VARIoT IoT vulnerabilities database
VAR-200511-0348 | CVE-2005-3481 | Cisco IOS heap integrity checks are insufficient |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Cisco IOS 12.0 to 12.4 might allow remote attackers to execute arbitrary code via a heap-based buffer overflow in system timers. NOTE: this issue does not correspond to a specific vulnerability, rather a general weakness that only increases the feasibility of exploitation of any vulnerabilities that might exist. Such design-level weaknesses normally are not included in CVE, so perhaps this issue should be REJECTed. Cisco IOS includes a heap integrity check, a function that verifies the consistency of heap memory contents in the event of a heap overflow; a vulnerability exists that could allow this heap integrity check to be bypassed and arbitrary code to be executed. Cisco also provides a Japanese translation of the information, but recommends consulting the English version of the advisory for the latest information. Cisco IOS is vulnerable to a heap overflow vulnerability, which could lead to the execution of arbitrary code on the router. Cisco IOS is prone to heap-based buffer-overflow issues. Cisco has released an advisory stating that IOS upgrades are available to address the possibility of exploits of heap-based buffer-overflow vulnerabilities. It is not known at this time if the advisory addresses a specific heap overflow or just provides security enhancements to mitigate attempts to exploit heap-overflow vulnerabilities. In many cases, the overflow will only corrupt system memory and trigger a system reload if detected by the "Check Heaps" process that has been monitoring memory corruption.
The vulnerability has been reported to affect all Cisco products that
run Cisco IOS Software.
Note: The vendor has reported that the vulnerability was fixed as a
result of continued research related to the demonstration of an
exploit for the IPv6 vulnerability.
For more information:
SA16272
SOLUTION:
Fixes are available for IOS 12.0, 12.1, 12.2, 12.3 and 12.4 (see
patch matrix in vendor advisory).
http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml#software
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml
OTHER REFERENCES:
SA16272:
http://secunia.com/advisories/16272/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200511-0475 | CVE-2005-3468 | F-Secure Web Console Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in F-Secure Anti-Virus for Microsoft Exchange 6.40 and Internet Gatekeeper 6.40 to 6.42 allows limited remote attackers to bypass Web Console authentication and read files. The remote threat only arises if the application has been configured to accept connections from elsewhere. The default configuration only poses a local threat. This can be exploited to read arbitrary files on the
server via directory traversal attacks.
Successful exploitation requires that the attacker is able to connect
to the Web Console via an allowed host.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Mikko Korppi.
ORIGINAL ADVISORY:
http://www.f-secure.com/security/fsc-2005-2.shtml
ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse640-01_readme.txt
ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk642-01_readme.txt
VAR-200511-0479 | CVE-2005-3472 | Sun Java System Communications Express Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Sun Java System Communications Express 2005Q1 and 2004Q2 allows local and remote attackers to read sensitive information from configuration files.
A remote attacker may obtain application configuration files.
SOLUTION:
Apply patches.
-- SPARC Platform (Solaris 8, 9 and 10) --
Apply patch 118540-21 or later.
-- x86 Platform (Solaris 8, 9 and 10) --
Apply patch 118541-21 or later.
-- Linux Platform --
Apply patch 118542-21 or later.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101948-1
VAR-200511-0357 | CVE-2005-3490 | Asus VideoSecurity WEB Server Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in the web server in Asus Video Security 3.5.0.0 and earlier allows remote attackers to read arbitrary files via "../" or "..\" sequences in the URL. Asus VideoSecurity Online is prone to a directory traversal vulnerability. Exploitation could allow a remote attacker to obtain sensitive information that could be used to mount further attacks.
The Web server included with Asus VideoSecurity Online is not enabled by default.
This vulnerability is reported to affect Asus VideoSecurity Online 3.5.0 and earlier. VideoSecurity is a video surveillance application.
TITLE:
Asus VideoSecurity Online Two Vulnerabilities
SECUNIA ADVISORY ID:
SA17419
VERIFY ADVISORY:
http://secunia.com/advisories/17419/
CRITICAL:
Moderately critical
IMPACT:
Unknown, Exposure of sensitive information
WHERE:
From remote
SOFTWARE:
Asus VideoSecurity Online 3.x
http://secunia.com/product/6043/
DESCRIPTION:
Luigi Auriemma has reported two vulnerabilities in Asus VideoSecurity
Online, where one has an unknown impact, and the other can be
exploited by malicious people to disclose sensitive information.
