VARIoT IoT vulnerabilities database


VAR-200304-0064 CVE-2002-1440 Gateway GS-400 NAS Servers There is a default administrator password vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The Gateway GS-400 server has a default root password of "0001n" that can not be changed via the administrative interface, which can allow attackers to gain root privileges. The GS-400 is a storage machine distributed by Gateway. A default vendor password of "0001n" is used on all GS-400 servers. This password is unchangeable via the administrative interface. This could allow an attacker with the ability to remotely connect to the server to gain unauthorized access. The Gateway GS-400 server is an IDE RAID system service software package that runs under the Linux operating system. The system has a web-based management console that runs with "admin" user authority. This password is saved in the password file in un-shadowed form, and the password used is not strong enough: it can be cracked by brute-force guessing (5^36 attempts)
VAR-200209-0032 CVE-2002-0852 Cisco VPN client Multiple security vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Buffer overflows in Cisco Virtual Private Network (VPN) Client 3.5.4 and earlier allow remote attackers to cause a denial of service via (1) an Internet Key Exchange (IKE) packet with a large Security Parameter Index (SPI) payload, or (2) an IKE packet with a large number of valid payloads. VPN Client for Linux is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause denial-of-service conditions. The Cisco Virtual Private Network (VPN) Client software is used to communicate with the Cisco VPN Concentrator; it runs on Windows, Solaris, Red Hat Linux, Apple Mac OS and other systems. The Cisco VPN Client software contains multiple security holes that can be exploited by attackers to prevent the Cisco VPN Client software from working properly. * An IKE packet containing more than 57 payloads can trigger a buffer overflow in the VPN Client software. * When the VPN Client software receives a malformed packet with a payload length of zero, it will occupy 100% of the CPU resources of the workstation. The Cisco bug ID for these vulnerabilities is CSCdy26045
VAR-200208-0195 CVE-2002-0485 Norton Anti-Virus (NAV) Bypass content filter vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Norton Anti-Virus (NAV) allows remote attackers to bypass content filtering via attachments whose Content-Type and Content-Disposition headers are in mixed upper and lower case, which is ignored by some mail clients. Norton Anti-Virus (NAV) is prone to a security bypass vulnerability
VAR-200208-0015 CVE-2002-0422 IIS Far East Edition CVE-2002-0422 Remote Security Vulnerability CVSS V2: 2.6
CVSS V3: -
Severity: LOW
IIS 5 and 5.1 supporting WebDAV methods allows remote attackers to determine the internal IP address of the system (which may be obscured by NAT) via (1) a PROPFIND HTTP request with a blank Host header, which leaks the address in an HREF property in a 207 Multi-Status response, or (2) via the WRITE or MKCOL method, which leaks the IP in the Location server header. IIS Far East Edition is prone to a remote security vulnerability
VAR-200208-0044 CVE-2002-0826 Progress Software Ipswitch WS_FTP Server Buffer error vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in WS_FTP FTP Server 3.1.1 allows remote authenticated users to execute arbitrary code via a long SITE CPWD command. Ipswitch WS_FTP Server is an FTP server for Microsoft Windows platforms. Oversized parameters may corrupt process memory, possibly leading to the execution of arbitrary code as the server process. This issue has been reported in WS_FTP Server 3.1.1. Earlier versions may share this vulnerability, but this has not been confirmed. Progress Software Ipswitch WS_FTP Server is a set of FTP server software developed by Progress Software Company in the United States. It provides functions such as file transfer control and transfer encryption. A buffer error vulnerability exists in Progress Software Ipswitch WS_FTP Server version 3.1.1
VAR-200208-0057 CVE-2002-0849 iSCSI Insecure Profile Permissions Local Information Disclosure Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Linux-iSCSI iSCSI implementation installs the iscsi.conf file with world-readable permissions on some operating systems, including Red Hat Linux Limbo Beta #1, which could allow local users to gain privileges by reading the cleartext CHAP password. iSCSI leaves administrative credentials stored in a world-readable configuration file. The configuration file that iSCSI uses is stored in /etc/iscsi.conf. Reportedly, this file is installed, by default, with world-readable and possibly world-writable permissions enabled. This may have some potentially serious consequences, as the configuration file also stores password information in plain text. iSCSI (Small Computer System Interface) is a protocol that supports access to storage devices over a TCP/IP network, which facilitates storage consolidation and sharing of storage resources across organizations. The main authentication mechanism of iSCSI uses the CHAP protocol. There is a configuration problem in the Linux implementation of iSCSI, and local attackers can exploit this vulnerability to obtain authentication passwords and other sensitive information
VAR-200208-0056 CVE-2002-0848 Cisco VPN 5000 Series concentrator RADIUS PAP Authentication vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco VPN 5000 series concentrator hardware 6.0.21.0002 and earlier, and 5.2.23.0003 and earlier, when using RADIUS with a challenge type of Password Authentication Protocol (PAP) or Challenge, sends the user password in cleartext in a validation retry request, which could allow remote attackers to steal passwords via sniffing. The VPN 5000 Concentrator line supports the use of a RADIUS server to authenticate client connections. An error has been reported in this authentication process when either PAP or Challenge authentication is used. If more than one authentication message is transmitted, the client password will be sent in plaintext. Cisco has reported that this issue does not exist if CHAP authentication is used. The Cisco VPN 5000 Series Concentrators consist of a general-purpose remote-access virtual private network (VPN) platform and client software that combines high availability, performance, and scalability with today's most advanced encryption and authentication technologies to provide services for professional operators or enterprise users. User passwords may be sent in clear text. VPN 5000 series concentrators support three RADIUS communication methods: the keyword ChallengeType in the [RADIUS] section can be set to CHAP, PAP or Challenge. When a RADIUS server is used, access requests are sent to the RADIUS server, and user passwords are encrypted as the RFC requires. If, within a certain period of time, the server does not return an Access-Accept packet because of network or configuration problems, the concentrator sends a retry packet, but the user password in this packet is sent in plain text. All Cisco VPN 5000 Series Concentrator hardware using software versions 6.0.21.0002 (and earlier) and 5.2.23.0003 (and earlier) is affected by this vulnerability. This series includes the 5001, 5002 and 5008 models. Older versions of the IntraPort family of concentrator hardware are also affected by this vulnerability.
This series includes IntraPort 2, IntraPort 2+, IntraPort Enterprise-2 and Enterprise-8, IntraPort Carrier-2 and Carrier-8 models. VPN 3000 series concentrator hardware is not affected by this vulnerability
VAR-200212-0006 CVE-2002-1183 Microsoft Vulnerability in arbitrary code execution in product digital certificate authentication process CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Microsoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862). ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ The SSL implementation in Microsoft Internet Explorer (IE) and the S/MIME implementation in Microsoft Outlook Express have a flaw in handling certificates. IE and Outlook S/MIME do not check whether an intermediate certificate authority (intermediate CA) is valid for the domain, so they accept a domain certificate created by a malicious user as legitimate. Normally, the Basic Constraints extension field of an intermediate certificate describes whether the holder has the authority to sign other certificate authorities. The IE and Outlook S/MIME implementations do not sufficiently check this Basic Constraints extension; if the root certificate authority can be trusted, they trust the certificate. For that reason, IE and Outlook S/MIME accept certificates for any domain signed with a bad certificate created by a malicious user as legitimate. By exploiting this problem, an attacker can intercept and steal encrypted information, or perform spoofing. The vendor has reported that Internet Explorer 6.0 SP1 installed after applying Windows 2000 SP4 is affected by this issue. A patch for Windows 2000 SP4 (KB329115) that eliminates this problem was released on November 11, 2003. Please refer to the "Overview" for the impact of this vulnerability. A flaw has been reported in the handling of X.509 certificates by a number of products, including several web browsers.
It may be possible for a malicious party to create certificates for arbitrary domains, which will be treated as trusted by the vulnerable browser. This vulnerability was originally reported in Microsoft's Internet Explorer web browser. Reports state that IIS 5.0 under Windows 2000 is also vulnerable. In this case, client certificate chains are not properly verified. Attackers may exploit this vulnerability to bypass some authentication schemes. This vulnerability also exists in some versions of KDE and the included Konqueror web browser. Versions 3.0.2 and earlier are vulnerable. ** A report suggests that the patch issued by Microsoft may not fully protect against this vulnerability. It may be possible that a malicious site using an invalid certificate may mislead users into believing that a certificate is expired rather than being invalid. ** UPDATE 11/11/03 - Microsoft has updated their bulletin for this issue. Users who installed Internet Explorer 6 after installing Windows 2000 Service Pack 4 may have reintroduced this issue onto their systems. A new patch is available for users who installed Internet Explorer 6 on Windows 2000 SP4 systems
VAR-200209-0010 CVE-2002-0970 KDE of Konqueror Vulnerability in Forged Trusted Site Certificate Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The SSL capability for Konqueror in KDE 3.0.2 and earlier does not verify the Basic Constraints for an intermediate CA-signed certificate, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ * KDE is a comprehensive desktop environment developed for the X Window System. * KDE 2.x and 3.x as implemented in Red Hat Linux have several security issues: 1. The SSL functionality of Konqueror, the web browser included with KDE 3.0.2, has a problem that causes it to treat an untrusted site as a trusted site. 2. Konqueror in KDE 3.0 through 3.0.2 has a flaw in which it does not detect the secure flag of a cookie, so cookies may leak. 3. Konqueror in KDE 3.0.3 and earlier has a cross-site scripting problem. 4. kpf, included in KDE from 3.0.1, has a problem that allows a local attacker to view arbitrary files. 5. The rlogin and telnet protocol implementations in KDE 2.x through 3.0.4 have a flaw that can be exploited by remote and local attackers to execute arbitrary code with the privileges of KDE. 6. resLISa, which provides the LAN browsing function of KDE, has a buffer overflow problem, and LISa has a privilege escalation problem (the LISa service is disabled by default). Please refer to the "Overview" for the impact of this vulnerability. A flaw has been reported in the handling of X.509 certificates by a number of products, including several web browsers. It may be possible for a malicious party to create certificates for arbitrary domains, which will be treated as trusted by the vulnerable browser. The flaw lies in the handling of intermediate certificate authorities.
Normally, intermediate certificates should possess a Basic Constraints field which states the certificate may be used as a signing authority. Vulnerable products do not require the Basic Constraints field be properly defined. A malicious party with one valid certificate may sign a new certificate for an arbitrary domain. This may allow the attacker to spoof a sensitive domain, or to attempt a man-in-the-middle attack against encrypted communications. This vulnerability was originally reported in Microsoft's Internet Explorer web browser. It has been reported that, in the case of Microsoft Internet Explorer, the flaw lies in some cryptographic functions implemented in the operating system. It should be noted that this flaw has not been reported in the Cryptographic API included with Microsoft Windows. Reports state that IIS 5.0 under Windows 2000 is also vulnerable. In this case, client certificate chains are not properly verified. Attackers may exploit this vulnerability to bypass some authentication schemes. Versions 3.0.2 and earlier are vulnerable. ** A report suggests that the patch issued by Microsoft may not fully protect against this vulnerability. It may be possible that a malicious site using an invalid certificate may mislead users into believing that a certificate is expired rather than being invalid. ** UPDATE 11/11/03 - Microsoft has updated their bulletin for this issue. Users who installed Internet Explorer 6 after installing Windows 2000 Service Pack 4 may have reintroduced this issue onto their systems. A new patch is available for users who installed Internet Explorer 6 on Windows 2000 SP4 systems
VAR-200304-0077 CVE-2002-1407 Microsoft Internet Explorer SSL Certificate authentication man-in-the-middle attack vulnerability (MS02-050) CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
TinySSL 1.02 and earlier does not verify the Basic Constraints for an intermediate CA-signed certificate, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack. A flaw has been reported in the handling of X.509 certificates by a number of products, including several web browsers. It may be possible for a malicious party to create certificates for arbitrary domains, which will be treated as trusted by the vulnerable browser. The flaw lies in the handling of intermediate certificate authorities. Vulnerable products do not require the Basic Constraints field be properly defined. A malicious party with one valid certificate may sign a new certificate for an arbitrary domain. This may allow the attacker to spoof a sensitive domain, or to attempt a man-in-the-middle attack against encrypted communications. This vulnerability was originally reported in Microsoft's Internet Explorer web browser. It has been reported that, in the case of Microsoft Internet Explorer, the flaw lies in some cryptographic functions implemented in the operating system. It should be noted that this flaw has not been reported in the Cryptographic API included with Microsoft Windows. Reports state that IIS 5.0 under Windows 2000 is also vulnerable. In this case, client certificate chains are not properly verified. Attackers may exploit this vulnerability to bypass some authentication schemes. This vulnerability also exists in some versions of KDE and the included Konqueror web browser. Versions 3.0.2 and earlier are vulnerable. ** A report suggests that the patch issued by Microsoft may not fully protect against this vulnerability. It may be possible that a malicious site using an invalid certificate may mislead users into believing that a certificate is expired rather than being invalid. ** UPDATE 11/11/03 - Microsoft has updated their bulletin for this issue. 
Users who installed Internet Explorer 6 after installing Windows 2000 Service Pack 4 may have reintroduced this issue onto their systems. A new patch is available for users who installed Internet Explorer 6 on Windows 2000 SP4 systems
VAR-200306-0129 CVE-2002-1463 Multiple Symantec Product initialization TCP Serial number is not strong enough CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Symantec Raptor Firewall 6.5 and 6.5.3, Enterprise Firewall 6.5.2 and 7.0, VelociRaptor Models 500/700/1000 and 1100/1200/1300, and Gateway Security 5110/5200/5300 generate easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections. Symantec produces a range of hardware and software firewall products. A number of these products have been reported to have a vulnerability related to the creation of TCP Initial Sequence Numbers (ISNs). Reportedly, vulnerable products will reuse ISN values for connections with the same source and destination IP and port, over a limited time period. An attacker able to gain knowledge of this ISN may spoof new connections from the specified IP address, or inject data into legitimate connections. Remote attackers can use this vulnerability to perform IP spoofing or data insertion attacks on the current connection. The firewall's application-layer protocol inspection technology can prevent session spoofing and hijacking through random TCP initial sequence numbers for new proxy connections. During this time, an attacker can capture the initial TCP handshake of an early session from a legitimate IP
VAR-200210-0230 CVE-2002-1077 IPSwitch IMail Web Calendar Incomplete Mail Service Rejection Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
IPSwitch IMail Web Calendaring service (iwebcal) allows remote attackers to cause a denial of service (crash) via an HTTP POST request without a Content-Length field. IMail is a commercial email server software package distributed and maintained by Ipswitch, Incorporated. IMail is available for Microsoft Operating Systems. It has been reported that such a transaction with the service results in a crash of the iwebcal service
VAR-200208-0144 CVE-2002-0659 ASN.1 parsing errors exist in implementations of SSL, TLS, S/MIME, PKCS#7 routines CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The ASN1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allows remote attackers to cause a denial of service via invalid encodings. Abstract Syntax Notation number One (ASN.1) is an international standard used to describe and transmit data packets between applications and across networks. In the ASN.1 library of OpenSSL, a buffer overflow vulnerability exists in the ans1_get_length() function when an abnormal certificate is passed to it, which may put OpenSSL into a denial-of-service (DoS) state. This vulnerability is due to parsing errors and affects SSL, TLS, S/MIME, PKCS#7 and certificate creation routines. OpenSSL is an open source general-purpose encryption library developed by the OpenSSL team that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hashing algorithms, etc. There is a vulnerability in the ASN1 interpreter of OpenSSL when dealing with invalid encodings. Remote attackers may use this vulnerability to carry out denial-of-service attacks on applications that use the ASN1 library
VAR-200208-0243 CVE-2002-0655 OpenSSL servers contain a remotely exploitable buffer overflow vulnerability during the SSL3 handshake process CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, does not properly handle ASCII representations of integers on 64 bit platforms, which could allow attackers to cause a denial of service and possibly execute arbitrary code. A remotely exploitable vulnerability exists in OpenSSL servers that could lead to the execution of arbitrary code on the system. OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) protocol. There is a buffer overflow on 64-bit platforms related to the ASCII representation of integers. Remotely exploitable buffer overflow conditions have been reported in OpenSSL. It is possible to overflow these buffers on a vulnerable system if overly large values are submitted by a malicious attacker. It supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hashing algorithms, etc. There is a flaw in the design and implementation of OpenSSL. Under certain circumstances, a remote attacker may use this flaw to cause a denial of service on the server or execute arbitrary instructions on the host.

OpenSSL Security Advisory [30 July 2002]

This advisory consists of two independent advisories, merged, and is an official OpenSSL advisory.

Advisory 1
==========

A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) are conducting a security review of OpenSSL, under the DARPA program CHATS.

Vulnerabilities
---------------

All four of these are potentially remotely exploitable.

1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulnerability is exploitable. Exploit code is NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issue only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0657 to issue 3, and CAN-2002-0655 to issue 4.

In addition various potential buffer overflows not known to be exploitable have had assertions added to defend against them.

Who is affected?
----------------

Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or current development snapshots of 0.9.7 to provide SSL or TLS is vulnerable, whether client or server. 0.9.6d servers on 32-bit systems with SSL 2.0 disabled are not vulnerable. SSLeay is probably also affected.

Recommendations
---------------

Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL to provide SSL or TLS. A patch for 0.9.7 is available from the OpenSSL website (https://www.openssl.org/).

Servers can disable SSL2, alternatively disable all applications using SSL or TLS until the patches are applied. Users of 0.9.7 pre-release versions with Kerberos enabled will also have to disable Kerberos. Clients should be disabled altogether until the patches are applied.

Known Exploits
--------------

There are no known exploits available for these vulnerabilities. As noted above, Neohapsis have demonstrated internally that an exploit is possible, but have not released the exploit code.

References
----------

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657

Acknowledgements
----------------

The project leading to this advisory is sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537. The patch and advisory were prepared by Ben Laurie.

Advisory 2
==========

Vulnerabilities
---------------

The ASN1 parser can be confused by supplying it with certain invalid encodings. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0659 to this issue.

Who is affected?
----------------

Any OpenSSL program which uses the ASN1 library to parse untrusted data. This includes all SSL or TLS applications, those using S/MIME (PKCS#7) or certificate generation routines.

Recommendations
---------------

Apply the patch to OpenSSL, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL. Users of 0.9.7 pre-release versions should apply the patch or upgrade to 0.9.7-beta3 or later. Recompile all applications using OpenSSL.

Exploits
--------

There are no known exploits for this vulnerability.

References
----------

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659

Acknowledgements
----------------

This vulnerability was discovered by Adi Stav <stav@mercury.co.il> and James Yonan <jim@ntlp.com> independently. The patch is partly based on a version by Adi Stav. The patch and advisory were prepared by Dr. Stephen Henson.

Combined patches for OpenSSL 0.9.6d: https://www.openssl.org/news/patch_20020730_0_9_6d.txt
Combined patches for OpenSSL 0.9.7 beta 2: https://www.openssl.org/news/patch_20020730_0_9_7.txt

URL for this Security Advisory: https://www.openssl.org/news/secadv_20020730.txt
VAR-200208-0244 CVE-2002-0656 OpenSSL clients contain a buffer overflow during the SSL3 handshake process CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allow remote attackers to execute arbitrary code via (1) a large client master key in SSL2 or (2) a large session ID in SSL3. The DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10 contains buffer overflows in code that handles responses for network name and address requests. Other resolver libraries derived from BIND 4 such as BSD libc, GNU glibc, and those used by System V UNIX systems may also be affected. An attacker could execute arbitrary code with the privileges of the application that made the request or cause a denial of service. This vulnerability is resolved in BIND versions 4.9.11, 8.2.7, 8.3.4, and BIND 9. Based on recent reports, we believe this vulnerability is being actively exploited. OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) protocol. A remotely exploitable vulnerability exists in OpenSSL servers that could lead to the execution of arbitrary code on the server. OpenSSL has a buffer overflow vulnerability in the server-side handshake processing of SSL version 2.0 (hereafter SSLv2). The issue occurs in the handling of the client key value during the negotiation of the SSLv2 protocol. ***UPDATE: A worm that likely exploits this vulnerability has been discovered propagating in the wild. Additionally, this code includes peer-to-peer and distributed denial-of-service capabilities. There have been numerous reports of intrusions in Europe. It is not yet confirmed whether this vulnerability is in OpenSSL, mod_ssl, or another component. Administrators are advised to upgrade to the most recent versions or to disable Apache, if possible, until more information is available. OpenSSL is prone to a buffer-overflow vulnerability involving overly long SSLv3 session IDs. It supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hashing algorithms, etc.
CERT Summary CS-2002-04, November 26, 2002

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems. Past CERT summaries are available from: CERT Summaries http://www.cert.org/summaries/

Recent Activity

Since the last regularly scheduled CERT summary, issued in August 2002 (CS-2002-03), we have seen trojan horses for three popular distributions, new self-propagating malicious code (Apache/mod_ssl), and multiple vulnerabilities in BIND. In addition, we have issued a new PGP Key. For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change. CERT/CC Current Activity http://www.cert.org/current/current_activity.html

1. Reports received by the CERT/CC indicate that the Apache/mod_ssl worm has already infected thousands of systems. Over a month earlier, the CERT/CC issued an advisory (CA-2002-23) describing four remotely exploitable buffer overflows in OpenSSL.

2. Trojan Horse Sendmail Distribution
The CERT/CC has received confirmation that some copies of the source code for the Sendmail package have been modified by an intruder to contain a Trojan horse. These copies began to appear in downloads from the FTP server ftp.sendmail.org on or around September 28, 2002. On October 8, 2002, the CERT/CC issued an advisory (CA-2002-28) describing various methods to verify software authenticity.
CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution http://www.cert.org/advisories/CA-2002-28.html

3. Trojan Horse tcpdump and libpcap Distributions
The CERT/CC has received reports that some copies of the source code for libpcap, a packet acquisition library, and tcpdump, a network sniffer, have been modified by an intruder and contain a Trojan horse. These modified distributions began to appear in downloads from the HTTP server www.tcpdump.org on or around Nov 11, 2002. The CERT/CC issued an advisory (CA-2002-30) listing MD5 checksums and official distribution sites for libpcap and tcpdump.
CERT Advisory CA-2002-30 Trojan Horse tcpdump and libpcap Distributions http://www.cert.org/advisories/CA-2002-30.html

4. Multiple Vulnerabilities in BIND
The CERT/CC has documented multiple vulnerabilities in BIND, the popular domain name server and client library software package from the Internet Software Consortium (ISC). Several vulnerabilities are referenced in the advisory; they are listed here individually.
CERT Advisory CA-2002-31 Multiple Vulnerabilities in BIND http://www.cert.org/advisories/CA-2002-31.html
Vulnerability Note #852283 Cached malformed SIG record buffer overflow http://www.kb.cert.org/vuls/id/852283
Vulnerability Note #229595 Overly large OPT record assertion http://www.kb.cert.org/vuls/id/229595
Vulnerability Note #581682 ISC Bind 8 fails to properly dereference cache SIG RR elements invalid expiry times from the internal database http://www.kb.cert.org/vuls/id/581682
Vulnerability Note #844360 Domain Name System (DNS) stub resolver libraries vulnerable to buffer overflows via network name or address lookups http://www.kb.cert.org/vuls/id/844360

5. Heap Overflow Vulnerability in Microsoft Data Access Components (MDAC)
On November 21, 2002 the CERT/CC issued an advisory (CA-2002-33) describing a vulnerability in MDAC, a collection of Microsoft utilities and routines that process requests between databases and network applications.
CERT Advisory CA-2002-33 Heap Overflow Vulnerability in Microsoft Data Access Components (MDAC) http://www.cert.org/advisories/CA-2002-33.html

New CERT/CC PGP Key

On September 19, the CERT/CC issued a new PGP key, which should be used when sending sensitive information to the CERT/CC.
CERT/CC PGP Public Key https://www.cert.org/pgp/cert_pgp_key.asc
Sending Sensitive Information To The CERT/CC http://www.cert.org/contact_cert/encryptmail.html

What's New and Updated

Since the last CERT Summary, we have published new and updated
* Advisories http://www.cert.org/advisories/
* Congressional Testimony http://www.cert.org/congressional_testimony/
* CERT/CC Statistics http://www.cert.org/stats/cert_stats.html
* Home User Security http://www.cert.org/homeusers/HomeComputerSecurity
* Tech Tips http://www.cert.org/tech_tips/
* Training Schedule http://www.cert.org/training/

This document is available from: http://www.cert.org/summaries/CS-2002-04.html

CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address: CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh PA 15213-3890 U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information.

Getting security information
CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message: subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information
Copyright ©2002 Carnegie Mellon University.
Various buffers for ASCII representations of integers were too small on 64 bit platforms. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0657 to issue 3, and CAN-2002-0655 to issue 4. In addition various potential buffer overflows not known to be exploitable have had assertions added to defend against them. Who is affected? ---------------- Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or current development snapshots of 0.9.7 to provide SSL or TLS is vulnerable, whether client or server. 0.9.6d servers on 32-bit systems with SSL 2.0 disabled are not vulnerable. SSLeay is probably also affected. Recommendations --------------- Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL to provide SSL or TLS. A patch for 0.9.7 is available from the OpenSSL website (https://www.openssl.org/). Servers can disable SSL2, alternatively disable all applications using SSL or TLS until the patches are applied. Users of 0.9.7 pre-release versions with Kerberos enabled will also have to disable Kerberos. Client should be disabled altogether until the patches are applied. Known Exploits -------------- There are no know exploits available for these vulnerabilities. As noted above, Neohapsis have demonstrated internally that an exploit is possible, but have not released the exploit code. References ---------- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657 Acknowledgements ---------------- The project leading to this advisory is sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537. The patch and advisory were prepared by Ben Laurie. 
Advisory 2 ========== Vulnerabilities --------------- The ASN1 parser can be confused by supplying it with certain invalid encodings. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0659 to this issue. Who is affected? ---------------- Any OpenSSL program which uses the ASN1 library to parse untrusted data. This includes all SSL or TLS applications, those using S/MIME (PKCS#7) or certificate generation routines. Recommendations --------------- Apply the patch to OpenSSL, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL. Users of 0.9.7 pre-release versions should apply the patch or upgrade to 0.9.7-beta3 or later. Recompile all applications using OpenSSL. References ---------- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659 Acknowledgements ---------------- This vulnerability was discovered by Adi Stav <stav@mercury.co.il> and James Yonan <jim@ntlp.com> independently. The patch is partly based on a version by Adi Stav. The patch and advisory were prepared by Dr. Stephen Henson. Combined patches for OpenSSL 0.9.6d: https://www.openssl.org/news/patch_20020730_0_9_6d.txt Combined patches for OpenSSL 0.9.7 beta 2: https://www.openssl.org/news/patch_20020730_0_9_7.txt URL for this Security Advisory: https://www.openssl.org/news/secadv_20020730.txt
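The defensive response to the trojaned Sendmail and tcpdump/libpcap distributions above is to check every downloaded archive against a digest published through a channel the download server cannot tamper with (the advisory text itself, or a signed release announcement). The script below is an added example written for this page; it is not part of the CERT summary, the OpenSSL advisory or any project's own tooling. The function names, the support for both coreutils ("hex  name") and BSD/OpenSSL ("MD5 (name) = hex") manifest formats, and the fallback to openssl dgst are assumptions; the sample archive and manifest lines used when exercising it are constructed, not real release data.

```shell
#!/bin/sh
# Added example: verify a downloaded archive against an out-of-band checksum
# manifest. Exit status of verify_download: 0 match, 1 digest mismatch,
# 2 file not listed in the manifest (or unsupported algorithm).

# digest_of ALGO FILE -> prints the lowercase hex digest of FILE.
# Uses coreutils md5sum/sha256sum when present, otherwise openssl dgst.
digest_of() {
    algo=$1; file=$2
    case "$algo" in
        md5)
            if command -v md5sum >/dev/null 2>&1; then md5sum "$file" | cut -d' ' -f1
            else openssl dgst -md5 "$file" | awk '{print $NF}'; fi ;;
        sha256)
            if command -v sha256sum >/dev/null 2>&1; then sha256sum "$file" | cut -d' ' -f1
            else openssl dgst -sha256 "$file" | awk '{print $NF}'; fi ;;
        *)
            echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
}

# expected_digest MANIFEST NAME -> prints the digest MANIFEST lists for NAME.
# Understands "<hex>  name", "<hex> *name" (coreutils binary mode) and
# "MD5 (name) = <hex>" (BSD / openssl style). Prints nothing if NAME is absent.
expected_digest() {
    manifest=$1; name=$2
    awk -v n="$name" '
        $2 == n || $2 == "*" n        { print tolower($1); exit }   # coreutils style
        $2 == "(" n ")" && $3 == "="  { print tolower($4); exit }   # BSD style
    ' "$manifest"
}

# verify_download FILE MANIFEST ALGO -> compares FILE's digest to the manifest.
# A file that is not listed is rejected: silence is not evidence of integrity.
verify_download() {
    file=$1; manifest=$2; algo=$3
    name=$(basename "$file")
    want=$(expected_digest "$manifest" "$name")
    if [ -z "$want" ]; then
        echo "REJECT: $name is not listed in $manifest" >&2
        return 2
    fi
    have=$(digest_of "$algo" "$file") || return 2
    if [ "$have" = "$want" ]; then
        echo "OK: $name $algo=$have"
        return 0
    fi
    echo "REJECT: $name $algo mismatch (manifest $want, file $have)" >&2
    return 1
}

# Usage: sh verify_download.sh ARCHIVE MANIFEST md5|sha256
if [ $# -eq 3 ]; then
    verify_download "$1" "$2" "$3"
fi
```

A matching digest only proves the file equals what the manifest describes; if the manifest was fetched from the same compromised server as the archive, both can be replaced together. A detached signature checked against a key obtained earlier (gpg --verify archive.sig archive) closes that gap, and MD5 is no longer collision resistant, so prefer SHA-256 manifests where the publisher offers them.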
VAR-200208-0247 CVE-2002-0638 util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility CVSS V2: 6.2
CVSS V3: -
Severity: MEDIUM
setpwnam.c in the util-linux package, as included in Red Hat Linux 7.3 and earlier, and other operating systems, does not properly lock a temporary file when modifying /etc/passwd, which may allow local users to gain privileges via a complex race condition that uses an open file descriptor in utility programs such as chfn and chsh. The util-linux package contains a race condition vulnerability that can be used to elevate privileges on the system. The util-linux package is a set of commonly used system utilities such as 'chfn' and 'chsh'. It is included with many Linux distributions. The condition is related to file locking. Failure to check for the existence of a lockfile prior to sensitive operations may, under specific circumstances, open a window of opportunity for attack. The util-linux utilities often write to sensitive files such as /etc/passwd. The reported attacks are complex, time dependent and require specific circumstances such as system administrator interaction and a large passwd file. Red Hat Linux is known to ship with util-linux as a core component. Other distributions, those derived from Red Hat in particular, may also be vulnerable. It should be noted that the utilities included with the shadow-utils package (shipped with SuSE Linux) are not vulnerable. The util-linux package contains multiple tools for performing Linux system functions. For example, the 'chfn' tool allows users to modify personal information stored in the /etc/passwd file. To modify this file, the application must be installed setuid root. Under certain conditions, a carefully constructed sequence of operations can abuse the flawed file locking and modification logic in login-utils/setpwnam.c to win a race condition while files such as /etc/passwd are being modified, and thereby escalate privileges.
However, successfully exploiting this vulnerability to escalate privileges requires some interaction from the administrator. In addition, the password file must exceed 4K bytes, and when a local attacker modifies the /etc/passwd file, the modified entry must not be located in the final 4K bytes of the password file
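The defect described in this entry is a check-then-act gap: the utility decides that no lock is held and then acts, and another process can slip in between. The block below is an added example written for this page, not util-linux code and not its fix; it shows the pattern that closes that gap for any setuid editor of a passwd-style file: the lock is taken with a single O_CREAT|O_EXCL open, which either succeeds atomically or fails with EEXIST, and the new contents are written to a temporary file and rename()d over the target so readers never observe a partial file. The function names (acquire_lock, replace_file_atomically, update_under_lock, run_demo), the scratch directory under /tmp and the sample passwd line are assumptions constructed for the demonstration.

```c
/* Added example (not util-linux code): atomic lock file plus write-to-temp
 * and rename(), the two pieces a setuid editor of /etc/passwd needs so that
 * no window exists between "no lock present" and "lock taken". */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Returns a descriptor for the lock file, or -1 with errno == EEXIST when
 * another editor already holds it. Existence check and creation are one
 * syscall, so a competing process cannot interleave between them. */
int acquire_lock(const char *lockpath) {
    return open(lockpath, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

void release_lock(const char *lockpath, int fd) {
    close(fd);
    unlink(lockpath);
}

/* Write contents to "<target>.tmp" (also O_EXCL: a stale or pre-planted file
 * of that name makes us fail instead of writing into it), fsync, then rename
 * over target. Returns 0 on success, -1 on any failure, leaving target intact. */
int replace_file_atomically(const char *target, const char *contents) {
    char tmp[512];
    if (snprintf(tmp, sizeof tmp, "%s.tmp", target) >= (int)sizeof tmp) return -1;
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    size_t len = strlen(contents);
    if (write(fd, contents, len) != (ssize_t)len || fsync(fd) != 0) {
        close(fd); unlink(tmp); return -1;
    }
    close(fd);
    if (rename(tmp, target) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Edit target under the lock; refuses (returns -1) when the lock is held. */
int update_under_lock(const char *target, const char *lockpath, const char *contents) {
    int lfd = acquire_lock(lockpath);
    if (lfd < 0) return -1;
    int rc = replace_file_atomically(target, contents);
    release_lock(lockpath, lfd);
    return rc;
}

/* Self-contained demonstration on a constructed scratch copy under /tmp,
 * never the real /etc/passwd. Returns 0 when every step behaves as described,
 * otherwise the number of the step that failed. */
int run_demo(void) {
    char dir[64], target[128], lock[128], buf[64];
    const char *line = "root:x:0:0::/root:/bin/sh\n";   /* constructed sample */
    snprintf(dir, sizeof dir, "/tmp/passwd_lock_demo_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return 1;
    snprintf(target, sizeof target, "%s/passwd", dir);
    snprintf(lock, sizeof lock, "%s/passwd.lock", dir);

    /* Step 2-4: an uncontended edit succeeds and the contents land in place. */
    if (update_under_lock(target, lock, line) != 0) return 2;
    FILE *f = fopen(target, "r");
    if (!f || !fgets(buf, sizeof buf, f)) return 3;
    fclose(f);
    if (strcmp(buf, line) != 0) return 4;

    /* Step 5-6: while the lock is held, a second editor is refused with EEXIST. */
    int held = acquire_lock(lock);
    if (held < 0) return 5;
    if (update_under_lock(target, lock, "other:x:1000:1000::/home/other:/bin/sh\n") != -1
        || errno != EEXIST) return 6;
    release_lock(lock, held);

    /* Step 7-8: the refused edit left the file untouched. */
    f = fopen(target, "r");
    if (!f || !fgets(buf, sizeof buf, f)) return 7;
    fclose(f);
    if (strcmp(buf, line) != 0) return 8;

    unlink(target);
    rmdir(dir);
    return 0;
}

int main(void) {
    int rc = run_demo();
    if (rc == 0) printf("lock/rename demo OK\n");
    else printf("demo failed at step %d\n", rc);
    return rc;
}
```

The O_EXCL lock is the minimal fix for the class of bug in this entry; a production editor would additionally refuse to proceed if the lock file is older than some threshold (a crashed editor leaves it behind) and would copy the target's ownership and mode onto the temporary file before renaming.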
VAR-200210-0222 CVE-2002-1068 D-Link Print Server Long Denial of Service POST Request Remote Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The web server for D-Link DP-300 print server allows remote attackers to cause a denial of service (hang) via a large HTTP POST request. The DP-303 print server is a hardware device developed by D-Link that makes printers available as shares over Ethernet. It has a built-in web interface for management. The DP-303 print server's web interface does not properly check the length of a POST request when processing it. Remote attackers can use this vulnerability to conduct remote denial of service attacks
VAR-200212-0098 CVE-2002-2149 Lucent Access Point IP Service Router Long HTTP Request Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Buffer overflow in Lucent Access Point 300, 600, and 1500 Service Routers allows remote attackers to cause a denial of service (reboot) via a long HTTP request to the administrative interface. An error has been reported in the embedded HTTP server. It has been reported that sending an HTTP request consisting of approximately 4000 characters of data will cause the device to reboot. This may result in an interruption of service for legitimate users of the device
VAR-200210-0221 CVE-2002-1067 SEH IC9 Pocket Print Server Web Management Interface Improper Password Field Handling Remote Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Administrative web interface for IC9 Pocket Print Server Firmware 7.1.30 and 7.1.36f allows remote attackers to cause a denial of service (reboot and reset) via a long password, possibly due to a buffer overflow. IC9 is the Pocket Print Server distributed by SEH. It provides network capability to parallel port printers. A user accessing the web administration interface of a vulnerable device may be able to reboot the print server and the attached printer. This results in a denial of service, as the print server and printer are unavailable during the reboot process. If an attacker can reach the web management interface and submit a password field of more than 300 bytes to the management interface program for processing, the printer crashes and the device restarts
VAR-200208-0031 CVE-2002-0813 Cisco IOS TFTP Service Long File Name Remote Buffer Overflow Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Heap-based buffer overflow in the TFTP server capability in Cisco IOS 11.1, 11.2, and 11.3 allows remote attackers to cause a denial of service (reset) or modify configuration via a long filename. A problem has been discovered in Cisco IOS and MGX switches that could result in a denial of service, and potential code execution. This overflow results from insufficient bounds checking on requested file names. A request for a file name of 700 or more bytes will result in a crash of the router and a reboot of the device. On Cisco MGX switches, the TFTP service will fail but the device will continue to function. Cisco IOS versions 12.0 and later are not prone to this issue. Cisco has assigned Cisco Bug ID CSCdy03429 to this vulnerability. Cisco has announced that some MGX switches are also affected by this issue. Cisco routers are widely used Internet routers developed by Cisco, running the Cisco IOS operating system