VARIoT IoT vulnerabilities database

VAR-200412-0209 CVE-2004-1461 Cisco Secure ACS NOVELL Directory Service Verification Bypass Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco Secure Access Control Server (ACS) 3.2(3) and earlier spawns a separate unauthenticated TCP connection on a random port when a user authenticates to the ACS GUI, which allows remote attackers to bypass authentication by connecting to that port from the same IP address. Cisco Secure Access Control Server and Secure Access Control Server Solution Engine are reported prone to multiple vulnerabilities. These vulnerabilities may allow remote attackers to cause denial of service conditions and gain unauthorized access to AAA clients and ACS administration interface. The following specific vulnerabilities were reported by the vendor: A remote attacker can trigger a denial of service condition in ACS Windows and ACS Solution Engine by establishing a large number of TCP connections to the CSAdmin application. Cisco Secure ACS is reported prone to another denial of service vulnerability when handling Light Extensible Authentication Protocol (LEAP) authentication requests. Cisco Secure ACS is reported prone to an authentication bypass vulnerability when configured to communicate with a Novell Directory Services (NDS) database for authenticating NDS users. Another vulnerability affecting ACS may allow remote attackers to gain unauthenticated access to the administration interface of the service. Among them, ACS supports NOVELL directory service. However, wrong passwords and incorrect usernames will be rejected for authentication
VAR-200412-0208 CVE-2004-1460 Cisco Secure ACS NOVELL Directory Service Verification Bypass Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco Secure Access Control Server (ACS) 3.2(3) and earlier, when configured with an anonymous bind in Novell Directory Services (NDS) and authenticating NDS users with NDS, allows remote attackers to gain unauthorized access to AAA clients via a blank password. Cisco Secure Access Control Server and Secure Access Control Server Solution Engine are reported prone to multiple vulnerabilities. The following specific vulnerabilities were reported by the vendor: A remote attacker can trigger a denial of service condition in ACS Windows and ACS Solution Engine by establishing a large number of TCP connections to the CSAdmin application. Cisco Secure ACS is reported prone to another denial of service vulnerability when handling Light Extensible Authentication Protocol (LEAP) authentication requests. Another vulnerability affecting ACS may allow remote attackers to gain unauthenticated access to the administration interface of the service. Among them, ACS supports NOVELL directory service. However, wrong passwords and incorrect usernames will be rejected for authentication
VAR-200412-0391 CVE-2004-2425 Axis Network Camera And Video Server Multiple Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-200408-0043
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allow remote attackers to execute arbitrary commands via accent (`) and possibly other shell metacharacters in the query string to virtualinput.cgi. Multiple vulnerabilities are reported to reside in multiple Axis network video and camera servers:
1. A shell metacharacter command-execution vulnerability allows an anonymous user to download the contents of the '/etc/passwd' file on the device. Other commands are also likely to work, facilitating other attacks. This issue is reported to affect:
- Axis 2100, 2110, 2120, 2420 network cameras with firmware versions 2.34 thru 2.40
- Axis 2130 network cameras
- Axis 2401 and 2401 video servers
2. A directory-traversal vulnerability in HTTP POST requests. This attack is demonstrated by an anonymous user calling protected administration scripts. This bypasses authentication checks and gives anonymous users remote administration of the devices. This issue is reported to affect:
- Axis 2100, 2110, 2120, 2420 network cameras with firmware versions 2.12 thru 2.40
- Axis 2130 network cameras
- Axis 2401 and 2401 video servers
3. A hardcoded backdoor administrative-user issue allows remote attackers to administer affected devices. This likely cannot be disabled. This issue is reported to affect:
- Axis StorePoint CD E100 CD-ROM Server with firmware version 5.30
Other products and versions of firmware are likely affected by one or more of these vulnerabilities
VAR-200412-0392 CVE-2004-2426 Axis Network Camera And Video Server Multiple Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to bypass authentication via a .. (dot dot) in an HTTP POST request to ServerManager.srv, then use these privileges to conduct other activities, such as modifying files using editcgi.cgi.
