VARIoT IoT vulnerabilities database


VAR-200509-0169 CVE-2005-2847 Barracuda Spam Firewall IMG.PL Remote Command Execution Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to execute arbitrary commands via shell metacharacters in the f parameter. This issue arises when user-specified commands are supplied to the Web interface of the device. An attacker can supply arbitrary commands and have them executed in the context of the server. This issue may facilitate unauthorized remote access. Barracuda Spam Firewall firmware 3.1.17 and prior versions are affected by this issue. The img.pl script tries to unlink the file when the user finishes reading it. In the /cgi-bin/img.pl script:
    my $file_img="/tmp/".CGI::param('f');
    open (IMG, $file_img) or die "Could not open image because: $!\n";
    ...
    unlink ($file_img);
The Perl open function can also be used to execute commands. If the string ends with "|", the script executes the command
VAR-200509-0170 CVE-2005-2848 Barracuda Spam Firewall IMG.PL Remote Directory Traversal Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to read arbitrary files via a .. (dot dot) in the f parameter. This issue affects the Web interface of the appliance. Exploitation of this vulnerability could lead to a loss of confidentiality as arbitrary files are disclosed to an attacker. Information obtained through this attack may aid in further attacks against the underlying system. Barracuda Spam Firewall firmware 3.1.17 and prior versions are affected by this issue. The img.pl script tries to unlink the file when the user finishes reading it. In the /cgi-bin/img.pl script:
    my $file_img="/tmp/".CGI::param('f');
    open (IMG, $file_img) or die "Could not open image because: $!\n";
    ...
    unlink ($file_img);
The Perl open function can also be used to execute commands. If the string ends with "|", the script executes the command, piping the output to the IMG file descriptor. File retrieval: f=../etc/passwd An attacker could exploit this vulnerability to obtain sensitive information such as administrator passwords
VAR-200509-0196 CVE-2005-2766 Symantec AntiVirus Update Local Information Disclosure Vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Symantec AntiVirus Corporate Edition 9.0.1.x and 9.0.4.x, and possibly other versions, when obtaining updates from an internal LiveUpdate server, stores sensitive information in cleartext in the Log.Liveupdate log file, which allows attackers to obtain the username and password to the internal LiveUpdate server. Symantec LiveUpdate Client is susceptible to a local information disclosure vulnerability. A local attacker can subsequently access the file and disclose authentication credentials to access the server. This may lead to various attacks including the potential compromise of the server. Symantec Antivirus is an antivirus software produced by Symantec Corporation
VAR-200508-0061 CVE-2005-2678 Microsoft IIS SERVER_NAME Variable Spoofing Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Microsoft IIS 5.1 and 6 allows remote attackers to spoof the SERVER_NAME variable to bypass security checks and conduct various attacks via a GET request with an http://localhost URI, which makes it appear as if the request is coming from localhost. Microsoft IIS handles the SERVER_NAME variable incorrectly: the variable can be changed to an arbitrary value by sending an HTTP request. It is possible to obtain important information in the system. IIS Far East Edition is prone to a remote security vulnerability.

TITLE: Microsoft IIS "SERVER_NAME" Variable Spoofing Vulnerability
SECUNIA ADVISORY ID: SA16548
VERIFY ADVISORY: http://secunia.com/advisories/16548/
CRITICAL: Less critical
IMPACT: Spoofing
WHERE: From remote
SOFTWARE:
Microsoft Internet Information Services (IIS) 5.x http://secunia.com/product/39/
Microsoft Internet Information Services (IIS) 6 http://secunia.com/product/1438/
DESCRIPTION: Inge Henriksen has discovered a vulnerability in Microsoft Internet Information Services (IIS), which can be exploited by malicious people to spoof certain information. The vulnerability is caused due to an error when determining the "SERVER_NAME" variable and can be exploited to spoof it via a specially crafted HTTP request. Successful exploitation may e.g. disclose parts of an ASP script's source code or make it possible to bypass security checks performed by a web application based on the "SERVER_NAME" variable. The vulnerability has been confirmed in IIS 5.1 and has also been reported in versions 5.0 and 6.0.
SOLUTION: Don't make assumptions based on the "SERVER_NAME" variable in web applications. Don't use the default 500-100.asp error page, as it makes assumptions based on the "SERVER_NAME" variable and may return script contents when encountering errors.
PROVIDED AND/OR DISCOVERED BY: Inge Henriksen
ORIGINAL ADVISORY: http://ingehenriksen.blogspot.com/2005/08/remote-iis-5x-and-iis-60-server-name.html
VAR-200508-0055 CVE-2005-2672 LM_sensors PWMConfig Insecure Temporary File Creation Vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
pwmconfig in LM_sensors before 2.9.1 creates temporary files insecurely, which allows local users to overwrite arbitrary files via a symlink attack on the fancontrol temporary file. The pwmconfig script shipped with lm_sensors creates its temporary file (/tmp/fancontrol) insecurely and is therefore vulnerable to symbolic link attacks. Any file may be overwritten with the privileges of the user who runs pwmconfig. The issue exists in the 'pwmconfig' script. Exploitation would most likely result in loss of data or a denial of service if critical files are overwritten in the attack. Other attacks may be possible as well. lm_sensors version 2.9.1 is reportedly affected, however, other versions may be vulnerable as well.

