VARIoT IoT vulnerabilities database

Php-Nuke 7.5 allows remote attackers to determine the full path of the web server via invalid or missing arguments to (1) db.php, (2) mainfile.php, (3) Downloads/index.php, or (4) Web_Links/index.php, which lists the path in a PHP error message. It is reported that PHP-Nuke is affected by various cross-site scripting vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied URI input. These issues could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials. PHP-Nuke is a widely popular website creation and management tool

vsdatant.sys in Zone Lab ZoneAlarm before 5.5.062.011, ZoneAlarm Wireless before 5.5.080.000, Check Point Integrity Client 4.x before 4.5.122.000 and 5.x before 5.1.556.166 do not properly verify that the ServerPortName argument to the NtConnectPort function is a valid memory address, which allows local users to cause a denial of service (system crash) when ZoneAlarm attempts to dereference an invalid pointer. Multiple ZoneAlarm products and Check Point Integrity Client are reported prone to a local denial of service vulnerability. This issue exists due to an invalid pointer dereference. A successful attack can result in a denial of service condition in the kernel. ZoneAlarm Security Suite, ZoneAlarm Pro, and ZoneAlarm versions prior to 5.5.062.011 and Check Point Integrity Client versions prior to 4.5.122.000 and 5.1.556.166 are considered vulnerable to this issue. ZoneAlarm is a popular desktop firewall system. BACKGROUND Zone Labs ZoneAlarm provides personal firewall protection. More information is available from: http://www.zonelabs.com/ II. ZoneAlarm offers process specific protection by hooking the kernel API routine NtConnectPort(). NtConnectPort() is used by programs to implement advanced inter-process communication (IPC). The NtConnectPort() function is declared as follows: NtConnectPort( OUT PHANDLE ClientPortHandle, IN PUNICODE_STRING ServerPortName, IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory OPTIONAL, OUT PLPC_SECTION_MEMORY ServerSharedMemory OPTIONAL, OUT PULONG MaximumMessageLength OPTIONAL, IN OUT PVOID ConnectionInfo OPTIONAL, IN OUT PULONG ConnectionInfoLength OPTIONAL); The problem specifically exists within vsdatant.sys as ZoneAlarm fails to verify the second argument. 'ServerPortName' is a valid address prior to derefencing it as a pointer. The vulnerable section of code is displayed here: 0001EE93 mov esi, [esp+108h+ServerPortName] 0001EE9A mov edi, eax 0001EE9C test esi, esi 0001EE9E jz short loc_1EEB6 0001EEA0 mov edx, [esi+4] The argument 'ServerPortName' is stored in the register ESI. A check is made to ensure that the value is not NULL. Any non-zero invalid memory address can be passed as the second argument to NtConnectPort(), resulting in a system crash. III. ANALYSIS Exploitation allows local and remote attackers who have exploited another vulnerability to trigger a DoS in kernel space, resulting in a "blue screen of death." IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability in ZoneAlarm version 5.1. It is suspected that previous versions of ZoneAlarm are vulnerable as well. V. WORKAROUND iDEFENSE is currently unaware of any workarounds for this issue. VI. VENDOR RESPONSE A vendor advisory for this issue is available at: http://download.zonelabs.com/bin/free/securityAlert/19.html VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the names CAN-2005-0114 to these issues. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 01/06/2005 Initial vendor notification 01/07/2005 Initial vendor response 02/11/2005 Coordinated public disclosure IX. CREDIT iDEFENSE Labs is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp X. LEGAL NOTICES Copyright (c) 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information

