VARIoT IoT vulnerabilities database


VAR-199808-0020 (no CVE) Cisco PIX and CBAC Fragmentation Attack
CVSS V2: -
CVSS V3: -
Severity: -
Both the Cisco PIX Firewall software and the Context-based Access Control (CBAC) feature of Cisco's IOS Firewall Feature Set fail to properly check non-initial IP fragments. Although a non-initial fragment may belong to a session that would normally be blocked, it is forwarded to the destination host. This can lead to a denial of service (DoS) through exhaustion of the resources required to keep track of fragmented IP packets. The problem can be fixed by tracking the sessions that fragments belong to and dropping non-initial fragments for which no initial fragment has been seen. The DoS attack can easily be carried out with publicly available tools.

VAR-199808-0008 CVE-1999-0159 Vulnerability in Cisco Systems Cisco IOS
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases. Cisco Systems Cisco IOS contains an unspecified vulnerability.

VAR-199808-0022 (no CVE) Cisco IOS Remote Router Crash
CVSS V2: -
CVSS V3: -
Severity: -
Cisco IOS software is reported prone to a remote denial of service vulnerability. This may allow an attacker to cause a vulnerable device to crash or hang. It is reported that this issue may cause damage to an internal data structure, which could lead to other problems as well. An attacker does not require authentication credentials to exploit this issue, as only access to the login prompt of a device is sufficient to trigger this issue.

VAR-199807-0030 CVE-1999-1582 PIX 'established' and 'conduit' commands may have unexpected interactions
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
By design, the "established" command on the Cisco PIX firewall allows connections from one host to arbitrary ports of a target host if an alternative conduit has already been allowed, which can cause administrators to configure less restrictive access controls than intended if they do not understand this functionality. A somewhat common configuration of Cisco PIX firewalls may permit a window of opportunity in which an intruder can bypass the firewall. This problem was first publicly described in July 1998. Cisco Systems Cisco PIX Firewall Software contains an unspecified vulnerability. PIX Firewall is prone to a remote security vulnerability.

VAR-199807-0005 CVE-1999-1436 World Wide Web Authorization Gateway Vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Ray Chan's WWW Authorization Gateway 0.1 CGI program allows remote attackers to execute arbitrary commands via shell metacharacters in the "user" parameter. Version 1.0 fails to eliminate characters with special meaning to the shell before executing a command. As a result, an attacker can use such characters to execute arbitrary commands on the system remotely, as whatever user invoked the cgi-bin program.

VAR-199805-0007 CVE-1999-1204 Check Point Firewall Vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Check Point Firewall-1 does not properly handle certain restricted keywords (e.g., Mail, auth, time) in user-defined objects, which could produce a rule with a default "ANY" address and result in access to more systems than intended by the administrator. Firewall-1 is prone to a remote security vulnerability. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks.

VAR-199805-0016 CVE-1999-0816 Motorola CableRouter Vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024. The Motorola CableRouter is therefore prone to a remote security vulnerability: attackers can exploit this issue to perform unauthorized actions, which may aid in further attacks.

VAR-199805-0012 CVE-1999-0919 Motorola CableRouter Memory Leak Vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
A memory leak in the Motorola CableRouter allows remote attackers to conduct a denial of service via a large number of telnet connections. The Motorola CableRouter is prone to a denial-of-service vulnerability. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks.

VAR-199804-0007 CVE-1999-1015 AppleShare IP Mail Server Buffer Overflow Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and earlier allows a remote attacker to cause a denial of service (crash) via a long HELO command. Apple's AppleShare Mail Server contains an unspecified vulnerability. If you connect to the SMTP port and issue a HELO command with a large string (500 bytes or more) as the hostname, the server, and possibly the whole machine, will crash.

VAR-199804-0010 CVE-1999-0098 Vulnerabilities in products from multiple vendors, including Apple AppleShare
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in the SMTP HELO command in Sendmail allows a remote attacker to hide activities. Apple AppleShare and products from multiple other vendors contain unspecified vulnerabilities. The issue is due to insufficient bounds checking when handling malicious SMTP HELO command arguments of excessive length. A remote attacker may exploit this condition to trigger a denial of service in the affected daemon. Sendmail 8.8.8 is affected; earlier versions may also be vulnerable.

VAR-199803-0007 CVE-1999-0060 Ascend MAX Security Hole
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool. A variety of Lucent router product lines named "Ascend", running the TAOS operating system, support configuration tools that communicate through UDP port 9.

