may disclose information about the EIGRP domain. Also, as in the problem described in BID 6443, network bandwidth can be exhausted with ARP requests, eventually resulting in an unusable network. Please refer to the “Overview” for the impact of this vulnerability.
This issue allows attackers to gain access to potentially sensitive network information in EIGRP UPDATE reply packets, or to cause a denial of service condition by flooding routers with HELLO packets. By utilizing replayed HELLO packets with MD5 enabled, attackers may cause a more severe denial of service condition. The Cisco EIGRP protocol is susceptible to a remote denial of service vulnerability. This issue is possible when MD5 neighbor authentication is not in use.
This issue allows attackers to cause routing relationships to be torn down, forcing them to be reestablished. The routing link will be unavailable during the time that the link is torn down, until it is reestablished. By repeating the attack, a sustained denial of network service is possible.
This issue is being tracked by Cisco Bug ID CSCsc13698. Internet Operating System (IOS) is an operating system used on Cisco routers. There is a flaw in the EIGRP implementation of IOS, and attackers may use this flaw to carry out denial-of-service attacks on routers. Attackers can inject forged packets into the network from outside the perimeter so that receiving hosts will accept them as genuine. Successful exploitation of this vulnerability could lead to the teardown and re-establishment of routing neighbor relationships, and repeated attacks could lead to a persistent denial of service.
VAR-200512-0171 | CVE-2005-4391 | Retired: Mindroute Lemoon/Damoon Search Module Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in damoon allows remote attackers to inject arbitrary web script or HTML via unspecified search parameters, possibly the q parameter. lemoon and damoon are prone to a cross-site scripting vulnerability. This issue is due to a failure in the applications to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Further information from the vendor states this issue does not affect lemoon or damoon directly, or sites utilizing the core elements of the software. This BID is being retired.
TITLE:
damoon "q" Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA18118
VERIFY ADVISORY:
http://secunia.com/advisories/18118/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
damoon
http://secunia.com/product/6563/
DESCRIPTION:
r0t has reported a vulnerability in damoon, which can be exploited by
malicious people to conduct cross-site scripting attacks.
Input passed to the "q" parameter when performing a search isn't
properly sanitised before being returned to the user.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
r0t
ORIGINAL ADVISORY:
http://pridels.blogspot.com/2005/12/damoon-xss-vuln.html
VAR-200512-0178 | CVE-2005-4398 | Lemoon/Damoon Search Module Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
NOTE: the vendor has disputed this issue. Cross-site scripting (XSS) vulnerability in lemoon 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified search parameters, possibly the q parameter. NOTE: the vendor has disputed this issue, saying "Sites are built on top of ASP.NET and you use lemoon core objects to easily manage and render content. The XSS vuln. you are referring to exists in one of our public sites built on lemoon i.e. a custom made site (as all sites are). The problem exists in a UserControl that handles form input and is in no way related to the lemoon core product. lemoon and damoon are prone to a cross-site scripting vulnerability. This issue is due to a failure in the applications to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. This BID is being retired.
TITLE:
lemoon "q" Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA18119
VERIFY ADVISORY:
http://secunia.com/advisories/18119/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
lemoon 2.x
http://secunia.com/product/6564/
DESCRIPTION:
r0t has reported a vulnerability in lemoon, which can be exploited by
malicious people to conduct cross-site scripting attacks.
Input passed to the "q" parameter when performing a search isn't
properly sanitised before being returned to the user.
The vulnerability has been reported in version 2.0 and prior. Other
versions may also be affected.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
r0t
ORIGINAL ADVISORY:
http://pridels.blogspot.com/2005/12/lemoon-xss-vuln.html
VAR-200512-0079 | CVE-2005-4437 | Cisco EIGRP Protocol HELLO Packet Replay Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
MD5 Neighbor Authentication in Extended Interior Gateway Routing Protocol (EIGRP) 1.2, as implemented in Cisco IOS 11.3 and later, does not include the Message Authentication Code (MAC) in the checksum, which allows remote attackers to sniff message hashes and (1) replay EIGRP HELLO messages or (2) cause a denial of service by sending a large number of spoofed EIGRP neighbor announcements, which results in an ARP storm on the local network. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ Cisco IOS implements EIGRP (Enhanced Interior Gateway Routing Protocol), a Cisco proprietary extended distance vector protocol, as a routing protocol. The EIGRP implementation in Cisco IOS has several problems: 1) The Goodbye Message, which notifies adjacent devices when the routing process terminates, is handled improperly. If a remote attacker sends a deliberately crafted Goodbye Message, adjacency with the device may be lost. 2) There is a flaw in the verification method for authenticated EIGRP packets: EIGRP packets containing an MD5 hash value can be eavesdropped and their hash values reused. If a remote attacker sends an EIGRP HELLO packet to the target device, the response from the target device may disclose information about the EIGRP domain. Also, as in the problem described in BID 6443, network bandwidth can be exhausted with ARP requests, eventually resulting in an unusable network. Please refer to the “Overview” for the impact of this vulnerability.
