VARIoT IoT vulnerabilities database
VAR-200502-0080 | CVE-2005-0433 | PHP-Nuke Multiple file parameters Path information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Php-Nuke 7.5 allows remote attackers to determine the full path of the web server via invalid or missing arguments to (1) db.php, (2) mainfile.php, (3) Downloads/index.php, or (4) Web_Links/index.php, which lists the path in a PHP error message. It is reported that PHP-Nuke is affected by various cross-site scripting vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied URI input.
These issues could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials. PHP-Nuke is a widely popular website creation and management tool
VAR-200502-0086 | CVE-2005-0114 | ZoneAlarm 5.1 Illegal pointer discards local denial of service vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
vsdatant.sys in Zone Lab ZoneAlarm before 5.5.062.011, ZoneAlarm Wireless before 5.5.080.000, Check Point Integrity Client 4.x before 4.5.122.000 and 5.x before 5.1.556.166 do not properly verify that the ServerPortName argument to the NtConnectPort function is a valid memory address, which allows local users to cause a denial of service (system crash) when ZoneAlarm attempts to dereference an invalid pointer. Multiple ZoneAlarm products and Check Point Integrity Client are reported prone to a local denial of service vulnerability. This issue exists due to an invalid pointer dereference.
A successful attack can result in a denial of service condition in the kernel.
ZoneAlarm Security Suite, ZoneAlarm Pro, and ZoneAlarm versions prior to 5.5.062.011 and Check Point Integrity Client versions prior to 4.5.122.000 and 5.1.556.166 are considered vulnerable to this issue. ZoneAlarm is a popular desktop firewall system. BACKGROUND
Zone Labs ZoneAlarm provides personal firewall protection. More
information is available from:
http://www.zonelabs.com/
II.
ZoneAlarm offers process specific protection by hooking the kernel API
routine NtConnectPort(). NtConnectPort() is used by programs to
implement advanced inter-process communication (IPC). The
NtConnectPort() function is declared as follows:
NtConnectPort(
OUT PHANDLE ClientPortHandle,
IN PUNICODE_STRING ServerPortName,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory OPTIONAL,
OUT PLPC_SECTION_MEMORY ServerSharedMemory OPTIONAL,
OUT PULONG MaximumMessageLength OPTIONAL,
IN OUT PVOID ConnectionInfo OPTIONAL,
IN OUT PULONG ConnectionInfoLength OPTIONAL);
The problem specifically exists within vsdatant.sys as ZoneAlarm fails
to verify the second argument. 'ServerPortName' is a valid address
prior to derefencing it as a pointer. The vulnerable section of code is
displayed here:
0001EE93 mov esi, [esp+108h+ServerPortName]
0001EE9A mov edi, eax
0001EE9C test esi, esi
0001EE9E jz short loc_1EEB6
0001EEA0 mov edx, [esi+4]
The argument 'ServerPortName' is stored in the register ESI. A check is
made to ensure that the value is not NULL. Any non-zero invalid memory address
can be passed as the second argument to NtConnectPort(), resulting in a
system crash.
III. ANALYSIS
Exploitation allows local and remote attackers who have exploited
another vulnerability to trigger a DoS in kernel space, resulting in a
"blue screen of death."
IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability in ZoneAlarm
version 5.1. It is suspected that previous versions of ZoneAlarm are
vulnerable as well.
V. WORKAROUND
iDEFENSE is currently unaware of any workarounds for this issue.
VI. VENDOR RESPONSE
A vendor advisory for this issue is available at:
http://download.zonelabs.com/bin/free/securityAlert/19.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2005-0114 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
01/06/2005 Initial vendor notification
01/07/2005 Initial vendor response
02/11/2005 Coordinated public disclosure
IX. CREDIT
iDEFENSE Labs is credited with this discovery.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
X. LEGAL NOTICES
Copyright (c) 2005 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information
VAR-200502-0085 | CVE-2005-0249 | Symantec products vulnerable to buffer overflow via a specially crafted UPX file |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in the DEC2EXE module for Symantec AntiVirus Library allows remote attackers to execute arbitrary code via a UPX compressed file containing a negative virtual offset to a crafted PE header. The Symantec AntiVirus Library DEC2EXE component is vulnerable to remote arbitrary code execution. Various Symantec products are reported prone to a remote heap overflow vulnerability. This issue affects the UPX Parsing Engine shipped with the products. The Symantec Antivirus library is used to parse different file formats to detect malicious programs, and one of the modules, DEC2EXE, is used to detect UPX file formats. The module of the Symantec Antivirus library used to detect UPX files lacks correct handling of virtual file offsets. Remote attackers can exploit this vulnerability to construct malicious UPX files, trick users into processing them, and possibly execute arbitrary commands on the system with user process privileges.
