VARIoT IoT vulnerabilities database
VAR-200312-0365 | CVE-2003-1398 | Cisco IOS ICMP Redirect Routing Table Modification Vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Cisco IOS 12.0 through 12.2, when IP routing is disabled, accepts false ICMP redirect messages, which allows remote attackers to cause a denial of service (network routing modification). It has been reported that it is possible to make arbitrary remote modifications to the Cisco IOS routing table. ICMP redirect messages are normally sent to indicate inefficient routing, a new route or a routing change. An attacker may specify a default gateway on the local network that does not exist, thus denying service to the affected router for traffic destined to any location outside the local subnet. Internet Operating System (IOS) is an operating system used on CISCO routers. Another possibility is to advertise that the gateway is on a completely different subnet. If a device proxies ARP requests for this fake gateway, all communications destined for external subnets will be forwarded to the fake gateway. If no device acts as an ARP proxy for the fake gateway, the denial of service described in the first case results. A final possibility is for a malicious user to insert the IP address of the attacker's machine as the default gateway, which could lead to interception of all communications.
VAR-200312-0345 | CVE-2003-1442 | HM220dp ADSL modem WEB Management interface insecure vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The web administration page for the Ericsson HM220dp ADSL modem does not require authentication, which could allow remote attackers to gain access from the LAN side. This interface does not require any authentication in order to be accessed, and there is no option to enable an authentication requirement. The Ericsson HM220dp is an ADSL modem for small office environments.
VAR-200312-0394 | CVE-2003-1427 | Netgear FM114P Wireless Firewall File Disclosure Vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in the web configuration interface in Netgear FM114P 1.4 allows remote attackers to read arbitrary files, such as the netgear.cfg configuration file, via a hex-encoded (%2e%2e%2f) ../ (dot dot slash) in the port parameter. Netgear FM114P is a wireless network router that includes a firewall function.
Netgear FM114P wireless firewall lacks proper filtering of web requests submitted by users.
The Netgear FM114P's web configuration interface lacks sufficient filtering for user-submitted requests. Attackers can submit malicious URL requests to break out of the /upnp/service directory and gain unauthorized access to the router configuration files. The configuration files contain dial-up passwords, dynamic DNS configuration passwords, router configuration options, and so on. Attackers can use this information to conduct further attacks on the router. Netgear FM114P Wireless Firewalls allow directory traversal using escaped character sequences. It is possible for an unauthenticated user to retrieve the firewall's configuration file by escaping from the /upnp/service directory.
VAR-200312-0352 | CVE-2003-1449 | Aladdin Knowledge Systems eSafe OPSEC CVP Virus scanning can bypass the vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Aladdin Knowledge Systems eSafe Gateway 3.5.126.0 does not check the entire stream of Content Vectoring Protocol (CVP) data, which allows remote attackers to bypass virus protection. It has been reported that under some circumstances, eSafe Gateway does not properly scan messages in transit. This problem occurs when data is passed to eSafe via a Check Point OPSEC CVP compliant firewall. Because of this, malicious code may be able to circumvent the filters imposed by the software and enter or exit the network. This could lead to further compromise of network resources. A remote attacker can exploit this vulnerability to bypass virus filtering. When Check Point installed with Feature Pack 3 receives files larger than 2 MB, the scanning program becomes unstable during CVP inspection. For example, if an SMTP message exceeds 2 MB, FW-1 performs the following operations:
1. Put the message into the buffer pool.
2. Send the data to the CVP server.
3. Stop after sending 1 MB to nearly 2 MB of data.
4. Resume sending after 5 minutes.
5. The CVP server allows the data to be placed in spool\d_resend and enters a loop until the message is marked as expired.
VAR-200312-0367 | CVE-2003-1400 | PHP-Nuke Avatar HTML Injection Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the Your_Account module for PHP-Nuke 5.0 through 6.0 allows remote attackers to inject arbitrary web script or HTML via the user_avatar parameter. A problem with PHP-Nuke could allow remote users to execute arbitrary code in the context of the web site. The problem is in the lack of sanitization of some types of input.
PHP-Nuke does not sanitize code submitted to a site from the avatar select box. Due to this, a malicious user may be able to submit embedded code from their profile page instead of an avatar. This would result in code being executed in the location where a user's avatar should normally display. This code would be executed by a victim user's browser in the context of the site
VAR-200911-0271 | CVE-2009-2823 | Web servers enable HTTP TRACE method by default |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The Apache HTTP Server in Apple Mac OS X before 10.6.2 enables the HTTP TRACE method, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified web client software. The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. Attackers could leverage this behavior to access sensitive information, such as cookies or authentication data, contained in the HTTP headers of the request. The attacker may exploit this issue to steal cookie-based authentication credentials and carry out other attacks.
NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
This update provides a solution to this vulnerability.
Update:
The wrong package was uploaded for 2009.1. This update addresses
that problem.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2823
http://www.kb.cert.org/vuls/id/867593
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.1:
d20085bdf2db6c017ae2bbd1e66b95a3 2009.1/i586/apache-conf-2.2.11-5.1mdv2009.1.i586.rpm
528faefad6aa4272aa1f4eb028ffa738 2009.1/SRPMS/apache-conf-2.2.11-5.1mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
3621be7e9f192f73f0c0435891d5ee1e 2009.1/x86_64/apache-conf-2.2.11-5.1mdv2009.1.x86_64.rpm
528faefad6aa4272aa1f4eb028ffa738 2009.1/SRPMS/apache-conf-2.2.11-5.1mdv2009.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
Update:
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers
VAR-200511-0133 | CVE-2005-3398 | Sun Solaris Management Console HTTP TRACE Information Disclosure Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The default configuration of the web server for the Solaris Management Console (SMC) in Solaris 8, 9, and 10 enables the HTTP TRACE method, which could allow remote attackers to obtain sensitive information such as cookies and authentication data from HTTP headers. The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. According to RFC 2616, a web server that supports the TRACE method is exposed to a vulnerability in which cookie information set in the browser can be obtained. Authentication information derived from cookies set in the browser (Basic Authentication: contains base64-encoded user information) may be obtained. Sun Solaris Management Console is prone to an information-disclosure vulnerability. The attacker may exploit this issue along with other attacks, such as cross-site scripting, to steal cookie-based authentication credentials.
TITLE:
Sun Solaris HTTP TRACE Response Cross-Site Scripting Issue
SECUNIA ADVISORY ID:
SA17334
VERIFY ADVISORY:
http://secunia.com/advisories/17334/
CRITICAL:
Not critical
IMPACT:
Cross Site Scripting
WHERE:
From local network
OPERATING SYSTEM:
Sun Solaris 10
http://secunia.com/product/4813/
Sun Solaris 8
http://secunia.com/product/94/
Sun Solaris 9
http://secunia.com/product/95/
DESCRIPTION:
Sun has acknowledged a security issue in Solaris, which potentially
can be exploited by malicious people to conduct cross-site scripting
attacks. This
can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site when combined
with certain browser vulnerabilities. It is reportedly not possible
to disable the TRACE method.
The security issue has been reported in Solaris 8, 9 and 10 on both
SPARC and x86 platforms.
SOLUTION:
Apply patches when available.
The vendor recommends disabling the SMC as a workaround.
-- SPARC Platform --
Solaris 9:
Apply patch 116807-02 or later.
-- x86 Platform --
Solaris 9:
Apply patch 116808-02 or later.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102016-1
VAR-200301-0039 | No CVE | ZyXEL DSL Modem Default Remote Administrator Password Vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
ZyXEL DSL Modem is a broadband MODEM device developed and maintained by ZyXEL. The ZyXEL DSL Modem management interface has a pre-configured account that allows remote attackers to obtain sensitive information on the device. The ZyXEL DSL Modem has a default username and password: the user name is "root" and the password is "1234". With this account it is possible to log in to the modem's built-in FTP server and download data files containing sensitive information, such as spt.dat. That file contains the following information at the given offsets:
- 0x20 The root password in clear
- 0x40 SNMP Location
- 0x60 Device name
- 0x80 SNMP Sys Contact
- 0xac SNMP read community
- 0xcc SNMP read community
- 0xec SNMP read community
- 0x188 SUA Server IP address
- 0x1c54 First PPPoE Account config name (Default: ChangeMe)
- 0x1dde First PPPoE Username
- 0x1dfe First PPPoE Password
- 0x21dc Second PPPoE Account config name
An attacker can use this information to make changes and reconfigure the device. This default account information may also be present in other ZyXEL DSL Series Modems. It has been reported that the administration interface on some ZyXEL devices, including the 642 and 645 series, is remotely accessible and pre-set with a default username and password.
It is important to note that other ZyXEL devices may share this default account
VAR-200312-0489 | CVE-2003-1346 | D-Link DWL-900AP+ Firmware Upgrade Configuration Reset Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
D-Link wireless access point DWL-900AP+ 2.2, 2.3 and possibly 2.5 allows remote attackers to set factory default settings by upgrading the firmware using AirPlus Access Point Manager.
