VARIoT IoT vulnerabilities database

Cross-site scripting (XSS) vulnerability in the Server component in CA Host-Based Intrusion Prevention System (HIPS) before 8.0.0.93 allows remote attackers to inject arbitrary web script or HTML via requests that are written to logs for later display in the log viewer. Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible. This issue affects versions of CA HIPS prior to 8.0.0.93. CA-based host intrusion detection system (HIPS) combines independent firewall, intrusion detection and defense capabilities to provide active centralized threat defense. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. Input passed in certain requests to the server is not properly sanitised before being logged. The vulnerability is reported in versions prior to 8.0.0.93. SOLUTION: Apply patches. http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO91494 PROVIDED AND/OR DISCOVERED BY: The vendor credits David Maciejak. ORIGINAL ADVISORY: http://supportconnectw.ca.com/public/cahips/infodocs/cahips-secnotice.asp ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Title: [CAID 35754]: CA Host-Based Intrusion Prevention System (CA HIPS) Server Vulnerability CA Vuln ID (CAID): 35754 CA Advisory Date: 2007-10-18 Reported By: David Maciejak Impact: A remote attacker can take unauthorized administrative action. The vulnerability, CVE-2007-5472, occurs due to raw request data being displayed in the log when viewed by a browser. Note: The client installation is not vulnerable. Mitigating Factors: The client installation is not vulnerable. Severity: CA has given these vulnerabilities a maximum risk rating of Medium. Affected Products: CA Host-Based Intrusion Prevention System (CA HIPS) r8 Affected Platforms: Windows Status and Recommendation: CA has issued the following patch to address the vulnerabilities. CA Host-Based Intrusion Prevention System (CA HIPS) r8: QO91494 How to determine if you are affected: 1. Log in to the HIPS Administration Console. 2. Scroll down to the end of the Main page. 3. Press the "About" link on the right bottom side of the page. 4. Check the version. If the version is less than 8.0.0.93, the installation is vulnerable. Workaround: None References (URLs may wrap): CA SupportConnect: http://supportconnect.ca.com/ Security Notice for CA Host-Based Intrusion Prevention System (CA HIPS) Server http://supportconnectw.ca.com/public/cahips/infodocs/cahips-secnotice.asp Solution Document Reference APARs: QO91494 CA Security Advisor posting: CA Host-Based Intrusion Prevention System (CA HIPS) Server Vulnerability http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=158327 CA Vuln ID (CAID): 35754 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35754 Reported By: David Maciejak CVE References: CVE-2007-5472 - log content injection http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5472 OSVDB References: Pending http://osvdb.org/ Changelog for this advisory: v1.0 - Initial Release Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com. For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com. If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form. URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx Regards, Ken Williams ; 0xE2941985 Director, CA Vulnerability Research CA, 1 CA Plaza, Islandia, NY 11749 Contact http://www.ca.com/us/contact/ Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2007 CA. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.3 (Build 5003) wj8DBQFHGLWAeSWR3+KUGYURAlHTAJ9Wee7boFMoFj8p/dsrJl7YbkWmvQCbBeJ0 YlGWH5DdYWfAT3nGzaxImnk= =bkku -----END PGP SIGNATURE-----

Cross-site scripting (XSS) vulnerability in Cisco IOS allows remote attackers to inject arbitrary web script or HTML, and execute IOS commands, via unspecified vectors, aka PSIRT-2022590358. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes. IOS is prone to a cross-site scripting vulnerability

Multiple stack-based buffer overflows in Command EXEC in Cisco IOS allow local users to gain privileges via unspecified vectors, aka (1) PSIRT-0474975756 and (2) PSIRT-0388256465. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes. Local users can gain privileges with the help of unknown vectors, also known as (1) PSIRT-0474975756 and (2) PSIRT-0388256465

Unspecified vulnerability in Command EXEC in Cisco IOS allows local users to bypass command restrictions and obtain sensitive information via an unspecified "variation of an IOS command" involving "two different methods", aka CSCsk16129. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes. There is an unknown vulnerability in Command EXEC of isco IOS

Unspecified vulnerability in Cisco IOS allows remote attackers to obtain the IOS version via unspecified vectors involving a "common network service", aka PSIRT-1255024833. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes. Cisco IOS Is IOS There is a vulnerability for obtaining version information.By a third party IOS Version information may be obtained. IOS is prone to a remote security vulnerability

