VARIoT IoT vulnerabilities database

Serv-U FTP server 4.x and 5.x allows remote attackers to cause a denial of service (application crash) via a STORE UNIQUE (STOU) command with an MS-DOS device name argument such as (1) COM1, (2) LPT1, (3) PRN, or (4) AUX. Serv-U FTP Server is reported prone to a denial of service vulnerability. This issue presents itself because the application fails to handle exceptional conditions. The vulnerability is a result of Serv-U FTP Server processing certain 'STOU' commands. All versions of Serv-U prior to 5.2.0.1 are reportedly affected by this vulnerability

The Content Scanner Server in F-Secure Anti-Virus for Microsoft Exchange 6.21 and earlier, F-Secure Anti-Virus for Microsoft Exchange 6.01 and earlier, and F-Secure Internet Gatekeeper 6.32 and earlier allow remote attackers to cause a denial of service (service crash due to unhandled exception) via a certain malformed packet. F-Secure Content Scanner Server is reported prone to a remote denial of service vulnerability. This issue presents itself when the application handles certain malformed packets. This vulnerability causes an unhandled exception in the process leading to a crash in the process. F-Secure Internet Gatekeeper can perform automatic virus and content filtering on EMAIL and WEB communications. According to the configuration options, a dialog box will be prompted on the desktop stating that the FSAVSD.EXE process has crashed

PPPDialer for Mac OS X 10.2.8 through 10.3.5 allows local users to overwrite system files via a symlink attack on PPPDialer log files. The Apple PPPDialer utility is reported to contain an insecure log file creation vulnerability. The result of this is that log files created by the application are created in a world writeable location. A local attacker may possibly exploit this vulnerability to execute symbolic link file overwrite attacks. Privilege escalation may be possible using this method of attack, if the attacker can control the data that is being written to the target file. The PPPDialer for Mac OS X versions 10.2.8 through 10.3.5 is vulnerable

QuickTime Streaming Server in Mac OS X Server 10.2.8, 10.3.4, and 10.3.5 allows remote attackers to cause a denial of service (application deadlock) via a certain sequence of operations. There is a vulnerability in the Mac OS X CoreFoundation framework that could allow a local attacker to execute arbitrary code. According to the report, remote clients can cause the process to deadlock by issuing a specific sequence of operations. This can render the service inoperable, resulting in a denial of service, until the server is restarted. Mac OS X is an operating system used on Mac machines, based on the BSD system. A reboot is required for normal operation

The CFPlugIn in Core Foundation framework in Mac OS X allows user supplied libraries to be loaded, which could allow local users to gain privileges. There is a vulnerability in the Apple QuickTime Streaming Server that could allow a remote attacker to cause a denial-of-service condition. It is reported that bundles using CoreFoundation can be made to automatically load plug-in executables using the CFPlugIn feature. This is a security vulnerability allowing for local privilege escalation as malicious executable plug-ins can be loaded by a privileged application. At this time, it is not clear whether the application targeted must be in the form of a bundle or if the attacker can perform the attack against any privileged application with a custom bundle. Users are advised to apply the patch provided by Apple, which changes the feature to prevent loading of plug-ins automatically if an executable is already loaded. Mac OS X is an operating system used on Mac machines, based on the BSD system. Apple Mac OS X CoreFoundation has library loading processing issues and buffer overflows. Local attackers can exploit this vulnerability to obtain ROOT privileges. Apple reports that local users can use the CoreFoundation CFPlugIn application to load any user-provided library to obtain ROOT privileges [CVE: CAN -2004-0821]. In addition, local users can modify some environment variables to trigger buffer overflow in CoreFoundation, and can execute arbitrary commands with ROOT process privileges [CVE: CAN-2004-0822]

