VARIoT IoT vulnerabilities database
VAR-200503-0052 | CVE-2005-0715 | Mac OS X Buffer overflow vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
AFP Server in Mac OS X before 10.3.8 uses insecure permissions for "Drop Boxes," which allows local users to read the contents of a Drop Box. Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory. It is reported that because of these insecure permissions local attackers may exploit race conditions. The CVE Mitre candidate ID CAN-2005-0712 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
Core Foundation is reported prone to a local buffer overflow vulnerability. It is reported that this issue may be exploited in any application that is linked against the Core Foundation Library. An attacker may exploit this vulnerability to execute arbitrary code with elevated privileges. The CVE Mitre candidate ID CAN-2005-0716 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
The Bluetooth Setup Assistant application is reported prone to an unspecified security vulnerability. The CVE Mitre candidate ID CAN-2005-0713 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
The AFP server is reported prone to an information disclosure vulnerability. An attacker may exploit this issue to disclose the contents of Drop Boxes. The CVE Mitre candidate ID CAN-2005-0715 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
This BID will be updated and split into unique BIDs as soon as further information is available. The issue arises because file permissions are not properly validated. A buffer overflow vulnerability exists in the Core Foundation libraries bundled with Mac OS X by default, which could allow an attacker to gain root user privileges. The vulnerability is caused by improper handling of the CF_CHARSET_PATH environment variable. If a string larger than 1024 characters is passed through this variable, it may cause a stack overflow, allowing the attacker to control the program flow by overwriting the return address of the function on the stack. Some vulnerable setuid root binaries include su, pppd, and login
VAR-200503-0051 | CVE-2005-0713 | Mac OS X CF_CHARSET_PATH Environment Variable Handling Buffer Overflow Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
The Bluetooth Setup Assistant for Mac OS X before 10.3.8 can be launched without a keyboard or Bluetooth device, which allows local users to bypass access restrictions and gain privileges. Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory.
Insecure permissions are reported to be set on certain Apple Mac OS X folders . It is reported that because of these insecure permissions local attackers may exploit race conditions. The CVE Mitre candidate ID CAN-2005-0712 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
Core Foundation is reported prone to a local buffer overflow vulnerability. It is reported that this issue may be exploited in any application that is linked against the Core Foundation Library. An attacker may exploit this vulnerability to execute arbitrary code with elevated privileges. The CVE Mitre candidate ID CAN-2005-0716 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
The Bluetooth Setup Assistant application is reported prone to an unspecified security vulnerability. The CVE Mitre candidate ID CAN-2005-0713 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
The AFP server is reported prone to an information disclosure vulnerability. An attacker may exploit this issue to disclose the contents of Drop Boxes. The CVE Mitre candidate ID CAN-2005-0715 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
This BID will be updated and split into unique BIDs as soon as further information is available. Exploitation could allow an attacker to bypass local security settings. The vulnerability is caused by improper handling of the CF_CHARSET_PATH environment variable. If a string larger than 1024 characters is passed through this variable, it may cause a stack overflow, allowing the attacker to control the program flow by overwriting the return address of the function on the stack. Some vulnerable setuid root binaries include su, pppd, and login
VAR-200503-0022 | CVE-2005-0716 | Mac OS X CF_CHARSET_PATH Environment Variable Handling Buffer Overflow Vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the Core Foundation Library in Mac OS X 10.3.5 and 10.3.6, and possibly earlier versions, allows local users to execute arbitrary code via a long CF_CHARSET_PATH environment variable. Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory.
Insecure permissions are reported to be set on certain Apple Mac OS X folders . It is reported that because of these insecure permissions local attackers may exploit race conditions. The CVE Mitre candidate ID CAN-2005-0712 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
Core Foundation is reported prone to a local buffer overflow vulnerability. It is reported that this issue may be exploited in any application that is linked against the Core Foundation Library. An attacker may exploit this vulnerability to execute arbitrary code with elevated privileges. The CVE Mitre candidate ID CAN-2005-0716 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
The Bluetooth Setup Assistant application is reported prone to an unspecified security vulnerability. The CVE Mitre candidate ID CAN-2005-0713 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
The AFP server is reported prone to an information disclosure vulnerability. An attacker may exploit this issue to disclose the contents of Drop Boxes. The CVE Mitre candidate ID CAN-2005-0715 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
This BID will be updated and split into unique BIDs as soon as further information is available.
