VARIoT IoT vulnerabilities database


VAR-200409-0092 No CVE Dynalink RTA 230 ADSL Router Default Backdoor Account Vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Dynalink RTA 230 is a Linux-based ADSL router. The Dynalink RTA 230 has a default backdoor account that an attacker can use to control the entire ADSL device. Inspecting /etc/passwd reveals two default accounts:

# cat /etc/passwd
admin:xxxxx(obscured)xxxxx:0:0:Administrator:/:/bin/sh
userNotUsed:YNf8oSCwK/0/Y:0:0:Technical Support:/:/bin/sh

Both entries carry UID 0 and GID 0 with /bin/sh as the login shell, so either account is root-equivalent. These accounts cannot be modified and are not visible in the web configuration application. However, neither the web configuration application nor the telnet service listens on the WAN interface by default. An attacker with access to the internal interface can fully control the ADSL device. Other devices that use similar firmware may also have this problem. Devices that may be affected by this vulnerability are:
- US Robotics 9105 and 9106
- Siemens SE515
- Buffalo WMR-G54
It is reported that the firmware contains a backdoor account. This account is not visible or modifiable from the web administration interface.
VAR-200412-0343 CVE-2004-2422 Ipswitch IMail Server Multiple Buffer Overflow Denial Of Service Vulnerabilities
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple features in Ipswitch IMail Server before 8.13 allow remote attackers to cause a denial of service (crash) via (1) a long sender field to the Queue Manager or (2) a long To field to the Web Messaging component. It is reported that IMail is susceptible to multiple buffer overflow denial of service vulnerabilities. These vulnerabilities allow a remote attacker to crash the affected application, denying service to legitimate users. It is conjectured that it may be possible for an attacker to execute arbitrary code in the context of the affected server application. Versions of the application prior to 8.13 are reported affected by these vulnerabilities.

TITLE: IMail Multiple Denial of Service Vulnerabilities
SECUNIA ADVISORY ID: SA12453
VERIFY ADVISORY: http://secunia.com/advisories/12453/
CRITICAL: Moderately critical
IMPACT: DoS
WHERE: From remote
SOFTWARE: IMail Server 8.x http://secunia.com/product/3048/
DESCRIPTION: Various vulnerabilities have been reported in IMail, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
2) An unspecified error within the Web Calendaring can potentially be exploited to cause a crash when a calendar entry containing certain content is viewed.
SOLUTION: Apply IMail Server 8.13 patch. http://www.ipswitch.com/support/imail/releases/imail_professional/im813.html
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: http://support.ipswitch.com/kb/IM-20040902-DM01.htm
----------------------------------------------------------------------
About: This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet@packetstormsecurity.org
----------------------------------------------------------------------
VAR-200412-0389 CVE-2004-2423 Ipswitch IMail Server Multiple Buffer Overflow Service Rejection Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in the Web calendaring component of Ipswitch IMail Server before 8.13 allows remote attackers to cause a denial of service (crash) via "specific content". It is reported that IMail is susceptible to multiple buffer overflow denial of service vulnerabilities. It is conjectured that it may be possible for an attacker to execute arbitrary code in the context of the affected server application. Versions of the application prior to 8.13 are reported affected by these vulnerabilities.

TITLE: IMail Multiple Denial of Service Vulnerabilities
SECUNIA ADVISORY ID: SA12453
VERIFY ADVISORY: http://secunia.com/advisories/12453/
CRITICAL: Moderately critical
IMPACT: DoS
WHERE: From remote
SOFTWARE: IMail Server 8.x http://secunia.com/product/3048/
DESCRIPTION: Various vulnerabilities have been reported in IMail, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
1) An unspecified error within the Queue Manager can be exploited to cause a crash via an overly long sender field.
3) An unspecified error within the Web Messaging can potentially be exploited to cause a crash via an overly long "To:" line.