Heap-based buffer overflow in the DEC2EXE module for Symantec AntiVirus Library allows remote attackers to execute arbitrary code via a UPX compressed file containing a negative virtual offset to a crafted PE header. The Symantec AntiVirus Library DEC2EXE component is vulnerable to remote arbitrary code execution. Various Symantec products are reported prone to a remote heap overflow vulnerability. This issue affects the UPX Parsing Engine shipped with the products. The Symantec Antivirus library is used to parse different file formats to detect malicious programs, and one of the modules, DEC2EXE, is used to detect UPX file formats. The module of the Symantec Antivirus library used to detect UPX files lacks correct handling of virtual file offsets. Remote attackers can exploit this vulnerability to construct malicious UPX files, trick users into processing them, and possibly execute arbitrary commands on the system with user process privileges. TITLE: Symantec Multiple Products UPX Parsing Engine Buffer Overflow SECUNIA ADVISORY ID: SA14179 VERIFY ADVISORY: http://secunia.com/advisories/14179/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote OPERATING SYSTEM: Symantec Gateway Security 1.x http://secunia.com/product/876/ Symantec Gateway Security 2.x http://secunia.com/product/3104/ SOFTWARE: Norton Internet Security 2004 http://secunia.com/product/2441/ Norton Internet Security 2004 Professional http://secunia.com/product/2442/ Norton SystemWorks 2004 http://secunia.com/product/2796/ Symantec AntiVirus Corporate Edition 8.x http://secunia.com/product/659/ Symantec AntiVirus Corporate Edition 9.x http://secunia.com/product/3549/ Symantec AntiVirus for Caching 4.x http://secunia.com/product/4626/ Symantec AntiVirus for Network Attached Storage 4.x http://secunia.com/product/4625/ Symantec AntiVirus for SMTP Gateways 3.x http://secunia.com/product/2231/ Symantec AntiVirus Scan Engine 4.x http://secunia.com/product/3040/ Symantec AntiVirus/Filtering for Domino http://secunia.com/product/2029/ Symantec Brightmail AntiSpam 4.x http://secunia.com/product/4627/ Symantec Brightmail AntiSpam 5.x http://secunia.com/product/4628/ Symantec Client Security 1.x http://secunia.com/product/2344/ Symantec Client Security 2.x http://secunia.com/product/3478/ Symantec Mail Security for Exchange 4.x http://secunia.com/product/2820/ Symantec Mail Security for SMTP 4.x http://secunia.com/product/3558/ Symantec Norton AntiVirus 2004 http://secunia.com/product/2800/ Symantec Norton AntiVirus for Microsoft Exchange 2.x http://secunia.com/product/1017/ Symantec Web Security 3.x http://secunia.com/product/2813/ DESCRIPTION: ISS X-Force has reported a vulnerability in multiple Symantec products, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error in the DEC2EXE parsing engine used by the antivirus scanning functionality when processing UPX compressed files. This can be exploited to cause a heap-based buffer overflow via a specially crafted UPX file. The vulnerability affects the following products: * Norton AntiVirus for Microsoft Exchange 2.1 (prior to build 2.18.85) * Symantec Mail Security for Microsoft Exchange 4.0 (prior to build 4.0.10.465) * Symantec Mail Security for Microsoft Exchange 4.5 (prior to build 4.5.3) * Symantec AntiVirus/Filtering for Domino NT 3.1 (prior to build 3.1.1) * Symantec Mail Security for Domino 4.0 (prior to build 4.0.1) * Symantec AntiVirus/Filtering for Domino Ports 3.0 for AIX (prior to build 3.0.6) * Symantec AntiVirus/Filtering for Domino Ports 3.0 for OS400, Linux, Solaris (prior to build 3.0.7) * Symantec AntiVirus Scan Engine 4.3 (prior to build 4.3.3) * Symantec AntiVirus for Network Attached Storage (prior to build 4.3.3) * Symantec AntiVirus for Caching (prior to build 4.3.3) * Symantec AntiVirus for SMTP 3.1 (prior to build 3.1.7) * Symantec Mail Security for SMTP 4.0 (prior to build 4.0.2) * Symantec Web Security 3.0 (prior to build 3.0.1.70) * Symantec BrightMail AntiSpam 4.0 * Symantec BrightMail AntiSpam 5.5 * Symantec AntiVirus Corporate Edition 9.0 (prior to build 9.01.1000) * Symantec AntiVirus Corporate Edition 8.01, 8.1.1 * Symantec Client Security 2.0 (prior to build 9.01.1000) * Symantec Client Security 1.0 * Symantec Gateway Security 2.0, 2.0.1 - 5400 Series * Symantec Gateway Security 1.0 - 5300 Series * Symantec Norton Antivirus 2004 for Windows * Symantec Norton Internet Security 2004 (pro) for Windows * Symantec Norton System Works 2004 for Windows * Symantec Norton Antivirus 2004 for Macintosh * Symantec Norton Internet Security 2004 for Macintosh * Symantec Norton System Works 2004 for Macintosh * Symantec Norton Antivirus 9.0 for Macintosh * Symantec Norton Internet Security for Macintosh 3.0 * Symantec Norton System Works for Macintosh 3.0 SOLUTION: Updates are available (see the vendor advisory for details). PROVIDED AND/OR DISCOVERED BY: Alex Wheeler, ISS X-Force. ORIGINAL ADVISORY: Symantec: http://www.sarc.com/avcenter/security/Content/2005.02.08.html ISS X-Force: http://xforce.iss.net/xforce/alerts/id/187 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Integer signedness error in Apple File Service (AFP Server) allows remote attackers to cause a denial of service (application crash) via a negative UAM string length in a FPLoginExt packet. A remote integer overflow vulnerability reportedly affects Apple Mac OS X AppleFileServer. This issue is due to a failure of the application to properly handle integer signedness while copying data into finite process buffers. An attacker may leverage this issue to cause the affected server process to consume memory resources until triggering an EXC_BAD_ACCESS signal, ultimately causing a denial of service condition