More information is available at the following link:
http://www.apple.com/macosx/
II.
The vulnerability specifically exists due to improper handling of the
CF_CHARSET_PATH environment variable. When a string greater than 1,024
characters is passed via this variable, a stack-based overflow occurs,
allowing the attacker to control program flow by overwriting the
function's return address on the stack. Some of the setuid root
binaries that are vulnerable include su, pppd and login.
III. ANALYSIS
Successful exploitation of this vulnerability allows for root access. This vulnerability is difficult to workaround due to the
fact that a large number of system binaries are linked against the
vulnerable code.
IV.
V. WORKAROUND
Restrict local access to trusted users only, as it is impossible to
remove the setuid bit from the affected binaries without severely
limiting the function of the system.
VI. VENDOR RESPONSE
This vulnerability is addressed in Apple Security Update 2005-003
available at:
http://docs.info.apple.com/article.html?artnum=301061
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0716 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
02/04/2005 Initial vendor notification
02/04/2005 Initial vendor response
03/21/2005 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
Free tools, research and upcoming events
http://labs.idefense.com
X. LEGAL NOTICES
Copyright (c) 2005 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information
VAR-200505-0406 | CVE-2005-0833 | Belkin 54G Access control vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Belkin 54G (F5D7130) wireless router allows remote attackers to access restricted resources by sniffing URIs from UPNP datagrams, then accessing those URIs, which do not require authentication. The Belkin 54G (F5D7130) appliance is reported prone to multiple remote vulnerabilities. The following individual issues are reported:
It is reported that the Belkin 54G appliance transmits UPNP datagrams to the connected private network at regular intervals. Reports indicate that these datagrams contain a URI, this URI may be accessed by local network users without requiring authentication.
A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to disclose sensitive information.
It is reported that SNMP support is enabled on the affected appliance under a default configuration.
A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to disclose sensitive information.
Finally, it is reported that the SNMP service may be exploited to deny service for legitimate users.
A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to deny service for legitimate users
VAR-200505-0407 | CVE-2005-0834 | Belkin 54G Wireless Router Multiple Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Belkin 54G (F5D7130) wireless router enables SNMP by default in a manner that allows remote attackers to obtain sensitive information. The Belkin 54G (F5D7130) appliance is reported prone to multiple remote vulnerabilities. The following individual issues are reported:
It is reported that the Belkin 54G appliance transmits UPNP datagrams to the connected private network at regular intervals. Reports indicate that these datagrams contain a URI, this URI may be accessed by local network users without requiring authentication.
A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to disclose sensitive information.
It is reported that SNMP support is enabled on the affected appliance under a default configuration.
A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to disclose sensitive information.
Finally, it is reported that the SNMP service may be exploited to deny service for legitimate users.
A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to deny service for legitimate users
VAR-200505-0408 | CVE-2005-0835 | Belkin 54G Wireless Router Multiple Denial of Service Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The SNMP service in the Belkin 54G (F5D7130) wireless router allows remote attackers to cause a denial of service via unknown vectors. The Belkin 54G (F5D7130) appliance is reported prone to multiple remote vulnerabilities. The following individual issues are reported:
It is reported that the Belkin 54G appliance transmits UPNP datagrams to the connected private network at regular intervals. Reports indicate that these datagrams contain a URI, this URI may be accessed by local network users without requiring authentication.
A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to disclose sensitive information.
It is reported that SNMP support is enabled on the affected appliance under a default configuration.
A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to disclose sensitive information.
Finally, it is reported that the SNMP service may be exploited to deny service for legitimate users.