SOLUTION: Apply IMail Server 8.13 patch. http://www.ipswitch.com/support/imail/releases/imail_professional/im813.html
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: http://support.ipswitch.com/kb/IM-20040902-DM01.htm
VAR-200409-0056 CVE-2004-1658 Kerio Personal Firewall Application Security Bypass Vulnerability
CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Kerio Personal Firewall 4.0 (KPF4) allows local users with administrative privileges to bypass the Application Security feature and execute arbitrary processes by directly writing to \device\physicalmemory to restore the running kernel's SDT ServiceTable. A vulnerability is reported to affect the Kerio Personal Firewall (KPF) 'Application Security' functionality that could permit an executable run by an administrator to disable KPF 'Application Security'. It is reported that the KPF 'Application Security' functionality relies on a modified Service Description Table (SDT) in order to function, and that the SDT can be restored to its original state. A malicious application run by an administrator can read an intact SDT from kernel memory and restore it in the running kernel by writing to kernel memory space. This disables the KPF 'Application Security' functionality.
VAR-200408-0226 CVE-2004-1650 D-Link Securicam Network DCS-900 Internet Camera Remote Configuration Vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
D-Link DCS-900 Internet Camera listens on UDP port 62976 for an IP address, which allows remote attackers to change the IP address of the camera via a UDP broadcast packet. D-Link Securicam Network DCS-900 Internet Camera is reportedly affected by a remote configuration vulnerability. An attacker may leverage this issue to hijack the vulnerable camera, ultimately triggering a denial of service condition, as the unsuspecting user will be unable to connect to the device without knowing its new IP address.
VAR-200408-0219 CVE-2004-1643 Progress Software Ipswitch WS_FTP Server Security hole
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
WS_FTP 5.0.2 allows remote authenticated users to cause a denial of service (CPU consumption) via a CD command that contains an invalid path with a "../" sequence. WS_FTP Server is reported prone to a remote denial of service vulnerability. This issue presents itself when the application processes a malformed file path through the 'cd' command. WS_FTP Server version 5.0.2 is reported prone to this issue; however, other versions may be affected as well. Progress Software Ipswitch WS_FTP Server is FTP server software developed by Progress Software in the United States. It provides functions such as file transfer control and transfer encryption. A security vulnerability exists in Progress Software Ipswitch WS_FTP Server version 5.0.2.
VAR-200412-0177 CVE-2004-1464 Cisco IOS fails to properly handle telnet connections

Related entries in the VARIoT exploits database: VAR-E-200408-0248
CVSS V2: 5.0
CVSS V3: 5.9
Severity: MEDIUM
Cisco IOS 12.2(15) and earlier allows remote attackers to cause a denial of service (refused VTY (virtual terminal) connections), via a crafted TCP connection to the Telnet or reverse Telnet port. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability could allow remote attackers to prevent new connections to remote management services on a vulnerable device. Successful exploitation of this vulnerability requires a complete TCP 3-way handshake, so the attack is difficult to carry out from a forged IP address.
VAR-200412-0107 CVE-2004-0369 Entrust LibKMP ISAKMP Library Remote IPsec/ISAKMP Buffer Overflow Vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in Entrust LibKmp ISAKMP library, as used by Symantec Enterprise Firewall 7.0 through 8.0, Gateway Security 5300 1.0, Gateway Security 5400 2.0, and VelociRaptor 1.5, allows remote attackers to execute arbitrary code via a crafted ISAKMP payload. The Entrust LibKMP ISAKMP library is reported to be affected by a remote buffer overflow vulnerability. Malicious ISAKMP packets may trigger a buffer overrun in the affected library resulting in the corruption of process memory. Although unconfirmed, it is conjectured that this vulnerability may be related to the vulnerability described in BID 10273, as Checkpoint VPN-1 may use the affected library. The Entrust LibKmp ISAKMP library is used by multiple VPN vendors to exchange IKE keys for IPsec-based VPN products. libKmp handles all incoming ISAKMP packets; the library is also used to authenticate incoming requests and check their processing. The Entrust LibKmp ISAKMP library does not correctly verify incoming ISAKMP packets when implementing the IKE key exchange protocol. Entrust's LibKmp library is provided by the vendor to third parties to handle the exchange of IKE keys, and is used in several enterprise firewall VPN products. LibKmp does check the top-level ISAKMP payloads and their sizes, but the proposal payload embedded in the main SA payload is not properly validated. The code that handles these payloads has a flaw that can lead to memory corruption, specifically a heap overflow. An attacker who sends malicious ISAKMP packets can cause the VPN component to crash, and carefully constructed data may allow execution of arbitrary instructions on the system with the privileges of the process.
