VARIoT IoT vulnerabilities database


VAR-200109-0135 CVE-2001-1105 RSA BSAFE SSL-J Verification bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
RSA BSAFE SSL-J 3.0, 3.0.1 and 3.1, as used in Cisco iCND 2.0, caches session IDs from failed login attempts, which could allow remote attackers to bypass SSL client authentication and gain access to sensitive data by logging in after an initial failure. A vulnerability exists in several versions of RSA's SSL-J Software Development Kit (SDK) that can enable an attacker to bypass SSL client authentication. Under certain conditions, if an error occurs during the SSL client-server handshake, the SSL session key may be stored in the session cache rather than being discarded. Once cached, this session key can be presented by an attacker to resume the session, causing the server to skip the full client authentication handshake in favour of the much shorter resumption handshake. This effectively allows the attacker to bypass client authentication entirely. On systems that rely solely on the authentication mechanism provided by SSL, this could enable an attacker to perform unauthorized actions. Additional technical details are forthcoming
VAR-200109-0040 CVE-2001-0940 Check Point Firewall-1 GUI Log Viewer Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in the GUI authentication code of Check Point VPN-1/FireWall-1 Management Server 4.0 and 4.1 allows remote attackers to execute arbitrary code via a long user name. Firewall-1 is a popular stateful-inspection firewall. It has been reported that Firewall-1 may contain a buffer overflow vulnerability. The vulnerability is allegedly in the logging of authentication attempts by GUI log viewing clients. The attack must be launched from hosts that are permitted to view logs via the GUI interface. This vulnerability is present only in the Windows NT and 2000 versions of the product
VAR-200109-0134 CVE-2001-1446 Apache web server performs case sensitive filtering on Mac OS X HFS+ case insensitive filesystem CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Find-By-Content in Mac OS X 10.0 through 10.0.4 creates world-readable index files named .FBCIndex in every directory, which allows remote attackers to learn the contents of files in web accessible directories. The Apache (1.3.14) web server's file access protection scheme can be bypassed on the Mac OS X HFS+ filesystem. Mac OS X's Find-By-Content indexing may store file data where it can be served to remote users by Apache. Requesting a URL with the relative path of a '.DS_Store' file will reveal the contents of the requested directory. This vulnerability could be used in conjunction with a previously discovered issue (BID 2852), which causes files to be arbitrarily disclosed through mixed-case file requests. A remote attacker may read the indexed contents of files by submitting a URL to the vulnerable host's web service of the following form: http://www.example.com/target_directory/.FBCIndex. This could provide an attacker with sensitive information including potential passwords useful in dictionary attacks, system configuration, installed applications, etc. Properly exploited, this information could allow an attacker to further compromise the security of the host
VAR-200109-0012 CVE-2001-1101 Check Point Firewall-1 Client Log Viewer Symbolic Link Vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The Log Viewer function in the Check Point FireWall-1 GUI for Solaris 3.0b through 4.1 SP2 does not check for the existence of '.log' files when saving files, which allows (1) remote authenticated users to overwrite arbitrary files ending in '.log', or (2) local users to overwrite arbitrary files via a symlink attack. Check Point Firewall-1 is a commercial firewall implementation designed for small to enterprise sized networks. A problem with Firewall-1 makes it possible for a local user to overwrite critical system files. This makes it possible for a user with administrative access to Firewall-1 and local shell access to deny service to legitimate users of the system. This can cause a local denial of service attack
VAR-200109-0013 CVE-2001-1102 Check Point Firewall-1 Policy Compilation Symbolic Link Vulnerability CVSS V2: 6.2
CVSS V3: -
Severity: MEDIUM
Check Point FireWall-1 3.0b through 4.1 for Solaris allows local users to overwrite arbitrary files via a symlink attack on temporary policy files that end in a .cpp extension, which are set world-writable. Check Point Firewall-1 is a commercial firewall implementation designed for small to enterprise sized networks. A problem with Firewall-1 has been discovered that makes it possible for a local user to change the permissions of root-owned files to world-writable, and potentially gain elevated privileges. The problem is in the creation of predictable /tmp files. Upon editing firewall rules and committing them, a file is created in /tmp using the name of the policy as the filename and .cpp as the extension. The file's permissions are set to rw-rw-rw- (666), which allows anyone to modify it. Because the path is not checked for being a symbolic link before the file is created, a local user can pre-create a symlink at the predictable name pointing at a root-owned file; when the policy is compiled, that file is overwritten and becomes world-writable, which can lead to local root access. If an attacker has permission to compile firewall policies and has shell access to the system where the firewall resides, this vulnerability could be exploited to elevate privileges
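The temp-file pattern described above, and the hardened form a practitioner would want, as an added example that is not Check Point's code: a writer that creates a predictable name with a symlink-following open() and then chmods it to 666, next to one that uses O_EXCL and O_NOFOLLOW with mode 0600. The "victim" file, the policy name "Standard" and the directory layout are constructed for the demonstration.

```python
import os
import stat
import tempfile


def write_policy_vulnerable(tmpdir, policy_name, data):
    """Mimics the reported behaviour: predictable name, open() that follows
    symlinks, then chmod 666. If an attacker pre-created tmpdir/<policy>.cpp as
    a symlink, the target file is truncated, overwritten and made world-writable."""
    path = os.path.join(tmpdir, policy_name + ".cpp")
    with open(path, "w") as f:          # O_CREAT without O_EXCL: follows a symlink
        f.write(data)
    os.chmod(path, 0o666)               # chmod also follows the symlink
    return path


def write_policy_safe(tmpdir, policy_name, data):
    """Hardened variant: O_EXCL refuses to create through an existing path
    (a symlink included, wherever it points), O_NOFOLLOW refuses symlinks
    outright, and mode 0600 keeps other users away from the compiled policy."""
    path = os.path.join(tmpdir, policy_name + ".cpp")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Stage the attack in a private temp directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")  # stands in for a root-owned file
        with open(victim, "w") as f:
            f.write("original contents")
        os.chmod(victim, 0o600)

        # Attacker's move: plant a symlink at the predictable policy file name.
        os.symlink(victim, os.path.join(tmp, "Standard.cpp"))

        # Vulnerable writer follows the link: victim is overwritten and chmod'ed.
        write_policy_vulnerable(tmp, "Standard", "compiled policy")
        with open(victim) as f:
            clobbered = f.read()
        victim_mode = stat.S_IMODE(os.stat(victim).st_mode)

        # Hardened writer refuses to go through the planted link.
        try:
            write_policy_safe(tmp, "Standard", "compiled policy")
            safe_refused = False
        except FileExistsError:
            safe_refused = True

        return {
            "clobbered": clobbered,
            "victim_mode": victim_mode,
            "safe_refused": safe_refused,
        }


if __name__ == "__main__":
    print(demo())
```

On a POSIX system the vulnerable writer reports the victim's contents replaced and its mode changed to 0666, while the hardened writer raises FileExistsError. Using tempfile.mkstemp() for an unpredictable name is the usual alternative when the file name does not have to be derived from the policy name.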
VAR-200109-0011 CVE-2001-1099 Microsoft Exchange Code problem vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The default configuration of Norton AntiVirus for Microsoft Exchange 2000 2.x allows remote attackers to identify the recipient's INBOX file path by sending an email with an attachment containing malicious content, which includes the path in the rejection notice. A problem exists in Microsoft Exchange 2000 when running with Norton AntiVirus for Microsoft Exchange. A host running this combination of software can be tricked into disclosing mail directory paths to an attacker. Message attachments sent to an affected host will be scanned for malicious content by Norton AntiVirus for Microsoft Exchange. Upon rejection, the message will be bounced back to the sender with notification of why the message was rejected. When this happens, the path to the intended recipient's INBOX is sent in the message header of the rejection notification. The expected behavior is that the header in the returned message will only contain the destination address of the user and not the path of the user's INBOX. This can be exploited by an attacker who intentionally crafts a message to a user on the host which contains an attachment which will be rejected by the host
VAR-200109-0103 CVE-2001-1137 D-Link DI-704 fragmented IP datagram denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
D-Link DI-704 Internet Gateway firmware earlier than V2.56b6 allows remote attackers to cause a denial of service (reboot) via malformed IP datagram fragments. The D-Link DI-704 is a DSL/cable router and switch designed for home network use. A problem has been discovered in the DI-704 router. Upon receiving a high volume of fragmented IP packets, the router begins to become resource starved. After receiving these packets for a period greater than two minutes, the router becomes unstable and ceases operation. This results in a denial of service to users on either side of the router. A power cycle is required to resume normal operation
VAR-200110-0073 CVE-2001-0669 Multiple intrusion detection systems may be circumvented via %u encoding CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Various Intrusion Detection Systems (IDS) including (1) Cisco Secure Intrusion Detection System, (2) Cisco Catalyst 6000 Intrusion Detection System Module, (3) Dragon Sensor 4.x, (4) Snort before 1.8.1, (5) ISS RealSecure Network Sensor 5.x and 6.x before XPU 3.2, and (6) ISS RealSecure Server Sensor 5.5 and 6.0 for Windows, allow remote attackers to evade detection of HTTP attacks via non-standard "%u" Unicode encoding of ASCII characters in the requested URL. Multiple intrusion detection systems may be circumvented via %u encoding, allowing intruders to launch attacks undetected. The Microsoft IIS web server supports a non-standard method of encoding web requests: an IDS that normalizes only the standard %XX form before signature matching will not see the decoded attack, while IIS decodes and executes it. If there is no web server support for this encoding method, or if it is disabled, there will be no targets to which encoded attacks can be sent. **NOTE**: Only RealSecure, Dragon and Snort are confirmed vulnerable. It is highly likely that IDS systems from other vendors are vulnerable as well, however confirmation has not been received. This record will be updated as more information becomes available regarding affected technologies. BlackICE products detect '%u' encoded requests as invalid, but do not decode them, so encoded attack signatures are not matched
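The evasion in the entry above, as an added example that is not taken from any of the listed products: a decoder that understands only the standard %XX form beside one that also accepts the IIS %uXXXX form, with both run over the same constructed request before signature matching. The two signature strings, the request path and file names are constructed for the demonstration and are not any vendor's real rule set.

```python
import re

# Constructed sample signatures: byte patterns an IDS would look for in a
# decoded request path. Not taken from any product's real rule set.
SIGNATURES = ("../", "cmd.exe")

_STANDARD = re.compile(r"%([0-9A-Fa-f]{2})")
_IIS_STYLE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_standard(path):
    """RFC-style decoder: only %XX is understood. '%u002e' is left untouched,
    which is exactly why a sensor built this way misses the attack."""
    return _STANDARD.sub(lambda m: chr(int(m.group(1), 16)), path)


def decode_iis_style(path):
    """Decoder that mirrors what IIS accepts: %uXXXX (a 16-bit code unit) as
    well as %XX. Normalising with this before matching closes the evasion."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 16))
    return _IIS_STYLE.sub(repl, path)


def match_signatures(path, decoder):
    """Return the signatures that fire on the request after 'decoder' normalises it."""
    decoded = decoder(path)
    return [s for s in SIGNATURES if s in decoded]


# Constructed evasion request: every character that a signature would hit is
# written as %u00XX. Path and file names are illustrative only.
EVASIVE_REQUEST = "/scripts/%u002e%u002e/%u0063md%u002eexe?/c+dir"
PLAIN_REQUEST = "/scripts/../cmd.exe?/c+dir"


if __name__ == "__main__":
    for label, decoder in (("standard %XX only", decode_standard),
                           ("IIS-style %u aware", decode_iis_style)):
        print(f"{label:20s} plain: {match_signatures(PLAIN_REQUEST, decoder)}"
              f"  evasive: {match_signatures(EVASIVE_REQUEST, decoder)}")
```

The %XX-only decoder matches both signatures on the plain request and none on the %u-encoded one; the %u-aware decoder matches both on both. The practical check is the same one made here: normalise the way the target server does, not the way the RFC says, and count a request that still contains %u after standard decoding as suspicious in its own right.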
VAR-200109-0126 CVE-2001-1456 Network Associates CSMAP and smap/smapd vulnerable to buffer overflow thereby allowing arbitrary command execution CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in the (1) smap/smapd and (2) CSMAP daemons for Gauntlet Firewall 5.0 through 6.0 allows remote attackers to execute arbitrary code via a crafted mail message. A remotely exploitable buffer overflow exists in the Gauntlet Firewall. A boundary condition error exists in the smap/smapd and CSMAP daemons shipped with several popular Network Associates products. The smap/smapd and CSMAP daemons are proxy servers used to handle e-mail transactions for both inbound and outbound e-mail. By successfully exploiting this condition, an attacker may be able to cause arbitrary code/commands to be executed on a vulnerable system with the privileges of the attacked daemon. Additional technical details are currently unknown. Some versions of SGI IRIX shipped with the Gauntlet Firewall package, and in the past it was a supported SGI product. While it is no longer supported, SGI IRIX versions 6.5.2, 6.5.3, 6.5.4 and 6.5.5 may be prone to this issue
VAR-200108-0012 CVE-2000-1201 Check Point Software Technologies FireWall-1 port 264 denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Check Point FireWall-1 allows remote attackers to cause a denial of service (high CPU) via a flood of packets to port 264. The underlying flaw in Check Point Software Technologies FireWall-1 is unspecified. Firewall-1 is prone to a denial-of-service vulnerability
VAR-200108-0018 CVE-2001-1065 Cisco 600 series CBOS web-based configuration port exposure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Web-based configuration utility in Cisco 600 series routers running CBOS 2.0.1 through 2.4.2ap binds itself to port 80 even when web-based configuration services are disabled, which could leave the router open to attack. CBOS is prone to a remote security vulnerability: because the listener stays bound after the service is disabled, the router remains reachable on TCP port 80 and open to attack against that service
VAR-200108-0017 CVE-2001-1064 Cisco CBOS multiple TCP connection denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco 600 series routers running CBOS 2.0.1 through 2.4.2ap allows remote attackers to cause a denial of service via multiple connections to the router on the (1) HTTP or (2) telnet service, which causes the router to become unresponsive and stop forwarding packets. CBOS is the Cisco Broadband Operating System, firmware designed for use on Cisco 600 series routers. It is maintained and distributed by Cisco Systems. CBOS becomes unstable when it receives multiple TCP connections on one of the two administrative ports: 23 (telnet) or 80 (HTTP). Upon receiving multiple connections on one of these two ports, the 600 series router becomes incapable of configuration and requires a reboot to resume normal operation. This problem affects the following Cisco 600 series routers: 627, 633, 673, 675, 675E, 677, 677i and 678
VAR-200109-0117 CVE-2001-0506 Microsoft Internet Information Server (IIS) vulnerable to buffer overflow via malformed server-side include directive CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Buffer overflow in ssinc.dll in IIS 5.0 and 4.0 allows local users to gain system privileges via a Server-Side Includes (SSI) directive for a long filename, which triggers the overflow when the directory name is added, aka the "SSI privilege elevation" vulnerability. A buffer overflow in the code that processes server-side include files on IIS 4.0 and IIS 5.0 could allow an intruder to execute code with the privileges of the web server. The DLL that implements SSI in Microsoft IIS contains a buffer overflow in its handling of the file names, including path names, of files to be included. A local attacker may execute arbitrary code with Local System privileges
VAR-200109-0118 CVE-2001-0507 Microsoft IIS Elevation of Privilege Vulnerability in In-Process Table CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability. Microsoft IIS contains a vulnerability that allows arbitrary code placed in a publicly writable web directory to be loaded and executed in-process, elevating from Guest account privileges to System. Arbitrary code may be executed with System privileges
VAR-200108-0183 CVE-2001-0519 Aladdin eSafe Gateway Filter bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Aladdin eSafe Gateway versions 2.x allows a remote attacker to circumvent HTML SCRIPT filtering via a special arrangement of HTML tags which includes SCRIPT tags embedded within other SCRIPT tags. eSafe Gateway is prone to a remote security vulnerability. Vulnerabilities exist in Aladdin eSafe Gateway 2.x
VAR-200108-0184 CVE-2001-0520 Aladdin eSafe Gateway Filter bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Aladdin eSafe Gateway versions 3.0 and earlier allows a remote attacker to circumvent filtering of SCRIPT tags by embedding the scripts within certain HTML tags including (1) onload in the BODY tag, (2) href in the A tag, (3) the BUTTON tag, (4) the INPUT tag, or (5) any other tag in which scripts can be defined. eSafe Gateway is prone to a remote security vulnerability. Vulnerabilities exist in Aladdin eSafe Gateway 3.0 and earlier versions
VAR-200108-0185 CVE-2001-0521 Aladdin eSafe Gateway Filter bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Aladdin eSafe Gateway versions 3.0 and earlier allows a remote attacker to circumvent HTML SCRIPT filtering via the UNICODE encoding of SCRIPT tags within the HTML document. eSafe Gateway is prone to a remote security vulnerability. Vulnerabilities exist in Aladdin eSafe Gateway 3.0 and earlier versions
VAR-200108-0076 CVE-2001-0566 Cisco Catalyst 2900XL Switch Denial of Service Vulnerability

Related entries in the VARIoT exploits database: VAR-E-200105-0108
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Catalyst 2900XL switch allows a remote attacker to create a denial of service via an empty UDP packet sent to port 161 (SNMP) when SNMP is disabled. Catalyst 2900XL is prone to a denial-of-service vulnerability. Vulnerabilities exist in Cisco Catalyst 2900XL switches
VAR-200108-0041 CVE-2001-1025 PHP-Nuke Remotely SQL Query tampering Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
PHP-Nuke 5.x allows remote attackers to perform arbitrary SQL operations by modifying the "prefix" variable when calling any scripts that do not already define the prefix variable (e.g., by including mainfile.php), such as article.php. PHP-Nuke reportedly contains a vulnerability introduced in a new feature which may permit remote attackers to execute almost arbitrary SQL queries. In version 5.x of PHP-Nuke, the administrator can set an arbitrary prefix for the database table names. Because it is a prefix for PHP-Nuke tables, this variable is included in many SQL queries used by PHP-Nuke. Vulnerabilities exist in PHP-Nuke 5.x versions
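The mechanism in the entry above, as an added example that is not PHP-Nuke's own code: a query builder that, like a script which never assigns $prefix itself under register_globals, takes the table prefix from the request, beside one that takes it only from configuration and checks it against an allowlist. The column and table names, the config value "nuke", the allowlist pattern and the hostile request are constructed for the demonstration.

```python
import re

# Assumed config value: the table prefix an administrator sets in config.php.
CONFIG_PREFIX = "nuke"

# Hypothetical allowlist for a table-name prefix: letters, digits, underscore.
_SAFE_PREFIX = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def build_query_vulnerable(request, sid):
    """Models a script that never assigns $prefix itself: with register_globals
    on, the value arrives from the query string (?prefix=...) and is pasted into
    the table name. The row id is cast to int, yet the statement is still
    attacker controlled because the prefix is not."""
    prefix = request.get("prefix", CONFIG_PREFIX)
    return f"SELECT title, hometext FROM {prefix}_stories WHERE sid={int(sid)}"


def build_query_fixed(request, sid):
    """Hardened version: the prefix always comes from configuration, never from
    the request, and is checked against the allowlist before use."""
    prefix = CONFIG_PREFIX
    if not _SAFE_PREFIX.match(prefix):
        raise ValueError("unsafe table prefix in configuration")
    return f"SELECT title, hometext FROM {prefix}_stories WHERE sid={int(sid)}"


# Constructed request: the attacker replaces the prefix with a fragment that
# completes the FROM clause itself and comments out the original WHERE.
HOSTILE_REQUEST = {"prefix": "nuke_stories WHERE 1=1 -- ", "sid": "7"}
NORMAL_REQUEST = {"sid": "7"}


if __name__ == "__main__":
    print(build_query_vulnerable(NORMAL_REQUEST, NORMAL_REQUEST["sid"]))
    print(build_query_vulnerable(HOSTILE_REQUEST, HOSTILE_REQUEST["sid"]))
    print(build_query_fixed(HOSTILE_REQUEST, HOSTILE_REQUEST["sid"]))
```

The vulnerable builder turns the hostile request into a statement whose WHERE clause is the attacker's, with the script's own condition left behind a comment; the fixed builder produces the same statement for either request. The check that matters in the original code base is the first one: whether every script that includes mainfile.php also initialises the prefix before any query uses it.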
VAR-200108-0036 CVE-2001-1117 LinkSys EtherFast BEFSR41 Cable/DSL Router View Management and User Password Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
LinkSys EtherFast BEFSR41 Cable/DSL routers running firmware before 1.39.3 Beta allows a remote attacker to view administration and user passwords by connecting to the router and viewing the HTML source for (1) index.htm and (2) Password.htm. Linksys EtherFast routers are small four-port routers designed to share a DSL or cable connection. EtherFast routers provide features such as Network Address Translation and DHCP serving. EtherFast routers embed the ISP and router login passwords in the HTML of their configuration pages, so anyone who can fetch those pages can read the passwords from the source. Additionally, when the pages are accessed by the administrator, the passwords are sent over the network in plain text, which makes it possible to sniff them in transit. A vulnerability exists in the LinkSys EtherFast BEFSR41 Cable/DSL router running firmware prior to 1.39.3 Beta