VARIoT IoT vulnerabilities database
VAR-200412-0836 | CVE-2004-2532 | SolarWinds Serv-U File Server Trust Management Issue Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Serv-U FTP server before 5.1.0.0 has a default account and password for local administration, which allows local users to execute arbitrary commands by connecting to the server using the default administrator account, creating a new user, logging in as that new user, and then using the SITE EXEC command.
The weak account can be used to log into the site maintenance interface on the loopback interface only, and to create user accounts.
VAR-200412-0184 | CVE-2004-1483 | The ActiveX and HTML file browsers of the Symantec 4400 Series Clientless VPN Gateway contains various unspecified vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple unknown vulnerabilities in the ActiveX and HTML file browsers in Symantec Clientless VPN Gateway 4400 Series 5.0 have unknown attack vectors and unknown impact.
The issues include multiple vulnerabilities related to the ActiveX and HTML file browser, cross-site scripting vulnerabilities in the end user interface, and a vulnerability in the end user interface that allows an unauthorized user to change another user's single sign-on information. Remote attackers can use this vulnerability to modify other users' authentication information. No further details are currently available. Cross-site scripting issues have also been reported by end users.
2) Various unspecified input validation errors within the end user UI
can be exploited to conduct cross-site scripting attacks.
3) An error within the end user UI can be exploited by malicious
users to manipulate other users' signon information (including
username and password).
SOLUTION:
A hotfix is available:
ftp://ftp.symantec.com/public/english_us_canada/products/sym_clientless_vpn/sym_clientless_vpn_5/updates/SCVG5-20040806-00.tgz
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
ftp://ftp.symantec.com/public/english_us_canada/products/sym_clientless_vpn/sym_clientless_vpn_5/updates/hf3-readme.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
VAR-200408-0069 | CVE-2004-0683 | Symantec Norton AntiVirus 2002 and 2003 Service denial vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Symantec Norton AntiVirus 2002 and 2003 allows remote attackers to cause a denial of service (CPU consumption) via a compressed archive that contains a large number of directories. Norton AntiVirus 2003 Professional Edition is prone to a denial-of-service vulnerability
VAR-200408-0052 | CVE-2004-0641 | Thomson SpeedTouch Home ADSL Modem predictable TCP Serial number vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Thomson SpeedTouch 510 ADSL Router with firmware GV8BAA3.270, and possibly earlier versions, generates predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections. The ability to predict TCP sequence numbers may allow a remote attacker to inject packets into a vulnerable data stream, for example the telnet service on the affected modem. Remote attackers can use this vulnerability to carry out TCP communication forgery attacks. Because the device's TCP initial sequence numbers can be guessed, an attacker can forge traffic to disrupt the ADSL modem's communications or hijack its sessions.
I. BACKGROUND
The Thompson (formerly Alcatel) SpeedTouch is an ADSL router for home
and business providing a continuously available, "always on,"
connection. More information about the product can be found at
http://www.speedtouchdsl.com/.
II.
The problem specifically exists due to the predictable nature of the TCP
Initial Sequence Number (ISN) generator on the device. The following
sanitized tcpdump output demonstrates the existence of the vulnerability
when 10 consecutive TCP connection requests are generated for the telnet
server (port 23) on the Thompson device:
48.3 host_a.1096 > host_b.telnet: S
48.3 host_b.telnet > host_a.1096: S 4081040897:4081040897(0) ack
48.3 host_a.1096 > host_b.telnet: R
48.4 host_a.1096 > host_b.telnet: S
48.4 host_b.telnet > host_a.1096: S 4081104897:4081104897(0) ack
48.4 host_a.1096 > host_b.telnet: R
48.6 host_a.1096 > host_b.telnet: S
48.6 host_b.telnet > host_a.1096: S 4081232897:4081232897(0) ack
48.6 host_a.1096 > host_b.telnet: R
48.7 host_a.1096 > host_b.telnet: S
48.7 host_b.telnet > host_a.1096: S 4081296897:4081296897(0) ack
48.7 host_a.1096 > host_b.telnet: R
48.9 host_a.1096 > host_b.telnet: S
48.9 host_b.telnet > host_a.1096: S 4081360897:4081360897(0) ack
48.9 host_a.1096 > host_b.telnet: R
49.0 host_a.1096 > host_b.telnet: S
49.0 host_b.telnet > host_a.1096: S 4081488897:4081488897(0) ack
49.0 host_a.1096 > host_b.telnet: R
49.2 host_a.1096 > host_b.telnet: S
49.2 host_b.telnet > host_a.1096: S 4081552897:4081552897(0) ack
49.2 host_a.1096 > host_b.telnet: R
49.3 host_a.1096 > host_b.telnet: S
49.3 host_b.telnet > host_a.1096: S 4081616897:4081616897(0) ack
49.3 host_a.1096 > host_b.telnet: R
49.5 host_a.1096 > host_b.telnet: S
49.5 host_b.telnet > host_a.1096: S 4081744897:4081744897(0) ack
49.5 host_a.1096 > host_b.telnet: R
49.6 host_a.1096 > host_b.telnet: S
49.6 host_b.telnet > host_a.1096: S 4081808897:4081808897(0) ack
49.6 host_a.1096 > host_b.telnet: R
In the above example, host_a is the querying host and host_b is the
Thompson device. A clear pattern in ISN generation can be seen as the
value increases by approximately 64,000 each millisecond.
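The pattern in the capture above can be checked mechanically. The following Python script is an added example, not code from the iDEFENSE advisory or from Thomson: it parses the advisory's sanitized SYN-ACK lines, takes consecutive ISN differences modulo 2^32, and reports the common step (the gcd of the differences) together with how many steps elapsed over the capture. For the capture above every difference is a multiple of 64,000, so the generator advances in fixed 64,000-unit ticks, about ten per second of the timestamp column. A seeded PRNG sequence, constructed here only for contrast, shows what a non-degenerate generator looks like under the same test. The thresholds `min_step` and `max_ticks_per_delta` are assumptions of this example, not values from the advisory.

```python
"""Detect a linear-increment TCP ISN generator from captured SYN-ACK lines.

Added example; it is not code from the iDEFENSE advisory or from Thomson.
"""
import math
import random
import re
from typing import Dict, List, Tuple

# The SYN-ACK lines from the advisory's sanitized tcpdump output above.  The
# parser only needs these; the outgoing SYN and RST lines are ignored.
ADVISORY_CAPTURE = """\
48.3 host_b.telnet > host_a.1096: S 4081040897:4081040897(0) ack
48.4 host_b.telnet > host_a.1096: S 4081104897:4081104897(0) ack
48.6 host_b.telnet > host_a.1096: S 4081232897:4081232897(0) ack
48.7 host_b.telnet > host_a.1096: S 4081296897:4081296897(0) ack
48.9 host_b.telnet > host_a.1096: S 4081360897:4081360897(0) ack
49.0 host_b.telnet > host_a.1096: S 4081488897:4081488897(0) ack
49.2 host_b.telnet > host_a.1096: S 4081552897:4081552897(0) ack
49.3 host_b.telnet > host_a.1096: S 4081616897:4081616897(0) ack
49.5 host_b.telnet > host_a.1096: S 4081744897:4081744897(0) ack
49.6 host_b.telnet > host_a.1096: S 4081808897:4081808897(0) ack
"""

# Matches "<ts> <src> > <dst>: S <isn>:<isn>(0) ack" as printed by classic tcpdump.
SYN_ACK = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\S+\s+>\s+\S+:\s+S\s+(?P<isn>\d+):\d+\(\d+\)\s+ack"
)


def parse_syn_acks(capture: str) -> List[Tuple[float, int]]:
    """Return (timestamp, ISN) pairs for every SYN-ACK line in the capture."""
    records = []
    for line in capture.splitlines():
        m = SYN_ACK.match(line.strip())
        if m:
            records.append((float(m.group("ts")), int(m.group("isn"))))
    return records


def isn_deltas(isns: List[int]) -> List[int]:
    """Differences between consecutive ISNs, modulo 2^32 so wrap-around is handled."""
    return [(b - a) % (1 << 32) for a, b in zip(isns, isns[1:])]


def assess_isn_generator(records: List[Tuple[float, int]],
                         min_step: int = 256,
                         max_ticks_per_delta: int = 16) -> Dict[str, object]:
    """Heuristic verdict on a generator from its observed ISNs.

    A generator that advances by a fixed increment per clock tick produces
    differences that are all small multiples of one step (their gcd).  A
    generator with well-spread differences has a tiny gcd and a huge
    max(delta) / gcd ratio.  The thresholds are assumptions of this example.
    """
    if len(records) < 3:
        raise ValueError("need at least three SYN-ACKs to judge a generator")
    deltas = isn_deltas([isn for _, isn in records])
    elapsed = round(records[-1][0] - records[0][0], 3)
    step = 0
    for d in deltas:
        step = math.gcd(step, d)
    if step == 0:  # every SYN-ACK carried the same ISN: trivially predictable
        return {"step": 0, "ticks": 0, "elapsed_seconds": elapsed,
                "ticks_per_second": 0.0, "predictable": True}
    ticks = sum(d // step for d in deltas)
    predictable = step >= min_step and max(deltas) // step <= max_ticks_per_delta
    return {
        "step": step,
        "ticks": ticks,
        "elapsed_seconds": elapsed,
        "ticks_per_second": ticks / elapsed if elapsed > 0 else float("inf"),
        "predictable": predictable,
    }


def constructed_random_capture(n: int = 10, seed: int = 1234) -> List[Tuple[float, int]]:
    """Constructed comparison input: ISNs from a seeded PRNG, 0.1 s apart (not a real device)."""
    rng = random.Random(seed)
    return [(48.3 + 0.1 * i, rng.getrandbits(32)) for i in range(n)]


if __name__ == "__main__":
    for label, recs in (("advisory capture", parse_syn_acks(ADVISORY_CAPTURE)),
                        ("seeded PRNG (constructed)", constructed_random_capture())):
        print(label, assess_isn_generator(recs))
```

Someone auditing a device they operate can feed real tcpdump SYN-ACK lines for one of its listening ports to `parse_syn_acks`. The verdict is a heuristic for the fixed-increment class of generator the advisory describes, not a general randomness test: it flags a generator whose differences share a large common step and stay within a few ticks of each other, and passes anything whose differences are widely spread.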
III. ANALYSIS
Successful exploitation of weak ISNs for the purpose of connection
spoofing is not a trivial task. Successful exploitation allows an
attacker to generate traffic on behalf of the affected device. Such an
ability is most dangerous when trust paths exist between the affected
device and another remote system.
IV. DETECTION
iDEFENSE has verified the existence of this vulnerability in Thompson's
SpeedTouch firmware version GV8BAA3.270 (1003825). It is suspected that
earlier versions are susceptible to exploitation as well.
V. WORKAROUNDS
Untrusted traffic should be filtered at the network perimeter.
VI. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0641 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VII. DISCLOSURE TIMELINE
06/08/04 Initial vendor contact - no response
06/08/04 iDEFENSE clients notified
06/18/04 Secondary vendor contact - no response
08/05/04 Public disclosure
VIII. CREDIT
The discoverer wishes to remain anonymous.
IX. LEGAL NOTICES
Copyright © 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information
VAR-200412-0212 | CVE-2004-1446 | Juniper Networks NetScreen firewall contains a DoS vulnerability in the SSHv1 service |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unknown vulnerability in ScreenOS in Juniper Networks NetScreen firewall 3.x through 5.x allows remote attackers to cause a denial of service (device reboot or hang) via a crafted SSH v1 packet. A vulnerability in the SSHv1 service of NetScreen firewalls could allow an attacker to cause a denial-of-service condition. It is reported that the vulnerability may be triggered by a remote attacker, prior to any form of authentication. Netscreen is a firewall security solution, and its operating system is ScreenOS. The firewall will reboot or hang, stopping normal services
VAR-200409-0025 | CVE-2004-0699 | Check Point VPN-1 ASN.1 Buffer Overflow Vulnerability |
Related entries in the VARIoT exploits database: VAR-E-200407-0196 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in ASN.1 decoding library in Check Point VPN-1 products, when Aggressive Mode IKE is implemented, allows remote attackers to execute arbitrary code by initiating an IKE negotiation and then sending an IKE packet with malformed ASN.1 data. A vulnerability exists in Check Point's VPN-1 Server, which is included in many Check Point products. This vulnerability may permit a remote attacker to compromise the gateway system. This issue results from insufficient boundary checks performed by the application when processing user-supplied data.
This overflow occurs during the initial key exchange process, and can be triggered with a single UDP packet. Since ISAKMP uses the UDP transport, a spoofed source address can be used in an attack.
Check Point reports that for a single packet attack to succeed, VPN-1 must be configured for aggressive mode key exchange. Without aggressive mode, an attacker must initiate a real key negotiation session.
This vulnerability can lead to remote code execution in the context of the VPN-1 process. This can lead to a complete system compromise
VAR-200407-0017 | CVE-2004-0732 | Php-Nuke Search module index.php SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in index.php in the Search module for Php-Nuke allows remote attackers to execute arbitrary SQL statements via the instory parameter. PHP-Nuke is prone to a sql-injection vulnerability
VAR-200407-0028 | CVE-2004-0736 | Php-Nuke Information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The search module in Php-Nuke allows remote attackers to gain sensitive information via the (1) "**" or (2) "+" search patterns, which reveals the path in an error message. PHP-Nuke is prone to an information disclosure vulnerability. There is a vulnerability in Php-Nuke's search module
VAR-200407-0029 | CVE-2004-0737 | Php-Nuke Search module index.php Cross-site scripting vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple cross-site scripting vulnerabilities in index.php in the Search module for Php-Nuke allows remote attackers to inject arbitrary web script or HTML via the (1) sid, (2) max, (3) sel1, (4) sel2, (5) sel3, (6) sel4, (7) sel5, (8) match, (9) mod1, (10) mod2, or (11) mod3 parameters. PHP-Nuke is prone to a cross-site scripting vulnerability
VAR-200407-0030 | CVE-2004-0738 | Php-Nuke SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple SQL injection vulnerabilities in the Search module in Php-Nuke allow remote attackers to execute arbitrary SQL via the (1) min or (2) categ parameters. PHP-Nuke is prone to a sql-injection vulnerability
VAR-200407-0032 | CVE-2004-0740 | Lexmark printer HTTP Service Remote Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The HTTP server in Lexmark T522 and possibly other models allows remote attackers to cause a denial of service (server crash, reload, or hang) via an HTTP header with a long Host field, possibly triggering a buffer overflow. T522 Network Printer is prone to a denial-of-service vulnerability. The HTTP service of the Lexmark printer does not process some HTTP requests correctly. Remote attackers can use this vulnerability to carry out a denial of service attack on the printer's web service
VAR-200412-0263 | CVE-2004-2486 | Dropbear SSH Unknown authentication vulnerability in server digital signature standard |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The DSS verification code in Dropbear SSH Server before 0.43 frees uninitialized variables, which might allow remote attackers to gain access. Dropbear SSH is affected by an unspecified Digital Signature Standard (DSS) authentication vulnerability.
The impact of this issue is currently unknown. Presumably, an attacker could use this issue to gain unauthorized access to a computer running the vulnerable application, but this is not confirmed. We will update this BID as more information emerges.
Cisco Security Advisory: Cisco Unified IP Phone Overflow and Denial
of Service Vulnerabilities
Revision 1.0
For Public Release 2008 February 13 1600 UTC (GMT)
+--------------------------------------------------------------------
Summary
=======
Cisco Unified IP Phone models contain multiple overflow and denial of
service (DoS) vulnerabilities. There are workarounds for several of
these vulnerabilities. Cisco has made free software available to
address this issue for affected customers.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
Affected Products
=================
Vulnerable Products
+------------------
The following Cisco Unified IP Phone devices running Skinny Client
Control Protocol (SCCP) firmware:
* 7906G
* 7911G
* 7935
* 7936
* 7940
* 7940G
* 7941G
* 7960
* 7960G
* 7961G
* 7970G
* 7971G
The following Cisco Unified IP Phone devices running Session
Initiation Protocol (SIP) firmware:
* 7940
* 7940G
* 7960
* 7960G
The version of firmware running on an IP Phone can be determined via
the Settings menu on the phone or via the phone HTTP interface.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are known to be vulnerable. This includes the
following Cisco Unified IP Phone devices:
* 7931
* 7937
* 7942
* 7945
* 7965
* 7975
Details
=======
SCCP and SIP-Related Vulnerabilities
* DNS Response Parsing Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
running SCCP and SIP firmware contain a buffer overflow
vulnerability in the handling of DNS responses. A
specially-crafted DNS response may be able to trigger a buffer
overflow and execute arbitrary code on a vulnerable phone. This
vulnerability is corrected in SCCP firmware version 8.0(8) and
SIP firmware version 8.8(0). This vulnerability is documented in
CVE-2008-0530 and Cisco Bug IDs CSCsj74818 and CSCsk21863.
SCCP-Only Related Vulnerabilities
* Large ICMP Echo Request DoS
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
running SCCP firmware contain a DoS vulnerability. It is possible
to cause a vulnerable device to reboot by sending a large ICMP
echo request packet. This vulnerability is corrected in SCCP
firmware version 8.0(6). This vulnerability is documented in
CVE-2008-0526 and Cisco Bug ID CSCsh71110.
* HTTP Server DoS
Cisco Unified IP Phone 7935 and 7936 devices running SCCP
firmware contain a DoS vulnerability in their internal HTTP
server. By sending a specially crafted HTTP request to TCP port
80 on a vulnerable phone, it may be possible to cause the phone
to reboot. It is possible to workaround this issue by disabling
the internal HTTP server on vulnerable phones. The internal HTTP
server only listens to TCP port 80. This vulnerability is
corrected in SCCP firmware version 3.2(17) for 7935 devices and
SCCP firmware version 3.3(15) for 7936 devices. This
vulnerability is documented in CVE-2008-0527 and Cisco Bug ID
CSCsk20026.
* SSH Server DoS
Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G and
7971G devices running SCCP firmware contain a buffer overflow
vulnerability in their internal Secure Shell (SSH) server. By
sending a specially crafted packet to TCP port 22 on a
vulnerable phone, it may be possible for an unauthenticated
attacker to cause the phone to reboot. It may also be possible
for an unauthenticated attacker to execute arbitrary code with
system privileges. It is possible to workaround this issue by
disabling the internal SSH server on vulnerable phones. The
internal SSH server only listens to TCP port 22. This
vulnerability is corrected in SCCP firmware version 8.2(2)SR2.
This vulnerability is documented in CVE-2004-2486 and Cisco Bug ID
CSCsh79629.
SIP-Only Related Vulnerabilities
* SIP MIME Boundary Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
running SIP firmware contain a buffer overflow vulnerability in
the handling of Multipurpose Internet Mail Extensions (MIME)
encoded data. By sending a specially crafted SIP message to a
vulnerable phone, it may be possible to trigger a buffer overflow
and execute arbitrary code on the phone. This vulnerability is
corrected in SIP firmware version 8.8(0). This vulnerability is
documented in CVE-2008-0528 and Cisco Bug ID CSCsj74786.
* Telnet Server Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
running SIP firmware contain a buffer overflow vulnerability in
their internal telnet server. The telnet server is disabled by
default and can be configured to allow either privileged or
unprivileged user-level access. If the telnet server is enabled
for privileged or unprivileged access, the phone password
parameter must additionally be configured to permit telnet
access. By entering a specially crafted command on a phone
configured to permit unprivileged access, it may be possible for
an unprivileged-level, authenticated user to trigger a buffer
overflow and obtain privileged-level access to the phone. It is
possible to workaround this issue by disabling the internal
telnet server on vulnerable phones. This vulnerability is
corrected in SIP firmware version 8.8(0). This vulnerability is
documented in CVE-2008-0529 and Cisco Bug ID CSCsj78359.
* SIP Proxy Response Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
running SIP firmware contain a heap overflow vulnerability in the
handling of a challenge/response message from a SIP proxy. If an
attacker controls the SIP proxy to which a vulnerable phone is
registered, attempts to register, or the attacker can act as a
man-in-the-middle, it may be possible to send a malicious
challenge/response message to a phone and execute arbitrary code.
This vulnerability is corrected in SIP firmware version 8.8(0).
This vulnerability is documented in CVE-2008-0531 and Cisco Bug ID
CSCsj74765.
Vulnerability Scoring Details
=============================
Cisco is providing scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
Cisco will provide a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
CVSS is a standards based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsj74818 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsk21863 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh71110 - 7940/7960 IP Phone ICMP Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsk20026 - IP Phone HTTP Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh79629 - TNP Phone SSH Vulnerability
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj74786 - SIP Mime Boundary Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj78359 - SIP 40/60:Telnet access stack overflow
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj74765 - SIP Proxy Response Overflow
CVSS Base Score - 7.3
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may cause vulnerable
IP phone devices to reboot which will interrupt client voice services
and, in some cases, allow the execution of arbitrary code.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.
Workarounds
===========
Workarounds are available for several of the vulnerabilities.
Disabling unnecessary internal phone Telnet and HTTP servers will
eliminate exposure to the Telnet Server overflow and HTTP Server DoS
vulnerabilities.
It is possible to mitigate these vulnerabilities with access control
lists (ACL). Filters that deny ICMP Echo Request, TCP port 22 (SSH),
TCP port 23 (Telnet), TCP port 80 (HTTP), TCP/UDP port 53 (DNS) and
TCP/UDP port 5060 (SIP) should be deployed at voice/data network
boundaries as part of a tACL policy for protection of traffic which
enters the network at ingress access points. This policy should be
configured to protect the network device and other devices behind it
where the filter is applied.
Additional information about tACLs is available in "Transit Access
Control Lists: Filtering at Your Edge":
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080116-phone.shtml
Obtaining Fixed Software
========================
Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed
software becomes available. Prior to deploying software, customers
should consult their maintenance provider or check the software for
feature set compatibility and known issues specific to their
environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise
set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact either "psirt@cisco.com" or "security-alert@cisco.com"
for software upgrades.
Fixed Firmware for SCCP-Related Vulnerabilities
For the Large ICMP Echo DoS, fixed SCCP firmware version 8.0(6) and
later for Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
is available.
For the HTTP Server DoS, fixed SCCP firmware version 3.2(17) and
later for Cisco Unified IP Phone 7935 devices and fixed SCCP firmware
3.3(15) and later for Cisco Unified IP Phone 7936 devices are
available.
For the SSH Server DoS, fixed SCCP firmware version 8.2(2)SR2 and
later for Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G
and 7971G devices is available.
For the DNS Response Parsing overflow, fixed SCCP firmware version
8.0(8) and later for Cisco Unified IP Phone 7940, 7940G, 7960 and
7960G devices is available.
Fixed firmware for all SCCP-related vulnerabilities can be obtained
here:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ip-7900ser?psrtdcat20e2
Fixed Firmware for SIP-Related Vulnerabilities
All the SIP-related vulnerabilities referenced in this advisory are
fixed in SIP firmware version 8.0(6) and later for Cisco Unified IP
Phone 7940, 7940G, 7960 and 7960G devices, which can be obtained
here:
http://www.cisco.com/pcgi-bin/tablebuild.pl/sip-ip-phone7960?psrtdcat20e2
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreement with third-party support organizations
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party
vendors but are unsuccessful at obtaining fixed software through
their point of sale should get their upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the
TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
The SIP MIME Boundary, Telnet Server, DNS Response Parsing and SIP
Proxy Response overflows were reported to Cisco by Jon Griffin and
Mustaque Ahamad of the School of Computer Science at the Georgia
Institute of Technology.
The HTTP Server DoS was reported to Cisco by Sven Weizenegger of
T-Systems.
The Large ICMP Echo Request DoS vulnerability was reported to Cisco
by a customer. The SSH Server DoS was discovered internally by Cisco.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
Revision 1.0 | 2008-February-13 | Initial public release.
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
VAR-200412-0964 | CVE-2004-2048 | eSeSIX Thintune Thin client device multiple security vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
radmin in eSeSIX Thintune thin clients running firmware 2.4.38 and earlier starts a process on port 25072 that can be accessed with a default "jstwo" password, which allows remote attackers to gain access. Thintune Linux-based devices are reported prone to multiple vulnerabilities.
The issues include backdoor accounts that can be accessed over the network and an information disclosure issue that can disclose user accounts and passwords.
Thintune devices with firmware version 2.4.38 and prior are affected by these issues. Reportedly, Thintune devices based on Windows CE are not affected. eSeSIX Thintune is a series of thin client products developed by eSeSIX GmbH, with ICA, RDP, X11 and SSH support on a custom Linux platform. The second problem is a password disclosure issue. The Keeper library is used to store all JStream configuration settings, and the configuration files are kept in the /root/.keeper/ directory. By browsing the local file system, or by using the "getreg" command exposed by the first issue, an attacker can remotely read the Keeper database and obtain the VNC, control center and screen saver passwords. The third problem is that a local ROOT SHELL can be obtained by any user by pressing <CTRL><SHIFT><ALT><DEL> and then entering the "maertsJ" password. The fourth problem is that local users can view plaintext passwords: Thintune software lets end users browse with the Phoenix Web browser, and by entering "file:///" a local user can list the local file system and use the browser to view sensitive files. The fifth problem is an incorrect password check: if the user sets the password to 'a', then entering a string such as "automobile", "any" or "afternoon" is accepted as a valid password.
VAR-200412-0966 | CVE-2004-2050 | eSeSIX Thintune Thin client device multiple security vulnerabilities |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
eSeSIX Thintune thin clients running firmware 2.4.38 and earlier allow local users to gain privileges by pressing CTRL-SHIFT-ALT-DEL and entering the "maertsJ" password, which is hard-coded into lshell. Thintune Linux-based devices are reported prone to multiple vulnerabilities. These issues can allow remote attackers to gain complete access to a vulnerable device.
The issues include backdoor accounts that can be accessed over the network and an information disclosure issue that can disclose user accounts and passwords.
Thintune devices with firmware version 2.4.38 and prior are affected by these issues. Reportedly, Thintune devices based on Windows CE are not affected. eSeSIX Thintune is a series of thin client products developed by eSeSIX GmbH, with ICA, RDP, X11 and SSH support on a custom Linux platform. The second problem is a password disclosure issue. The Keeper library is used to store all JStream configuration settings, and the configuration files are kept in the /root/.keeper/ directory. By browsing the local file system, or by using the "getreg" command exposed by the first issue, an attacker can remotely read the Keeper database and obtain the VNC, control center and screen saver passwords. The third problem is that a local ROOT SHELL can be obtained by any user by pressing <CTRL><SHIFT><ALT><DEL> and then entering the "maertsJ" password. The fourth problem is that local users can view plaintext passwords: Thintune software lets end users browse with the Phoenix Web browser, and by entering "file:///" a local user can list the local file system and use the browser to view sensitive files. The fifth problem is an incorrect password check: if the user sets the password to 'a', then entering a string such as "automobile", "any" or "afternoon" is successfully authenticated.
VAR-200412-0965 | CVE-2004-2049 | eSeSIX Thintune Thin client device multiple security vulnerabilities |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
eSeSIX Thintune thin clients running firmware 2.4.38 and earlier store sensitive usernames and passwords in cleartext in configuration files for the keeper library, which allows attackers to gain access. Thintune Linux-based devices are reported prone to multiple vulnerabilities. These issues can allow remote attackers to gain complete access to a vulnerable device.
The issues include backdoor accounts that can be accessed over the network and an information disclosure issue that can disclose user accounts and passwords.
Thintune devices with firmware version 2.4.38 and prior are affected by these issues. Reportedly, Thintune devices based on Windows CE are not affected. eSeSIX Thintune is a series of thin client products developed by eSeSIX GmbH, with ICA, RDP, X11 and SSH support on a custom Linux platform. The second problem is a password disclosure issue. The Keeper library is used to store all JStream configuration settings, and the configuration files are kept in the /root/.keeper/ directory. By browsing the local file system, or by using the "getreg" command exposed by the first issue, an attacker can remotely read the Keeper database and obtain the VNC, control center and screen saver passwords. The third problem is that a local ROOT SHELL can be obtained by any user by pressing <CTRL><SHIFT><ALT><DEL> and then entering the "maertsJ" password. The fourth problem is that local users can view plaintext passwords: Thintune software lets end users browse with the Phoenix Web browser, and by entering "file:///" a local user can list the local file system and use the browser to view sensitive files. The fifth problem is an incorrect password check: if the user sets the password to 'a', then entering a string such as "automobile", "any" or "afternoon" is successfully authenticated.
VAR-200407-0095 | CVE-2004-2051 | eSeSIX Thintune Thin client device multiple security vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Phoenix browser in eSeSIX Thintune thin clients running firmware 2.4.38 and earlier allows local users to read arbitrary files via a file:/// URL. Thintune Linux-based devices are reported prone to multiple vulnerabilities. These issues can allow remote attackers to gain complete access to a vulnerable device.
The issues include backdoor accounts that can be accessed over the network and an information disclosure issue that can disclose user accounts and passwords.
Thintune devices with firmware version 2.4.38 and prior are affected by these issues. Reportedly, Thintune devices based on Windows CE are not affected. eSeSIX Thintune is a series of thin client products developed by eSeSIX GmbH, with ICA, RDP, X11 and SSH support on a custom Linux platform. The second problem is a password disclosure issue. The Keeper library is used to store all JStream configuration settings, and the configuration files are kept in the /root/.keeper/ directory. By browsing the local file system, or by using the "getreg" command exposed by the first issue, an attacker can remotely read the Keeper database and obtain the VNC, control center and screen saver passwords. The third problem is that a local ROOT SHELL can be obtained by any user by pressing <CTRL><SHIFT><ALT><DEL> and then entering the "maertsJ" password. The fourth problem is that local users can view plaintext passwords: Thintune software lets end users browse with the Phoenix Web browser, and by entering "file:///" a local user can list the local file system and use the browser to view sensitive files. The fifth problem is an incorrect password check: if the user sets the password to 'a', then entering a string such as "automobile", "any" or "afternoon" is successfully authenticated.
VAR-200412-0194 | CVE-2004-1432 | Multiple Cisco ONS control cards fail to properly handle malformed TCP packets |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.6(0) and 4.6(1), 4.5(x), 4.1(0) to 4.1(3), 4.0(0) to 4.0(2), and earlier versions, allow remote attackers to cause a denial of service (control card reset) via malformed (1) IP or (2) ICMP packets. A vulnerability exists in multiple control cards used by Cisco ONS devices. This vulnerability could allow a remote attacker to cause a denial-of-service condition. Most of the reported issues are related to handling of malformed packets, resulting in a denial of service condition. However, an authentication bypass vulnerability has also been reported to affect some platforms. Attackers can send malformed IP, ICMP, TCP and UDP packets to cause XTC, TCC/TCC+/TCC2 and TCCi/TCC2 control cards to reboot. Repeated issuance of these malformed packets can cause the control card to stop responding to normal services. The CSCee27329 (passwd) vulnerability is that if an account is configured with an empty password, then the device can be successfully authenticated to by logging in with a password exceeding 10 characters. This vulnerability only affects the TL1 login interface; the CTC login interface is not affected.
VAR-200412-0962 | CVE-2004-2045 | Conceptronic CADSLR1 ADSL Router Service Rejection Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The HTTP administration interface on the Conceptronic CADSLR1 ADSL router running firmware 3.04n allows remote attackers to cause a denial of service (device reboot) via an HTTP request with a long username. The Conceptronic CADSLR1 router is reported to contain a denial of service vulnerability.
This vulnerability reportedly presents itself in the embedded HTTP server used for web-based administration of the router. When presented a large malformed request, the device will reportedly crash and reboot.
This vulnerability could be exploited by a remote attacker to deny service to legitimate users.
Due to code reuse across products, other Conceptronic devices may also be vulnerable to similar issues.
TITLE:
Conceptronic CADSLR1 Router Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA12110
VERIFY ADVISORY:
http://secunia.com/advisories/12110/
CRITICAL:
Less critical
IMPACT:
DoS
WHERE:
From local network
OPERATING SYSTEM:
Conceptronic CADSLR1
http://secunia.com/product/3707/
DESCRIPTION:
Jordi Corrales has reported a vulnerability in CADSLR1, allowing
malicious people to cause a Denial of Service.
The problem is that the device fails to handle HTTP requests with a
long username (65535 characters). This causes the device to reboot.
This has been reported to affect devices running firmware version
3.04n. Prior versions may also be affected.
SOLUTION:
Filter access to the device or disable the HTTP service.
PROVIDED AND/OR DISCOVERED BY:
Jordi Corrales
VAR-200412-0198 | CVE-2004-1436 | Multiple Cisco ONS control cards fail to properly handle malformed TCP packets |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Transaction Language 1 (TL1) login interface in Cisco ONS 15327 4.6(0) and 4.6(1) and 15454 and 15454 SDH 4.6(0) and 4.6(1), when a user account is configured with a blank password, allows remote attackers to gain unauthorized access by logging in with a password larger than 10 characters. A vulnerability exists in multiple control cards used by Cisco ONS devices. This vulnerability could allow a remote attacker to cause a denial-of-service condition. Most of the reported issues are related to handling of malformed packets, resulting in a denial of service condition. However, an authentication bypass vulnerability has also been reported to affect some platforms. Attackers can send malformed IP, ICMP, TCP and UDP packets to cause XTC, TCC/TCC+/TCC2 and TCCi/TCC2 control cards to reboot. Repeated issuance of these malformed packets can cause the control card to stop responding to normal services. The CSCee27329 (passwd) vulnerability is that if an account is configured with an empty password, then the device can be successfully authenticated to by logging in with a password exceeding 10 characters. This vulnerability only affects the TL1 login interface; the CTC login interface is not affected.
VAR-200412-0196 | CVE-2004-1434 | Multiple Cisco ONS control cards fail to properly handle malformed TCP packets |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.1(0) to 4.1(2), 4.5(x), 4.0(0) to 4.0(2), and earlier versions, allow remote attackers to cause a denial of service (control card reset) via malformed SNMP packets. A vulnerability exists in multiple control cards used by Cisco ONS devices. This vulnerability could allow a remote attacker to cause a denial-of-service condition. Most of the reported issues are related to handling of malformed packets, resulting in a denial of service condition. However, an authentication bypass vulnerability has also been reported to affect some platforms. Attackers can send malformed IP, ICMP, TCP and UDP packets to cause XTC, TCC/TCC+/TCC2 and TCCi/TCC2 control cards to reboot. Repeated issuance of these malformed packets can cause the control card to stop responding to normal services. The CSCee27329 (passwd) vulnerability is that if an account is configured with an empty password, then the device can be successfully authenticated to by logging in with a password exceeding 10 characters. This vulnerability only affects the TL1 login interface; the CTC login interface is not affected.