1) A boundary error in the authorisation handling can be exploited to
cause a buffer overflow by sending a specially crafted request to the
web server.
2) An input validation error in the request handling can be exploited
to disclose the content of arbitrary files via directory traversal
attacks.
The vulnerabilities have been reported in version 3.5.0.0 and prior.
Other versions may also be affected.
SOLUTION:
Disable the built-in web server.
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/asusvsbugs-adv.txt
VAR-200511-0356 | CVE-2005-3489 | Asus Video Security Buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Asus Video Security 3.5.0.0 and earlier, when using authorization, allows remote attackers to execute arbitrary code via a long username/password string. Asus VideoSecurity Online is prone to a buffer overflow in the authentication mechanism of the included Web server. This issue only exists if authentication is enabled on the Web server.
The Web server included with Asus VideoSecurity Online is not enabled by default.
This vulnerability is reported to affect Asus VideoSecurity Online 3.5.0 and earlier. VideoSecurity is a video surveillance application.
TITLE:
Asus VideoSecurity Online Two Vulnerabilities
SECUNIA ADVISORY ID:
SA17419
VERIFY ADVISORY:
http://secunia.com/advisories/17419/
CRITICAL:
Moderately critical
IMPACT:
Unknown, Exposure of sensitive information
WHERE:
From remote
SOFTWARE:
Asus VideoSecurity Online 3.x
http://secunia.com/product/6043/
DESCRIPTION:
Luigi Auriemma has reported two vulnerabilities in Asus VideoSecurity
Online, where one has an unknown impact, and the other can be
exploited by malicious people to disclose sensitive information.
1) A boundary error in the authorisation handling can be exploited to
cause a buffer overflow by sending a specially crafted request to the
web server.
2) An input validation error in the request handling can be exploited
to disclose the content of arbitrary files via directory traversal
attacks.
The vulnerabilities have been reported in version 3.5.0.0 and prior.
Other versions may also be affected.
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/asusvsbugs-adv.txt
VAR-200511-0399 | CVE-2005-3427 | Cisco IPS MC Malformed Configuration Download Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The Cisco Management Center (MC) for IPS Sensors (IPS MC) 2.1 can omit port field values while generating the Cisco IOS IPS configuration file, which can cause some signatures to be disabled and makes it easier for attackers to escape detection. Cisco IDS/IPS solutions configured by Cisco IPS MC v2.1, Cisco IDS MC, Cisco SDM or the Cisco IOS CLI are vulnerable as well. This causes some
signatures belonging to certain classes to be incorrectly disabled,
potentially allowing malicious traffic to pass through.
SOLUTION:
Apply patches.
http://www.cisco.com/pcgi-bin/tablebuild.pl/mgmt-ctr-ids-app
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20051101-ipsmc.shtml
VAR-200511-0135 | CVE-2005-3400 | Fortinet Virus scanning bypass vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Multiple interpretation error in Fortinet 2.48.0.0 allows remote attackers to bypass virus scanning via a file such as BAT, HTML, and EML with an "MZ" magic byte sequence which is normally associated with EXE, which causes the file to be treated as a safe type that could still be executed as a dangerous file type by applications on the end system, as demonstrated by a "triple headed" program that contains EXE, EML, and HTML content, aka the "magic byte bug". Fortinet is prone to a security bypass vulnerability. TheHacker is an antivirus engine.
VAR-200510-0068 | CVE-2005-3304 | PHP-Nuke Multiple modules remote SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple SQL injection vulnerabilities in PHP-Nuke 7.8 allow remote attackers to modify SQL queries and execute arbitrary PHP code via (1) the username parameter in the Your Account page, (2) the url parameter in the Downloads module, and (3) the description parameter in the Web_Links module. PHPNuke is prone to multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation. PHP-Nuke is a popular website creation and management tool; it can use many database systems as a backend, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. Remote attackers can insert malicious SQL statement strings into the input data to operate on the database without authorization.