Debian Security Advisory DSA 814-1
security@debian.org
http://www.debian.org/security/
Martin Schulze
September 15th, 2005
http://www.debian.org/security/faq

Package : lm-sensors
Vulnerability : insecure temporary file
Problem type : local
Debian-specific: no
CVE ID : CAN-2005-2672
Debian Bug : 324193

Javier Fernández-Sanguino Peña discovered that a script of lm-sensors, utilities to read temperature/voltage/fan sensors, creates a temporary file with a predictable filename, leaving it vulnerable for a symlink attack.

The old stable distribution (woody) is not affected by this problem.
For the stable distribution (sarge) this problem has been fixed in version 2.9.1-1sarge2.
For the unstable distribution (sid) this problem has been fixed in version 2.9.1-7.

We recommend that you upgrade your lm-sensors package.

Upgrade Instructions
--------------------
wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
--------------------------------
These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

For more information: SA16501
SOLUTION: Update to "sys-apps/lm_sensors-2.9.1-r1" or later.

TITLE: LM Sensors Insecure Temporary File Creation Vulnerability
SECUNIA ADVISORY ID: SA16501
VERIFY ADVISORY: http://secunia.com/advisories/16501/
CRITICAL: Less critical
IMPACT: Privilege escalation
WHERE: Local system
SOFTWARE: LM Sensors 2.x http://secunia.com/product/5572/
DESCRIPTION: Javier Fernandez-Sanguino Pena has reported a vulnerability in LM Sensors, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
SOLUTION: Grant only trusted users access to vulnerable systems.
PROVIDED AND/OR DISCOVERED BY: Javier Fernandez-Sanguino Pena

Gentoo Linux Security Advisory GLSA 200508-19
http://security.gentoo.org/

Severity: Normal
Title: lm_sensors: Insecure temporary file creation
Date: August 30, 2005
Bugs: #103568
ID: 200508-19

Synopsis
========
lm_sensors is vulnerable to linking attacks, potentially allowing a local user to overwrite arbitrary files.

Background
==========
lm_sensors is a software package that provides drivers for monitoring the temperatures, voltages, and fans of Linux systems with hardware monitoring devices. When the pwmconfig script of lm_sensors is executed, this would result in the file being overwritten with the rights of the user running the script, which typically is the root user.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All lm_sensors users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-apps/lm_sensors-2.9.1-r1"

References
==========
[ 1 ] CAN-2005-2672 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2672

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200508-19.xml

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0

For more information: SA16501
SOLUTION: Updated packages are available from Red Hat Network
VAR-200508-0046 CVE-2005-2695 Cisco IDS sensor CiscoWorks control center SSL Certificate Verification Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in the SSL certificate checking functionality in Cisco CiscoWorks Management Center for IDS Sensors (IDSMC) 2.0 and 2.1, and Monitoring Center for Security (Security Monitor or Secmon) 1.1 through 2.0 and 2.1, allows remote attackers to spoof a Cisco Intrusion Detection Sensor (IDS) or Intrusion Prevention System (IPS). This issue is due to a failure of the software to properly validate SSL certificates. By spoofing these connections attackers may gain access to login credentials, aiding them in further attacks. Spoofed connections may also allow for the insertion of false data or the modification or destruction of other valid data contained in the affected management software. This allows attackers to hide the traces of their malicious activity, creating a false sense of security. Other attacks may also be possible
VAR-200508-0064 CVE-2005-2681 Cisco Local privilege vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the command line interface (CLI) processing logic in Cisco Intrusion Prevention System 5.0(1) and 5.0(2) allows local users with OPERATOR or VIEWER privileges to gain additional privileges via unknown vectors. Cisco IPS is susceptible to a local privilege escalation vulnerability. This issue is due to a flaw in the logic of the command line interface (CLI). OPERATOR and VIEWER are non-privileged accounts designated for monitoring and troubleshooting of IPS devices. By exploiting this vulnerability, attackers may gain full administrative privileges on affected devices. This allows them to bypass the network security features of the device, aiding them in further attacks. Arbitrary code execution and denial of network services are also possible.