Product: Symantec Gateway Security 2.0 - Model 5400 Series
Copyright © 2004 Symantec Corporation
August, 2004
************************************************************************************
Hotfix: SG8000-20040715-00 - Entrust updates
************************************************************************************
This document contains the following information about the Symantec Gateway Security 2.0 - Model 5400 Series:
* Prerequisites
* Included modules
* Fix description
* Installation instructions
* Uninstallation instructions
************************************************************************************
Prerequisites:
HB8000-20031023-00 - December 2003 patch
SG8000-20040405-00 - April 2004 patch
************************************************************************************
Included modules:
isakmpd
libEntrust.so
libkmp.so
************************************************************************************
Fix description:
Corrects problem with Denial of Service attack reported against isakmpd in CAN-2004-0369.
************************************************************************************
Installation instructions:
The April 2004 patch must be installed prior to installing this hotfix.
To install the patch
1. Download the entrust-sgs20.tgz file to a location that is accessible from the Security Gateway Management Interface (SGMI).
2. In the SGMI, on the Action menu, click HotFix.
3. In the left pane of the Hotfix Management window, click Install hotfix.
4. In the right pane of the Hotfix Management window, click Browse.
5. In the Choose file dialog box, browse to and select the entrust-sgs20.tgz file, and then click Open.
6. In the right pane of the Hotfix Management window, click Install.
7. Wait until a message appears in the right pane of the Hotfix Management window. (Note: there is no visible indication of activity.)
8. If the message includes a "Restart" link, click the link and wait until the "Security gateway is restarting" message appears.
9. Close the Hotfix Management window.
************************************************************************************
Uninstallation instructions:
To uninstall the patch
1. In the SGMI, on the Action menu, click HotFix.
2. In the left pane of the Hotfix Management window, click Uninstall hotfix.
3. In the right pane of the Hotfix Management window, click the radio button next to hotfix ID SG8000-20040715-00.
4. In the right pane of the Hotfix Management window, click Uninstall.
5. Wait until a message appears in the right pane of the Hotfix Management window. (Note: there is no visible indication of activity.)
6. If the message includes a "Restart" link, click the link and wait until the "Security gateway is restarting" message appears.
7. Close the Hotfix Management window.
************************************************************************************
Connect to Symantec Gateway Security (SGS) using the SRMC. Connect to the VelociRaptor using the SRMC. Right-click the VelociRaptor icon. Browse to the location of the *.tgz file. Select Open to load the patch. Answer "No" when asked if you want to reboot the system. Connect to the VelociRaptor using the SRMC. Right-click the VelociRaptor. Select All Tasks > SRL Client. Log into the system. Type: cd /usr/vr/hotfixes/SG7004-20040715-00 and press Enter. Type: ./Uninstall and press Enter.
VAR-200412-0206 CVE-2004-1458 Cisco Secure ACS NOVELL Directory Service Verification Bypass Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The CSAdmin web administration interface for Cisco Secure Access Control Server (ACS) 3.2(2) build 15 allows remote attackers to cause a denial of service (hang) via a flood of TCP connections to port 2002. Cisco Secure Access Control Server and Secure Access Control Server Solution Engine are reported prone to multiple vulnerabilities. Cisco Secure ACS is reported prone to another denial of service vulnerability when handling Light Extensible Authentication Protocol (LEAP) authentication requests. Cisco Secure ACS is reported prone to an authentication bypass vulnerability when configured to communicate to a Novell Directory Services (NDS) database for authenticating NDS users. ACS also supports authentication against Novell Directory Services; in that mode, wrong passwords and unknown usernames are still rejected.
VAR-200410-0022 CVE-2004-0798 Ipswitch WhatsUp Gold Remote Buffer Overflow Vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in the _maincfgret.cgi script for Ipswitch WhatsUp Gold before 8.03 Hotfix 1 allows remote attackers to execute arbitrary code via a long instancename parameter. Ipswitch WhatsUp Gold is affected by a remote buffer-overflow vulnerability because the application fails to properly validate user-supplied string lengths before copying them into static process buffers. An attacker might leverage this issue to execute arbitrary code on the affected computer with the privileges of the user that started the vulnerable application. The software supports the performance management of networks, servers, virtual environments and applications. The _maincfgret.cgi program of WhatsUp Gold does not correctly check and filter the instancename parameter submitted by the user.