TITLE:
Symantec Multiple Products UPX Parsing Engine Buffer Overflow
SECUNIA ADVISORY ID:
SA14179
VERIFY ADVISORY:
http://secunia.com/advisories/14179/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
>From remote
OPERATING SYSTEM:
Symantec Gateway Security 1.x
http://secunia.com/product/876/
Symantec Gateway Security 2.x
http://secunia.com/product/3104/
SOFTWARE:
Norton Internet Security 2004
http://secunia.com/product/2441/
Norton Internet Security 2004 Professional
http://secunia.com/product/2442/
Norton SystemWorks 2004
http://secunia.com/product/2796/
Symantec AntiVirus Corporate Edition 8.x
http://secunia.com/product/659/
Symantec AntiVirus Corporate Edition 9.x
http://secunia.com/product/3549/
Symantec AntiVirus for Caching 4.x
http://secunia.com/product/4626/
Symantec AntiVirus for Network Attached Storage 4.x
http://secunia.com/product/4625/
Symantec AntiVirus for SMTP Gateways 3.x
http://secunia.com/product/2231/
Symantec AntiVirus Scan Engine 4.x
http://secunia.com/product/3040/
Symantec AntiVirus/Filtering for Domino
http://secunia.com/product/2029/
Symantec Brightmail AntiSpam 4.x
http://secunia.com/product/4627/
Symantec Brightmail AntiSpam 5.x
http://secunia.com/product/4628/
Symantec Client Security 1.x
http://secunia.com/product/2344/
Symantec Client Security 2.x
http://secunia.com/product/3478/
Symantec Mail Security for Exchange 4.x
http://secunia.com/product/2820/
Symantec Mail Security for SMTP 4.x
http://secunia.com/product/3558/
Symantec Norton AntiVirus 2004
http://secunia.com/product/2800/
Symantec Norton AntiVirus for Microsoft Exchange 2.x
http://secunia.com/product/1017/
Symantec Web Security 3.x
http://secunia.com/product/2813/
DESCRIPTION:
ISS X-Force has reported a vulnerability in multiple Symantec
products, which can be exploited by malicious people to compromise a
vulnerable system.
The vulnerability is caused due to a boundary error in the DEC2EXE
parsing engine used by the antivirus scanning functionality when
processing UPX compressed files. This can be exploited to cause a
heap-based buffer overflow via a specially crafted UPX file.