This issue allows attackers to gain access to potentially sensitive network information in EIGRP UPDATE reply packets, or to cause a denial of service condition by flooding routers with HELLO packets. By utilizing replayed HELLO packets with MD5 enabled, attackers may cause a more severe denial of service condition. The Cisco EIGRP protocol is susceptible to a remote denial of service vulnerability. This issue is possible when MD5 neighbor authentication is not in use.
This issue allows attackers to cause routing relationships to be torn down, forcing them to be reestablished. The routing link will be unavailable during the time that the link is torn down, until it is reestablished. By repeating the attack, a sustained denial of network service is possible.
This issue is being tracked by Cisco Bug ID CSCsc13698
VAR-200512-1034 | CVE-2005-4360 | Microsoft IIS denial of service (DoS) vulnerability due to malformed HTTP request processing |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The URL parser in Microsoft Internet Information Services (IIS) 5.1 on Windows XP Professional SP2 allows remote attackers to execute arbitrary code via multiple requests to ".dll" followed by arguments such as "~0" through "~9", which causes ntdll.dll to produce a return value that is not correctly handled by IIS, as demonstrated using "/_vti_bin/.dll/*/~0". NOTE: the consequence was originally believed to be only a denial of service (application crash and reboot). If execute access [Scripts and executables] is enabled for a virtual directory in Microsoft IIS, a deficiency in the handling of HTTP requests (URLs) for that virtual directory can cause inetinfo.exe to crash. Web applications using ASP and CGI on Microsoft IIS may therefore be put into a denial of service (DoS) state. Microsoft IIS is prone to a remote code-execution vulnerability because the application fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the vulnerable application, which may lead to the complete compromise of affected computers.
This issue affects Microsoft IIS 5.1 running on Windows XP SP2.
Note: this issue was previously reported as a denial-of-service vulnerability. New information from the vendor states that code execution is possible.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA07-191A
Microsoft Updates for Multiple Vulnerabilities
Original release date: July 10, 2007
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Excel
* Microsoft Publisher
* Microsoft .NET Framework
* Microsoft Internet Information Services (IIS)
* Microsoft Windows Vista Firewall
Overview
Microsoft has released updates that address critical vulnerabilities
in Microsoft Windows, Excel, Publisher, .NET Framework, Internet
Information Services, and Windows Vista Firewall.
I. Description
Microsoft has released updates to address vulnerabilities that affect
Microsoft Windows, Excel, Publisher, .NET Framework, Internet
Information Services, and Windows Vista Firewall as part of the
Microsoft Security Bulletin Summary for July 2007.
Further information about the vulnerabilities addressed by these
updates is available in the Vulnerability Notes Database.
II. Impact
An attacker may also be able to cause a denial of
service.
III. Solution
Apply updates from Microsoft
Microsoft has provided updates for these vulnerabilities in the July
2007 Security Bulletins. The Security Bulletins describe any known
issues related to the updates. Administrators are encouraged to note
any known issues that are described in the Bulletins and test for any
potentially adverse effects.
System administrators may wish to consider using an automated patch
distribution system such as Windows Server Update Services (WSUS).
IV. References
* US-CERT Vulnerability Notes for Microsoft July 2007 updates -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms07-jul>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* Microsoft Security Bulletin Summary for July 2007 -
<http://www.microsoft.com/technet/security/bulletin/ms07-jul.mspx>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>
* Microsoft Office Update - <http://officeupdate.microsoft.com/>
* Windows Server Update Services -
<http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA07-191A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-191A Feedback VU#487905" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
July 10, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRpPwhvRFkHkM87XOAQKWiQf/XFpYurcCFZ1qG700NatqdY7wL6pO4qbv
hGzdzUJH+aRN7b6XaEE/ZLprWnyj2H8HbH+HAHOuKDOxBI7N6PQ4WPaeZ14tDsNP
pNFg81LjE5Hlj6h5N2p8XML3t/4X7a7wk5YB7nhiBdisxAJ7iNjQ1BawjTlA9/kl
dTaIRW2njHpupGLWuin60U/di12jI3JirgJHfiRK6Ruiqnv56rM7LS9IOT1HV5RR
0otIr1Dttdnmgveb0YOiz7A36nwMiCEUzcUu2rKzARpZ4gMBIrSbfkAJpyUE0w3K
WMh1tgEt3fooTgvBUhpDjfxbMNka85wGbpizcsKnw6VVzIQAlr0y3Q==
=FRhW
-----END PGP SIGNATURE-----
The vulnerability is caused due to an error in the handling of
certain malformed URLs.
