VARIoT IoT vulnerabilities database

VAR-200412-0466 | CVE-2004-2359 | Dell TrueMobile 1300 WLAN System Tray Applet Local Privilege Escalation Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Dell TrueMobile 1300 WLAN Mini-PCI Card Util TrayApplet 3.10.39.0 does not properly drop SYSTEM privileges when started from the systray applet, which allows local users to gain privileges by accessing the Help functionality. It has been reported that a privilege escalation vulnerability exists in the Dell TrueMobile 1300 Wireless System Tray Applet. The issue is due to the software starting with SYSTEM privileges, to enable access to the wireless hardware, and subsequently failing to drop them.
This may allow a local attacker to manipulate the GUI of the vulnerable application to spawn arbitrary processes with the privileges of the affected process.
Although only version 3.10.39.0 of the utility has been reported vulnerable, it is likely that other versions are prone as well. Dell TrueMobile TM 1300 WLAN is a mini-PCI wireless network card system that includes a system tray applet program for controlling the device.
VAR-200402-0092 | CAN-2004-0306 | CNVD-2004-0508 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco ONS is a fiber optic network platform developed by Cisco. Cisco ONS has multiple vulnerabilities that can result in unauthorized access to the device, denial of service, or continued authentication by a locked account. The Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 can be managed through XTC, TCC+/TCC2, TCCi/TCC2, and TSC control cards, which are typically isolated from the Internet and connected only to the local network environment. The following vulnerabilities exist:
- CSCec17308/CSCec19124 (tftp)
The TFTP service listens on UDP port 69 by default and accepts GET and PUT commands without any authentication, so a client that can reach the device can upload and download arbitrary data.
- CSCec17406 (port 1080)
Cisco ONS 15327, ONS 15454 and ONS 15454 SDH hardware is vulnerable to an ACK denial of service attack on TCP port 1080, the port used for network management communication with the control cards. An ACK denial of service attack can cause a control card on the device to reset.
- CSCec66884/CSCec71157 (SU access)
By default, only superusers are allowed Telnet access to the VxWorks operating system. Due to this vulnerability, even when the superuser account is disabled, locked or suspended, the VxWorks shell can still be logged into using the configured password.
VAR-200402-0093 | CAN-2004-0307 | CNVD-2004-0509 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco ONS is a fiber optic network platform developed by Cisco. Cisco ONS has multiple vulnerabilities that can result in unauthorized access to the device, denial of service, or continued authentication by a locked account. The Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 can be managed through XTC, TCC+/TCC2, TCCi/TCC2, and TSC control cards, which are typically isolated from the Internet and connected only to the local network environment. The following vulnerabilities exist:
- CSCec17308/CSCec19124 (tftp)
The TFTP service listens on UDP port 69 by default and accepts GET and PUT commands without any authentication, so a client that can reach the device can upload and download arbitrary data.
- CSCec17406 (port 1080)
Cisco ONS 15327, ONS 15454 and ONS 15454 SDH hardware is vulnerable to an ACK denial of service attack on TCP port 1080, the port used for network management communication with the control cards. An ACK denial of service attack can cause a control card on the device to reset.
- CSCec66884/CSCec71157 (SU access)
By default, only superusers are allowed Telnet access to the VxWorks operating system. Due to this vulnerability, even when the superuser account is disabled, locked or suspended, the VxWorks shell can still be logged into using the configured password.
VAR-200411-0076 | CVE-2004-0308 | Vulnerability in Cisco Systems optical networking systems software |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unknown vulnerability in Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD before 4.1(3), and Cisco ONS15600 before 1.3(0) allows a superuser whose account is locked out, disabled, or suspended to gain unauthorized access via a Telnet connection to the VxWorks shell. Unspecified vulnerabilities exist in Cisco Systems optical networking systems software.
It should be noted that the various ONS platforms are intended to be deployed on networks that are physically separated from the Internet, so exposure to these issues by remote attackers is limited. Cisco ONS is an optical network platform developed by Cisco. Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 can be managed by XTC, TCC+/TCC2, TCCi/TCC2, and TSC control cards. These control cards are generally isolated from the Internet and connected only to the local network environment. The following vulnerabilities exist:
- CSCec17308/CSCec19124 (tftp)
The TFTP service listens on UDP port 69 by default and accepts GET and PUT commands without any authentication, so a client that can reach the device can upload and download arbitrary data.
- CSCec17406 (port 1080)
Cisco ONS 15327, ONS 15454 and ONS 15454 SDH hardware is vulnerable to an ACK denial of service attack on TCP port 1080, the port used for network management communication with the control cards. An ACK denial of service attack can reset the control card on the device.