TITLE: Cisco Intrusion Prevention System Privilege Escalation
SECUNIA ADVISORY ID: SA16545
VERIFY ADVISORY: http://secunia.com/advisories/16545/
CRITICAL: Less critical
IMPACT: Privilege escalation
WHERE: Local system
OPERATING SYSTEM: Cisco Intrusion Prevention System (IPS) 5.x http://secunia.com/product/5600/
DESCRIPTION: A vulnerability has been reported in Cisco Intrusion Prevention System, which can be exploited by malicious, local users to gain escalated privileges. The vulnerability affects versions 5.0(1) and 5.0(2). Versions 4.x and prior are not vulnerable.
SOLUTION: Update to version 5.0(3). http://www.cisco.com/pcgi-bin/tablebuild.pl/ips5
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20050824-ips.shtml
VAR-200508-0052 CVE-2005-2669 Computer Associates Message Queuing software vulnerable to buffer overflows CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Computer Associates (CA) Message Queuing (CAM / CAFT) 1.05, 1.07 before Build 220_13, and 1.11 before Build 29_13 allows remote attackers to execute arbitrary commands via spoofed CAFT packets. CAM is prone to a vulnerability that could permit the spoofing of a CAFT application utilizing the CAM instance. This may ultimately allow the execution of arbitrary commands. CAFT is a file transfer application that utilizes CAM to send and receive the files. The problem presents itself due to a failure in the CAM service to verify the legitimacy of the CAFT application.

