VARIoT IoT vulnerabilities database


VAR-200412-0836 CVE-2004-2532 SolarWinds Serv-U File Server Trust Management Issue Vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Serv-U FTP server before 5.1.0.0 has a default account and password for local administration, which allows local users to execute arbitrary commands by connecting to the server using the default administrator account, creating a new user, logging in as that new user, and then using the SITE EXEC command. The weak account can be used to log into the site maintenance interface on the loopback interface only, and to create user accounts
VAR-200412-0184 CVE-2004-1483 The ActiveX and HTML file browsers of the Symantec 4400 Series Clientless VPN Gateway contain various unspecified vulnerabilities
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Multiple unknown vulnerabilities in the ActiveX and HTML file browsers in Symantec Clientless VPN Gateway 4400 Series 5.0 have unknown attack vectors and unknown impact. The issues include multiple vulnerabilities related to the ActiveX and HTML file browser, cross-site scripting vulnerabilities in the end user interface, and a vulnerability in the end user interface that will allow an unauthorized user to change another user's single signon information. Remote attackers can use this vulnerability to modify other users' authentication information. No detailed vulnerability details are currently available. Cross-site scripting issues have also been reported by end users.

2) Various unspecified input validation errors within the end user UI can be exploited to conduct cross-site scripting attacks.

3) An error within the end user UI can be exploited by malicious users to manipulate other users' signon information (including username and password).

SOLUTION: A hotfix is available: ftp://ftp.symantec.com/public/english_us_canada/products/sym_clientless_vpn/sym_clientless_vpn_5/updates/SCVG5-20040806-00.tgz

PROVIDED AND/OR DISCOVERED BY: Reported by vendor.

ORIGINAL ADVISORY: ftp://ftp.symantec.com/public/english_us_canada/products/sym_clientless_vpn/sym_clientless_vpn_5/updates/hf3-readme.txt
VAR-200408-0069 CVE-2004-0683 Symantec Norton AntiVirus 2002 and 2003 Denial of service vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Symantec Norton AntiVirus 2002 and 2003 allows remote attackers to cause a denial of service (CPU consumption) via a compressed archive that contains a large number of directories. Norton AntiVirus 2003 Professional Edition is prone to a denial-of-service vulnerability
VAR-200408-0052 CVE-2004-0641 Thomson SpeedTouch Home ADSL Modem predictable TCP Sequence Number vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Thomson SpeedTouch 510 ADSL Router with firmware GV8BAA3.270, and possibly earlier versions, generates predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections. The ability to predict TCP sequence numbers may allow a remote attacker to inject packets into a vulnerable data stream, for example the telnet service on the affected modem. Remote attackers can use this vulnerability to carry out TCP communication forgery attacks. Because the device's TCP initial sequence numbers can be guessed, an attacker can forge traffic to disrupt the ADSL modem's communication or to hijack the device.

I. BACKGROUND

The Thomson (formerly Alcatel) SpeedTouch is an ADSL router for home and business providing a continuously available, "always on," connection. More information about the product can be found at http://www.speedtouchdsl.com/.

II. The problem specifically exists due to the predictable nature of the TCP Initial Sequence Number (ISN) generator on the device. The following sanitized tcpdump output demonstrates the existence of the vulnerability when 10 consecutive TCP connection requests are generated for the telnet server (port 23) on the Thomson device:

    48.3 host_a.1096 > host_b.telnet: S
    48.3 host_b.telnet > host_a.1096: S 4081040897:4081040897(0) ack
    48.3 host_a.1096 > host_b.telnet: R
    48.4 host_a.1096 > host_b.telnet: S
    48.4 host_b.telnet > host_a.1096: S 4081104897:4081104897(0) ack
    48.4 host_a.1096 > host_b.telnet: R
    48.6 host_a.1096 > host_b.telnet: S
    48.6 host_b.telnet > host_a.1096: S 4081232897:4081232897(0) ack
    48.6 host_a.1096 > host_b.telnet: R
    48.7 host_a.1096 > host_b.telnet: S
    48.7 host_b.telnet > host_a.1096: S 4081296897:4081296897(0) ack
    48.7 host_a.1096 > host_b.telnet: R
    48.9 host_a.1096 > host_b.telnet: S
    48.9 host_b.telnet > host_a.1096: S 4081360897:4081360897(0) ack
    48.9 host_a.1096 > host_b.telnet: R
    49.0 host_a.1096 > host_b.telnet: S
    49.0 host_b.telnet > host_a.1096: S 4081488897:4081488897(0) ack
    49.0 host_a.1096 > host_b.telnet: R
    49.2 host_a.1096 > host_b.telnet: S
    49.2 host_b.telnet > host_a.1096: S 4081552897:4081552897(0) ack
    49.2 host_a.1096 > host_b.telnet: R
    49.3 host_a.1096 > host_b.telnet: S
    49.3 host_b.telnet > host_a.1096: S 4081616897:4081616897(0) ack
    49.3 host_a.1096 > host_b.telnet: R
    49.5 host_a.1096 > host_b.telnet: S
    49.5 host_b.telnet > host_a.1096: S 4081744897:4081744897(0) ack
    49.5 host_a.1096 > host_b.telnet: R
    49.6 host_a.1096 > host_b.telnet: S
    49.6 host_b.telnet > host_a.1096: S 4081808897:4081808897(0) ack
    49.6 host_a.1096 > host_b.telnet: R

In the above example, host_a is the querying host and host_b is the Thomson device. A clear pattern in ISN generation can be seen as the value increases by approximately 64,000 each millisecond.

III. ANALYSIS

Successful exploitation of weak ISNs for the purpose of connection spoofing is not a trivial task. Successful exploitation allows an attacker to generate traffic on behalf of the affected device. Such an ability is most dangerous when trust paths exist between the affected device and another remote system.

IV. DETECTION

iDEFENSE has verified the existence of this vulnerability in Thomson's SpeedTouch firmware version GV8BAA3.270 (1003825). It is suspected that earlier versions are susceptible to exploitation as well.

V. WORKAROUNDS

Untrusted traffic should be filtered at the network perimeter.

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0641 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VII. DISCLOSURE TIMELINE

06/08/04 Initial vendor contact - no response
06/08/04 iDEFENSE clients notified
06/18/04 Secondary vendor contact - no response
08/05/04 Public disclosure

VIII. CREDIT

The discoverer wishes to remain anonymous.

IX. LEGAL NOTICES

Copyright © 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information
VAR-200412-0212 CVE-2004-1446 Juniper Networks NetScreen firewall contains a DoS vulnerability in the SSHv1 service
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in ScreenOS in Juniper Networks NetScreen firewall 3.x through 5.x allows remote attackers to cause a denial of service (device reboot or hang) via a crafted SSH v1 packet. A vulnerability in the SSHv1 service of NetScreen firewalls could allow an attacker to cause a denial-of-service condition. It is reported that the vulnerability may be triggered by a remote attacker, prior to any form of authentication. NetScreen is a firewall security solution, and its operating system is ScreenOS. The firewall will reboot or hang, stopping normal services
VAR-200409-0025 CVE-2004-0699 Check Point VPN-1 ASN.1 Buffer Overflow Vulnerability

Related entries in the VARIoT exploits database: VAR-E-200407-0196
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Heap-based buffer overflow in ASN.1 decoding library in Check Point VPN-1 products, when Aggressive Mode IKE is implemented, allows remote attackers to execute arbitrary code by initiating an IKE negotiation and then sending an IKE packet with malformed ASN.1 data. A vulnerability exists in Check Point's VPN-1 Server, which is included in many Check Point products. This vulnerability may permit a remote attacker to compromise the gateway system. This issue results from insufficient boundary checks performed by the application when processing user-supplied data. This overflow occurs during the initial key exchange process, and can be triggered with a single UDP packet. Since ISAKMP uses the UDP transport, a spoofed source address can be used in an attack. Check Point reports that for a single packet attack to succeed, VPN-1 must be configured for aggressive mode key exchange. Without aggressive mode, an attacker must initiate a real key negotiation session. This vulnerability can lead to remote code execution in the context of the VPN-1 process. This can lead to a complete system compromise
VAR-200407-0017 CVE-2004-0732 Php-Nuke Search module index.php SQL Injection vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SQL injection vulnerability in index.php in the Search module for Php-Nuke allows remote attackers to execute arbitrary SQL statements via the instory parameter. PHP-Nuke is prone to a sql-injection vulnerability
VAR-200407-0028 CVE-2004-0736 Php-Nuke Information disclosure vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The search module in Php-Nuke allows remote attackers to gain sensitive information via the (1) "**" or (2) "+" search patterns, which reveals the path in an error message. PHP-Nuke is prone to an information disclosure vulnerability. There is a vulnerability in Php-Nuke's search module
VAR-200407-0029 CVE-2004-0737 Php-Nuke Search module index.php Cross-site scripting vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Multiple cross-site scripting vulnerabilities in index.php in the Search module for Php-Nuke allow remote attackers to inject arbitrary web script or HTML via the (1) sid, (2) max, (3) sel1, (4) sel2, (5) sel3, (6) sel4, (7) sel5, (8) match, (9) mod1, (10) mod2, or (11) mod3 parameters. PHP-Nuke is prone to a cross-site scripting vulnerability
VAR-200407-0030 CVE-2004-0738 Php-Nuke SQL Injection vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Multiple SQL injection vulnerabilities in the Search module in Php-Nuke allow remote attackers to execute arbitrary SQL via the (1) min or (2) categ parameters. PHP-Nuke is prone to a sql-injection vulnerability
VAR-200407-0032 CVE-2004-0740 Lexmark printer HTTP Service Remote Denial of Service Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The HTTP server in Lexmark T522 and possibly other models allows remote attackers to cause a denial of service (server crash, reload, or hang) via an HTTP header with a long Host field, possibly triggering a buffer overflow. The T522 Network Printer is prone to a denial-of-service vulnerability. The HTTP service of the Lexmark printer does not process some HTTP requests correctly. Remote attackers can use this vulnerability to carry out a denial of service attack on the printer's web service
VAR-200412-0263 CVE-2004-2486 Dropbear SSH Unknown authentication vulnerability in server digital signature standard
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The DSS verification code in Dropbear SSH Server before 0.43 frees uninitialized variables, which might allow remote attackers to gain access. Dropbear SSH is affected by an unspecified Digital Signature Standard (DSS) authentication vulnerability. The impact of this issue is currently unknown. Presumably, an attacker could use this issue to gain unauthorized access to a computer running the vulnerable application, but this is not confirmed. We will update this BID as more information emerges.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities

Revision 1.0

For Public Release 2008 February 13 1600 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

Cisco Unified IP Phone models contain multiple overflow and denial of service (DoS) vulnerabilities. There are workarounds for several of these vulnerabilities. Cisco has made free software available to address this issue for affected customers.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following Cisco Unified IP Phone devices running Skinny Client Control Protocol (SCCP) firmware:

* 7906G
* 7911G
* 7935
* 7936
* 7940
* 7940G
* 7941G
* 7960
* 7960G
* 7961G
* 7970G
* 7971G

The following Cisco Unified IP Phone devices running Session Initiation Protocol (SIP) firmware:

* 7940
* 7940G
* 7960
* 7960G

The version of firmware running on an IP Phone can be determined via the Settings menu on the phone or via the phone HTTP interface.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are known to be vulnerable. This includes the following Cisco Unified IP Phone devices:

* 7931
* 7937
* 7942
* 7945
* 7965
* 7975

Details
=======

SCCP and SIP-Related Vulnerabilities

* DNS Response Parsing Overflow

Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SCCP and SIP firmware contain a buffer overflow vulnerability in the handling of DNS responses. A specially-crafted DNS response may be able to trigger a buffer overflow and execute arbitrary code on a vulnerable phone. This vulnerability is corrected in SCCP firmware version 8.0(8) and SIP firmware version 8.8(0). This vulnerability is documented in CVE-2008-0530 and Cisco Bug IDs CSCsj74818 and CSCsk21863.

SCCP-Only Related Vulnerabilities

* Large ICMP Echo Request DoS

Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SCCP firmware contain a DoS vulnerability. It is possible to cause a vulnerable device to reboot by sending a large ICMP echo request packet. This vulnerability is corrected in SCCP firmware version 8.0(6). This vulnerability is documented in CVE-2008-0526 and Cisco Bug ID CSCsh71110.

* HTTP Server DoS

Cisco Unified IP Phone 7935 and 7936 devices running SCCP firmware contain a DoS vulnerability in their internal HTTP server. By sending a specially crafted HTTP request to TCP port 80 on a vulnerable phone, it may be possible to cause the phone to reboot. It is possible to work around this issue by disabling the internal HTTP server on vulnerable phones. The internal HTTP server only listens to TCP port 80. This vulnerability is corrected in SCCP firmware version 3.2(17) for 7935 devices and SCCP firmware version 3.3(15) for 7936 devices. This vulnerability is documented in CVE-2008-0527 and Cisco Bug ID CSCsk20026.

* SSH Server DoS

Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G and 7971G devices running SCCP firmware contain a buffer overflow vulnerability in their internal Secure Shell (SSH) server. By sending a specially crafted packet to TCP port 22 on a vulnerable phone, it may be possible for an unauthenticated attacker to cause the phone to reboot. It may also be possible for an unauthenticated attacker to execute arbitrary code with system privileges. It is possible to work around this issue by disabling the internal SSH server on vulnerable phones. The internal SSH server only listens to TCP port 22. This vulnerability is corrected in SCCP firmware version 8.2(2)SR2. This vulnerability is documented in CVE-2004-2486 and Cisco Bug ID CSCsh79629.

SIP-Only Related Vulnerabilities

* SIP MIME Boundary Overflow

Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SIP firmware contain a buffer overflow vulnerability in the handling of Multipurpose Internet Mail Extensions (MIME) encoded data. By sending a specially crafted SIP message to a vulnerable phone, it may be possible to trigger a buffer overflow and execute arbitrary code on the phone. This vulnerability is corrected in SIP firmware version 8.8(0). This vulnerability is documented in CVE-2008-0528 and Cisco Bug ID CSCsj74786.

* Telnet Server Overflow

Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SIP firmware contain a buffer overflow vulnerability in their internal telnet server. The telnet server is disabled by default and can be configured to allow either privileged or unprivileged user-level access. If the telnet server is enabled for privileged or unprivileged access, the phone password parameter must additionally be configured to permit telnet access. By entering a specially crafted command on a phone configured to permit unprivileged access, it may be possible for an unprivileged-level, authenticated user to trigger a buffer overflow and obtain privileged-level access to the phone. It is possible to work around this issue by disabling the internal telnet server on vulnerable phones. This vulnerability is corrected in SIP firmware version 8.8(0). This vulnerability is documented in CVE-2008-0529 and Cisco Bug ID CSCsj78359.

* SIP Proxy Response Overflow

Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SIP firmware contain a heap overflow vulnerability in the handling of a challenge/response message from a SIP proxy. If an attacker controls the SIP proxy to which a vulnerable phone is registered or attempts to register, or the attacker can act as a man-in-the-middle, it may be possible to send a malicious challenge/response message to a phone and execute arbitrary code. This vulnerability is corrected in SIP firmware version 8.8(0). This vulnerability is documented in CVE-2008-0531 and Cisco Bug ID CSCsj74765.

Vulnerability Scoring Details
=============================

Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

CSCsj74818 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete
CVSS Temporal Score - 8.3
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsk21863 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete
CVSS Temporal Score - 8.3
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsh71110 - 7940/7960 IP Phone ICMP Denial of Service
CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete
CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsk20026 - IP Phone HTTP Vulnerability
CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete
CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsh79629 - TNP Phone SSH Vulnerability
CVSS Base Score - 10.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete
CVSS Temporal Score - 8.3
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsj74786 - SIP Mime Boundary Overflow
CVSS Base Score - 10.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete
CVSS Temporal Score - 8.3
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsj78359 - SIP 40/60:Telnet access stack overflow
CVSS Base Score - 8.5
    Access Vector - Network
    Access Complexity - Medium
    Authentication - Single
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete
CVSS Temporal Score - 7
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsj74765 - SIP Proxy Response Overflow
CVSS Base Score - 7.3
    Access Vector - Network
    Access Complexity - High
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete
CVSS Temporal Score - 6.3
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of these vulnerabilities may cause vulnerable IP phone devices to reboot which will interrupt client voice services and, in some cases, allow the execution of arbitrary code.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

Workarounds
===========

Workarounds are available for several of the vulnerabilities.
Disabling unnecessary internal phone Telnet and HTTP servers will eliminate exposure to the Telnet Server overflow and HTTP Server DoS vulnerabilities.

It is possible to mitigate these vulnerabilities with access control lists (ACL). Filters that deny ICMP Echo Request, TCP port 22 (SSH), TCP port 23 (Telnet), TCP port 80 (HTTP), TCP/UDP port 53 (DNS) and TCP/UDP port 5060 (SIP) should be deployed at voice/data network boundaries as part of a tACL policy for protection of traffic which enters the network at ingress access points. This policy should be configured to protect the network device and other devices behind it where the filter is applied. Additional information about tACLs is available in "Transit Access Control Lists: Filtering at Your Edge": http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20080116-phone.shtml

Obtaining Fixed Software
========================

Cisco will make free software available to address this vulnerability for affected customers. This advisory will be updated as fixed software becomes available. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html , or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Fixed Firmware for SCCP-Related Vulnerabilities

For the Large ICMP Echo DoS, fixed SCCP firmware version 8.0(6) and later for Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices is available.

For the HTTP Server DoS, fixed SCCP firmware version 3.2(17) and later for Cisco Unified IP Phone 7935 devices and fixed SCCP firmware 3.3(15) and later for Cisco Unified IP Phone 7936 devices are available.

For the SSH Server DoS, fixed SCCP firmware version 8.2(2)SR2 and later for Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G and 7971G devices is available.

For the DNS Response Parsing overflow, fixed SCCP firmware version 8.0(8) and later for Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices is available.

Fixed firmware for all SCCP-related vulnerabilities can be obtained here: http://www.cisco.com/pcgi-bin/tablebuild.pl/ip-7900ser?psrtdcat20e2

Fixed Firmware for SIP-Related Vulnerabilities

All the SIP-related vulnerabilities referenced in this advisory are fixed in SIP firmware version 8.0(6) and later for Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices, which can be obtained here: http://www.cisco.com/pcgi-bin/tablebuild.pl/sip-ip-phone7960?psrtdcat20e2

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com

Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

The SIP MIME Boundary, Telnet Server, DNS Response Parsing and SIP Proxy Response overflows were reported to Cisco by Jon Griffin and Mustaque Ahamad of the School of Computer Science at the Georgia Institute of Technology. The HTTP Server DoS was reported to Cisco by Sven Weizenegger of T-Systems. The Large ICMP Echo Request DoS vulnerability was reported to Cisco by a customer. The SSH Server DoS was discovered internally by Cisco.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+--------------------------------------------------------+
| Revision 1.0 | 2008-February-13 | Initial public release. |
+--------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----

iD8DBQFHsxkJ86n/Gc8U/uARAkIXAJ45lC0HwhFYS0qwgFMkWfvvnyeoBgCglw0y
ePH+n78tRXxwRSzEPmNJcak=
=YQOM
-----END PGP SIGNATURE-----
VAR-200412-0964 CVE-2004-2048 eSeSIX Thintune Thin client device multiple security vulnerabilities CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
radmin in eSeSIX Thintune thin clients running firmware 2.4.38 and earlier starts a process on port 25072 that can be accessed with a default "jstwo" password, which allows remote attackers to gain access. Thintune Linux-based devices are reported prone to multiple vulnerabilities. These issues can allow remote attackers to gain complete access to a vulnerable device. The issues include backdoor accounts that can be accessed over the network and an information disclosure issue that can disclose user accounts and passwords. Thintune devices with firmware version 2.4.38 and prior are affected by these issues. Reportedly, Thintune devices based on Windows CE are not affected. eSeSIX Thintune is a series of thin client devices developed by eSeSIX GmbH, running a custom Linux platform with ICA, RDP, X11 and SSH support. The first issue is the radmin service described above: it listens on port 25072 and accepts the default "jstwo" password, giving remote attackers access to the device (CVE-2004-2048). The second issue is password disclosure: the Keeper library stores all JStream configuration settings in files under /root/.keeper/, and these can be read either by browsing the local file system or remotely with the "getreg" command offered by the radmin service from the first issue, exposing the VNC, control center and screen saver passwords (CVE-2004-2049). The third issue is a hard-coded password in lshell: any local user can press <CTRL><SHIFT><ALT><DEL> and enter the "maertsJ" password to obtain a root shell (CVE-2004-2050). The fourth issue is plaintext password disclosure through the bundled Phoenix web browser: entering a file:/// URL lists the local file system, so a local user can read sensitive files, including the Keeper configuration, from the browser (CVE-2004-2051). The fifth issue is an incorrect password check that appears to compare only a prefix of the supplied string: if the password is set to "a", any input beginning with "a", such as "automobile", "any" or "afternoon", is accepted as valid.
VAR-200412-0966 CVE-2004-2050 eSeSIX Thintune Thin client device multiple security vulnerabilities CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
eSeSIX Thintune thin clients running firmware 2.4.38 and earlier allow local users to gain privileges by pressing CTRL-SHIFT-ALT-DEL and entering the "maertsJ" password, which is hard-coded into lshell. Thintune Linux-based devices are reported prone to multiple vulnerabilities. These issues can allow remote attackers to gain complete access to a vulnerable device. The issues include backdoor accounts that can be accessed over the network and an information disclosure issue that can disclose user accounts and passwords. Thintune devices with firmware version 2.4.38 and prior are affected by these issues. Reportedly, Thintune devices based on Windows CE are not affected. eSeSIX Thintune is a series of thin client devices developed by eSeSIX GmbH, running a custom Linux platform with ICA, RDP, X11 and SSH support. The first issue is the radmin service: it listens on port 25072 and accepts a default "jstwo" password, giving remote attackers access to the device (CVE-2004-2048). The second issue is password disclosure: the Keeper library stores all JStream configuration settings in files under /root/.keeper/, and these can be read either by browsing the local file system or remotely with the "getreg" command offered by the radmin service from the first issue, exposing the VNC, control center and screen saver passwords (CVE-2004-2049). The third issue is the hard-coded password in lshell described above: any local user can press <CTRL><SHIFT><ALT><DEL> and enter the "maertsJ" password to obtain a root shell (CVE-2004-2050). The fourth issue is plaintext password disclosure through the bundled Phoenix web browser: entering a file:/// URL lists the local file system, so a local user can read sensitive files, including the Keeper configuration, from the browser (CVE-2004-2051). The fifth issue is an incorrect password check that appears to compare only a prefix of the supplied string: if the password is set to "a", any input beginning with "a", such as "automobile", "any" or "afternoon", is accepted as valid.
VAR-200412-0965 CVE-2004-2049 eSeSIX Thintune Thin client device multiple security vulnerabilities CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
eSeSIX Thintune thin clients running firmware 2.4.38 and earlier store sensitive usernames and passwords in cleartext in configuration files for the Keeper library, which allows attackers to gain access. Thintune Linux-based devices are reported prone to multiple vulnerabilities. These issues can allow remote attackers to gain complete access to a vulnerable device. The issues include backdoor accounts that can be accessed over the network and an information disclosure issue that can disclose user accounts and passwords. Thintune devices with firmware version 2.4.38 and prior are affected by these issues. Reportedly, Thintune devices based on Windows CE are not affected. eSeSIX Thintune is a series of thin client devices developed by eSeSIX GmbH, running a custom Linux platform with ICA, RDP, X11 and SSH support. The first issue is the radmin service: it listens on port 25072 and accepts a default "jstwo" password, giving remote attackers access to the device (CVE-2004-2048). The second issue is the password disclosure described above: the Keeper library stores all JStream configuration settings in files under /root/.keeper/, and these can be read either by browsing the local file system or remotely with the "getreg" command offered by the radmin service from the first issue, exposing the VNC, control center and screen saver passwords (CVE-2004-2049). The third issue is a hard-coded password in lshell: any local user can press <CTRL><SHIFT><ALT><DEL> and enter the "maertsJ" password to obtain a root shell (CVE-2004-2050). The fourth issue is plaintext password disclosure through the bundled Phoenix web browser: entering a file:/// URL lists the local file system, so a local user can read sensitive files, including the Keeper configuration, from the browser (CVE-2004-2051). The fifth issue is an incorrect password check that appears to compare only a prefix of the supplied string: if the password is set to "a", any input beginning with "a", such as "automobile", "any" or "afternoon", is accepted as valid.
VAR-200407-0095 CVE-2004-2051 eSeSIX Thintune Thin client device multiple security vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Phoenix browser in eSeSIX Thintune thin clients running firmware 2.4.38 and earlier allows local users to read arbitrary files via a file:/// URL. Thintune Linux-based devices are reported prone to multiple vulnerabilities. These issues can allow remote attackers to gain complete access to a vulnerable device. The issues include backdoor accounts that can be accessed over the network and an information disclosure issue that can disclose user accounts and passwords. Thintune devices with firmware version 2.4.38 and prior are affected by these issues. Reportedly, Thintune devices based on Windows CE are not affected. eSeSIX Thintune is a series of thin client devices developed by eSeSIX GmbH, running a custom Linux platform with ICA, RDP, X11 and SSH support. The first issue is the radmin service: it listens on port 25072 and accepts a default "jstwo" password, giving remote attackers access to the device (CVE-2004-2048). The second issue is password disclosure: the Keeper library stores all JStream configuration settings in files under /root/.keeper/, and these can be read either by browsing the local file system or remotely with the "getreg" command offered by the radmin service from the first issue, exposing the VNC, control center and screen saver passwords (CVE-2004-2049). The third issue is a hard-coded password in lshell: any local user can press <CTRL><SHIFT><ALT><DEL> and enter the "maertsJ" password to obtain a root shell (CVE-2004-2050). The fourth issue is the Phoenix browser file disclosure described above: entering a file:/// URL lists the local file system, so a local user can read sensitive files, including the Keeper configuration, from the browser (CVE-2004-2051). The fifth issue is an incorrect password check that appears to compare only a prefix of the supplied string: if the password is set to "a", any input beginning with "a", such as "automobile", "any" or "afternoon", is accepted as valid.
VAR-200412-0194 CVE-2004-1432 Multiple Cisco ONS control cards fail to properly handle malformed TCP packets CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.6(0) and 4.6(1), 4.5(x), 4.1(0) to 4.1(3), 4.0(0) to 4.0(2), and earlier versions, allow remote attackers to cause a denial of service (control card reset) via malformed (1) IP or (2) ICMP packets. A vulnerability exists in multiple control cards used by Cisco ONS devices. This vulnerability could allow a remote attacker to cause a denial-of-service condition. Most of the reported issues are related to handling of malformed packets, resulting in a denial of service condition. However, an authentication bypass vulnerability has also been reported to affect some platforms. Attackers can send malformed IP, ICMP, TCP and UDP packets to cause XTC, TCC/TCC+/TCC2 and TCCi/TCC2 control cards to reboot. Repeated issuance of these malformed packets can cause the control card to stop responding to normal services. Bug CSCee27329 (passwd) is an authentication bypass: when an account is configured with an empty password, logging in to that account with any password longer than 10 characters succeeds. This bug affects only the TL1 login interface; the CTC login interface is not affected.
VAR-200412-0962 CVE-2004-2045 Conceptronic CADSLR1 ADSL Router Service Rejection Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The HTTP administration interface on the Conceptronic CADSLR1 ADSL router running firmware 3.04n allows remote attackers to cause a denial of service (device reboot) via an HTTP request with a long username. The Conceptronic CADSLR1 router is reported to contain a denial of service vulnerability. This vulnerability reportedly presents itself in the embedded HTTP server used for web-based administration of the router. When presented with a large malformed request, the device will reportedly crash and reboot. This vulnerability could be exploited by a remote attacker to deny service to legitimate users. Due to code reuse across products, other Conceptronic devices may also be vulnerable to similar issues. TITLE: Conceptronic CADSLR1 Router Denial of Service Vulnerability SECUNIA ADVISORY ID: SA12110 VERIFY ADVISORY: http://secunia.com/advisories/12110/ CRITICAL: Less critical IMPACT: DoS WHERE: From local network OPERATING SYSTEM: Conceptronic CADSLR1 http://secunia.com/product/3707/ DESCRIPTION: Jordi Corrales has reported a vulnerability in CADSLR1, allowing malicious people to cause a Denial of Service. The problem is that the device fails to handle HTTP requests with a long username (65535 characters). This causes the device to reboot. This has been reported to affect devices running firmware version 3.04n. Prior versions may also be affected. SOLUTION: Filter access to the device or disable the HTTP service. PROVIDED AND/OR DISCOVERED BY: Jordi Corrales
VAR-200412-0198 CVE-2004-1436 Multiple Cisco ONS control cards fail to properly handle malformed TCP packets CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The Transaction Language 1 (TL1) login interface in Cisco ONS 15327 4.6(0) and 4.6(1) and ONS 15454 and 15454 SDH 4.6(0) and 4.6(1), when a user account is configured with a blank password, allows remote attackers to gain unauthorized access by logging in with a password longer than 10 characters. The control cards used by these Cisco ONS devices are affected by multiple issues. Most of the reported issues are related to handling of malformed packets, resulting in a denial of service condition; the authentication bypass described here has also been reported to affect some platforms. Attackers can send malformed IP, ICMP, TCP and UDP packets to cause XTC, TCC/TCC+/TCC2 and TCCi/TCC2 control cards to reboot. Repeated issuance of these malformed packets can cause the control card to stop responding to normal services. Bug CSCee27329 (passwd) is the authentication bypass: when an account is configured with an empty password, logging in to that account with any password longer than 10 characters succeeds. This bug affects only the TL1 login interface; the CTC login interface is not affected.
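Two of the authentication failures on this page can be modelled as broken password comparisons: the Thintune check (CVE-2004-2048 to CVE-2004-2051 entries above), which accepts any string that begins with the configured password, and the Cisco ONS TL1 bypass (CSCee27329), where a password longer than 10 characters authenticates against a blank one. The C program below is an added example written for this page, not code from eSeSIX or Cisco. The two vulnerable functions are assumed models of the behaviour the advisories describe, not the vendors' actual routines; in particular the 10-byte field and the "overlong input is silently discarded" mechanism in the TL1 model are assumptions taken from the "more than 10 characters" trigger, and the hardened check beside them is the pattern a reviewer would ask for: a blank stored secret never matches, overlong input is an explicit failure, lengths must agree, and every byte is examined.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Field size assumed for the TL1 model and maximum length accepted by the
 * hardened check. Assumption derived from the ">10 characters" trigger in
 * CSCee27329; the real limit on the device is not stated on this page. */
#define PW_MAX 10

/* Assumed model of the Thintune check (not the vendor's code): only
 * strlen(stored) bytes are compared, so any input that begins with the
 * stored password passes. Stored "a" accepts "automobile", "any", ...   */
bool thintune_prefix_check(const char *stored, const char *supplied)
{
    return strncmp(stored, supplied, strlen(stored)) == 0;
}

/* Assumed model of the TL1 bypass (hypothetical mechanism consistent with
 * the advisory): the supplied password is copied into a fixed 10-byte
 * field; an overlong input is dropped instead of being rejected, leaving
 * the field empty, and an empty field compares equal to a blank stored
 * password. A non-blank stored password is still not matched.           */
bool tl1_login_check(const char *stored, const char *supplied)
{
    char field[PW_MAX + 1] = {0};
    size_t m = strlen(supplied);

    if (m <= PW_MAX)
        memcpy(field, supplied, m);
    /* else: silently discarded, field stays "" */

    return strcmp(stored, field) == 0;
}

/* Hardened comparison: blank secrets and overlong input are explicit
 * failures, lengths must agree, and the loop runs over the whole supplied
 * string so the result is not decided early on the first mismatch.       */
bool password_check_fixed(const char *stored, const char *supplied)
{
    size_t n = strlen(stored);
    size_t m = strlen(supplied);
    unsigned char diff;
    size_t i;

    if (n == 0 || m == 0 || m > PW_MAX)
        return false;

    diff = (unsigned char)(n != m);
    for (i = 0; i < m; i++) {
        /* index stays inside 'stored' even when the lengths differ */
        diff |= (unsigned char)(supplied[i] ^ stored[i < n ? i : 0]);
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed inputs mirroring the page's description. */
    const char *words[] = { "automobile", "any", "afternoon", "b" };
    const char *overlong = "aaaaaaaaaaa";   /* 11 characters */
    size_t i;

    for (i = 0; i < sizeof words / sizeof words[0]; i++)
        printf("thintune stored=\"a\" supplied=\"%s\": %s\n", words[i],
               thintune_prefix_check("a", words[i]) ? "ACCEPTED" : "rejected");

    printf("tl1 stored=\"\" supplied=\"%s\": %s\n", overlong,
           tl1_login_check("", overlong) ? "ACCEPTED" : "rejected");
    printf("tl1 stored=\"secret\" supplied=\"%s\": %s\n", overlong,
           tl1_login_check("secret", overlong) ? "ACCEPTED" : "rejected");

    printf("fixed stored=\"a\" supplied=\"automobile\": %s\n",
           password_check_fixed("a", "automobile") ? "ACCEPTED" : "rejected");
    printf("fixed stored=\"\" supplied=\"%s\": %s\n", overlong,
           password_check_fixed("", overlong) ? "ACCEPTED" : "rejected");
    printf("fixed stored=\"secret\" supplied=\"secret\": %s\n",
           password_check_fixed("secret", "secret") ? "ACCEPTED" : "rejected");
    return 0;
}
```

The two vulnerable models fail in opposite directions: the prefix check compares too little of the input, the TL1 model compares the wrong thing after silently discarding the input. The fixed version treats both "nothing configured" and "too much supplied" as hard failures before any comparison happens, which is the property to look for when reviewing an authentication routine in device firmware.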
VAR-200412-0196 CVE-2004-1434 Multiple Cisco ONS control cards fail to properly handle malformed TCP packets CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.1(0) to 4.1(2), 4.5(x), 4.0(0) to 4.0(2), and earlier versions, allow remote attackers to cause a denial of service (control card reset) via malformed SNMP packets. A vulnerability exists in multiple control cards used by Cisco ONS devices. This vulnerability could allow a remote attacker to cause a denial-of-service condition. Most of the reported issues are related to handling of malformed packets, resulting in a denial of service condition. However, an authentication bypass vulnerability has also been reported to affect some platforms. Attackers can send malformed IP, ICMP, TCP and UDP packets to cause XTC, TCC/TCC+/TCC2 and TCCi/TCC2 control cards to reboot. Repeated issuance of these malformed packets can cause the control card to stop responding to normal services. Bug CSCee27329 (passwd) is an authentication bypass: when an account is configured with an empty password, logging in to that account with any password longer than 10 characters succeeds. This bug affects only the TL1 login interface; the CTC login interface is not affected.