Example:
http://[host]/[dir]/.dll/%01~0
Successful exploitation requires that "[dir]" is a virtual directory
that is configured with "Scripts & Executables" execution
permissions.
Note: IIS will automatically restart after the crash.
SOLUTION:
Filter potentially malicious characters or character sequences with an
HTTP proxy.
IIS 5.0 and 6.0 are reportedly not affected.
PROVIDED AND/OR DISCOVERED BY:
Inge Henriksen
ORIGINAL ADVISORY:
http://ingehenriksen.blogspot.com/2005/12/microsoft-iis-remote-dos-dll-url.html
VAR-200512-0144 | CVE-2005-4332 | Cisco Clean Access Multiple JSP Page access validation vulnerability |
CVSS V2: 9.4 CVSS V3: - Severity: HIGH |
Cisco Clean Access 3.5.5 and earlier on the Secure Smart Manager allows remote attackers to bypass authentication and cause a denial of service or upload files via direct requests to obsolete JSP files including (1) admin/uploadclient.jsp, (2) apply_firmware_action.jsp, and (3) file.jsp. Cisco Clean Access is prone to a vulnerability that could allow unauthorized users to access various Web server JSP pages.
This could allow an attacker to upload unauthorized data, cause denial of service issues, and possibly take unauthorized actions through accessing inappropriate JSP pages.
Cisco Clean Access version 3.5.5 is reported vulnerable; prior versions may also be affected.
Cisco has stated that this issue is being tracked by bug ID CSCsc85405. Similar issues exist in apply_firmware_action.jsp and file.jsp.
The vulnerability is caused due to missing authentication on several
obsolete JSP files (e.g. "/admin/uploadclient.jsp",
"apply_firmware_action.jsp" and "file.jsp") that are present on the
Secure Smart Manager. This can be exploited to upload files onto the
affected system without requiring authentication, potentially to
cause a DoS by filling up the disk space.
The vulnerability has been reported in 3.5.5. Other versions may also
be affected.
SOLUTION:
Apply patch.
http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches?psrtdcat20e2
PROVIDED AND/OR DISCOVERED BY:
Alex Lanstein
ORIGINAL ADVISORY:
CISCO:
http://www.cisco.com/warp/public/707/cisco-response-20051221-CCA.shtml
Alex Lanstein:
http://www.awarenetwork.org/forum/viewtopic.php?p=2236
VAR-200512-0658 | CVE-2005-3253 | WEP Key Authentication Bypass Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Wireless Access Points (AP) for (1) Avaya AP-3 through AP-6 2.5 to 2.5.4, and AP-7/AP-8 2.5 and other versions before 3.1, and (2) Proxim AP-600 and AP-2000 before 2.5.5, and Proxim AP-700 and AP-4000 after 2.4.11 and before 3.1, use a static WEP key of "12345", which allows remote attackers to bypass authentication. Both Avaya wireless AP and Proxim wireless AP are very popular wireless access devices.
The problem is caused due to the presence of a static WEP key set to
"12345". This can be exploited to bypass the 802.1x authentication
process.
Successful exploitation allows access to network resources.
The security issue affects the following products:
* Avaya Wireless Access Points AP-3, AP-4, AP-5, and AP-6 (All
versions after 2.5 to 2.5.4)
* Avaya Wireless Access Points AP-7 and AP-8 (All versions after 2.5
and prior to 3.1)
SOLUTION:
Avaya Wireless AP-3:
Apply Software Update 2.5.5 for AP3.
http://support.avaya.com/japple/css/japple?temp.documentID=280939&temp.productID=107770&temp.bucketID=108025&PAGE=Document
Avaya Wireless AP-4, 5, and 6:
Apply Software Update 2.5.5 for AP4, 5, and 6.
http://support.avaya.com/japple/css/japple?temp.documentID=280948&temp.productID=107770&temp.bucketID=108025&PAGE=Document
Avaya Wireless AP-7:
Apply Software Update 3.1 for AP7.
