VARIoT IoT vulnerabilities database


VAR-200501-0243 CVE-2004-1096 Archive::Zip may not properly parse the file sizes of Zip archives CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Archive::Zip Perl module before 1.14, when used by antivirus programs such as amavisd-new, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. Archive::Zip does not properly parse Zip files and may incorrectly interpret malformed zip archives to contain zero length/size files. As a result, anti-virus software using Archive::Zip may fail to detect malicious content within a Zip archive. Archive::Zip is a free Perl module for working with zip compressed files. Archive::Zip versions prior to 1.14 have security bypass vulnerabilities when used in antivirus programs
VAR-200503-0061 CVE-2004-1051 GratiSoft Sudo Restricted Command Execution Bypass Vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
sudo before 1.6.8p2 allows local users to execute arbitrary commands by using "()" style environment variables to create functions that have the same name as any program within the bash script that is called without using the program's full pathname. A restricted command execution bypass vulnerability affects GratiSoft's Sudo application. This issue is due to a design error that causes the application to fail to properly sanitize user-supplied environment variables. An attacker with sudo privileges may leverage this issue to execute commands that are explicitly disallowed. This may facilitate privilege escalation and certainly leads to a false sense of security
VAR-200501-0257 CVE-2004-1111 Cisco IOS fails to properly handle malformed DHCP packets CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco IOS 2.2(18)EW, 12.2(18)EWA, 12.2(14)SZ, 12.2(18)S, 12.2(18)SE, 12.2(18)SV, 12.2(18)SW, and other versions without the "no service dhcp" command, keep undeliverable DHCP packets in the queue instead of dropping them, which allows remote attackers to cause a denial of service (dropped traffic) via multiple undeliverable DHCP packets that exceed the input queue size. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow remote attackers to conduct denial-of-service attacks on an affected device. 7600 is prone to a denial-of-service vulnerability. Reportedly, DHCP packets containing certain unspecified content have the capability to block the input queue of interfaces on affected devices. Once an input queue is blocked, further ARP and routing protocol packets will not be processed. This condition can only be corrected by rebooting the affected device. An attacker with the ability to send malicious DHCP packets to an affected device may be able to interrupt the routing services of the affected device, potentially denying further network service to legitimate users. Cisco IOS is the system used by Cisco networking equipment.

Technical Cyber Security Alert TA04-316A
Cisco IOS Input Queue Vulnerability
Original release date: November 11, 2004
Last revised: --
Source: US-CERT

Systems Affected
* Cisco routers, switches, and line cards running vulnerable versions of IOS
The following versions of IOS are known to be affected:
* 12.2(18)EW
* 12.2(18)EWA
* 12.2(18)S
* 12.2(18)SE
* 12.2(18)SV
* 12.2(18)SW
* 12.2(14)SZ

Overview
There is a vulnerability in the way Cisco IOS processes DHCP packets. Exploitation of this vulnerability may lead to a denial of service. The processing of DHCP packets is enabled by default.

I. Description
The Dynamic Host Configuration Protocol (DHCP) provides a means for distributing configuration information to hosts on a TCP/IP network. The Cisco Internetwork Operating System (IOS) contains a vulnerability that allows malformed DHCP packets to cause an affected device to stop processing incoming network traffic. Cisco devices can act as a DHCP server, providing host configuration information to clients, or they can forward DHCP and BootP requests as a relay agent. The affected devices have the DHCP service enabled by default and will accept and process incoming DHCP packets. When the queue becomes full, the device will stop accepting all traffic on that interface, not just DHCP traffic. The DHCP service is enabled by default in IOS. DHCP can only be disabled when the no service dhcp command is specified in the running configuration. Cisco notes the following in their advisory: "Cisco routers are configured to process and accept DHCP packets by default, therefore the command service dhcp does not appear in the running configuration display, and only the command for the disabled feature, no service dhcp, will appear in the running configuration display when the feature is disabled." The vulnerability is present regardless of whether the DHCP server or relay agent configurations are present on an affected product. US-CERT is tracking this issue as VU#630104.