The vulnerability affects the following products:
* Norton AntiVirus for Microsoft Exchange 2.1 (prior to build
2.18.85)
* Symantec Mail Security for Microsoft Exchange 4.0 (prior to build
4.0.10.465)
* Symantec Mail Security for Microsoft Exchange 4.5 (prior to build
4.5.3)
* Symantec AntiVirus/Filtering for Domino NT 3.1 (prior to build
3.1.1)
* Symantec Mail Security for Domino 4.0 (prior to build 4.0.1)
* Symantec AntiVirus/Filtering for Domino Ports 3.0 for AIX (prior to
build 3.0.6)
* Symantec AntiVirus/Filtering for Domino Ports 3.0 for OS400, Linux,
Solaris (prior to build 3.0.7)
* Symantec AntiVirus Scan Engine 4.3 (prior to build 4.3.3)
* Symantec AntiVirus for Network Attached Storage (prior to build
4.3.3)
* Symantec AntiVirus for Caching (prior to build 4.3.3)
* Symantec AntiVirus for SMTP 3.1 (prior to build 3.1.7)
* Symantec Mail Security for SMTP 4.0 (prior to build 4.0.2)
* Symantec Web Security 3.0 (prior to build 3.0.1.70)
* Symantec BrightMail AntiSpam 4.0
* Symantec BrightMail AntiSpam 5.5
* Symantec AntiVirus Corporate Edition 9.0 (prior to build
9.01.1000)
* Symantec AntiVirus Corporate Edition 8.01, 8.1.1
* Symantec Client Security 2.0 (prior to build 9.01.1000)
* Symantec Client Security 1.0
* Symantec Gateway Security 2.0, 2.0.1 - 5400 Series
* Symantec Gateway Security 1.0 - 5300 Series
* Symantec Norton Antivirus 2004 for Windows
* Symantec Norton Internet Security 2004 (pro) for Windows
* Symantec Norton System Works 2004 for Windows
* Symantec Norton Antivirus 2004 for Macintosh
* Symantec Norton Internet Security 2004 for Macintosh
* Symantec Norton System Works 2004 for Macintosh
* Symantec Norton Antivirus 9.0 for Macintosh
* Symantec Norton Internet Security for Macintosh 3.0
* Symantec Norton System Works for Macintosh 3.0
SOLUTION:
Updates are available (see the vendor advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Alex Wheeler, ISS X-Force.
ORIGINAL ADVISORY:
Symantec:
http://www.sarc.com/avcenter/security/Content/2005.02.08.html
ISS X-Force:
http://xforce.iss.net/xforce/alerts/id/187
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200505-0615 | CVE-2005-0340 | Apple Mac OS X AppleFileServer Remote Integer Overflow Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Integer signedness error in Apple File Service (AFP Server) allows remote attackers to cause a denial of service (application crash) via a negative UAM string length in a FPLoginExt packet. A remote integer overflow vulnerability reportedly affects Apple Mac OS X AppleFileServer. This issue is due to a failure of the application to properly handle integer signedness while copying data into finite process buffers.
An attacker may leverage this issue to cause the affected server process to consume memory resources until triggering an EXC_BAD_ACCESS signal, ultimately causing a denial of service condition
VAR-200502-0160 | No CVE | F5 BIG-IP HTTP Pipelining OneConnect Information Leakage Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The F5 BIG-IP appliance is reported prone to an information leakage vulnerability. It is reported that the vulnerability is triggered when a browser that is using HTTP pipelining is employed to request a web page from a web server that is being load-balanced by a BIG-IP appliance.
It is not believed that a remote attacker will be able to control the behavior of the affected appliance during a pipelined request, as a result it is conjectured that this vulnerability may be exploited to trigger a partial denial of service. Additionally, a successful attack may result in a disclosure of potentially sensitive information to unauthorized users.
This vulnerability is reported to affect BIG-IP versions 4.0 through 4.6.2 and BIG-IP Blade Controller versions 4.2.1 through 4.6.2, that have 'OneConnect/Web Aggregation' functionality enabled.
VAR-200505-1101 | CVE-2005-0234 | Konqueror Vulnerable to international domain name spoofing vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The International Domain Name (IDN) support in Safari 1.2.5 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. Multiple browsers are reported prone to vulnerabilities that surround the handling of International Domain Names.
The vulnerabilities are caused by inconsistencies in how International Domain Names are processed. Reports indicate that attackers can leverage this to spoof address bars, status bars, and SSL certificate values.
Remote attackers may exploit these vulnerabilities in phishing-style attacks. Through a false sense of trust, users may voluntarily disclose sensitive information to a malicious website.
Although these vulnerabilities are reported to affect browsers, mail clients that depend on the browser to generate HTML code may also be affected. KDE is a free and open source X desktop management program for Linux and Unix workstations. Since version 3.2, KDE and its web browser Konqueror have supported International Domain Names (IDNs), which makes KDE vulnerable to a phishing technique called Homograph
VAR-200505-0617 | CVE-2005-0342 | Apple Mac OS X Finder DS_Store Unsafe file creation vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file. An insecure file creation vulnerability affects Apple Mac OS X Finder. This issue is due to a failure of the application to validate the existence of files prior to creating or writing to them.