1. A shell metacharacter command-execution vulnerability allows an anonymous user to download the contents of the '/etc/passwd' file on the device. Other commands are also likely to work, facilitating other attacks. This issue is reported to affect:
- Axis 2100, 2110, 2120, 2420 network cameras with firmware versions 2.34 thru 2.40
- Axis 2130 network cameras
- Axis 2401 and 2401 video servers
2. A directory-traversal vulnerability in HTTP POST requests. This attack is demonstrated by an anonymous user calling protected administration scripts. This bypasses authentication checks and gives anonymous users remote administration of the devices. This issue is reported to affect:
- Axis 2100, 2110, 2120, 2420 network cameras with firmware versions 2.12 thru 2.40
- Axis 2130 network cameras
- Axis 2401 and 2401 video servers
3. A hardcoded backdoor administrative-user issue allows remote attackers to administer affected devices. This likely cannot be disabled. This issue is reported to affect:
- Axis StorePoint CD E100 CD-ROM Server with firmware version 5.30
Other products and versions of firmware are likely affected by one or more of these vulnerabilities
VAR-200408-0113 CVE-2004-0518 Vulnerability in Apple Mac OS X and Apple Mac OS X Server CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Unknown vulnerability in AppleFileServer for Mac OS X 10.3.4, related to "the use of SSH and reporting errors," has unknown impact and attack vectors. Unspecified vulnerabilities exist in Apple Mac OS X and Apple Mac OS X Server.
VAR-200412-0202 CVE-2004-1454 Cisco IOS fails to properly handle malformed OSPF packets CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco IOS 12.0S, 12.2, and 12.3, with Open Shortest Path First (OSPF) enabled, allows remote attackers to cause a denial of service (device reload) via a malformed OSPF packet. A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow remote attackers to conduct denial-of-service attacks on an affected device. Cisco IOS is reported prone to a remote denial of service vulnerability. A remote attacker may exploit this condition in multiple routers that reside on the same network segment as the attacker, to trigger a device reset. The attacker may continuously transmit malicious OSPF packets to the target routers in order to effectively deny network services to legitimate hosts. Cisco IOS is the operating system that runs on many Cisco devices. There is a problem in Cisco IOS processing malformed OSPF packets. OSPF is a routing protocol defined by RFC 2328, designed to manage IP routing within an AS. Some CISCO IOSs have a loophole in the processing of OSPF packets, which can lead to system overload. To successfully exploit this vulnerability, an attacker must know several parameters configured on the interface, such as OSPF Area number, Netmask, hello, and dead timers
VAR-200408-0245 No CVE Netgear DG834G Zebra Process Default Account Password Vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The NETGEAR DG834G is a router. The NETGEAR DG834G has a default account that can be exploited by remote attackers to modify device settings. Connecting to the NETGEAR DG834G web service at a URL such as http://192.168.0.1/setup.cgi?todo=debug starts the router's debug mode, after which a Telnet connection to port 23 yields a root shell; the Zebra service is accessible with the default password "Zebra", so an attacker can access and modify device settings. It is reported that Netgear DG834G devices contain a default password for their Zebra process. Zebra is a dynamic routing daemon, and contains a telnet-accessible configuration shell. It is reported that Zebra listens on both the WAN and the internal network interfaces. By gaining administrative access to Zebra, an attacker has the ability to modify network routes on the device, possibly redirecting traffic or denying network service to legitimate users. They may also be able to exploit latent vulnerabilities in Zebra itself. Due to code reuse, it is possible that other devices similar to this one are also affected