- CSCec66884/CSCec71157 (SU access)
By default, only superusers are allowed Telnet access to the VxWorks operating system. Due to this vulnerability, even when the superuser account is disabled, locked or suspended, it is still possible to log in to the VxWorks shell with the configured password.
VAR-200411-0074 | CVE-2004-0306 | Vulnerability in Cisco Systems optical networking systems software |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD before 4.1(3), and Cisco ONS 15600 before 1.3(0) enable TFTP service on UDP port 69 by default, which allows remote attackers to GET or PUT ONS system files on the current active TCC in the /flash0 or /flash1 directories. Unspecified vulnerabilities exist in Cisco Systems optical networking systems software. Cisco ONS is a fiber optic network platform developed by Cisco.
There are multiple vulnerabilities in Cisco ONS that can lead to unauthorized access to the device, denial of service, or continued authentication by a locked account. The management control cards are generally isolated from the Internet and connected only to the local network environment. The following vulnerabilities exist:
- CSCec17308/CSCec19124 (tftp)
The TFTP service listens on UDP port 69 by default and accepts GET and PUT commands without any authentication, so a client that can reach the device can upload and download arbitrary data.
- CSCec17406 (port 1080)
TCP port 1080 is used for network management communication with the control cards. An ACK denial of service attack can cause the control card on the device to reset.
- CSCec66884/CSCec71157 (SU access)
By default, only superusers are allowed Telnet access to the VxWorks operating system. Due to this vulnerability, even when the superuser account is disabled, locked or suspended, it is still possible to log in to the VxWorks shell with the configured password.
It should be noted that the various ONS platforms are intended to be deployed on networks that are physically separated from the Internet, so exposure to these issues by remote attackers is limited.
VAR-200411-0075 | CVE-2004-0307 | Vulnerability in Cisco Systems optical networking systems software |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), and ONS 15454 SD before 4.1(3) allow remote attackers to cause a denial of service (reset) by not sending the ACK portion of the TCP three-way handshake and sending an invalid response instead. Unspecified vulnerabilities exist in Cisco Systems optical networking systems software. Cisco has reported multiple vulnerabilities in the following platforms:
Cisco ONS 15327 Edge Optical Transport Platform
Cisco ONS 15454 Optical Transport Platform
Cisco ONS 15454 SDH Multiplexer Platform
Cisco ONS 15600 Multiservice Switching Platform
These issues could permit unauthorized access to devices, including unauthenticated access to GET/PUT TFTP commands on affected platforms, denial of service attacks via incomplete TCP transactions and an issue that may allow locked out superuser accounts to still authenticate.
It should be noted that the various ONS platforms are intended to be deployed on networks that are physically separated from the Internet, so exposure to these issues by remote attackers is limited. Versions of Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), and ONS 15454 SDH before 4.1(3) are vulnerable.
VAR-200411-0080 | CVE-2004-0312 | Vulnerability in Cisco Systems (Linksys) WAP55AG |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Linksys WAP55AG 1.07 allows remote attackers with access to an SNMP read-only community string to gain access to read/write community strings via a query for OID 1.3.6.1.4.1.3955.2.1.13.1.2. Unspecified vulnerabilities exist in Cisco Systems (Linksys) WAP55AG. The Linksys WAP55AG appliance has been reported prone to an insecure default configuration vulnerability.
An attacker may disclose sensitive information in this manner. Although unconfirmed, it may also be possible for the attacker to manipulate the appliance configuration through the writable strings. Linksys WAP55AG is a wireless access device. An attacker can obtain the read/write community strings from the SNMP MIB by querying the Linksys WAP55AG SNMP service.
VAR-200411-0057 | CVE-2004-0297 | IMail Server LDAP daemon buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in the Lightweight Directory Access Protocol (LDAP) daemon (iLDAP.exe 3.9.15.10) in Ipswitch IMail Server 8.03 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via an LDAP message with a large tag length. Unspecified vulnerabilities exist in Ipswitch, Inc. IMail. The Ipswitch LDAP daemon has been reported prone to a remote buffer overflow vulnerability. The vulnerability exists due to a lack of sufficient boundary checks performed on user-supplied LDAP tags. When attacker-supplied data containing large LDAP tags is processed by the affected service, a stack-based buffer overflow condition will be triggered. A remote attacker may exploit this condition to execute arbitrary instructions in the security context of the affected service. Ipswitch IMail Server is a web-based mail solution. The Ipswitch LDAP daemon does not adequately check user-supplied LDAP tags. Each element of an LDAP message is encoded as a tag followed by a length and the content; for example, the bytes 0x02 0x03 0x0A 0x25 0xBD represent the integer 665,501 (0xA25BD). If the length supplied by the attacker is too large, the daemon copies the user-supplied data according to that length when it processes the message. Because of the missing bounds check, the copy performed at the following instruction can overwrite memory on the stack: .text:00401188 mov byte ptr [ebp+ecx+var_4], dl. Carefully crafted data copied in this way may allow arbitrary instructions to be executed with the privileges of the LDAP daemon process.