TITLE:
PHP-Nuke SQL Injection Vulnerabilities
SECUNIA ADVISORY ID:
SA17315
VERIFY ADVISORY:
http://secunia.com/advisories/17315/
CRITICAL:
Moderately critical
IMPACT:
Manipulation of data
WHERE:
From remote
SOFTWARE:
PHP-Nuke 7.x
http://secunia.com/product/2385/
DESCRIPTION:
rgod has discovered some vulnerabilities in PHP-Nuke, which can be
exploited by malicious people to conduct SQL injection attacks. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
The vulnerabilities have been confirmed in version 7.8. Other
versions may also be affected.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
rgod
ORIGINAL ADVISORY:
http://rgod.altervista.org/phpnuke78sql.html
VAR-200510-0260 | CVE-2005-3270 | Symantec LiveUpdate for Macintosh Local privilege elevation vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Untrusted search path vulnerability in DiskMountNotify for Symantec Norton AntiVirus 9.0.3 allows local users to gain privileges by modifying the PATH to reference a malicious (1) ps or (2) grep file.
TITLE:
Symantec Norton AntiVirus / LiveUpdate for Macintosh Privilege
Escalation
SECUNIA ADVISORY ID:
SA17268
VERIFY ADVISORY:
http://secunia.com/advisories/17268/
CRITICAL:
Less critical
IMPACT:
Privilege escalation
WHERE:
Local system
SOFTWARE:
Symantec Norton Utilities for Macintosh 8.x
http://secunia.com/product/5953/
Symantec LiveUpdate for Macintosh 3.x
http://secunia.com/product/5954/
Symantec Norton AntiVirus for Macintosh 10.x
http://secunia.com/product/5949/
Symantec Norton AntiVirus for Macintosh 9.x
http://secunia.com/product/5948/
Symantec Norton Internet Security for Macintosh 3.x
http://secunia.com/product/5951/
Symantec Norton Personal Firewall for Macintosh 3.x
http://secunia.com/product/5950/
Symantec Norton SystemWorks for Macintosh 3.x
http://secunia.com/product/5952/
DESCRIPTION:
Some vulnerabilities have been reported in Symantec Norton AntiVirus
for Macintosh and Symantec LiveUpdate for Macintosh, which can be
exploited by malicious, local users to gain escalated privileges.
1) The suid "DiskMountNotify" component of Symantec Norton AntiVirus
for Macintosh fails to set its execution path environment. This may
be exploited by malicious users to execute arbitrary commands with
System Administrative privileges by modifying the execution path that
the component uses to locate system commands.
The vulnerability has been reported in the following versions:
* version 9.0.0, 9.0.1
* version 9.0.2 (English, Japanese)
* version 9.0.2 Build 5 (French, German, Italian)
* version 9.0.3 (English, Japanese)
* version 10.0.0, 10.0.1
2) The LiveUpdate component uses a suid command-line application to
interface with the Java interpreter. This can be exploited by
malicious users to execute arbitrary Java code with System
Administrative privileges using the interface application.
The vulnerability has been reported in the following products:
* LiveUpdate for Macintosh versions 3.0.0, 3.0.1 and 3.0.2
* LiveUpdate for Macintosh version 3.0.3 Build 5 (English)
* LiveUpdate for Macintosh version 3.0.3 Build 11, 3.5.0 Build 47
* Norton AntiVirus 9.0.x, 10.0.0, 10.0.1
* Norton Personal Firewall 3.0.x, 3.1.0
* Norton Internet Security 3.0.x
* Norton Utilities 8.0.x
* Norton SystemWorks 3.0.x
SOLUTION:
Update to the latest version via Live Update.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits iDEFENSE.
ORIGINAL ADVISORY:
http://securityresponse.symantec.com/avcenter/security/Content/2005.10.19.html
http://securityresponse.symantec.com/avcenter/security/Content/2005.10.19a.html
VAR-200510-0133 | CVE-2005-2759 | Symantec Norton Antivirus For Macintosh DiskMountNotify Local privilege elevation vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
** SPLIT ** The jlucaller program in LiveUpdate for Symantec Norton AntiVirus 9.0.3 on Macintosh runs setuid when executing Java programs, which allows local users to gain privileges. NOTE: due to a CNA error, this candidate was also originally assigned to an issue in DiskMountNotify. Use CVE-2005-3270 for the DiskMountNotify issue, and CVE-2005-2759 for the LiveUpdate issue. This issue is due to a failure of the application to properly utilize the PATH environment variable in a setuid-superuser binary.
This vulnerability allows local attackers to gain superuser privileges, leading to complete compromise of the affected computer. This may
be exploited by malicious users to execute arbitrary commands with
System Administrative privileges by modifying the execution path that
the component uses to locate system commands.