TITLE: CA Various Products Message Queuing Vulnerabilities
SECUNIA ADVISORY ID: SA16513
VERIFY ADVISORY: http://secunia.com/advisories/16513/
CRITICAL: Moderately critical
IMPACT: Spoofing, DoS, System access
WHERE: From local network
SOFTWARE:
CA Unicenter TNG 2.x http://secunia.com/product/3206/
CA Unicenter Software Delivery 4.x http://secunia.com/product/5597/
CA Unicenter Software Delivery 3.x http://secunia.com/product/5596/
CA Unicenter Service Level Management 3.x http://secunia.com/product/5595/
CA Unicenter Remote Control 6.x http://secunia.com/product/2622/
CA Unicenter Performance Management for OpenVMS 2.x http://secunia.com/product/5573/
CA Unicenter Network and Systems Management (NSM) Wireless Network Management Option 3.x http://secunia.com/product/5594/
CA Unicenter Network and Systems Management (NSM) 3.x http://secunia.com/product/1683/
CA Unicenter Management for WebSphere MQ 3.x http://secunia.com/product/5590/
CA Unicenter Management for Web Servers 5.x http://secunia.com/product/5593/
CA Unicenter Management for Microsoft Exchange 4.x http://secunia.com/product/5591/
CA Unicenter Management for Lotus Notes/Domino 4.x http://secunia.com/product/5592/
CA Unicenter Jasmine 3.x http://secunia.com/product/5589/
CA Unicenter Enterprise Job Manager 1.x http://secunia.com/product/5588/
CA Unicenter Data Transport Option 2.x http://secunia.com/product/5587/
CA Unicenter Asset Management 4.x http://secunia.com/product/1682/
CA Unicenter Asset Management 3.x http://secunia.com/product/5586/
CA Unicenter Application Performance Monitor 3.x http://secunia.com/product/5585/
CA eTrust Admin 8.x http://secunia.com/product/5584/
CA eTrust Admin 2.x http://secunia.com/product/5583/
CA CleverPath Predictive Analysis Server 3.x http://secunia.com/product/5581/
CA CleverPath Predictive Analysis Server 2.x http://secunia.com/product/5580/
CA CleverPath OLAP 5.x http://secunia.com/product/5578/
CA CleverPath Enterprise Content Manager (ECM) 3.x http://secunia.com/product/5579/
CA CleverPath Aion 10.x http://secunia.com/product/5582/
CA BrightStor SAN Manager 11.x http://secunia.com/product/5576/
CA BrightStor SAN Manager 1.x http://secunia.com/product/5575/
CA BrightStor Portal 11.x http://secunia.com/product/5577/
CA Advantage Data Transport 3.x http://secunia.com/product/5574/
DESCRIPTION: Some vulnerabilities have been reported in various products within the CA Message Queuing (CAM / CAFT) software, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
1) An unspecified error in the CAM service can be exploited to cause a DoS by sending specially crafted packets to the TCP port.
2) Unspecified boundary errors can be exploited to cause buffer overflows by sending specially crafted packets to the service.
SOLUTION: Apply patches (see vendor advisory for details).
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: Computer Associates: http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_notice.asp
VAR-200508-0051 CVE-2005-2668 Computer Associates Message Queuing software vulnerable to buffer overflows CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Multiple buffer overflows in Computer Associates (CA) Message Queuing (CAM / CAFT) 1.05, 1.07 before Build 220_13, and 1.11 before Build 29_13 allow remote attackers to execute arbitrary code via unknown vectors. This may allow an attacker to escalate their privileges to SYSTEM level. CA Unicenter Management Portal provides access to enterprise management information and various Unicenter management solutions such as personalized WEB interface. TITLE: CA Various Products Message Queuing Vulnerabilities SECUNIA ADVISORY ID: SA16513 VERIFY ADVISORY: http://secunia.com/advisories/16513/ CRITICAL: Moderately critical IMPACT: Spoofing, DoS, System access WHERE: From local network SOFTWARE: CA Unicenter TNG 2.x http://secunia.com/product/3206/ CA Unicenter Software Delivery 4.x http://secunia.com/product/5597/ CA Unicenter Software Delivery 3.x http://secunia.com/product/5596/ CA Unicenter Service Level Management 3.x http://secunia.com/product/5595/ CA Unicenter Remote Control 6.x http://secunia.com/product/2622/ CA Unicenter Performance Management for OpenVMS 2.x http://secunia.com/product/5573/ CA Unicenter Network and Systems Management (NSM) Wireless Network Management Option 3.x http://secunia.com/product/5594/ CA Unicenter Network and Systems Management (NSM) 3.x http://secunia.com/product/1683/ CA Unicenter Management for WebSphere MQ 3.x http://secunia.com/product/5590/ CA Unicenter Management for Web Servers 5.x http://secunia.com/product/5593/ CA Unicenter Management for Microsoft Exchange 4.x http://secunia.com/product/5591/ CA Unicenter Management for Lotus Notes/Domino 4.x http://secunia.com/product/5592/ CA Unicenter Jasmine 3.x
