VARIoT IoT vulnerabilities database
VAR-200501-0019 | CVE-2004-0921 | Apple MacOS AFP Denial of service vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
AFP Server on Mac OS X 10.3.x to 10.3.5, when a guest has mounted an AFP volume, allows the guest to "terminate authenticated user mounts" via modified SessionDestroy packets. Multiple security vulnerabilities are reported in Mac OS X. A security update is available to address these issues and to provide other enhancements. The following issues are reported:
Apple AFP server is reported prone to a remote denial of service vulnerability.
A weak permissions vulnerability is reported to affect the AFP server. This may result in a false sense of security for an administrator.
A vulnerability is reported to exist in the NetInfoManager utility. It is reported that the utility will, under certain circumstances, report the status of certain accounts as disabled when they are not.
A heap-based buffer overrun is reported to exist in the QuickTime utility. An attacker may exploit this vulnerability to execute arbitrary instructions in the context of the user that is running the vulnerable software.
Finally, ServerAdmin is reported prone to a weak default configuration vulnerability. This may result in ServerAdmin traffic being intercepted and decrypted by a remote attacker. This vulnerability has been split into BID 11344.
Some of these issues may already be described in previous BIDs. This BID will be split up into unique BIDs when further analysis of this update is complete
VAR-200502-0025 | CVE-2004-0975 | OpenSSL DER_CHOP Insecure Temporary File Creation Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files. A flaw in the OpenSSL library could allow a remote attacker to cause a denial of service on an affected application. Multiple RSA implementations fail to properly handle RSA signatures. This vulnerability may allow an attacker to forge RSA signatures. The der_chop script shipped with OpenSSL creates its temporary file in an insecure manner and is therefore subject to symbolic link attacks: an arbitrary file may be created or overwritten with the privileges of the user executing the script. OpenSSL is affected by an insecure temporary file creation vulnerability. This issue is likely due to a design error that causes the script to fail to verify whether a file already exists before writing to it.
An attacker may leverage this issue to overwrite arbitrary files with the privileges of an unsuspecting user that activates the vulnerable application. Reportedly this issue is unlikely to facilitate privilege escalation. OpenSSL is an open source SSL suite.
----------------------------------------------------------------------
TITLE:
gzip Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA21996
VERIFY ADVISORY:
http://secunia.com/advisories/21996/
CRITICAL:
Moderately critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
gzip 1.x
http://secunia.com/product/4220/
DESCRIPTION:
Tavis Ormandy has reported some vulnerabilities in gzip, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
potentially compromise a vulnerable system.
1) A boundary error within the "make_table()" function in unlzh.c can
be used to modify certain stack data, e.g. by tricking a user or
automated system into unpacking a specially crafted archive file.
2) A further issue can be exploited by e.g. tricking a user or
automated system into unpacking a specially crafted "pack" archive
file.
3) A buffer overflow within the "make_table()" function of gzip's LZH
support can be exploited to cause a DoS and potentially to compromise
a vulnerable system by e.g. tricking a user or automated system into
unpacking an archive containing a specially crafted decoding table.
4) A NULL pointer dereference within the "huft_build()" function and
an infinite loop within the LZH handling can be exploited to cause a
DoS by e.g. tricking a user or automated system into unpacking a
specially crafted archive file.
The vulnerabilities have been reported in version 1.3.5. Other
versions may also be affected.
SOLUTION:
Do not unpack untrusted archive files.
PROVIDED AND/OR DISCOVERED BY:
Tavis Ormandy, Google Security Team
ORIGINAL ADVISORY:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204676
OTHER REFERENCES:
US-CERT VU#554780:
http://www.kb.cert.org/vuls/id/554780
US-CERT VU#381508:
http://www.kb.cert.org/vuls/id/381508
US-CERT VU#773548:
http://www.kb.cert.org/vuls/id/773548
US-CERT VU#933712:
http://www.kb.cert.org/vuls/id/933712
US-CERT VU#596848
http://www.kb.cert.org/vuls/id/596848
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
National Cyber Alert System
Technical Cyber Security Alert TA06-333A
Apple Releases Security Update to Address Multiple Vulnerabilities
Original release date: November 29, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Apple Mac OS X version 10.3.x and 10.4.x
* Apple Mac OS X Server version 10.3.x and 10.4.x
* Apple Safari web browser
These vulnerabilities affect both Intel-based and PowerPC-based Apple
systems.
Overview
Apple has released Security Update 2006-007 to correct multiple
vulnerabilities affecting Mac OS X, Mac OS X Server, and the Safari web
browser. Vulnerabilities in OpenSSL, gzip, and other products are also
addressed.
I. Description
Apple Security Update 2006-007 addresses a number of vulnerabilities
affecting Mac OS X, OS X Server, Safari web browser, and other
products. Further details are available in the related vulnerability
notes.
This security update also addresses previously known vulnerabilities
in PHP, Perl, OpenSSL, and gzip, which are shipped with Mac OS X. The
OpenSSL vulnerabilities are documented in multiple vulnerability
notes. Information is also available through the OpenSSL
vulnerabilities page. Information about the vulnerabilities in gzip is
available in a series of vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. For specific details, see
the appropriate vulnerability notes. Potential consequences include
remote execution of arbitrary code or commands, bypass of security
restrictions, and denial of service.
III. Solution
Install updates
Install Apple Security Update 2006-007. This and other updates are
available via Apple Update or via Apple Downloads.
IV. References
* Vulnerability Notes for Apple Security Update 2006-007 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apple-2006-007>
* Vulnerability Notes for OpenSSL Security Advisory [28th September
2006] -
<http://www.kb.cert.org/vuls/byid?searchview&query=openssl_secadv_20060928>
* Vulnerability Note VU#845620 -
<http://www.kb.cert.org/vuls/id/845620>
* Vulnerability Note VU#933712 -
<http://www.kb.cert.org/vuls/id/933712>
* Vulnerability Note VU#381508 -
<http://www.kb.cert.org/vuls/id/381508>
* Vulnerability Note VU#554780 -
<http://www.kb.cert.org/vuls/id/554780>
* Vulnerability Note VU#596848 -
<http://www.kb.cert.org/vuls/id/596848>
* Vulnerability Note VU#773548 -
<http://www.kb.cert.org/vuls/id/773548>
* About the security content of Security Update 2006-007 -
<http://docs.info.apple.com/article.html?artnum=304829>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Apple Downloads - <http://www.apple.com/support/downloads/>
* OpenSSL: OpenSSL vulnerabilities -
<http://www.openssl.org/news/vulnerabilities.html>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#Safari>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-333A.html>
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-333A Feedback VU#191336" in the
subject.
_________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
November 29, 2006: Initial release
VAR-200412-0566 | CVE-2004-2147 | Symantec Norton AntiVirus Malformed Email Service Rejection Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unknown versions of Symantec Norton AntiVirus and Microsoft Outlook allow attackers to cause a denial of service (crash) via malformed e-mail messages (1) without a body or (2) without a carriage return ("\n") separating the headers from the body. It is alleged that Symantec Norton AntiVirus is prone to a denial of service vulnerability.
The discoverer of this issue reports that when a malformed email is received through Microsoft Outlook and Norton AntiVirus attempts to process this email, the Norton AntiVirus application will crash.
Symantec is currently investigating this report; this BID will be updated as soon as this investigation is complete. It should also be noted that the discoverer of the issue has not provided any details about which versions may be affected by this issue, version information will be updated appropriately when this issue is investigated further
VAR-200409-0093 | No CVE | Inkra Router Virtual Service Switch Remote Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Inkra Router Virtual Service Switch is a virtual service switch that dynamically protects internal networks and applications. The device does not correctly handle abnormal network data; a remote attacker can exploit this to conduct a denial of service attack against it. No detailed vulnerability information is available at this time. This issue is due to a failure of the application to handle exceptional network data.
An attacker may leverage this issue to cause the affected device to crash, denying service to legitimate users
VAR-200412-1004 | CVE-2004-1550 | Motorola WR850G Wireless Router Remote Authentication Bypass Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Motorola Wireless Router WR850G running firmware 4.03 allows remote attackers to bypass authentication, log on as an administrator, and obtain sensitive information by repeatedly making an HTTP request for ver.asp until an administrator logs on. Motorola WR850G is a wireless router.
By repeatedly requesting the access-restricted 'ver.asp' script, an attacker can obtain the web interface user name and password once an administrator has logged on. With this password, the attacker can access frame_debug.asp to obtain a web shell and execute arbitrary commands on the device. This issue is caused by a design error and may allow an attacker to ultimately take complete control over the device.
Motorola wireless router WR850G running firmware version 4.03 is reportedly affected by this issue. It is possible that other models and firmware versions are affected as well
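The attack leaves a distinctive trace in a web server log: one client hammering the restricted page with 401 responses until an administrator session makes it return 200, followed by a request for the debug page. The following Python is an added detection example, not code from the advisory or from Motorola. The log lines are constructed in Common Log Format for illustration, and the 60-second window and four-request threshold are assumptions to be tuned for the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample web-server log lines in Common Log Format; they are not
# output from a real WR850G and only illustrate the access pattern described above.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Sep/2004:13:55:01 -0700] "GET /ver.asp HTTP/1.1" 401 0
10.0.0.7 - - [10/Sep/2004:13:55:11 -0700] "GET /ver.asp HTTP/1.1" 401 0
10.0.0.7 - - [10/Sep/2004:13:55:21 -0700] "GET /ver.asp HTTP/1.1" 401 0
10.0.0.7 - - [10/Sep/2004:13:55:31 -0700] "GET /ver.asp HTTP/1.1" 401 0
10.0.0.7 - - [10/Sep/2004:13:55:41 -0700] "GET /ver.asp HTTP/1.1" 200 812
10.0.0.7 - - [10/Sep/2004:13:55:43 -0700] "GET /frame_debug.asp HTTP/1.1" 200 1460
192.168.1.20 - - [10/Sep/2004:13:56:02 -0700] "GET /index.asp HTTP/1.1" 200 2310
192.168.1.20 - - [10/Sep/2004:13:58:09 -0700] "GET /ver.asp HTTP/1.1" 200 812
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return {ip, ts, path, status} for one CLF line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path").split("?", 1)[0].lower(),
        "status": int(m.group("status")),
    }

def find_polling_sources(log_text, watched=("/ver.asp",),
                         window=timedelta(seconds=60), threshold=4):
    """Flag source IPs that request a watched path `threshold` or more times
    inside any `window`. Repeated 401s followed by a 200 is the signature of
    a client waiting for an administrator session to appear."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] in watched:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = 0, 0
        for end in range(len(recs)):            # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings[ip] = {
                "max_in_window": best,
                "unauthenticated": sum(r["status"] == 401 for r in recs),
                "succeeded": any(r["status"] == 200 for r in recs),
            }
    return findings

if __name__ == "__main__":
    for ip, info in find_polling_sources(SAMPLE_LOG).items():
        print(ip, info)
```

Only 10.0.0.7 is flagged: five hits on /ver.asp within 40 seconds, four of them unauthenticated and one that succeeded, which is exactly the moment the administrator's session became visible. The single legitimate administrator request from 192.168.1.20 stays below the threshold.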
VAR-200412-0169 | CVE-2004-1472 | Symantec Firewall/VPN appliance vulnerable to DoS via UDP port scan |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running firmware before 1.63 allow remote attackers to cause a denial of service (device freeze) via a fast UDP port scan on the WAN interface. These issues are due to a failure of the application to handle exceptional conditions; a default configuration issue exists as well.
An attacker can leverage a denial of service issue to cause the affected appliance to stop responding, requiring a power off to bring the device back to functionality. A filter bypass issue allows an attacker to bypass the filters on the 'tftpd', 'snmpd', and 'isakmp' services. An attacker can also read and write the community string of the affected device by default, facilitating disclosure and altering of the device's settings.
Symantec Nexland legacy firewall appliances are also affected by these issues. Symantec Enterprise Firewall/VPN is an enterprise-level firewall/VPN system. Symantec Enterprise Firewall/VPN has a default public string, and remote attackers can use this value to obtain sensitive information or perform some configuration operations. Firewalls have default read/write public strings that allow attackers to collect and change firewall configurations. By combining other vulnerabilities, an attacker can send SNMP GET/SET requests to the WAN interface
VAR-200412-0170 | CVE-2004-1473 | Symantec Firewall/VPN appliance vulnerable to DoS via UDP port scan |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running firmware before 1.63 and Gateway Security 320, 360, and 360R running firmware before 622 allow remote attackers to bypass filtering and determine whether the device is running services such as tftpd, snmpd, or isakmp via a UDP port scan with a source port of UDP 53. These issues are due to a failure of the application to handle exceptional conditions; a default configuration issue exists as well.
An attacker can leverage a denial of service issue to cause the affected appliance to stop responding, requiring a power off to bring the device back to functionality. A filter bypass issue allows an attacker to bypass the filters on the 'tftpd', 'snmpd', and 'isakmp' services. An attacker can also read and write the community string of the affected device by default, facilitating disclosure and altering of the device's settings.
Symantec Nexland legacy firewall appliances are also affected by these issues. Symantec Enterprise Firewall/VPN is an enterprise-level firewall/VPN system. Symantec Enterprise Firewall/VPN has a default public string, and remote attackers can use this value to obtain sensitive information or perform some configuration operations. Firewalls have default read/write public strings that allow attackers to collect and change firewall configurations. By combining other vulnerabilities, an attacker can send SNMP GET/SET requests to the WAN interface
VAR-200412-0171 | CVE-2004-1474 | Symantec Firewall/VPN appliance vulnerable to DoS via UDP port scan |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running firmware before 1.63 and Gateway Security 320, 360, and 360R running firmware before 622 uses a default read/write SNMP community string, which allows remote attackers to alter the firewall's configuration file. These issues are due to a failure of the application to handle exceptional conditions; a default configuration issue exists as well.
An attacker can leverage a denial of service issue to cause the affected appliance to stop responding, requiring a power off to bring the device back to functionality. A filter bypass issue allows an attacker to bypass the filters on the 'tftpd', 'snmpd', and 'isakmp' services. An attacker can also read and write the community string of the affected device by default, facilitating disclosure and altering of the device's settings.
Symantec Nexland legacy firewall appliances are also affected by these issues. Symantec Enterprise Firewall/VPN is an enterprise-level firewall/VPN system. Firewalls have default read/write public strings that allow attackers to collect and change firewall configurations. By combining other vulnerabilities, an attacker can send SNMP GET/SET requests to the WAN interface
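The filter bypass in CVE-2004-1473 (source port UDP 53 reaching tftpd, snmpd and isakmp) is the classic failure of a stateless "allow DNS replies" rule: the filter trusts the source port instead of matching the datagram against a query the inside actually sent. The Python below is an added model of the two rule types side by side; it is not Symantec code and does not send packets. Addresses and packets are constructed, and the appliance's real rule set is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Constructed addresses and packets; none of this is captured from a real appliance.
WAN_IP = "203.0.113.10"       # the appliance's WAN interface
DNS_SERVER = "198.51.100.53"  # the resolver an inside host really queried
SCANNER = "192.0.2.99"        # attacker on the WAN side

dns_query = Packet("udp", WAN_IP, 40123, DNS_SERVER, 53)
dns_reply = Packet("udp", DNS_SERVER, 53, WAN_IP, 40123)
probe_snmp = Packet("udp", SCANNER, 53, WAN_IP, 161)    # sport 53 aimed at snmpd
probe_tftp = Packet("udp", SCANNER, 53, WAN_IP, 69)     # sport 53 aimed at tftpd
probe_isakmp = Packet("udp", SCANNER, 53, WAN_IP, 500)  # sport 53 aimed at isakmp
probe_plain = Packet("udp", SCANNER, 40000, WAN_IP, 161)

def stateless_allow(pkt: Packet) -> bool:
    """Weak rule: any UDP datagram with source port 53 is assumed to be a DNS
    reply and admitted regardless of destination port."""
    return pkt.proto == "udp" and pkt.sport == 53

class StatefulFilter:
    """Admit an inbound UDP datagram only if it answers a query the inside sent."""
    def __init__(self) -> None:
        self.pending: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> None:
        self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allow(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reversed 4-tuple
        if key in self.pending:
            self.pending.discard(key)                    # one reply per query
            return True
        return False

def compare(inbound) -> Dict[Packet, Tuple[bool, bool]]:
    """(stateless verdict, stateful verdict) for each inbound packet, after the
    inside host has sent one genuine DNS query."""
    f = StatefulFilter()
    f.outbound(dns_query)
    return {p: (stateless_allow(p), f.inbound_allow(p)) for p in inbound}

if __name__ == "__main__":
    results = compare([dns_reply, probe_snmp, probe_tftp, probe_isakmp, probe_plain])
    for p, (weak, fixed) in results.items():
        print(f"{p.src}:{p.sport} -> :{p.dport}  stateless={weak}  stateful={fixed}")
```

The stateless rule lets every source-port-53 probe through to the management services, which is what makes the scan in the advisory work; the stateful filter admits only the real reply. The same model explains why the default read/write community string is so damaging here: once a probe reaches UDP 161, nothing else stands between the attacker and the configuration.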
VAR-200412-0422 | CVE-2004-2163 | OpenBSD Radius Authentication Bypass Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
login_radius on OpenBSD 3.2, 3.5, and possibly other versions does not verify the shared secret in a response packet from a RADIUS server, which allows remote attackers to bypass authentication by spoofing server replies. OpenBSD is reported prone to an authentication bypass vulnerability when using Radius authentication. This issue can be leveraged by spoofing traffic on a vulnerable network and carrying out a man-in-the-middle attack to gain unauthorized access to an OpenBSD computer.
This vulnerability arises if an OpenBSD computer is configured to use Radius authentication and may allow an attacker to gain unauthorized access to the OpenBSD computer.
The vulnerability is confirmed in OpenBSD 3.2 and OpenBSD 3.5. Other versions may be vulnerable as well
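The missing check is the RADIUS Response Authenticator: per RFC 2865 a server proves knowledge of the shared secret by setting the 16-byte authenticator of its reply to MD5(Code + ID + Length + RequestAuth + Attributes + Secret). A client that only looks at the Code and Identifier fields will accept an Access-Accept from anyone who can see (or guess, among 256 values) the request's identifier. The Python below is an added example, not OpenBSD's login_radius source; the shared secret is an assumed value and the packets carry no attributes.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; then 16-byte Authenticator

def build_packet(code: int, ident: int, authenticator: bytes, attributes: bytes = b"") -> bytes:
    assert len(authenticator) == 16
    return HEADER.pack(code, ident, 20 + len(attributes)) + authenticator + attributes

def response_authenticator(code, ident, attributes, request_authenticator, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attributes))
                       + request_authenticator + attributes + secret).digest()

def server_reply(code, ident, attributes, request_authenticator, secret) -> bytes:
    """A genuine server can compute the authenticator because it knows the secret."""
    auth = response_authenticator(code, ident, attributes, request_authenticator, secret)
    return build_packet(code, ident, auth, attributes)

def parse(pkt: bytes):
    code, ident, length = HEADER.unpack(pkt[:4])
    return code, ident, length, pkt[4:20], pkt[20:length]

def vulnerable_accept(reply: bytes, request_ident: int) -> bool:
    """Model of the flawed client: checks code and identifier, never the authenticator."""
    code, ident, _, _, _ = parse(reply)
    return code == ACCESS_ACCEPT and ident == request_ident

def fixed_accept(reply: bytes, request_ident: int, request_authenticator: bytes, secret: bytes) -> bool:
    """Client that verifies the Response Authenticator before trusting the verdict."""
    if len(reply) < 20:
        return False
    code, ident, length, auth, attrs = parse(reply)
    if length != len(reply) or ident != request_ident:
        return False
    expected = response_authenticator(code, ident, attrs, request_authenticator, secret)
    if not hmac.compare_digest(auth, expected):
        return False    # sender did not know the secret: spoofed reply
    return code == ACCESS_ACCEPT

def demo():
    secret = b"example-shared-secret"      # assumed value, not from the advisory
    ident = 0x2A
    request_auth = os.urandom(16)          # the client's random Request Authenticator
    genuine = server_reply(ACCESS_ACCEPT, ident, b"", request_auth, secret)
    forged = build_packet(ACCESS_ACCEPT, ident, os.urandom(16))   # spoofer lacks the secret
    return {
        "genuine": (vulnerable_accept(genuine, ident), fixed_accept(genuine, ident, request_auth, secret)),
        "forged": (vulnerable_accept(forged, ident), fixed_accept(forged, ident, request_auth, secret)),
    }

if __name__ == "__main__":
    print(demo())
```

Both clients accept the genuine reply; only the flawed one accepts the forgery. Note that verifying the authenticator protects the verdict but not the channel: RADIUS over UDP still exposes the request to anyone on the path, which is why the advisory frames this as a man-in-the-middle attack.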
VAR-200412-0022 | CVE-2004-0873 | Apple iChat Remote Connection Application Execution Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Apple iChat AV 2.1, AV 2.0, and 1.0.1 allows remote attackers to execute arbitrary programs via a "link" that references the program. This issue is due to a design error that allows an attacker to execute arbitrary commands through the vulnerable application.
An attacker can leverage this issue to execute an arbitrary application on an unsuspecting user's computer. The impact of this issue may be increased when an attacker entices a victim to first download an application, or has another means of placing an application on the victim's computer, and then exploits this issue to execute it. Apple iChat is a video chat program
VAR-200409-0091 | No CVE | Pingtel Xpressa Remote Denial of Service Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Pingtel series are SIP products, one of which is the Xpressa SIP desktop phone.
There is a problem with the HTTP management interface of the Pingtel Xpressa phone. A remote attacker could use this vulnerability to conduct a denial-of-service attack on the device and crash the VxWorks operating system.
Pingtel Xpressa phones can be managed through various interfaces (console, Telnet, and HTTP). The embedded HTTP service does not properly handle long requests. A request similar to the following:
GET /<buffer>/cgi/application.cgi HTTP/1.0
Authorization: Basic [base64authstring]
in which the buffer exceeds 260 characters causes the VxWorks operating system to crash
VAR-200409-0066 | CVE-2004-1675 | SolarWinds Serv-U File Server Input validation error vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Serv-U FTP server 4.x and 5.x allows remote attackers to cause a denial of service (application crash) via a STORE UNIQUE (STOU) command with an MS-DOS device name argument such as (1) COM1, (2) LPT1, (3) PRN, or (4) AUX. Serv-U FTP Server is reported prone to a denial of service vulnerability. This issue presents itself because the application fails to handle exceptional conditions.
The vulnerability is a result of Serv-U FTP Server processing certain 'STOU' commands.
All versions of Serv-U prior to 5.2.0.1 are reportedly affected by this vulnerability
VAR-200409-0006 | CVE-2004-0830 | F-Secure Internet Gatekeeper Content Scan Server Remote Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Content Scanner Server in F-Secure Anti-Virus for Microsoft Exchange 6.21 and earlier, F-Secure Anti-Virus for Microsoft Exchange 6.01 and earlier, and F-Secure Internet Gatekeeper 6.32 and earlier allow remote attackers to cause a denial of service (service crash due to unhandled exception) via a certain malformed packet. F-Secure Content Scanner Server is reported prone to a remote denial of service vulnerability. This issue presents itself when the application handles certain malformed packets. The malformed packet causes an unhandled exception in the process, leading to a crash. F-Secure Internet Gatekeeper can perform automatic virus and content filtering on email and web communications. Depending on the configuration options, a dialog box may appear on the desktop stating that the FSAVSD.EXE process has crashed
VAR-200412-0025 | CVE-2004-0824 | Apple PPPDialer Unsafe log file creation symbolic link vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
PPPDialer for Mac OS X 10.2.8 through 10.3.5 allows local users to overwrite system files via a symlink attack on PPPDialer log files. The Apple PPPDialer utility is reported to contain an insecure log file creation vulnerability: log files created by the application are placed in a world-writable location.
A local attacker may possibly exploit this vulnerability to execute symbolic link file overwrite attacks.
Privilege escalation may be possible using this method of attack, if the attacker can control the data that is being written to the target file. The PPPDialer for Mac OS X versions 10.2.8 through 10.3.5 is vulnerable
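Both this PPPDialer issue and the OpenSSL der_chop issue (CVE-2004-0975, above) are the same bug class: a privileged program writes to a predictable name in a world-writable directory, and a local attacker pre-plants a symbolic link there so the write lands on a file of the attacker's choosing. The Python below is an added example, not Apple's or OpenSSL's code; it stages the attack against a scratch directory and shows the plain open() following the link while an O_CREAT|O_EXCL open refuses. The predictable name "der_chop.1234" is constructed for the demonstration.

```python
import os
import shutil
import tempfile

def insecure_write(path: str, data: str) -> None:
    """Predictable name plus plain open(): if an attacker planted a symlink at
    `path`, the write follows it to whatever file the link points at."""
    with open(path, "w") as f:
        f.write(data)

def secure_write(path: str, data: str) -> None:
    """O_CREAT|O_EXCL makes the kernel refuse if anything, file or symlink,
    already exists at `path`; O_NOFOLLOW is belt and braces where available."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def secure_tempfile(directory: str):
    """The usual answer for scratch files: mkstemp picks an unpredictable name
    and opens it with O_EXCL, so there is no name to pre-plant."""
    return tempfile.mkstemp(prefix="der_chop.", dir=directory)

def simulate_attack(writer):
    """Create a victim file and an attacker symlink at the predictable temp
    name, run `writer` on that name, and report (outcome, victim clobbered)."""
    work = tempfile.mkdtemp()
    try:
        victim = os.path.join(work, "victim.conf")
        with open(victim, "w") as f:
            f.write("original\n")
        # Constructed predictable name of the kind a script derives from its PID.
        tmp = os.path.join(work, "der_chop.1234")
        os.symlink(victim, tmp)           # the attacker's pre-planted link
        try:
            writer(tmp, "attacker-chosen contents\n")
            outcome = "written"
        except OSError:                   # EEXIST (or ELOOP) from the exclusive open
            outcome = "refused"
        with open(victim) as f:
            clobbered = f.read() != "original\n"
        return outcome, clobbered
    finally:
        shutil.rmtree(work, ignore_errors=True)

if __name__ == "__main__":
    print("plain open():     ", simulate_attack(insecure_write))
    print("O_CREAT|O_EXCL:   ", simulate_attack(secure_write))
```

The exclusive open is the fix that applies to both advisories: an existing path, link or not, is an error rather than a target. When the writer is privileged and the attacker also controls the written data, as the PPPDialer text notes, the clobbered file can be a configuration or credential file and the bug becomes privilege escalation.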
VAR-200412-0026 | CVE-2004-0825 | Apple QuickTime Streaming Server vulnerable to DoS |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
QuickTime Streaming Server in Mac OS X Server 10.2.8, 10.3.4, and 10.3.5 allows remote attackers to cause a denial of service (application deadlock) via a certain sequence of operations. There is a vulnerability in the Mac OS X CoreFoundation framework that could allow a local attacker to execute arbitrary code. According to the report, remote clients can cause the process to deadlock by issuing a specific sequence of operations. This can render the service inoperable, resulting in a denial of service, until the server is restarted. Mac OS X is an operating system used on Mac machines, based on the BSD system. A reboot is required for normal operation
VAR-200412-0024 | CVE-2004-0821 | Apple QuickTime Streaming Server vulnerable to DoS |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The CFPlugIn in Core Foundation framework in Mac OS X allows user supplied libraries to be loaded, which could allow local users to gain privileges. There is a vulnerability in the Apple QuickTime Streaming Server that could allow a remote attacker to cause a denial-of-service condition. It is reported that bundles using CoreFoundation can be made to automatically load plug-in executables using the CFPlugIn feature. This is a security vulnerability allowing for local privilege escalation as malicious executable plug-ins can be loaded by a privileged application. At this time, it is not clear whether the application targeted must be in the form of a bundle or if the attacker can perform the attack against any privileged application with a custom bundle.
Users are advised to apply the patch provided by Apple, which changes the feature to prevent loading of plug-ins automatically if an executable is already loaded. Mac OS X is an operating system used on Mac machines, based on the BSD system. Apple Mac OS X CoreFoundation has library loading processing issues and buffer overflows. Local attackers can exploit this vulnerability to obtain ROOT privileges. Apple reports that local users can use the CoreFoundation CFPlugIn application to load any user-provided library to obtain ROOT privileges [CVE: CAN-2004-0821]. In addition, local users can modify some environment variables to trigger buffer overflow in CoreFoundation, and can execute arbitrary commands with ROOT process privileges [CVE: CAN-2004-0822]
VAR-200409-0014 | CVE-2004-0822 | Apple QuickTime Streaming Server vulnerable to DoS |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Buffer overflow in The Core Foundation framework (CoreFoundation.framework) in Mac OS X 10.2.8, 10.3.4, and 10.3.5 allows local users to execute arbitrary code via a certain environment variable. There is a vulnerability in the Apple QuickTime Streaming Server that could allow a remote attacker to cause a denial-of-service condition. It is reported that a buffer overflow vulnerability is present in CoreFoundation related to its handling of an unspecified environment variable. Consequently, privileged applications using CoreFoundation may be exploited by local users to elevate their access level to that of the application. It is not known if all applications using CoreFoundation are vulnerable. Mac OS X is an operating system used on Mac machines, based on the BSD system. Apple Mac OS X CoreFoundation has library loading processing issues and buffer overflows. Local attackers can exploit this vulnerability to obtain ROOT privileges. Apple reports that local users can use the CoreFoundation CFPlugIn application to load any user-provided library to obtain ROOT privileges [CVE: CAN -2004-0821]
VAR-200409-0015 | CVE-2004-0823 | Apple QuickTime Streaming Server vulnerable to DoS |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
OpenLDAP 1.0 through 2.1.19, as used in Apple Mac OS 10.3.4 and 10.3.5 and possibly other operating systems, may allow certain authentication schemes to use hashed (crypt) passwords in the userPassword attribute as if they were plaintext passwords, which allows remote attackers to re-use hashed passwords without decrypting them. There is a vulnerability in the Apple QuickTime Streaming Server that could allow a remote attacker to cause a denial-of-service condition. There is a vulnerability in the Mac OS X CoreFoundation framework that could allow a local attacker to execute arbitrary code. In OpenLDAP, certain authentication schemes do not treat the value stored in the userPassword attribute as a hash, so an attacker who obtains that stored value can present it directly as the password; password authentication may be bypassed. In certain undisclosed cases, OpenLDAP is reported prone to an ambiguous-password-attribute weakness.
If an attacker can retrieve a password hash as contained in the OpenLDAP database, they may then be able to directly authenticate to the LDAP database. The attacker may gain unauthorized access if they can sniff password hashes from the network or if they can retrieve the contents of the 'userPassword' attribute from a database backup or through weak permissions on the database.
The OpenLDAP that is included with Apple Mac OS X, versions 10.3.4 and 10.3.5, is reported affected. Versions of OpenLDAP included in other operating systems may also be affected. There is a problem in OpenLDAP's verification of CRYPT passwords. Remote attackers can use this vulnerability to log in using other users' CRYPT values as passwords. An attacker can log in with the target user's authority by using the CRYPT value of the target user's password. Apple reports that CRYPT passwords can be specified as a clear text password as userPassword. According to reports, some authentication mechanisms can use CRYPT values as plaintext passwords.
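The weakness is an ambiguity in what userPassword means: a hashed value such as "{CRYPT}..." is only a verifier if every code path that reads it knows to run the hash, and a scheme-unaware comparison turns the stored hash into the credential itself. The Python below is an added illustration, not OpenLDAP code. It uses OpenLDAP's {SSHA} storage format (salted SHA-1, base64 of digest plus salt) rather than {CRYPT} so that it runs with the standard library alone; the password and salt are constructed. In the vulnerable bind, the real password fails and the leaked hash succeeds, which is the "as if they were plaintext" behaviour the advisory describes.

```python
import base64
import hashlib
import hmac
import os

def ssha_store(password: bytes, salt: bytes = None) -> str:
    """Produce an OpenLDAP-style '{SSHA}base64(sha1(pw + salt) + salt)' value."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored: str, supplied: bytes) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(supplied + salt).digest(), digest)

def vulnerable_bind(stored: str, supplied: bytes) -> bool:
    """Scheme-unaware path: the stored attribute value is compared to the
    supplied password byte for byte, so the hash string itself is the password."""
    return hmac.compare_digest(stored.encode(), supplied)

def fixed_bind(stored: str, supplied: bytes) -> bool:
    """Dispatch on the scheme prefix; never fall back to a cleartext compare for
    a value that declares a hashing scheme, known or unknown."""
    if stored.startswith("{SSHA}"):
        return ssha_verify(stored, supplied)
    if stored.startswith("{"):
        return False              # unsupported scheme: refuse rather than guess
    return hmac.compare_digest(stored.encode(), supplied)   # genuinely cleartext

def demo():
    stored = ssha_store(b"correct horse", salt=b"\x01\x02\x03\x04")   # constructed entry
    leaked_hash = stored.encode()   # what an attacker recovers from a backup or sniffs
    return {
        "real_pw":    (vulnerable_bind(stored, b"correct horse"), fixed_bind(stored, b"correct horse")),
        "hash_as_pw": (vulnerable_bind(stored, leaked_hash),      fixed_bind(stored, leaked_hash)),
    }

if __name__ == "__main__":
    print(demo())
```

The fixed version makes the attribute unambiguous at the point of use: a prefixed value is always verified by its scheme, and an unrecognised scheme is a hard failure instead of a silent downgrade to cleartext comparison. That is the property the crypt handling in the affected OpenLDAP versions lacked.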
TITLE:
Red Hat update for openldap / nss_ldap
SECUNIA ADVISORY ID:
SA17233
VERIFY ADVISORY:
http://secunia.com/advisories/17233/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, Exposure of sensitive information
WHERE:
From remote
OPERATING SYSTEM:
RedHat Linux Advanced Workstation 2.1 for Itanium
http://secunia.com/product/1326/
RedHat Enterprise Linux WS 4
http://secunia.com/product/4670/
RedHat Enterprise Linux WS 3
http://secunia.com/product/2536/
RedHat Enterprise Linux WS 2.1
http://secunia.com/product/1044/
RedHat Enterprise Linux ES 4
http://secunia.com/product/4668/
RedHat Enterprise Linux ES 3
http://secunia.com/product/2535/
RedHat Enterprise Linux ES 2.1
http://secunia.com/product/1306/
RedHat Enterprise Linux AS 4
http://secunia.com/product/4669/
RedHat Enterprise Linux AS 3
http://secunia.com/product/2534/
RedHat Enterprise Linux AS 2.1
http://secunia.com/product/48/
DESCRIPTION:
Red Hat has issued updates for openldap / nss_ldap. This fixes two
security issues and a vulnerability, which can be exploited by
malicious people to gain knowledge of sensitive information or bypass
certain security restrictions.
For more information:
SA15906
SA16518
SA12491
SOLUTION:
Updated packages are available from Red Hat Network.
http://rhn.redhat.com/
ORIGINAL ADVISORY:
http://rhn.redhat.com/errata/RHSA-2005-767.html
http://rhn.redhat.com/errata/RHSA-2005-751.html
OTHER REFERENCES:
SA15906:
http://secunia.com/advisories/15906/
SA16518:
http://secunia.com/advisories/16518/
SA12491:
http://secunia.com/advisories/12491/
VAR-200410-0023 | CVE-2004-0799 | Ipswitch WhatsUp Gold Remote denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The HTTP daemon in Ipswitch WhatsUp Gold 8.03 and 8.03 Hotfix 1 allows remote attackers to cause a denial of service (server crash) via a GET request containing an MS-DOS device name, as demonstrated using "prn.htm". The software supports the performance management of networks, servers, virtual environments and applications.
I. BACKGROUND
Ipswitch WhatsUp Gold is a Microsoft Windows based network monitoring
application. More information is available at
http://www.Ipswitch.com/products/whatsup/index.html
II. DESCRIPTION
The problem specifically exists in the handling of reserved DOS device
names. By generating a GET request for 'prn.htm' to the HTTP daemon
installed by WhatsUp Gold, the application crashes and the following
Runtime Library error is displayed:
Runtime Error!
Program: C:\Program Files\WhatsUp\whatsupg.exe
abnormal program termination
III. ANALYSIS
The WhatsUp Gold web server is not enabled by default.
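This WhatsUp Gold crash on "prn.htm" and the Serv-U STOU crash on COM1, LPT1, PRN and AUX (CVE-2004-1675, above) share one root cause: on Windows a reserved MS-DOS device name is resolved to the device no matter what directory or extension surrounds it, so a server that turns a client-supplied name into a file operation ends up opening a device. The Python below is an added example of the input check both servers lacked; it is not iDEFENSE, Ipswitch or Serv-U code. The name list is the documented Windows set (CON, PRN, AUX, NUL, CLOCK$, COM1-COM9, LPT1-LPT9).

```python
# Reserved MS-DOS device names. Windows resolves a base name matching one of
# these to the device regardless of path or extension: PRN, prn.htm and
# c:\site\com1.txt all hit the device.
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

def is_reserved_device_name(name: str) -> bool:
    """True if the last path component, with extension and trailing spaces or
    dots stripped, is a reserved device name (case-insensitive)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem = base.split(".", 1)[0].rstrip(" .")
    return stem.upper() in _RESERVED

def validate_filename(name: str) -> str:
    """Reject names a Windows file API would turn into a device open or a path
    traversal; return the name unchanged when it is a plain, safe file name."""
    if not name or name in (".", ".."):
        raise ValueError("empty or relative name")
    if "/" in name or "\\" in name:
        raise ValueError("path separators not allowed in a bare file name")
    if is_reserved_device_name(name):
        raise ValueError(f"reserved device name: {name!r}")
    return name

def is_safe_filename(name: str) -> bool:
    try:
        validate_filename(name)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed inputs mirroring the two advisories' triggers.
    for candidate in ["prn.htm", "COM1", "LPT1", "AUX", "readme.txt", "COM10"]:
        print(f"{candidate:12} reserved={is_reserved_device_name(candidate)} "
              f"safe={is_safe_filename(candidate)}")
```

Applied to the HTTP daemon's document path or to the STOU argument before any file system call, the check turns both crashes into an ordinary client error. It is a Windows-specific rule, so a cross-platform server should apply it unconditionally rather than only when it believes it is running on Windows.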
IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability against
WhatsUp Gold versions 8.03 and the latest version 8.03 Hotfix 1. It is
suspected that earlier versions are also vulnerable.
V. WORKAROUNDS
Disable the WhatsUp Gold web server if it is not required.
VI. VENDOR RESPONSE
A patch to address this issue is available at:
http://www.ipswitch.com/Support/WhatsUp/patch-upgrades.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0799 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
08/12/2004 Initial vendor notification
08/12/2004 iDEFENSE clients notified
08/12/2004 Initial vendor response
09/16/2004 Coordinated public disclosure
IX. CREDIT
The discoverer wishes to remain anonymous.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
X. LEGAL NOTICES
Copyright (c) 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information
VAR-200409-0059 | CVE-2004-1663 | LSI Logic storage controllers Security hole |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Engenio/LSI Logic storage controllers, as used in products such as Storagetek D280, and IBM DS4100 (formerly FastT 100) and Brocade SilkWorm Switches, allow remote attackers to cause a denial of service (freeze and possible data corruption) via crafted TCP packets. It is reported that hardware based on Engenio storage controllers is prone to a remote denial of service vulnerability. This could reportedly also result in unrecoverable corruption of data.
Affected hardware includes Storagetek D280, IBM DS4100 (formerly FastT 100) and Brocade SilkWorm Switches. Other devices may be affected, such as other Storagetek and IBM FastT storage controllers and SGI and Teradata storage controllers, though this has not been confirmed. The problem may exist in the underlying VxWorks operating system, though this has also not been confirmed