II. Repeated exploitation of this vulnerability could lead to a sustained denial-of-service condition. In order to regain functionality, the device must be rebooted to clear the input queue on the interface.

III. Solution
Upgrade to fixed versions of IOS
Cisco has published detailed information about upgrading affected Cisco IOS software to correct this vulnerability. System managers are encouraged to upgrade to one of the non-vulnerable releases. For additional information regarding availability of repaired releases, please refer to the "Software Versions and Fixes" section of the Cisco Security Advisory.

Workarounds
Cisco recommends a number of workarounds. For a complete list of workarounds, see the Cisco Security Advisory.

Appendix A. References
* Vulnerability Note VU#630104 - <http://www.kb.cert.org/vuls/id/630104>
* Cisco Security Advisory: "Cisco IOS DHCP Blocked Interface Denial-of-Service" - <http://www.cisco.com/warp/public/707/cisco-sa-20041110-dhcp.shtml>

US-CERT thanks Cisco Systems for notifying us about this problem.

Feedback can be directed to the authors: Jeff Havrilla, Damon Morda, and Jason Rafail

This document is available from: <http://www.us-cert.gov/cas/techalerts/TA04-316A.html>

Copyright 2004 Carnegie Mellon University. Terms of use: <http://www.us-cert.gov/legal.html>

Revision History
Nov 11, 2004: Initial release
Last updated November 11, 2004
VAR-200501-0258 CVE-2004-1112 Cisco CSA Bypass security mechanism vulnerability CVSS V2: 5.1
CVSS V3: -
Severity: MEDIUM
The buffer overflow trigger in Cisco Security Agent (CSA) before 4.0.3 build 728 waits five minutes for a user response before terminating the process, which could allow remote attackers to bypass the buffer overflow protection by sending additional buffer overflow attacks within the five minute timeout period. This aids attackers in exploiting latent vulnerabilities in services protected by the affected package. Versions prior to 4.0.3.728 are reported susceptible to this vulnerability. Versions before CSA 4.0.3 build 728 do not properly handle buffer overflow attacks. If the user makes no choice, the process is terminated by default. If the attacker continues to carry out the overflow attack during this period of time waiting for the user response, it will be possible
VAR-200501-0255 CVE-2004-1109 Kerio PersonalFirewall FWDRV.SYS Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The FWDRV.SYS driver in Kerio Personal Firewall 4.1.1 and earlier allows remote attackers to cause a denial of service (CPU consumption and system freeze from infinite loop) via a (1) TCP, (2) UDP, or (3) ICMP packet with a zero length IP Option field. A remote denial of service vulnerability affects the IP options filtering functionality of Kerio's Personal Firewall. This issue is caused by a failure of the application to properly handle malformed network packets. A remote attacker can exploit this issue anonymously with a spoofed packet to cause a computer running the affected application to hang indefinitely, denying service to legitimate users. Kerio Personal Firewall is a personal desktop firewall
VAR-200412-0018 CVE-2004-0789 DNS Vulnerability in protocol implementation CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple implementations of the DNS protocol, including (1) Poslib 1.0.2-1 and earlier as used by Posadis, (2) Axis Network products before firmware 3.13, and (3) Men & Mice Suite 2.2x before 2.2.3 and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (CPU and network bandwidth consumption) by triggering a communications loop via (a) DNS query packets with localhost as a spoofed source address, or (b) a response packet that triggers a response packet. [See also CERT/CC VU#887766] A vulnerability has been identified in implementations of the DNS protocol. Depending on the implementation, a query-response storm may occur between servers. Also, if a query is sent with localhost UDP port 53 as its source, the server may continue to respond to itself until its resources are exhausted. A denial-of-service (DoS) attack is possible. Multiple DNS vendors are reported susceptible to a denial of service vulnerability
VAR-200501-0251 CVE-2004-1105 Nortel Networks Contivity VPN Client information leakage vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Nortel Networks Contivity VPN Client displays a different error message depending on whether the username is valid or invalid, which could allow remote attackers to gain sensitive information. It is reported that Nortel Contivity VPN client is susceptible to a username enumeration vulnerability. Attackers may exploit this vulnerability to discern valid usernames. This may aid them in brute force password cracking, or other attacks. Versions prior to 5.01_030 are reported susceptible to this issue. Nortel Networks Contivity VPN Client is the client software for Nortel VPN devices.