The vulnerability has been reported in the following versions:
* version 9.0.0, 9.0.1
* version 9.0.2 (English, Japanese)
* version 9.0.2 Build 5 (French, German, Italian)
* version 9.0.3 (English, Japanese)
* version 10.0.0, 10.0.1
2) The LiveUpdate component uses a suid command-line application to
interface with the Java interpreter. This can be exploited by
malicious users to execute arbitrary Java code with System
Administrative privileges using the interface application.
The vulnerability has been reported in the following products:
* LiveUpdate for Macintosh versions 3.0.0, 3.0.1 and 3.0.2
* LiveUpdate for Macintosh version 3.0.3 Build 5 (English)
* LiveUpdate for Macintosh version 3.0.3 Build 11, 3.5.0 Build 47
* Norton AntiVirus 9.0.x, 10.0.0, 10.0.1
* Norton Personal Firewall 3.0.x, 3.1.0
* Norton Internet Security 3.0.x
* Norton Utilities 8.0.x
* Norton SystemWorks 3.0.x
SOLUTION:
Update to the latest version via Live Update.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits iDEFENSE.
ORIGINAL ADVISORY:
http://securityresponse.symantec.com/avcenter/security/Content/2005.10.19.html
http://securityresponse.symantec.com/avcenter/security/Content/2005.10.19a.html
VAR-200511-0398 | CVE-2005-3426 | Cisco 11500 Content Services Switch Malformed SSL Certificate Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco CSS 11500 Content Services Switch (CSS) with SSL termination services allows remote attackers to cause a denial of service (memory corruption and device reload) via a malformed client certificate during SSL session negotiation. This vulnerability only occurs if the CSS is configured to support SSL terminal services, and SSL terminal services are not configured by default.
SOLUTION:
Fixes are available (see patch matrix in vendor advisory).
http://www.cisco.com/en/US/products/products_security_advisory09186a008054bc9b.shtml#software
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20051019-css.shtml
VAR-200607-0506 | CVE-2006-3734 | Snort Back Orifice preprocessor buffer overflow |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in the Command Line Interface (CLI) for Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.2.1, allow local CS-MARS administrators to execute arbitrary commands as root. A buffer overflow exists in the Snort Back Orifice preprocessor that may allow a remote, unauthenticated attacker to execute arbitrary code, possibly with elevated privileges. This may facilitate a remote compromise of affected computers.
Cisco has released version 4.2.1 to address these issues; prior versions are reported vulnerable. Snort is susceptible to a remote buffer overflow vulnerability. This issue is due to a failure of the application to securely copy network-derived data into sensitive process buffers. The specific issue exists in the Back Orifice preprocessor. This may facilitate unauthorized access or privilege escalation.
Due to the nature of this issue, attackers may exploit it by sending a single UDP packet with a potentially spoofed source address to an arbitrary destination address and port. As long as the application can sniff the packet, it may be exploited. These aspects of this issue may aid attackers in bypassing firewalls in order to compromise a wider number of computers.
Reportedly, this issue is difficult to reliably exploit across differing operating systems and compiler versions. Failed exploit attempts likely result in crashing the application, thereby disabling detection of other attacks.
Snort versions 2.4.0 through 2.4.2 are affected by this issue. Other versions may also be affected, but this has not been confirmed. The CS-MARS CLI is a restricted shell environment that allows authenticated administrators to perform system maintenance tasks.
National Cyber Alert System
Technical Cyber Security Alert TA05-291A
Snort Back Orifice Preprocessor Buffer Overflow
Original release date: October 18, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Snort versions 2.4.0 to 2.4.2
* Sourcefire Intrusion Sensors
Other products that use Snort or Snort components may be affected.
I. Description
Snort is a widely-deployed, open-source network intrusion detection
system (IDS). Snort and its components are used in other IDS
products, notably Sourcefire Intrusion Sensors, and Snort is
included with a number of operating system distributions.
Snort preprocessors are modular plugins that extend functionality
by operating on packets before the detection engine is run. The ping detection code does
not adequately limit the amount of data that is read from the
packet into a fixed-length buffer, thus creating the potential for
a buffer overflow.
The vulnerable code will process any UDP packet that is not
destined to or sourced from the default Back Orifice port
(31337/udp). An attacker could exploit this vulnerability by
sending a specially crafted UDP packet to a host or network
monitored by Snort.
