VARIoT IoT vulnerabilities database


VAR-199911-0073 CVE-1999-1508 Tektronix PhaserLink Web Server vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Web server in Tektronix PhaserLink Printer 840.0 and earlier allows a remote attacker to gain administrator access by directly calling undocumented URLs such as ncl_items.html and ncl_subjects.html. Certain versions of the Tektronix PhaserLink printer ship with a webserver designed to help facilitate configuration of the device. This service is essentially administrator level access as it can completely modify the system characteristics, restart the machine, assign services, etc. Once the password is obtained by the user, they can manipulate the printer in any way they see fit. There is a bug in the web server on Tektronix PhaserLink Printer 840.0 and earlier
VAR-199911-0072 CVE-1999-1550 F5 Software BigIP of bigconf.cgi Script leaking file content vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
bigconf.conf in F5 BIG/ip 2.1.2 and earlier allows remote attackers to read arbitrary files by specifying the target file in the "file" parameter. BigIP is a load balancing system from F5 software. It has a web-based configuration system, which is vulnerable to several standard CGI attacks. According to Guy Cohen <guy@crypto.org.il>, it is possible to view arbitrary files on the BSDI system which it is installed on. To add to this, the configuration program is installed setuid root. This is considered a local vulnerability since htaccess authentication is required to get to the configuration area. No more information on this vulnerability is available. It has a web management interface and configures the program through some CGI scripts. There is an input validation vulnerability in the "bigconf.cgi" script in the software package, allowing remote attackers to view arbitrary system files with the authority of the Web Server process. The bug finder did not provide further clarification
VAR-199911-0051 CVE-1999-0843 Cisco Router security vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Denial of service in Cisco routers running NAT via a PORT command from an FTP client to a Telnet port. Cisco Router is prone to a denial-of-service vulnerability. Attackers can exploit this issue to cause a denial-of-service condition
VAR-199911-0028 CVE-1999-0946 Microsoft IE Yamaha MidiPlug Buffer Overflow Vulnerability CVSS V2: 5.1
CVSS V3: -
Severity: MEDIUM
Buffer overflow in Yamaha MidiPlug via a Text variable in an EMBED tag. There is a buffer overflow in the MidiPlug that may allow arbitrary code to be executed on the local host. Instructions in the text variable may be executed when a user visits the malicious web page
VAR-199911-0013 CVE-1999-1077 apple's  macOS  Vulnerability in CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Idle locking function in MacOS 9 allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock. Under MacOS the key combination CMD-PWR (Command key + Power Key) or the programmer's switch (on models that have one) will start up the micro-debugger or an assembly debugger such as MacsBug. This behavior occurs even while the screen is locked after the user becomes idle. This allows a user to drop into the debugger and kill the screen lock process and obtain access to the desktop. There is a vulnerability in the idle lock function in the MacOS 9 version
VAR-199910-0007 CVE-1999-1076 apple's  macOS  Vulnerability in CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Idle locking function in MacOS 9 allows local users to bypass the password protection of idled sessions by selecting the "Log Out" option and selecting a "Cancel" option in the dialog box for an application that attempts to verify that the user wants to log out, which returns the attacker into the locked session. MacOS 9 includes an idle-activated console lock feature, similar to a screensaver password in other operating systems. After a certain length of user inactivity, a dialog box appears stating that a password must be entered. After the user clicks 'OK' another dialog box appears offering the option to either supply a password or to log out the current user. If the 'log out' option is chosen, any programs running will start to shut down. In certain programs, dialog boxes are created in the shutdown process (for example, "Exit without saving? OK/Cancel"). If the user selects 'Cancel', the shutdown process is aborted and the user is returned to the current session without ever having to enter a password. There is a vulnerability in the Idle locking function in the MacOS 9 version
VAR-199910-0025 CVE-1999-0905 Axent Raptor Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Denial of service in Axent Raptor firewall via malformed zero-length IP options. According to an advisory posted to Bugtraq by the Purdue CERIAS labs, setting the SECURITY and TIMESTAMP IP options length to 0 can cause an infinite loop to occur within the code that handles the options (resulting in the software freezing). A consequence of this is a remote denial of service. This vulnerability can be caused by an incorrect zero-length IP option