An attacker may leverage this issue to cause a system-wide denial of service or to gain escalated privileges on an affected computer, potentially leading to unauthorized superuser access.
TITLE:
SunShop Shopping Cart "search" Cross-Site Scripting
SECUNIA ADVISORY ID:
SA14118
VERIFY ADVISORY:
http://secunia.com/advisories/14118/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
>From remote
SOFTWARE:
SunShop Shopping Cart 3.x
http://secunia.com/product/4602/
DESCRIPTION:
SmOk3 has reported a vulnerability in SunShop Shopping Cart, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Input passed to the "search" parameter in "index.php" isn't properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of a vulnerable site.
The vulnerability has been reported in version 3.4 RC 4. Other
versions may also be affected.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
SmOk3
ORIGINAL ADVISORY:
http://www.systemsecure.org/wwwboard/messages/227.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200505-0609 | CVE-2005-0334 | Cisco Systems (Linksys) of psus4 printserver Vulnerability in |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Linksys PSUS4 running firmware 6032 allows remote attackers to cause a denial of service (device crash) via an HTTP POST request containing an unknown parameter without a value. Cisco Systems (Linksys) of psus4 printserver Exists in unspecified vulnerabilities.None. Linksys PSUS4 is an embedded linksys wireless print server.
Linksys PSUS4 has problems processing wireless HTTP requests. Remote attackers can use this vulnerability to conduct denial of service attacks.
An attacker may exploit this condition to deny service to the affected PrintServer
VAR-200505-0026 | CVE-2005-0612 | Cisco IP/VC Default SNMP Public string vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco IP/VC Videoconferencing System 3510, 3520, 3525 and 3530 contain hard-coded default SNMP community strings, which allows remote attackers to gain access, cause a denial of service, and modify configuration. A default community string vulnerability affects Cisco IP/VC Videoconferencing System devices. This issue is due to a design flaw where hard-coded community strings are stored on the device.
This issue may be leveraged to gain unauthorized administrator access to affected devices. This would allow an attacker to create new services, terminate or affect existing sessions, and redirect traffic to a different destination, among other attacks
VAR-200505-0595 | CVE-2005-0311 | Ingate Firewall Persistent PPTP Tunnel Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Ingate Firewall 4.1.3 and earlier does not terminate the PPTP session for an active user when the administrator disables that user from a resource, which could allow remote authenticated users to retain unauthorized access to resources. Ingate Firewall does not remove PPTP tunnels created by a user that has been disabled by the firewall administrator. Even if the user has been disabled, any PPTP tunnels they have created will persist
VAR-200505-1154 | CVE-2005-0195 |
Cisco IOS vulnerable to DoS via malformed BGP packet
Related entries in the VARIoT exploits database: VAR-E-200501-0112 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS 12.0S through 12.3YH allows remote attackers to cause a denial of service (device restart) via a crafted IPv6 packet. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow attackers to conduct denial-of-service attacks on an affected device. Cisco IOS In IPv6 Physical and logical interfaces due to improper handling of packets (6to4 Tunnel ) At IPv6 If you have enabled multiple invalid IPv6 A vulnerability exists in which a device is restarted by interpreting a packet.System disrupted service operation (DoS) May be in a state. This issue is due to a failure of the affected operating system to properly handle specially crafted network data.
It is possible for an attacker to produce a sustained denial of service condition against an affected device by continually sending the malicious network data.
An attacker may leverage this issue to cause an affected device to reload, denying service to legitimate users. Cisco IOS is the operating system that runs on many Cisco devices.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA05-026A
Multiple Denial-of-Service Vulnerabilities in Cisco IOS
Original release date: January 26, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Cisco routers and switches running IOS in various configurations
Overview
Several denial-of-service vulnerabilities have been discovered in
Cisco's Internet Operating System (IOS).
I.
Further details are available in the following vulnerability notes:
VU#583638 - Cisco IOS contains DoS vulnerability in MPLS packet
processing
The IOS implementation of Multi Protocol Label Switching (MPLS)
contains a vulnerability that allows malformed MPLS packets to cause
an affected device to reload. An unauthenticated attacker can send
these malformed packets on a local network segment that is connected
to a vulnerable device interface. The vulnerability is exposed on both
physical interfaces (i.e., hardware interfaces), and logical
interfaces (i.e., software defined interfaces such as tunnels) that
are configured for IPv6.