US-CERT is tracking this vulnerability as VU#175500. Further
information is available in an advisory from Internet Security
Systems (ISS).
II. Impact
Snort typically runs with root or
SYSTEM privileges, so an attacker could take complete control of a
vulnerable system. An attacker does not need to target a Snort
sensor directly; the attacker can target any host or network
monitored by Snort.
III. Solution
Upgrade
Sourcefire has released Snort 2.4.3 which is available from the
Snort download site. For information about other vendors, please
see the Systems Affected section of VU#175500.
Disable Back Orifice Preprocessor
To disable the Back Orifice preprocessor, comment out the line that
loads the preprocessor in the Snort configuration file (typically
/etc/snort.conf on UNIX and Linux systems):
[/etc/snort.conf]
...
#preprocessor bo
...
Restart Snort for the change to take effect.
Restrict Outbound Traffic
Consider preventing Snort sensors from initiating outbound
connections and restricting outbound traffic to only those hosts
and networks that have legitimate requirements to communicate with
the sensors. While this will not prevent exploitation of the
vulnerability, it may make it more difficult for an attacker to
access a compromised system or reconnoiter other systems.
Appendix A. References
* US-CERT Vulnerability Note VU#175500 -
<http://www.kb.cert.org/vuls/id/177500>
* Fixes and Mitigation Instructions Available for Snort Back
Orifice Vulnerability -
<http://www.snort.org/pub-bin/snortnews.cgi#99>
* Snort downloads - <http://www.snort.org/dl/>
* Snort 2.4.3 Changelog -
<http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt>
* Preprocessors -
<http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node11.html#SECTION00310000000000000000>
* Snort Back Orifice Parsing Remote Code Execution -
<http://xforce.iss.net/xforce/alerts/id/207>
____________________________________________________________________
This vulnerability was researched and reported by Internet Security
Systems (ISS).
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA05-291A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA05-291A Feedback VU#175500" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Oct 18, 2005: Initial release
TITLE:
CS-MARS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA21118
VERIFY ADVISORY:
http://secunia.com/advisories/21118/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, Exposure of system information, System access
WHERE:
From local network
OPERATING SYSTEM:
Cisco Security Monitoring, Analysis and Response System (CS-MARS) 4.x
http://secunia.com/product/6780/
DESCRIPTION:
Multiple vulnerabilities have been reported in CS-MARS, which can be
exploited by malicious, local users to bypass certain security
restrictions and malicious people to gain knowledge of system
information and compromise a vulnerable system.
2) The included JBoss web application server is also affected by an
information disclosure weakness.
CS-MARS also ships with an Oracle database containing several default
Oracle accounts with well-known passwords.
SOLUTION:
Update to version 4.2.1 or later.
PROVIDED AND/OR DISCOVERED BY:
1+2) Jon Hart
3) Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060719-mars.shtml
OTHER REFERENCES:
SA15746:
http://secunia.com/advisories/15746/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
The vulnerability is caused due to a boundary error in the handling
of Back Orifice packets.
Alternatively, disable the Back Orifice pre-processor
VAR-200607-0505 | CVE-2006-3733 | Snort Back Orifice preprocessor buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
jmx-console/HtmlAdaptor in the jmx-console in the JBoss web application server, as shipped with Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.2.1, allows remote attackers to gain privileges as the CS-MARS administrator and execute arbitrary Java code via an invokeOp action in the BSHDeployer jboss.scripts service name. A buffer overflow exists in the Snort Back Orifice preprocessor that may allow a remote, unauthenticated attacker to execute arbitrary code, possibly with elevated privileges. Cisco Security Monitoring, Analysis and Response System (CS-MARS) is prone to multiple vulnerabilities, including privilege-escalation, arbitrary command-execution, and information-disclosure issues. This may facilitate a remote compromise of affected computers.
Cisco has released version 4.2.1 to address these issues; prior versions are reported vulnerable. Snort is susceptible to a remote buffer overflow vulnerability. This issue is due to a failure of the application to securely copy network-derived data into sensitive process buffers. The specific issue exists in the Back Orifice preprocessor. This may facilitate unauthorized access or privilege escalation.
Due to the nature of this issue, attackers may exploit it by sending a single UDP packet with a potentially spoofed source address to an arbitrary destination address and port. As long as the application can sniff the packet, it may be exploited. These aspects of this issue may aid attackers in bypassing firewalls in order to compromise a wider number of computers.