Name: User Account Enumeration in Nortel Contivity VPN
Vendor: Nortel Networks
Products Affected: Nortel Networks Contivity VPN Client
Type: Remote User Account Enumeration
Severity: Medium

I. This bug was discovered as part of a penetration test we carried out on the VPN server of a client.

II. Description
1.

III. Impact
The different error messages could enable a malicious person to guess valid user names on the Contivity VPN/Firewall, and then launch password-guessing attacks against these accounts.

IV. Solution
This issue is resolved in Contivity VPN Client for Windows V5.01_030. Refer to the CERT VU Note at http://www.kb.cert.org/vuls/id/830214 and our full advisory at http://www.nii.co.in/vuln/contivity.html for information about vendor response, applying the patches, and other technical details.

V. About Network Intelligence India
We're a leading provider of information security services and products. Our AuditPro suite of security assessment software provides comprehensive, policy-based security audits for Windows 2000, 2003, XP, Redhat Linux, Sun Solaris, Oracle and MS SQL Servers. For more information, visit us at http://www.nii.co.in
VAR-200412-0514 CVE-2004-2220 F-Secure Anti-Virus For Microsoft Exchange password protected archive scan bypass vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
F-Secure Anti-Virus for Microsoft Exchange 6.30 and 6.31 does not properly detect certain password-protected files in a ZIP file, which allows remote attackers to bypass anti-virus protection. It is reported that a specially crafted archive that is nested within another archive is sufficient to trigger this vulnerability. Such an archive may contain malicious applications and will not be detected and quarantined at the email gateway
VAR-200501-0246 CVE-2004-1099 Cisco ACS Bypass authentication vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Cisco Secure Access Control Server for Windows (ACS Windows) and Cisco Secure Access Control Server Solution Engine (ACS Solution Engine) 3.3.1, when the EAP-TLS protocol is enabled, does not properly handle expired or untrusted certificates, which allows remote attackers to bypass authentication and gain unauthorized access via a "cryptographically correct" certificate with valid fields such as the username. This issue is due to a failure of the software to properly validate user credentials prior to granting access. The problem presents itself when an attacker attempts to authenticate to the affected server. Apparently the application will grant access to any attacker that presents a valid user name and a certificate that is cryptographically correct. An attacker can leverage this issue to gain unauthorized remote access to any devices or networks that rely on the affected software for access control
VAR-200411-0227 No CVE Allied Telesyn TFTP Daemon Multiple Remote Vulnerabilities CVSS V2: -
CVSS V3: -
Severity: -
The Allied Telesyn TFTP service is reported to be prone to multiple vulnerabilities. The following specific issues are reported: 1. Allied Telesyn TFTP Server is reported susceptible to a directory-traversal vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input data. This vulnerability allows remote attackers to retrieve or overwrite the contents of arbitrary, potentially sensitive files located on the serving appliance with the privileges of the TFTP server process. 2. Allied Telesyn TFTP Server is reported prone to a remote buffer-overflow vulnerability. This vulnerability may be exploited by a remote attacker to crash the affected service. NOTE (November 17, 2010): This vendor may now be known as Allied Telesis.
VAR-200503-0146 CVE-2004-0988 Apple QuickTime Remote arbitrary code execution vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Integer overflow on Apple QuickTime before 6.5.2, when running on Windows systems, allows remote attackers to cause a denial of service (memory consumption) via certain inputs that cause a large memory operation. This issue is due to a failure of the application to properly validate integer signed-ness prior to using it to carry out critical operations. An attacker may leverage this issue to cause the affected QuickTime client to crash, denying service to legitimate users. It has been speculated that this issue may also facilitate code execution; any code execution would occur with the privileges of the user that activated the affected software. Apple QuickTime is a media player that provides high-quality sound and images. An unspecified issue in Apple QuickTime for Windows could allow a remote attacker to execute arbitrary code with process privileges from the HTML environment. Currently NSSSoftware has not released detailed vulnerability details