VU#689326 - Cisco IOS vulnerable to DoS via malformed BGP packet
An IOS device that is enabled for Border Gateway Protocol (BGP) and
set up with the bgp log-neighbor-changes option is vulnerable to a
denial-of-service attack via a malformed BGP packet.
II. Repeated exploitation of
these vulnerabilites would result in a sustained denial-of-service
condition.
Since devices running IOS may transit traffic for a number of other
networks, the secondary impacts of a denial of service may be severe.
III. Solution
Upgrade to a fixed version of IOS
Cisco has updated versions of its IOS software to address these
vulnerabilities. Please refer to the "Software Versions and Fixes"
sections of the Cisco Security Advisories listed in Appendix A for
more information on upgrading.
Workaround
Cisco has also published practical workarounds for VU#689326 and
VU#583638. Please refer to the "Workarounds" section of each Cisco
Security Advisory listed in Appendix A for more information.
Sites that are unable to install an upgraded version of IOS are
encouraged to implement these workarounds.
Appendix A. References
* Cisco Security Advisory: Crafted Packet Causes Reload on Cisco
Routers -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml>
* Cisco Security Advisory: Multiple Crafted IPv6 Packets Cause
Reload -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml>
* Cisco Security Advisory: Cisco IOS Malformed BGP Packet Causes
Reload -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml>
* US-CERT Vulnerability Note VU#583638 -
<http://www.kb.cert.org/vuls/id/583638>
* US-CERT Vulnerability Note VU#472582 -
<http://www.kb.cert.org/vuls/id/472582>
* US-CERT Vulnerability Note VU#689326 -
<http://www.kb.cert.org/vuls/id/689326>
_________________________________________________________________
Feedback can be directed to the authors: Will Dormann, Chad Dougherty,
and Damon Morda
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA05-026A.html>
_________________________________________________________________
Copyright 2005 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
January 26, 2005: Initial release
Last updated January 26, 2005
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQfgfthhoSezw4YfQAQJQKAf8DxKPd+9aXGsomYzRhFPyCcnjEfy6dv/N
3GcqV8GR5WyshB207vhvw1PDfZdQVFIXiNr/xE9dmBKEhm38En3a70DnVe2UCmXO
UobYXGk9tSW+pnR7Cdd3hc8yeZq0ys+LFKF/sztgpPJji/zFWojPnuS1wCcYggA1
kuGCQ9VD6My64Hlh/PStCYqx5C9azgGHNv086W6fQyCssgjwBz51YxdV9gZ9wJUt
I8LGjq6T0Fp+5kEEd9SPoUjA+r7bNft3xUPAabb+N4dt8sZUYqzXDP71lYYXgZay
z2FE7jkbtX/LYVQCiA4LfgGCbw1sI6p+UQABtj74CPte2CyJZO5hJw==
=aHIO
-----END PGP SIGNATURE-----
VAR-200505-1148 | CVE-2005-0196 |
Cisco IOS vulnerable to DoS via malformed BGP packet
Related entries in the VARIoT exploits database: VAR-E-200501-0306 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS 12.0 through 12.3YL, with BGP enabled and running the bgp log-neighbor-changes command, allows remote attackers to cause a denial of service (device reload) via a malformed BGP packet. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow attackers to conduct denial-of-service attacks on an affected device. A vulnerability in the way Cisco IOS handles IPv6 packets could result in a remotely exploitable denial of service. This issue is due to a failure of the application to handle malformed network data. A persistent denial of service attack can be triggered as well. Cisco IOS is the operating system that runs on many Cisco devices.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA05-026A
Multiple Denial-of-Service Vulnerabilities in Cisco IOS
Original release date: January 26, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Cisco routers and switches running IOS in various configurations
Overview
Several denial-of-service vulnerabilities have been discovered in
Cisco's Internet Operating System (IOS).
