VARIoT IoT vulnerabilities database
VAR-200207-0061 | CVE-2002-0676 | MacOS X SoftwareUpdate Any package installation vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SoftwareUpdate for MacOS 10.1.x does not use authentication when downloading a software update, which could allow remote attackers to execute arbitrary code by posing as the Apple update server via techniques such as DNS spoofing or cache poisoning, and supplying Trojan Horse updates. A vulnerability has been reported for MacOS X where an attacker may use SoftwareUpdate to install malicious software on the vulnerable system. SoftwareUpdate uses HTTP, without any authentication, to obtain updates from Apple. Any updated packages are installed on the system as the root user.
In order to exploit this vulnerability, the attacker must control the machine located at swquery.apple.com, from the perspective of the vulnerable client. It may be possible to create this condition through some known techniques, including DNS cache poisoning and DNS spoofing.
VAR-200312-0020 | CVE-2003-1320 | Multiple vendors' Internet Key Exchange (IKE) implementations do not properly handle IKE response packets |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
SonicWALL firmware before 6.4.0.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted Internet Key Exchange (IKE) response packets, possibly including (1) a large Security Parameter Index (SPI) field, (2) a large number of payloads, or (3) a long payload. Internet Key Exchange (IKE) implementations from several vendors contain buffer overflows and denial-of-service conditions. The buffer overflow vulnerabilities could permit an attacker to execute arbitrary code on a vulnerable system. SonicWALL Firmware is prone to a denial-of-service vulnerability. This is reported to cause the daemon to crash.
This issue may be related to the multiple IKE implementation vulnerabilities described in CERT/CC Vulnerability Note VU#287771.
Other vendor products are reported to be affected by similar issues. There are currently not enough details available to determine if PGPFreeware is affected by any of these specific issues.
This issue was reported in PGPFreeware 7.03 running on Windows NT 4.0 SP6. The Cisco VPN Client is prone to a remotely exploitable buffer overflow condition. It is possible to trigger this condition by sending malformed IKE packets to the client. The overflow occurs when the Security Parameter Index payload of the IKE packet is longer than 16 bytes in length. It is possible that exploitation of this vulnerability may affect availability of the client, resulting in a denial of service condition.
This issue is reported to be exploitable when the client software is operating in Aggressive Mode during a phase 1 IKE exchange.
This vulnerability affects versions of the client on all platforms.
When vulnerable clients receive a specific IKE packet with a zero-length payload, the VPN client will consume all available processor time. Previous versions of SonicWALL firmware were vulnerable.
VAR-200209-0033 | CVE-2002-0853 | Multiple vendors' Internet Key Exchange (IKE) implementations do not properly handle IKE response packets |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Virtual Private Network (VPN) Client 3.5.4 and earlier allows remote attackers to cause a denial of service (CPU consumption) via a packet with a zero-length payload. Internet Key Exchange (IKE) implementations from several vendors contain buffer overflows and denial-of-service conditions. The buffer overflow vulnerabilities could permit an attacker to execute arbitrary code on a vulnerable system. This is reported to cause the daemon to crash.
This issue may be related to the multiple IKE implementation vulnerabilities described in CERT/CC Vulnerability Note VU#287771.
Other vendor products are reported to be affected by similar issues. There are currently not enough details available to determine if PGPFreeware is affected by any of these specific issues.
This issue was reported in PGPFreeware 7.03 running on Windows NT 4.0 SP6. The Cisco VPN Client is prone to a remotely exploitable buffer overflow condition. It is possible to trigger this condition by sending malformed IKE packets to the client. The overflow occurs when the Security Parameter Index payload of the IKE packet is longer than 16 bytes in length. It is possible that exploitation of this vulnerability may affect availability of the client, resulting in a denial of service condition.
This issue is reported to be exploitable when the client software is operating in Aggressive Mode during a phase 1 IKE exchange.
This vulnerability affects versions of the client on all platforms.
When vulnerable clients receive a specific IKE packet with a zero-length payload, the VPN client will consume all available processor time. The Cisco bug ID for these vulnerabilities is CSCdy26045.