Off-by-one error in Cisco IOS allows remote attackers to execute arbitrary code via unspecified vectors that trigger a heap-based buffer overflow. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes. There is an Off-by-one bug in Cisco IOS releases

Integer overflow in Cisco IOS allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes

Heap-based buffer overflow in the Juniper HTTP Service allows remote attackers to execute arbitrary code via a crafted HTTP packet. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes

Cisco PIX and ASA appliances with 7.1 and 7.2 software, when configured for TLS sessions to the device, allow remote attackers to cause a denial of service (device reload) via a crafted TLS packet, aka CSCsg43276 and CSCsh97120. (CSCsg43276 and CSCsh97120)Device restarted by third party, denial of service (DoS) There is a possibility of being put into a state. An attacker can exploit these issues to cause the affected devices to reload, denying service to legitimate users. Repeat attacks will result in a prolonged denial-of-service condition. PIX is a firewall device that provides policy enforcement, multi-vector attack protection and secure connection services for users and applications; Adaptive Security Appliance (ASA) is a modular platform that provides security and VPN services. PIX and ASA security appliances rely on TLS to protect the confidentiality of communications in all situations. This vulnerability is only possible with clientless WebVPN connections, HTTPS management sessions, pass-through proxies for web access, and TLS proxies for encrypted voice inspection. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. 1) An unspecified error exists within the handling of Transport Layer Security (TLS) packets. This can be exploited to reload an affected device by sending specially crafted TLS packets. 2) An unspecified error exists within the handling of Media Gateway Control Protocol (MGCP) packets. This can be exploited to reload an affected device by sending specially crafted MGCP packets. Successful exploitation of this vulnerability requires that the MGCP application layer protocol inspection is enabled (disabled by default). SOLUTION: Apply updates (please see the vendor's advisory for details). PIX: http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2 ASA: http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20071017-asa.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Firewall Services Module (FWSM) 3.1(6), and 3.2(2) and earlier, does not properly enforce edited ACLs, which might allow remote attackers to bypass intended restrictions on network traffic, aka CSCsj52536. Three vulnerabilities were reported in total: 1. Specially crafted HTTPS may cause the FWSM to reload. If exploited repeatedly, this could cause a persistent denial of service. 2. Specially crafted MGCP packets may cause the FWSM to reload. If exploited repeatedly, this could cause a persistent denial of service. 3. Manipulating Access Control Entries (ACE) in the ACL via the command line or ASDM (Adaptive Security Device Manager) may inadvertently cause them to not be evaluated. This will corrupt ACLs. Cisco FWSM is a firewall service module on Cisco equipment. ACLs can be controlled through the command line interface or ASDM, including removing and re-adding ACEs. If the access list is controlled in this way, the internal structure of the ACL will be broken, causing FWSM to not evaluate some ACEs. Because the ACEs in the ACL are not evaluated, the ACL may allow traffic that would normally be denied, or deny traffic that would normally be allowed. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. Request your account, the Secunia Network Software Inspector (NSI): http://secunia.com/network_software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco FWSM HTTPS/MGCP Packet Processing Denial of Service SECUNIA ADVISORY ID: SA27236 VERIFY ADVISORY: http://secunia.com/advisories/27236/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote SOFTWARE: Cisco Firewall Services Module (FWSM) 3.x http://secunia.com/product/8614/ DESCRIPTION: Cisco has acknowledged some vulnerabilities in Cisco Firewall Services Module (FWSM), which can be exploited by malicious people to cause a DoS (Denial of Service). 1) An unspecified error exists within the handling of HTTPS packets. Successful exploitation requires that the HTTPS server is enabled (disabled by default). 2) An unspecified error exists within the handling of Media Gateway Control Protocol (MGCP) packets. Successful exploitation requires that the MGCP application layer protocol inspection is enabled (disabled by default). NOTE: An error when loading manipulated ACLs (Access Control Lists) is also reported. SOLUTION: Update to a fixed version (please see vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20071017-fwsm.