The F5 BIG-IP appliance is reported prone to an information leakage vulnerability. It is reported that the vulnerability is triggered when a browser that is using HTTP pipelining is employed to request a web page from a web server that is being load-balanced by a BIG-IP appliance. It is not believed that a remote attacker will be able to control the behavior of the affected appliance during a pipelined request, as a result it is conjectured that this vulnerability may be exploited to trigger a partial denial of service. Additionally, a successful attack may result in a disclosure of potentially sensitive information to unauthorized users. This vulnerability is reported to affect BIG-IP versions 4.0 through 4.6.2 and BIG-IP Blade Controller versions 4.2.1 through 4.6.2, that have 'OneConnect/Web Aggregation' functionality enabled.

The International Domain Name (IDN) support in Safari 1.2.5 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. Multiple browsers are reported prone to vulnerabilities that surround the handling of International Domain Names. The vulnerabilities are caused by inconsistencies in how International Domain Names are processed. Reports indicate that attackers can leverage this to spoof address bars, status bars, and SSL certificate values. Remote attackers may exploit these vulnerabilities in phishing-style attacks. Through a false sense of trust, users may voluntarily disclose sensitive information to a malicious website. Although these vulnerabilities are reported to affect browsers, mail clients that depend on the browser to generate HTML code may also be affected. KDE is a free and open source X desktop management program for Linux and Unix workstations. Since version 3.2, KDE and its web browser Konqueror have supported International Domain Names (IDNs), which makes KDE vulnerable to a phishing technique called Homograph

The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file. An insecure file creation vulnerability affects Apple Mac OS X Finder. This issue is due to a failure of the application to validate the existence of files prior to creating or writing to them. An attacker may leverage this issue to cause a system-wide denial of service or to gain escalated privileges on an affected computer, potentially leading to unauthorized superuser access. TITLE: SunShop Shopping Cart "search" Cross-Site Scripting SECUNIA ADVISORY ID: SA14118 VERIFY ADVISORY: http://secunia.com/advisories/14118/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote SOFTWARE: SunShop Shopping Cart 3.x http://secunia.com/product/4602/ DESCRIPTION: SmOk3 has reported a vulnerability in SunShop Shopping Cart, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "search" parameter in "index.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site. The vulnerability has been reported in version 3.4 RC 4. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly sanitised. PROVIDED AND/OR DISCOVERED BY: SmOk3 ORIGINAL ADVISORY: http://www.systemsecure.org/wwwboard/messages/227.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Linksys PSUS4 running firmware 6032 allows remote attackers to cause a denial of service (device crash) via an HTTP POST request containing an unknown parameter without a value. Cisco Systems (Linksys) of psus4 printserver Exists in unspecified vulnerabilities.None. Linksys PSUS4 is an embedded linksys wireless print server.  Linksys PSUS4 has problems processing wireless HTTP requests. Remote attackers can use this vulnerability to conduct denial of service attacks. An attacker may exploit this condition to deny service to the affected PrintServer

Cisco IP/VC Videoconferencing System 3510, 3520, 3525 and 3530 contain hard-coded default SNMP community strings, which allows remote attackers to gain access, cause a denial of service, and modify configuration. A default community string vulnerability affects Cisco IP/VC Videoconferencing System devices. This issue is due to a design flaw where hard-coded community strings are stored on the device. This issue may be leveraged to gain unauthorized administrator access to affected devices. This would allow an attacker to create new services, terminate or affect existing sessions, and redirect traffic to a different destination, among other attacks