If the user has installed the D-Link AirPlus access point management program used for firmware upgrades, two panes appear when the program starts: the lower pane, "Aveliable AP", shows the AP running firmware version 2.5, and the upper pane, "Upgrage AP", lists the firmware versions available for upgrade. After selecting a version and clicking upgrade, the management program does not prompt for any password; it simply sends the new firmware to the AP via TFTP, and once the firmware is uploaded, the AP is returned to its default settings.
VAR-200312-0053 | CVE-2003-1250 | Efficient Networks DSL Router Remote Denial of Service Attack Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Efficient Networks 5861 DSL router, when running firmware 5.3.80 configured to block incoming TCP SYN packets, allows remote attackers to cause a denial of service (crash) via a flood of TCP SYN packets to the WAN interface using a port scanner such as nmap. A denial of service vulnerability has been reported for the Efficient Networks 5861 line of DSL routers.
The vulnerability can be triggered when the router is configured to block incoming TCP SYN flags and is subsequently portscanned.
An attacker can exploit this vulnerability by portscanning a vulnerable DSL router on its WAN interface. When this occurs the device will reportedly lock up and then restart after a period of time. The Efficient Networks DSL Router is a small ADSL router that offers features like firewall and VPN
VAR-200301-0038 | No CVE | Macromedia ColdFusion MX CFInclude and CFModule Mark Sandbox Security Check Bypass Vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Macromedia ColdFusion MX is an efficient web application server development environment with high ease of use and development efficiency, based on standard Java technology. It can be integrated with XML, Web Services, and the Microsoft .NET environment. ColdFusion MX does not properly handle cfinclude and cfmodule tags, and remote attackers can exploit this vulnerability to gain unauthorized access to system files. The <cfinclude> and <cfmodule> tags receive filenames using relative paths as arguments, and ColdFusion MX does not apply the Sandbox security file/directory permission checks when including files with these tags, so a malicious template that uses these tags can access unauthorized data. A vulnerability in the use of the cfinclude and cfmodule tags exists in ColdFusion MX. In environments that are sandboxed, it may be possible for a script to access files outside of the sandboxed directory. This could lead to unauthorized access to files on the host.
VAR-200301-0002 | CVE-2003-0001 | Multiple Vendors Network Device Driver Frame Filling Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. The network device driver pads packet data that is shorter than 46 bytes. The Ethernet standard (IEEE 802.3) defines a minimum data field length of 46 bytes. If a higher layer protocol such as IP provides less than 46 bytes, the device driver must pad the data segment to meet the minimum frame size specified by IEEE 802. The padding value is normally NULL bytes. However, many Ethernet device drivers do not implement the standard correctly: the data is padded without NULL bytes, and data from previously transmitted frames is reused as padding. Since the Ethernet frame buffer is allocated in kernel memory space, some sensitive system information can be obtained by analyzing this padding data. Some device drivers fail to pad adequately, leaving the data that was stored in the memory comprising the buffer prior to its use intact. Consequently, this data may be transmitted within frames across Ethernet segments.
Cisco has stated that the IOS 12.1 and 12.2 trains are not affected.
National Semiconductor Ethernet controller chips are not vulnerable to this issue.
This issue is described in CERT Vulnerability VU#412115 (see
http://www.kb.cert.org/vuls/id/412115 and
http://www.kb.cert.org/vuls/id/JPLA-5BGNYP).
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Solaris 2.6 without patch 105181-35
* Solaris 7 without patch 112604-02
* Solaris 8 without patch 112609-02
* Solaris 9 without patch 115172-01
Note: The Am7990 ("LANCE") Ethernet driver le(7D) is for SPARC
platforms only, thus x86 platforms are not affected.
This issue only occurs on SPARC systems that utilize the Am7990
("LANCE") Ethernet driver (le(7D)).
To determine if the Am7990 Ethernet driver is installed on your
system, run the following command:
$ ifconfig -a
le0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
inet 127.0.0.0 netmask ff000000
Any reference to "le0" would indicate an open Lance Ethernet (le)
interface.
3. Symptoms
There are no predictable symptoms that would show the described issue
has been exploited.
SOLUTION SUMMARY:
4. Relief/Workaround
There is no workaround for this issue. Please see "Resolution" section
below.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Solaris 2.6 with patch 105181-35 or later
* Solaris 7 with patch 112604-02 or later
* Solaris 8 with patch 112609-02 or later
* Solaris 9 with patch 115172-01 or later
Copyright 2000-2003 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
VAR-200312-0067 | CVE-2003-1264 | Longshine Wireless Access Point Device Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
TFTP server in Longshine Wireless Access Point (WAP) LCS-883R-AC-B, and in D-Link DI-614+ 2.0 which is based on it, allows remote attackers to obtain the WEP secret and gain administrator privileges by downloading the configuration file (config.img) and other files without authentication. The Longshine LCS-883R-AC-B device will allow tftp connections.