VAR-200411-0017 CVE-2004-0743 Apple Safari fails to properly handle form data in HTTP redirects CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Safari in Mac OS X before 10.3.5, after sending form data using the POST method, may re-send the data to a GET method URL if that URL is redirected after the POST data and the user uses the forward or backward buttons, which may cause an information leak. There is a vulnerability in the way Safari handles form data that may expose sensitive information when the forward/backward buttons are used. Apple has released Mac OS X 10.3.5. This release addresses a number of security vulnerabilities. A denial-of-service vulnerability in the operating system may allow a remote attacker to disable network traffic. These issues have been addressed in Mac OS X 10.3.5. Individual BIDs will be created upon further analysis. There is a security problem in the Safari browser. Apple reports that when a form is submitted using a POST request, and then the web server returns an HTTP redirect to the GET URL, under some conditions, the browser will re-POST the form data to the GET URL. This can be triggered by the forward/back buttons
VAR-200411-0018 CVE-2004-0744 Apple Mac OS X Rose Attack vulnerability that consumes large amounts of system memory CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The TCP/IP Networking component in Mac OS X before 10.3.5 allows remote attackers to cause a denial of service (memory and resource consumption) via a "Rose Attack" that involves sending a subset of small IP fragments that do not form a complete, larger packet. The Apple Mac OS X TCP/IP implementation has a flaw in handling certain fragmented SYN packets. As a result, system resources are consumed excessively when a large number of SYN packets with excessively large differences between fragment offsets in the datagram are processed. A third party could cause excessive CPU resource consumption or disrupt network operation, resulting in a denial of service (DoS). Apple has released Mac OS X 10.3.5. This release addresses a number of security vulnerabilities. The following new issues were reported: A remote vulnerability in the Apple Safari Web browser may allow a remote attacker to steal potentially sensitive form data. A denial-of-service vulnerability in the operating system may allow a remote attacker to disable network traffic. These issues have been addressed in Mac OS X 10.3.5. Individual BIDs will be created upon further analysis. There is an issue in the implementation of the Mac OS X TCP/IP stack, which can be exploited by a remote attacker to perform a denial of service attack on the system. TITLE: HP-UX TCP/IP "Rose Attack" Denial of Service Vulnerability SECUNIA ADVISORY ID: SA18082 VERIFY ADVISORY: http://secunia.com/advisories/18082/ CRITICAL: Moderately critical IMPACT: DoS WHERE: From remote OPERATING SYSTEM: HP-UX 11.x http://secunia.com/product/138/ DESCRIPTION: A vulnerability has been reported in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the handling of specially crafted IP fragments.
This can be exploited by sending a sequence of specially crafted IP fragments to cause the system to use too many system resources, potentially resulting in DoS. This is commonly known as the "Rose Attack". The vulnerability has been reported in version B.11.00, B.11.04, B.11.11, and B.11.23 running TCP/IP. SOLUTION: Apply updates. http://www.hp.com/go/softwaredepot HP-UX B.11.00: Install PHNE_33395 or later, and run "sqmax 1000". HP-UX B.11.04: Install PHNE_33427 or later, and run "sqmax 1000". HP-UX B.11.11: Install PHNE_31091 or later, and run "sqmax 1000". HP-UX B.11.23: Install PHKL_31500. Alternatively, install IPF-HP revision A.03.05.10.02 or later. PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: HPSBUX02087 SSRT4728: http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00579189
VAR-200412-0836 CVE-2004-2532 SolarWinds Serv-U File Server Trust Management Issue Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Serv-U FTP server before 5.1.0.0 has a default account and password for local administration, which allows local users to execute arbitrary commands by connecting to the server using the default administrator account, creating a new user, logging in as that new user, and then using the SITE EXEC command. The weak account can be used to log into the site maintenance interface on the loopback interface only, and to create user accounts