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Unified Communications Manager (CUCM, formerly CallManager) 5.1 before 5.1(2), and Unified CallManager 5.0, allow remote attackers to cause a denial of service (kernel panic) via a flood of SIP INVITE messages to UDP port 5060, which triggers resource exhaustion, aka CSCsi75822. Cisco Unified Communications Manager is prone to a denial-of-service vulnerability and a buffer-overflow vulnerability. Successfully exploiting these issues allows remote attackers to crash affected devices by triggering kernel panics or to execute arbitrary machine code. These issues facilitate the complete remote compromise of affected devices. Versions of Cisco Unified Communications Manager in the 5 and 6 series prior to 6.0(1) are affected by these issues. A denial of service vulnerability exists in the CUCM Session Initiation Protocol (SIP) stack

Buffer overflow in the Centralized TFTP File Locator Service in Cisco Unified Communications Manager (CUCM, formerly CallManager) 5.1 before 5.1(3), and Unified CallManager 5.0, allows remote attackers to execute arbitrary code or cause a denial of service via unspecified vectors involving the processing of filenames, aka CSCsh47712. Cisco Unified Communications Manager is prone to a denial-of-service vulnerability and a buffer-overflow vulnerability. Successfully exploiting these issues allows remote attackers to crash affected devices by triggering kernel panics or to execute arbitrary machine code. These issues facilitate the complete remote compromise of affected devices. Versions of Cisco Unified Communications Manager in the 5 and 6 series prior to 6.0(1) are affected by these issues

Unspecified vulnerability in Cisco Unified Intelligent Contact Management Enterprise (ICME), Unified ICM Hosted (ICMH), Unified Contact Center Enterprise (UCCE), Unified Contact Center Hosted (UCCH), and System Unified Contact Center Enterprise (SUCCE) 7.1(5) allows remote authenticated users to gain privileges, and read reports or change the SUCCE configuration, via certain web interfaces, aka CSCsj55686. Cisco Unified Communications Management Applications are prone to a privilege-escalation vulnerability. Attackers can exploit this issue to gain unauthorized access to the web-based reporting and script-monitoring tool and the web-based configuration tool. Attackers can gain access to potentially sensitive information and change the application configuration (including application rights). Information harvested may aid in further attacks. Vulnerabilities in the Cisco Unified ICME, Unified ICMH, UCCE, UCCH, and SUCCE Web Administration components in CUCM products allow users defined in any Windows Active Directory domain to gain unauthorized privilege levels, which allows Windows Active Directory users to view arbitrary calls Central Web View report information. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. The vulnerability is caused due to an unspecified error and can be exploited by Windows Active Directory users to e.g. http://tools.cisco.com/support/downloads/go/MDFTree.x?butype=cc PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. CHANGELOG: 2007-10-18: Added CVE reference. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20071017-IPCC.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Firewall Services Module (FWSM) 3.2(1), and 3.1(5) and earlier, allows remote attackers to cause a denial of service (device reload) via a crafted HTTPS request, aka CSCsi77844. Cisco Firewall Services Module (FWSM) is prone to multiple denial-of-service vulnerabilities and a vulnerability that could let attackers corrupt ACLs (access control lists). Three vulnerabilities were reported in total: 1. Specially crafted HTTPS may cause the FWSM to reload. If exploited repeatedly, this could cause a persistent denial of service. 2. Specially crafted MGCP packets may cause the FWSM to reload. If exploited repeatedly, this could cause a persistent denial of service. 3. Manipulating Access Control Entries (ACE) in the ACL via the command line or ASDM (Adaptive Security Device Manager) may inadvertently cause them to not be evaluated. This will corrupt ACLs. Cisco FWSM is a firewall service module on Cisco equipment. The source IP address and interface for receiving HTTPS requests must conform to the configured http <source IP> <source interface> command. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. 1) An unspecified error exists within the handling of HTTPS packets. Successful exploitation requires that the HTTPS server is enabled (disabled by default). 2) An unspecified error exists within the handling of Media Gateway Control Protocol (MGCP) packets. Successful exploitation requires that the MGCP application layer protocol inspection is enabled (disabled by default). NOTE: An error when loading manipulated ACLs (Access Control Lists) is also reported. SOLUTION: Update to a fixed version (please see vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20071017-fwsm.