I. BACKGROUND
Ipswitch WhatsUp Gold is a Microsoft Windows based network monitoring application. More information is available at: http://www.Ipswitch.com/products/whatsup/index.html
II. The problem specifically exists in the _maincfgret.cgi script accessible through the web server installed by WhatsUp Gold.
III. The WhatsUp Gold web server is not enabled by default.
IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability against WhatsUp Gold version 8.03. iDEFENSE has confirmed that the latest version of WhatsUp Gold, version 8.03 Hotfix 1, is not vulnerable.
V. WORKAROUND
Disable the WhatsUp Gold web server if it is not required.
VI.
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0798 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
08/12/2004 Initial vendor notification
08/12/2004 iDEFENSE clients notified
08/12/2004 Initial vendor response
08/25/2004 Public disclosure
IX. CREDIT
The discoverer wishes to remain anonymous.
Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp
X. LEGAL NOTICES
Copyright (c) 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
VAR-200412-0207 CVE-2004-1459 Cisco Secure ACS NOVELL Directory Service Verification Bypass Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Secure Access Control Server (ACS) 3.2, when configured as a Light Extensible Authentication Protocol (LEAP) RADIUS proxy, allows remote attackers to cause a denial of service (device crash) via certain LEAP authentication requests. Cisco Secure Access Control Server and Secure Access Control Server Solution Engine are reported prone to multiple vulnerabilities. These vulnerabilities may allow remote attackers to cause denial of service conditions and gain unauthorized access to AAA clients and the ACS administration interface. The following specific vulnerabilities were reported by the vendor: A remote attacker can trigger a denial of service condition in ACS Windows and ACS Solution Engine by establishing a large number of TCP connections to the CSAdmin application. Cisco Secure ACS is reported prone to an authentication bypass vulnerability when configured to communicate to a Novell Directory Services (NDS) database for authenticating NDS users. Another vulnerability affecting ACS may allow remote attackers to gain unauthenticated access to the administration interface of the service. ACS also supports authentication against Novell Directory Services; in that mode, wrong passwords and unknown usernames are still rejected.
VAR-200412-0209 CVE-2004-1461 Cisco Secure ACS NOVELL Directory Service Verification Bypass Vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco Secure Access Control Server (ACS) 3.2(3) and earlier spawns a separate unauthenticated TCP connection on a random port when a user authenticates to the ACS GUI, which allows remote attackers to bypass authentication by connecting to that port from the same IP address. Cisco Secure Access Control Server and Secure Access Control Server Solution Engine are reported prone to multiple vulnerabilities. These vulnerabilities may allow remote attackers to cause denial of service conditions and gain unauthorized access to AAA clients and the ACS administration interface. The following specific vulnerabilities were reported by the vendor: A remote attacker can trigger a denial of service condition in ACS Windows and ACS Solution Engine by establishing a large number of TCP connections to the CSAdmin application. Cisco Secure ACS is reported prone to another denial of service vulnerability when handling Light Extensible Authentication Protocol (LEAP) authentication requests. Cisco Secure ACS is reported prone to an authentication bypass vulnerability when configured to communicate to a Novell Directory Services (NDS) database for authenticating NDS users. Another vulnerability affecting ACS may allow remote attackers to gain unauthenticated access to the administration interface of the service. ACS also supports authentication against Novell Directory Services; in that mode, wrong passwords and unknown usernames are still rejected.
VAR-200412-0208 CVE-2004-1460 Cisco Secure ACS NOVELL Directory Service Verification Bypass Vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco Secure Access Control Server (ACS) 3.2(3) and earlier, when configured with an anonymous bind in Novell Directory Services (NDS) and authenticating NDS users with NDS, allows remote attackers to gain unauthorized access to AAA clients via a blank password. Cisco Secure Access Control Server and Secure Access Control Server Solution Engine are reported prone to multiple vulnerabilities. The following specific vulnerabilities were reported by the vendor: A remote attacker can trigger a denial of service condition in ACS Windows and ACS Solution Engine by establishing a large number of TCP connections to the CSAdmin application. Cisco Secure ACS is reported prone to another denial of service vulnerability when handling Light Extensible Authentication Protocol (LEAP) authentication requests. Another vulnerability affecting ACS may allow remote attackers to gain unauthenticated access to the administration interface of the service. ACS also supports authentication against Novell Directory Services; in that mode, wrong passwords and unknown usernames are still rejected, while a blank password is not.