A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to deny service for legitimate users
VAR-200505-0164 | CVE-2005-0515 | Webroot My Firewall Local unsafe file creation vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Smc.exe in My Firewall Plus 5.0 build 1117, and possibly other versions, does not drop privileges before launching the Log Viewer export functionality, which allows local users to corrupt arbitrary files by saving log files. A local insecure file creation vulnerability affects Webroot My Firewall. This issue is due to an access validation issue that allows an unprivileged user to create files with escalated privileges.
This issue may be exploited by a local attacker to corrupt arbitrary files on an affected computer with SYSTEM privileges.
----------------------------------------------------------------------
Want a new IT Security job?
Vacant positions at Secunia:
http://secunia.com/secunia_vacancies/
----------------------------------------------------------------------
TITLE:
My Firewall Plus Arbitrary File Corruption Vulnerability
SECUNIA ADVISORY ID:
SA13577
VERIFY ADVISORY:
http://secunia.com/advisories/13577/
CRITICAL:
Not critical
IMPACT:
Manipulation of data, DoS
WHERE:
Local system
SOFTWARE:
My Firewall Plus 5.x
http://secunia.com/product/4276/
DESCRIPTION:
Secunia Research has discovered a vulnerability in My Firewall Plus,
which can be exploited by malicious, local users to manipulate the
content of arbitrary files on a vulnerable system.
Successful exploitation requires that the user has access to the Log
Viewer (all users by default).
The vulnerability has been confirmed in version 5.0 (build 1117).
Other versions may also be affected.
NOTE: This vulnerability has been rated "Not critical" as only
trusted users should have access to the configuration and logging
functionality.
SOLUTION:
Update to version 5.0 (build 1119) or apply patch.
Patch:
http://www.webroot.com/services/mfp_patch.exe
Use the "Password Protection" feature to restrict access to the
configuration and logging functionality.
PROVIDED AND/OR DISCOVERED BY:
Carsten Eiram, Secunia Research.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2004-20/
Webroot:
http://www.webroot.com/services/mfp_advisory.php
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200505-0530 | CVE-2005-0817 | Symantec Gateway Security Unknown remote DNS Cache poisoning vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unknown vulnerability in the DNSd proxy, as used in Symantec Gateway Security 5400 2.x and 5300 1.x, Enterprise Firewall 7.0.x and 8.x, and VelociRaptor 1100/1200/1300 1.5, allows remote attackers to poison the DNS cache and redirect users to malicious sites. The underlying issue causing this vulnerability is currently unknown.
An attacker may leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, site impersonation, or denial of service attacks.
The vulnerability is caused due to an unspecified error in the DNS
proxy (DNSd) when functioning as a DNS caching server or primary DNS
server and can be exploited to poison the DNS cache.
SOLUTION:
The vendor has issued hotfixes.
http://www.symantec.com/techsupp
ORIGINAL ADVISORY:
Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2005.03.15.html
http://service1.symantec.com/support/ent-gate.nsf/docid/2005030417285454
OTHER REFERENCES:
SA11888:
http://secunia.com/advisories/11888/
Internet Storm Center:
http://www.isc.sans.org/diary.php?date=2005-03-04
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200505-0076 | CVE-2005-0707 | Ipswitch Collaboration Suite IMAP EXAMINE Command buffer overflow vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Buffer overflow in the IMAP daemon (IMAP4d32.exe) for Ipswitch Collaboration Suite (ICS) before 8.15 Hotfix 1 allows remote authenticated users to execute arbitrary code via a long EXAMINE command. The Ipswitch Collaboration Suite IMail IMAP service is reported prone to a buffer overflow vulnerability. The issue exists due to a lack of sufficient boundary checks performed on arguments that are passed to the EXAMINE command.
It is conjectured that a remote authenticated attacker may exploit this vulnerability to execute arbitrary code in the context of the affected service. Immediate consequences of a failed exploit attempt would be a denial of service due to the application crashing on an access violation.
IMail Server version 8.13 an earlier are reported prone to this vulnerability.