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco PIX and ASA appliances with 7.0 through 8.0 software, and Cisco Firewall Services Module (FWSM) 3.1(5) and earlier, allow remote attackers to cause a denial of service (device reload) via a crafted MGCP packet, aka CSCsi90468 (appliance) and CSCsi00694 (FWSM). (CSCsi90468 and CSCsi00694)Device restarted by third party, denial of service (DoS) There is a possibility of being put into a state. An attacker can exploit these issues to cause the affected devices to reload, denying service to legitimate users. Repeat attacks will result in a prolonged denial-of-service condition. MGCP messages are transported over the User Datagram Protocol (UDP), which allows specially crafted MGCP messages to be initiated from spoofed addresses. Only MGCP for gateway applications (MGCP communication on UDP port 2427) is affected. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. 1) An unspecified error exists within the handling of HTTPS packets. This can be exploited to reboot an affected FWSM by sending specially crafted HTTPS packets. Successful exploitation requires that the HTTPS server is enabled (disabled by default). The vulnerability is reported in versions 3.1 and 3.2. 2) An unspecified error exists within the handling of Media Gateway Control Protocol (MGCP) packets. This can be exploited to reboot the FWSM by sending specially crafted MGCP packets. Successful exploitation requires that the MGCP application layer protocol inspection is enabled (disabled by default). The vulnerability is reported in version 3.1. NOTE: An error when loading manipulated ACLs (Access Control Lists) is also reported. SOLUTION: Update to a fixed version (please see vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20071017-fwsm.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Adobe Flash Player 9.0.47.0 and earlier, when running on Opera before 9.24 on Mac OS X, has unknown "Highly Severe" impact and unknown attack vectors. Adobe Flash Player may load arbitrary, malformed cross-domain policy files. This could allow an attacker to control cross-domain data loading, potentially allowing the attacker to gain access to sensitive information or to manipulate content in other domains. Very few technical details are currently available. We will update this BID as more information emerges. I. The update addresses vulnerabilities in other vendors' products that ship with Apple OS X or OS X Server. These products include: * Adobe Flash * Adobe Shockwave * GNU Tar II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, surreptitious video conference initiation, and denial of service. III. This and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History December 18, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ 7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0 h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q== =Y1jd -----END PGP SIGNATURE----- . 3) An error exists when pinning a hostname to an IP address. This can be exploited to bypass certain security restrictions on web servers hosting cross-domain policy files. 5) Input passed to unspecified parameters when handling the "asfunction:" protocol is not properly sanitised before being returned to the user. This can be exploited to inject arbitrary HTML and script code in a user's browser session in context of an affected site. 6) Input passed to unspecified parameters when calling the "navigateToURL" function is not properly sanitised before being returned to the user. This can be exploited to inject arbitrary HTML and script code in a user's browser session in context of an affected site. 7) An unspecified error can be exploited to modify HTTP headers and conduct HTTP request splitting attacks. 8) An error within the implementation of the Socket or XMLSocket ActionScript classes can be exploited to determine if a port on a remote host is opened or closed. 9) An error within the setting of memory permissions in Adobe Flash Player for Linux can be exploited by malicious, local users to gain escalated privileges. For more information see vulnerability #3 in: SA27277 The vulnerabilities are reported in versions prior to 9.0.115.0. 3) The vendor credits Dan Boneh, Adam Barth, Andrew Bortz, Collin Jackson, and Weidong Shao of Stanford University. and JPCERT/CC. 6) The vendor credits Collin Jackson and Adam Barth of Stanford University. 9) The vendor credits Jesse Michael and Thomas Biege of SUSE. -- SPARC Platform -- Solaris 10: Apply patch 125332-03 or later. OpenSolaris: Fixed in build snv_89 or later. -- x86 Platform -- Solaris 10: Apply patch 125333-03 or later. OpenSolaris: Fixed in build snv_89 or later. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28136 VERIFY ADVISORY: http://secunia.com/advisories/28136/ CRITICAL: Highly critical IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page. 2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page. 3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 4) A race condition exists in the "CFURLWriteDataAndPropertiesToResource" API, which can lead to files being created with insecure permissions. 