Buffer overflow in The Core Foundation framework (CoreFoundation.framework) in Mac OS X 10.2.8, 10.3.4, and 10.3.5 allows local users to execute arbitrary code via a certain environment variable. There is a vulnerability in the Apple QuickTime Streaming Server that could allow a remote attacker to cause a denial-of-service condition. It is reported that a buffer overflow vulnerability is present in CoreFoundation related to its handling of an unspecified environment variable. Consequently, privileged applications using CoreFoundation may be exploited by local users to elevate their access level to that of the application. It is not known if all applications using CoreFoundation are vulnerable. Mac OS X is an operating system used on Mac machines, based on the BSD system. Apple Mac OS X CoreFoundation has library loading processing issues and buffer overflows. Local attackers can exploit this vulnerability to obtain ROOT privileges. Apple reports that local users can use the CoreFoundation CFPlugIn application to load any user-provided library to obtain ROOT privileges [CVE: CAN -2004-0821]

OpenLDAP 1.0 through 2.1.19, as used in Apple Mac OS 10.3.4 and 10.3.5 and possibly other operating systems, may allow certain authentication schemes to use hashed (crypt) passwords in the userPassword attribute as if they were plaintext passwords, which allows remote attackers to re-use hashed passwords without decrypting them. There is a vulnerability in the Apple QuickTime Streaming Server that could allow a remote attacker to cause a denial-of-service condition. There is a vulnerability in the Mac OS X CoreFoundation framework that could allow a local attacker to execute arbitrary code. OpenLDAP In using a specific authentication scheme userPassword There is a flaw that prevents password authentication if the password value is obtained because the value stored in is not processed as plain text.Password authentication may be avoided. In certain undisclosed cases, OpenLDAP is reported prone to an ambiguous-password-attribute weakness. If an attacker can retrieve a password hash as contained in the OpenLDAP database, they may then be able to directly authenticate to the LDAP database. The attacker may gain unauthorized access if they can sniff password hashes from the network or if they can retrieve the contents of the 'userPassword' attribute from a database backup or through weak permissions on the database. The OpenLDAP that is included with Apple Mac OS X, versions 10.3.4 and 10.3.5, is reported affected. Versions of OpenLDAP included in other operating systems may also be affected. There is a problem in OpenLDAP's verification of CRYPT passwords. Remote attackers can use this vulnerability to log in using other users' CRYPT values ​​as passwords. An attacker can log in with the target user's authority by using the CRYPT value of the target user's password. Apple reports that CRYPT passwords can be specified as a clear text password as userPassword. According to reports, some authentication mechanisms can use CRYPT values ​​as plaintext passwords. TITLE: Red Hat update for openldap / nss_ldap SECUNIA ADVISORY ID: SA17233 VERIFY ADVISORY: http://secunia.com/advisories/17233/ CRITICAL: Moderately critical IMPACT: Security Bypass, Exposure of sensitive information WHERE: >From remote OPERATING SYSTEM: RedHat Linux Advanced Workstation 2.1 for Itanium http://secunia.com/product/1326/ RedHat Enterprise Linux WS 4 http://secunia.com/product/4670/ RedHat Enterprise Linux WS 3 http://secunia.com/product/2536/ RedHat Enterprise Linux WS 2.1 http://secunia.com/product/1044/ RedHat Enterprise Linux ES 4 http://secunia.com/product/4668/ RedHat Enterprise Linux ES 3 http://secunia.com/product/2535/ RedHat Enterprise Linux ES 2.1 http://secunia.com/product/1306/ RedHat Enterprise Linux AS 4 http://secunia.com/product/4669/ RedHat Enterprise Linux AS 3 http://secunia.com/product/2534/ RedHat Enterprise Linux AS 2.1 http://secunia.com/product/48/ DESCRIPTION: Red Hat has issued updates for openldap / nss_ldap. This fixes two security issues and a vulnerability, which can be exploit by malicious people to gain knowledge of sensitive information or bypass certain security restrictions. For more information: SA15906 SA16518 SA12491 SOLUTION: Updated packages are available from Red Hat Network. http://rhn.redhat.com/ ORIGINAL ADVISORY: http://rhn.redhat.com/errata/RHSA-2005-767.html http://rhn.redhat.com/errata/RHSA-2005-751.html OTHER REFERENCES: SA15906: http://secunia.com/advisories/15906/ SA16518: http://secunia.com/advisories/16518/ SA12491: http://secunia.com/advisories/12491/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The HTTP daemon in Ipswitch WhatsUp Gold 8.03 and 8.03 Hotfix 1 allows remote attackers to cause a denial of service (server crash) via a GET request containing an MS-DOS device name, as demonstrated using "prn.htm". The software supports the performance management of networks, servers, virtual environments and applications. BACKGROUND Ipswitch WhatsUp Gold is a Microsoft Windows based network monitoring application. More information is available at http://www.Ipswitch.com/products/whatsup/index.html II. The problem specifically exists in the handling of reserved DOS device names. By generating a GET request for 'prn.htm' to the HTTP daemon installed by WhatsUp Gold, the application crashes and the following Runtime Library error is displayed: Runtime Error! Program: C:\Program Files\WhatsUp\whatsupg.exe abnormal program termination III. The WhatsUp Gold web server is not enabled by default. IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability against WhatsUp Gold versions 8.03 and the latest version 8.03 Hotfix 1. It is suspected that earlier versions are also vulnerable. V. WORKAROUNDS Disable the WhatsUp Gold web server if it is not required. VI. VENDOR RESPONSE A patch to address this issue is available at: http://www.ipswitch.com/Support/WhatsUp/patch-upgrades.html VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0799 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 08/12/2004 Initial vendor notification 08/12/2004 iDEFENSE clients notified 08/12/2004 Initial vendor response 09/16/2004 Coordinated public disclosure IX. CREDIT The discoverer wishes to remain anonymous. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp X. LEGAL NOTICES Copyright (c) 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information