VAR-200212-0850 | CVE-2002-2223 | Multiple vendors' Internet Key Exchange (IKE) implementations do not properly handle IKE response packets |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Buffer overflow in NetScreen-Remote 8.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted Internet Key Exchange (IKE) response packets, possibly including (1) a large Security Parameter Index (SPI) field, (2) large number of payloads, or (3) a long payload. Internet Key Exchange (IKE) implementations from several vendors contain buffer overflows and denial-of-service conditions. The buffer overflow vulnerabilities could permit an attacker to execute arbitrary code on a vulnerable system. This is reported to cause the daemon to crash.
This issue may be related to the multiple IKE implementation vulnerabilities described in CERT/CC Vulnerability Note VU#287771.
Other vendor products are reported to be affected by similar issues. There are currently not enough details available to determine if PGPFreeware is affected by any of these specific issues.
This issue was reported in PGPFreeware 7.03 running on Windows NT 4.0 SP6. The Cisco VPN Client is prone to a remotely exploitable buffer overflow condition. It is possible to trigger this condition by sending malformed IKE packets to the client. The overflow occurs when the Security Parameter Index payload of the IKE packet is longer than 16 bytes in length. It is possible that exploitation of this vulnerability may affect availability of the client, resulting in a denial of service condition.
This issue is reported to be exploitable when the client software is operating in Aggressive Mode during a phase 1 IKE exchange.
This vulnerability affects versions of the client on all platforms.
When vulnerable clients receive a specific IKE packet with a zero-length payload, the VPN client will consume all available processor time. Link: http://www.netscreen.com/support/alerts/9_6_02.htm
VAR-200210-0084 | CVE-2002-0952 | Sun Solaris rcp Command Line Parameter Local Buffer Overflow Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco ONS15454 optical transport platform running ONS 3.1.0 to 3.2.0 allows remote attackers to cause a denial of service (reset) by sending IP packets with non-zero Type of Service (TOS) bits to the Timing Control Card (TCC) LAN interface. The ONS15454 is an optical network platform manufactured and distributed by Cisco.
Under some circumstances, it may be possible to stop the ONS15454 from handling traffic. The receipt of this type of packet via the TCC interface causes the reset of the TCC interface. Solaris 9 is a UNIX operating system developed by Sun, which includes the rcp program for remote copying between hosts. The rcp program does not perform correct boundary checks when processing parameter data submitted by users. Local attackers can exploit this vulnerability to carry out buffer overflow attacks. rcp mishandles overly long command-line parameters: if a user supplies a file name exceeding 10,000 bytes as the destination host name and destination file name parameters when rcp executes, a buffer overflow may occur. Because rcp is installed setuid root, carefully constructed parameter data may allow an attacker to execute arbitrary instructions on the system with root privileges.
VAR-200212-0581 | CVE-2002-1706 | Cable Modem Termination System vulnerability in which configuration files with invalid parameters are applied |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Cisco IOS software 11.3 through 12.2 running on Cisco uBR7200 and uBR7100 series Universal Broadband Routers allows remote attackers to modify Data Over Cable Service Interface Specification (DOCSIS) settings via a DOCSIS file without a Message Integrity Check (MIC) signature, which is approved by the router. Due to a deficiency in the CMTS running on Cisco IOS, the Cisco uBR7100 and uBR7200 contain a vulnerability in which a configuration file with invalid parameters is applied. Cisco uBR7100 and uBR7200 may apply a configuration file with invalid parameters. A vulnerability has been announced which affects Cisco uBR7200 series and uBR7100 series Universal Broadband Routers under some versions of IOS.
Invalid DOCSIS files without an MIC signature may be accepted by a vulnerable router, even if MIC signatures are required. Exploitation of this vulnerability may allow arbitrary configuration files to be accepted by the network. Even if the router configuration requires MIC signatures on received files, the router may incorrectly accept an illegal DOCSIS configuration file, which an attacker may exploit to reconfigure the router, remove bandwidth restrictions, and perform other unauthorized operations.
VAR-200212-0249 | CVE-2002-2020 | NetGear RP114 management access via external interface vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Netgear RP114 Cable/DSL Web Safe Router Firmware 3.26 uses a default administrator password and accepts admin logins on the external interface, which allows remote attackers to gain privileges if the password is not changed. The NetGear RP114 router provides management access via TELNET and HTTP.
