VARIoT IoT vulnerabilities database

Cisco Cache Engine allows a remote attacker to gain access via a null username and password. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks

Buffer overflow in the POP server POProxy for the Norton Anti-Virus protection NAV2000 program via a large USER command. The vulnerability is caused by a large USER command

daynad program in Intel InBusiness E-mail Station does not require authentication, which allows remote attackers to modify its configuration, delete files, or read mail. InBusiness eMail Station is prone to a remote security vulnerability. Vulnerability in the daynad program of Intel's InBusiness e-mail site

Cabletron SmartSwitch Router (SSR) 8000 firmware 2.x can only handle 200 ARP requests per second allowing a denial of service attack to succeed with a flood of ARP requests exceeding that limit. There is a vulnerability in Cabletron SmartSwitch Router (SSR) 8000 firmware 2.x

Web server in Tektronix PhaserLink Printer 840.0 and earlier allows a remote attacker to gain administrator access by directly calling undocumented URLs such as ncl_items.html and ncl_subjects.html. Certain versions of the Tektronix PhaserLink printer ship with a webserver designed to help facilitate configuration of the device. This service is essentially administrator level access as it can completely modify the system characteristics, restart the machine, asign services etc. Once the password is obtained by the user, they can manipulate the printer in any way they see fit. There is a bug in the web server on Tektronix PhaserLink Printer 840.0 and earlier

bigconf.conf in F5 BIG/ip 2.1.2 and earlier allows remote attackers to read arbitrary files by specifying the target file in the "file" parameter. BigIP is a load balancing system from F5 software. It has a web-based configuration system, which is vulnerable to several standard CGI attacks. According to Guy Cohen <guy@crypto.org.il>, it is possible to view arbitrary files on the BSDI system which it is installed on. To add to this, the configuration program is installed setuid root. This is considered a local vulnerability since htaccess authentication is required to get to the configuration area. No more information on this vulnerability is available. It has a web management interface and configures the program through some CGI scripts. There is an input validation vulnerability in the \"bigconf.cgi\" script in the software package, allowing remote attackers to view arbitrary system files with the authority of the Web Server process. The bug finder did not provide further clarification

Denial of service in Cisco routers running NAT via a PORT command from an FTP client to a Telnet port. Cisco Router is prone to a denial-of-service vulnerability. Attackers can exploit this issue to cause a denial-of-service condition

Buffer overflow in Yamaha MidiPlug via a Text variable in an EMBED tag. There is a buffer overflow in the MidiPlug that may allow arbitrary code to be executed on the local host. Instructions in the text variable may be executed when a user visits the malicious web page

Idle locking function in MacOS 9 allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock. apple's macOS Exists in unspecified vulnerabilities.None. Under MacOS the key combination CMD-PWR (Command key + Power Key) or the programmer's switch (on models that have one) will start up the micro-debugger or an assembly debugger such as MacsBug. This behavior occurs even while the screen is locked after the user becoming idle. This allows a user to drop into the debugger and kill the screen lock process and obtain access to the desktop. There is a vulnerability in the idle lock function in the MacOS 9 version

Idle locking function in MacOS 9 allows local users to bypass the password protection of idled sessions by selecting the "Log Out" option and selecting a "Cancel" option in the dialog box for an application that attempts to verify that the user wants to log out, which returns the attacker into the locked session. apple's macOS Exists in unspecified vulnerabilities.None. MacOS 9 includes an idle-activated console lock feature, similar to a screensaver password in other operating systems. After a certain length of user inactivity, a dialog box appears stating that a password must be entered. After the user clicks 'OK' another dialog box appears offering the option to either supply a password or to log out the current user. If the 'log out' option is chosen, any programs running will start to shut down. In certain programs, dialog boxes are created in the shutdown process (for example, "Exit without saving? OK/Cancel"). If the user selects 'Cancel', the shutdown process is aborted and the user is returned to the current session without ever having to enter a password. There is a vulnerability in the Idle locking function in the MacOS 9 version

Denial of service in Axent Raptor firewall via malformed zero-length IP options. According to an advisory posted to bugtraq by the perdue CERIAS labs, setting the SECURITY and TIMESTAMP IP options length to 0 can cause an infinite loop to occur within the code that handles the options (resulting in the software freezing). A consequence of this is a remote denial of service. This vulnerability can be caused by an incorrect zero-length IP option