Engenio/LSI Logic storage controllers, as used in products such as Storagetek D280, and IBM DS4100 (formerly FastT 100) and Brocade SilkWorm Switches, allow remote attackers to cause a denial of service (freeze and possible data corruption) via crafted TCP packets. It is reported that hardware based on Engenio Storage Controllers are prone to a remote denial of service vulnerability. This could also result reportedly result in unrecoverable corruption of data. Affected hardware includes Storagetek D280, and IBM DS4100 (formerly FastT 100) and Brocade SilkWorm Switches. Other devices may be affected such as other Storagetek and IBM FastT storage controllers, SGI, and Teradata storage controllers though this has not confirmed. The problem may exist in the underlying vxWorks operating system though this has also not been confirmed

Dynalink RTA 230 is a Linux-based ADSL router. The Dynalink RTA 230 has a default backdoor account that an attacker can use to control the entire ADSL device. According to the check /etc/passwd, you can find two default accounts: # cat /etc/passwd admin:xxxxx(obscured)xxxxx:0:0:Administrator:/:/bin/sh userNotUsed:YNf8oSCwK/0/Y:0: 0: Technical Support: /:/bin/sh These accounts cannot be modified and visible in the web configuration application. However, the WEB configuration application and the telnet service do not listen on the WAN interface by default. An attacker with access to the internal interface can fully control the ADSL device. Other devices that use similar firmware may also have this problem. Devices that may be affected by this vulnerability are: - US Robotics 9105 and 9106 - Siemens SE515 - Buffalo WMR-G54. It is reported that the firmware contains a backdoor account. This account is not visible or modifiable from the web administration interface