Ingate Firewall 4.1.3 and earlier does not terminate the PPTP session for an active user when the administrator disables that user from a resource, which could allow remote authenticated users to retain unauthorized access to resources. Ingate Firewall does not remove PPTP tunnels created by a user that has been disabled by the firewall administrator. Even if the user has been disabled, any PPTP tunnels they have created will persist

Cisco IOS 12.0S through 12.3YH allows remote attackers to cause a denial of service (device restart) via a crafted IPv6 packet. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow attackers to conduct denial-of-service attacks on an affected device. Cisco IOS In IPv6 Physical and logical interfaces due to improper handling of packets (6to4 Tunnel ) At IPv6 If you have enabled multiple invalid IPv6 A vulnerability exists in which a device is restarted by interpreting a packet.System disrupted service operation (DoS) May be in a state. This issue is due to a failure of the affected operating system to properly handle specially crafted network data. It is possible for an attacker to produce a sustained denial of service condition against an affected device by continually sending the malicious network data. An attacker may leverage this issue to cause an affected device to reload, denying service to legitimate users. Cisco IOS is the operating system that runs on many Cisco devices. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Technical Cyber Security Alert TA05-026A Multiple Denial-of-Service Vulnerabilities in Cisco IOS Original release date: January 26, 2005 Last revised: -- Source: US-CERT Systems Affected * Cisco routers and switches running IOS in various configurations Overview Several denial-of-service vulnerabilities have been discovered in Cisco's Internet Operating System (IOS). I. Further details are available in the following vulnerability notes: VU#583638 - Cisco IOS contains DoS vulnerability in MPLS packet processing The IOS implementation of Multi Protocol Label Switching (MPLS) contains a vulnerability that allows malformed MPLS packets to cause an affected device to reload. An unauthenticated attacker can send these malformed packets on a local network segment that is connected to a vulnerable device interface. The vulnerability is exposed on both physical interfaces (i.e., hardware interfaces), and logical interfaces (i.e., software defined interfaces such as tunnels) that are configured for IPv6. VU#689326 - Cisco IOS vulnerable to DoS via malformed BGP packet An IOS device that is enabled for Border Gateway Protocol (BGP) and set up with the bgp log-neighbor-changes option is vulnerable to a denial-of-service attack via a malformed BGP packet. II. Repeated exploitation of these vulnerabilites would result in a sustained denial-of-service condition. Since devices running IOS may transit traffic for a number of other networks, the secondary impacts of a denial of service may be severe. III. Solution Upgrade to a fixed version of IOS Cisco has updated versions of its IOS software to address these vulnerabilities. Please refer to the "Software Versions and Fixes" sections of the Cisco Security Advisories listed in Appendix A for more information on upgrading. Workaround Cisco has also published practical workarounds for VU#689326 and VU#583638. Please refer to the "Workarounds" section of each Cisco Security Advisory listed in Appendix A for more information. Sites that are unable to install an upgraded version of IOS are encouraged to implement these workarounds. Appendix A. References * Cisco Security Advisory: Crafted Packet Causes Reload on Cisco Routers - <http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml> * Cisco Security Advisory: Multiple Crafted IPv6 Packets Cause Reload - <http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml> * Cisco Security Advisory: Cisco IOS Malformed BGP Packet Causes Reload - <http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml> * US-CERT Vulnerability Note VU#583638 - <http://www.kb.cert.org/vuls/id/583638> * US-CERT Vulnerability Note VU#472582 - <http://www.kb.cert.org/vuls/id/472582> * US-CERT Vulnerability Note VU#689326 - <http://www.kb.cert.org/vuls/id/689326> _________________________________________________________________ Feedback can be directed to the authors: Will Dormann, Chad Dougherty, and Damon Morda _________________________________________________________________ This document is available from: <http://www.us-cert.gov/cas/techalerts/TA05-026A.html> _________________________________________________________________ Copyright 2005 Carnegie Mellon University. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History January 26, 2005: Initial release Last updated January 26, 2005 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQfgfthhoSezw4YfQAQJQKAf8DxKPd+9aXGsomYzRhFPyCcnjEfy6dv/N 3GcqV8GR5WyshB207vhvw1PDfZdQVFIXiNr/xE9dmBKEhm38En3a70DnVe2UCmXO UobYXGk9tSW+pnR7Cdd3hc8yeZq0ys+LFKF/sztgpPJji/zFWojPnuS1wCcYggA1 kuGCQ9VD6My64Hlh/PStCYqx5C9azgGHNv086W6fQyCssgjwBz51YxdV9gZ9wJUt I8LGjq6T0Fp+5kEEd9SPoUjA+r7bNft3xUPAabb+N4dt8sZUYqzXDP71lYYXgZay z2FE7jkbtX/LYVQCiA4LfgGCbw1sI6p+UQABtj74CPte2CyJZO5hJw== =aHIO -----END PGP SIGNATURE-----

