VARIoT IoT vulnerabilities database

PeerSec MatrixSSL before 1.1 does not implement RSA blinding, which allows context-dependent attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal), a related issue to CVE-2003-0147. MatrixSSL is prone to a cross-site scripting vulnerability

The H.323 protocol agent in StoneSoft firewall engine 2.2.8 and earlier allows remote attackers to cause a denial of service (crash) via crafted H.323 packets. stonesoft of firewall engine Exists in unspecified vulnerabilities.None. There are vulnerabilities in the H.323 proxy protocol of StoneSoft Firewall Engine 2.2.8 and earlier versions

PeerSec MatrixSSL before 1.1 caches session keys for an indefinitely long time, which might make it easier for remote attackers to hijack a session. MatrixSSL is prone to a cross-site scripting vulnerability

The web management interface in Edimax AR-6004 ADSL Routers uses a default administrator name and password, which also appear as the default login text for the management interface, which allows remote attackers to gain access. Full Rate Adsl Router is prone to a remote security vulnerability. A remote attacker could exploit this vulnerability to gain access

F-Secure Anti-Virus 5.41 and 5.42 on Windows, Client Security 5.50 and 5.52, 4.60 for Samba Servers, and 4.52 and earlier for Linux does not properly detect certain viruses in a PKZip archive, which allows viruses such as Sober.D and Sober.G to bypass initial detection

SQL injection vulnerability in 4nGuestbook 0.92 for PHP-Nuke 6.5 through 6.9 allows remote attackers to modify SQL statements via the entry parameter to modules.php, which can also facilitate cross-site scripting (XSS) attacks when MySQL errors are triggered. 4Nguestbook is prone to a cross-site scripting vulnerability. A SQL injection vulnerability exists in 4nGuestbook 0.92 of PHP-Nuke 6.5 and 6.9 versions

Buffer overflow in multiple F-Secure Anti-Virus products, including F-Secure Anti-Virus 5.42 and earlier, allows remote attackers to bypass scanning or cause a denial of service (crash or module restart), depending on the product, via a malformed LHA archive. F-Secure Anti-Virus is prone to a denial-of-service vulnerability. Several F-Secure Anti-Virus products, including F-Secure Anti-Virus 5.42 and earlier versions, have buffer overflow vulnerabilities

Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to obtain sensitive information via direct requests to (1) admin/getparam.cgi, (2) admin/systemlog.cgi, (3) admin/serverreport.cgi, and (4) admin/paramlist.cgi, modify system information via (5) setparam.cgi and (6) factorydefault.cgi, or (7) cause a denial of service (reboot) via restart.cgi. 2420 Video Server is prone to a denial-of-service vulnerability

Unspecified vulnerability in 3Com SuperStack 3 4400 switches with firmware version before 3.31 allows remote attackers to cause a denial of service (device reset) via a crafted request to the web management interface. NOTE: the provenance of this information is unknown; details are obtained from third party reports. 3C17210-Us is prone to a denial-of-service vulnerability. 3Com SuperStack 3 4400 switches with firewall versions prior to 3.31 have an unspecified vulnerability

distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks. Xcode is prone to a remote security vulnerability

