VARIoT IoT vulnerabilities database


VAR-200512-0724 CVE-2005-4587 Juniper NetScreen-Security Manager Remote Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Juniper NetScreen-Security Manager (NSM) 2004 FP2 and FP3 allow remote attackers to cause a denial of service (crash or hang of server components that are automatically restarted) via a long crafted string on (1) port 7800 (the GUI Server port) or (2) port 7801 (the Device Server port). Juniper NSM is prone to a remote denial of service vulnerability. A remote attacker may trigger a crash or hang in the server and deny service to legitimate users. It should be noted that the application ships with a watchdog service that periodically restarts the services. NSM 2004 FP2 and FP3 are reportedly vulnerable. NetScreen-Security Manager (NSM) is a security management platform that provides management and monitoring of devices, networks, and security configurations and policies.
TITLE: Juniper NetScreen Security Manager Potential Denial of Service
SECUNIA ADVISORY ID: SA18232
VERIFY ADVISORY: http://secunia.com/advisories/18232/
CRITICAL: Less critical
IMPACT: DoS
WHERE: From local network
SOFTWARE: NetScreen-Security Manager (NSM) 2004 http://secunia.com/product/2843/
DESCRIPTION: David Maciejak has reported a vulnerability in NetScreen Security Manager (NSM) which potentially can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error in "guiSrv" and "devSrv". This can be exploited to crash the service via specially crafted input sent to ports 7800 and 7801. The vulnerability has been reported in NSM 2004 FP2 and FP3. Other versions may also be affected.
SOLUTION: Update to version FP4r1 (2005.1).
PROVIDED AND/OR DISCOVERED BY: David Maciejak
VAR-200603-0283 CVE-2006-0398 Apple Safari WebKit component vulnerable to buffer overflow CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows attackers to trick a user into opening an application that appears to be a safe file type. NOTE: due to the lack of specific information in the vendor advisory, it is not clear how CVE-2006-0397, CVE-2006-0398, and CVE-2006-0399 are different. The Apple Safari WebKit component is vulnerable to a buffer overflow. This may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. Commands would be executed in the context of the user opening the archive file. Attackers can reportedly use Safari and Apple Mail as exploitation vectors for this vulnerability. Mac OS X 10.4.5 is reported to be vulnerable. Earlier versions may also be affected. Apple Safari is a web browser bundled with the Apple operating system. There is an issue in Safari's handling of the automatic opening of downloaded files. Safari's default configuration allows a downloaded file to be opened automatically when it is considered a "safe" file. Because of this default configuration, and because Safari and OS X do not agree on which files are safe, Safari may execute arbitrary shell commands if a specially crafted page is viewed.
TITLE: Mac OS X KHTMLParser Denial of Service Weakness
SECUNIA ADVISORY ID: SA18220
VERIFY ADVISORY: http://secunia.com/advisories/18220/
CRITICAL: Not critical
IMPACT: DoS
WHERE: From remote
OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/
DESCRIPTION: Tom Ferris has discovered a weakness in Mac OS X, which can be exploited by malicious people to cause a DoS (Denial of Service). The weakness is caused due to an error in the KHTMLParser when parsing certain malformed HTML documents. This can be exploited to crash an application that uses the parser via a specially crafted HTML file. In certain cases, this may cause the system to become unresponsive. Other applications that use the parser may also be affected.
SOLUTION: Do not open or follow links to HTML files from non-trusted sources.
PROVIDED AND/OR DISCOVERED BY: Tom Ferris
ORIGINAL ADVISORY: http://security-protocols.com/advisory/sp-x22-advisory.txt
VAR-200512-0793 CVE-2005-4511 TN3270 Resource Gateway Format string vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Format string vulnerability in TN3270 Resource Gateway 1.1.0 allows local users to cause a denial of service and possibly execute arbitrary code via format string specifiers in syslog function calls. TN3270 Resource Gateway is prone to a denial-of-service vulnerability. An attacker can exploit this issue to crash the affected application, resulting in a denial-of-service condition. This may be exploited to crash the service and may allow arbitrary code execution. Successful exploitation requires that a local user is able to input specially crafted resource strings into the database and, e.g., trick another user into running the affected software. The vulnerability has been reported in version 1.1.0. Prior versions may also be affected.
SOLUTION: Update to version 1.1.1.
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: http://sourceforge.net/project/shownotes.php?release_id=379592
VAR-200512-0744 CVE-2005-4499 Cisco Product IP ACL Vulnerabilities that bypass authentication in functions CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The Downloadable RADIUS ACLs feature in Cisco PIX and VPN 3000 concentrators, when creating an ACL on the Cisco Secure Access Control Server (CS ACS), generates a random internal name for an ACL that is also used as a hidden user name and password, which allows remote attackers to gain privileges by sniffing the username from the cleartext portion of a RADIUS session, then using the password to log in to another device that uses CS ACS. Multiple Cisco products implementing the IP ACL function use the name of the ACL being downloaded as the user name and password (the password is the same as the user name) for RAS/NAS authentication, so if the ACL name is known, authentication can be passed illegitimately using that name. This may allow unauthorized access to the network. Cisco PIX and VPN 3000 concentrators, when managed by Cisco Secure Access Control Servers, are vulnerable to an information disclosure vulnerability. This issue is due to a design flaw that communicates sensitive information over an unencrypted communications channel. This issue allows remote attackers to gain access to sensitive information if they can sniff network packets traveling between affected devices and the RADIUS server. This information potentially aids them in further attacks. Specific Cisco versions and products affected by this issue are not currently known. The list of affected packages will be updated as further information is disclosed. Cisco PIX is a very popular network firewall, while CS ACS is a network device that provides authentication, authorization, and accounting services. Cisco PIX has a flaw in its network management communication, and attackers may use this flaw to gain unauthorized access to the device. When the ACL is created, CS ACS also creates an internal hidden user named #ACSACL#-IP-uacl-43a97a9d with the password #ACSACL#-IP-uacl-43a97a9d (!). This user is not visible in the CS ACS GUI.
The protocol used by the PIX to download the ACL proceeds as follows:
0) The user accesses the Internet through the PIX with HTTP(S); the PIX requests a user name and password, and the user enters them in the dialog box.
1) The PIX sends a RADIUS access request to CS ACS to authenticate the user (the user password is encrypted by RADIUS).
2) The RADIUS server authenticates the user and sends back the cisco-av-pair vendor-specific attribute (VSA) with the value ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-uacl-43a97a9d.
3) The PIX sends a RADIUS access request again, this time to authenticate the user #ACSACL#-IP-uacl-43a97a9d.
4) The RADIUS server authenticates that user and sends back the ACL body in another cisco-av-pair VSA attribute (ip:inacl#1=...).
This means that anyone who can observe the network can see the plaintext #ACSACL#-IP-uacl-43a97a9d user name sent from the CS ACS server to the PIX by the RADIUS protocol, and the user's password is the same as the user name. If a network device is configured to use the same CS ACS server for login authentication, the sniffed user name can be used to log in to that network device. The vulnerability is caused due to a design error in the Downloadable IP ACL (Access Control List) feature. This can be exploited by malicious people who know the name of a Downloadable IP ACL configured on the ACS server to authenticate to the RAS/NAS (Remote Access Server/Network Access Server) by using the name of that ACL as their user name. Successful exploitation requires that the attacker knows the name of the Downloadable IP ACL, e.g. by sniffing network traffic between the RAS/NAS and the ACS server.
SOLUTION: The vulnerability has been fixed in the following versions.
* Cisco Secure ACS Version 4.0.1
* PIX version 6.3(5)
* PIX/ASA 7.0(2)
* Cisco IOS Software Version 12.3(8)T4
* VPN 3000 versions 4.0.5.B and 4.1.5.B
Cisco FWSM: Refer to the vendor's original advisory for workaround instructions.
PROVIDED AND/OR DISCOVERED BY: ovt
ORIGINAL ADVISORY: Cisco: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00805bf1c4.shtml
VAR-200512-0696 CVE-2005-4464 Ingate Firewall and SIParator Remote Kernel Deadlock Denial Of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Ingate Firewall before 4.3.4 and SIParator before 4.3.4 allow remote attackers to cause a denial of service (kernel deadlock) by sending a SYN packet for a TCP stream, which requires an RST packet in response. Ingate Firewall and SIParator products are susceptible to a remote denial of service vulnerability.
TITLE: Ingate Firewall and SIParator Denial of Service Vulnerability
SECUNIA ADVISORY ID: SA18138
VERIFY ADVISORY: http://secunia.com/advisories/18138/
CRITICAL: Moderately critical
IMPACT: DoS
WHERE: From remote
OPERATING SYSTEM:
Ingate SIParator 4.x http://secunia.com/product/5687/
Ingate Firewall 4.x http://secunia.com/product/4050/
DESCRIPTION: A vulnerability has been reported in Ingate Firewall and SIParator, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the kernel when handling certain TCP packets in a media stream.
SOLUTION: Update to version 4.3.4. http://www.ingate.com/upgrades.php
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: http://www.ingate.com/relnote-434.php
VAR-200512-0082 CVE-2005-4440 Cisco IOS of 802.1q VLAN In the protocol Traffic spoofing and segment avoidance vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: Medium
The 802.1q VLAN protocol allows remote attackers to bypass network segmentation and spoof VLAN traffic via a message with two 802.1q tags, which causes the second tag to be redirected from a downstream switch after the first tag has been stripped, as demonstrated by Yersinia, aka "double-tagging VLAN jumping attack." ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the content other than the title covers all of them. ------------ A VLAN (Virtual LAN) is a function that sets up virtual groups on a LAN independently of the physical connection topology; a LAN switch groups terminals by MAC address, IP address, protocol used, and so on. A PVLAN (Private VLAN) is a function that combines more than one VLAN into a single subnet. The IEEE-standardized VLAN standard 802.1q is implemented in Cisco IOS, on Cisco Catalyst switches, and on many other switching devices. With 802.1q, a VLAN identification ID (tag) carried on the frames flowing through the network indicates which VLAN a frame belongs to, so VLANs can be configured across multiple switches. The VLAN/PVLAN implementation in Cisco IOS has the following security issues, which allow communication with hosts on different isolated segments: 1) When a deliberately crafted packet containing two IEEE 802.1q tags is sent, packets can reach hosts on segments separated by VLAN. 2) When a packet whose destination MAC address has been changed to that of the gateway router is sent, packets can reach hosts on segments separated by PVLAN. In addition, by spoofing in the packets that exploit these issues the IP address of a host that can communicate with the target host (a host controlled by the attacker), it is possible to control the destination of response packets from the target host.
As a result, a remote attacker may gain access to a target host that is otherwise inaccessible and attempt further attacks. Please refer to the "Overview" for the impact of this vulnerability. The VLAN protocol is prone to a security-bypass vulnerability.
VAR-200512-0083 CVE-2005-4441 Cisco IOS of PVLAN In the protocol Traffic spoofing and segment avoidance vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: Medium
The PVLAN protocol allows remote attackers to bypass network segmentation and spoof PVLAN traffic via a PVLAN message with a target MAC address that is set to a gateway router, which causes the packet to be sent to the router, where the source MAC is modified, aka "Modification of the MAC spoofing PVLAN jumping attack," as demonstrated by pvlan.c. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the content other than the title covers all of them. ------------ A VLAN (Virtual LAN) is a function that sets up virtual groups on a LAN independently of the physical connection topology; a LAN switch groups terminals by MAC address, IP address, protocol used, and so on. A PVLAN (Private VLAN) is a function that combines more than one VLAN into a single subnet. The IEEE-standardized VLAN standard 802.1q is implemented in Cisco IOS, on Cisco Catalyst switches, and on many other switching devices. With 802.1q, a VLAN identification ID (tag) carried on the frames flowing through the network indicates which VLAN a frame belongs to, so VLANs can be configured across multiple switches. The VLAN/PVLAN implementation in Cisco IOS has the following security issues, which allow communication with hosts on different isolated segments: 1) When a deliberately crafted packet containing two IEEE 802.1q tags is sent, packets can reach hosts on segments separated by VLAN. In addition, by spoofing in the packets that exploit these issues the IP address of a host that can communicate with the target host (a host controlled by the attacker), it is possible to control the destination of response packets from the target host. As a result, a remote attacker may gain access to a target host that is otherwise inaccessible and attempt further attacks. Please refer to the "Overview" for the impact of this vulnerability. The PVLAN protocol is prone to a security-bypass vulnerability.
VAR-200512-0059 CVE-2005-4417 Widcomm Bluetooth for Windows Remote attack vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The default configuration of Widcomm Bluetooth for Windows (BTW) 4.0.1.1500 and earlier, as installed on Belkin Bluetooth Software 1.4.2 Build 10 and ANYCOM Blue USB-130-250 Software 4.0.1.1500, and possibly other devices, sets null Authentication and Authorization values, which allows remote attackers to send arbitrary audio and possibly eavesdrop using the microphone via the Hands Free Audio Gateway and Headset profile. Blue Usb-130-250 Software is prone to a remote security vulnerability
VAR-200512-0078 CVE-2005-4436 Cisco IOS of EIGRP Service disruption in (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Extended Interior Gateway Routing Protocol (EIGRP) 1.2, as implemented in Cisco IOS after 12.3(2), 12.3(3)B, and 12.3(2)T and other products, allows remote attackers to cause a denial of service by sending a "spoofed neighbor announcement" with (1) mismatched k values or (2) a "goodbye message" Type-Length-Value (TLV). ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the content other than the title covers all of them. ------------ The EIGRP implementation in Cisco IOS has several problems: 1) The Goodbye Message, by which adjacent devices are notified when the routing process ends, is handled improperly. If a remote attacker sends a deliberately crafted Goodbye Message, adjacency with the device may be lost. 2) The verification method for authenticated EIGRP packets is flawed: EIGRP packets containing an MD5 hash value can be eavesdropped on and their hash values reused. If a remote attacker sends an EIGRP HELLO packet to the target device, the response from the target device may disclose information about the EIGRP domain. Also, as with the problem in BID 6443, network bandwidth can be exhausted with ARP requests, eventually resulting in an unusable network. Please refer to the "Overview" for the impact of this vulnerability. This issue allows attackers to gain access to potentially sensitive network information in EIGRP UPDATE reply packets, or to cause a denial of service condition by flooding routers with HELLO packets. By utilizing replayed HELLO packets with MD5 enabled, attackers may cause a more severe denial of service condition. The Cisco EIGRP protocol is susceptible to a remote denial of service vulnerability. This issue is possible when MD5 neighbor authentication is not in use. This issue allows attackers to cause routing relationships to be torn down, forcing them to be reestablished.
The routing link will be unavailable during the time that the link is torn down, until it is reestablished. By repeating the attack, a sustained denial of network service is possible. This issue is being tracked by Cisco Bug ID CSCsc13698. Internet Operating System (IOS) is an operating system used on Cisco routers. There is a flaw in the EIGRP implementation of IOS, and attackers may use it to carry out denial-of-service attacks on routers. Attackers outside the perimeter can inject forged packets into the network that receiving hosts will accept as genuine. Successful exploitation of this vulnerability could lead to the teardown and re-establishment of routing neighbor relationships, and repeated attacks could lead to a persistent denial of service.
VAR-200512-0171 CVE-2005-4391 Retired: Mindroute Lemoon/Damoon Search Module Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in damoon allows remote attackers to inject arbitrary web script or HTML via unspecified search parameters, possibly the q parameter. lemoon and damoon are prone to a cross-site scripting vulnerability. This issue is due to a failure in the applications to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. Further information from the vendor states this issue does not affect lemoon or damoon directly, or sites utilizing the core elements of the software. This BID is being retired.
TITLE: damoon "q" Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID: SA18118
VERIFY ADVISORY: http://secunia.com/advisories/18118/
CRITICAL: Less critical
IMPACT: Cross Site Scripting
WHERE: From remote
SOFTWARE: damoon http://secunia.com/product/6563/
DESCRIPTION: r0t has reported a vulnerability in damoon, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "q" parameter when performing a search isn't properly sanitised before being returned to the user.
SOLUTION: Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY: r0t
ORIGINAL ADVISORY: http://pridels.blogspot.com/2005/12/damoon-xss-vuln.html
VAR-200512-0178 CVE-2005-4398 Lemoon/Damoon Search Module Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
NOTE: the vendor has disputed this issue. Cross-site scripting (XSS) vulnerability in lemoon 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified search parameters, possibly the q parameter. NOTE: the vendor has disputed this issue, saying "Sites are built on top of ASP.NET and you use lemoon core objects to easily manage and render content. The XSS vuln. you are referring to exists in one of our public sites built on lemoon i.e. a custom made site (as all sites are). The problem exists in a UserControl that handles form input and is in no way related to the lemoon core product." lemoon and damoon are prone to a cross-site scripting vulnerability. This issue is due to a failure in the applications to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. This BID is being retired.
TITLE: lemoon "q" Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID: SA18119
VERIFY ADVISORY: http://secunia.com/advisories/18119/
CRITICAL: Less critical
IMPACT: Cross Site Scripting
WHERE: From remote
SOFTWARE: lemoon 2.x http://secunia.com/product/6564/
DESCRIPTION: r0t has reported a vulnerability in lemoon, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "q" parameter when performing a search isn't properly sanitised before being returned to the user. The vulnerability has been reported in version 2.0 and prior. Other versions may also be affected.
SOLUTION: Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY: r0t
ORIGINAL ADVISORY: http://pridels.blogspot.com/2005/12/lemoon-xss-vuln.html
VAR-200512-0079 CVE-2005-4437 Cisco EIGRP Protocol HELLO Packet Replay Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
MD5 Neighbor Authentication in Extended Interior Gateway Routing Protocol (EIGRP) 1.2, as implemented in Cisco IOS 11.3 and later, does not include the Message Authentication Code (MAC) in the checksum, which allows remote attackers to sniff message hashes and (1) replay EIGRP HELLO messages or (2) cause a denial of service by sending a large number of spoofed EIGRP neighbor announcements, which results in an ARP storm on the local network. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the content other than the title covers all of them. ------------ Cisco IOS implements EIGRP (Enhanced Interior Gateway Routing Protocol), a Cisco proprietary extended distance-vector protocol, as a routing protocol. The EIGRP implementation in Cisco IOS has several problems: 1) The Goodbye Message, by which adjacent devices are notified when the routing process ends, is handled improperly. If a remote attacker sends a deliberately crafted Goodbye Message, adjacency with the device may be lost. 2) The verification method for authenticated EIGRP packets is flawed: EIGRP packets containing an MD5 hash value can be eavesdropped on and their hash values reused. If a remote attacker sends an EIGRP HELLO packet to the target device, the response from the target device may disclose information about the EIGRP domain. Also, as with the problem in BID 6443, network bandwidth can be exhausted with ARP requests, eventually resulting in an unusable network. Please refer to the "Overview" for the impact of this vulnerability. This issue allows attackers to gain access to potentially sensitive network information in EIGRP UPDATE reply packets, or to cause a denial of service condition by flooding routers with HELLO packets. By utilizing replayed HELLO packets with MD5 enabled, attackers may cause a more severe denial of service condition.
The Cisco EIGRP protocol is susceptible to a remote denial of service vulnerability. This issue is possible when MD5 neighbor authentication is not in use. This issue allows attackers to cause routing relationships to be torn down, forcing them to be reestablished. The routing link will be unavailable during the time that the link is torn down, until it is reestablished. By repeating the attack, a sustained denial of network service is possible. This issue is being tracked by Cisco Bug ID CSCsc13698.
VAR-200512-1034 CVE-2005-4360 Microsoft IIS Illegal in HTTP Service disruption due to request processing (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The URL parser in Microsoft Internet Information Services (IIS) 5.1 on Windows XP Professional SP2 allows remote attackers to execute arbitrary code via multiple requests to ".dll" followed by arguments such as "~0" through "~9", which causes ntdll.dll to produce a return value that is not correctly handled by IIS, as demonstrated using "/_vti_bin/.dll/*/~0". NOTE: the consequence was originally believed to be only a denial of service (application crash and reboot). If execute access of [Scripts and executables] is enabled for a specific directory under a Microsoft IIS virtual directory, IIS contains a vulnerability that crashes inetinfo.exe because of deficiencies in handling HTTP requests (URLs). As a result, web applications using ASP and CGI on Microsoft IIS may be put into a denial of service (DoS) state. Microsoft IIS is prone to a remote code-execution vulnerability because the application fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the vulnerable application, which may lead to the complete compromise of affected computers. This issue affects Microsoft IIS 5.1 running on Windows XP SP2. Note: this issue was previously reported as a denial-of-service vulnerability. New information from the vendor states that code execution is possible.
National Cyber Alert System Technical Cyber Security Alert TA07-191A Microsoft Updates for Multiple Vulnerabilities Original release date: July 10, 2007 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Excel * Microsoft Publisher * Microsoft .NET Framework * Microsoft Internet Information Services (IIS) * Microsoft Windows Vista Firewall Overview Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, Excel, Publisher, .NET Framework, Internet Information Services, and Windows Vista Firewall. I. Description Microsoft has released updates to address vulnerabilities that affect Microsoft Windows, Excel, Publisher, .NET Framework, Internet Information Services, and Windows Vista Firewall as part of the Microsoft Security Bulletin Summary for July 2007. Further information about the vulnerabilities addressed by these updates is available in the Vulnerability Notes Database. II. An attacker may also be able to cause a denial of service. III. Solution Apply updates from Microsoft. Microsoft has provided updates for these vulnerabilities in the July 2007 Security Bulletins. The Security Bulletins describe any known issues related to the updates. Administrators are encouraged to note any known issues that are described in the Bulletins and test for any potentially adverse effects. System administrators may wish to consider using an automated patch distribution system such as Windows Server Update Services (WSUS). IV. References * US-CERT Vulnerability Notes for Microsoft July 2007 updates - <http://www.kb.cert.org/vuls/byid?searchview&query=ms07-jul> * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/> * Microsoft Security Bulletin Summary for July 2007 - <http://www.microsoft.com/technet/security/bulletin/ms07-jul.mspx> * Microsoft Update - <https://update.microsoft.com/microsoftupdate/> * Microsoft Office Update - <http://officeupdate.microsoft.com/> * Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx> The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA07-191A.html> Feedback can be directed to US-CERT Technical Staff at <cert@cert.org> with "TA07-191A Feedback VU#487905" in the subject. Produced 2007 by US-CERT, a government organization. Revision History July 10, 2007: Initial release. 
The vulnerability is caused due to an error in the handling of certain malformed URLs. Example: http://[host]/[dir]/.dll/%01~0 Successful exploitation requires that "[dir]" is a virtual directory configured with "Scripts & Executables" execute permission. Note: IIS will automatically restart after the crash. SOLUTION: Filter potentially malicious characters or character sequences with an HTTP proxy. IIS 5.0 and 6.0 are reportedly not affected. PROVIDED AND/OR DISCOVERED BY: Inge Henriksen ORIGINAL ADVISORY: http://ingehenriksen.blogspot.com/2005/12/microsoft-iis-remote-dos-dll-url.html
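The only workaround offered above is to filter the request pattern at an HTTP proxy. The following is an added example of such a filter, written for this page and not part of the Secunia or Henriksen advisories: it normalises the request target (query stripped, repeated percent-decoding, backslash folding) and then matches the shape given in both write-ups, a path segment that is exactly ".dll" followed by a segment ending in "~<digit>". The access-log lines are constructed sample input; the client addresses are from a documentation range.

```python
import re
from urllib.parse import unquote

# A path segment that is exactly ".dll", then zero or more segments, then a segment
# ending in "~<digit>": the request shape in the advisories
# ("/_vti_bin/.dll/*/~0" and "/[dir]/.dll/%01~0").
DLL_TILDE = re.compile(r"/\.dll/(?:[^/]*/)*[^/]*~[0-9](?:/|$)", re.IGNORECASE)


def normalize_path(raw_target):
    """Strip the query string, percent-decode until stable (defeats double encoding),
    fold backslashes to forward slashes and collapse repeated slashes."""
    path = raw_target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/+", "/", path.replace("\\", "/"))


def is_dll_tilde_request(raw_target):
    """True when the request target matches the crash pattern after normalisation."""
    return DLL_TILDE.search(normalize_path(raw_target)) is not None


def filter_log(lines):
    """Run the check over constructed access-log-style lines of the form
    '<client> "<METHOD> <target> HTTP/1.x"' and return the targets that would be blocked."""
    blocked = []
    for line in lines:
        m = re.search(r'"[A-Z]+ (\S+) HTTP/', line)
        if m and is_dll_tilde_request(m.group(1)):
            blocked.append(m.group(1))
    return blocked


# Constructed sample log (not a real capture): three variants of the pattern,
# including upper case and double encoding, plus two benign requests.
SAMPLE_LOG = [
    '192.0.2.7 "GET /_vti_bin/.dll/*/~0 HTTP/1.0"',
    '192.0.2.7 "GET /scripts/.dll/%01~3 HTTP/1.1"',
    '192.0.2.7 "GET /scripts/.DLL/%2501~9 HTTP/1.1"',
    '192.0.2.8 "GET /scripts/foo.dll?x=~0 HTTP/1.1"',
    '192.0.2.8 "GET /images/logo.png HTTP/1.1"',
]

if __name__ == "__main__":
    for target in filter_log(SAMPLE_LOG):
        print("blocked:", target)
```

The filter cannot tell from the URL alone whether "[dir]" has script execution enabled, so it blocks the pattern for every directory; that is the right trade-off for a proxy in front of an unpatched IIS 5.1 host, since "/.dll/" is not a segment a legitimate request uses.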
VAR-200512-0144 CVE-2005-4332 Cisco Clean Access Multiple JSP Page access validation vulnerability CVSS V2: 9.4
CVSS V3: -
Severity: HIGH
Cisco Clean Access 3.5.5 and earlier on the Secure Smart Manager allows remote attackers to bypass authentication and cause a denial of service or upload files via direct requests to obsolete JSP files including (1) admin/uploadclient.jsp, (2) apply_firmware_action.jsp, and (3) file.jsp. Cisco Clean Access is prone to a vulnerability that could allow unauthorized users to access various Web server JSP pages. This could allow an attacker to upload unauthorized data, cause denial of service issues, and possibly take unauthorized actions through accessing inappropriate JSP pages. Cisco Clean Access version 3.5.5 is reported vulnerable; prior versions may also be affected. Cisco has stated that this issue is being tracked by bug ID CSCsc85405. Similar issues exist in apply_firmware_action.jsp and file.jsp. The vulnerability is caused due to missing authentication on several obsolete JSP files (e.g. "/admin/uploadclient.jsp", "apply_firmware_action.jsp" and "file.jsp") that are present on the Secure Smart Manager. This can be exploited to upload files onto the affected system without authentication, potentially causing a DoS by filling up the disk space. The vulnerability has been reported in 3.5.5. Other versions may also be affected. SOLUTION: Apply patch. http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches?psrtdcat20e2 PROVIDED AND/OR DISCOVERED BY: Alex Lanstein ORIGINAL ADVISORY: CISCO: http://www.cisco.com/warp/public/707/cisco-response-20051221-CCA.shtml Alex Lanstein: http://www.awarenetwork.org/forum/viewtopic.php?p=2236
VAR-200512-0658 CVE-2005-3253 WEP Key Authentication Bypass Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Wireless Access Points (AP) for (1) Avaya AP-3 through AP-6 2.5 to 2.5.4, and AP-7/AP-8 2.5 and other versions before 3.1, and (2) Proxim AP-600 and AP-2000 before 2.5.5, and Proxim AP-700 and AP-4000 after 2.4.11 and before 3.1, use a static WEP key of "12345", which allows remote attackers to bypass authentication. Avaya and Proxim wireless access points are widely deployed wireless access devices. The problem is caused by the presence of a static WEP key set to "12345" (a five-character ASCII key, i.e. a 40-bit WEP key, that is identical on every affected unit). This can be exploited to bypass the 802.1x authentication process. Successful exploitation allows access to network resources. The security issue affects the following products: * Avaya Wireless Access Points AP-3, AP-4, AP-5, and AP-6 (All versions after 2.5 to 2.5.4) * Avaya Wireless Access Points AP-7 and AP-8 (All versions after 2.5 and prior to 3.1) SOLUTION: Avaya Wireless AP-3: Apply Software Update 2.5.5 for AP3. http://support.avaya.com/japple/css/japple?temp.documentID=280939&temp.productID=107770&temp.bucketID=108025&PAGE=Document Avaya Wireless AP-4, 5, and 6: Apply Software Update 2.5.5 for AP4, 5, and 6. http://support.avaya.com/japple/css/japple?temp.documentID=280948&temp.productID=107770&temp.bucketID=108025&PAGE=Document Avaya Wireless AP-7: Apply Software Update 3.1 for AP7. http://support.avaya.com/japple/css/japple?temp.documentID=280946&temp.productID=107770&temp.bucketID=108025&PAGE=Document Avaya Wireless AP-8: Apply Software Update 2.5.5 for AP4, 5, and 6. http://support.avaya.com/japple/css/japple?temp.documentID=280948&temp.productID=107770&temp.bucketID=108025&PAGE=Document (Note: the advisory text repeats the AP-4/5/6 update and link for AP-8, while the affected-version list above places AP-8 in the "prior to 3.1" range; confirm the correct AP-8 update against the Avaya advisory before applying.) PROVIDED AND/OR DISCOVERED BY: Urmas Kahar and Tarmo Kaljumae ORIGINAL ADVISORY: http://support.avaya.com/elmodocs2/security/ASA-2005-233.pdf
VAR-200512-0087 CVE-2005-4275 Scientific Atlanta DPX2100 Cable Modem LanD Packet Denial Of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Scientific Atlanta DPX2100 Cable Modem allows remote attackers to cause a denial of service (device crash) via an IP packet with the same source and destination IPs and ports, and with the SYN flag set (aka LanD), as demonstrated using hping2. NOTE: the provenance of this issue is unknown; the details are obtained solely from third party information. Scientific Atlanta DPX2100 cable modems are prone to a remote denial of service vulnerability when handling TCP 'LanD' packets (SYN segments whose source and destination address and port are identical). This issue allows remote attackers to crash affected devices, or to temporarily block further network routing functionality, denying network service to legitimate users. Scientific Atlanta DPX2100 cable modems are reportedly affected by this issue. Due to code reuse among devices, other devices may also be affected.
VAR-200512-0266 CVE-2005-4257 Various Linksys Router LanD Packet denial of service vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Linksys WRT54GS and BEFW11S4 allows remote attackers to cause a denial of service (device crash) via an IP packet with the same source and destination IPs and ports, and with the SYN flag set (aka LAND). NOTE: the provenance of this issue is unknown; the details are obtained solely from the BID. Multiple Linksys devices are prone to a remote denial of service vulnerability when handling TCP 'LanD' packets. This issue allows remote attackers to crash affected devices, or to temporarily block further network routing functionality, denying network service to legitimate users. Linksys BEFW11S4 and WRT54GS devices are reportedly affected by this issue. Due to code reuse among devices, other devices may also be affected.
VAR-200512-0215 CVE-2005-4258 Cisco Catalyst Switches LanD Packet denial of service vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified Cisco Catalyst Switches allow remote attackers to cause a denial of service (device crash) via an IP packet with the same source and destination IPs and ports, and with the SYN flag set (aka LanD). NOTE: the provenance of this issue is unknown; the details are obtained solely from the BID. Multiple unspecified Cisco Catalyst switches are prone to a remote denial of service vulnerability when handling TCP 'LanD' packets. This issue allows remote attackers to crash affected devices, or to temporarily block further network routing functionality, denying network service to legitimate users. As no specific Cisco devices were identified by the reporter of this issue, all Cisco Catalyst devices have been marked as vulnerable. This BID will be updated as further information on affected packages is available.
VAR-200512-0217 CVE-2005-4260 PHPNuke Content Filtering Bypass Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Interpretation conflict in includes/mainfile.php in PHP-Nuke 7.9 and later allows remote attackers to perform cross-site scripting (XSS) attacks by replacing the ">" in the tag with a "<", which bypasses the regular expressions that sanitize the data, but is automatically corrected by many web browsers. NOTE: it could be argued that this vulnerability is due to a design limitation of many web browsers; if so, then this should not be treated as a vulnerability in PHP-Nuke. PHPNuke is prone to a content filtering bypass vulnerability. This issue can allow an attacker to bypass content filters and potentially carry out cross-site scripting, HTML injection and other attacks. PHPNuke 7.9 and prior versions are reported to be vulnerable (the CVE description above gives the range as 7.9 and later; the affected range is not consistently reported).
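The bypass works because a filter that looks for complete tags never sees a tag whose closing ">" has been replaced by "<", while the browser repairs the markup and runs it anyway. The block below is an added example written for this page; it does not reproduce the PHP-Nuke regular expressions, and a generic tag-stripping regex stands in for them. It shows the naive filter passing the malformed payload untouched, the hardened approach (escape every markup character instead of recognising tags) neutralising it, and an audit check that flags unclosed tags. The payloads are constructed, with "x" as a placeholder image source.

```python
import html
import re

# Stand-in for a tag-stripping filter: remove anything shaped like a complete tag.
# It cannot match a tag whose closing ">" has been swapped for "<".
COMPLETE_TAG = re.compile(r"<[^<>]*>")


def naive_strip_tags(text):
    """Vulnerable: only well-formed tags are removed."""
    return COMPLETE_TAG.sub("", text)


def hardened_escape(text):
    """Treat user input as text, never as markup: escape every '<', '>', '&' and quote.
    Browsers then render the characters literally and have nothing to error-correct."""
    return html.escape(text, quote=True)


def contains_unclosed_tag(text):
    """Audit helper: a '<' followed by a tag-start character, with no '>' before the
    next '<' or the end of input. Catches the malformed variant the entry describes."""
    return re.search(r"<[A-Za-z/!][^>]*(?=<|$)", text) is not None


# Constructed payloads (not from the advisory): the same event handler, well formed
# and with the closing ">" replaced by "<".
WELL_FORMED = '<img src=x onerror=alert(1)>'
MALFORMED = '<img src=x onerror=alert(1)<'

if __name__ == "__main__":
    for label, payload in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(label)
        print("  naive  :", repr(naive_strip_tags(payload)))
        print("  escaped:", repr(hardened_escape(payload)))
        print("  unclosed tag present:", contains_unclosed_tag(payload))
```

Escaping rather than stripping sidesteps the "interpretation conflict" entirely: the output contains no "<" for any browser to repair, so the question of whose bug the error-correction is no longer matters for the application.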
VAR-200512-0229 CVE-2005-4220 NetGear RP114 SYN Flood Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Netgear RP114, and possibly other versions and devices, allows remote attackers to cause a denial of service via a SYN flood attack between one system on the internal interface and another on the external interface, which temporarily stops routing between the interfaces, as demonstrated using nmap. NetGear RP114 is a broadband access router that supports a variety of lines and access methods. The NetGear RP114 mishandles large volumes of malicious network traffic, causing the device to stop routing between its interfaces for a time. The NetGear RP114 device is prone to a denial of service vulnerability. This issue allows attackers to block network traffic to arbitrarily targeted network services, effectively denying service to legitimate users of the device.
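The three LanD entries above (Scientific Atlanta DPX2100, Linksys WRT54GS/BEFW11S4, Cisco Catalyst) and this RP114 SYN-flood entry describe traffic that a border device can recognise from the IP and TCP headers alone. The block below is an added example written for this page, not code from any of the vendors or from the BID reports: a minimal IPv4/TCP header parser, a LanD check (SYN set, source address equal to destination address, source port equal to destination port), and a sliding-window counter that flags an internal-to-external (source, destination) pair sending too many SYN-only segments. The packets are constructed in the block with zero checksums, using documentation address ranges; the window and threshold values are assumptions to tune per site.

```python
import struct
from collections import defaultdict

TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags):
    """Build a bare IPv4+TCP segment (20-byte headers, no options, no payload).
    Checksums are left at zero: this is constructed sample input for the detectors
    below, not something to put on a wire."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Return addresses, ports and TCP flags of an IPv4/TCP packet, or None otherwise."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # IP protocol 6 is TCP
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": pkt[ihl + 13],                # flags byte of the TCP header
    }


def is_land(pkt):
    """LanD: SYN set, source address == destination address, source port == destination port."""
    p = parse_ipv4_tcp(pkt)
    return bool(p) and p["src"] == p["dst"] and p["sport"] == p["dport"] \
        and bool(p["flags"] & TCP_SYN)


def syn_flood_pairs(stream, window, threshold):
    """stream: iterable of (timestamp_seconds, packet_bytes) in arrival order.
    Flags (src, dst) pairs that sent more than `threshold` SYN-only segments
    (SYN set, ACK clear) inside any sliding window of `window` seconds."""
    recent = defaultdict(list)
    flagged = set()
    for ts, pkt in stream:
        p = parse_ipv4_tcp(pkt)
        if p is None or (p["flags"] & (TCP_SYN | TCP_ACK)) != TCP_SYN:
            continue
        key = (p["src"], p["dst"])
        times = recent[key]
        times.append(ts)
        while times and ts - times[0] > window:   # expire timestamps outside the window
            times.pop(0)
        if len(times) > threshold:
            flagged.add(key)
    return flagged


# Constructed sample traffic using RFC 5737 documentation addresses.
LAND_PACKET = build_ipv4_tcp("192.0.2.1", "192.0.2.1", 80, 80, TCP_SYN)
NORMAL_SYN = build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80, TCP_SYN)


def sample_stream():
    """One benign handshake start plus a burst of 50 SYNs in one second from an
    internal host to an external one, the pattern the RP114 entry describes."""
    stream = [(0.0, NORMAL_SYN),
              (0.1, build_ipv4_tcp("198.51.100.5", "192.0.2.10", 80, 40000, TCP_SYN | TCP_ACK))]
    for i in range(50):
        stream.append((1.0 + i * 0.02,
                       build_ipv4_tcp("192.0.2.20", "198.51.100.9", 1024 + i, 80, TCP_SYN)))
    return stream


if __name__ == "__main__":
    print("LanD:", is_land(LAND_PACKET), is_land(NORMAL_SYN))
    print("SYN flood pairs:", syn_flood_pairs(sample_stream(), window=2.0, threshold=20))
```

A LanD packet is invalid on its face and can be dropped unconditionally at the edge; the SYN-rate check is a heuristic, so its threshold should sit above the legitimate connection rate of the pair being watched, and the routing outage the entries describe starts on the device before any counter trips, which is why the upstream filter rather than the affected router has to do the dropping.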