VAR-200411-0029 | CVE-2004-0269 | Vulnerability in Francisco Burzi PHP-Nuke |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
SQL injection vulnerability in PHP-Nuke 6.9 and earlier, and possibly 7.x, allows remote attackers to inject arbitrary SQL code and gain sensitive information via (1) the category variable in the Search module or (2) the admin variable in the Web_Links module. Unspecified vulnerabilities exist in Francisco Burzi PHP-Nuke. It has been reported that PHP-Nuke may be prone to a SQL injection vulnerability due to insufficient sanitization of user-supplied input. The problem is reported to exist in the $category variable contained within the 'index.php' page.
PHP-Nuke versions 6.9 and prior have been reported to be prone to this issue; however, other versions may be affected as well. PHP-Nuke is a popular website creation and management tool that can use many database systems as a backend, such as MySQL, PostgreSQL, mSQL, Interbase and Sybase. The 'index.php' script included in PHP-Nuke lacks adequate filtering of the parameters submitted by users. When performing a search, the index.php script does not fully filter the data submitted by the user in the $category variable. Submitting data containing SQL commands as the $category parameter can change the original query logic, disclose sensitive database information and modify database content.
VAR-200411-0122 | CVE-2004-0265 | Vulnerability in Francisco Burzi PHP-Nuke |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in modules.php for Php-Nuke 6.x-7.1.0 allows remote attackers to execute arbitrary script as other users via URL-encoded (1) title or (2) fname parameters in the News or Reviews modules. Unspecified vulnerabilities exist in Francisco Burzi PHP-Nuke. It has been reported that the PHP-Nuke module 'News' is prone to a cross-site scripting vulnerability. The issue arises because the module fails to properly sanitize user-supplied input. This could allow execution of hostile HTML and script code in the web client of a user who visits a web page that contains the malicious code. This would occur in the security context of the site hosting the software.
VAR-200411-0123 | CVE-2004-0266 | PHP-Nuke Public Message SQL Injection Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
SQL injection vulnerability in the "public message" capability (public_message) for Php-Nuke 6.x to 7.1.0 allows remote attackers to obtain the administrator password via the c_mid parameter. Unspecified vulnerabilities exist in Francisco Burzi PHP-Nuke. The issue is due to improper sanitization of user-defined parameters supplied to the module. As a result, an attacker could modify the logic and structure of database queries. Other attacks may also be possible, such as gaining access to sensitive information.
VAR-200403-0025 | CVE-2004-0039 | HTTP Parsing Vulnerabilities in Check Point Firewall-1 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple format string vulnerabilities in the HTTP Application Intelligence (AI) component in Check Point Firewall-1 NG-AI R55 and R54, and Check Point Firewall-1 HTTP Security Server included with NG FP1, FP2, and FP3 allow remote attackers to execute arbitrary code via HTTP requests that cause format string specifiers to be used in an error message, as demonstrated using the scheme of a URI. Several versions of Check Point Firewall-1 contain a vulnerability that allows remote attackers to execute arbitrary code with administrative privileges. Check Point Firewall-1 is a high-performance firewall. An unsuccessful attack terminates all established HTTP sessions and stops web communication.
HTTP Parsing Vulnerabilities in Check Point Firewall-1
Original release date: February 05, 2004
Last revised: --
Source: US-CERT
A complete revision history can be found at the end of this file. This allows the attacker to take control of the firewall,
and in some cases, to also control the server it runs on.
I. Description
The Application Intelligence (AI) component of Check Point Firewall-1
is an application proxy that scans traffic for application layer
attacks once it has passed through the firewall at the network level.
Earlier versions of Firewall-1 include the HTTP Security Server, which
provides similar functionality. When Firewall-1 generates an error message in
response to the invalid request, a portion of the input supplied by the
attacker is included in the format string for a call to sprintf().
Researchers at Internet Security Systems have determined that it is
possible to exploit this format string vulnerability to execute
commands on the firewall. For more information, please
see the ISS advisory at:
http://xforce.iss.net/xforce/alerts/id/162
The CERT/CC is tracking this issue as VU#790771. This reference number
corresponds to CVE candidate CAN-2004-0039.
II. Failed attempts to exploit this vulnerability may cause the
firewall to crash.