VAR-199902-0037 CVE-1999-0407 Microsoft IIS IISADMPWD virtual directory user account information disclosure vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute-force password attacks, or to identify valid users on the system. Microsoft IIS is a popular web server package for Windows NT based platforms. Version 4.0 of IIS installs a remotely accessible directory, /IISADMPWD (mapped to c:\winnt\system32\inetsrv\iisadmpwd), which contains a number of vulnerable .HTR files. These were designed to give system administrators the ability to provide HTTP-based password change services to network users. The affected files, achg.htr, aexp*.htr, and anot*.htr, can be used in this manner. A Microsoft bulletin on the feature recommends using /IISADMPWD/aexp.htr for this purpose. Requesting one of the listed .htr files returns a form that asks for the account name, current password, and new password. This can be used to determine whether or not the requested account exists on the host, as well as to conduct brute-force attacks. If the account does not exist, the message "invalid domain" is returned; if it does exist but the password change was unsuccessful, the attacker is notified. This can be used against the server and against other machines connected to the local network (and possibly even other machines on the Internet) by preceding the account name with an IP address and a backslash (e.g., XXX.XXX.XXX.XXX\ACCOUNT). The server contacts the networked machine through the NetBIOS session port and attempts to change the password.

VAR-199801-0019 CVE-1999-0293 Vulnerability in Cisco Systems Cisco IOS
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
AAA authentication on Cisco systems allows attackers to execute commands without authorization. Cisco Systems Cisco IOS contains an unspecified vulnerability. Attackers can exploit this issue to perform unauthorized actions, which may aid in further attacks. The flaw lies in the Cisco system's AAA authentication.

VAR-199712-0021 (no CVE) Cisco Catalyst Supervisor Remote Reload
CVSS V2: -
CVSS V3: -
Severity: -
This description was taken from the Cisco advisory. A remote attacker who knows how to exploit this vulnerability, and who can make a connection to TCP port 7161 on an affected switch, can cause the supervisor module of that switch to reload. While the supervisor is reloading, the switch will not forward traffic, and the attack will therefore deny service to the equipment attached to the switch. The switch will recover automatically, but repeated attacks can extend the denial of service indefinitely.

VAR-199903-0037 CVE-1999-0430 Cisco Catalyst Switch Remote Denial of Service Attack Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Catalyst LAN switches running Catalyst 5000 supervisor software allow remote attackers to perform a denial of service by forcing the supervisor module to reload. Cisco Catalyst is a widely used switch product developed by Cisco. A remote attacker may connect to TCP port 7161 on an affected switch, causing the supervisor module to reload. While it reloads, the switch will not forward packets. Although the switch recovers automatically and resumes forwarding afterwards, the attacker can repeat the attack to sustain the denial of service.

VAR-199712-0012 CVE-1999-0230 Vulnerability in Cisco Systems Cisco IOS
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Buffer overflow in Cisco 7xx routers through the telnet service. Cisco Systems Cisco IOS contains an unspecified vulnerability.

VAR-200505-0723 CVE-2005-1649 Microsoft Windows IPv6 denial of service (DoS) vulnerability due to malformed packets

Related entries in the VARIoT exploits database: VAR-E-199711-0003, VAR-E-199711-0001, VAR-E-200503-0001, VAR-E-200404-0002, VAR-E-199711-0002, VAR-E-199711-0005, VAR-E-199711-0004
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The IPv6 support in Windows XP SP2, 2003 Server SP1, and Longhorn, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, a variant of CVE-2005-0688 and a reoccurrence of the "Land" vulnerability (CVE-1999-0016). When a packet of this type is handled, an infinite loop is initiated and the affected system halts. A remote attacker may exploit this issue to deny service to legitimate users.

VAR-200503-0010 CVE-2005-0688 Microsoft Windows vulnerable to DoS via LAND attack

Related entries in the VARIoT exploits database: VAR-E-199711-0003, VAR-E-199711-0001, VAR-E-200503-0001, VAR-E-200404-0002, VAR-E-199711-0002, VAR-E-199711-0005, VAR-E-199711-0004
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Windows Server 2003 and XP SP2, with Windows Firewall turned off, allow remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016). Microsoft Windows does not adequately validate IP options, allowing an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service. An attacker could take complete control of a vulnerable system. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices and Catalyst switches, and HP-UX up to 11.00. Note that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue. Update: Microsoft platforms are also reported to be prone to this vulnerability. The vendor reports that network routers may not route the malformed TCP/IP packets used to exploit this issue; as a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself, before exploitation is possible.