VAR-199910-0020 CVE-1999-0895 Check Point Firewall - 1 LDAP Verification vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Firewall-1 does not properly restrict access to LDAP attributes. With FireWall-1 Version 4.0 Checkpoint introduced support for the Lightweight Directory Access Protocol (LDAP) for user authentication. It looks like there's a bug in Checkpoint's ldap code which under certain circumstances can lead to unauthorized access to protected systems behind the firewall. A user can authenticate himself at the firewall providing a valid username and password. The firewall acts as a ldap client, validating the credentials by a directory server using the ldap protocol. After successful authentication access will be granted to systems protected by the firewall. In contrast to authentication using the Radius or SecurID protocol, after successful authentication the directory server can supply the firewall with additional ldap attributes for the user like the time and day of a week a user is allowed to login, the source addresses a user can run a client from, or the system behind the firewall a user is allowed to access. This can be done individually for each user. In general I think that's a great idea but it seems Checkpoint made something wrong interpreting the ldap attribute 'fw1allowed-dst' which is supposed to control in detail which protected network object a user can access. It seems this attribute is ignored by the firewall software, granting access to all protected network objects instead. Example:

                         ------ Server 'Foo'
                         |
    Internet --- FW-1 ---|
                         |
                         ------ Server 'Bar'

Suppose there's a user 'Sid' with access only to Server 'Foo', and a second user 'Nancy' with access restricted to Server 'Bar', both controlled by the ldap protocol, using the ldap attribute 'fw1allowed-dst'. The bug will cause that both, Sid and Nancy, will have access to Foo and to Bar. [Quoted from the post by Olaf Selke with permission]
VAR-199910-0010 CVE-1999-0791 Hybrid Cable Modem Remote Configuration Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Hybrid Network cable modems do not include an authentication mechanism for administration, allowing remote attackers to compromise the system through the HSMP protocol. The cable modems use a protocol called HSMP, which uses UDP as its transport layer protocol. This makes it trivial to spoof packets and possible for hackers to compromise cable-modem subscribers anonymously. The possible consequences of this problem being exploited are very serious and range from denial of service attacks to running arbitrary code on the modem
VAR-199912-0052 CVE-1999-1233 IIS Restrict access vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
IIS 4.0 does not properly restrict access for the initial session request from a user's IP address if the address does not resolve to a DNS domain, aka the "Domain Resolution" vulnerability. Any subsequent requests will be denied
VAR-199909-0007 CVE-1999-0777 Microsoft IIS FTP NO ACCESS Read / delete File vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions. IIS 4.0 FTP servers which have installed a specific post SP5 FTP hotfix are vulnerable to an exploit whereby FTP clients may download. Web browser FTP clients may be able to view and/or download these files, while specially crafted requests from non-browser based FTP clients may be able to delete these files. This vulnerability only affects IIS 4.0 servers running NT 4.0 SP5 with a specific post SP5 hotfix for an FTP get error as described in <http://support.microsoft.com/support/kb/articles/Q237/9/87.ASP>. Microsoft states there are no negative ramifications to applying this hotfix to SP4 or SP5 hosts who have not installed the previously referenced FTP hotfix. To see if you are vulnerable, check the file version for Ftpsvc.dll. Versions 0718 through 0722 are thought to be vulnerable, although Microsoft documentation is unclear as to whether the vulnerable versions start with 0718 or 0719. Version 0724 represents the version installed by the latest hotfix. The hotfix designed to correct this problem was not released in time for the upcoming NT 4.0 Service Pack 6. Service Pack 6 contains the "buggy" hotfix and will be vulnerable to this error when it is released. It will be necessary to install the corresponding hotfix after installing Service Pack 6, regardless of whether or not the Service Pack 5 installation was vulnerable
VAR-199909-0054 CVE-1999-1516 TenFour TFS Gateway SMTP Mail server buffer overflow vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
A buffer overflow in TenFour TFS Gateway SMTP mail server 3.2 allows an attacker to crash the mail server and possibly execute arbitrary code by offering more than 128 bytes in a MAIL FROM string. Tfs Gateway Smtp is prone to a denial-of-service vulnerability
VAR-199909-0003 CVE-1999-1129 IEEE 802.1q unauthorized VLAN Traversing weaknesses CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers to inject 802.1q frames into another VLAN by forging the VLAN identifier in the trunking tag. The 802.1q standard is susceptible to issues that allow attackers to send and receive packets from one VLAN to another without authorization. By spoofing various Ethernet frame fields such as the source or destination MAC addresses, IP addresses, and VLAN tags, attackers may cause packets to traverse from one VLAN to another, and possibly back again. Attackers may also add multiple VLAN tags to packets to cause multiple routers to decapsulate the packets in unexpected ways, aiding the attacker in traversing VLANs. This issue allows attackers to traverse from one VLAN to another in an unauthorized fashion. As some users may utilize VLANs to segregate network segments containing differing security properties, this may have various consequences. This issue may be exacerbated by utilizing attacker-controlled external network hosts to bounce packets between VLANs