Multiple features in Ipswitch IMail Server before 8.13 allow remote attackers to cause a denial of service (crash) via (1) a long sender field to the Queue Manager or (2) a long To field to the Web Messaging component. It is reported that IMail is susceptible to multiple buffer overflow denial of service vulnerabilities. These vulnerabilities allow a remote attacker to crash the affected application, denying service to legitimate users. It is conjectured that it may be possible for an attacker to execute arbitrary code in the context of the affected server application. Versions of the application prior to 8.13 are reported affected by these vulnerabilities. TITLE: IMail Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA12453 VERIFY ADVISORY: http://secunia.com/advisories/12453/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote SOFTWARE: IMail Server 8.x http://secunia.com/product/3048/ DESCRIPTION: Various vulnerabilities have been reported in IMail, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). 2) An unspecified error within the Web Calendaring can potentially be exploited to cause a crash when a calender entry containing certain content is viewed. SOLUTION: Apply IMail Server 8.13 patch. http://www.ipswitch.com/support/imail/releases/imail_professional/im813.html PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://support.ipswitch.com/kb/IM-20040902-DM01.htm ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet@packetstormsecurity.org ----------------------------------------------------------------------

Unknown vulnerability in the Web calendaring component of Ipswitch IMail Server before 8.13 allows remote attackers to cause a denial of service (crash) via "specific content.". It is reported that IMail is susceptible to multiple buffer overflow denial of service vulnerabilities. It is conjectured that it may be possible for an attacker to execute arbitrary code in the context of the affected server application. Versions of the application prior to 8.13 are reported affected by these vulnerabilities. TITLE: IMail Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA12453 VERIFY ADVISORY: http://secunia.com/advisories/12453/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote SOFTWARE: IMail Server 8.x http://secunia.com/product/3048/ DESCRIPTION: Various vulnerabilities have been reported in IMail, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). 1) An unspecified error within the Queue Manager can be exploited to cause a crash via an overly long sender field. 3) An unspecified error within the Web Messaging can potentially be exploited to cause a crash via an overly long "To:" line. SOLUTION: Apply IMail Server 8.13 patch. http://www.ipswitch.com/support/imail/releases/imail_professional/im813.html PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://support.ipswitch.com/kb/IM-20040902-DM01.htm ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet@packetstormsecurity.org ----------------------------------------------------------------------

Kerio Personal Firewall 4.0 (KPF4) allows local users with administrative privileges to bypass the Application Security feature and execute arbitrary processes by directly writing to \device\physicalmemory to restore the running kernel's SDT ServiceTable. A vulnerability is reported to affect Kerio Personal Firewall (KPF) 'Application Security' functionality that could permit an executable that is run by an administrator to disable KPF 'Application Security' functionality. It is reported that (KPF) 'Application Security' functionality employs a modified Service Description Table in order to function. It is possible to restore the Service Description Table to its original state. A malicious application that is run by an administrator can read an intact SDT table from kernel memory and restore the SDT table in the running kernel by writing to kernel memory space. This will disable Kerio Personal Firewall (KPF) 'Application Security' functionality

D-Link DCS-900 Internet Camera listens on UDP port 62976 for an IP address, which allows remote attackers to change the IP address of the camera via a UDP broadcast packet. D-Link Securicam Network DCS-900 Internet Camera is reportedly affected by a remote configuration vulnerability. An attacker may leverage this issue to hijack the vulnerable camera, ultimately triggering a denial of service condition, as the unsuspecting user will be unable to connect to the device without having its IP address

WS_FTP 5.0.2 allows remote authenticated users to cause a denial of service (CPU consumption) via a CD command that contains an invalid path with a "../" sequence. WS_FTP Server is reported prone to a remote denial of service vulnerability. This issue presents itself when the application processes a malformed file path through the 'cd' command. WS_FTP Server version 5.0.2 is reported prone to this issue, however, other versions may be affected as well. Progress Software Ipswitch WS_FTP Server is a set of FTP server software developed by Progress Software Company in the United States. It provides functions such as file transfer control and transfer encryption. There is a security vulnerability in Progress Software Ipswitch WS_FTP Server version 5.0.2