I. An unauthenticated attacker can send
these malformed packets on a local network segment that is connected
to a vulnerable device interface. The vulnerability is exposed on both
physical interfaces (i.e., hardware interfaces), and logical
interfaces (i.e., software defined interfaces such as tunnels) that
are configured for IPv6.
II. Impact
Although the underlying causes of these three vulnerabilities is
different, in each case a remote attacker could cause an affected
device to reload the operating system. Repeated exploitation of
these vulnerabilites would result in a sustained denial-of-service
condition.
Since devices running IOS may transit traffic for a number of other
networks, the secondary impacts of a denial of service may be severe.
III. Solution
Upgrade to a fixed version of IOS
Cisco has updated versions of its IOS software to address these
vulnerabilities. Please refer to the "Software Versions and Fixes"
sections of the Cisco Security Advisories listed in Appendix A for
more information on upgrading.
Workaround
Cisco has also published practical workarounds for VU#689326 and
VU#583638. Please refer to the "Workarounds" section of each Cisco
Security Advisory listed in Appendix A for more information.
Sites that are unable to install an upgraded version of IOS are
encouraged to implement these workarounds.
Appendix A. References
* Cisco Security Advisory: Crafted Packet Causes Reload on Cisco
Routers -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml>
* Cisco Security Advisory: Multiple Crafted IPv6 Packets Cause
Reload -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml>
* Cisco Security Advisory: Cisco IOS Malformed BGP Packet Causes
Reload -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml>
* US-CERT Vulnerability Note VU#583638 -
<http://www.kb.cert.org/vuls/id/583638>
* US-CERT Vulnerability Note VU#472582 -
<http://www.kb.cert.org/vuls/id/472582>
* US-CERT Vulnerability Note VU#689326 -
<http://www.kb.cert.org/vuls/id/689326>
_________________________________________________________________
Feedback can be directed to the authors: Will Dormann, Chad Dougherty,
and Damon Morda
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA05-026A.html>
_________________________________________________________________
Copyright 2005 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
January 26, 2005: Initial release
Last updated January 26, 2005
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQfgfthhoSezw4YfQAQJQKAf8DxKPd+9aXGsomYzRhFPyCcnjEfy6dv/N
3GcqV8GR5WyshB207vhvw1PDfZdQVFIXiNr/xE9dmBKEhm38En3a70DnVe2UCmXO
UobYXGk9tSW+pnR7Cdd3hc8yeZq0ys+LFKF/sztgpPJji/zFWojPnuS1wCcYggA1
kuGCQ9VD6My64Hlh/PStCYqx5C9azgGHNv086W6fQyCssgjwBz51YxdV9gZ9wJUt
I8LGjq6T0Fp+5kEEd9SPoUjA+r7bNft3xUPAabb+N4dt8sZUYqzXDP71lYYXgZay
z2FE7jkbtX/LYVQCiA4LfgGCbw1sI6p+UQABtj74CPte2CyJZO5hJw==
=aHIO
-----END PGP SIGNATURE-----
VAR-200505-1149 | CVE-2005-0197 |
Cisco IOS vulnerable to DoS via malformed BGP packet
Related entries in the VARIoT exploits database: VAR-E-200501-0178 |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Cisco IOS 12.1T, 12.2, 12.2T, 12.3 and 12.3T, with Multi Protocol Label Switching (MPLS) installed but disabled, allows remote attackers to cause a denial of service (device reload) via a crafted packet sent to the disabled interface. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow attackers to conduct denial-of-service attacks on an affected device. A vulnerability in the way Cisco IOS handles IPv6 packets could result in a remotely exploitable denial of service.
It is reported that the vulnerability presents itself when an affected router handles an unspecified malicious packet on a MPLS disabled interface.
A remote attacker that resides on the same network segment as the vulnerable router may exploit this vulnerability continuously to effectively deny network-based services to legitimate users. Cisco IOS is the operating system that runs on many Cisco devices. There is a problem in the processing of special MPLS packets in Cisco IOS devices.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA05-026A
Multiple Denial-of-Service Vulnerabilities in Cisco IOS
Original release date: January 26, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Cisco routers and switches running IOS in various configurations
Overview
Several denial-of-service vulnerabilities have been discovered in
Cisco's Internet Operating System (IOS).