VAR-200412-0184 CVE-2004-1483 The ActiveX and HTML file browsers of the Symantec 4400 Series Clientless VPN Gateway contains various unspecified vulnerabilities CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Multiple unknown vulnerabilities in the ActiveX and HTML file browsers in Symantec Clientless VPN Gateway 4400 Series 5.0 have unknown attack vectors and unknown impact. The issues include multiple vulnerabilities related to the ActiveX and HTML file browser, cross-site scripting vulnerabilities in the end user interface, and a vulnerability in the end user interface that will allow an unauthorized user to change another user's single signon information. Remote attackers can use this vulnerability to modify other users' authentication information. No detailed vulnerability details are currently available. Cross-site scripting issues have also been reported by end users. 2) Various unspecified input validation errors within the end user UI can be exploited to conduct cross-site scripting attacks. 3) An error within the end user UI can be exploited by malicious users to manipulate other users' signon information (including username and password). SOLUTION: A hotfix is available: ftp://ftp.symantec.com/public/english_us_canada/products/sym_clientless_vpn/sym_clientless_vpn_5/updates/SCVG5-20040806-00.tgz PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: ftp://ftp.symantec.com/public/english_us_canada/products/sym_clientless_vpn/sym_clientless_vpn_5/updates/hf3-readme.txt
VAR-200408-0069 CVE-2004-0683 Symantec Norton AntiVirus 2002 and 2003 Service denial vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Symantec Norton AntiVirus 2002 and 2003 allows remote attackers to cause a denial of service (CPU consumption) via a compressed archive that contains a large number of directories. Norton AntiVirus 2003 Professional Edition is prone to a denial-of-service vulnerability
VAR-200408-0052 CVE-2004-0641 Thomson SpeedTouch Home ADSL Modem predictable TCP Serial number vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Thomson SpeedTouch 510 ADSL Router with firmware GV8BAA3.270, and possibly earlier versions, generates predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections. The ability to predict TCP sequence numbers may allow a remote attacker to inject packets into a vulnerable data stream, for example the telnet service on the affected modem. Remote attackers can use this vulnerability to carry out TCP communication forgery attacks. The TCP initial sequence number of the device can be guessed, which can allow an attacker to disrupt the ADSL modem's communication by forging traffic, or to hijack the device. BACKGROUND The Thompson (formerly Alcatel) SpeedTouch is an ADSL router for home and business providing a continuously available, "always on," connection. More information about the product can be found at http://www.speedtouchdsl.com/. II. The problem specifically exists due to the predictable nature of the TCP Initial Sequence Number (ISN) generator on the device.
The following sanitized tcpdump output demonstrates the existence of the vulnerability when 10 consecutive TCP connection requests are generated for the telnet server (port 23) on the Thompson device:

48.3 host_a.1096 > host_b.telnet: S
48.3 host_b.telnet > host_a.1096: S 4081040897:4081040897(0) ack
48.3 host_a.1096 > host_b.telnet: R
48.4 host_a.1096 > host_b.telnet: S
48.4 host_b.telnet > host_a.1096: S 4081104897:4081104897(0) ack
48.4 host_a.1096 > host_b.telnet: R
48.6 host_a.1096 > host_b.telnet: S
48.6 host_b.telnet > host_a.1096: S 4081232897:4081232897(0) ack
48.6 host_a.1096 > host_b.telnet: R
48.7 host_a.1096 > host_b.telnet: S
48.7 host_b.telnet > host_a.1096: S 4081296897:4081296897(0) ack
48.7 host_a.1096 > host_b.telnet: R
48.9 host_a.1096 > host_b.telnet: S
48.9 host_b.telnet > host_a.1096: S 4081360897:4081360897(0) ack
48.9 host_a.1096 > host_b.telnet: R
49.0 host_a.1096 > host_b.telnet: S
49.0 host_b.telnet > host_a.1096: S 4081488897:4081488897(0) ack
49.0 host_a.1096 > host_b.telnet: R
49.2 host_a.1096 > host_b.telnet: S
49.2 host_b.telnet > host_a.1096: S 4081552897:4081552897(0) ack
49.2 host_a.1096 > host_b.telnet: R
49.3 host_a.1096 > host_b.telnet: S
49.3 host_b.telnet > host_a.1096: S 4081616897:4081616897(0) ack
49.3 host_a.1096 > host_b.telnet: R
49.5 host_a.1096 > host_b.telnet: S
49.5 host_b.telnet > host_a.1096: S 4081744897:4081744897(0) ack
49.5 host_a.1096 > host_b.telnet: R
49.6 host_a.1096 > host_b.telnet: S
49.6 host_b.telnet > host_a.1096: S 4081808897:4081808897(0) ack
49.6 host_a.1096 > host_b.telnet: R

In the above example, host_a is the querying host and host_b is the Thompson device. A clear pattern in ISN generation can be seen as the value increases by approximately 64,000 each millisecond. III. ANALYSIS Successful exploitation of weak ISNs for the purpose of connection spoofing is not a trivial task. Successful exploitation allows an attacker to generate traffic on behalf of the affected device.