The configuration file contains sensitive information including the administrator password and WEP keys.
The D-Link DI-614+ product, reportedly based on the Longshine device, appears to be vulnerable to this issue; however, only some files were accessible.
VAR-200212-0385 | CVE-2002-1937 | Symantec Firewall/VPN Appliance Get administrator password vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Symantec Firewall/VPN Appliance 100 through 200R hardcodes the administrator's MAC address inside the firewall's configuration, which allows remote attackers to spoof the administrator's MAC address and perform an ARP poisoning man-in-the-middle attack to obtain the administrator's password. Firewall/VPN Appliance 200 is prone to a remote security vulnerability
VAR-200212-0270 | CVE-2002-1972 | Parallel port powerSwitch Unknown vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Unknown vulnerability in Parallel port powerSwitch (aka pp_powerSwitch) 0.1 does not properly enforce access controls, which allows local users to access arbitrary ports. Pp Powerswitch is prone to a local security vulnerability
VAR-200212-0082 | CVE-2002-2133 | Telindus ADSL Router Encryption mechanism is not strong vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Telindus 1100 ADSL router running firmware 6.0.x uses weak encryption for UDP session traffic, which allows remote attackers to gain unauthorized access by sniffing and decrypting the administrative password. A weakness has been discovered in the encryption algorithm used by Telindus ADSL routers. Due to the use of a weak algorithm, as well as various static values within an encrypted packet, it may be possible for a remote attacker to decipher sensitive router information.
By sniffing sensitive network traffic sent by the router, it may be possible for an attacker to deduce the administrator password.
It should be noted that this issue is partially derived from the vulnerability described in BID 4946. TELINDUS ADSL router can be used for ADSL network connection
VAR-200212-0721 | CVE-2002-2397 | Sygate personal firewall Firewall bypass vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Sygate personal firewall 5.0 could allow remote attackers to bypass firewall filters via spoofed (1) source IP address of 127.0.0.1 or (2) network address of 127.0.0.0. Sygate personal firewall 5.0 is vulnerable
VAR-200212-0882 | No CVE | SkyStream Edge Media Router-5000 Local Buffer Overflow Vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The SkyStream Edge Media Router-5000 (EMR5000) is a DVB multicast router product. The Edge Media Router comes with shell support for client access, allowing users to manage and configure the system through it. An overflow vulnerability exists in the user shell implementation that could be exploited by a remote attacker to escalate privileges. The shell program does not use the GNU readline library but implements its own dedicated shell control process, and there is a buffer overflow when reading and verifying user input. An attacker who has obtained shell access may use this vulnerability to execute arbitrary instructions and elevate their own permissions. It is possible to trigger this condition by supplying an overly long string from the command line of the client shell.
VAR-200212-0894 | No CVE | Axis Embedded Device Authentication Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Axis Network Cameras, Video Servers, and Network Digital Video Recorders contain an unchecked buffer in the authentication code of their embedded web server. Exploitation may result in a denial of service or potential execution of arbitrary code.
VAR-200212-0835 | CVE-2002-2208 | Cisco IOS EIGRP notice ARP Denial of service attack vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Extended Interior Gateway Routing Protocol (EIGRP), as implemented in Cisco IOS 11.3 through 12.2 and other products, allows remote attackers to cause a denial of service (flood) by sending a large number of spoofed EIGRP neighbor announcements, which results in an ARP storm on the local network. Internet Operating System (IOS) is the firmware developed and maintained by Cisco for Cisco Routers.
A system sending spoofed EIGRP announcements may cause a denial of service to all routers and systems on a given network segment. Due to improper limits in the attempt to discover routers, a neighbor announcement received by routers on a given network segment will result in an address resolution protocol (ARP) storm, filling network capacity while routers attempt to contact the announcing neighbor. Additionally, resources on the router such as CPU will also become bound while the router attempts to reach the announcing neighbor. It should be noted that it is also possible to exploit this vulnerability on systems that accept EIGRP announcements via unicast. Remote attackers can use this vulnerability to carry out denial of service attacks on routers and consume all bandwidth. EIGRP uses automatic discovery of neighbor routers for route discovery. An EIGRP router announces its existence by multicasting on enabled interfaces. If two routers discover each other, they exchange current topology information, and each side also needs to obtain the MAC address of the other router. When EIGRP neighbor advertisements are generated with random source IP addresses and flooded at a router or an entire network, every receiving Cisco router will try to contact the sender, provided the sender's IP address lies within a subnet of the router's current configuration. The flaw in Cisco IOS is that, when contacting the sender, the router keeps requesting the sender's MAC address with no timeout on this process, unless the EIGRP neighbor hold time expires. This value is supplied by the sender and can be as long as 18 hours. Multiple neighbor advertisements using non-existent source IP addresses can therefore cause the router to consume a large amount of CPU and bandwidth, resulting in a denial of service. Using IP multicast for the EIGRP announcements increases the effect.