I. An unauthenticated attacker can send
these malformed packets on a local network segment that is connected
to a vulnerable device interface. The vulnerability is exposed on both
physical interfaces (i.e., hardware interfaces), and logical
interfaces (i.e., software defined interfaces such as tunnels) that
are configured for IPv6.
VU#689326 - Cisco IOS vulnerable to DoS via malformed BGP packet
An IOS device that is enabled for Border Gateway Protocol (BGP) and
set up with the bgp log-neighbor-changes option is vulnerable to a
denial-of-service attack via a malformed BGP packet.
II. Impact
Although the underlying causes of these three vulnerabilities is
different, in each case a remote attacker could cause an affected
device to reload the operating system. Repeated exploitation of
these vulnerabilites would result in a sustained denial-of-service
condition.
Since devices running IOS may transit traffic for a number of other
networks, the secondary impacts of a denial of service may be severe.
III. Solution
Upgrade to a fixed version of IOS
Cisco has updated versions of its IOS software to address these
vulnerabilities. Please refer to the "Software Versions and Fixes"
sections of the Cisco Security Advisories listed in Appendix A for
more information on upgrading.
Workaround
Cisco has also published practical workarounds for VU#689326 and
VU#583638. Please refer to the "Workarounds" section of each Cisco
Security Advisory listed in Appendix A for more information.
Sites that are unable to install an upgraded version of IOS are
encouraged to implement these workarounds.
Appendix A. References
* Cisco Security Advisory: Crafted Packet Causes Reload on Cisco
Routers -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml>
* Cisco Security Advisory: Multiple Crafted IPv6 Packets Cause
Reload -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml>
* Cisco Security Advisory: Cisco IOS Malformed BGP Packet Causes
Reload -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml>
* US-CERT Vulnerability Note VU#583638 -
<http://www.kb.cert.org/vuls/id/583638>
* US-CERT Vulnerability Note VU#472582 -
<http://www.kb.cert.org/vuls/id/472582>
* US-CERT Vulnerability Note VU#689326 -
<http://www.kb.cert.org/vuls/id/689326>
_________________________________________________________________
Feedback can be directed to the authors: Will Dormann, Chad Dougherty,
and Damon Morda
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA05-026A.html>
_________________________________________________________________
Copyright 2005 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
January 26, 2005: Initial release
Last updated January 26, 2005
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQfgfthhoSezw4YfQAQJQKAf8DxKPd+9aXGsomYzRhFPyCcnjEfy6dv/N
3GcqV8GR5WyshB207vhvw1PDfZdQVFIXiNr/xE9dmBKEhm38En3a70DnVe2UCmXO
UobYXGk9tSW+pnR7Cdd3hc8yeZq0ys+LFKF/sztgpPJji/zFWojPnuS1wCcYggA1
kuGCQ9VD6My64Hlh/PStCYqx5C9azgGHNv086W6fQyCssgjwBz51YxdV9gZ9wJUt
I8LGjq6T0Fp+5kEEd9SPoUjA+r7bNft3xUPAabb+N4dt8sZUYqzXDP71lYYXgZay
z2FE7jkbtX/LYVQCiA4LfgGCbw1sI6p+UQABtj74CPte2CyJZO5hJw==
=aHIO
-----END PGP SIGNATURE-----
VAR-200505-0907 | CVE-2005-0127 | Apple Mac OS X vulnerable to information disclosure in "Message-ID" header |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Mail in Mac OS X 10.3.7, when generating a Message-ID header, generates a GUUID that includes information that identifies the Ethernet hardware being used, which allows remote attackers to link mail messages to a particular machine. The Mail application supplied with Apple's Mac OS X operating system identifies the system from which any electronic mail is sent. Apple's Mac OS X operating system contains a flaw in the handling of ICC color profiles, which may allow arbitrary code execution through a heap-based buffer overflow. An information disclosure vulnerability affects the email message ID generation of Apple Mail. This issue is due to a design error that causes the application to insecurely generate email message IDs.