----------------------------------------------------------------------
Monitor, Filter, and Manage Security Information
- Filtering and Management of Secunia advisories
- Overview, documentation, and detailed reports
- Alerting via email and SMS
Request Trial:
https://ca.secunia.com/?f=l
----------------------------------------------------------------------
TITLE:
Ipswitch Collaboration Suite IMAP EXAMINE Buffer Overflow
SECUNIA ADVISORY ID:
SA14546
VERIFY ADVISORY:
http://secunia.com/advisories/14546/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
Ipswitch Collaboration Suite (ICS) 1.x
http://secunia.com/product/4773/
IMail Server 8.x
http://secunia.com/product/3048/
DESCRIPTION:
Nico Steinhardt has reported a vulnerability in Ipswitch
Collaboration Suite, which can be exploited by malicious users to
compromise a vulnerable system.
SOLUTION:
Apply IMail Server 8.15 Hotfix 1:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM815HF1.exe
PROVIDED AND/OR DISCOVERED BY:
Nico Steinhardt
ORIGINAL ADVISORY:
iDEFENSE:
http://www.idefense.com/application/poi/display?id=216&type=vulnerabilities
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. BACKGROUND
Ipswitch Collaboration Suite (ICS) is a comprehensive communication and
collaboration solution for Microsoft Windows with a customer base of
over 53 million users. More information is available on the vendor's
website:
http://www.ipswitch.com/products/IMail_Server/index.html
II. The
EXAMINE command selects a mailbox so that messages within the mailbox
may be accessed with read-only privileges. EXAMINE requests with
malformed mailbox names of 259 bytes will overwrite the saved stack
frame pointer, resulting in potential process execution control. It
should be noted that IMAP will append a '/' character to your supplied
mailbox name so the most significant byte of the frame pointer will be
0x2e. The output below shows successful control of the frame pointer.
(668.f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000006 ebx=008943b0 ecx=42424242
edx=00c8fad4 esi=008943b0 edi=00000013
eip=0078626d esp=00c9fd20 ebp=2e434343
iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023
fs=0038 gs=0000 efl=00000246
0078626d ?? ???
Frame pointer overwrites may allow attackers to redirect program flow
when the current function returns. It should be noted that the IMAP
EXAMINE command is only available after successful authentication.
III. The EXAMINE IMAP command is only
valid after authentication has occurred, however due to the nature of
IMAP servers serving a large user base, this requirement only slightly
reduces exposure to the vulnerability.
IV. DETECTION
iDEFENSE has confirmed that the IMAP4 daemon (IMAP4d32.exe ver.
IMail Server is now packaged as part of Ipswitch Collaboration Suite.
V. WORKAROUND
Use application level content filtering on overly long IMAP commands.
VI. VENDOR RESPONSE
This vulnerability is addressed in IMail Server 8.15 Hotfix 1 (February
3, 2005), which is available for download at:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM815HF1.exe
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0707 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
03/02/2005 Initial vendor notification
03/08/2005 Initial vendor response
03/10/2005 Public disclosure
IX. CREDIT
Nico Steinhardt is credited with this discovery.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
Free tools, research and upcoming events
http://labs.idefense.com
X. LEGAL NOTICES
Copyright (c) 2005 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information
VAR-200505-0030 | CVE-2005-0618 | Symantec Gateway Security SMTP Data breach vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
The SMTP binding function in Symantec Firewall/VPN Appliance 200/200R firmware after 1.5Z and before 1.68, Gateway Security 360/360R and 460/460R firmware before vuild 858, and Nexland Pro800turbo, when configured for load balancing between two WANs, might send SMTP traffic to a trusted network through an untrusted network. Symantec Gateway Security is reported prone to a vulnerability that may result in the leakage of potentially sensitive SMTP data.
It is reported that this issue manifests when an affected appliance is configured to load-balance two WAN network connections and SMTP binding is configured for a single WAN interface.
This may result in SMTP data leakage in deployments where one WAN interface is trusted and the other is not. SMTP traffic bound to the trusted WAN interface is load-balanced onto the untrusted WAN.
