VARIoT IoT vulnerabilities database


VAR-200210-0278 CVE-2002-1107 Cisco VPN Client Serial Number Predictable Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x before 3.5.2B, does not generate sufficiently random numbers, which may make it vulnerable to certain attacks such as spoofing. Cisco has reported that random number generation has been improved in Cisco VPN Client. Weak random number generation may present a security vulnerability to users of the client software, as it may be possible under some circumstances for attackers to anticipate numbers that are generated by the software. If an attacker can anticipate TCP sequence numbers for VPN sessions, it may be possible to mount man-in-the-middle attacks against a connection or possibly inject packets into a connection. The attacker may need to be within the VPN to exploit this issue. The client can be used under the Microsoft Windows operating system, and can also be used under the Linux operating system. A remote attacker can exploit this vulnerability to mount a man-in-the-middle attack, insert packets into an existing connection, or gain remote unauthorized access to the VPN concentrator. Cisco has assigned this vulnerability bug ID CSCdx89416.
VAR-200210-0279 CVE-2002-1108 Cisco VPN Client TCP Filter leak vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x before 3.6(Rel), when configured with all tunnel mode, can be forced into acknowledging a TCP packet from outside the tunnel. This has the potential to leak information about the client system to attackers. This issue does not occur if "split tunneling mode" is enabled. Furthermore, 3.5.x releases of the client are not prone to this issue if the firewall is configured to run in "always on" mode. The 3.6(Rel) version of the client is prone to this issue even under circumstances where the firewall is run in "always on" mode. The client can be used under the Microsoft Windows operating system, and can also be used under the Linux operating system. The Cisco VPN Client is affected by this vulnerability. Cisco has assigned this vulnerability bug ID CSCdy37058.
VAR-200209-0050 CVE-2002-0870 Cisco Content Service Switch Authentication bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The original patch for the Cisco Content Service Switch 11000 Series authentication bypass vulnerability (CVE-2001-0622) was incomplete, which still allows remote attackers to gain additional privileges by directly requesting the web management URL instead of navigating through the interface, possibly via a variant of the original attack, as identified by Cisco bug ID CSCdw08549. The CSS11000 Content Services Switch is prone to a remote security vulnerability.
VAR-200210-0245 CVE-2002-1092 Cisco VPN 3000 Concentrator 3.6(Rel) Authentication verification vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco VPN 3000 Concentrator 3.6(Rel) and earlier, and 2.x.x, when configured to use internal authentication with group accounts and without any user accounts, allows remote VPN clients to log in using PPTP or IPSEC user authentication. Cisco VPN 3000 series concentrators are a family of products for facilitating secure communications via VPN (Virtual Private Networks). This could result in unintended privileges and access.
VAR-200210-0246 CVE-2002-1093 Cisco HTTP Interface Long Request Denial Of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
HTML interface for Cisco VPN 3000 Concentrator 2.x.x and 3.x.x before 3.0.3(B) allows remote attackers to cause a denial of service (CPU consumption) via a long URL request. Cisco VPN 3000 series concentrators are a family of products for facilitating secure communications via VPN (Virtual Private Networks). By sending a malicious HTTP request to a vulnerable system, the system becomes unstable.
VAR-200210-0247 CVE-2002-1094 Cisco VPN Concentrator HTTP Error page device information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Information leaks in Cisco VPN 3000 Concentrator 2.x.x and 3.x.x before 3.5.4 allow remote attackers to obtain potentially sensitive information via the (1) SSH banner, (2) FTP banner, or (3) an incorrect HTTP request. Cisco VPN 3000 series concentrators are a family of products for facilitating secure communications via VPN (Virtual Private Networks). Under some circumstances, it may be possible for a remote user to gain access to sensitive information. The SSH banner reveals more information than necessary to negotiate a session. This could lead to intelligence gathering, and a directed attack against network resources. Cisco VPN 3000 Concentrator versions 2.xx and 3.xx prior to 3.5.4 have an information disclosure vulnerability.
VAR-200210-0248 CVE-2002-1095 Cisco VPN Concentrator PPTP Client Remote service denial vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco VPN 3000 Concentrator before 2.5.2(F), with encryption enabled, allows remote attackers to cause a denial of service (reload) via a Windows-based PPTP client with the "No Encryption" option set. Cisco VPN 3000 series concentrators are a family of products for facilitating secure communications via VPN (Virtual Private Networks). Under some circumstances, it may be possible for a remote PPTP client to cause a denial of service. This could result in a denial of service to legitimate users of the device. Cisco VPN 3000 Concentrator versions earlier than 2.5.2(F) are vulnerable.