Cisco IOS versions lower than 12.0 can receive EIGRP neighbor advertisements in unicast mode, making attacks over the Internet possible.
Arhont Ltd. - Information Security
Arhont Advisory by: Arhont Ltd
Advisory: Unauthenticated EIGRP DoS
Class: design bug
Version: EIGRP version 1.2
Model Specific: Other versions might have the same bug
DETAILS:
We have used our custom EIGRP packet generator written on Perl to
evaluate the security of the EIGRP routing protocol.
In the initial generator testing stage we have successfully reproduced
the known DoS against EIGRP discovered by FX and described
at http://www.securityfocus.com/bid/6443. This attack is canned in the
generator using the --hellodos flag. The testing network was
completely brought down due to the ARP storm.
Moving further, we have discovered a novel selective single peer -
directed DoS attack employing the EIGRP "Goodbye Message". A goodbye
message is sent when an EIGRP routing process is shutting down to tell
the neighbors about the impending topology change to speed up the
convergence. This feature is supported in Cisco IOS Releases later than
12.3(2), 12.3(3)B, and 12.3(2)T. A spoofed "goodbye message" can
be sent to a peer claiming that its neighbor is down, thus breaking the
neighborhood:
arhontus #/eigrp.pl --ipgoodbye 192.168.66.202 --as 65534 --source
192.168.66.191
469573: Aug 16 2005 03:08:11.773 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.111 (Ethernet0/0) is up: new adjacency
c2611#sh ip eigrp neigh
IP-EIGRP neighbors for process 65534
H   Address         Interface   Hold   Uptime    SRTT  RTO   Q    Seq
                                (sec)            (ms)        Cnt  Num
2   192.168.66.111  Et0/0       13     00:01:08  1     5000  1    0
0   192.168.30.191  Se0/0       12     00:05:06  1     4500  0    198
1   192.168.66.191  Et0/0       13     00:05:14  201   1206  0    199
469574: Aug 16 2005 03:09:31.299 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.111 (Ethernet0/0) is down: retry limit exceeded
c2611#
469575: Aug 16 2005 03:09:32.818 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.111 (Ethernet0/0) is up: new adjacency
c2611#
469576: Aug 16 2005 03:09:56.277 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#
469577: Aug 16 2005 03:09:59.283 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469578: Aug 16 2005 03:09:59.868 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.191 (Ethernet0/0) is up: new adjacency
c2611#
469579: Aug 16 2005 03:10:02.288 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#
469580: Aug 16 2005 03:10:04.676 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.191 (Ethernet0/0) is up: new adjacency
469581: Aug 16 2005 03:10:05.289 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#
469582: Aug 16 2005 03:10:08.290 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#sh ip eigrp neigh
IP-EIGRP neighbors for process 65534
H   Address         Interface   Hold   Uptime    SRTT  RTO   Q    Seq
                                (sec)            (ms)        Cnt  Num
0   192.168.30.191  Se0/0       14     00:09:50  1     4500  0    286
This selective neighborhood breaking can be used for other purposes than
DoS. Re-initiating the EIGRP handshake helps a sniffing attacker to find
information about the EIGRP routing domain topology. Possessing such
information, a skilled attacker can selectively break the neighborhood
to redirect traffic the way he wants.
Of course, on an unprotected EIGRP domain there is a much simpler way of
traffic redirection, which is either directly injecting the routes using
our packet generator or establishing a fake neighbourhood and supplying
metric parameters to the legitimate peers, which would lead DUAL to
favor the fake neighbor.
Risk Factor: Medium
Workarounds: Always use EIGRP MD5-based authentication.
Communication History: sent to PSIRT on 10/10/05
*According to the Arhont Ltd. policy, all of the found vulnerabilities
and security issues will be reported to the manufacturer at least 7 days
before releasing them to the public domains (such as CERT and BUGTRAQ).
If you would like to get more information about this issue, please do
not hesitate to contact Arhont team.*