http://secunia.com/product/5589/ CA Unicenter Enterprise Job Manager 1.x http://secunia.com/product/5588/ CA Unicenter Data Transport Option 2.x http://secunia.com/product/5587/ CA Unicenter Asset Management 4.x http://secunia.com/product/1682/ CA Unicenter Asset Management 3.x http://secunia.com/product/5586/ CA Unicenter Application Performance Monitor 3.x http://secunia.com/product/5585/ CA eTrust Admin 8.x http://secunia.com/product/5584/ CA eTrust Admin 2.x http://secunia.com/product/5583/ CA CleverPath Predictive Analysis Server 3.x http://secunia.com/product/5581/ CA CleverPath Predictive Analysis Server 2.x http://secunia.com/product/5580/ CA CleverPath OLAP 5.x http://secunia.com/product/5578/ CA CleverPath Enterprise Content Manager (ECM) 3.x http://secunia.com/product/5579/ CA CleverPath Aion 10.x http://secunia.com/product/5582/ CA BrightStor SAN Manager 11.x http://secunia.com/product/5576/ CA BrightStor SAN Manager 1.x http://secunia.com/product/5575/ CA BrightStor Portal 11.x http://secunia.com/product/5577/ CA Advantage Data Transport 3.x http://secunia.com/product/5574/ DESCRIPTION: Some vulnerabilities have been reported in various products within the CA Message Queuing (CAM / CAFT) software, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. 1) An unspecified error in the CAM service can be exploited to cause a DoS by sending specially crafted packets to the TCP port. 2) Unspecified boundary errors can be exploited to cause buffer overflows by sending specially crafted packets to the service. 3) An error can be exploited to spoof CAFT and execute arbitrary commands with escalated privileges. The vulnerabilities affect all versions of the CA Message Queuing software prior to versions 1.07 Build 220_13 and 1.11 Build 29_13. SOLUTION: Apply patches (see vendor advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by vendor. 
ORIGINAL ADVISORY: Computer Associates: http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_notice.asp
VAR-200508-0142 CVE-2005-2640 Juniper Netscreen VPN Username Enumeration Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Behavioral discrepancy information leak in Juniper Netscreen VPN running ScreenOS 5.2.0 and earlier, when using IKE with pre-shared key authentication, allows remote attackers to enumerate valid usernames via an IKE Aggressive Mode packet, which generates a response if the username is valid but does not respond when the username is invalid. The IKE protocol implementation in NetScreen ScreenOS responds differently depending on whether the user name (IKE ID) included in an aggressive mode message belongs to a valid VPN user. A valid VPN username and its password hash may be obtained. This allows for attackers to obtain a list of valid VPN users. With a valid username, an attacker can obtain hashed credentials against which a brute force attack may be performed. A successful crack would mean that the attacker has complete access to the network. Netscreen is one of Juniper's leading lines of networking and security products. Juniper Netscreen's integrated firewall/VPN product has a VPN user name enumeration vulnerability when performing VPN security tests for customers. Once a username is discovered, an attacker can use that username to get a hash from Netscreen and then crack the associated password offline. TITLE: Juniper Netscreen IPSec VPN Username Enumeration Weakness SECUNIA ADVISORY ID: SA16474 VERIFY ADVISORY: http://secunia.com/advisories/16474/ CRITICAL: Not critical IMPACT: Exposure of system information WHERE: From remote OPERATING SYSTEM: NetScreen ScreenOS 5.x http://secunia.com/product/2569/ NetScreen ScreenOS 4.x http://secunia.com/product/695/ NetScreen ScreenOS 3.x http://secunia.com/product/798/ NetScreen ScreenOS 2.x http://secunia.com/product/1395/ DESCRIPTION: NTA Monitor has reported a weakness in Juniper Netscreen VPN, which can be exploited by malicious people to gain knowledge of certain information. The weakness is caused due to the device returning different responses depending on whether or not a valid username is supplied. This can be exploited to enumerate valid usernames, which can be used to obtain password hashes. The weakness has been reported in ScreenOS software versions up to 5.2.0. SOLUTION: Use certificate authentication instead of pre-shared key authentication. PROVIDED AND/OR DISCOVERED BY: NTA Monitor ORIGINAL ADVISORY: NTA Monitor: http://www.nta-monitor.com/news/vpn-flaws/juniper/netscreen/index.htm
VAR-200508-0080 CVE-2005-2631 Cisco Clean Access API Access verification vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco Clean Access (CCA) 3.3.0 to 3.3.9, 3.4.0 to 3.4.5, and 3.5.0 to 3.5.3 does not properly authenticate users when invoking API methods, which could allow remote attackers to bypass security checks, change the assigned role of a user, or disconnect users. Cisco Clean Access (CCA) is a software solution that automatically detects, quarantines, and cleans infected or vulnerable devices attempting to access the network. The vulnerability is caused due to missing authentication when invoking CCA Manager API methods. or gain knowledge of information on configured users. The vulnerability affects versions 3.3.0 through 3.3.9, 3.4.0 through 3.4.5, and 3.5.0 through 3.5.3. SOLUTION: Update to version 3.5.4 or later or apply patch. http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches Versions 3.3.0 and prior are not affected. PROVIDED AND/OR DISCOVERED BY: The vendor credits Troy Holder. ORIGINAL ADVISORY: Cisco Systems: http://www.cisco.com/warp/public/707/cisco-sa-20050817-cca.shtml