VAR-199908-0059 CVE-1999-1515 TFS Gateway 4.0 Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
A non-default configuration in TenFour TFS Gateway 4.0 allows an attacker to cause a denial of service via messages with incorrect sender and recipient addresses, which causes the gateway to continuously try to return the message every 10 seconds. TFS Gateway 4.0, when configured in a specific non-default manner, is vulnerable to a remotely exploitable denial of service attack. If enough emails of sufficient size of this nature are sent it can lead to a degradation or denial of service. Vulnerabilities exist in non-default configurations in TenFour TFS Gateway version 4.0. The vulnerability caused the gateway to keep trying to return information every 10 seconds
VAR-199908-0018 CVE-1999-0734 CiscoSecure Access control server (ACS) The authorization issue vulnerability is configured by default. CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
A default configuration of CiscoSecure Access Control Server (ACS) allows remote users to modify the server database without authentication. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks
VAR-199908-0035 CVE-1999-0867 NT IIS error HTTP Request header DoS Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers. Microsoft IIS and all other products that use the IIS web engine have a vulnerability whereby a flood of specially formed HTTP request headers will make IIS consume all available memory on the server and then hang
VAR-199908-0026 CVE-1999-0675 Firewall-1 Port 0 Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Check Point FireWall-1 can be subjected to a denial of service via UDP packets that are sent through VPN-1 to port 0 of a host. This issue only seems to take place when the VPN being used for the transport of the packet supports ISAKMP encryption. It has been reported that Solaris hosts being attacked via this method will reboot. Check Point FireWall-1 is vulnerable
VAR-199908-0060 CVE-1999-1524 FlowPoint DSL router firmware Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
FlowPoint DSL router firmware versions prior to 3.0.8 allow a remote attacker to exploit a password recovery feature from the network and conduct brute force password guessing, instead of limiting the feature to the serial console port. Flowpoint Dsl Router is prone to a remote security vulnerability
VAR-200212-0461 CVE-2002-1790 Microsoft IIS Vulnerabilities used as relay points for email CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The SMTP service in Microsoft Internet Information Services (IIS) 4.0 and 5.0 allows remote attackers to bypass anti-relaying rules and send spam or spoofed messages via encapsulated SMTP addresses, a similar vulnerability to CVE-1999-0682. This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. When the Exchange Server MTA is connected to the Internet, there is a problem that allows e-mail relaying by a third party from the outside. This can be done by inserting certain characters in the email. If this issue is exploited by a malicious remote attacker, the server may be used as a spam mail relay point. In addition, sending e-mails large enough to impose a heavy load through the server can take away Exchange's processing power, and as a result a DoS attack will succeed. The vulnerability was originally announced in Microsoft Security Bulletin MS99-027 and reported to affect Exchange Server 5.5. Microsoft released a patch to fix the vulnerability for Exchange Server 5.5 only. There exists no patch for the IIS SMTP service. This vulnerability poses no threat to the data or software on the server, but could allow spam to be sent from the server without the administrator's knowledge or permission, and could lead to a Denial of Service condition if the volume of the mail relayed is sufficient
VAR-199908-0031 CVE-1999-0682 Microsoft Exchange Server Vulnerabilities used as relay points for email CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Microsoft Exchange 5.5 allows a remote attacker to relay email (i.e. spam) using encapsulated SMTP addresses, even if the anti-relaying features are enabled. This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. When the Exchange Server MTA is connected to the Internet, there is a problem that allows e-mail relaying by a third party from the outside. This can be done by inserting certain characters in the email. In addition, sending e-mails large enough to impose a heavy load through the server can take away Exchange's processing power, and as a result a DoS attack will succeed. A similar problem also exists in the SMTP service implemented as standard in Microsoft IIS (Internet Information Server) 4.0/5.0. Please refer to the "Overview" for the impact of this vulnerability. The vulnerability was originally announced in Microsoft Security Bulletin MS99-027 and reported to affect Exchange Server 5.5. Microsoft released a patch to fix the vulnerability for Exchange Server 5.5 only. There exists no patch for the IIS SMTP service. This vulnerability poses no threat to the data or software on the server, but could allow spam to be sent from the server without the administrator's knowledge or permission, and could lead to a Denial of Service condition if the volume of the mail relayed is sufficient