The NetGear RP114 router has a vulnerability in how it restricts access to the management interface. A remote attacker could use this vulnerability to reach the management interface services from the external interface.
The NetGear RP114 router uses the IP address 192.168.0.1 as its local access address, and access to the management tools is supposed to be restricted to that address. However, the router accepts all communications from any IP address in the 192.168.x.x range. A user who holds the authentication credentials can therefore reach the management tool from the external interface to reconfigure the device or carry out other illegal activity such as denial-of-service attacks.
VAR-200212-0577 | CVE-2002-1702 | PHP Classifieds Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting vulnerability (XSS) in DeltaScripts PHP Classifieds 6.0.5 allows remote attackers to execute arbitrary script as other users via the URL parameter. PHP Classifieds is a web-based directory classification program written in PHP.
PHP Classifieds lacks proper and sufficient filtering of the parameters submitted by users. An attacker can build a link whose URL parameter contains malicious code. When a user views this link, the embedded script code executes in the user's browser, which can lead to the leakage of cookie-based authentication information.
VAR-200210-0161 | CVE-2002-0938 | Cisco Secure ACS Cross-site Scripting Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cross-site scripting vulnerability in CiscoSecure ACS 3.0 allows remote attackers to execute arbitrary script or HTML as other web users via the action argument in a link to setup.exe. Cisco Secure ACS is an access control and accounting server system. It is distributed and maintained by Cisco, and this vulnerability affects implementations on the Microsoft Windows NT platform. When such a link is visited, the attacker-supplied HTML or script code could be executed in the browser of a user, provided the user has authenticated to the Secure ACS server. The setup.exe program lacks correct input verification for the data submitted by the user in the "action" parameter. Attackers can submit data containing malicious script code in the "action" parameter.
VAR-200212-0041 | CVE-2002-2159 | LinkSys EtherFast Router Remote Management Activation Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Linksys EtherFast Cable/DSL BEFSR11, BEFSR41 and BEFSRU31 with the firmware 1.42.7 upgrade installed opens TCP port 5678 for remote administration even when the "Block WAN" and "Remote Admin" options are disabled, which allows remote attackers to gain access. The Linksys EtherFast router is a small four-port router designed to optimize the use of DSL or cable connections.
This vulnerability is not present in other versions of the firmware. The EtherFast BEFSRU31 router is prone to a remote security vulnerability through which a remote attacker gains access.
VAR-200304-0101 | CVE-2002-1431 | Belkin F5D5230-4 Internal Web Traffic Origin Obfuscation Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Belkin F5D5230-4 4-Port Cable/DSL Gateway Router 1.20.000 modifies the source IP address of internal packets to that of the router's external interface when forwarding a request from an internal host to an internal web server, which allows remote attackers to hide which host is being used to access the web server. The Belkin F5D5230-4 4-Port Cable/DSL Gateway Router is a hardware router for a home or small office.
When a request for a service that has been remapped to the internal network is made via the WAN interface, and the origin is the internal network, the router reacts unpredictably. The origin address is rewritten as the IP address of the external interface by the device before being passed to the internal network. Upon receiving a request of this nature, the device will rewrite all future requests for services mapped to the WAN network, reporting their origin as that of the WAN interface.
This is known to be an issue for requests for port 80, if port 80 has been remapped to a host within the internal network. This may potentially be exploited to obscure the origin of attacks against a webserver in the internal network.
VAR-200210-0206 | CVE-2002-1051 | TrACESroute Format string vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Format string vulnerability in TrACESroute 6.0 GOLD (aka NANOG traceroute) allows local users to execute arbitrary code via the -T (terminator) command line argument. A format string vulnerability exists in TrACESroute. The problem exists in the terminator (-T) function of the program. Due to improper use of the fprintf function, an attacker may be able to supply a malicious format string to the program that results in writing of attacker-supplied values to arbitrary locations in memory.