Cisco IOS 12.2(15) and earlier allows remote attackers to cause a denial of service (refused VTY (virtual terminal) connections), via a crafted TCP connection to the Telnet or reverse Telnet port. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability could allow remote attackers to prevent new connections to remote management services on a vulnerable device. Successful exploitation of this vulnerability requires a complete 3-way handshake, so it is difficult to attack by forging IP addresses

Buffer overflow in Entrust LibKmp ISAKMP library, as used by Symantec Enterprise Firewall 7.0 through 8.0, Gateway Security 5300 1.0, Gateway Security 5400 2.0, and VelociRaptor 1.5, allows remote attackers to execute arbitrary code via a crafted ISAKMP payload. The Entrust LibKMP ISAKMP library is reported to be affected by a remote buffer overflow vulnerability. Malicious ISAKMP packets may trigger a buffer overrun in the affected library resulting in the corruption of process memory. Although unconfirmed, it is conjectured that this vulnerability may be related to the vulnerability described in BID 10273, as Checkpoint VPN-1 may use the affected library. The Entrust LibKmp ISAKMP library is used by multiple VPN vendors to exchange IKE keys for IPSEC-based VPN products. libKmp handles all incoming ISAKMP packets, this library is also used to authenticate and check the processing of incoming requests. The Entrust LibKmp ISAKMP library does not correctly verify incoming ISAKMP packets when implementing the IKE key exchange protocol. Entrust\'\'s LibKmp library is provided by the vendor to third parties to handle the exchange of IKE keys. This library is used in several enterprise firewall VPN products. Entrust\'\'s LibKmp library is fully checked for handling ISAKMP payloads and sizes. But the proposal payload embedded in the main SA payload is not properly filtered. The code that handles these loads has a flaw that can lead to memory corruption, a heap overflow. An attacker exploits this vulnerability to send malicious ISAKMP packets, which can cause the VPN component to crash, and carefully constructed and submitted data may execute arbitrary instructions on the system with process privileges. Product: Symantec Gateway Security 2.0 - Model 5400 Series Copyright \xa9 2004 Symantec Corporation August, 2004 ************************************************************************************ Hotfix: SG8000-20040715-00 - Entrust updates ************************************************************************************ This document contains the following information about the Symantec Gateway Security 2.0 - Model 5400 Series: * Prerequisites * Included modules * Fix description * Installation instructions * Uninstallation instructions ************************************************************************************ Prerequisites: HB8000-20031023-00 - December 2003 patch SG8000-20040405-00 - April 2004 patch ************************************************************************************ Included modules: isakmpd libEntrust.so libkmp.so ************************************************************************************ Fix description: Corrects problem with Denial of Service attack reported against isakmpd in CAN-2004-0369. ************************************************************************************ Installation instructions: The April 2004 patch must be installed prior to installing this hotfix. To install the patch 1. Download the entrust-sgs20.tgz file to a location that is accessible from the Security Gateway Management Interface (SGMI). 2. In the SGMI, on the Action menu, click HotFix. 3. In the left pane of the Hotfix Management window, click Install hotfix. 4. In the right pane of the Hotfix Management window, click Browse. 5. In the Choose file dialog box, browse to and select the entrust-sgs20.tgz file, and then click Open. 6. In the right pane of the Hotfix Management window, click Install. 7. Wait until a message appears in the right pane of the Hotfix Management window. (Note: there is no visible indication of activity.) 8. If the message includes a "Restart" link, click the link and wait until the "Security gateway is restarting" message appears. 9. Close the Hotfix Management window. ************************************************************************************ Uninstallation instructions: To uninstall the patch 1. In the SGMI, on the Action menu, click HotFix. 2. In the left pane of the Hotfix Management window, click Uninstall hotfix. 3. In the right pane of the Hotfix Management window, click the radio button next to hotfix ID SG8000-20040715-00. 4. In the right pane of the Hotfix Management window, click Uninstall. 5. Wait until a message appears in the right pane of the Hotfix Management window. (Note: there is no visible indication of activity.) 6. If the message includes a "Restart" link, click the link and wait until the "Security gateway is restarting" message appears. 7. Close the Hotfix Management window. ************************************************************************************ . Connect to Symantec Gateway Security (SGS) using the SRMC. Connect to the VelociRaptor using the SRMC. Right-click the VelociRaptor icon. Browse to the location of the *.tgz file. Select Open to load the patch. Answer "No" when asked if you want to reboot the system. Connect to the VelociRaptor using the SRMC. Right-click the VelociRaptor. Select All Tasks > SRL Client. Log into the system. Type: cd /usr/vr/hotfixes/SG7004-20040715-00 and press Enter. Type: ./Uninstall and press Enter