VAR-200502-0013 CVE-2004-0962 Apple Remote Desktop Client Local Privilege Escalation Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Apple Remote Desktop Client 1.2.4 executes a GUI application as root when it is started by an Apple Remote Desktop Administrator application, which allows remote authenticated users to execute arbitrary code when loginwindow is active via Fast User Switching. The issue is due to a design error that fails to activate applications with the correct privileges. This issue may allow a local attacker to gain superuser privileges on the affected computer. The vendor reports that Fast User Switching must be enabled for a system to be affected by this vulnerability
VAR-200410-0110 No CVE Novell ZENworks System Tray Local Privilege Escalation Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
It is reported that ZENworks for Desktops contains a local privilege escalation vulnerability. This vulnerability allows users with local interactive access to execute arbitrary applications with administrative privileges. Version 4.0.1 of the application is reported to be vulnerable to this issue.
VAR-200410-0095 CVE-2004-1637 Hawking Technologies HAR11A Router Sensitive Information Disclosure Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The Hawking Technologies HAR11A modem/router allows remote attackers to obtain sensitive information by connecting to port 254, which displays a management interface and information on established connections. HAR11A DSL routers are reported susceptible to an unauthenticated administrative console access vulnerability. This issue is due to a failure of the device to require authentication credentials prior to allowing administrative access to the device's CLI. Remote attackers may possibly be able to gain administrative access to affected devices. Due to code reuse among differing hardware, other devices may also be affected. This issue may also be related to BID 8855. The Hawking Technologies HAR11A is a small router. An attacker can connect to port 254 with a telnet client, gain access without a password, and manage the router. It is possible that other routers have the same vulnerability
VAR-200410-0102 No CVE Sun Java 2 Micro Edition (J2ME) Remote User Bypasses Security 'Sandbox' Limitation Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
Java 2 Micro Edition is a Java technology implementation that supports mobile devices. Java 2 Micro Edition has security issues. Remote attackers can use this vulnerability to build Java code to bypass the Java security mechanism. Adam Gowdiak reports a flaw in the implementation of the Connected Limited Device Configuration (CLDC) in the K virtual machine bytecode checker. Remote users can bypass Java KVM 'sandbox' security mechanisms to access operating system functions and data. For example, a remote attacker can establish malicious Java code to obtain data (such as phone books and SMS messages) from a mobile phone, establish an Internet connection, write FLASH to the phone's memory, install software, and modify internal process communications of the operating system. Nokia, Siemens, Panasonic, Samsung, Motorola and other phones are affected by this vulnerability. For details, please refer to the following article: http://media.corporate-ir.net/media_files/NYS/NOK/Beijing/mestaranta.pdf
VAR-200412-0753 CVE-2004-2621 Nortel Contivity VPN Client Gateway Certificate Check Failure Vulnerability CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Nortel Contivity VPN Client 2.1.7, 3.00, 3.01, 4.91, and 5.01, when opening a VPN tunnel, does not check the gateway certificate until after a dialog box has been displayed to the user, which creates a race condition that allows remote attackers to perform a man-in-the-middle (MITM) attack. Nortel Contivity VPN Client is reported prone to a certificate check failure. The vulnerability is present because the VPN connection is established before the user permits the connection. This may allow the attacker to launch further attacks against the vulnerable computer. Nortel Contivity VPN Client is a VPN client. Remote attackers can exploit this vulnerability to further attack the target system. No detailed vulnerability details are currently available. Successful exploitation requires that an attacker is able to conduct a man-in-the-middle attack, thereby making the client connect to a malicious gateway. The vulnerability has been reported in version 4.91. Other versions may also be vulnerable.

SOLUTION: Reportedly, this will be fixed in version 5.1 (expected to be released in the beginning of 2005). The vendor has not replied to any requests for comments on this issue.