VAR-200508-0106 CVE-2005-2579 Nortel Contivity VPN Client Privilege escalation vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Nortel Contivity VPN Client V05_01.030, when configuring a certificate to be used as authentication, does not properly drop system privileges, which allows local users to gain privileges by opening a program with the File Open dialog box. Contivity is prone to a local security vulnerability
VAR-200508-0116 CVE-2005-2589 Linksys WRT54GS Authentication bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Unknown vulnerability in Linksys WRT54GS wireless router with firmware 4.50.6, with WPA Personal/TKIP authentication enabled, allows remote clients to bypass authentication by connecting without using encryption. Reportedly the device permits client devices that are using no encryption to connect when an encryption setting is being used. This results in a false sense of security. This issue is reported to affect firmware version 4.50.6; other firmware versions may also be affected. This issue also appears to have been addressed in firmware version 4.70.6; this has not been confirmed by Symantec or the vendor. Further information suggests this issue occurs when a firmware upgrade to version 4.50.6 has occurred but the unit has not been reset to factory defaults. Resetting the unit once the firmware has been upgraded is part of the recommended Linksys upgrade procedure. Linksys WRT54GS is a wireless router device that combines several functions. TITLE: Linksys WRT54GS Wireless Encryption Security Bypass SECUNIA ADVISORY ID: SA16457 VERIFY ADVISORY: http://secunia.com/advisories/16457/ CRITICAL: Moderately critical IMPACT: Security Bypass WHERE: From remote OPERATING SYSTEM: Linksys WRT54GS Wireless-G Broadband Router with SpeedBooster http://secunia.com/product/5549/ DESCRIPTION: Steve Scherf has reported a security issue in Linksys WRT54GS, which can be exploited by malicious people to bypass certain security restrictions.
PROVIDED AND/OR DISCOVERED BY: Steve Scherf
VAR-200508-0159 CVE-2005-2017 Symantec AntiVirus Corporate Edition Local Privilege Escalation Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Symantec AntiVirus 9 Corporate Edition allows local users to gain privileges via the "Scan for viruses" option, which launches a help window with raised privileges, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2002-1540. Applications or Services that call the Windows Help function in an insecure manner may allow a user unauthorized access to resources on the system. This issue may occur in applications or services where the Help function is not called in a secure manner. An example of this is when Anti-virus software or a personal firewall is running on the local system with the privileges of an administrator on the local system, and has an interface to "communicate" with the user. ISIHARA Takanori reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. A user may gain unauthorized access to resources on the system. Symantec AntiVirus Corporate Edition is susceptible to a local privilege escalation vulnerability. This issue is due to a failure of the application to properly lower the privileges of the running process when required. Due to the nature of the affected application, it executes with SYSTEM privileges. When a local user opens the HTML help browser from the affected application, it is executed with the same elevated privileges as the calling application. This vulnerability allows local attackers to access and execute arbitrary files with SYSTEM privileges, facilitating the compromise of the local computer. More information can be found at the following location: http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=155 II. Exploitation can occur when a user chooses the right click "Scan for viruses" option.