5) A boundary error exists in the printer driver for CUPS. This can be exploited to cause a buffer overflow and allows an admin user to execute arbitrary code with system privileges by passing a specially crafted URI to the CUPS service. 6) A boundary error in CUPS can be exploited by malicious people to compromise a vulnerable system. For more information: SA27233 7) An integer underflow error in the CUPS backend in the handling of SNMP responses can be exploited to cause a stack-based buffer overflow by sending a specially crafted SNMP response. Successful exploitation allows execution of arbitrary code, but requires that SNMP is enabled. 8) A boundary error in Desktop Services can be exploited to cause a heap-based buffer overflow when a user opens a directory containing a specially crafted .DS_Store file. Successful exploitation may allow execution of arbitrary code. 9) An input validation error in tar can be exploited by malicious people to compromise a user's system. For more information: SA26573 10) An unspecified error in iChat can be exploited by malicious people on the local network to initiate a video connection without the user's approval. 11) An unspecified error exists within IO Storage Family when handling GUID partition maps within a disk image. This can be exploited to execute arbitrary code when a user is enticed to open a specially crafted disk image. 12) Launch Services does not handle HTML files as potentially unsafe content. This can be exploited to disclose sensitive information or conduct cross-site scripting attacks by enticing a user to open a specially crafted HTML file. 13) A vulnerability in Mail in the handling of unsafe file types can be exploited to compromise a user's system. For more information: SA27785 14) An error in Mail can cause the application to default to SMTP plaintext authentication if the server supports only MD5 Challenge-Response authentication and plaintext authentication. 15) Some vulnerabilities in perl can be exploited by malicious people to compromise a vulnerable system. For more information: SA27546 16) A security issue in python can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA26837 17) Plug-ins in Quick Look are not restricted from making network requests. This may lead to the disclosure of sensitive information when previewing an HTML file. 18) URLs contained in movie files may be accessed when creating an icon for a movie file or previewing a movie file using QuickLook. 19) Some security issues in ruby can be exploited by malicious people to conduct spoofing attacks. For more information: SA26985 20) Some vulnerabilities and a security issue in Ruby on Rails can be exploited by malicious people to disclose sensitive information or to conduct session fixation attacks. For more information: SA25699 SA27781 21) An error in Safari allows a page to navigate the subframes of any other page. This can be exploited to conduct cross-site scripting attacks and to disclose sensitive information when a user visits a specially crafted web page. 22) An unspecified error in Safari in the handling of RSS feeds can be exploited to cause a memory corruption and may allow execution of arbitrary code when a user accesses a specially crafted URL. 23) Some boundary errors in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27450 24) Some boundary errors in the Shockwave Plug-in can be exploited by malicious people to compromise a user's system. For more information: SA19218 25) A boundary error in the processing of command line arguments to "mount_smbfs" and "smbutil" can be exploited to cause a stack-based buffer overflow and execute arbitrary code with system privileges. 26) The distribution definition file used in Software Update is received by using HTTP without any authentication and allows execution of arbitrary commands. Successful exploitation requires a MitM (Man-in-the-Middle) attack. 27) An error due to an insecure file operation exists in the handling of output files in SpinTracer. This may allow a malicious, local user to execute arbitrary code with system privileges. 28) An unspecified error exists in the Microsoft Office Spotlight Importer, which can be exploited to cause a memory corruption when a user downloads a specially crafted .xls file. Successful exploitation may allow execution of arbitrary code. 29) Some vulnerabilities in tcpdump can be exploited by malicious people to cause a DoS or to compromise a user's system. For more information: SA24318 SA26135 30) Some vulnerabilities exist the Perl Compatible Regular Expressions (PCRE) library used by XQuery, which can potentially be exploited to compromise a vulnerable system. Security Update 2007-009 (10.4.11 Universal): http://www.apple.com/support/downloads/securityupdate200700910411universal.html Security Update 2007-009 (10.4.11 PPC): http://www.apple.com/support/downloads/securityupdate200700910411ppc.html Security Update 2007-009 (10.5.1): http://www.apple.com/support/downloads/securityupdate20070091051.