VAR-200212-0439 | CVE-2002-1768 | Cisco IOS Rogue HSRP Packet Denial of Service (DoS) Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS 11.1 through 12.2, when HSRP support is not enabled, allows remote attackers to cause a denial of service (CPU consumption) via randomly sized UDP packets to the Hot Standby Routing Protocol (HSRP) port 1985. A router running Cisco IOS contains a vulnerability that allows a denial-of-service (DoS) condition to be caused by sending randomly sized UDP packets. A router running Cisco IOS may be placed in a denial-of-service (DoS) state. IOS is the Internet Operating System, used on Cisco routers. It is distributed and maintained by Cisco. Hot Standby Routing Protocol (HSRP) is a protocol used to allow multiple routers to dynamically act as backups in the event of router failure. HSRP traffic takes place over UDP port 1985.
A vulnerability has been reported with some Cisco products. If malformed HSRP traffic is received when HSRP support is not enabled, vulnerable products may reach high CPU utilization. Under these conditions, the router may fail to respond to additional network traffic, resulting in degraded performance and a denial of service condition. When the HSRP UDP port 1985 is open in the Cisco router configuration but HSRP is not configured, an attacker can submit random data to this port; the router processes this random data, resulting in increased CPU utilization and slower response, but this does not cause a reboot.
VAR-200212-0119 | CVE-2002-2052 | Cisco IOS 12.1 Wide-Range TCP Scan Handling Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco 2611 router running IOS 12.1(6.5), possibly an interim release, allows remote attackers to cause a denial of service via port scans such as (1) scanning all ports on a single host and (2) scanning a network of hosts for a single open port through the router. NOTE: the vendor could not reproduce this issue, saying that the original reporter was using an interim release of the software. IOS is the Internet Operating System, used on Cisco routers. It is distributed and maintained by Cisco.
This vulnerability has been reported to exist on a Cisco 2611 router running IOS 12.1(6.5). Cisco has reported that they are unable to reproduce this problem. It is possible that this issue is the result of a configuration error or site-specific conditions. In testing by Cisco technicians the problem did not occur, which suggests it may depend on a specific configuration.
VAR-200212-0120 | CVE-2002-2053 | Cisco Spoofed HSRP Loop Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The design of the Hot Standby Routing Protocol (HSRP), as implemented on Cisco IOS 12.1, when using IRPAS, allows remote attackers to cause a denial of service (CPU consumption) via a router with the same IP address as the interface on which HSRP is running, which causes a loop. IOS is the Internet Operating System, used on Cisco routers. It is distributed and maintained by Cisco. Hot Standby Routing Protocol (HSRP) is a protocol used to allow multiple routers to dynamically act as backups in the event of router failure. HSRP traffic takes place over UDP port 1985.
A vulnerability has been reported in some versions of IOS. It may be possible for maliciously constructed HSRP traffic to create a loop condition, resulting in a denial of service attack.
It has been reported possible to cause this condition in version 12.1 of IOS. Other versions of IOS may share this vulnerability; however, this has not been confirmed. This issue has been assigned Cisco Bug ID CSCdu38323. The HSRP protocol itself has design problems, which can lead to denial of service attacks by attackers on the local network. The HSRP protocol has no strict security verification mechanism, and router communication on the network is not checked correctly. An attacker can set the loop interface address on the active router; when the virtual router is advertised through HSRP, the loop interface is used directly, resulting in a denial of service. This attack can only work on the local network because most routers do not forward traffic sent to the all-routers multicast address (224.0.0.2).
VAR-200210-0081 | CVE-2002-0949 | Telindus 1100 ADSL Router Administrator Password Disclosure Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Telindus 1100 series ADSL router allows remote attackers to gain privileges to the device via a certain packet to UDP port 9833, which generates a reply that includes the router's password and other sensitive information in cleartext. The 1100 series routers are a broadband connectivity solution distributed by Telindus.
Under some circumstances, a vulnerable Telindus router may leak sensitive information. When an attempt to connect to the router is made using the administrative software, the router sends the password to the client in plain text. This packet is sent via UDP.