Juniper JUNOS 5.x through JUNOS 7.x allows remote attackers to cause a denial of service (routing disabled) via a large number of MPLS packets, which are not filtered or verified before being sent to the Routing Engine, which reduces the speed at which other packets are processed. Juniper routers will become severely disrupted when attacked with specially-crafted MPLS packets. Juniper Routers receive a spoofed packet to disrupt service operation (DoS) You can be attacked.Serious denial of service by remote third party (DoS) You can be attacked. The attack could result in a routing service outage on a router affected by this issue. It is reported that this vulnerability exists in all releases of Juniper JUNOS that were built prior to January 7th 2005. A remote attacker may exploit this vulnerability to effectively deny network-based services to legitimate users. This BID will be updated as soon as further information regarding this vulnerability is made public. Juniper Networks Routers is a router product developed by Juniper Networks in the United States. According to the description of Juniper Security Bulletin PSN-2005-01-010: This vulnerability can be triggered by a directly attached neighbor device or a remote attacker who can send some communication packets to the router. Routers running Junos software with this vulnerability exist. Vulnerability that prevents the use of firewall filtering to protect affected routers. TITLE: Juniper JUNOS Unspecified Packet Processing Denial of Service SECUNIA ADVISORY ID: SA14049 VERIFY ADVISORY: http://secunia.com/advisories/14049/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: JUNOS 6.x http://secunia.com/product/3418/ DESCRIPTION: A vulnerability has been reported in JUNOS, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error within the processing of certain network packets. This can be exploited to disrupt the operation of a vulnerable device via some specially crafted network packets. SOLUTION: See the vendor advisory for information about patches. PROVIDED AND/OR DISCOVERED BY: Qwest Communication Software Certification ORIGINAL ADVISORY: Juniper Networks: https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2005-01-009&actionBtn=Search OTHER REFERENCES: US-CERT VU#409555: http://www.kb.cert.org/vuls/id/409555 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Spooler in Apache Foundation James 2.2.0 allows local users to cause a denial of service (memory consumption) by triggering various error conditions in the retrieve function, which prevents a lock from being released and causes a memory leak. James is prone to a memory leak denial of service vulnerability. This issue occurs during an error condition in the spooler. An attacker can exploit this issue by creating multiple error conditions and eventually consume system resources. Successful exploitation will ultimately crash the application denying service to legitimate users

Kerio Winroute Firewall before 6.0.9, ServerFirewall before 1.0.1, and MailServer before 6.0.5, when installed on Windows based systems, do not modify the ACLs for critical files, which allows local users with Power Users privileges to modify programs, install malicious DLLs in the plug-ins folder, and modify XML files related to configuration. Kerio Mailserver is prone to a local security vulnerability. Kerio is a security software company that offers a variety of security software. ______________________________________________________________________ Secure Computer Group - University of A Coruna http://research.tic.udc.es/scg/ -- x -- dotpi.com Information Technologies Research Labs http://www.dotpi.com ______________________________________________________________________ ID: #20041214-2 Document title: Insecure default file system permissions on Microsoft versions of Kerio Software Document revision: 1.0 Coordinated release date: 2004/12/14 Vendor Acknowledge date: 2004/11/10 Reported date: 2004/11/08 CVE Name: CAN-2004-1023 Other references: N/A ______________________________________________________________________ Summary: Impact: Privilege escalation System sofware tampering Trojan injection Second-stage attack vector Alter configuration files Rating/Severity: Low Recommendation: Update to latest version Enforce file system ACLs Vendor: Kerio Technologies Inc. Affected software: Kerio WinRoute Firewall (all versions) Kerio ServerFirewall (all versions) Kerio MailServer (all windows versions) Updates/Patches: Yes (see below) ______________________________________________________________________ General Information: 1. Executive summary: ------------------ As a result of its collaboration relationship the Secure Computer Group (SCG) along with dotpi.com Research Labs have determined the following security issue on some Kerio Software. Kerio WinRoute Firewall, Kerio ServerFirewall and Kerio MailServer are installed by default under 'Program Files' system folder. No change is done to the ACLs after the installation process. System administrators should enforce ACL security settings in order solve this problem. It is also highly recommended to verify this settings as part of the planning, installation, hardening and auditing processes. New versions of the software solve this an other minor problems so it is upgrade its highly recommended. 2. Technical details: ------------------ Following the latest trends and approaches to responsible disclosure, SCG and dotpi.com are going to withhold details of this flaw for three months. Full details will be published on 2005/03/14. This three month window will allow system administrators the time needed to obtain the patch before the details are released to the general public. 3. Risk Assessment factors: ------------------------ The attacker would need local interactive access to the installation directory. Remote access is also possible but default system settings do not make this easy. The most risky scenarios are the ones in which the server machine is shared among two or more users or those situations where Kerio service management have been delegated to a third party any other than local or domain system administrator. Special care should be taken on such environments and every step of the project: design, planning, deployment and management should consider this security issues. Privilege escalation, system and software tampering and the ability to alter service configuration are all real issues and all of them can be used as a second stage attack vector. 4. Solutions and recommendations: ------------------------------ Enforce the file system ACLs and/or upgrade to the latest versions: o Kerio Winroute Firewall 6.0.9 o Kerio ServerFirewall 1.0.1 o Kerio MailServer 6.0.5 As in any other case, follow, as much as possible, the Industry 'Best Practices' on Planning, Deployment and Operation on this kind of services. 5. Common Vulnerabilities and Exposures (CVE) project: --------------------------------------------------- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-1023 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. ______________________________________________________________________ Acknowledgements: 1. Special thanks to Vladimir Toncar and Pavel Dobry and the whole Technical Team from Kerio Technologies (support at kerio.com) for their quick response and professional handling on this issue. 3. The whole Research Lab at dotpi.com and specially to Carlos Veira for his leadership and support. 3. Secure Computer Group at University of A Coruna (scg at udc.es), and specially to Antonino Santos del Riego powering new research paths at University of a Coruna. ______________________________________________________________________ Credits: Javier Munoz (Secure Computer Group) is credited with this discovery. ______________________________________________________________________ Related Links: [1] Kerio Technologies Inc. http://www.kerio.com/ [2] Kerio WinRoute Firewall Downloads & Updates http://www.kerio.com/kwf_download.html [3] Kerio ServerFirewall Downloads & Updates http://www.kerio.com/ksf_download.html [4] Kerio MailServer Downloads & Updates http://www.kerio.com/kms_download.html [5] Secure Computer Group. University of A Coruna http://research.tic.udc.es/scg/ [6] Secure Computer Group. Updated advisory http://research.tic.udc.es/scg/advisories/20041214-2.txt [7] dotpi.com Information Technologies S.L. http://www.dotpi.com/ [8] dotpi.com Research Labs http://www.dotpi.com/research/ ______________________________________________________________________ Legal notice: Copyright (c) 2002-2004 Secure Computer Group. University of A Coruna Copyright (c) 2004 dotpi.com Information Technologies S.L. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of the authors. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please contact the authors for explicit written permission at the following e-mail addresses: (scg at udc.es) and (info at dotpi.com). Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _____________________________________________________________________

Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow. Apple Mac OS X Directory Service utilities use external programs insecurely, potentially allowing an attacker to execute arbitrary code. LibTIFF Library TIFFFetchStripThing() Perform memory allocation in functions CheckMalloc() An integer overflow vulnerability exists due to a flaw in the validation of the value passed to the function.LibTIFF Arbitrary code may be executed with the execution authority of the application that uses the library

Asante FM2008 running firmware 1.06 is shipped with a default username and password, which could allow remote attackers to gain unauthorized access. Asante FM2008 managed Ethernet switches contain a default backdoor account vulnerability. Note that these credentials aren't usable in the web administration interface, but only in the telnet or serial interfaces. Asante FM2008 v01.06 switches are vulnerable; other devices may be vulnerable as well

The configuration backup in Asante FM2008 running firmware 1.06 stores the username and password in cleartext, which could allow remote attackers to gain unauthorized access. FM2008 Managed Ethernet Switch is prone to a remote security vulnerability

Cisco Unity 2.x, 3.x, and 4.x, when integrated with Microsoft Exchange, has several hard coded usernames and passwords, which allows remote attackers to gain unauthorized access and change configuration settings or read outgoing or incoming e-mail messages. It is reported that vulnerable Unity systems contain default user accounts and passwords that can be used by an attacker to gain unauthorized access. This issue only arises when Unity is integrated with Microsoft Exchange. Unauthorized attakers may use these accounts to gain administrative access to vulnerable systems. Some accounts can allow attackers to disclose messages going to and from external voicemail systems. When used in conjunction with Exchange, there are multiple default username/password combinations. These default accounts are: EAdmin<systemid> UNITY_<servername> UAMIS_<servername> UOMNI_<servername> UVPIM_<servername> ESubsubscriber Accessible management interface with EAdmin <systemid> for application control. Any incoming or outgoing messages can be read using UNITY_<servername>, UAMIS_<servername>, UOMNI_<servername> or UVPIM_<servername>