The Symantec scan file interface allows the user to launch a help window through the use of a toolbar icon. If the user then right clicks the help window title bar they can choose the "Jump to URL" menu option, which will then allow them to browse the local file system and execute files as the SYSTEM user. This vulnerability is a re-appearance of an old bug formerly found in the Symantec 7.x series virus scan product. http://cert.uni-stuttgart.de/archive/bugtraq/2002/10/msg00357.html http://cert.uni-stuttgart.de/archive/bugtraq/2002/10/msg00379.html III. IV. This is a re-appearance of an old bug that was reportedly fixed in versions 7.5.1 Build 62 and later, and version 7.6.1 Build 35a. V. WORKAROUND iDEFENSE is currently unaware of any workaround for this issue. VI. VENDOR RESPONSE "Symantec engineers have verified this issue and corrected it in Maintenance Release (MR) 3 and all subsequent MRs and upgrades for Symantec AntiVirus Corporate Edition and Symantec Client Security." A vendor advisory for this issue is available at the following URL: http://www.symantec.com/avcenter/security/Content/2005.08.24.html VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-2017 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 06/15/2005 Initial vendor notification 06/15/2005 Initial vendor response 08/29/2005 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. X. LEGAL NOTICES Copyright (c) 2005 iDEFENSE, Inc.
VAR-200508-0121 CVE-2005-2594 Apple Safari Web Browser Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Apple Safari 1.3 (132) on Mac OS X 1.3.9 allows remote attackers to cause a denial of service (crash) via certain Javascript, possibly involving a function that defines a handler for itself within the function body. Apple Safari Web Browser is prone to a vulnerability that may result in a browser crash. This issue is exposed when the browser performs certain JavaScript operations. The exact cause of this issue is currently unknown. This BID will be updated as further information is disclosed. This vulnerability allows remote attackers to crash affected Web browsers by causing an invalid memory access exception. Safari version 1.3 is reported susceptible to this issue. Other versions may also be affected. Safari is the default web browser on Mac OS X
VAR-200508-0211 CVE-2005-2487 McDATA E/OS Remote Denial Of Service Vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Unknown vulnerability in Sun McData switches and directors 4300, 4500, 6064, and 6140 before E/OS 6.0.0 may allow attackers to cause a denial of service (connectivity and array access loss) via a network broadcast storm. McDATA Sphereon 4300, and 4500 Fabric Switches, Intrepid 6064, and 6140 Director Switches are susceptible to a remote denial of service vulnerability when running E/OS versions prior to 6.0.0. This issue is due to the affected devices failing to properly handle network broadcast storms. Hosts utilizing the SAN for storage may lose complete access to the attached storage. This vulnerability allows attackers to simultaneously deny storage service to potentially numerous servers connected to a SAN. Versions of E/OS prior to 6.0.0 are affected by this vulnerability. There are unknown vulnerabilities in Sun McData switches and directors 4300, 4500, 6064 and 6140 in versions before E/OS 6.0.0. TITLE: McDATA Switches / Directors Network Broadcast Storm Denial of Service SECUNIA ADVISORY ID: SA16295 VERIFY ADVISORY: http://secunia.com/advisories/16295/ CRITICAL: Less critical IMPACT: DoS WHERE: From local network OPERATING SYSTEM: McDATA Sphereon 4300 Fabric Switch http://secunia.com/product/5484/ McDATA Intrepid 6140 Director http://secunia.com/product/5485/ McDATA Intrepid 6064 Director http://secunia.com/product/5486/ McDATA Sphereon 4500 Fabric Switch http://secunia.com/product/5483/ DESCRIPTION: A vulnerability has been reported in McDATA Switches and Directors, which can be exploited by malicious people to cause a DoS (Denial of Service). This can lead to multiple path failures and loss of host access to the array.
PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: Sun Microsystems: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101833-1
VAR-200508-0264 CVE-2005-2434 Linksys WRT54G Wireless Router Default SSL Certificate and Private Key Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Linksys WRT54G router uses the same private key and certificate for every router, which allows remote attackers to sniff the SSL connection and obtain sensitive information. This constant certificate/key pair is always used to access the device. This can allow an attacker to obtain the certificate/key pair and carry out various attacks. A complete compromise of the device is possible. Linksys WRT54G is a wireless router device that combines several functions. TITLE: Linksys WRT54G Router Common SSL Private Key Disclosure SECUNIA ADVISORY ID: SA16271 VERIFY ADVISORY: http://secunia.com/advisories/16271/ CRITICAL: Less critical IMPACT: Exposure of sensitive information WHERE: From local network OPERATING SYSTEM: Linksys WRT54G Wireless-G Broadband Router http://secunia.com/product/3523/ DESCRIPTION: Nick Simicich has reported a security issue in WRT54G, which potentially can be exploited by malicious people to gain knowledge of certain sensitive information. A user with knowledge of the private key can potentially decrypt router management traffic captured from the network. PROVIDED AND/OR DISCOVERED BY: Nick Simicich
VAR-200508-0320 CVE-2005-2451 Cisco IOS vulnerable to DoS or arbitrary code execution via specially crafted IPv6 packet

