VARIoT IoT vulnerabilities database
VAR-200502-0032 | CVE-2005-0600 | Cisco ACNS RealServer RealSubscriber vulnerable to DoS via malformed IP packets |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco devices running Application and Content Networking System (ACNS) 5.0, 5.1 before 5.1.13.7, or 5.2 before 5.2.3.9 allow remote attackers to cause a denial of service (bandwidth consumption) via "crafted IP packets" that are continuously forwarded. This issue is due to a failure of the affected software to properly handle malformed network data.
Specifically, multiple denial-of-service vulnerabilities and a single default administrator password issue were reported. The default password issue may allow an unauthorized user to gain administrator access to an affected device. ACNS is a Cisco digital media delivery solution that optimizes the delivery quality of video traffic from the data center to branch offices over the WAN.
VAR-200502-0046 | CVE-2005-0521 | SendLink data.eat File sensitive information disclosure vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
SendLink 1.5 stores sensitive information, possibly including passwords, in plaintext in the data.eat file, which allows local users to gain privileges. SendLink is a small and convenient network sharing application.
VAR-200505-0198 | CVE-2005-0490 |
cURL/libcURL buffer overflow vulnerability in Kerberos and NTLM authentication
Related entries in the VARIoT exploits database: VAR-E-200502-0248 |
CVSS V2: 5.1 CVSS V3: 8.8 Severity: HIGH |
Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication. In cURL/libcURL 7.13.0 and earlier, a buffer overflow exists in the Kerberos and NTLM authentication code when handling the reply from the site performing the authentication. It has been reported that cURL and libcURL are vulnerable to a remotely exploitable stack-based buffer overflow vulnerability. The cURL and libcURL NTLM response processing code fails to ensure that a buffer overflow cannot occur when response data is decoded.
The overflow occurs in the stack region, and remote code execution is possible if the saved instruction pointer is overwritten with a pointer to embedded instructions.
Background
==========
curl is a command line tool for transferring files via many different
protocols.
Affected packages
=================
-------------------------------------------------------------------
     Package                 /  Vulnerable  /            Unaffected
-------------------------------------------------------------------
  1  net-misc/curl               < 7.13.1                 >= 7.13.1
Description
===========
curl fails to properly check boundaries when handling NTLM
authentication.
Impact
======
With a malicious server an attacker could send a carefully crafted NTLM
response to a connecting client leading to the execution of arbitrary
code with the permissions of the user running curl.
Workaround
==========
Disable NTLM authentication by not using the --anyauth or --ntlm
options.
Resolution
==========
All curl users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/curl-7.13.1"
References
==========
[ 1 ] CAN-2005-0490
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0490
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200503-20.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
VAR-200502-0054 | CVE-2005-0494 | Thomson cable modem RgSecurity form verification remote attack vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The RgSecurity form in the HTTP server for the Thomson TCW690 cable modem running firmware 2.1 and software ST42.03.0a does not properly validate the password before performing changes, which allows remote attackers on the LAN to gain access via a direct POST request. Thomson Cable Modem is prone to a denial-of-service vulnerability.
VAR-200502-0057 | CVE-2005-0499 | Gigafast router malformed DNS query denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Gigafast router (aka CompUSA router) with the DNS proxy option enabled allows remote attackers to cause a denial of service via malformed DNS queries. Gigafast Router is prone to a denial-of-service vulnerability. Gigafast is a router produced by the GigaFast E company.
VAR-200502-0081 | CVE-2005-0434 | PHP-Nuke Multi-file parameter cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Php-Nuke 7.5 allow remote attackers to inject arbitrary HTML or web script via (1) the newdownloadshowdays parameter in a NewDownloads operation or (2) the newlinkshowdays parameter in a NewLinks operation. It is reported that PHP-Nuke is affected by various cross-site scripting vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied URI input.
These issues could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials. PHP-Nuke is a widely popular website creation and management tool.
VAR-200502-0080 | CVE-2005-0433 | PHP-Nuke Multiple file parameters Path information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Php-Nuke 7.5 allows remote attackers to determine the full path of the web server via invalid or missing arguments to (1) db.php, (2) mainfile.php, (3) Downloads/index.php, or (4) Web_Links/index.php, which lists the path in a PHP error message. It is reported that PHP-Nuke is affected by various cross-site scripting vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied URI input.
These issues could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials. PHP-Nuke is a widely popular website creation and management tool.
VAR-200502-0086 | CVE-2005-0114 | ZoneAlarm 5.1 invalid pointer dereference local denial of service vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
vsdatant.sys in Zone Lab ZoneAlarm before 5.5.062.011, ZoneAlarm Wireless before 5.5.080.000, Check Point Integrity Client 4.x before 4.5.122.000 and 5.x before 5.1.556.166 do not properly verify that the ServerPortName argument to the NtConnectPort function is a valid memory address, which allows local users to cause a denial of service (system crash) when ZoneAlarm attempts to dereference an invalid pointer. Multiple ZoneAlarm products and Check Point Integrity Client are reported prone to a local denial of service vulnerability. This issue exists due to an invalid pointer dereference.
A successful attack can result in a denial of service condition in the kernel.
ZoneAlarm Security Suite, ZoneAlarm Pro, and ZoneAlarm versions prior to 5.5.062.011 and Check Point Integrity Client versions prior to 4.5.122.000 and 5.1.556.166 are considered vulnerable to this issue. ZoneAlarm is a popular desktop firewall system.
I. BACKGROUND
Zone Labs ZoneAlarm provides personal firewall protection. More
information is available from:
http://www.zonelabs.com/
II. DESCRIPTION
ZoneAlarm offers process specific protection by hooking the kernel API
routine NtConnectPort(). NtConnectPort() is used by programs to
implement advanced inter-process communication (IPC). The
NtConnectPort() function is declared as follows:
    /* Native API prototype; the return type (NTSTATUS) is added here,
       the advisory listed only the parameters. */
    NTSTATUS
    NtConnectPort(
        OUT PHANDLE ClientPortHandle,
        IN PUNICODE_STRING ServerPortName,
        IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
        IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory OPTIONAL,
        OUT PLPC_SECTION_MEMORY ServerSharedMemory OPTIONAL,
        OUT PULONG MaximumMessageLength OPTIONAL,
        IN OUT PVOID ConnectionInfo OPTIONAL,
        IN OUT PULONG ConnectionInfoLength OPTIONAL);
The problem specifically exists within vsdatant.sys, as ZoneAlarm fails
to verify that the second argument, 'ServerPortName', is a valid address
prior to dereferencing it as a pointer. The vulnerable section of code is
displayed here:
    0001EE93 mov esi, [esp+108h+ServerPortName]
    0001EE9A mov edi, eax
    0001EE9C test esi, esi
    0001EE9E jz short loc_1EEB6
    0001EEA0 mov edx, [esi+4]
The argument 'ServerPortName' is stored in the register ESI. The only check
made is that the value is not NULL; no check is made that it is a valid
address. Any non-zero invalid memory address can therefore be passed as the
second argument to NtConnectPort(), resulting in a system crash.
III. ANALYSIS
Exploitation allows local and remote attackers who have exploited
another vulnerability to trigger a DoS in kernel space, resulting in a
"blue screen of death."
IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability in ZoneAlarm
version 5.1. It is suspected that previous versions of ZoneAlarm are
vulnerable as well.
V. WORKAROUND
iDEFENSE is currently unaware of any workarounds for this issue.
VI. VENDOR RESPONSE
A vendor advisory for this issue is available at:
http://download.zonelabs.com/bin/free/securityAlert/19.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0114 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
01/06/2005 Initial vendor notification
01/07/2005 Initial vendor response
02/11/2005 Coordinated public disclosure
IX. CREDIT
iDEFENSE Labs is credited with this discovery.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
X. LEGAL NOTICES
Copyright (c) 2005 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
VAR-200502-0085 | CVE-2005-0249 | Symantec products vulnerable to buffer overflow via a specially crafted UPX file |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in the DEC2EXE module for Symantec AntiVirus Library allows remote attackers to execute arbitrary code via a UPX compressed file containing a negative virtual offset to a crafted PE header. The Symantec AntiVirus Library DEC2EXE component is vulnerable to remote arbitrary code execution. Various Symantec products are reported prone to a remote heap overflow vulnerability. This issue affects the UPX Parsing Engine shipped with the products. The Symantec Antivirus library is used to parse different file formats to detect malicious programs, and one of the modules, DEC2EXE, is used to detect UPX file formats. The module of the Symantec Antivirus library used to detect UPX files lacks correct handling of virtual file offsets. Remote attackers can exploit this vulnerability to construct malicious UPX files, trick users into processing them, and possibly execute arbitrary commands on the system with user process privileges.
TITLE:
Symantec Multiple Products UPX Parsing Engine Buffer Overflow
SECUNIA ADVISORY ID:
SA14179
VERIFY ADVISORY:
http://secunia.com/advisories/14179/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
OPERATING SYSTEM:
Symantec Gateway Security 1.x
http://secunia.com/product/876/
Symantec Gateway Security 2.x
http://secunia.com/product/3104/
SOFTWARE:
Norton Internet Security 2004
http://secunia.com/product/2441/
Norton Internet Security 2004 Professional
http://secunia.com/product/2442/
Norton SystemWorks 2004
http://secunia.com/product/2796/
Symantec AntiVirus Corporate Edition 8.x
http://secunia.com/product/659/
Symantec AntiVirus Corporate Edition 9.x
http://secunia.com/product/3549/
Symantec AntiVirus for Caching 4.x
http://secunia.com/product/4626/
Symantec AntiVirus for Network Attached Storage 4.x
http://secunia.com/product/4625/
Symantec AntiVirus for SMTP Gateways 3.x
http://secunia.com/product/2231/
Symantec AntiVirus Scan Engine 4.x
http://secunia.com/product/3040/
Symantec AntiVirus/Filtering for Domino
http://secunia.com/product/2029/
Symantec Brightmail AntiSpam 4.x
http://secunia.com/product/4627/
Symantec Brightmail AntiSpam 5.x
http://secunia.com/product/4628/
Symantec Client Security 1.x
http://secunia.com/product/2344/
Symantec Client Security 2.x
http://secunia.com/product/3478/
Symantec Mail Security for Exchange 4.x
http://secunia.com/product/2820/
Symantec Mail Security for SMTP 4.x
http://secunia.com/product/3558/
Symantec Norton AntiVirus 2004
http://secunia.com/product/2800/
Symantec Norton AntiVirus for Microsoft Exchange 2.x
http://secunia.com/product/1017/
Symantec Web Security 3.x
http://secunia.com/product/2813/
DESCRIPTION:
ISS X-Force has reported a vulnerability in multiple Symantec
products, which can be exploited by malicious people to compromise a
vulnerable system.
The vulnerability is caused due to a boundary error in the DEC2EXE
parsing engine used by the antivirus scanning functionality when
processing UPX compressed files. This can be exploited to cause a
heap-based buffer overflow via a specially crafted UPX file.
The vulnerability affects the following products:
* Norton AntiVirus for Microsoft Exchange 2.1 (prior to build
2.18.85)
* Symantec Mail Security for Microsoft Exchange 4.0 (prior to build
4.0.10.465)
* Symantec Mail Security for Microsoft Exchange 4.5 (prior to build
4.5.3)
* Symantec AntiVirus/Filtering for Domino NT 3.1 (prior to build
3.1.1)
* Symantec Mail Security for Domino 4.0 (prior to build 4.0.1)
* Symantec AntiVirus/Filtering for Domino Ports 3.0 for AIX (prior to
build 3.0.6)
* Symantec AntiVirus/Filtering for Domino Ports 3.0 for OS400, Linux,
Solaris (prior to build 3.0.7)
* Symantec AntiVirus Scan Engine 4.3 (prior to build 4.3.3)
* Symantec AntiVirus for Network Attached Storage (prior to build
4.3.3)
* Symantec AntiVirus for Caching (prior to build 4.3.3)
* Symantec AntiVirus for SMTP 3.1 (prior to build 3.1.7)
* Symantec Mail Security for SMTP 4.0 (prior to build 4.0.2)
* Symantec Web Security 3.0 (prior to build 3.0.1.70)
* Symantec BrightMail AntiSpam 4.0
* Symantec BrightMail AntiSpam 5.5
* Symantec AntiVirus Corporate Edition 9.0 (prior to build
9.01.1000)
* Symantec AntiVirus Corporate Edition 8.01, 8.1.1
* Symantec Client Security 2.0 (prior to build 9.01.1000)
* Symantec Client Security 1.0
* Symantec Gateway Security 2.0, 2.0.1 - 5400 Series
* Symantec Gateway Security 1.0 - 5300 Series
* Symantec Norton Antivirus 2004 for Windows
* Symantec Norton Internet Security 2004 (pro) for Windows
* Symantec Norton System Works 2004 for Windows
* Symantec Norton Antivirus 2004 for Macintosh
* Symantec Norton Internet Security 2004 for Macintosh
* Symantec Norton System Works 2004 for Macintosh
* Symantec Norton Antivirus 9.0 for Macintosh
* Symantec Norton Internet Security for Macintosh 3.0
* Symantec Norton System Works for Macintosh 3.0
SOLUTION:
Updates are available (see the vendor advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Alex Wheeler, ISS X-Force.
ORIGINAL ADVISORY:
Symantec:
http://www.sarc.com/avcenter/security/Content/2005.02.08.html
ISS X-Force:
http://xforce.iss.net/xforce/alerts/id/187
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200505-0615 | CVE-2005-0340 | Apple Mac OS X AppleFileServer Remote Integer Overflow Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Integer signedness error in Apple File Service (AFP Server) allows remote attackers to cause a denial of service (application crash) via a negative UAM string length in a FPLoginExt packet. A remote integer overflow vulnerability reportedly affects Apple Mac OS X AppleFileServer. This issue is due to a failure of the application to properly handle integer signedness while copying data into finite process buffers.
An attacker may leverage this issue to cause the affected server process to consume memory resources until triggering an EXC_BAD_ACCESS signal, ultimately causing a denial of service condition.
VAR-200502-0160 | No CVE | F5 BIG-IP HTTP Pipelining OneConnect Information Leakage Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The F5 BIG-IP appliance is reported prone to an information leakage vulnerability. It is reported that the vulnerability is triggered when a browser that is using HTTP pipelining is employed to request a web page from a web server that is being load-balanced by a BIG-IP appliance.
It is not believed that a remote attacker will be able to control the behavior of the affected appliance during a pipelined request; as a result, it is conjectured that this vulnerability may be exploited to trigger a partial denial of service. Additionally, a successful attack may result in a disclosure of potentially sensitive information to unauthorized users.
This vulnerability is reported to affect BIG-IP versions 4.0 through 4.6.2 and BIG-IP Blade Controller versions 4.2.1 through 4.6.2, that have 'OneConnect/Web Aggregation' functionality enabled.
VAR-200505-1101 | CVE-2005-0234 | Konqueror international domain name spoofing vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The International Domain Name (IDN) support in Safari 1.2.5 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. Multiple browsers are reported prone to vulnerabilities that surround the handling of International Domain Names.
The vulnerabilities are caused by inconsistencies in how International Domain Names are processed. Reports indicate that attackers can leverage this to spoof address bars, status bars, and SSL certificate values.
Remote attackers may exploit these vulnerabilities in phishing-style attacks. Through a false sense of trust, users may voluntarily disclose sensitive information to a malicious website.
Although these vulnerabilities are reported to affect browsers, mail clients that depend on the browser to generate HTML code may also be affected. KDE is a free and open source X desktop management program for Linux and Unix workstations. Since version 3.2, KDE and its web browser Konqueror have supported International Domain Names (IDNs), which makes KDE vulnerable to a phishing technique called the homograph attack.
VAR-200505-0617 | CVE-2005-0342 | Apple Mac OS X Finder DS_Store Unsafe file creation vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file. An insecure file creation vulnerability affects Apple Mac OS X Finder. This issue is due to a failure of the application to validate the existence of files prior to creating or writing to them.
An attacker may leverage this issue to cause a system-wide denial of service or to gain escalated privileges on an affected computer, potentially leading to unauthorized superuser access.
TITLE:
SunShop Shopping Cart "search" Cross-Site Scripting
SECUNIA ADVISORY ID:
SA14118
VERIFY ADVISORY:
http://secunia.com/advisories/14118/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
SunShop Shopping Cart 3.x
http://secunia.com/product/4602/
DESCRIPTION:
SmOk3 has reported a vulnerability in SunShop Shopping Cart, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Input passed to the "search" parameter in "index.php" isn't properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of a vulnerable site.
The vulnerability has been reported in version 3.4 RC 4. Other
versions may also be affected.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
SmOk3
ORIGINAL ADVISORY:
http://www.systemsecure.org/wwwboard/messages/227.html
VAR-200505-0609 | CVE-2005-0334 | Unspecified vulnerability in Cisco Systems (Linksys) PSUS4 print server |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Linksys PSUS4 running firmware 6032 allows remote attackers to cause a denial of service (device crash) via an HTTP POST request containing an unknown parameter without a value. An unspecified vulnerability exists in the Cisco Systems (Linksys) PSUS4 print server. The Linksys PSUS4 is an embedded Linksys wireless print server.
Linksys PSUS4 has problems processing wireless HTTP requests. Remote attackers can use this vulnerability to conduct denial-of-service attacks.
An attacker may exploit this condition to deny service to the affected PrintServer.
VAR-200505-0026 | CVE-2005-0612 | Cisco IP/VC Default SNMP Public string vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco IP/VC Videoconferencing System 3510, 3520, 3525 and 3530 contain hard-coded default SNMP community strings, which allows remote attackers to gain access, cause a denial of service, and modify configuration. A default community string vulnerability affects Cisco IP/VC Videoconferencing System devices. This issue is due to a design flaw where hard-coded community strings are stored on the device.
This issue may be leveraged to gain unauthorized administrator access to affected devices. This would allow an attacker to create new services, terminate or affect existing sessions, and redirect traffic to a different destination, among other attacks.
VAR-200505-0595 | CVE-2005-0311 | Ingate Firewall Persistent PPTP Tunnel Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Ingate Firewall 4.1.3 and earlier does not terminate the PPTP session for an active user when the administrator disables that user from a resource, which could allow remote authenticated users to retain unauthorized access to resources. Ingate Firewall does not remove PPTP tunnels created by a user that has been disabled by the firewall administrator. Even if the user has been disabled, any PPTP tunnels they have created will persist.
VAR-200505-1154 | CVE-2005-0195 |
Cisco IOS vulnerable to DoS via malformed BGP packet
Related entries in the VARIoT exploits database: VAR-E-200501-0112 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS 12.0S through 12.3YH allows remote attackers to cause a denial of service (device restart) via a crafted IPv6 packet. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow attackers to conduct denial-of-service attacks on an affected device. Because Cisco IOS improperly handles IPv6 packets on physical and logical interfaces (such as 6to4 tunnels) that have IPv6 enabled, processing multiple invalid IPv6 packets can cause the device to restart, leaving the system in a denial-of-service (DoS) state. This issue is due to a failure of the affected operating system to properly handle specially crafted network data.
It is possible for an attacker to produce a sustained denial of service condition against an affected device by continually sending the malicious network data.
An attacker may leverage this issue to cause an affected device to reload, denying service to legitimate users. Cisco IOS is the operating system that runs on many Cisco devices.
Technical Cyber Security Alert TA05-026A
Multiple Denial-of-Service Vulnerabilities in Cisco IOS
Original release date: January 26, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Cisco routers and switches running IOS in various configurations
Overview
Several denial-of-service vulnerabilities have been discovered in
Cisco's Internet Operating System (IOS).
I. Description
Further details are available in the following vulnerability notes:
VU#583638 - Cisco IOS contains DoS vulnerability in MPLS packet
processing
The IOS implementation of Multi Protocol Label Switching (MPLS)
contains a vulnerability that allows malformed MPLS packets to cause
an affected device to reload. An unauthenticated attacker can send
these malformed packets on a local network segment that is connected
to a vulnerable device interface. The vulnerability is exposed on both
physical interfaces (i.e., hardware interfaces), and logical
interfaces (i.e., software defined interfaces such as tunnels) that
are configured for IPv6.
VU#689326 - Cisco IOS vulnerable to DoS via malformed BGP packet
An IOS device that is enabled for Border Gateway Protocol (BGP) and
set up with the bgp log-neighbor-changes option is vulnerable to a
denial-of-service attack via a malformed BGP packet.
II. Impact
Although the underlying causes of these three vulnerabilities are
different, in each case a remote attacker could cause an affected
device to reload the operating system. Repeated exploitation of
these vulnerabilities would result in a sustained denial-of-service
condition.
Since devices running IOS may transit traffic for a number of other
networks, the secondary impacts of a denial of service may be severe.
III. Solution
Upgrade to a fixed version of IOS
Cisco has updated versions of its IOS software to address these
vulnerabilities. Please refer to the "Software Versions and Fixes"
sections of the Cisco Security Advisories listed in Appendix A for
more information on upgrading.
Workaround
Cisco has also published practical workarounds for VU#689326 and
VU#583638. Please refer to the "Workarounds" section of each Cisco
Security Advisory listed in Appendix A for more information.
Sites that are unable to install an upgraded version of IOS are
encouraged to implement these workarounds.
Appendix A. References
* Cisco Security Advisory: Crafted Packet Causes Reload on Cisco
Routers -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml>
* Cisco Security Advisory: Multiple Crafted IPv6 Packets Cause
Reload -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml>
* Cisco Security Advisory: Cisco IOS Malformed BGP Packet Causes
Reload -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml>
* US-CERT Vulnerability Note VU#583638 -
<http://www.kb.cert.org/vuls/id/583638>
* US-CERT Vulnerability Note VU#472582 -
<http://www.kb.cert.org/vuls/id/472582>
* US-CERT Vulnerability Note VU#689326 -
<http://www.kb.cert.org/vuls/id/689326>
_________________________________________________________________
Feedback can be directed to the authors: Will Dormann, Chad Dougherty,
and Damon Morda
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA05-026A.html>
_________________________________________________________________
Copyright 2005 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
January 26, 2005: Initial release
Last updated January 26, 2005
VAR-200505-1148 | CVE-2005-0196 |
Cisco IOS vulnerable to DoS via malformed BGP packet
Related entries in the VARIoT exploits database: VAR-E-200501-0306 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS 12.0 through 12.3YL, with BGP enabled and running the bgp log-neighbor-changes command, allows remote attackers to cause a denial of service (device reload) via a malformed BGP packet. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow attackers to conduct denial-of-service attacks on an affected device. A vulnerability in the way Cisco IOS handles IPv6 packets could result in a remotely exploitable denial of service. This issue is due to a failure of the application to handle malformed network data. A persistent denial of service attack can be triggered as well. Cisco IOS is the operating system that runs on many Cisco devices.
Technical Cyber Security Alert TA05-026A
Multiple Denial-of-Service Vulnerabilities in Cisco IOS
Original release date: January 26, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Cisco routers and switches running IOS in various configurations
Overview
Several denial-of-service vulnerabilities have been discovered in
Cisco's Internet Operating System (IOS).
I. Description
The IOS implementation of Multi Protocol Label Switching (MPLS)
contains a vulnerability that allows malformed MPLS packets to cause
an affected device to reload. An unauthenticated attacker can send
these malformed packets on a local network segment that is connected
to a vulnerable device interface. The vulnerability is exposed on both
physical interfaces (i.e., hardware interfaces), and logical
interfaces (i.e., software defined interfaces such as tunnels) that
are configured for IPv6.
II. Impact
Although the underlying causes of these three vulnerabilities is
different, in each case a remote attacker could cause an affected
device to reload the operating system. Repeated exploitation of
these vulnerabilites would result in a sustained denial-of-service
condition.
Since devices running IOS may transit traffic for a number of other
networks, the secondary impacts of a denial of service may be severe.
III. Solution
Upgrade to a fixed version of IOS
Cisco has updated versions of its IOS software to address these
vulnerabilities. Please refer to the "Software Versions and Fixes"
sections of the Cisco Security Advisories listed in Appendix A for
more information on upgrading.
Workaround
Cisco has also published practical workarounds for VU#689326 and
VU#583638. Please refer to the "Workarounds" section of each Cisco
Security Advisory listed in Appendix A for more information.
Sites that are unable to install an upgraded version of IOS are
encouraged to implement these workarounds.
Appendix A. References
* Cisco Security Advisory: Crafted Packet Causes Reload on Cisco
Routers -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml>
* Cisco Security Advisory: Multiple Crafted IPv6 Packets Cause
Reload -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml>
* Cisco Security Advisory: Cisco IOS Malformed BGP Packet Causes
Reload -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml>
* US-CERT Vulnerability Note VU#583638 -
<http://www.kb.cert.org/vuls/id/583638>
* US-CERT Vulnerability Note VU#472582 -
<http://www.kb.cert.org/vuls/id/472582>
* US-CERT Vulnerability Note VU#689326 -
<http://www.kb.cert.org/vuls/id/689326>
_________________________________________________________________
Feedback can be directed to the authors: Will Dormann, Chad Dougherty,
and Damon Morda
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA05-026A.html>
_________________________________________________________________
Copyright 2005 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
January 26, 2005: Initial release
Last updated January 26, 2005
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQfgfthhoSezw4YfQAQJQKAf8DxKPd+9aXGsomYzRhFPyCcnjEfy6dv/N
3GcqV8GR5WyshB207vhvw1PDfZdQVFIXiNr/xE9dmBKEhm38En3a70DnVe2UCmXO
UobYXGk9tSW+pnR7Cdd3hc8yeZq0ys+LFKF/sztgpPJji/zFWojPnuS1wCcYggA1
kuGCQ9VD6My64Hlh/PStCYqx5C9azgGHNv086W6fQyCssgjwBz51YxdV9gZ9wJUt
I8LGjq6T0Fp+5kEEd9SPoUjA+r7bNft3xUPAabb+N4dt8sZUYqzXDP71lYYXgZay
z2FE7jkbtX/LYVQCiA4LfgGCbw1sI6p+UQABtj74CPte2CyJZO5hJw==
=aHIO
-----END PGP SIGNATURE-----
VAR-200505-1149 | CVE-2005-0197 |
Cisco IOS vulnerable to DoS via crafted packet on MPLS-disabled interface
Related entries in the VARIoT exploits database: VAR-E-200501-0178 |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Cisco IOS 12.1T, 12.2, 12.2T, 12.3 and 12.3T, with Multiprotocol Label Switching (MPLS) installed but disabled, allows remote attackers to cause a denial of service (device reload) via a crafted packet sent to the disabled interface. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow attackers to conduct denial-of-service attacks on an affected device.
It is reported that the vulnerability presents itself when an affected router handles an unspecified malicious packet on an interface on which MPLS is disabled; the vulnerable condition is therefore the ordinary state of an interface on a device whose IOS image includes MPLS, and disabling MPLS on the interface is not a mitigation.
A remote attacker that resides on the same network segment as the vulnerable router may exploit this vulnerability continuously to effectively deny network-based services to legitimate users. Cisco IOS is the operating system that runs on many Cisco devices. The underlying problem is in the processing of special MPLS packets by Cisco IOS devices.
VAR-200505-0907 | CVE-2005-0127 | Apple Mac OS X vulnerable to information disclosure in "Message-ID" header |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Mail in Mac OS X 10.3.7, when generating a Message-ID header, generates a GUID that includes information that identifies the Ethernet hardware being used, which allows remote attackers to link mail messages to a particular machine. The Mail application supplied with Apple's Mac OS X operating system thereby identifies the system from which any electronic mail is sent. An information disclosure vulnerability affects the email message ID generation of Apple Mail. This issue is due to a design error: the identifier embedded in the Message-ID is derived from the machine's Ethernet hardware address rather than being randomly generated, and because the header travels with the message it is preserved in every recipient's mailbox and in any mailing-list archive.
An attacker may leverage this issue to identify the specific computer that an email has been sent from and to correlate messages sent from the same machine under different accounts; other attacks may also be possible
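The following is an added example, not Apple's code and not derived from the advisory, showing how a mail administrator or forensic analyst could check Message-ID headers for this class of leak. It assumes (the advisory does not say so) that the identifier embedded in the Message-ID is an RFC 4122 UUID, in which case a version 1 UUID carries the host's 48-bit Ethernet address and a 100 ns-resolution timestamp; the "leaky" generator below mimics that scheme only to produce a constructed sample, and the "safe" generator shows the random (version 4) alternative. The domain mail.example and the hardware address 00:11:22:33:44:55 are made up.

```python
import re
import uuid
from datetime import datetime, timedelta

# Assumption, not stated by the advisory: the identifier embedded in the
# Message-ID is an RFC 4122 UUID. Version 1 UUIDs carry a 60-bit timestamp
# and a 48-bit node field that is the host's IEEE 802 (Ethernet) address.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE)
UUID_EPOCH = datetime(1582, 10, 15)  # version 1 timestamps count 100 ns ticks from here
MULTICAST_BIT = 1 << 40              # bit 0 of the first node octet (RFC 4122 section 4.5)


def extract_leak(message_id: str):
    """Return {'mac': ..., 'time': ...} if the Message-ID exposes a hardware
    address and send time, otherwise None."""
    m = UUID_RE.search(message_id)
    if m is None:
        return None
    u = uuid.UUID(m.group(0))
    if u.version != 1:
        return None          # versions 3, 4 and 5 carry no node or timestamp
    if u.node & MULTICAST_BIT:
        return None          # RFC 4122 marks a randomly chosen stand-in node this way
    mac = ":".join(f"{(u.node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    return {"mac": mac, "time": UUID_EPOCH + timedelta(microseconds=u.time // 10)}


def safe_message_id(domain: str) -> str:
    """Message-ID built from a random (version 4) UUID: still unique, but not
    linkable to the sending machine."""
    return f"<{uuid.uuid4()}@{domain}>"


def leaky_message_id(domain: str, node: int) -> str:
    """Mimic of the flawed scheme: a version 1 UUID carrying the given
    hardware address. Used only to build the constructed sample below."""
    return f"<{uuid.uuid1(node=node, clock_seq=0x1234)}@{domain}>"


# Constructed samples; 00:11:22:33:44:55 is a made-up hardware address.
SAMPLE_LEAKY = leaky_message_id("mail.example", 0x001122334455)
SAMPLE_SAFE = safe_message_id("mail.example")

if __name__ == "__main__":
    print(SAMPLE_LEAKY, "->", extract_leak(SAMPLE_LEAKY))
    print(SAMPLE_SAFE, "->", extract_leak(SAMPLE_SAFE))
```

The multicast-bit check matters in practice: RFC 4122 tells implementations without a hardware address to set that bit on a random node value, so a version 1 UUID is not automatically a hardware-address leak, and a checker that skips the test will raise false alarms on such hosts.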