VARIoT IoT vulnerabilities database


VAR-200608-0028 CVE-2006-3495 Apple Mac OS X AFP server may disclose file and folder information in search results CVSS V2: 2.1
CVSS V3: -
Severity: LOW
AFP Server in Apple Mac OS X 10.3.9 and 10.4.7 stores reconnect keys in a world-readable file, which allows local users to obtain the keys and access files and folders of other users. The Apple Mac OS X ImageIO framework contains an integer overflow that may allow a remote attacker to execute arbitrary code on an affected system. These issues affect Mac OS X and various applications, including AFP Server, Bluetooth, Bom, DHCP, Image RAW, ImageIO, Launch Services, OpenSSH, and WebKit. A remote attacker may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and disclose potentially sensitive information.
VAR-200608-0042 CVE-2006-0393 Apple Mac OS X AFP server may disclose file and folder information in search results CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
OpenSSH in Apple Mac OS X 10.4.7 allows remote attackers to cause a denial of service or determine account existence by attempting to log in using an invalid user, which causes the server to hang. The Apple Mac OS X ImageIO framework contains an integer overflow that may allow a remote attacker to execute arbitrary code on an affected system. These issues affect Mac OS X and various applications, including AFP Server, Bluetooth, Bom, DHCP, Image RAW, ImageIO, Launch Services, OpenSSH, and WebKit. A remote attacker may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and disclose potentially sensitive information. Attackers can use this behavior to detect whether a specific account exists, and a large number of attempts can also cause a denial of service.
VAR-200504-0292 CVE-2005-1228 gzip zgrep vulnerable to arbitrary command execution

Related entries in the VARIoT exploits database: VAR-E-200504-0243
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file.
------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------
GNU zip (gzip) is a utility that compresses and decompresses files. The package also ships zgrep, which runs grep over compressed files, and gunzip, which decompresses them. gzip 1.2.4 and earlier have several security issues:
1) The zgrep script included with gzip 1.2.4 and earlier does not properly sanitize its arguments (CAN-2005-0758). Details are not currently public, but a local attacker who passes a crafted file name to zgrep may be able to execute arbitrary commands.
2) When decompressing a compressed file, gzip 1.2.4 and earlier have a race condition between writing the decompressed file and changing its permissions (CAN-2005-0988). A local attacker who replaces the decompressed file with a hard link to an arbitrary file at the right moment could alter that file's permissions.
3) When gunzip from gzip 1.2.4 and earlier decompresses a file with the -N flag, it does not properly validate the original file name stored in the archive (CAN-2005-1228). A remote attacker who sends a compressed file whose stored name contains ".." and induces the target user to unpack it with gzip can carry out a directory traversal attack.
Please refer to the "Overview" for the impact of this vulnerability.
The gzip utility is prone to a directory-traversal vulnerability. The issue occurs when gunzip is invoked on a malicious archive using the '-N' option. An archive containing an absolute path for a filename that contains '/' characters can cause the file to be written using the absolute path contained in the filename. A remote attacker may leverage this issue using a malicious archive to corrupt arbitrary files with the privileges of the user that is running the vulnerable software.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200505-05
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: gzip: Multiple vulnerabilities
Date: May 09, 2005
Bugs: #89946, #90626
ID: 200505-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
gzip contains multiple vulnerabilities potentially allowing an attacker to execute arbitrary commands. The zgrep utility improperly sanitizes arguments, which may come from an untrusted source (CAN-2005-0758).
Impact
======
These vulnerabilities could allow arbitrary command execution, changing the permissions of arbitrary files, and installation of files to an arbitrary location in the filesystem.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All gzip users should upgrade to the latest stable version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/gzip-1.3.5-r6"
References
==========
[ 1 ] CAN-2005-0758 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0758
[ 2 ] CAN-2005-0988 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0988
[ 3 ] CAN-2005-1228 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200505-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0
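The traversal described above lives entirely in the FNAME field of the gzip member header (RFC 1952): gunzip -N wrote to whatever name it found there. The following added example, written for this page and not taken from gzip's source, hand-builds a member whose stored name is "../../../etc/passwd" (Python's own gzip writer only ever records a basename, so it cannot produce one), parses the header back, and contrasts the pre-fix behaviour of trusting the stored name with a hardened variant that keeps only the final path component. The output directory and file contents are constructed sample data.

```python
"""Added example: hostile gzip FNAME field vs. a hardened output-name check.
Illustrative code for this page, not gzip's own implementation."""
import gzip
import os
import struct
import zlib
from typing import Optional

# gzip header flag bits (RFC 1952)
FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10


def build_gzip(stored_name: bytes, payload: bytes) -> bytes:
    """Build a minimal single-member gzip file whose FNAME field is exactly
    `stored_name`. Hand-rolled because gzip.GzipFile only writes the basename
    of the output name, so it cannot produce a traversal string."""
    # ID1 ID2 CM=8 (deflate) FLG=FNAME MTIME=0 XFL=0 OS=3 (Unix)
    header = struct.pack("<BBBBIBB", 0x1F, 0x8B, 8, FNAME, 0, 0, 3)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, no zlib wrapper
    body = comp.compress(payload) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload) & 0xFFFFFFFF)
    return header + stored_name + b"\x00" + body + trailer


def read_fname(member: bytes) -> Optional[str]:
    """Parse the member header and return the stored original name, if any."""
    if member[:2] != b"\x1f\x8b" or member[2] != 8:
        raise ValueError("not a deflate gzip member")
    flg = member[3]
    pos = 10  # fixed header length
    if flg & FEXTRA:
        (xlen,) = struct.unpack_from("<H", member, pos)
        pos += 2 + xlen
    if not flg & FNAME:
        return None
    end = member.index(b"\x00", pos)
    return member[pos:end].decode("latin-1")  # RFC 1952: ISO 8859-1


def decompress_member(member: bytes) -> bytes:
    """Python's reader accepts the hand-built member; it simply skips FNAME."""
    return gzip.decompress(member)


def vulnerable_output_path(outdir: str, stored_name: str) -> str:
    """Pre-fix gunzip -N: the stored name is used as given. An absolute name
    replaces outdir entirely and '..' components climb out of it."""
    return os.path.normpath(os.path.join(outdir, stored_name))


def is_safe_stored_name(stored_name: str) -> bool:
    """A stored name is only acceptable as a plain file name with no directory part."""
    return (
        "/" not in stored_name
        and "\\" not in stored_name
        and stored_name not in ("", ".", "..")
    )


def safe_output_path(outdir: str, stored_name: str) -> str:
    """Hardened behaviour: keep only the final path component and refuse
    anything that is still not a plain file name."""
    base = os.path.basename(stored_name.replace("\\", "/"))
    if not is_safe_stored_name(base):
        raise ValueError("unsafe stored file name: %r" % stored_name)
    return os.path.join(outdir, base)


if __name__ == "__main__":
    # Constructed sample: a member whose FNAME climbs out of the extraction directory.
    hostile = build_gzip(b"../../../etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
    name = read_fname(hostile)
    print("stored name:    ", name)
    print("pre-fix target: ", vulnerable_output_path("/home/user/incoming", name))
    print("hardened target:", safe_output_path("/home/user/incoming", name))
```

Note that the decompressed bytes are not what matters here: the member is a perfectly valid gzip file (Python's reader unpacks it without complaint), and only the name handling decides whether /etc/passwd or incoming/passwd is written.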
VAR-200505-0572 CVE-2005-0356 TCP does not adequately validate segments before updating timestamp value

Related entries in the VARIoT exploits database: VAR-E-200505-0236
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple TCP implementations with Protection Against Wrapped Sequence Numbers (PAWS) with the timestamps option enabled allow remote attackers to cause a denial of service (connection loss) via a spoofed packet with a large timer value, which causes the host to discard later packets because they appear to be too old. Certain TCP implementations may allow a remote attacker to arbitrarily modify host timestamp values, leading to a denial-of-service condition. The implementation of the TCP timestamp option has a vulnerability that allows the internal timer of a connection to be changed to an arbitrary value; as a result the system's TCP connections may be reset and service disrupted (DoS). The Transmission Control Protocol (TCP), defined in RFC 793, provides reliable host-to-host transmission over a packet-switched network. RFC 1323 introduces a number of techniques that enhance TCP performance, two of which are TCP timestamps and Protection Against Wrapped Sequence Numbers (PAWS). The PAWS mechanism of RFC 1323 contains a security hole. If TCP timestamps are enabled, both endpoints of a TCP connection use an internal clock to mark the TCP header with a timestamp value. The vulnerability is triggered when an attacker sends a crafted TCP segment to the vulnerable host with its timestamp set to a large value. When the target processes this segment, the timestamp it has recorded for the connection is updated to that value, so valid segments received afterwards may be discarded because their timestamps appear too old. This technique can deny service on the targeted connection.
TITLE: Cisco Various Products TCP Timestamp Denial of Service
SECUNIA ADVISORY ID: SA15393
VERIFY ADVISORY: http://secunia.com/advisories/15393/
CRITICAL: Less critical
IMPACT: DoS
WHERE: From remote
OPERATING SYSTEM:
Cisco SN5400 Series Storage Routers http://secunia.com/product/2188/
Cisco MGX 8900 Series Multiservice Switches http://secunia.com/product/5117/
Cisco MGX 8800 Series Multiservice Switches http://secunia.com/product/5116/
Cisco MGX 8200 Series Edge Concentrators http://secunia.com/product/5115/
Cisco Content Services Switch 11000 Series (WebNS) http://secunia.com/product/1507/
Cisco Aironet 350 Series Access Point http://secunia.com/product/5114/
Cisco Aironet 1200 Series Access Point http://secunia.com/product/1929/
DESCRIPTION: A vulnerability has been reported in some Cisco products, which can be exploited by malicious people to cause a DoS (Denial of Service) on active TCP sessions. Successful exploitation requires knowledge of IP address information of the source and destination of the TCP network connection. The vulnerability affects the following products:
* SN5400 series storage routers
* CSS11000 series content services switches
* AP350 and AP1200 series Access Points running VxWorks
* MGX8200, MGX8800, and MGX8900 series WAN switches (only management interfaces)
SOLUTION:
SN5400 series storage routers: The vulnerability has been addressed by CSCin85370.
CSS11000 series content services switches: The vulnerability has been addressed by CSCeh40395.
AP350 and AP1200 series Access Points: The vendor recommends upgrading APs running VxWorks to Cisco IOS.
MGX series WAN switches: The vulnerability has been documented by CSCeh85125 and CSCeh85130.
PROVIDED AND/OR DISCOVERED BY: US-CERT credits Noritoshi Demizu.
ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sn-20050518-tcpts.shtml
OTHER REFERENCES: US-CERT VU#637934: http://www.kb.cert.org/vuls/id/637934
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Cisco has acknowledged that various Cisco products are affected. The published Internet-Draft details three types of attacks, which utilize the following ICMP messages to cause a negative impact on TCP connections either terminating or originating from a vulnerable device: 1) ICMP "hard" error messages; 2) ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages (known as PMTUD attacks); 3) ICMP "source quench" messages. These attacks can all be exploited to cause TCP connection resets, reduce the throughput in existing TCP connections, or consume large amounts of CPU and memory resources. NOTE: See the original advisory for a list of affected versions. SOLUTION: See patch matrix in vendor advisory for information about fixes.
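The mechanism in the description above (a spoofed segment moves the receiver's TS.Recent forward, after which the peer's genuine segments fail the PAWS check) is easiest to see in a small model of the receive path. The following added example is illustrative code written for this page, not any vendor's stack: it implements the RFC 1323 modular timestamp comparison and a simplified receiver, and runs the same constructed three-segment exchange against a receiver that records TS.Recent from any segment that passes PAWS (the flawed behaviour) and against one that first requires the segment to be acceptable in the receive window. The sequence numbers, window size and timestamp values are constructed for the demonstration; the attacker's sequence number is deliberately far outside the window, since knowing the 4-tuple is all the flawed path requires.

```python
"""Added example: PAWS timestamp poisoning, flawed vs. hardened receiver.
Simplified receive-side TCP state written for this page."""

MASK = (1 << 32) - 1


def ts_lt(a: int, b: int) -> bool:
    """32-bit modular 'a < b' (signed difference), the comparison RFC 1323 uses
    for timestamps so that wrap-around is handled."""
    return ((a - b) & MASK) >= (1 << 31)


class Receiver:
    """One direction of an established connection with the timestamp option on.

    strict=False models the flawed behaviour: TS.Recent is recorded from any
    segment that passes PAWS, before the sequence number is validated.
    strict=True models the fix: a segment must be acceptable in the receive
    window before its TSval may update TS.Recent.
    """

    def __init__(self, rcv_nxt: int, rcv_wnd: int, strict: bool):
        self.rcv_nxt = rcv_nxt
        self.rcv_wnd = rcv_wnd
        self.strict = strict
        self.ts_recent = None  # TS.Recent; None until the first valid timestamp

    def _in_window(self, x: int) -> bool:
        return ((x - self.rcv_nxt) & MASK) < self.rcv_wnd

    def _acceptable(self, seq: int, length: int) -> bool:
        """RFC 793 acceptability test (simplified to a non-zero window)."""
        if length == 0:
            return self._in_window(seq)
        return self._in_window(seq) or self._in_window((seq + length - 1) & MASK)

    def receive(self, seq: int, tsval: int, length: int) -> str:
        # 1. PAWS: a timestamp older than TS.Recent marks an old duplicate; drop it.
        if self.ts_recent is not None and ts_lt(tsval, self.ts_recent):
            return "dropped-paws"
        acceptable = self._acceptable(seq, length)
        # 2. Hardened stacks refuse to learn a timestamp from an out-of-window segment.
        if self.strict and not acceptable:
            return "dropped-window"
        # 3. Record TS.Recent. The flawed path reaches this line for a spoofed
        #    segment whose sequence number the attacker never had to guess.
        self.ts_recent = tsval
        if not acceptable:
            return "dropped-window"
        if seq == self.rcv_nxt:
            self.rcv_nxt = (self.rcv_nxt + length) & MASK
        return "accepted"


def run_scenario(strict: bool) -> list:
    """Constructed traffic: one legitimate segment, one spoofed segment with a
    huge TSval and a guessed sequence number, then the peer's next real segment."""
    rx = Receiver(rcv_nxt=1000, rcv_wnd=65535, strict=strict)
    results = [rx.receive(seq=1000, tsval=100, length=100)]
    # Attacker knows only the 4-tuple; seq is far outside the window. TSval is
    # less than 2^31 ahead of TS.Recent, so PAWS itself does not reject it.
    results.append(rx.receive(seq=5_000_000, tsval=2_000_000_000, length=1))
    # The peer continues normally; its timestamp clock has ticked from 100 to 101.
    results.append(rx.receive(seq=1100, tsval=101, length=100))
    return results


if __name__ == "__main__":
    print("flawed stack:", run_scenario(strict=False))
    print("fixed stack: ", run_scenario(strict=True))
```

On the flawed receiver the third segment, which is entirely legitimate and in-window, is discarded by PAWS, and every later segment from the peer suffers the same fate until its timestamp clock catches up with the injected value. On the hardened receiver the spoofed segment is dropped by the window check before it can touch TS.Recent, so the connection continues.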
VAR-200504-0247 No CVE F5 BIG-IP User Interface Login Credential Caching Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
A vulnerability is present in the F5 BIG-IP user interface. This issue exists because the Configuration utility does not check the credentials for additional sessions from a user once they are logged in. Versions 9.0.2 through to 9.0.4 of BIG-IP are reported vulnerable to this issue.
VAR-200505-1089 CVE-2005-0976 Apple WebCore Framework XMLHttpRequests Remote Code Execution Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
AppleWebKit (WebCore and WebKit), as used in multiple products such as Safari 1.2 and OmniGroup OmniWeb 5.1, allows remote attackers to read arbitrary files via the XMLHttpRequest Javascript component, as demonstrated using automatically mounted disk images and file:// URLs. Web browsers based on AppleWebKit may allow remote web sites to reference content on the local filesystem. This may allow an attacker to execute script within the security context of the local machine. A remote code execution vulnerability affects Apple's WebCore Framework. This issue is due to a failure of the affected framework library to securely handle remote scripts. An attacker may leverage this issue to execute arbitrary code with the privileges of a user that activated the malicious remote script, facilitating unauthorized access and privilege escalation
VAR-200505-1087 CVE-2005-0974 Apple Mac OS X Kernel NFS Mount Denial Of Service Vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Unknown vulnerability in the nfs_mount call in Mac OS X 10.3.9 and earlier allows local users to gain privileges via crafted arguments. This issue exists in Kernel NFS mount functionality and may permit a local attacker to crash the vulnerable computer. It should be noted that this issue was previously reported in BID 13203 (Apple Mac OS X Kernel Multiple Local Privilege Escalation And Denial Of Service Vulnerabilities); it has been assigned its own BID
VAR-200505-0526 CVE-2005-0969 Apple Mac OS X Kernel Syscall Emulation Buffer Overflow Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Heap-based buffer overflow in the syscall emulation functionality in Mac OS X before 10.3.9 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code via crafted parameters. A heap-based buffer overflow vulnerability affects Apple Mac OS X. This issue is due to a failure of the application to securely manage user-supplied data when copying it into sensitive memory space while managing syscall emulation functionality. An attacker may leverage this issue to cause a denial of service condition and potentially execute code with kernel level privileges. It should be noted that this issue was previously reported in BID 13203 (Apple Mac OS X Kernel Multiple Local Privilege Escalation And Denial Of Service Vulnerabilities); it has been assigned its own BID
VAR-200505-1086 CVE-2005-0973 Apple Mac OS X Kernel Setsockopt Local Denial Of Service Vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Unknown vulnerability in the setsockopt system call in Mac OS X 10.3.9 and earlier allows local users to cause a denial of service (memory exhaustion) via crafted arguments. The vendor reports that the kernel 'setsockopt()' function fails to properly validate user-supplied arguments. This issue may allow a local attacker to exhaust computer memory and ultimately trigger a denial of service condition
VAR-200505-1084 CVE-2005-0971 Apple Mac OS X Kernel Semop Local Stack Buffer Overflow Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Stack-based buffer overflow in the semop system call in Mac OS X 10.3.9 and earlier allows local users to gain privileges via crafted arguments. A kernel stack overflow that presents itself in the 'semop()' system call exists in the Apple Mac OS X kernel. This is due to a failure of the affected function to properly handle certain user-supplied arguments. Exploitation of this issue will facilitate code execution with kernel level (ring 0) privileges. It should be noted that this issue was previously reported in BID 13203 (Apple Mac OS X Kernel Multiple Local Privilege Escalation And Denial Of Service Vulnerabilities); it has been assigned its own BID
VAR-200504-0063 CVE-2005-1043 PHP exif.c denial of service (DoS) via crafted EXIF header CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
exif.c in PHP before 4.3.11 allows remote attackers to cause a denial of service (memory consumption and crash) via an EXIF header with a large IFD nesting level, which causes significant stack recursion. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ PHP 4 and later enable support for EXIF (the image file standard used by digital cameras) when compiled with --enable-exif. This lets PHP read the IFD (Image File Directory) tags contained in the EXIF header of JPEG/TIFF images produced by digital cameras (image size and type, compression method, color information, copyright and so on). The EXIF module (exif.c) in PHP 4.3.10 and earlier and PHP 5.0.3 and earlier has a security issue due to inadequate handling of certain IFD tags contained in an image file. Note that EXIF support is not enabled by default in the PHP distributed by the PHP Group, but it is enabled in the PHP packages shipped with some Linux distributions such as Red Hat Enterprise Linux. In addition to this issue, PHP 4.3.11/5.0.4 fix multiple other security issues (such as CAN-2005-0524 and CAN-2005-0525) and bugs, and the PHP Group strongly recommends updating to PHP 4.3.11/5.0.4. Please refer to the "Overview" for the impact of this vulnerability. PHP is prone to a denial of service vulnerability. This issue could manifest itself in Web applications that allow users to upload images. PHP is a server-side scripting language designed to be embedded in HTML files and can run on Windows, Linux and many Unix operating systems.
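The failure mode above (an IFD chain nested deeply enough that a recursive parser exhausts its stack) can be reproduced with a few dozen bytes of TIFF. The following added example is written for this page and is not PHP's exif.c: it constructs two little-endian TIFF files, a benign one whose Exif IFD pointer leads to a second directory and a hostile one whose pointer leads back to the first directory, then walks them with a recursive IFD parser once without a nesting limit and once with one. The nesting limit of 8 is this example's choice; the page does not state the value PHP adopted. Tag numbers used are the standard ones from the TIFF/EXIF specifications.

```python
"""Added example: recursive IFD walk, unbounded vs. depth-limited.
Constructed TIFF input; illustrative code, not PHP's exif.c."""
import struct

EXIF_IFD_POINTER = 0x8769   # tag whose value is the offset of a nested IFD
ISO_SPEED_RATINGS = 0x8827
TYPE_SHORT, TYPE_LONG = 3, 4
MAX_IFD_NESTING = 8         # limit chosen for this example; not PHP's exact value


class IfdTooDeep(ValueError):
    """Raised when IFD nesting exceeds the configured limit."""


def _ifd(entries: list, next_ifd: int = 0) -> bytes:
    """Serialise one IFD: entry count, 12-byte entries, next-IFD offset."""
    body = struct.pack("<H", len(entries))
    for tag, typ, cnt, raw in entries:
        body += struct.pack("<HHII", tag, typ, cnt, raw)
    return body + struct.pack("<I", next_ifd)


def make_tiff(self_referencing: bool) -> bytes:
    """Constructed little-endian TIFF: 8-byte header, IFD0 at offset 8.
    Benign: IFD0's Exif pointer leads to a second IFD at offset 26.
    Hostile: IFD0's Exif pointer leads back to offset 8, an endless chain."""
    header = b"II" + struct.pack("<HI", 42, 8)
    ifd0_len = 2 + 12 + 4                       # one entry
    exif_off = 8 if self_referencing else 8 + ifd0_len
    ifd0 = _ifd([(EXIF_IFD_POINTER, TYPE_LONG, 1, exif_off)])
    exif_ifd = _ifd([(ISO_SPEED_RATINGS, TYPE_SHORT, 1, 400)])
    return header + ifd0 + exif_ifd


def parse_ifd(data: bytes, offset: int, depth: int, max_depth) -> dict:
    """Recursive IFD walk. max_depth=None reproduces unbounded recursion."""
    if max_depth is not None and depth > max_depth:
        raise IfdTooDeep("IFD nesting deeper than %d" % max_depth)
    if offset + 2 > len(data):
        raise ValueError("IFD offset out of range")
    (n,) = struct.unpack_from("<H", data, offset)
    entries = {}
    for i in range(n):
        pos = offset + 2 + 12 * i
        if pos + 12 > len(data):
            raise ValueError("IFD entry out of range")
        tag, typ, cnt, raw = struct.unpack_from("<HHII", data, pos)
        if tag == EXIF_IFD_POINTER and typ == TYPE_LONG:
            entries[tag] = parse_ifd(data, raw, depth + 1, max_depth)
        else:
            entries[tag] = raw          # raw 4-byte value field; enough for this demo
    return entries


def parse_tiff(data: bytes, max_depth=MAX_IFD_NESTING) -> dict:
    if data[:4] != b"II*\x00":
        raise ValueError("only little-endian TIFF is handled here")
    (ifd0,) = struct.unpack_from("<I", data, 4)
    return parse_ifd(data, ifd0, 0, max_depth)


def outcome(data: bytes, max_depth) -> str:
    """Classify what a parser with the given nesting limit does on `data`."""
    try:
        parse_tiff(data, max_depth)
        return "ok"
    except IfdTooDeep:
        return "rejected"
    except RecursionError:
        return "crashed"   # the unbounded parser's fate: interpreter stack exhausted


if __name__ == "__main__":
    print("benign,  bounded  :", outcome(make_tiff(False), MAX_IFD_NESTING))
    print("hostile, unbounded:", outcome(make_tiff(True), None))
    print("hostile, bounded  :", outcome(make_tiff(True), MAX_IFD_NESTING))
```

Python surfaces the unbounded case as a catchable RecursionError; a C parser recursing on the same input has no such safety net and simply overruns its stack, which is the crash the advisory describes. The bounded parser rejects the file after a handful of levels without disturbing the benign case.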
VAR-200504-0129 No CVE Multiple Debugger Malicious Code Execution Vulnerabilities CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Microsoft Visual C++, Microsoft WinDbg, and OllyDbg are very popular debuggers. An access validation vulnerability exists in the implementation of these debuggers that allows code in a program being debugged to execute arbitrary code on the debugging host. The cause is that the affected applications cannot ensure that the code under examination runs in a restricted environment. If an unsuspecting user attempts to debug an attacker-provided executable, malicious code contained in the executable or its libraries runs unconstrained within the debugger's environment. This vulnerability allows a remote attacker to execute arbitrary code in the context of the user running the affected debugger. Because of the security expectations placed on a debugger, even very careful users may be affected. Other debuggers are also likely affected, as the underlying operating system design makes this vulnerability very difficult to avoid.
VAR-200505-0999 CVE-2005-1059 Linksys WET11 Password Update Remote Authentication Bypass Vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Linksys WET11 1.5.4 allows remote attackers to change the password without providing the original password via the data parameter to changepw.html. A remote authentication bypass vulnerability affects Linksys WET11. This issue is due to a failure of the application to validate authentication credentials when processing password change requests. An attacker may leverage this issue to arbitrarily change the administration password of an affected device, facilitating a complete compromise of the device.
TITLE: Linksys WET11 Password Change Security Bypass Vulnerability
SECUNIA ADVISORY ID: SA14871
VERIFY ADVISORY: http://secunia.com/advisories/14871/
CRITICAL: Moderately critical
IMPACT: Security Bypass
WHERE: From local network
OPERATING SYSTEM: Linksys WET11 http://secunia.com/product/645/
DESCRIPTION: Kristian Hermansen has reported a vulnerability in Linksys WET11, which can be exploited by malicious people to bypass certain security restrictions. This can be exploited to set a blank password and gain access to the device. Example: http://[victim]/changepw.html?data=........................ NOTE: In version 1.5.4, successful exploitation requires that a user has logged in recently. The vulnerability has been reported in version 1.5.4. Other versions may also be affected.
SOLUTION: Restrict access to the administrative web interface.
PROVIDED AND/OR DISCOVERED BY: Kristian Hermansen
VAR-200505-1047 CVE-2005-0996 PHP-Nuke Downloads SQL Injection vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple SQL injection vulnerabilities in the Downloads module for PHP-Nuke 7.6 allow remote attackers to execute arbitrary SQL commands via (1) the email or url parameters in the Add function, (2) the min parameter in the viewsdownload function, or (3) the min parameter in the search function. The PHP-Nuke Downloads module is reportedly affected by multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation. These issues are reported to affect PHP-Nuke version 7.6; earlier versions may also be affected.
VAR-200505-1048 CVE-2005-0997 PHP-Nuke Web_Links Multiple SQL Injection vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Multiple SQL injection vulnerabilities in the Web_Links module for PHP-Nuke 7.6 allow remote attackers to execute arbitrary SQL commands via (1) the email or url parameters in the Add function, (2) the url parameter in the modifylinkrequestS function, (3) the orderby or min parameters in the viewlink function, (4) the orderby, min, or show parameters in the search function, or (5) the ratenum parameter in the MostPopular function. The Web_Links module of PHP-Nuke is affected by multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation. These issues are reported to affect PHP-Nuke version 7.6; earlier versions may also be affected
VAR-200505-0997 CVE-2005-1057 Cisco IOS Easy VPN Server fails to properly process ISAKMP profile attributes

Related entries in the VARIoT exploits database: VAR-E-200504-0453
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco IOS 12.2T, 12.3 and 12.3T, when using Easy VPN Server XAUTH version 6 authentication, allows remote attackers to bypass authentication via a "malformed packet". ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ XAUTH (eXtended authentication), an extension of IKE (Internet Key Exchange), is used to authenticate VPN clients. 1) Authentication can be bypassed by a malformed packet (BID 13031). To exploit this issue, however, the attacker must know the shared group key in order to complete IKE Phase 1 negotiation. 2) When certain ISAKMP profile attributes are set but not processed properly, a deadlock condition can occur in communication between the VPN server and its clients (BID 13033). The deadlock condition usually clears over time, but if a malicious client initiates Phase 2 negotiation while it persists, an IPSec SA (Security Association) may be established. Only ISAKMP profiles that use certificate map matching are affected. A remote attacker who exploits these issues could gain unauthorized access to network resources. Please refer to the "Overview" for the impact of this vulnerability. Cisco IOS is the Internet operating system used by Cisco network equipment.
TITLE: Cisco IOS IKE XAUTH Implementation Security Bypass Vulnerabilities
SECUNIA ADVISORY ID: SA14853
VERIFY ADVISORY: http://secunia.com/advisories/14853/
CRITICAL: Moderately critical
IMPACT: Security Bypass
WHERE: From remote
OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/product/50/ Cisco IOS 12.x http://secunia.com/product/182/
DESCRIPTION: Two vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to bypass certain security restrictions.
SOLUTION: See patch matrix in the vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml#software
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml
VAR-200505-1050 CVE-2005-0999 PHP-Nuke Top SQL Injection vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SQL injection vulnerability in the Top module for PHP-Nuke 6.x through 7.6 allows remote attackers to execute arbitrary SQL commands via the querylang parameter. PHP-Nuke is prone to an SQL injection vulnerability. This issue arises due to insufficient sanitization of user-supplied input. This issue may allow a remote attacker to manipulate query logic, potentially leading to unauthorized access to sensitive information such as the administrator password hash or corruption of database data. SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation
VAR-200505-1071 CVE-2005-1020 Cisco IOS Secure Shell Server V2 Remote Denial Of Service Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Secure Shell (SSH) 2 in Cisco IOS 12.0 through 12.3 allows remote attackers to cause a denial of service (device reload) (1) via a username that contains a domain name when using a TACACS+ server to authenticate, (2) when a new SSH session is in the login phase and a currently logged in user issues a send command, or (3) when IOS is logging messages and an SSH session is terminated while the server is sending data. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ SSH (Secure Shell) is a protocol that allows a secure remote connection to a device. SSH protocol versions 1 and 2 exist, and different Cisco IOS versions support different SSH protocol versions. TACACS (Terminal Access Controller Access Control System) is an authentication protocol used for remote login authentication; its extension TACACS+ supports AAA (Authentication, Authorization and Accounting). The SSH server included with Cisco IOS 12.0/12.1/12.2/12.3-based releases has two problems that may cause a denial of service under certain circumstances. 1) When an IOS device is configured as an SSH server with SSH version 2 support, the device reloads if any of the following events occurs (BID 13043): 1-1) when configured to authenticate users against a TACACS+ server, a login is attempted with a user name that includes a domain name; 1-2) while a new SSH session is in the authentication phase, another logged-in user issues the send command; 1-3) message logging is directed to an established SSH session and the SSH session to the IOS device ends while the server is sending data to the client. 2) When configured to authenticate users against a TACACS+ server, a memory leak occurs if login fails because of an incorrect username or password. This problem affects both SSH version 1 and version 2; with version 2 the memory leak occurs even when login succeeds (BID 13042). A remote attacker who exploits these issues can deny service on the target device by intentionally repeating the above events. Note that issues 1-1) and 2) may not apply if RADIUS is used as the authentication method or users are authenticated against a local user database. Reported by Cisco Systems. Please refer to the "Overview" for the impact of this vulnerability. Cisco IOS is reported prone to a remote denial of service vulnerability. It is noted that the vulnerability only affects SSHv2; SSHv1 is not affected.
1) An error when acting as an SSH v2 server for remote management and authenticating against a TACACS+ server can be exploited to cause a vulnerable device to reload.
SOLUTION: See patch matrix in the vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml#software
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml
VAR-200505-1072 CVE-2005-1021 Cisco IOS Secure Shell Server Memory Leak Denial Of Service Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Memory leak in Secure Shell (SSH) in Cisco IOS 12.0 through 12.3, when authenticating against a TACACS+ server, allows remote attackers to cause a denial of service (memory consumption) via an incorrect username or password.
------------ This vulnerability information summarizes multiple vulnerabilities released at the same time. Note that it includes information on vulnerabilities other than the one in the title. ------------
SSH (Secure Shell) is a protocol that allows a secure remote connection to a device. SSH protocol versions 1 and 2 exist, and which version Cisco IOS supports depends on the IOS release. TACACS (Terminal Access Controller Access Control System) is an authentication protocol used for remote login authentication; both TACACS version 1 and the extended TACACS+ are supported as AAA (Authentication, Authorization and Accounting) methods.
The SSH server included in Cisco IOS 12.0/12.1/12.2/12.3-based releases has two problems that can stop it from providing service under certain circumstances.
1) When an IOS device that supports SSH version 2 is configured as an SSH server, the device reloads when any of the following events occurs (BID 13043):
1-1) The device is configured to authenticate users with a TACACS+ server and a login is attempted with a username that includes a domain name.
1-2) While a new SSH session is in the authentication phase, another user who is already logged in issues the send command.
1-3) Message logging is directed to an already established SSH session, and that SSH session to the IOS device ends while the SSH server is sending data to the client.
2) When the device is configured to authenticate users with a TACACS+ server, a memory leak occurs when a login fails because of an incorrect username or password. This problem affects both SSH versions 1 and 2; with version 2, memory leaks even when the login succeeds. (BID 13042)
A remote attacker who exploits these issues can cause a denial of service on the target device by deliberately triggering the above events repeatedly. Issues 1-1) and 2) may not apply if a RADIUS server or the local user database is used as the authentication method instead of TACACS+. Reported by Cisco Systems. Please refer to the “Overview” for the impact of this vulnerability.
This condition is the result of a memory leak that may be triggered by remote clients under some circumstances. If the memory leak is triggered repeatedly, this could exhaust resources on the device, resulting in a reload of the device and persistent denial of service. 1) An error when acting as an SSH v2 server for remote management and authenticating against a TACACS+ server can be exploited to cause a vulnerable device to reload.
SOLUTION: See the patch matrix in the vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml#software
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml
----------------------------------------------------------------------
About: This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
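As an added illustration of the detection side of issue 2) above (example code written for this page, not Cisco's code and not part of the advisory), the following Python reads Cisco IOS SEC_LOGIN syslog messages and flags a source address that produces a burst of SSH authentication attempts, which is the pattern an attacker generates when repeatedly triggering the leak. It assumes the device emits those messages (that is, `login on-failure log` and `login on-success log` are configured, which needs an IOS release with the Login Enhancements feature). The log lines, addresses, time window and threshold are constructed for the example; the threshold is a tunable, since the advisory does not say how much memory each failed login leaks.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the format of Cisco IOS SEC_LOGIN syslog messages.
# They are illustrative and were not captured from a real device.
SAMPLE_LOG = """\
Apr  6 10:15:01.100: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 10:15:01 UTC Wed Apr 6 2005
Apr  6 10:15:02.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 10:15:02 UTC Wed Apr 6 2005
Apr  6 10:15:03.500: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 10:15:03 UTC Wed Apr 6 2005
Apr  6 10:15:04.700: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 198.51.100.7] [localport: 22] at 10:15:04 UTC Wed Apr 6 2005
Apr  6 10:15:05.900: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 10:15:05 UTC Wed Apr 6 2005
Apr  6 10:15:07.100: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 10:15:07 UTC Wed Apr 6 2005
Apr  6 10:20:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] [Source: 203.0.113.9] [localport: 23] [Reason: Login Authentication Failed] at 10:20:00 UTC Wed Apr 6 2005
Apr  6 11:00:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 11:00:00 UTC Wed Apr 6 2005
"""

# Optional sequence number and '*' (clock not authoritative) prefix, then the
# "service timestamps log datetime msec" timestamp, then the SEC_LOGIN body.
LOGIN_RE = re.compile(
    r"^(?:\d+: )?\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%SEC_LOGIN-\d-LOGIN_(?P<result>FAILED|SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\]"
)


def parse_line(line, year=2005):
    """Return a dict for a SEC_LOGIN line, or None for any other line.

    IOS timestamps carry no year, so the caller supplies it (assumed 2005 here).
    """
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"],
            "src": m["src"], "port": int(m["port"])}


def ssh_auth_bursts(lines, window_s=60, threshold=5, failed_only=True):
    """Sliding-window count of SSH (local port 22) authentication attempts per source.

    Returns {source: timestamp} for each source whose attempt count reached
    `threshold` within any `window_s` seconds; the timestamp is the attempt that
    crossed the line. Lines are assumed to be in chronological order.
    With failed_only=False successful logins count as well, which is the right
    setting for SSHv2 because the advisory says the leak also occurs on success.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["port"] != 22:
            continue
        if failed_only and ev["result"] != "FAILED":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged[ev["src"]] = ev["ts"]
    return flagged


if __name__ == "__main__":
    for src, when in ssh_auth_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: SSH authentication burst, threshold reached at {when:%H:%M:%S}")
```

Run with failed_only=False on devices that serve SSHv2, since the advisory says those leak even on successful logins; on SSHv1-only devices the failed-login count is the relevant signal. A burst from one source is an indicator, not proof: a script with a stale password looks the same, so correlate with the free-memory trend from `show memory` before concluding the device is being driven towards a reload.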
VAR-200505-0998 CVE-2005-1058 Cisco IOS Easy VPN Server fails to properly process ISAKMP profile attributes

Related entries in the VARIoT exploits database: VAR-E-200504-0253
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco IOS 12.2T, 12.3 and 12.3T, when processing an ISAKMP profile that specifies XAUTH authentication after Phase 1 negotiation, may not process certain attributes in the ISAKMP profile that specifies XAUTH, which allows remote attackers to bypass XAUTH and move to Phase 2 negotiations.
------------ This vulnerability information summarizes multiple vulnerabilities released at the same time. Note that it includes information on vulnerabilities other than the one in the title. ------------
Cisco IOS implements Easy VPN Server, software that lets remote users communicate securely with a Cisco IOS VPN gateway using IPsec. XAUTH (eXtended authentication), an extension of IKE (Internet Key Exchange), is used to authenticate VPN clients.
The Easy VPN Server implemented in Cisco IOS 12.2/12.3-based releases has several security issues:
1) A specific Internet Key Exchange (IKE) XAUTH message sent to UDP port 500 allows the wrong client to pass XAUTH authentication. (BID 13031) To take advantage of this issue, however, the attacker must know the shared group key in order to complete IKE Phase 1 negotiation.
2) When specific ISAKMP profile attributes are set but not processed properly, a deadlock condition occurs in the communication between the VPN server and clients. (BID 13033) The deadlock condition usually clears over time, but if a malicious client initiates Phase 2 negotiation during that time, an IPsec SA (Security Association) may be established. Only ISAKMP profiles that use certificate map matching are affected.
A remote attacker who exploits these issues could gain unauthorized access to network resources. Please refer to the “Overview” for the impact of this vulnerability. The vulnerability occurs in a case where attributes in an ISAKMP profile that have been assigned to the remote peer are not processed.
Cisco IOS is the Internet operating system used by Cisco network equipment.
----------------------------------------------------------------------
TITLE: Cisco IOS IKE XAUTH Implementation Security Bypass Vulnerabilities
SECUNIA ADVISORY ID: SA14853
VERIFY ADVISORY: http://secunia.com/advisories/14853/
CRITICAL: Moderately critical
IMPACT: Security Bypass
WHERE: From remote
OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/product/50/ Cisco IOS 12.x http://secunia.com/product/182/
DESCRIPTION: Two vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to bypass certain security restrictions.
SOLUTION: See the patch matrix in the vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml#software
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml
----------------------------------------------------------------------
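Both Easy VPN issues above show up on the wire as a departure from the expected IKE exchange order: Phase 1 (Main or Aggressive Mode), then an ISAKMP Transaction exchange carrying XAUTH, then Quick Mode. The following Python is an added example written for this page, not Cisco's code and not a reproduction of the bugs' internals. It parses ISAKMP headers from UDP/500 datagrams and applies two heuristics to a constructed trace: Quick Mode on an SA whose cookies were never seen in a Transaction exchange from the initiating peer (Phase 2 without XAUTH, the symptom of issue 2), and a Transaction message that carries an existing SA's cookies but arrives from a different address than that SA's initiator (the "wrong client" of issue 1). The gateway, client and rogue addresses, cookies and message IDs are made up, and the packets carry only headers because post-Phase-1 payloads would be encrypted anyway.

```python
import struct
from collections import namedtuple

# ISAKMP header, RFC 2408 section 3.1: 28 bytes, network byte order.
HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_HDR_LEN = HDR.size  # 28

# Exchange types. 2 and 4 are Phase 1 (RFC 2409), 32 is Quick Mode (Phase 2),
# 6 is the Transaction exchange used by ISAKMP Configuration Mode / XAUTH
# (draft-ietf-ipsec-isakmp-mode-cfg, draft-ietf-ipsec-isakmp-xauth).
EXCH_MAIN_MODE = 2
EXCH_AGGRESSIVE = 4
EXCH_INFORMATIONAL = 5
EXCH_TRANSACTION = 6
EXCH_QUICK_MODE = 32
FLAG_ENCRYPT = 0x01  # E bit: payloads after the header are encrypted

Header = namedtuple(
    "Header", "icookie rcookie next_payload version exch_type flags msg_id length")


def parse_isakmp_header(data):
    """Decode the fixed ISAKMP header of one UDP/500 datagram."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    h = Header(*HDR.unpack_from(data))
    if h.version >> 4 != 1:
        raise ValueError(f"unsupported ISAKMP major version {h.version >> 4}")
    if h.length < ISAKMP_HDR_LEN or h.length > len(data):
        raise ValueError("ISAKMP length field inconsistent with datagram")
    return h


def build_isakmp(icookie, rcookie, exch_type, flags=0, msg_id=0, body=b""):
    """Assemble a datagram; used only to synthesise the constructed trace below."""
    return HDR.pack(icookie, rcookie, 0, 0x10, exch_type, flags, msg_id,
                    ISAKMP_HDR_LEN + len(body)) + body


class XauthPolicyMonitor:
    """Track ISAKMP SAs seen on UDP/500 and flag Phase 2 that skipped XAUTH.

    SAs are keyed on the initiator cookie, which is fixed from the first
    Phase 1 message onwards. The client's Transaction message (its XAUTH
    REPLY/ACK) marks the SA as XAUTH-complete; the gateway's own Transaction
    messages (REQUEST/SET) do not, since they prove nothing about the client.
    """

    def __init__(self, gateway, require_xauth=True):
        self.gateway = gateway          # address of the Easy VPN server (assumed)
        self.require_xauth = require_xauth
        self.sas = {}                   # icookie -> {"peer": addr, "xauth": bool}
        self.alerts = []                # (kind, source address, icookie)

    def observe(self, src, dst, data):
        h = parse_isakmp_header(data)
        key = h.icookie
        if h.exch_type in (EXCH_MAIN_MODE, EXCH_AGGRESSIVE):
            peer = src if dst == self.gateway else dst
            self.sas.setdefault(key, {"peer": peer, "xauth": False})
        elif h.exch_type == EXCH_TRANSACTION:
            sa = self.sas.get(key)
            if sa is None:
                self.alerts.append(("transaction-without-phase1", src, key))
            elif src == sa["peer"]:
                sa["xauth"] = True
            elif src != self.gateway:
                self.alerts.append(("xauth-from-wrong-peer", src, key))
        elif h.exch_type == EXCH_QUICK_MODE:
            sa = self.sas.get(key)
            if sa is None:
                self.alerts.append(("quick-mode-without-phase1", src, key))
            elif self.require_xauth and not sa["xauth"]:
                self.alerts.append(("phase2-without-xauth", src, key))
        return h


def sample_trace(gateway="198.51.100.1", client="192.0.2.50", rogue="203.0.113.7"):
    """Constructed (src, dst, datagram) tuples; addresses and cookies are made up."""
    ic1, rc1 = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    ic2, rc2 = bytes.fromhex("a1a2a3a4a5a6a7a8"), bytes.fromhex("b1b2b3b4b5b6b7b8")
    zero = b"\x00" * 8
    return [
        # Legitimate client: Aggressive Mode, XAUTH both ways, then Quick Mode.
        (client, gateway, build_isakmp(ic1, zero, EXCH_AGGRESSIVE)),
        (gateway, client, build_isakmp(ic1, rc1, EXCH_AGGRESSIVE)),
        (client, gateway, build_isakmp(ic1, rc1, EXCH_AGGRESSIVE, FLAG_ENCRYPT)),
        (gateway, client, build_isakmp(ic1, rc1, EXCH_TRANSACTION, FLAG_ENCRYPT, 0x1001)),
        (client, gateway, build_isakmp(ic1, rc1, EXCH_TRANSACTION, FLAG_ENCRYPT, 0x1001)),
        # Rogue host injects an XAUTH message carrying the legitimate SA's cookies.
        (rogue, gateway, build_isakmp(ic1, rc1, EXCH_TRANSACTION, FLAG_ENCRYPT, 0x1001)),
        (client, gateway, build_isakmp(ic1, rc1, EXCH_QUICK_MODE, FLAG_ENCRYPT, 0x2001)),
        # Rogue host with the group key: Phase 1 completes, Quick Mode follows with no XAUTH.
        (rogue, gateway, build_isakmp(ic2, zero, EXCH_AGGRESSIVE)),
        (gateway, rogue, build_isakmp(ic2, rc2, EXCH_AGGRESSIVE)),
        (rogue, gateway, build_isakmp(ic2, rc2, EXCH_AGGRESSIVE, FLAG_ENCRYPT)),
        (rogue, gateway, build_isakmp(ic2, rc2, EXCH_QUICK_MODE, FLAG_ENCRYPT, 0x2002)),
    ]


def run_monitor(trace, gateway="198.51.100.1"):
    mon = XauthPolicyMonitor(gateway)
    for src, dst, pkt in trace:
        mon.observe(src, dst, pkt)
    return mon.alerts


if __name__ == "__main__":
    for kind, src, icookie in run_monitor(sample_trace()):
        print(f"{kind}: from {src}, initiator cookie {icookie.hex()}")
```

Both checks look at headers only, so they work unchanged on encrypted traffic but know nothing about whether XAUTH actually succeeded; the wrong-peer check also fires when a legitimate client's address changes mid-session (for example NAT rebinding), so treat an alert as a lead to confirm against the gateway's own IKE logs rather than as proof of exploitation.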