Cisco IOS 12.0 through 12.3YL, with BGP enabled and running the bgp log-neighbor-changes command, allows remote attackers to cause a denial of service (device reload) via a malformed BGP packet. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow attackers to conduct denial-of-service attacks on an affected device. A vulnerability in the way Cisco IOS handles IPv6 packets could result in a remotely exploitable denial of service. This issue is due to a failure of the application to handle malformed network data. A persistent denial of service attack can be triggered as well. Cisco IOS is the operating system that runs on many Cisco devices. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Technical Cyber Security Alert TA05-026A Multiple Denial-of-Service Vulnerabilities in Cisco IOS Original release date: January 26, 2005 Last revised: -- Source: US-CERT Systems Affected * Cisco routers and switches running IOS in various configurations Overview Several denial-of-service vulnerabilities have been discovered in Cisco's Internet Operating System (IOS). I. An unauthenticated attacker can send these malformed packets on a local network segment that is connected to a vulnerable device interface. The vulnerability is exposed on both physical interfaces (i.e., hardware interfaces), and logical interfaces (i.e., software defined interfaces such as tunnels) that are configured for IPv6. II. Impact Although the underlying causes of these three vulnerabilities is different, in each case a remote attacker could cause an affected device to reload the operating system. Repeated exploitation of these vulnerabilites would result in a sustained denial-of-service condition. Since devices running IOS may transit traffic for a number of other networks, the secondary impacts of a denial of service may be severe. III. Solution Upgrade to a fixed version of IOS Cisco has updated versions of its IOS software to address these vulnerabilities. Please refer to the "Software Versions and Fixes" sections of the Cisco Security Advisories listed in Appendix A for more information on upgrading. Workaround Cisco has also published practical workarounds for VU#689326 and VU#583638. Please refer to the "Workarounds" section of each Cisco Security Advisory listed in Appendix A for more information. Sites that are unable to install an upgraded version of IOS are encouraged to implement these workarounds. Appendix A. References * Cisco Security Advisory: Crafted Packet Causes Reload on Cisco Routers - <http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml> * Cisco Security Advisory: Multiple Crafted IPv6 Packets Cause Reload - <http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml> * Cisco Security Advisory: Cisco IOS Malformed BGP Packet Causes Reload - <http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml> * US-CERT Vulnerability Note VU#583638 - <http://www.kb.cert.org/vuls/id/583638> * US-CERT Vulnerability Note VU#472582 - <http://www.kb.cert.org/vuls/id/472582> * US-CERT Vulnerability Note VU#689326 - <http://www.kb.cert.org/vuls/id/689326> _________________________________________________________________ Feedback can be directed to the authors: Will Dormann, Chad Dougherty, and Damon Morda _________________________________________________________________ This document is available from: <http://www.us-cert.gov/cas/techalerts/TA05-026A.html> _________________________________________________________________ Copyright 2005 Carnegie Mellon University. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History January 26, 2005: Initial release Last updated January 26, 2005 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQfgfthhoSezw4YfQAQJQKAf8DxKPd+9aXGsomYzRhFPyCcnjEfy6dv/N 3GcqV8GR5WyshB207vhvw1PDfZdQVFIXiNr/xE9dmBKEhm38En3a70DnVe2UCmXO UobYXGk9tSW+pnR7Cdd3hc8yeZq0ys+LFKF/sztgpPJji/zFWojPnuS1wCcYggA1 kuGCQ9VD6My64Hlh/PStCYqx5C9azgGHNv086W6fQyCssgjwBz51YxdV9gZ9wJUt I8LGjq6T0Fp+5kEEd9SPoUjA+r7bNft3xUPAabb+N4dt8sZUYqzXDP71lYYXgZay z2FE7jkbtX/LYVQCiA4LfgGCbw1sI6p+UQABtj74CPte2CyJZO5hJw== =aHIO -----END PGP SIGNATURE-----