Secunia Advisory SA14920
TITLE: Microsoft Exchange SMTP Service Extended Verb Request Buffer Overflow
VERIFY ADVISORY: http://secunia.com/advisories/14920/
CRITICAL: Highly critical
IMPACT: System access
WHERE: From remote
SOFTWARE: Microsoft Exchange Server 2000 (http://secunia.com/product/41/); Microsoft Exchange Server 2003 (http://secunia.com/product/1828/)
DESCRIPTION: ISS X-Force has reported a vulnerability in Microsoft Exchange Server, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused by a boundary error in the SMTP service when handling a certain extended verb request. This can be exploited to cause a heap-based buffer overflow by connecting to the SMTP service and issuing a specially crafted command. Successful exploitation allows execution of arbitrary code with the privileges of the SMTP service (by default "Local System"). Instead, this requires permissions usually only granted to other Exchange servers in a domain.
SOLUTION: Apply patches.
Microsoft Exchange 2000 Server (requires SP3): http://www.microsoft.com/downloads/details.aspx?FamilyId=2A2AF17E-2E4A-4479-8AC9-B5544EA0BD66
Microsoft Exchange Server 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=97F409EB-C8D0-4C94-A67B-5945E26C9267
Microsoft Exchange Server 2003 (requires SP1): http://www.microsoft.com/downloads/details.aspx?FamilyId=35BCE74A-E84A-4035-BF18-196368F032CC
The following versions are not affected:
* Microsoft Exchange Server 5.5 SP4
* Microsoft Exchange Server 5.0 SP2
PROVIDED AND/OR DISCOVERED BY: Mark Dowd and Ben Layer, ISS X-Force.
ORIGINAL ADVISORY: MS05-021 (KB894549): http://www.microsoft.com/technet/security/Bulletin/MS05-021.mspx
ISS X-Force: http://xforce.iss.net/xforce/alerts/id/193

VAR-199712-0007 CVE-1999-0016 Microsoft Internet Explorer DHTML objects contain a race condition

Related entries in the VARIoT exploits database: VAR-E-199711-0003, VAR-E-199711-0001, VAR-E-199711-0002, VAR-E-199711-0005, VAR-E-199711-0004
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Land IP denial of service. MSN Messenger clients before version 7.0 will allow remote attackers to take control of a computer if malicious GIF files are processed. Microsoft Windows does not adequately validate IP options, allowing an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service. An attacker could take complete control of a vulnerable system. A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination address and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices and Catalyst switches, and HP-UX up to 11.00. Note that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue. Update: Microsoft platforms are also reported to be prone to this vulnerability. The vendor reports that network routers may not route the malformed TCP/IP packets used to exploit this issue; as a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself, before exploitation is possible. The TCP/IP protocol stack is the most widely used network protocol for Internet networking and is implemented by most operating systems. There are flaws in the TCP/IP stack implementations of early BSD-derived systems (except Linux) and of Windows systems, which remote attackers can use to carry out denial-of-service attacks against a server. Because of these implementation problems, the target system may fail to handle such malformed packets: many old versions of UNIX-like operating systems will crash, and NT's CPU usage will be close to 100% (for about five minutes).
The vulnerability is caused by improper handling of IP packets with the same destination and source IP address and the SYN flag set. This causes a system to consume all available CPU resources for a certain period of time. This kind of attack was first reported in 1997 and became known as the LAND attack. SOLUTION: Filter traffic with the same IP address as source and destination at the perimeter.

US-CERT National Cyber Alert System, Technical Cyber Security Alert TA05-102A: Multiple Vulnerabilities in Microsoft Windows Components
Original release date: April 12, 2005
Source: US-CERT
Systems Affected: Microsoft Windows systems. For a complete list of affected versions of the Windows operating systems and components, refer to the Microsoft Security Bulletins.
Overview: Microsoft has released a Security Bulletin Summary for April, 2005. This summary includes several bulletins that address vulnerabilities in various Windows applications and components. Details of the vulnerabilities and their impacts are provided below.
I. Description: The list below provides a mapping between Microsoft's Security Bulletins and the related US-CERT Vulnerability Notes. More information related to the vulnerabilities is available in these documents.
III. Solution: Apply a patch. Microsoft has provided the patches for these vulnerabilities in the Security Bulletins and on Windows Update.
Appendix A. References:
* Microsoft's Security Bulletin Summary for April, 2005 - <http://www.microsoft.com/technet/security/bulletin/ms05-apr.mspx>
* US-CERT Vulnerability Note VU#774338 - <http://www.kb.cert.org/vuls/id/774338>
* US-CERT Vulnerability Note VU#756122 - <http://www.kb.cert.org/vuls/id/756122>
* US-CERT Vulnerability Note VU#222050 - <http://www.kb.cert.org/vuls/id/222050>
* US-CERT Vulnerability Note VU#275193 - <http://www.kb.cert.org/vuls/id/275193>
* US-CERT Vulnerability Note VU#633446 - <http://www.kb.cert.org/vuls/id/633446>
* US-CERT Vulnerability Note VU#233754 - <http://www.kb.cert.org/vuls/id/233754>
Authors: Will Dormann, Jeff Gennari, Chad Dougherty, Ken MacInnis, Jason Rafail, Art Manion, and Jeff Havrilla.
This document is available from: <http://www.us-cert.gov/cas/techalerts/TA05-102A.html>
Revision History: April 12, 2005: Initial release

VAR-199710-0008 CVE-1999-0160 Vulnerability in Cisco Systems Cisco IOS
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Some classic Cisco IOS devices have a vulnerability in PPP CHAP authentication that allows unauthorized PPP connections to be established. Cisco Systems Cisco IOS contains an unspecified vulnerability.