VAR-200210-0249 CVE-2002-1096 Cisco VPN 3000 Series Concentrator User Credential Disclosure Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.1, allows restricted administrators to obtain user passwords that are stored in plaintext in HTML source code. Cisco VPN 3000 series concentrators are prone to an issue which may cause user credentials to be disclosed to remote attackers under some circumstances. Cisco VPN 3000 Concentrator versions 2.2.x and 3.x prior to 3.5.1 are vulnerable.
VAR-200210-0268 CVE-2002-1097 Cisco VPN 3000 Series Concentrator Certificate Disclosure Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.2, allows restricted administrators to obtain certificate passwords that are stored in plaintext in the HTML source code for Certificate Management pages. This may enable an administrative user to gain unauthorized access to the Certificate Management interface. This would only be an issue in circumstances where the policy of an organization using the device restricts certificate management privileges to particular administrative users. Cisco VPN 3000 Concentrator 2.2.x, and 3.x versions earlier than 3.5.2, are vulnerable.
VAR-200210-0269 CVE-2002-1098 Cisco VPN 3000 Series Concentrator XML Filter Configuration Error Access Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.3, adds an "HTTPS on Public Inbound (XML-Auto)(forward/in)" rule but sets the protocol to "ANY" when the XML filter configuration is enabled, which ultimately allows arbitrary traffic to pass through the concentrator. Cisco VPN 3000 series concentrators are prone to an issue with XML filters which may inadvertently allow unauthorized network access to occur. This issue occurs when XML filters have been enabled on the public interface of the device. The vulnerable concentrator checks the destination port only when the value for the protocol is set to "TCP" or "UDP". Since the protocol is mistakenly set to "ANY", this will allow network connections using any protocol to an arbitrary port to occur through the concentrator. Cisco VPN 3000 Concentrator 2.2.x, and 3.x versions before 3.5.3, are vulnerable.
VAR-200210-0270 CVE-2002-1099 Cisco VPN 3000 Series Concentrator Web Interface Information Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.3, allows remote attackers to obtain potentially sensitive information without authentication by directly accessing certain HTML pages. Cisco VPN 3000 series concentrators leave some areas of the web interface exposed to unauthenticated web users. Attackers may use the sensitive information disclosed in this manner to potentially aid in mounting further attacks against the device and the network. Cisco VPN 3000 Concentrator 2.2.x, and 3.x versions before 3.5.3, are vulnerable.
VAR-200210-0271 CVE-2002-1100 Cisco VPN 3000 Series Concentrator Publish User Certificate Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.3, allows remote attackers to cause a denial of service (crash) via a long (1) username or (2) password to the HTML login interface. To exploit this condition, the attacker must submit overly long values for the username/password strings using the POST method. The attacker might, for example, submit a modified version of the form for the login page to trigger this condition. Successful exploitation will cause the device to reload. Cisco VPN 3000 Concentrator 2.2.x, and 3.x versions prior to 3.5.3, are vulnerable.
VAR-200210-0273 CVE-2002-1102 Cisco VPN 3000 Concentrator LAN-to-LAN IPSEC capability Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The LAN-to-LAN IPSEC capability for Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.4, allows remote attackers to cause a denial of service via an incoming LAN-to-LAN connection with an existing security association with another device on the remote network, which causes the concentrator to remove the previous connection. Cisco has reported a security vulnerability in VPN 3000 series concentrator devices. The vulnerability is related to handling of incoming LAN-to-LAN IPSEC tunnel connections. According to Cisco, this behaviour may be exploitable as a denial of service attack. Furthermore, affected devices do not ensure that the data transmitted across a LAN-to-LAN IPSEC tunnel is sourced from the appropriate network. The implications of this potentially separate issue are not yet known. The LAN-to-LAN IPSEC capability of Cisco VPN 3000 Concentrator 2.2.x, and 3.x versions before 3.5.4, is vulnerable.
VAR-200210-0274 CVE-2002-1103 Cisco VPN 3000 series concentrator does not properly handle malformed ISAKMP packets CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco VPN 3000 Concentrator 2.2.x, 3.6(Rel), and 3.x before 3.5.5, allows remote attackers to cause a denial of service via (1) malformed or (2) large ISAKMP packets. Cisco VPN 3000 series concentrators do not properly handle specially crafted Internet Security Association and Key Management Protocol (ISAKMP) packets, which can cause a vulnerable device to reload, denying service to legitimate users. Denial of network/VPN service may be possible. Cisco has reported a number of vulnerabilities in the VPN 3000 series concentrators. These issues affect models 3005, 3015, 3030, 3060, 3080 and the Cisco VPN 3002 Hardware Client. The nature of these issues varies from disclosure of sensitive information, to denial of service. Some of these issues may allow for remote unauthorized access to the device or the network to occur. VPN 3000 Concentrator is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause denial-of-service conditions.