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sean Harding. 3) The vendor credits Tom Ferris, Adobe Secure Software Engineering Team (ASSET). 5) The vendor credits Dave Camp, Critical Path Software. 7) The vendor credits Wei Wang, McAfee Avert Labs. 12) The vendor credits Michal Zalewski, Google Inc. 13) The vendor credits Xeno Kovah, originally reported in Mac OS X 10.5 by heise Security. 15) The vendor credits Tavis Ormandy and Will Drewry, Google Security Team. 18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc. 26) Moritz Jodeit. 27) The vendor credits Kevin Finisterre, DigitalMunition ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307179 OTHER REFERENCES: SA19218: http://secunia.com/advisories/19218/ SA24318: http://secunia.com/advisories/24318/ SA25699: http://secunia.com/advisories/25699/ SA26135: http://secunia.com/advisories/26135/ SA26573: http://secunia.com/advisories/26573/ SA26837: http://secunia.com/advisories/26837/ SA26985: http://secunia.com/advisories/26985/ SA27233: http://secunia.com/advisories/27233/ SA27450: http://secunia.com/advisories/27450/ SA27543: http://secunia.com/advisories/27543/ SA27546: http://secunia.com/advisories/27546/ SA27781: http://secunia.com/advisories/27781/ SA27785: http://secunia.com/advisories/27785/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in cgi-bin/welcome (aka the login page) in Netgear SSL312 PROSAFE SSL VPN-Concentrator 25 allows remote attackers to inject arbitrary web script or HTML via the err parameter in the context of an error page. NETGEAR ProSafe SSL VPN Concentrator 25-SSL312 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. Request your account, the Secunia Network Software Inspector (NSI): http://secunia.com/network_software_inspector/ ---------------------------------------------------------------------- TITLE: Netgear SSL312 "err" Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA27238 VERIFY ADVISORY: http://secunia.com/advisories/27238/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote OPERATING SYSTEM: Netgear SSL312 http://secunia.com/product/16173/ DESCRIPTION: SkyOut has reported a vulnerability in Netgear SSL312, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "err" parameter in e.g. cgi-bin/welcome/XYZ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. SOLUTION: Filter malicious characters and character sequences in a web proxy. Do not follow untrusted links. PROVIDED AND/OR DISCOVERED BY: SkyOut ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2007-October/066633.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the FTP service in Sun StorEdge/StorageTek 3510 FC Array with firmware before 4.21 allows remote attackers, with access to the Ethernet management interface, to cause a denial of service (I/O request timeout and device hang) via unspecified vectors. Remote attackers may exploit this issue to deny service to legitimate users. Sun StorEdge 3510 FC Array with firmware version 4.21 is affected. If the above vulnerability is present, hosts requesting I/O services from the affected array may report I/O request timeouts and eventually go offline from the array, and a message similar to the following may appear in the array event log: Tue Jan 24 14:03: 06 2007 [Primary] Warning Memory Not Sufficient to Fully Support Current Config ... ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. Successful exploitation requires that the attacker has access to the management network to which the array's management Ethernet interface is connected to. The vulnerability is reported in firmware versions prior to 4.21. SOLUTION: Update to firmware 4.21, delivered in patch 113723-18 or later. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103106-1 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco CallManager 5.1.1.3000-5 does not verify the Digest authentication header URI against the Request URI in SIP messages, which allows remote attackers to use sniffed Digest authentication credentials to call arbitrary telephone numbers or spoof caller ID (aka "toll fraud and authentication forward attack"). CallManager and Openser are prone to a remote unauthorized-access vulnerability that may lead to toll fraud and caller-ID spoofing. A remote attacker can exploit this issue to initiate unauthorized phone calls and pretend to be a legitimate user. Cisco CallManager does not check that the URI provided by the user in the Digest-Authentication header matches the message's REQUEST-URI, and a malicious user could sniff the Digest-Authentication from a legitimate user and then call arbitrary extensions on behalf of that user. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. Request your account, the Secunia Network Software Inspector (NSI): http://secunia.com/network_software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco CallManager Authentication Header Hijacking Security Issue SECUNIA ADVISORY ID: SA27231 VERIFY ADVISORY: http://secunia.com/advisories/27231/ CRITICAL: Less critical IMPACT: Hijacking WHERE: >From local network SOFTWARE: Cisco Unified CallManager 5.x http://secunia.com/product/12535/ DESCRIPTION: A security issue has been reported in Cisco CallManager, which can be exploited by malicious people to hijack user sessions. The security issue is caused due to the improper processing of SIP messages and can be exploited to make calls from a hijacked account by requesting a URI containing a sniffed authentication header. The security issue is reported in Cisco CallManager system version 5.1.1.3000-5 and administration version 1.1.0.0-1. Other versions may also be affected. SOLUTION: Use Cisco CallManager in a trusted network environment only. PROVIDED AND/OR DISCOVERED BY: Humberto J. Abdelnur, Radu State, and Olivier Festor ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2007-October/066581.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in the Line Printer Daemon (LPD) in Cisco IOS before 12.2(18)SXF11, 12.4(16a), and 12.4(2)T6 allow remote attackers to execute arbitrary code by setting a long hostname on the target system, then causing an error message to be printed, as demonstrated by a telnet session to the LPD from a source port other than 515. The Cisco IOS Line Printer Daemon contains a buffer overflow vulnerability. If successfully exploited, this vulnerability may allow an attacker to execute arbitrary code or create a denial-of-service condition . (CSCsj86725)Arbitrary code may be executed. Cisco IOS is prone to a remote buffer-overflow vulnerability in its LPD service because it fails to perform adequate boundary checks on user-supplied data. Attackers could also restart the device, resulting in denial-of-service conditions. To exploit this issue, an attacker must be able to change the hostname of affected routers. SNMP write access may allow attackers to change the router's hostname. Versions prior to Cisco IOS 12.2(18)SXF11, 12.4(16a), and 12.4(2)T6 are vulnerable. This issue is being tracked by Cisco bug ID CSCsj86725. NOTE: This issue is related to the vulnerabilities described in BID 25994 (Cisco IOS Multiple Unspecified Stack Overflow Vulnerabilities). Remote attackers may use this vulnerability to control the device or cause the device to deny service. If any source TCP port other than 515 is connected, the following error will be displayed: $ telnet 172.30.3.101 515 Trying 172.30.3.101... Connected to 172.30.3.101 (172.30.3.101). Escape character is '^]'. hostname_of_the_router: /usr/lib/lpd: Malformed from address If the hostname is greater than or equal to 99 characters, it will overflow due to calling the sprintf() function. Although technically a stack overflow, since IOS allocates heap memory for the process stack, the overwritten memory is actually the heap. Since the heap memory is used as a stack, the hostname can overwrite the return address stored before the start of the character buffer in case of overflow, but for some reason the crash does not occur until the buffer reaches the red zone at the heap block boundary, so After a crash and a router reboot, the memory dump shows heap corruption. The hostname must be controlled to exploit this vulnerability. If SNMP is running on the device and you know the rw community string (usually the default value private), you can set the hostname as follows: $ snmpset -Os -c private -v 1 10.0.0.1 system.sysName.0 s long_hostname. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. Request your account, the Secunia Network Software Inspector (NSI): http://secunia.com/network_software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco IOS Line Printer Daemon Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA27169 VERIFY ADVISORY: http://secunia.com/advisories/27169/ CRITICAL: Not critical IMPACT: DoS, System access WHERE: >From local network OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/product/50/ Cisco IOS 12.x http://secunia.com/product/182/ DESCRIPTION: Andy Davis has reported a vulnerability in Cisco IOS, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. This can be exploited to cause a stack-based buffer overflow by e.g. connecting to the default LPD port (515/TCP). Successful exploitation may allow the execution of arbitrary code but requires that the LPD daemon is enabled (disabled by default) and that the attacker can control the hostname of the router. SOLUTION: Update to 12.2(18)SXF11, 12.4(16a), or 12.4(2)T6. PROVIDED AND/OR DISCOVERED BY: Andy Davis, IRM Plc. ORIGINAL ADVISORY: IRM Plc.: http://www.irmplc.com/index.php/155-Advisory-024 Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20071010-lpd.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------