Kerio Winroute Firewall before 6.0.7, ServerFirewall before 1.0.1, and MailServer before 6.0.5 use symmetric encryption for user passwords, which allows attackers to decrypt the user database and obtain the passwords by extracting the secret key from within the software. Kerio WinRoute Firewall, Kerio ServerFirewall, and Kerio MailServer are all reported prone to a design flaw. It is reported that these products store credentials in a local database store, these credentials are obscured using an unspecified symmetric encryption algorithm. Reports indicate that a universal secret key is employed to extract plain text from the credential hashes; this presents a security risk because the universal secret key is stored in the WinRoute Firewall, Kerio ServerFirewall, and Kerio MailServer binaries. Kerio is an Internet security software company whose main products include firewall and mail system. ______________________________________________________________________ Secure Computer Group - University of A Coruna http://research.tic.udc.es/scg/ -- x -- dotpi.com Information Technologies Research Labs http://www.dotpi.com ______________________________________________________________________ ID: #20041214-1 Document title: Insecure Credential Storage on Kerio Software Document revision: 1.0 Coordinated release date: 2004/12/14 Vendor Acknowledge date: 2004/10/06 Reported date: 2004/10/01 CVE Name: CAN-2004-1022 Other references: N/A ______________________________________________________________________ Summary: Impact: Insecure Credential Storage Rating/Severity: Medium Recommendation: Update to latest version Vendor: Kerio Technologies Inc. Affected software: Kerio WinRoute Firewall (all versions) Kerio ServerFirewall (all versions) Kerio MailServer (all versions) Updates/Patches: Yes (see below) ______________________________________________________________________ General Information: 1. Executive summary: ------------------ As a result of its collaboration relationship the Secure Computer Group (SCG) along with dotpi.com Research Labs have determined this security issue on Kerio WinRoute Firewall (KWF), Kerio ServerFirewall (KSF) and Kerio MailServer (KMS). Anyone with a cyphertext of this database (that is, with access to the configuration files) could reverse the encryption using a universal secret key hidden into the program logic. New versions of the software solve this and other minor problems so it is upgrade its highly recommended. 2. Technical details: ------------------ Following the latest trends and approaches to responsible disclosure, SCG and dotpi.com are going to withhold details of this flaw for three months. Full details will be published on 2005/03/14. This three month window will allow system administrators the time needed to obtain the patch before the details are released to the general public. 3. Risk Assessment factors: ------------------------ The attacker needs access to the user database, which is not normally a usual condition on a properly hardened firewall and/or mail server. Despite this, special care should be taken on shared environments where more than one technical staff work together on the firewall and/or the mail server. This kind of scenarios offer a potential opportunity for the insiders on the work of stealing identities and, therefore, breaking access control measures. It is also important to note that this could be an important second-stage resource for a successful attacker on an already compromised firewall and/or mail server. 4. Solutions and recommendations: ------------------------------ Upgrade to the latest versions: o Kerio Winroute Firewall 6.0.9 o Kerio ServerFirewall 1.0.1 o Kerio MailServer 6.0.5 As in any other case, follow, as much as possible, the Industry 'Best Practices' on Planning, Deployment and Operation on this kind of services. Note: Kerio Winroute Firewall 6.0.7 fixed CAN-2004-1022. Kerio Winroute Firewall 6.0.9 is the current version fixing CAN-2004-1022 and CAN-2004-1023 5. Common Vulnerabilities and Exposures (CVE) project: --------------------------------------------------- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-1022 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. ______________________________________________________________________ Acknowledgements: 1. Special thanks to Vladimir Toncar and Pavel Dobry and the whole Technical Team from Kerio Technologies (support at kerio.com) for their quick response and professional handling on this issue. 3. The whole Research Lab at dotpi.com and specially to Carlos Veira for his leadership and support. 3. Secure Computer Group at University of A Coruna (scg at udc.es), and specially to Antonino Santos del Riego powering new research paths at University of a Coruna. ______________________________________________________________________ Credits: Javier Munoz (Secure Computer Group) is credited with this discovery. ______________________________________________________________________ Related Links: [1] Kerio Technologies Inc. http://www.kerio.com/ [2] Kerio WinRoute Firewall Downloads & Updates http://www.kerio.com/kwf_download.html [3] Kerio ServerFirewall Downloads & Updates http://www.kerio.com/ksf_download.html [4] Kerio MailServer Downloads & Updates http://www.kerio.com/kms_download.html [5] Secure Computer Group. University of A Coruna http://research.tic.udc.es/scg/ [6] Secure Computer Group. Updated advisory http://research.tic.udc.es/scg/advisories/20041214-1.txt [7] dotpi.com Information Technologies S.L. http://www.dotpi.com/ [8] dotpi.com Research Labs http://www.dotpi.com/research/ ______________________________________________________________________ Legal notice: Copyright (c) 2002-2004 Secure Computer Group. University of A Coruna Copyright (c) 2004 dotpi.com Information Technologies S.L. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of the authors. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please contact the authors for explicit written permission at the following e-mail addresses: (scg at udc.es) and (info at dotpi.com). Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _____________________________________________________________________

