VARIoT IoT vulnerabilities database


VAR-200403-0081 CVE-2003-1007 Apple MacOS X AppleFileServer Unknown security vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
AppleFileServer (AFS) in Apple Mac OS X 10.2.8 and 10.3.2 does not properly handle certain malformed requests, with unknown impact. It has been reported that AppleFileServer may be prone to an unspecified security vulnerability due to improper handling of malformed requests. Due to the fact that no details were supplied by the vendor, the implications of exploitation are not currently known. Apple MacOS X AppleFileServer is an Apple file service program
VAR-200312-0225 CVE-2003-0858 GNU Zebra Service operation disruption due to illegal messages (DoS) Vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: Low
Zebra 0.93b and earlier, and quagga before 0.95, allows local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface
VAR-200312-0582 No CVE Multiple Cisco FWSM Vulnerabilities CVSS V2: -
CVSS V3: -
Severity: -
Cisco has reported the following vulnerabilities in Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series and Cisco 7600 Series: Cisco FWSM is prone to a buffer overrun vulnerability when handling HTTP Auth data. This would most likely result in a denial of service but could also potentially allow for arbitrary code execution (though this has not been confirmed). Cisco FWSM has also been reported to be prone to denial of service attacks via SNMPv3 messages. This will cause a vulnerable device to reboot. Both of these issues have been addressed in FWSM 1.1.3 and later for affected devices.
VAR-200401-0045 CVE-2003-1004 Cisco PIX Firewall In VPNC IPSec Vulnerability that can break the tunnel CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco PIX firewall 6.2.x through 6.2.3, when configured as a VPN Client, allows remote attackers to cause a denial of service (dropped IPSec tunnel connection) via an IKE Phase I negotiation request to the outside interface of the firewall. Cisco PIX has been reported prone to multiple remote denial of service vulnerabilities. The first issue has been reported to present itself when the affected PIX firewall processes an SNMPv3 message, in certain circumstances. Specifically, if the Cisco PIX device receives and processes an SNMPv3 message, the PIX firewall will crash and reload. PIX Firewall is prone to a denial-of-service vulnerability
VAR-200401-0043 CVE-2003-1002 Cisco FWSM Multiple security vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Firewall Services Module (FWSM) in Cisco Catalyst 6500 and 7600 series devices allows remote attackers to cause a denial of service (crash and reload) via an SNMPv3 message when snmp-server is set. CSCeb16356 (HTTP Auth) vulnerability: Passing HTTP Auth requests using TACACS+ or RADIUS authentication can cause Cisco FWSM to crash and reload due to a send buffer overflow. This request can be initiated by the user by initiating an FTP, TELNET or HTTP connection. Cisco FWSM will only allow communication if the username and password are authenticated by the specified TACACS+ or RADIUS server. CSCeb88419 (SNMPv3) vulnerability: When snmp-server host <if_name> <ip_addr> or snmp-server host <if_name> <ip_addr> poll is configured on the Cisco FWSM module, the module may crash while processing a received SNMPv3 message, resulting in a denial of service. The only configuration that is not affected is when the snmp-server host <if_name> <ip_addr> trap command is configured on the Cisco FWSM module
VAR-200312-0258 CVE-2003-0947 iwconfig Buffer overflow vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Buffer overflow in iwconfig, when installed setuid, allows local users to execute arbitrary code via a long OUT environment variable. iwconfig is prone to a local security vulnerability
VAR-200401-0044 CVE-2003-1003 Cisco PIX Firewall In SNMPv3 Service disruption by (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco PIX firewall 5.x.x, and 6.3.1 and earlier, allows remote attackers to cause a denial of service (crash and reload) via an SNMPv3 message when snmp-server is set. When SNMP is enabled on a Cisco PIX Firewall by configuring the IP address of a specific SNMP management station, a vulnerability exists in which the firewall crashes while trying to interpret a received SNMPv3 packet. The Cisco PIX Firewall may be put into a service disruption (DoS) state. The first issue has been reported to present itself when the affected PIX firewall processes an SNMPv3 message, in certain circumstances. The second issue that was reported by the vendor is that a remote attacker may close established VPN sessions between a Cisco PIX appliance that is configured as a VPN Client and a remote VPN server. The only configuration that is not affected is when the snmp-server host <if_name> <ip_addr> trap command is configured on the Cisco PIX firewall
VAR-200403-0080 CVE-2003-1006 Apple Mac OS X "cd9660.util" buffer overflow CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Buffer overflow in cd9660.util in Apple Mac OS X 10.0 through 10.3.2 and Apple Mac OS X Server 10.0 through 10.3.2 may allow local users to execute arbitrary code via a long command line parameter. This vulnerability could allow a local attacker to gain elevated privileges on the vulnerable system. The cd9660.util utility has been reported prone to a local buffer overrun vulnerability. Excessive data supplied as an argument for the probe for mounting switch, passed to the cd9660.util utility, will overrun the bounds of a reserved buffer in memory. Because memory adjacent to this buffer has been reported to contain saved values that are crucial to controlling execution flow, a local attacker may potentially influence cd9660.util execution flow into attacker-supplied instructions. Mac OS X is an operating system used on Mac machines, based on the BSD system. Due to the lack of sufficient input validation in the cd9660.util tool, local attackers can exploit this vulnerability to carry out buffer overflow attacks, which can lead to privilege escalation. /System/Library/Filesystems/cd9660.fs/cd9660.util accepts a parameter to probe the mounted device; if the probe device parameter is too long, it may trigger a buffer overflow at runtime, and carefully constructed submitted data can lead to privilege escalation