An attacker may leverage this issue to identify the specific computer that an email has been sent from, other attacks may also be possible
VAR-200505-0906 | CVE-2005-0126 | Apple Mac OS X vulnerable to information disclosure in "Message-ID" header |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
ColorSync on Mac OS X 10.3.7 and 10.3.8 allows attackers to execute arbitrary code via malformed ICC color profiles that modify the heap. The Mail application supplied with Apple's Mac OS X operating system identifies the system from which any electronic mail is sent. A remote buffer overflow vulnerability affects the International Color Consortium (ICC) color profile processing functionality of Apple ColorSync. This issue is due to a failure of the application to properly validate user-supplied data prior to copying it into static process buffers.
An attacker may leverage this issue to execute arbitrary code in the context of the ColorSync utility; it is currently unknown whether the ColorSync utility runs with superuser privileges, although it is likely
VAR-200501-0323 | CVE-2005-0193 | Apple MacOS iSync mRouter Cache overflow vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Buffer overflow in the (1) -v and (2) -a switches in mRouter in iSync 1.5 in Mac OS X 10.3.7 and earlier allows local users to execute arbitrary code. iSync's 'mRouter' binary is reportedly susceptible to a local command line argument buffer overflow vulnerability. This issue is due to a failure of the application to properly bounds check user-supplied input data prior to copying it into an insufficiently sized memory buffer.
The 'mRouter' binary is installed by default with setuid superuser permissions. This vulnerability allows users with local interactive access to a computer with the affected application installed to gain superuser privileges. Apple Mac OS X is a dedicated operating system developed by Apple for Mac computers. A local user could exploit this vulnerability to execute arbitrary code
VAR-200505-0354 | CVE-2005-1336 | Apple Mac OS X Foundation Framework vulnerable to buffer overflow via incorrect handling of an environmental variable |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Buffer overflow in the Foundation framework for Mac OS X 10.3.9 allows local users to execute arbitrary code via a long environment variable. An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code
VAR-200505-0351 | CVE-2005-1332 | Apple Mac OS X with Bluetooth enabled may allow file exchange without prompting users |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Bluetooth-enabled systems in Mac OS X 10.3.9 enables the Bluetooth file exchange service by default, which allows remote attackers to access files without the user being notified, and local users to access files via the default directory. An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code. Apple Mac OS X Directory Service utilities use external programs insecurely, potentially allowing an attacker to execute arbitrary code. Due to the availability of more information, this issue is being assigned a new BID. Apple has supported Bluetooth devices since Mac OSX 10.2
VAR-200505-0193 | CVE-2005-0594 | Apple Mac OS X Server NetInfo Setup Tool fails to validate command line parameters |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Buffer overflow in the Netinfo Setup Tool (NeST) allows local users to execute arbitrary code. Apple Mac OS X Server NeST tool contains a vulnerability in the processing of command line arguments that could allow an attacker to execute arbitrary code.
The vulnerability presents itself when the application handles excessive string values through a command line parameter.
An attacker can gain superuser privileges by exploiting this issue. Due to the availability of more information, this issue is being assinged a new BID. Netinfo Setup Tool (NeST) is a SUID tool
VAR-200501-0320 | CVE-2005-0186 | Cisco IOS embedded call processing solutions contain unspecified DoS vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS 12.1YD, 12.2T, 12.3 and 12.3T, when configured for the IOS Telephony Service (ITS), CallManager Express (CME) or Survivable Remote Site Telephony (SRST), allows remote attackers to cause a denial of service (device reboot) via a malformed packet to the SCCP port. Cisco IOS Implemented in ITS , CME ,and SRST Is SCCP Packets are not processed properly, so if these are enabled, illegal SCCP A vulnerability exists that causes the device to restart after interpreting the packet.System disrupts service operation (DoS) It may be in a state. IOS is prone to a denial-of-service vulnerability.
The issue is reported to exist in the Skinny Call Control Protocol (SCCP) handler.
A remote attacker may exploit this vulnerability continuously to effectively deny network-based services to legitimate users. Cisco IOS is the underlying operating system for Cisco networking equipment