Kerio WinRoute Firewall before 6.0.9 uses information from PTR queries in response to A queries, which allows remote attackers to poison the DNS cache or cause a denial of service (connection loss). Multiple unspecified remote vulnerabilities reportedly affect Kerio's WinRoute Firewall. These issues are likely due to design errors and a failure or the application to properly handle malformed network data, although this is not verified. The first issue is a remote denial of service that may cause the affected computer to crash or hang. The second issue is a DNS cache poisoning vulnerability. The final issue is an information disclosure vulnerability. An attacker may exploit these issues to gain access to otherwise restricted information and manipulate the DNS cache of the affected firewall, potentially facilitating further attacks against the affected network. Also an attacker may leverage these issues to cause the affected computer to crash or hang, facilitating a denial of service condition. TITLE: Kerio WinRoute Firewall Unspecified DNS Cache Poisoning Vulnerability SECUNIA ADVISORY ID: SA13374 VERIFY ADVISORY: http://secunia.com/advisories/13374/ CRITICAL: Moderately critical IMPACT: Spoofing, Manipulation of data WHERE: >From remote SOFTWARE: Kerio WinRoute Firewall 6.x http://secunia.com/product/3613/ DESCRIPTION: A vulnerability has been reported in Kerio WinRoute Firewall, which can be exploited by malicious people to poison the DNS cache. The vulnerability is caused due to an unspecified error and can be exploited to insert fake information in the DNS cache. The vulnerability has been reported in version 6.0.8. Prior versions may also be affected. NOTE: Other issues have also been fixed, where some may be security related. SOLUTION: Update to version 6.0.9. http://www.kerio.com/kwf_download.html PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Safari 1.x allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability, a different vulnerability than CVE-2004-1122. This issue may allow a remote attacker to carry out phishing style attacks. This issue arises as a user visits a malicious site and follows a link to a trusted site. Once the link to the trusted site is followed, the victim must open a pop up window from the trusted site that can be influenced by the attacker's site. If successful, the contents of the target site's window can be spoofed resulting in phishing style attacks. Safari is a browser of Apple Corporation. Safari 1.x has a window hijacking vulnerability. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website. This is related to: SA11978 Secunia has constructed a test, which can be used to check if your browser is affected by this issue: http://secunia.com/multiple_browsers_window_injection_vulnerability_test/ The vulnerability has been confirmed in Safari version 1.2.4. Other versions may also be affected. SOLUTION: Do not browse untrusted sites while browsing trusted sites. PROVIDED AND/OR DISCOVERED BY: Secunia Research ORIGINAL ADVISORY: http://secunia.com/secunia_research/2004-13/advisory/ OTHER REFERENCES: SA11978: http://secunia.com/advisories/11978/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------