VAR-200212-0703 CVE-2002-2379 Cisco AS5350 Universal Gateway Remote Denial of Service Attack Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco AS5350 IOS 12.2(11)T with access control lists (ACLs) applied and possibly with ssh running allows remote attackers to cause a denial of service (crash) via a port scan, possibly due to an ssh bug. NOTE: this issue could not be reproduced by the vendor. The Cisco AS5350 Universal Gateway is reported to be prone to a denial of service condition. It is possible to cause this condition by portscanning a vulnerable device. This issue was reported for Cisco AS5350 devices running Cisco IOS release 12.2(11)T. Other firmware and devices may also be affected. There are conflicting reports regarding the existence of this vulnerability. Other sources have indicated that the issue may be related to a configuration problem. Reportedly, scanning ports 1-65535 of the Cisco AS5350 Universal Gateway with the Nmap scanner can cause the system to hang, requiring a restart of the device to restore normal operation. However, there are many different views on this issue.
VAR-200212-0043 CVE-2002-2161 Kerio Personal Firewall Multiple SYN Packet Service Rejection Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to cause a denial of service (hang and CPU consumption) via a SYN packet flood. Kerio Personal Firewall (KPF) is a personal firewall product for the Microsoft Windows operating system. When KPF receives a large number of SYN packets from a single source, the firewall process will consume all available CPU time, and eventually hang the vulnerable system. A reboot may be required in order to regain normal functionality.
VAR-200212-0511 CVE-2002-1811 Belkin F5D6130 Wireless Network Access Point SNMP Request Remote Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Belkin F5D6130 Wireless Network Access Point running firmware AP14G8 allows remote attackers to cause a denial of service (connection loss) by sending several SNMP GetNextRequest requests. Reportedly, this issue may be exploited by making a sequence of SNMP requests. A valid community name is not required. After a number of SNMP requests are made, the device will fail to respond to further requests. Additionally, all wireless connections will be dropped, and new connections refused. Under some conditions, the device may also fail to respond on the ethernet interface. The Belkin F5D6130 has a design problem: SNMP requests can be made without providing a valid SNMP community string.
VAR-200210-0223 CVE-2002-1069 D-Link DI-804 Remote Management Interface Unauthenticated DHCP Address Release Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The remote administration capability for the D-Link DI-804 router 4.68 allows remote attackers to bypass authentication and release DHCP addresses or obtain sensitive information via a direct web request to the pages (1) release.htm, (2) Device Status, or (3) Device Information. The DI-804 is a hardware gateway and firewall developed and designed by D-Link. The DI-804's web management interface lacks access control, which allows DHCP addresses that have already been allocated to be released. When the web management interface of the DI-804 is enabled, the /release.html page can be used to operate on DHCP-assigned addresses. Due to the lack of access control on the /release.html page, remote attackers can cause allocated addresses to be maliciously released. This page is used to manipulate DHCP-allocated addresses, and could be used to revoke leases on assigned addresses. It is also possible to access the Device Information and Device Status pages. These pages contain information such as the WAN IP, netmask, name server information, DHCP log, and MAC address to IP address mappings. The Device Information page lists the device name, firmware version, and MAC addresses of the LAN and WAN interfaces.
VAR-200212-0524 CVE-2002-1925 Tiny Personal Firewall Local Denial of Service and IP Forgery Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Tiny Personal Firewall 3.0 through 3.0.6 allows remote attackers to cause a denial of service (crash) via SYN, UDP, ICMP and TCP portscans when the administrator selects the Log tab of the Personal Firewall Agent module. Reportedly, Tiny Personal Firewall is vulnerable to a denial of service condition. The vulnerability occurs when a user selects to browse the Personal Firewall Agent logs while the system is being portscanned. This will cause Tiny Personal Firewall to consume all CPU resources and cause the system to stop responding and eventually crash. Tiny Personal Firewall is a firewall suitable for personal computers, which can protect against network attacks, worms, Trojan horses and viruses, and can run under the Microsoft Windows operating system. 2) IP forgery and denial of service vulnerability: when Tiny Personal Firewall is fully configured and the firewall level is set to high, there is a problem in how Tiny Personal Firewall blocks communication whose source address is the firewall's own IP address, and an attacker can forge that source address to bypass firewall rules for packets destined to the firewall's own IP address.
VAR-200212-0399 CVE-2002-1951 GoAhead WebServer Remote buffer overflow vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in GoAhead WebServer 2.1 allows remote attackers to execute arbitrary code via a long HTTP GET request with a large number of subdirectories. GoAhead WebServer is an Open Source embedded web server which supports Active Server Pages, embedded JavaScript, and SSL authentication and encryption. It is available for a variety of platforms including Microsoft Windows and Linux variant operating systems. It has been discovered that a buffer overflow exists in GoAhead WebServer. This could lead to an attacker gaining remote access to a vulnerable host. GoAhead WebServer lacks correct processing of URL requests submitted by users.