VAR-200312-0517 No CVE NetGear WAB102 Wireless Access Point Password Management Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The NetGear WAB102 is a wireless access point (AP). The NetGear WAB102 has multiple password management issues that can be exploited by remote attackers to gain unauthorized access to the device for various malicious operations. An attacker can access the device by providing any password that contains spaces. Another problem is that the default password '1234' is reset when the device is powered down and reset. NetGear WAB102 running firmware version 1.2.3 has been reported to be prone to this issue
VAR-200401-0027 CVE-2003-0982 Cisco ACNS contains buffer overflow vulnerability in the authentication module when supplied an overly long password CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in the authentication module for Cisco ACNS 4.x before 4.2.11, and 5.x before 5.0.5, allows remote attackers to execute arbitrary code via a long password. Cisco has reported a remotely exploitable buffer overrun in ACNS authentication libraries, which are typically deployed on various Content devices. The following devices running ACNS software versions prior to 4.2.11 or 5.0.5 are affected: Content Routers 4400 series; Content Distribution Manager 4600 series; Content Engine 500 and 7300 series; Content Engine Module for Cisco Routers 2600, 3600 and 3700 series. This issue could be potentially exploited to execute arbitrary code on a vulnerable device, resulting in full compromise. Denial of service is another possible consequence of exploitation. Cisco ACNS provides networking solutions for the next generation of Cisco enterprise content. There is a buffer overflow problem in the authentication library of Cisco ACNS. Of course, this problem can also cause the device to deny service
VAR-200312-0279 CVE-2003-1005 Integer overflow vulnerability in rsync CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The PKI functionality in Mac OS X 10.2.8 and 10.3.2 allows remote attackers to cause a denial of service (service crash) via malformed ASN.1 sequences. Some versions of the rsync program contain a remotely exploitable vulnerability. This vulnerability may allow an attacker to execute arbitrary code on the target system. This could potentially lead to an attacker crashing a service that uses an implementation of the vulnerable software. This issue is reported to be similar to OpenSSL ASN.1 Large Recursion Remote Denial Of Service Vulnerability described in BID 8970. Due to a lack of details further information concerning this issue cannot be provided at the moment. This BID will be updated as more information becomes available. Mac OS X is an operating system used on Mac machines, based on the BSD system. No detailed vulnerability details are currently available
VAR-200312-0519 No CVE Apache mod_userdir module information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Apache module mod_userdir allows access to the user's website directory using a syntax similar to http://example.com/~user/. The default installation configuration of Apache mod_userdir is not secure, and remote attackers can exploit this vulnerability to obtain sensitive information. An attacker can use the mod_userdir misconfiguration to enumerate sensitive information such as the usernames on the host, and use this information to further attack the system. It is reported that the Apache mod_userdir module is prone to an information disclosure vulnerability. The issue is reported to exist because the module is configured in an insecure manner by default. It is reported that an attacker may exploit this vulnerability to harvest user account usernames that are present on the affected host
VAR-200312-0518 No CVE Linksys WRT54G Router Empty HTTP GET Request Remote Denial of Service Attack Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
The Linksys WRT54G Router is a router device. The Linksys WRT54G Router does not properly handle some GET requests, and a remote attacker can exploit this vulnerability to restart the router. Sending an empty GET request to the router's embedded web server listening on port 80 will cause the router to restart, resulting in a denial of service. It has been reported that when the affected appliance handles a request of this type the embedded web server will halt, requiring the appliance to be power cycled in order to regain normal functionality
VAR-200312-0516 No CVE Cisco Aironet AP SNMP trap leaks WEP key vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco Aironet Access Points are wireless access points. Vulnerabilities in Cisco Aironet Access Points when running Cisco IOS could result in the disclosure of WEP key information. When the 'snmp-server enable traps wlan-wep' command is set on Cisco Aironet Access Points, AP devices running Cisco IOS software will send WEP keys to the SNMP server in clear text. The affected hardware models include the Cisco Aironet 1100, 1200, and 1400 series. This command is disabled by default. The Cisco Aironet AP model running VxWorks is not affected by this vulnerability. To determine whether an AP is running Cisco IOS software, telnet to the AP address: if a simple prompt such as apl200% is displayed instead of a graphical interface, IOS software is running