Reportedly, this issue is difficult to reliably exploit across differing operating systems and compiler versions. Failed exploit attempts likely result in crashing the application, thereby disabling detection of other attacks.
Snort versions 2.4.0 through 2.4.2 are affected by this issue. Other versions may also be affected, but this has not been confirmed. There is a loophole when the server processes user requests.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA05-291A
Snort Back Orifice Preprocessor Buffer Overflow
Original release date: October 18, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Snort versions 2.4.0 to 2.4.2
* Sourcefire Intrusion Sensors
Other products that use Snort or Snort components may be affected.
I. Description
Snort is a widely-deployed, open-source network intrusion detection
system (IDS). Snort and its components are used in other IDS
products, notably Sourcefire Intrusion Sensors, and Snort is
included with a number of operating system distributions.
Snort preprocessors are modular plugins that extend functionality
by operating on packets before the detection engine is run. The ping detection code does
not adequately limit the amount of data that is read from the
packet into a fixed-length buffer, thus creating the potential for
a buffer overflow.
The vulnerable code will process any UDP packet that is not
destined to or sourced from the default Back Orifice port
(31337/udp). An attacker could exploit this vulnerability by
sending a specially crafted UDP packet to a host or network
monitored by Snort.
US-CERT is tracking this vulnerability as VU#175500. Further
information is available in an advisory from Internet Security
Systems (ISS).
II. Impact
Snort typically runs with root or
SYSTEM privileges, so an attacker could take complete control of a
vulnerable system. An attacker does not need to target a Snort
sensor directly; the attacker can target any host or network
monitored by Snort.
III. Solution
Upgrade
Sourcefire has released Snort 2.4.3 which is available from the
Snort download site. For information about other vendors, please
see the Systems Affected section of VU#175500.
Disable Back Orifice Preprocessor
To disable the Back Orifice preprocessor, comment out the line that
loads the preprocessor in the Snort configuration file (typically
/etc/snort.conf on UNIX and Linux systems):
[/etc/snort.conf]
...
#preprocessor bo
...
Restart Snort for the change to take effect.
Restrict Outbound Traffic
Consider preventing Snort sensors from initiating outbound
connections and restricting outbound traffic to only those hosts
and networks that have legitimate requirements to communicate with
the sensors. While this will not prevent exploitation of the
vulnerability, it may make it more difficult for an attacker to
access a compromised system or reconnoiter other systems.
Appendix A. References
* US-CERT Vulnerability Note VU#175500 -
<http://www.kb.cert.org/vuls/id/177500>
* Fixes and Mitigation Instructions Available for Snort Back
Orifice Vulnerability -
<http://www.snort.org/pub-bin/snortnews.cgi#99>
* Snort downloads - <http://www.snort.org/dl/>
* Snort 2.4.3 Changelog -
<http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt>
* Preprocessors -
<http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/
node11.html#SECTION00310000000000000000>
* Snort Back Orifice Parsing Remote Code Execution -
<http://xforce.iss.net/xforce/alerts/id/207>
____________________________________________________________________
This vulnerability was researched and reported by Internet Security
Systems (ISS).
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA05-291A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA05-291A Feedback VU#175500" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Oct 18, 2005: Initial release
The vulnerability is caused due to a boundary error in the handling
of Back Orifice packets.
Alternatively, disable the Back Orifice pre-processor
VAR-200607-0504 | CVE-2006-3732 | Snort Back Orifice preprocessor buffer overflow |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.2.1 ships with an Oracle database that contains several default accounts and passwords, which allows attackers to obtain sensitive information. A buffer overflow exists in the Snort Back Orifice preprocessor that may allow a remote, unauthenticated attacker to execute arbitrary code, possibly with elevated privileges. This may facilitate a remote compromise of affected computers.
Cisco has released version 4.2.1 to address these issues; prior versions are reported vulnerable. Snort is susceptible to a remote buffer overflow vulnerability. This issue is due to a failure of the application to securely copy network-derived data into sensitive process buffers. The specific issue exists in the Back Orifice preprocessor. This may facilitate unauthorized access or privilege escalation.
Due to the nature of this issue, attackers may exploit it by sending a single UDP packet with a potentially spoofed source address to an arbitrary destination address and port. As long as the application can sniff the packet, it may be exploited. These aspects of this issue may aid attackers in bypassing firewalls in order to compromise a wider number of computers.