Cisco IOS 12.1T, 12.2, 12.2T, 12.3 and 12.3T, with Multi Protocol Label Switching (MPLS) installed but disabled, allows remote attackers to cause a denial of service (device reload) via a crafted packet sent to the disabled interface. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow attackers to conduct denial-of-service attacks on an affected device. A vulnerability in the way Cisco IOS handles IPv6 packets could result in a remotely exploitable denial of service. It is reported that the vulnerability presents itself when an affected router handles an unspecified malicious packet on a MPLS disabled interface. A remote attacker that resides on the same network segment as the vulnerable router may exploit this vulnerability continuously to effectively deny network-based services to legitimate users. Cisco IOS is the operating system that runs on many Cisco devices. There is a problem in the processing of special MPLS packets in Cisco IOS devices. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Technical Cyber Security Alert TA05-026A Multiple Denial-of-Service Vulnerabilities in Cisco IOS Original release date: January 26, 2005 Last revised: -- Source: US-CERT Systems Affected * Cisco routers and switches running IOS in various configurations Overview Several denial-of-service vulnerabilities have been discovered in Cisco's Internet Operating System (IOS). I. An unauthenticated attacker can send these malformed packets on a local network segment that is connected to a vulnerable device interface. The vulnerability is exposed on both physical interfaces (i.e., hardware interfaces), and logical interfaces (i.e., software defined interfaces such as tunnels) that are configured for IPv6. VU#689326 - Cisco IOS vulnerable to DoS via malformed BGP packet An IOS device that is enabled for Border Gateway Protocol (BGP) and set up with the bgp log-neighbor-changes option is vulnerable to a denial-of-service attack via a malformed BGP packet. II. Impact Although the underlying causes of these three vulnerabilities is different, in each case a remote attacker could cause an affected device to reload the operating system. Repeated exploitation of these vulnerabilites would result in a sustained denial-of-service condition. Since devices running IOS may transit traffic for a number of other networks, the secondary impacts of a denial of service may be severe. III. Solution Upgrade to a fixed version of IOS Cisco has updated versions of its IOS software to address these vulnerabilities. Please refer to the "Software Versions and Fixes" sections of the Cisco Security Advisories listed in Appendix A for more information on upgrading. Workaround Cisco has also published practical workarounds for VU#689326 and VU#583638. Please refer to the "Workarounds" section of each Cisco Security Advisory listed in Appendix A for more information. Sites that are unable to install an upgraded version of IOS are encouraged to implement these workarounds. Appendix A. References * Cisco Security Advisory: Crafted Packet Causes Reload on Cisco Routers - <http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml> * Cisco Security Advisory: Multiple Crafted IPv6 Packets Cause Reload - <http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml> * Cisco Security Advisory: Cisco IOS Malformed BGP Packet Causes Reload - <http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml> * US-CERT Vulnerability Note VU#583638 - <http://www.kb.cert.org/vuls/id/583638> * US-CERT Vulnerability Note VU#472582 - <http://www.kb.cert.org/vuls/id/472582> * US-CERT Vulnerability Note VU#689326 - <http://www.kb.cert.org/vuls/id/689326> _________________________________________________________________ Feedback can be directed to the authors: Will Dormann, Chad Dougherty, and Damon Morda _________________________________________________________________ This document is available from: <http://www.us-cert.gov/cas/techalerts/TA05-026A.html> _________________________________________________________________ Copyright 2005 Carnegie Mellon University. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History January 26, 2005: Initial release Last updated January 26, 2005 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQfgfthhoSezw4YfQAQJQKAf8DxKPd+9aXGsomYzRhFPyCcnjEfy6dv/N 3GcqV8GR5WyshB207vhvw1PDfZdQVFIXiNr/xE9dmBKEhm38En3a70DnVe2UCmXO UobYXGk9tSW+pnR7Cdd3hc8yeZq0ys+LFKF/sztgpPJji/zFWojPnuS1wCcYggA1 kuGCQ9VD6My64Hlh/PStCYqx5C9azgGHNv086W6fQyCssgjwBz51YxdV9gZ9wJUt I8LGjq6T0Fp+5kEEd9SPoUjA+r7bNft3xUPAabb+N4dt8sZUYqzXDP71lYYXgZay z2FE7jkbtX/LYVQCiA4LfgGCbw1sI6p+UQABtj74CPte2CyJZO5hJw== =aHIO -----END PGP SIGNATURE-----