VAR-201401-0580 No CVE Cisco Aironet AP SNMP trap leaking WEP key vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Aironet Access Points are wireless access points. A vulnerability exists in Cisco Aironet Access Points running Cisco IOS that could result in the disclosure of WEP key information. When the Cisco Aironet Access Points have the 'snmp-server enable traps wlan-wep' command set, the AP device running Cisco IOS Software sends the WEP key to the SNMP server in clear text. The affected hardware models include the Cisco Aironet 1100, 1200, and 1400 series. The command is turned off by default. The Cisco Aironet AP model running VxWorks is not affected by this vulnerability. To determine if an AP is running Cisco IOS software, telnet to the AP address: if a simple prompt such as apl200% is displayed instead of a graphical interface, IOS software is running. The issue has been reported to exist if the 'snmp-server enable traps wlan-wep' command has been set
VAR-200311-0100 No CVE Route Detection Security Tool Remote Format String Processing Vulnerability CVSS V2: 9.4
CVSS V3: -
Severity: HIGH
Detecttr.c is a route detection program. Due to a lack of adequate checking of hostnames in detecttr.c, remote attackers can exploit this vulnerability for format string attacks, which may result in arbitrary instructions being executed on the system with process privileges. The problem is that detecttr.c incorrectly uses the syslog() function: the hostname is passed directly to syslog() without proper format string checking. When the entry is written to the log file, this can corrupt memory, and carefully constructed submitted data may execute arbitrary instructions on the system with process privileges. A remote format string vulnerability has been discovered in the detecttr.c traceroute detection tool, initially released in Phrack magazine. Successful exploitation of this issue could allow an attacker to execute arbitrary code on a vulnerable system with the privileges of the user invoking detecttr
VAR-200311-0101 No CVE HP ProCurve Switch Remote Denial of Service Attack Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The HP ProCurve Switch is an enterprise network switch. The HP ProCurve Switch has problems handling RPC worms such as W32.Welchia.Worm (MCID 1811) and W32.Blaster.Worm (MCID 1761), causing the switch to stop responding to normal requests and resulting in a denial of service. No details of the vulnerability are currently available. This issue is reported to result in deteriorated network traffic and a denial of service condition for end users
VAR-200403-0083 CVE-2003-1009 Apple MacOS X DHCP Answer ROOT Permission access vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Directory Services in Apple Mac OS X 10.0.2, 10.0.3, 10.2.8, 10.3.2 and Apple Mac OS X Server 10.2 through 10.3.2 accepts authentication server information from unknown LDAP or NetInfo sources as provided by a malicious DHCP server, which allows remote attackers to gain privileges. It has been reported that Apple MacOS X may be prone to a vulnerability that may allow an attacker to gain root access to a vulnerable system via DHCP responses. It has been reported that systems running MacOS X attempt to negotiate DHCP on all available interfaces. If a network is not found, and that system is implementing the use of wireless connectivity, then that system will attempt to connect to any network in order to obtain an address. The system will also attempt to connect to an LDAP or NetInfo server on the network by using DHCP provided fields. The vulnerable host is reported to implicitly trust the server for correct information. It has also been reported that an attacker may set up a malicious server and thereby be able to login to a vulnerable system using any login name and a user id (uid) of 0 in response to DHCP lease requests. Mac OS X is an operating system used on Mac machines, based on the BSD system. The "Directory Access" default setting on systems affected by this vulnerability blindly uses and trusts the DHCP fields provided by these servers, and the system does not prevent logins with any login with uid 0. For example, if an LDAP or NetInfo server contains a user named "bluemeanie", uid 0, the system will not check the login system window, or any network-provided premises, such as SSH. In most cases, the Mac would need to boot into a malicious environment to exploit this vulnerability (the Netinfod process would have to be restarted to insert the malicious server into its list of authenticated resources)
VAR-200311-0102 No CVE Thomson SpeedTouch DSL Router Port Scanning Denial of Service Attack Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
The Thomson SpeedTouch DSL is a broadband router. Thomson SpeedTouch DSL has problems handling some special types of communications, and remote attackers can exploit this vulnerability to perform denial of service attacks on devices. When an attacker performs a large-scale port scan of a Thomson SpeedTouch DSL router, it will cause the device to stop responding and cause a denial of service. An attacker can use a scanner such as NMAP or Nessus to scan. A problem has been reported in SpeedTouch DSL routers when routing certain types of traffic. Because of this, it may be possible to deny service to legitimate users of a vulnerable router
VAR-200312-0278 CVE-2003-1085 Thomson Cable Modem Remote Denial of Service Attack Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The HTTP server in the Thomson TWC305, TWC315, and TCW690 cable modem ST42.03.0a allows remote attackers to cause a denial of service (unstable service) via a long GET request, possibly caused by a buffer overflow. A problem has been identified in Thomson Cable Modems when handling long requests on the HTTP port. Because of this, it may be possible for an attacker to deny service to legitimate users of the device. Thomson TCM315 is a broadband wired MODEM device