The CSAdmin web administration interface for Cisco Secure Access Control Server (ACS) 3.2(2) build 15 allows remote attackers to cause a denial of service (hang) via a flood of TCP connections to port 2002. Cisco Secure Access Control Server and Secure Access Control Server Solution Engine are reported prone to multiple vulnerabilities. Cisco Secure ACS is reported prone to another denial of service vulnerability when handling Light Extensible Authentication Protocol (LEAP) authentication requests. Cisco Secure ACS is reported prone to an authentication bypass vulnerability when configured to communicate to a Novell Directory Services (NDS) database for authenticating NDS users. Among them, ACS supports NOVELL directory service. However, wrong passwords and incorrect usernames will be rejected for authentication

Buffer overflow in the _maincfgret.cgi script for Ipswitch WhatsUp Gold before 8.03 Hotfix 1 allows remote attackers to execute arbitrary code via a long instancename parameter. Ipswitch WhatsUp Gold is affected by a remote buffer-overflow vulnerability because the application fails to properly validate user-supplied string lengths before copying them into static process buffers. An attacker might leverage this issue to execute arbitrary code on the affected computer with the privileges of the user that started the vulnerable application. The software supports the performance management of networks, servers, virtual environments and applications. The _maincfgret.cgi program of WhatsUp Gold does not correctly check and filter the instancename parameter submitted by the user. <**>. BACKGROUND Ipswitch WhatsUp Gold is a Microsoft Windows based network monitoring application. More information is available at: http://www.Ipswitch.com/products/whatsup/index.html II. The problem specifically exists in the _maincfgret.cgi script accessible through the web server installed by WhatsUp Gold. III. The WhatsUp Gold web server is not enabled by default. IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability against WhatsUp Gold version 8.03. iDEFENSE has confirmed that the latest version of WhatsUp Gold, version 8.03 Hotfix 1, is not vulnerable. V. WORKAROUND Disable the WhatsUp Gold web server if it is not required. VI. VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0798 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 08/12/2004 Initial vendor notification 08/12/2004 iDEFENSE clients notified 08/12/2004 Initial vendor response 08/25/2004 Public disclosure IX. CREDIT The discoverer wishes to remain anonymous. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp X. LEGAL NOTICES Copyright (c) 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html

Cisco Secure Access Control Server (ACS) 3.2, when configured as a Light Extensible Authentication Protocol (LEAP) RADIUS proxy, allows remote attackers to cause a denial of service (device crash) via certain LEAP authentication requests. Cisco Secure Access Control Server and Secure Access Control Server Solution Engine are reported prone to multiple vulnerabilities. These vulnerabilities may allow remote attackers to cause denial of service conditions and gain unauthorized access to AAA clients and ACS administration interface. The following specific vulnerabilities were reported by the vendor: A remote attacker can trigger a denial of service condition in ACS Windows and ACS Solution Engine by establishing a large amount of TCP connections to the CSAdmin application. Cisco Secure ACS is reported prone to an authentication bypass vulnerability when configured to communicate to a Novell Directory Services (NDS) database for authenticating NDS users. Another vulnerability affecting ACS may allow remote attackers to gain unauthenticated access to the administration interface of the service. Among them, ACS supports NOVELL directory service. However, wrong passwords and incorrect usernames will be rejected for authentication