VAR-200412-0391 CVE-2004-2425 Axis Network Camera And Video Server Multiple Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-200408-0043
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to execute arbitrary commands via accent (`) and possibly other shell metacharacters in the query string to virtualinput.cgi. Multiple vulnerabilities are reported to reside in multiple Axis network video and camera servers:
1. A shell metacharacter command-execution vulnerability allows an anonymous user to download the contents of the '/etc/passwd' file on the device. Other commands are also likely to work, facilitating other attacks. This issue is reported to affect:
- Axis 2100, 2110, 2120, 2420 network cameras with firmware versions 2.34 through 2.40
- Axis 2130 network cameras
- Axis 2401 and 2401 video servers
2. A directory-traversal vulnerability in HTTP POST requests. This attack is demonstrated by an anonymous user calling protected administration scripts. This bypasses authentication checks and gives anonymous users remote administration of the devices. This issue is reported to affect:
- Axis 2100, 2110, 2120, 2420 network cameras with firmware versions 2.12 through 2.40
- Axis 2130 network cameras
- Axis 2401 and 2401 video servers
3. A hardcoded backdoor administrative-user issue allows remote attackers to administer affected devices. This likely cannot be disabled. This issue is reported to affect:
- Axis StorePoint CD E100 CD-ROM Server with firmware version 5.30
Other products and versions of firmware are likely affected by one or more of these vulnerabilities.
VAR-200412-0392 CVE-2004-2426 Axis Network Camera And Video Server Multiple Vulnerabilities
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to bypass authentication via a .. (dot dot) in an HTTP POST request to ServerManager.srv, then use these privileges to conduct other activities, such as modifying files using editcgi.cgi.
1. A shell metacharacter command-execution vulnerability allows an anonymous user to download the contents of the '/etc/passwd' file on the device. Other commands are also likely to work, facilitating other attacks. This issue is reported to affect:
- Axis 2100, 2110, 2120, 2420 network cameras with firmware versions 2.34 through 2.40
- Axis 2130 network cameras
- Axis 2401 and 2401 video servers
2. A directory-traversal vulnerability in HTTP POST requests. This attack is demonstrated by an anonymous user calling protected administration scripts. This bypasses authentication checks and gives anonymous users remote administration of the devices. This issue is reported to affect:
- Axis 2100, 2110, 2120, 2420 network cameras with firmware versions 2.12 through 2.40
- Axis 2130 network cameras
- Axis 2401 and 2401 video servers
3. A hardcoded backdoor administrative-user issue allows remote attackers to administer affected devices. This likely cannot be disabled. This issue is reported to affect:
- Axis StorePoint CD E100 CD-ROM Server with firmware version 5.30
Other products and versions of firmware are likely affected by one or more of these vulnerabilities.
VAR-200408-0113 CVE-2004-0518 Vulnerability in Apple's Apple Mac OS X and Apple Mac OS X Server
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Unknown vulnerability in AppleFileServer for Mac OS X 10.3.4, related to "the use of SSH and reporting errors," has unknown impact and attack vectors. Unspecified vulnerabilities exist in Apple's Apple Mac OS X and Apple Mac OS X Server.
VAR-200412-0202 CVE-2004-1454 Cisco IOS fails to properly handle malformed OSPF packets
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco IOS 12.0S, 12.2, and 12.3, with Open Shortest Path First (OSPF) enabled, allows remote attackers to cause a denial of service (device reload) via a malformed OSPF packet. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow remote attackers to conduct denial-of-service attacks on an affected device. Cisco IOS is reported prone to a remote denial of service vulnerability. A remote attacker may exploit this condition in multiple routers that reside on the same network segment as the attacker, to trigger a device reset. The attacker may continuously transmit malicious OSPF packets to the target routers in order to effectively deny network services to legitimate hosts. Cisco IOS is the operating system that runs on many Cisco devices. There is a problem in how Cisco IOS processes malformed OSPF packets. OSPF is a routing protocol defined by RFC 2328, designed to manage IP routing within an autonomous system (AS). Some Cisco IOS releases have a flaw in the processing of OSPF packets that can lead to system overload. To successfully exploit this vulnerability, an attacker must know several parameters configured on the interface, such as the OSPF area number, netmask, and hello and dead timers.