Mail in Mac OS X 10.3.7, when generating a Message-ID header, generates a GUUID that includes information that identifies the Ethernet hardware being used, which allows remote attackers to link mail messages to a particular machine. The Mail application supplied with Apple's Mac OS X operating system identifies the system from which any electronic mail is sent. Apple's Mac OS X operating system contains a flaw in the handling of ICC color profiles, which may allow arbitrary code execution through a heap-based buffer overflow. An information disclosure vulnerability affects the email message ID generation of Apple Mail. This issue is due to a design error that causes the application to insecurely generate email message IDs. An attacker may leverage this issue to identify the specific computer that an email has been sent from, other attacks may also be possible

ColorSync on Mac OS X 10.3.7 and 10.3.8 allows attackers to execute arbitrary code via malformed ICC color profiles that modify the heap. The Mail application supplied with Apple's Mac OS X operating system identifies the system from which any electronic mail is sent. A remote buffer overflow vulnerability affects the International Color Consortium (ICC) color profile processing functionality of Apple ColorSync. This issue is due to a failure of the application to properly validate user-supplied data prior to copying it into static process buffers. An attacker may leverage this issue to execute arbitrary code in the context of the ColorSync utility; it is currently unknown whether the ColorSync utility runs with superuser privileges, although it is likely

Buffer overflow in the (1) -v and (2) -a switches in mRouter in iSync 1.5 in Mac OS X 10.3.7 and earlier allows local users to execute arbitrary code. iSync's 'mRouter' binary is reportedly susceptible to a local command line argument buffer overflow vulnerability. This issue is due to a failure of the application to properly bounds check user-supplied input data prior to copying it into an insufficiently sized memory buffer. The 'mRouter' binary is installed by default with setuid superuser permissions. This vulnerability allows users with local interactive access to a computer with the affected application installed to gain superuser privileges. Apple Mac OS X is a dedicated operating system developed by Apple for Mac computers. A local user could exploit this vulnerability to execute arbitrary code

Buffer overflow in the Foundation framework for Mac OS X 10.3.9 allows local users to execute arbitrary code via a long environment variable. An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code

Bluetooth-enabled systems in Mac OS X 10.3.9 enables the Bluetooth file exchange service by default, which allows remote attackers to access files without the user being notified, and local users to access files via the default directory. An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code. Apple Mac OS X Directory Service utilities use external programs insecurely, potentially allowing an attacker to execute arbitrary code. Due to the availability of more information, this issue is being assigned a new BID. Apple has supported Bluetooth devices since Mac OSX 10.2

Buffer overflow in the Netinfo Setup Tool (NeST) allows local users to execute arbitrary code. Apple Mac OS X Server NeST tool contains a vulnerability in the processing of command line arguments that could allow an attacker to execute arbitrary code. The vulnerability presents itself when the application handles excessive string values through a command line parameter. An attacker can gain superuser privileges by exploiting this issue. Due to the availability of more information, this issue is being assinged a new BID. Netinfo Setup Tool (NeST) is a SUID tool

Cisco IOS 12.1YD, 12.2T, 12.3 and 12.3T, when configured for the IOS Telephony Service (ITS), CallManager Express (CME) or Survivable Remote Site Telephony (SRST), allows remote attackers to cause a denial of service (device reboot) via a malformed packet to the SCCP port. Cisco IOS Implemented in ITS , CME ,and SRST Is SCCP Packets are not processed properly, so if these are enabled, illegal SCCP A vulnerability exists that causes the device to restart after interpreting the packet.System disrupts service operation (DoS) It may be in a state. IOS is prone to a denial-of-service vulnerability. The issue is reported to exist in the Skinny Call Control Protocol (SCCP) handler. A remote attacker may exploit this vulnerability continuously to effectively deny network-based services to legitimate users. Cisco IOS is the underlying operating system for Cisco networking equipment