PROVIDED AND/OR DISCOVERED BY: Roger Sylvain from Solucom
VAR-200412-0016 CVE-2004-0834 Speedtouch USB Driver Local Format String Vulnerability

Related entries in the VARIoT exploits database: VAR-E-200410-0228
CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Format string vulnerability in Speedtouch USB driver before 1.3.1 allows local users to execute arbitrary code via (1) modem_run, (2) pppoa2, or (3) pppoa3. The problem occurs due to insufficient sanitization of user-supplied data. This vulnerability may be exploited in order to have arbitrary code executed with superuser privileges
VAR-200804-0010 CVE-2008-1374 Red Hat Enterprise Linux Implemented in CUPS of pdftops Integer overflow vulnerability in filters CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Integer overflow in pdftops filter in CUPS in Red Hat Enterprise Linux 3 and 4, when running on 64-bit platforms, allows remote attackers to execute arbitrary code via a crafted PDF file. NOTE: this issue is due to an incomplete fix for CVE-2004-0888. The pdftops utility is reported prone to multiple integer-overflow vulnerabilities because it fails to properly ensure that user-supplied input doesn't result in the overflowing of integer values. This may result in data being copied past the end of a memory buffer. These overflows cause the application to allocate memory regions that are smaller than expected. Subsequent operations are likely to overwrite memory regions past the end of the allocated buffer, allowing attackers to overwrite critical memory control structures. This may allow attackers to control the flow of execution and potentially execute attacker-supplied code in the context of the affected application. Applications using embedded xpdf code may be vulnerable to these issues as well. Xpdf is an open source program for viewing PDF files. The 'pdftops/XRef.cc' file contained in Xpdf has a problem in processing the pageSize value. A remote attacker can use this vulnerability to construct a malicious PDF file, lure users to access it, and trigger an integer buffer overflow. CUPS contains a call to Xpdf and is therefore also affected by this vulnerability. No detailed vulnerability details are currently available. The vulnerability is caused by an incomplete fix of CVE-2004-0888 on 64bit architectures.
TITLE: Red Hat update for cups
SECUNIA ADVISORY ID: SA29630
VERIFY ADVISORY: http://secunia.com/advisories/29630/
CRITICAL: Moderately critical
IMPACT: System access
WHERE: From local network
OPERATING SYSTEM:
RedHat Enterprise Linux AS 3 http://secunia.com/product/2534/
RedHat Enterprise Linux AS 4 http://secunia.com/product/4669/
RedHat Enterprise Linux WS 3 http://secunia.com/product/2536/
RedHat Enterprise Linux WS 4 http://secunia.com/product/4670/
RedHat Enterprise Linux ES 3 http://secunia.com/product/2535/
RedHat Enterprise Linux ES 4 http://secunia.com/product/4668/
DESCRIPTION: Red Hat has issued an update for cups. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system. For more information: SA29431
SOLUTION: Updated packages are available via Red Hat Network. http://rhn.redhat.com
ORIGINAL ADVISORY: http://rhn.redhat.com/errata/RHSA-2008-0206.html
OTHER REFERENCES: SA29431: http://secunia.com/advisories/29431/
VAR-200501-0128 CVE-2004-1122 Apple Safari Dialog spoofing vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Safari 1.x to 1.2.4, and possibly other versions, allows inactive windows to launch dialog boxes, which can allow remote attackers to spoof the dialog boxes from web sites in other windows, aka the "Dialog Box Spoofing Vulnerability," a different vulnerability than CVE-2004-1314. This issue may allow a remote attacker to carry out phishing style attacks as an attacker may exploit this vulnerability to spoof an interface of a trusted web site. Apple Safari 1.2.3 (v125.9) is reported vulnerable to this issue. It is likely that other versions are affected as well
VAR-200410-0149 No CVE 3Com OfficeConnect ADSL Wireless 11g Firewall Router Authentication Bypass Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
3Com OfficeConnect ADSL Wireless 11g Firewall Router is affected by an authentication bypass vulnerability. This issue is due to a failure of the device to properly validate an authenticated administrator. An attacker could leverage this issue to gain administrative access to the affected device, facilitating disclosure of administrator passwords, WEP encryption keys, configuration manipulation and denial of service. It should be noted that this issue was originally reported in vulnerability report '3Com OfficeConnect ADSL Wireless 11g Firewall Router Multiple Unspecified Vulnerabilities' (BID 11422). It has been assigned its own BID as more information has been made available.