Reportedly, this issue is difficult to reliably exploit across differing operating systems and compiler versions. Failed exploit attempts likely result in crashing the application, thereby disabling detection of other attacks.
Snort versions 2.4.0 through 2.4.2 are affected by this issue. Other versions may also be affected, but this has not been confirmed. CS-MARS uses an Oracle database to store sensitive network events and configuration data. Information in the database may include authentication credentials for network devices, such as firewalls, routers and IPS devices, and details of network security events.
The vulnerability is caused due to a boundary error in the handling
of Back Orifice packets.
Alternatively, disable the Back Orifice pre-processor
VAR-200510-0204 | CVE-2005-3221 | Fortinet Antivirus Malicious RAR File bypass virus detection vulnerability |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Multiple interpretation error in unspecified versions of Fortinet Antivirus allows remote attackers to bypass virus detection via a malicious executable in a specially crafted RAR file with malformed central and local headers, which can still be opened by products such as Winrar and PowerZip, even though they are rejected as corrupted by Winzip and BitZipper. Fortinet Antivirus is prone to a security bypass vulnerability. Fortinet Antivirus is antivirus software developed by Fortinet that uses a signature database and a heuristic scanning engine. An unspecified version of Fortinet Antivirus has multiple interpretation errors. The specially crafted RAR file contains malformed central and local headers; although Winzip and BitZipper reject it as corrupted, products such as Winrar and PowerZip can still open it.
VAR-200510-0113 | CVE-2005-3286 | Kerio Personal firewall and server firewall PEB lockout Denial of service vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The FWDRV driver in Kerio Personal Firewall 4.2 and Server Firewall 1.1.1 allows local users to cause a denial of service (crash) by setting the PAGE_NOACCESS or PAGE_GUARD protection on the Page Environment Block (PEB), which triggers an exception, aka the "PEB lockout vulnerability". Kerio Personal Firewall and ServerFirewall are prone to a local denial of service vulnerability.
Reports indicate that the FWDRV driver does not verify access to memory associated with the Process Environment Block (PEB) of the application. An attacker can trigger fatal exceptions and cause the firewall process to terminate.
A denial of service condition in the firewall can expose computers to further attacks. Kerio Personal Firewall and Server Firewall are easy-to-use firewall products. When parsing the PEB, FWDRV does not check whether the memory is accessible; if an attacker sets PAGE_NOACCESS or PAGE_GUARD protection on the PEB, an exception is raised and the machine crashes with a blue screen. This can be exploited to crash the system via a malicious
application that locks the memory page where its PEB resides before
connecting to the network.
* Kerio ServerFirewall version 1.1.1 and prior.
SOLUTION:
Kerio Personal Firewall:
Update to version 4.2.1 or later.
Kerio ServerFirewall:
Update to version 1.1.2 or later.
PROVIDED AND/OR DISCOVERED BY:
Piotr Bania
ORIGINAL ADVISORY:
Kerio:
http://www.kerio.com/security_advisory.html
Piotr Bania:
http://pb.specialised.info/all/adv/kerio-fwdrv-dos-adv.txt
VAR-200511-0109 | CVE-2005-3664 | Kaspersky Antivirus engine CHM File parser remote overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Kaspersky Anti-Virus Engine, as used in Kaspersky Personal 5.0.227, Anti-Virus On-Demand Scanner for Linux 5.0.5, and F-Secure Anti-Virus for Linux 4.50 allows remote attackers to execute arbitrary code via a crafted CHM file. On Microsoft platforms, the affected software cannot execute arbitrary code, but prevents Kaspersky Anti-Virus from scanning any files, thus potentially allowing later malicious code to reach its target.
For more information:
SA17130
The vulnerability has been reported in version 4.50. Prior versions
may also be affected.
TITLE:
Kaspersky Anti-Virus Engine CHM File Parsing Buffer Overflow
SECUNIA ADVISORY ID:
SA17130
VERIFY ADVISORY:
http://secunia.com/advisories/17130/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Kaspersky Anti-Virus 5.x
http://secunia.com/product/2781/
DESCRIPTION:
A vulnerability has been reported in Kaspersky Anti-Virus, which can
be exploited by malicious people to cause a DoS (Denial of Service),
or compromise a vulnerable system.
The vulnerability is caused due to a boundary error in the scan
engine when parsing a malformed CHM file. This can be exploited to
cause a heap-based buffer overflow when a specially crafted CHM file
is scanned. On Windows platforms, the anti-virus may fail to scan any
other files after a malformed CHM file has been encountered.