The vendor has released firmware version 6.0.27, dated July 2002. Reports suggest that this firmware does not adequately protect against this vulnerability. The firmware is reported to use an encrypted UDP packet when connecting to the router. However, the firmware uses a weak encryption scheme and thus it is easily circumvented by an attacker. A design vulnerability in the Telindus 1100 series routers could allow a remote attacker to obtain administrator password information. Telindus 1100 series routers provide management software, which can be downloaded free of charge from the Telindus website and used to manage the routers remotely.
VAR-200212-0116 | CVE-2002-2049 | Fragroute/Dsniff/Fragrouter Configuration script Trojan vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
configure for Dsniff 2.3, fragroute 1.2, and fragrouter 1.6, when downloaded from monkey.org on May 17, 2002, has been modified to contain a backdoor, which allows remote attackers to access the system. The server hosting fragroute, fragrouter, and dsniff, www.monkey.org, was compromised recently. It has been reported that the intruder made modifications to the source code of fragroute, fragrouter and dsniff to include a backdoor. This backdoor allowed a user from the IP address 216.80.99.202 to remotely execute commands on the host that it was installed on. The source code is reported to have been corrupted on May 17, 2002. Downloads of the source from monkey.org during this time likely contain the trojan code.
A confirmed MD5 sum of a contaminated archive is:
65edbfc51f8070517f14ceeb8f721075
If a fragroute install was based on an archive with this MD5 sum, it is likely that the backdoor code was executed. It is possible for other backdoored archives to have different MD5 sums. If it is believed that a trojan horse copy of fragroute has been installed, administrators should remove systems from the network and thoroughly inspect/clean the system.
As of this writing (05-31-2002), the current version available from monkey.org has the following MD5 sum:
7e4de763fae35a50e871bdcd1ac8e23a
It is believed that this version is clean. Caution should still be exercised when building and installing. The configure scripts of Dsniff 2.3, fragroute 1.2, and fragrouter 1.6 are affected.
VAR-200205-0150 | CVE-2002-1447 | Cisco VPN Client for Unix Local Buffer Overflow Vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Buffer overflow in the vpnclient program for UNIX VPN Client before 3.5.2 allows local users to gain administrative privileges via a long profile name in a connect argument. The Cisco VPN Client software is used to establish Virtual Private Network (VPN) connections between client machines and a Cisco VPN Concentrator.
A vulnerability has been reported in some versions of the VPN Client. If an oversized profile name is passed to the vpnclient binary, a buffer overflow condition may occur. As vpnclient runs suid root, exploitation of this vulnerability will grant a local attacker root access to the vulnerable system.
This vulnerability affects the VPN Client version 3.5.1 for Linux, Solaris and Mac OS X. Windows clients are not believed to be vulnerable. Earlier versions of the VPN Client may share this vulnerability, although this has not been confirmed. The Cisco VPN client is installed with the suid root attribute by default, and the program lacks correct and sufficient checks on the data submitted by the user in the "connect" parameter. An attacker can submit a very long file name (over 520 bytes) in the "connect" parameter to cause a buffer overflow, and carefully constructed file name data may allow arbitrary commands to be executed on the system with root privileges.
VAR-200212-0282 | CVE-2002-1851 | Ipswitch WS_FTP Pro Remote buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in WS_FTP Pro 7.5 allows remote attackers to execute code on a client system via unknown attack vectors. Ipswitch WS_FTP Pro is an FTP client for Microsoft Windows systems. A buffer overflow condition has been reported in WS_FTP Pro. Precise details are not currently available; however, it is believed that it may be exploitable by a malicious server. Ipswitch WS_FTP Pro lacks correct checks on the responses returned by the server, which can allow a remote attacker to forge server responses and cause a denial of service. NGS Software will publish full technical details after Ipswitch provides a patch.
VAR-200210-0192 | CVE-2002-0891 | NetScreen ScreenOS Remote restart vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web interface (WebUI) of NetScreen ScreenOS before 2.6.1r8, and certain 2.8.x and 3.0.x versions before 3.0.3r1, allows remote attackers to cause a denial of service (crash) via a long user name.
This condition may be the result of an unchecked buffer, which may potentially allow the attacker to execute arbitrary code. This possibility has not been confirmed. NetScreen is a firewall security solution that enables wire-speed packet processing.