VAR-200408-0245 No CVE Netgear DG834G Zebra Process Default Account Password Vulnerability
CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The NETGEAR DG834G is a router. The NETGEAR DG834G has a default account that can be exploited by remote attackers to modify device settings. Requesting a URL of the form http://192.168.0.1/setup.cgi?todo=debug from the NETGEAR DG834G web service starts the router's debug mode, after which Telnet on port 23 yields a root shell; the Zebra service is then accessible with its default password "Zebra", so an attacker can modify the device settings. It is reported that Netgear DG834G devices contain a default password for their Zebra process. Zebra is a dynamic routing daemon, and contains a telnet-accessible configuration shell. It is reported that Zebra listens on both the WAN and the internal network interfaces. By gaining administrative access to Zebra, an attacker has the ability to modify network routes on the device, possibly redirecting traffic or denying network service to legitimate users. They may also be able to exploit latent vulnerabilities in Zebra itself. Due to code reuse, it is possible that other devices similar to this one are also affected.
VAR-200411-0017 CVE-2004-0743 Apple Safari fails to properly handle form data in HTTP redirects
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Safari in Mac OS X before 10.3.5, after sending form data using the POST method, may re-send the data to a GET method URL if that URL is redirected after the POST data and the user uses the forward or backward buttons, which may cause an information leak. There is a vulnerability in the way Safari handles form data that may expose sensitive information when the forward/backward buttons are used. Apple has released Mac OS X 10.3.5. This release addresses a number of security vulnerabilities. A denial-of-service vulnerability in the operating system may allow a remote attacker to disable network traffic. These issues have been addressed in Mac OS X 10.3.5. Individual BIDs will be created upon further analysis. There is a security problem in the Safari browser. Apple reports that when a form is submitted using a POST request, and then the web server returns an HTTP redirect to the GET URL, under some conditions, the browser will re-POST the form data to the GET URL. This can be triggered by the forward/back buttons
VAR-200411-0018 CVE-2004-0744 Apple Mac OS X vulnerability in which a Rose Attack consumes large amounts of system memory
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The TCP/IP Networking component in Mac OS X before 10.3.5 allows remote attackers to cause a denial of service (memory and resource consumption) via a "Rose Attack" that involves sending a subset of small IP fragments that do not form a complete, larger packet. The TCP/IP implementation in Apple Mac OS X has a flaw in its handling of certain fragmented SYN packets. When a large number of SYN packets whose fragment offsets differ excessively are processed, system resources are consumed excessively. A third party could thereby cause excessive CPU consumption or disrupt network operation, resulting in a denial of service (DoS). Apple has released Mac OS X 10.3.5. This release addresses a number of security vulnerabilities. The following new issues were reported: A remote vulnerability in the Apple Safari Web browser may allow a remote attacker to steal potentially sensitive form data. A denial-of-service vulnerability in the operating system may allow a remote attacker to disable network traffic. These issues have been addressed in Mac OS X 10.3.5. Individual BIDs will be created upon further analysis. There is an issue in the implementation of the Mac OS X TCP/IP stack, which can be exploited by a remote attacker to perform a denial of service attack on the system.

TITLE: HP-UX TCP/IP "Rose Attack" Denial of Service Vulnerability
SECUNIA ADVISORY ID: SA18082
VERIFY ADVISORY: http://secunia.com/advisories/18082/
CRITICAL: Moderately critical
IMPACT: DoS
WHERE: From remote
OPERATING SYSTEM: HP-UX 11.x http://secunia.com/product/138/
DESCRIPTION: A vulnerability has been reported in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the handling of specially crafted IP fragments. This can be exploited by sending a sequence of specially crafted IP fragments to cause the system to use too much system resources, potentially resulting in DoS. This is commonly known as the "Rose Attack". The vulnerability has been reported in versions B.11.00, B.11.04, B.11.11, and B.11.23 running TCP/IP.
SOLUTION: Apply updates. http://www.hp.com/go/softwaredepot
HP-UX B.11.00: Install PHNE_33395 or later, and run "sqmax 1000".
HP-UX B.11.04: Install PHNE_33427 or later, and run "sqmax 1000".
HP-UX B.11.11: Install PHNE_31091 or later, and run "sqmax 1000".
HP-UX B.11.23: Install PHKL_31500. Alternatively, install IPF-HP revision A.03.05.10.02 or later.
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: HPSBUX02087 SSRT4728: http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00579189