----------------------------------------------------------------------
Monitor, Filter, and Manage Security Information
- Filtering and Management of Secunia advisories
- Overview, documentation, and detailed reports
- Alerting via email and SMS
Request Trial:
https://ca.secunia.com/?f=l
----------------------------------------------------------------------
TITLE:
Symantec Firewall Devices SMTP Binding Configuration Bypass
SECUNIA ADVISORY ID:
SA14428
VERIFY ADVISORY:
http://secunia.com/advisories/14428/
CRITICAL:
Less critical
IMPACT:
Exposure of sensitive information
WHERE:
>From remote
OPERATING SYSTEM:
Symantec Firewall/VPN Appliance 100/200/200R
http://secunia.com/product/552/
Symantec Gateway Security 2.x
http://secunia.com/product/3104/
Symantec Nexland Firewall Appliances 1.x
http://secunia.com/product/4466/
DESCRIPTION:
Arthur Hagen has reported a security issue in various Symantec
firewall devices, which may disclose sensitive information to
malicious people.
The problem is caused due to an error in the SMTP binding
functionality of certain devices with ISP load-balancing
capabilities.
The security issue has been reported in the following versions:
* Symantec Firewall/VPN Appliance 200/200R (firmware builds prior to
build 1.68 and later than 1.5Z)
* Symantec Gateway Security 360/360R (firmware builds prior to build
858)
* Symantec Gateway Security 460/460R (firmware builds prior to build
858)
* Nexland Pro800turbo (firmware builds prior to build 1.6X and later
than 1.5Z)
SOLUTION:
The vendor has issued updated firmware releases.
http://www.symantec.com/techsupp
Symantec Firewall/VPN Appliance models 200 and 200R:
Update to build 1.68.
Symantec Gateway Security Appliance 300 and 400 series:
Update to build 858.
Nexland Pro800turbo:
Update to build 1.6X.
PROVIDED AND/OR DISCOVERED BY:
Arthur Hagen
ORIGINAL ADVISORY:
http://securityresponse.symantec.com/avcenter/security/Content/2005.02.28.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200505-0197 | CVE-2005-0599 | Cisco Application and Content Networking System Multiple Remote Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco devices running Application and Content Networking System (ACNS) 4.x, 5.0, or 5.1 before 5.1.11.6 allow remote attackers to cause a denial of service (CPU consumption) via malformed IP packets. This issue is due to a failure of the affected software to properly handle malformed network data.
Specifically, multiple denial of service vulnerabilities and a single default administrator password issues were reported. The default password issue may allow an unauthorized user to gain administrator access to an affected device
VAR-200505-0196 | CVE-2005-0597 | Cisco ACNS RealServer RealSubscruber vulnerable to DoS via malformed IP packets |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco devices running Application and Content Networking System (ACNS) 5.0 before 5.0.17.6 and 5.1 before 5.1.11.6 allow remote attackers to cause a denial of service (process restart) via a "crafted TCP connection.". This issue is due to a failure of the affected software to properly handle malformed network data.
Specifically, multiple denial of service vulnerabilities and a single default administrator password issues were reported. The default password issue may allow an unauthorized user to gain administrator access to an affected device
VAR-200505-0071 | CVE-2005-0601 | Cisco ACNS RealServer RealSubscruber vulnerable to DoS via malformed IP packets |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco devices running Application and Content Networking System (ACNS) 4.x, 5.0, 5.1, or 5.2 use a default password when the setup dialog has not been run, which allows remote attackers to gain access. A vulnerability in Cisco ACNS may allow a remote attacker to cause a denial of service on an affected device. This issue is due to a failure of the affected software to properly handle malformed network data.
Specifically, multiple denial of service vulnerabilities and a single default administrator password issues were reported. The default password issue may allow an unauthorized user to gain administrator access to an affected device
VAR-200502-0053 | CVE-2005-0598 | Cisco ACNS RealServer RealSubscruber vulnerable to DoS via malformed IP packets |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The RealServer RealSubscriber on Cisco devices running Application and Content Networking System (ACNS) 5.1 allow remote attackers to cause a denial of service (CPU consumption) via malformed packets. This issue is due to a failure of the affected software to properly handle malformed network data.