http://support.avaya.com/japple/css/japple?temp.documentID=280946&temp.productID=107770&temp.bucketID=108025&PAGE=Document
Avaya Wireless AP-8:
Apply Software Update 2.5.5 for AP4, 5, and 6.
http://support.avaya.com/japple/css/japple?temp.documentID=280948&temp.productID=107770&temp.bucketID=108025&PAGE=Document
PROVIDED AND/OR DISCOVERED BY:
Urmas Kahar and Tarmo Kaljumae
ORIGINAL ADVISORY:
http://support.avaya.com/elmodocs2/security/ASA-2005-233.pdf
VAR-200512-0087 | CVE-2005-4275 | Scientific Atlanta DPX2100 Cable Modem LanD Packet Denial Of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Scientific Atlanta DPX2100 Cable Modem allows remote attackers to cause a denial of service (device crash) via an IP packet with the same source and destination IPs and ports, and with the SYN flag set (aka LanD), as demonstrated using hping2. NOTE: the provenance of this issue is unknown; the details are obtained solely from third party information. Scientific Atlanta DPX2100 cable modems are prone to a denial of service vulnerability.
These devices are susceptible to a remote denial of service vulnerability when handling TCP 'LanD' packets.
This issue allows remote attackers to crash affected devices, or to temporarily block further network routing functionality. This will deny further network services to legitimate users.
Scientific Atlanta DPX2100 cable modems are reportedly affected by this issue. Due to code reuse among devices, other devices may also be affected.
VAR-200512-0266 | CVE-2005-4257 | Various Linksys Router LanD Packet denial of service vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Linksys WRT54GS and BEFW11S4 allow remote attackers to cause a denial of service (device crash) via an IP packet with the same source and destination IPs and ports, and with the SYN flag set (aka LAND). NOTE: the provenance of this issue is unknown; the details are obtained solely from the BID. Multiple Linksys devices are prone to a denial of service vulnerability.
These devices are susceptible to a remote denial of service vulnerability when handling TCP 'LanD' packets.
This issue allows remote attackers to crash affected devices, or to temporarily block further network routing functionality. This will deny further network services to legitimate users.
Linksys BEFW11S4 and WRT54GS devices are reportedly affected by this issue. Due to code reuse among devices, other devices may also be affected.
VAR-200512-0215 | CVE-2005-4258 | Cisco Catalyst Switches LanD Packet denial of service vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified Cisco Catalyst Switches allow remote attackers to cause a denial of service (device crash) via an IP packet with the same source and destination IPs and ports, and with the SYN flag set (aka LanD). NOTE: the provenance of this issue is unknown; the details are obtained solely from the BID. Multiple unspecified Cisco Catalyst switches are prone to a denial of service vulnerability.
These devices are susceptible to a remote denial of service vulnerability when handling TCP 'LanD' packets.
This issue allows remote attackers to crash affected devices, or to temporarily block further network routing functionality. This will deny further network services to legitimate users.
As no specific Cisco devices were identified by the reporter of this issue, all Cisco Catalyst devices have been marked as vulnerable. This BID will be updated as further information on affected packages becomes available.
VAR-200512-0217 | CVE-2005-4260 | PHPNuke Content Filtering Bypass Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Interpretation conflict in includes/mainfile.php in PHP-Nuke 7.9 and later allows remote attackers to perform cross-site scripting (XSS) attacks by replacing the ">" in the tag with a "<", which bypasses the regular expressions that sanitize the data, but is automatically corrected by many web browsers. NOTE: it could be argued that this vulnerability is due to a design limitation of many web browsers; if so, then this should not be treated as a vulnerability in PHP-Nuke. PHPNuke is prone to a content filtering bypass vulnerability. This issue can allow an attacker to bypass content filters and potentially carry out cross-site scripting, HTML injection and other attacks.
PHPNuke 7.9 and prior versions are reported to be vulnerable.
VAR-200512-0229 | CVE-2005-4220 | NetGear RP114 SYN Flood Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Netgear RP114, and possibly other versions and devices, allows remote attackers to cause a denial of service via a SYN flood attack between one system on the internal interface and another on the external interface, which temporarily stops routing between the interfaces, as demonstrated using nmap. NetGear RP114 is a broadband access router suitable for various lines and various access methods.
NetGear RP114 fails to properly handle large volumes of malicious network traffic, causing the device to malfunction. The NetGear RP114 device is prone to a denial of service vulnerability.
This issue allows attackers to block network traffic to arbitrarily targeted network services, effectively denying service to legitimate users of the device.