SOLUTION:
The vulnerability has reportedly been fixed via a signature update
after July 2005.
PROVIDED AND/OR DISCOVERED BY:
Discovered by anonymous person and reported via iDEFENSE.
ORIGINAL ADVISORY:
iDEFENSE:
http://www.idefense.com/application/poi/display?id=318&type=vulnerabilities
VAR-200510-0158 | CVE-2005-3196 | Planet Technology FGSW-2402RS Switch Backdoor Password Reset Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Planet Technology Corp FGSW2402RS switch with firmware 1.2 has a default password, which allows attackers with physical access to the device's serial port to gain privileges.
An attacker can exploit this vulnerability to gain administrative access to the switch; the consequences will vary depending on the network configuration.
Reports indicate that to exploit this vulnerability an attacker must have access to a machine directly connected to the vulnerable device through the RS-232 port connection.
Though unconfirmed, this vulnerability may be remotely exploitable if access to the affected device exists by some other means. This would greatly increase the possible exposure to this vulnerability.
VAR-200510-0180 | CVE-2005-3197 | Webroot Software Desktop Firewall Multiple Local Vulnerabilities |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in PWIWrapper.dll for Webroot Desktop Firewall before 1.3.0build52 allows local users to execute arbitrary code as SYSTEM by sending a crafted DeviceIoControl command, then removing an allowed program from the firewall list. Webroot Software Desktop Firewall is susceptible to multiple local vulnerabilities.
The first issue is a buffer overflow vulnerability, due to a failure of the application to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer.
Local attackers may exploit this first issue to execute arbitrary machine code with SYSTEM privileges. Attackers require the ability to modify the firewall's list of allowed applications.
The second issue is an authentication bypass vulnerability. This issue is due to a failure of the firewall to properly enforce built-in password protection, allowing local attackers to disable the firewall.
Local attackers may exploit the second issue to disable the firewall, aiding them in further attacks.
These issues may only be exploited by local attackers with privileges allowing them to utilize 'DeviceIoControl()' to send commands to the firewall driver.
These issues are reported to exist in version 1.3.0.43. Other versions may also be affected.
SOLUTION:
Update to version 1.3.0 build 52.
PROVIDED AND/OR DISCOVERED BY:
Tan Chew Keong, Secunia Research.
ORIGINAL ADVISORY:
Webroot:
http://support.webroot.com/ics/support/KBAnswer.asp?questionID=2332
Secunia Research:
http://secunia.com/secunia_research/2005-10/advisory/
VAR-200510-0155 | CVE-2005-3190 | Computer Associates Multiple products HTTP Request remote overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Computer Associates (CA) iGateway 3.0 and 4.0 before 4.0.050623, when running in debug mode, allows remote attackers to execute arbitrary code via HTTP GET requests. Multiple Computer Associates products are susceptible to a remote buffer overflow vulnerability. This issue is due to a failure of the affected products to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer.
This issue exists in the iTechnology iGateway component that is included in multiple Computer Associates products.
Versions 1.x, 2.x, and the current 4.x versions of the iGateway component are not affected by this issue. Version 3.0.040107 and earlier 3.x versions are affected. This issue is only exploitable if the non-default components are installed, the 'igateway.conf' configuration file has debugging enabled, and the service is then manually restarted. Computer Associates is the world's leading security vendor, products include a variety of antivirus software.
TITLE:
CA iGateway Debug Mode HTTP GET Request Buffer Overflow
SECUNIA ADVISORY ID:
SA17085
VERIFY ADVISORY:
http://secunia.com/advisories/17085/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
CA iGateway 4.x
http://secunia.com/product/5821/
CA iGateway 3.x
http://secunia.com/product/5820/
DESCRIPTION:
Erika Mendoza has reported a vulnerability in CA iGateway, which can
be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a boundary error when parsing HTTP
GET requests.
Successful exploitation requires that debug mode is enabled.
The vulnerability has been reported in version 3.0 and 4.0 released
prior to 2005-06-23.
Note: Exploit code for this vulnerability is publicly available.
SOLUTION:
The vendor recommends that iGateway should not be run in debug mode.
PROVIDED AND/OR DISCOVERED BY:
Erika Mendoza
ORIGINAL ADVISORY:
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?id=33485