Specifically, multiple denial of service vulnerabilities and a single default administrator password issues were reported. The default password issue may allow an unauthorized user to gain administrator access to an affected device. ACNS is a Cisco digital media delivery solution that optimizes the delivery quality of video traffic from the data center to branch offices over the WAN
VAR-200502-0032 | CVE-2005-0600 | Cisco ACNS RealServer RealSubscruber vulnerable to DoS via malformed IP packets |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco devices running Application and Content Networking System (ACNS) 5.0, 5.1 before 5.1.13.7, or 5.2 before 5.2.3.9 allow remote attackers to cause a denial of service (bandwidth consumption) via "crafted IP packets" that are continuously forwarded. This issue is due to a failure of the affected software to properly handle malformed network data.
Specifically, multiple denial of service vulnerabilities and a single default administrator password issues were reported. The default password issue may allow an unauthorized user to gain administrator access to an affected device. ACNS is a Cisco digital media delivery solution that optimizes the delivery quality of video traffic from the data center to branch offices over the WAN
VAR-200502-0046 | CVE-2005-0521 | SendLink data.eat File sensitive information disclosure vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
SendLink 1.5 stores sensitive information, possibly including passwords, in plaintext in the data.eat file, which allows local users to gain privileges. SendLink is a small and convenient network sharing software
VAR-200505-0198 | CVE-2005-0490 |
cURL/libcURL of Kerberos Authentication and NTLM Buffer overflow vulnerability in authentication
Related entries in the VARIoT exploits database: VAR-E-200502-0248 |
CVSS V2: 5.1 CVSS V3: 8.8 Severity: HIGH |
Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication. cURL/libcURL 7.13.0 Previously, Kerberos Authentication and NTLM from the site performing the authentication. It has been reported that cURL and libcURL are vulnerable to a remotely exploitable stack-based buffer overflow vulnerability. The cURL and libcURL NTML response processing code fails to ensure that a buffer overflow cannot occur when response data is decoded.
The overflow occurs in the stack region, and remote code execution is possible if the saved instruction pointer is overwritten with a pointer to embedded instructions.
Background
==========
curl is a command line tool for transferring files via many different
protocols.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/curl < 7.13.1 >= 7.13.1
Description
===========
curl fails to properly check boundaries when handling NTLM
authentication.
Impact
======
With a malicious server an attacker could send a carefully crafted NTLM
response to a connecting client leading to the execution of arbitrary
code with the permissions of the user running curl.
Workaround
==========
Disable NTLM authentication by not using the --anyauth or --ntlm
options.
Resolution
==========
All curl users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/curl-7.13.1"
References
==========
[ 1 ] CAN-2005-0490
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0490
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200503-20.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
VAR-200502-0054 | CVE-2005-0494 | Thomason cable modem RgSecurity Form Verification Remote Attack Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The RgSecurity form in the HTTP server for the Thomson TCW690 cable modem running firmware 2.1 and software ST42.03.0a does not properly validate the password before performing changes, which allows remote attackers on the LAN to gain access via a direct POST request. Thomson Cable Modem is prone to a denial-of-service vulnerability
VAR-200502-0057 | CVE-2005-0499 | Gigafast router abnormal DNS Query denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Gigafast router (aka CompUSA router) with the DNS proxy option enabled allows remote attackers to cause a denial of service via malformed DNS queries. Gigafast Router is prone to a denial-of-service vulnerability. Gigafast is a router produced by GigaFast E company
VAR-200502-0081 | CVE-2005-0434 | PHP-Nuke Multi-file parameter cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Php-Nuke 7.5 allow remote attackers to inject arbitrary HTML or web script via (1) the newdownloadshowdays parameter in a NewDownloads operation or (2) the newlinkshowdays parameter in a NewLinks operation. It is reported that PHP-Nuke is affected by various cross-site scripting vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied URI input.
These issues could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials. PHP-Nuke is a widely popular website creation and management tool