Related entries in the VARIoT exploits database: VAR-E-200507-0340
CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Cisco IOS 12.0 through 12.4 and IOS XR before 3.2, with IPv6 enabled, allows remote attackers on a local network segment to cause a denial of service (device reload) and possibly execute arbitrary code via a crafted IPv6 packet. A successful attack may allow the attacker to execute arbitrary code and gain unauthorized access to the device. The attacker can also leverage this issue to cause an affected device to reload, denying service to legitimate users. Cisco has stated that exploits of this vulnerability in Cisco IOS XR may cause the IPv6 neighbor discovery process to restart. If exploited repeatedly, this could result in a prolonged denial of service affecting IPv6 traffic traveling through the device. National Cyber Alert System Technical Cyber Security Alert TA05-210A Cisco IOS IPv6 Vulnerability Original release date: July 29, 2005 Last revised: -- Source: US-CERT Systems Affected * Cisco IOS devices with IPv6 enabled For specific information, please see the Cisco Advisory. I. US-CERT has not confirmed further technical details. According to the Cisco Advisory, this vulnerability could be exploited by an attacker on the same IP subnet: Crafted packets from the local segment received on logical interfaces (that is, tunnels including 6to4 tunnels) as well as physical interfaces can trigger this vulnerability. Crafted packets can not traverse a 6to4 tunnel and attack a box across the tunnel. The crafted packet must be sent from a local network segment to trigger the attack. This vulnerability can not be exploited one or more hops from the IOS device. US-CERT strongly recommends that sites running Cisco IOS devices review the Cisco Advisory and upgrade as appropriate. We are tracking this vulnerability as VU#930892. II. The attacker may be able to take control of a vulnerable device. III. Solutions Upgrade Upgrade to a fixed version of IOS.
Please see the Software Versions and Fixes section of the Cisco Advisory for details. On a router which supports IPv6, this must be done by issuing the command "no ipv6 enable" and "no ipv6 address" on each interface. Appendix A. Vendor Information Cisco Systems, Inc. Cisco Systems, Inc. has released a security advisory regarding a vulnerability which was disclosed on July 27, 2005 at the Black Hat security conference. Security advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml For up-to-date information on security vulnerabilities in Cisco Systems, Inc. products, visit http://www.cisco.com/go/psirt. Appendix B. References * US-CERT Vulnerability Note VU#930892 - <http://www.kb.cert.org/vuls/id/930892> * Cisco Security Advisory: IPv6 Crafted Packet Vulnerability - <http://www.cisco.com/en/US/products/products_security_advisory09186a00804d82c9.shtml> Information regarding this vulnerability was primarily provided by Cisco Systems, who in turn acknowledge the disclosure of this vulnerability at the Black Hat USA 2005 Briefings. Feedback can be directed to US-CERT Technical Staff. Send mail to <cert@cert.org> with "TA05-210A feedback VU#930892" in the subject. The most recent version of this document is available at: <http://www.us-cert.gov/cas/techalerts/TA05-210A.html> Produced 2005 by US-CERT, a government organization.
Revision History July 29, 2005: Initial release TITLE: Cisco IOS IPv6 Packet Handling Vulnerability SECUNIA ADVISORY ID: SA16272 VERIFY ADVISORY: http://secunia.com/advisories/16272/ CRITICAL: Moderately critical IMPACT: DoS, System access WHERE: From local network OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/product/50/ Cisco IOS 12.x http://secunia.com/product/182/ DESCRIPTION: A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable network device. SOLUTION: The vendor has issued updated versions (see patch matrix in vendor advisory).
VAR-200507-0278 CVE-2005-2374 Belkin 54g wireless routers Administrator password vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Belkin 54g wireless routers do not properly set an administrative password, which allows remote attackers to gain access via the (1) Telnet or (2) web administration interfaces. Belkin 54G Wireless Router is prone to a remote security vulnerability. The Belkin 54g wireless router is a broadband wireless router produced by Belkin Corporation of the United States
VAR-200508-0254 CVE-2005-2424 Siemens Santis 50 Wireless Router Web Interface Denial of Service Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The management interface for Siemens SANTIS 50 running firmware 4.2.8.0, and possibly other products including Ericsson HN294dp and Dynalink RTA300W, allows remote attackers to access the Telnet port without authentication via certain packets to the web interface that cause the interface to freeze. The Siemens Santis 50 wireless router is a wi-fi (802.11b) ADSL router for home and small business networks. Siemens Santis 50 provides a web management interface and a classic telnet CLI for management purposes. These services are only available through the local network by default, but can also be activated through the WAN interface. Siemens Santis 50 Wireless router Web interface is affected by a remote denial of service vulnerability. The attacker can also erase the FLASH contents. Information obtained may be used in further attacks against the vulnerable device or the network it operates on. This issue may also affect the Ericsson HN294dp and Dynalink RTA300W routers. Both devices are believed to use the same hardware as the Siemens Santis 50 Wireless router; this has not been confirmed by Symantec. TITLE: Siemens Santis 50 Authentication Bypass Vulnerability SECUNIA ADVISORY ID: SA16215 VERIFY ADVISORY: http://secunia.com/advisories/16215/ CRITICAL: Moderately critical IMPACT: Security Bypass WHERE: From local network OPERATING SYSTEM: Siemens Santis 50 http://secunia.com/product/5440/ DESCRIPTION: Luca Carettoni has reported a vulnerability in Siemens Santis 50, which can be exploited by malicious people to bypass certain security restrictions.
This can reportedly be exploited to view configuration information and potentially erase the device's flash memory. The vulnerability has been reported in firmware version 4.2.8.0. Other versions may also be affected. SOLUTION: Restrict access to the device. PROVIDED AND/OR DISCOVERED BY: Luca Carettoni, Secure Network.