Such an ability is most dangerous when trust paths exist between the affected device and another remote system. IV. DETECTION iDEFENSE has verified the existence of this vulnerability in Thompson's SpeedTouch firmware version GV8BAA3.270 (1003825). It is suspected that earlier versions are susceptible to exploitation as well. V. WORKAROUNDS Untrusted traffic should be filtered at the network perimeter. VI. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0641 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VII. DISCLOSURE TIMELINE 06/08/04 Initial vendor contact - no response 06/08/04 iDEFENSE clients notified 06/18/04 Secondary vendor contact - no response 08/05/04 Public disclosure VIII. CREDIT The discoverer wishes to remain anonymous.
VAR-200412-0212 CVE-2004-1446 Juniper Networks NetScreen firewall contains a DoS vulnerability in the SSHv1 service CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in ScreenOS in Juniper Networks NetScreen firewall 3.x through 5.x allows remote attackers to cause a denial of service (device reboot or hang) via a crafted SSH v1 packet. A vulnerability in the SSHv1 service of NetScreen firewalls could allow an attacker to cause a denial-of-service condition. It is reported that the vulnerability may be triggered by a remote attacker, prior to any form of authentication. Netscreen is a firewall security solution, and its operating system is ScreenOS. The firewall will reboot or hang, stopping normal services
VAR-200409-0025 CVE-2004-0699 Check Point VPN-1 ASN.1 Buffer Overflow Vulnerability

Related entries in the VARIoT exploits database: VAR-E-200407-0196
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Heap-based buffer overflow in ASN.1 decoding library in Check Point VPN-1 products, when Aggressive Mode IKE is implemented, allows remote attackers to execute arbitrary code by initiating an IKE negotiation and then sending an IKE packet with malformed ASN.1 data. A vulnerability exists in Check Point's VPN-1 Server, which is included in many Check Point products. This vulnerability may permit a remote attacker to compromise the gateway system. This issue results from insufficient boundary checks performed by the application when processing user-supplied data. This overflow occurs during the initial key exchange process, and can be triggered with a single UDP packet. Since ISAKMP uses the UDP transport, a spoofed source address can be used in an attack. Check Point reports that for a single packet attack to succeed, VPN-1 must be configured for aggressive mode key exchange. Without aggressive mode, an attacker must initiate a real key negotiation session. This vulnerability can lead to remote code execution in the context of the VPN-1 process. This can lead to a complete system compromise
VAR-200407-0017 CVE-2004-0732 Php-Nuke Search module index.php SQL Injection vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SQL injection vulnerability in index.php in the Search module for Php-Nuke allows remote attackers to execute arbitrary SQL statements via the instory parameter. PHP-Nuke is prone to a sql-injection vulnerability
VAR-200407-0028 CVE-2004-0736 Php-Nuke Information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The search module in Php-Nuke allows remote attackers to gain sensitive information via the (1) "**" or (2) "+" search patterns, which reveals the path in an error message. PHP-Nuke is prone to an information disclosure vulnerability. There is a vulnerability in Php-Nuke's search module
VAR-200407-0029 CVE-2004-0737 Php-Nuke Search module index.php Cross-site scripting vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Multiple cross-site scripting vulnerabilities in index.php in the Search module for Php-Nuke allow remote attackers to inject arbitrary web script or HTML via the (1) sid, (2) max, (3) sel1, (4) sel2, (5) sel3, (6) sel4, (7) sel5, (8) match, (9) mod1, (10) mod2, or (11) mod3 parameters. PHP-Nuke is prone to a cross-site scripting vulnerability
VAR-200407-0030 CVE-2004-0738 Php-Nuke SQL Injection vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Multiple SQL injection vulnerabilities in the Search module in Php-Nuke allow remote attackers to execute arbitrary SQL via the (1) min or (2) categ parameters. PHP-Nuke is prone to a sql-injection vulnerability
VAR-200407-0032 CVE-2004-0740 Lexmark printer HTTP Service Remote Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The HTTP server in Lexmark T522 and possibly other models allows remote attackers to cause a denial of service (server crash, reload, or hang) via an HTTP header with a long Host field, possibly triggering a buffer overflow. T522 Network Printer is prone to a denial-of-service vulnerability. The HTTP service program of the Lexmark printer does not process some HTTP requests correctly. Remote attackers can use this vulnerability to carry out a denial of service attack on the printer WEB service