Firewall-1 does not properly restrict access to LDAP attributes. With FireWall-1 Version 4.0 Checkpoint introduced support for the Lightweight Directory Access Protocol (LDAP) for user authentication. It looks like there's a bug in Checkpoint's ldap code which under certain circumstances can lead to unauthorized access to protected systems behind the firewall. A user can authenticate himself at the firewall providing a valid username and password. The firewall acts as a ldap client, validating the credentials by a directory server using the ldap protocol. After successful authentication access will be granted to systems protected by the firewall. In contrast to authentication using the Radius or SecurID protocol, after successful authentication the directory server can supply the firewall with additional ldap attributes for the user like the time and day of a week a user is allowed to login, the source addresses a user can run a client from, or the system behind the firewall a user is allowed to access. This can be done individual for each user. In general I think that's a great idea but it seems Checkpoint made something wrong interpreting the ldap attribute 'fw1allowed-dst' which is supposed to control in detail which protected network object a user can access. It seems this attribute is ignored by the firewall software, granting access to all protected network objects instead. Example: ------ Server 'Foo' | Internet --- FW-1 ---| | ------ Server 'Bar' Supposed there's a user 'Sid' with access only to Server 'Foo', and a second user 'Nancy' with access restricted to Server 'Bar', both controlled by the ldap protocol, using the ldap attribute 'fw1allowed-dst'. The bug will cause that both, Sid and Nancy, will have access to Foo and to Bar. [Quoted from the post by Olaf Selke with permission]

Hybrid Network cable modems do not include an authentication mechanism for administration, allowing remote attackers to compromise the system through the HSMP protocol. The cable modems use a protocol called HSMP, which uses UDP as its transport layer protocol. This makes it trivial to spoof packets and possible for hackers to compromise cable-modem subscribers anonymously. The possible consequences of this problem being exploited are very serious and range from denial of service attacks to running arbitrary code on the modem

IIS 4.0 does not properly restrict access for the initial session request from a user's IP address if the address does not resolve to a DNS domain, aka the "Domain Resolution" vulnerability. Any subsequent requests will be denied

IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions. IIS 4.0 FTP servers which have installed a specific post SP5 FTP hotfix are vulnerable to an exploit whereby FTP clients may download. Web browser FTP clients may be able to view and/or download these files, while specially crafted requests from non-browser based FTP clients may be able to delete these files. This vulnerability only affects IIS 4.0 servers running NT 4.0 SP5 with a specific post SP5 hotfix for an FTP get error as described in <http://support.microsoft.com/support/kb/articles/Q237/9/87.ASP >. Microsoft states there are no negative ramifications to applying this hotfix to SP4 or SP5 hosts who have not installed the previously referenced FTP hotfix. To see if you are vulnerable, check the file version for Ftpsvc.dll. Versions 0718 through 0722 are thought to be vulnerable, although Microsoft documentation is unclear as to whether the vulnerable versions start with 0718 or 0719. Version 0724 represents the version installed by the latest hotfix. The hotfix designed to correct this problem was not released in time for the upcoming NT 4.0 Service Pack 6. Service Pack 6 contains the "buggy" hotfix and will be vulnerable to this error when it is released. It will be necessary to install the corresponding hotfix after installing Service Pack 6, regardless of whether or not the Service Pack 5 installation was vulnerable

A buffer overflow in TenFour TFS Gateway SMTP mail server 3.2 allows an attacker to crash the mail server and possibly execute arbitrary code by offering more than 128 bytes in a MAIL FROM string. Tfs Gateway Smtp is prone to a denial-of-service vulnerability

Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers to inject 802.1q frames into another VLAN by forging the VLAN identifier in the trunking tag. The 802.1q standard is susceptible to issues that allow attackers to send and receive packets from one VLAN to another without authorization. By spoofing various Ethernet frame fields such as the source or destination MAC addresses, IP addresses, and VLAN tags, attackers may cause packets to traverse from one VLAN to another, and possibly back again. Attackers may also add multiple VLAN tags to packets to cause multiple routers to decapsulate the packets in unexpected ways, aiding the attacker in traversing VLANs. This issue allows attackers to traverse from one VLAN to another in an unauthorized fashion. As some users may utilize VLANs to segregate network segments containing differing security properties, this may have various consequences. This issue may be exacerbated by utilizing attacker-controlled external network hosts to bounce packets between VLANs

A non-default configuration in TenFour TFS Gateway 4.0 allows an attacker to cause a denial of service via messages with incorrect sender and recipient addresses, which causes the gateway to continuously try to return the message every 10 seconds. TFS Gateway 4.0, when configured in a specific non-default manner, is vulnerable to a remotely exploitable denial of service attack. If enough emails of sufficient size of this nature are sent it can lead to a degradation or denial of service. Vulnerabilities exist in non-default configurations in TenFour TFS Gateway version 4.0. The vulnerability caused the gateway to keep trying to return information every 10 seconds

A default configuration of CiscoSecure Access Control Server (ACS) allows remote users to modify the server database without authentication. Attackers can exploit this issue to perform unauthorized actions. This may aid in further attacks

Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers. Microsoft IIS and all other products that use the IIS web engine have a vulnerability whereby a flood of specially formed HTTP request headers will make IIS consume all available memory on the server and then hang