III. It is unclear at this time whether there
are other attack vectors that may still allow exploitation of the
underlying software defect.
Therefore, affected sites may be able to limit their exposure to this
vulnerability by disabling HTTP Security Servers or the Application
Intelligence component, as appropriate.
_________________________________________________________________
This vulnerability was discovered and researched by Mark Dowd of ISS
X-Force.
_________________________________________________________________
This document was written by Jeffrey P. Lanza.
_________________________________________________________________
This document is available from:
http://www.us-cert.gov/cas/techalerts/TA04-036A.html
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Revision History
Feb 05, 2004: Initial release
VAR-200403-0026 | CVE-2004-0040 | Check Point ISAKMP vulnerable to buffer overflow via Certificate Request |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in Check Point VPN-1 Server 4.1 through 4.1 SP6 and Check Point SecuRemote/SecureClient 4.1 through 4.1 build 4200 allows remote attackers to execute arbitrary code via an ISAKMP packet with a large Certificate Request packet. A buffer overflow vulnerability exists in the Internet Security Association and Key Management Protocol (ISAKMP) implementation used in Check Point VPN-1, SecuRemote, and SecureClient products. An unauthenticated, remote attacker could execute arbitrary code with the privileges of the ISAKMP process, typically root or SYSTEM. Because of this, it is possible for a remote attacker to gain unauthorized access to vulnerable systems. Check Point Firewall-1 is a high-performance firewall; the Check Point VPN-1 server and Check Point VPN client provide VPN access for remote client computers. The IKE component of these products allows one-way or mutual authentication of two remote peers. The Check Point VPN-1 server and Check Point VPN client lack sufficient checks when handling large certificate payloads. Remote attackers can exploit this vulnerability to trigger a buffer overflow and possibly take control of the firewall server with system privileges. Internet Key Exchange (IKE) is used for key negotiation and exchange when encrypted transmission or communication is set up over a VPN, and the ISAKMP protocol carries this exchange. A remote unauthenticated user triggers this vulnerability during the initial phase of IKE negotiation, because the affected VPN implementations lack sufficient bounds checks when processing ISAKMP packets containing very large certificate request payloads. Attackers do not need any prior interaction with the target system to exploit this vulnerability; they only need to send UDP packets, which may carry forged source addresses. Successful exploitation of this vulnerability can give direct control of the entire firewall system.
VAR-200411-0101 | CVE-2004-0244 | Cisco 6000/6500/7600 series systems fail to properly process layer 2 frames |
CVSS V2: 4.7 CVSS V3: - Severity: MEDIUM |
Cisco 6000, 6500, and 7600 series systems with Multilayer Switch Feature Card 2 (MSFC2) and a FlexWAN or OSM module allow local users to cause a denial of service (hang or reset) by sending a layer 2 frame packet that encapsulates a layer 3 packet, but has inconsistent length values with that packet. A problem has been identified in the handling of specific types of traffic by Cisco 6000, 6500, and 7600 routers with the MSFC2 device. Because of this, an attacker could potentially crash a vulnerable system. A layer 2 frame is used to encapsulate layer 3 packets. Cisco 6000/6500/7600 are high-end routers. Cisco 6000, 6500, and 7600 routers using MSFC2 devices handle some traffic improperly, and an attacker could exploit this vulnerability to perform a denial-of-service attack on the device. However, the malformed packet must be software-switched on the affected system for the problem to occur; hardware-switched packets cannot trigger this vulnerability. Although such frames can normally only be sent from the local network segment, they may also be triggered remotely under certain conditions. To be exploited remotely, the crafted layer 2 frame would have to pass through every layer 3 device between source and destination without being modified.
VAR-200412-0837 | CVE-2004-2533 | SolarWinds Serv-U File Server Input validation error vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Serv-U FTP Server 4.1 (possibly 4.0) allows remote attackers to cause a denial of service (application crash) via a SITE CHMOD command with a "\\...\" followed by a short string, causing partial memory corruption, a different vulnerability than CVE-2004-2111. RhinoSoft Serv-U FTP Server is prone to a remote post-authentication buffer-overflow vulnerability.
The vulnerability occurs when a malicious filename argument is passed to the SITE CHMOD command. The immediate consequence of this issue may be a denial of service. An attacker may be able to leverage this condition to execute arbitrary code in the context of the affected service, but this has not been confirmed.
VAR-200412-0550 | CVE-2004-2329 | Kerio Personal Firewall Local Privilege Escalation Vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Kerio Personal Firewall (KPF) 2.1.5 allows local users to execute arbitrary code with SYSTEM privileges via the Load button in the Firewall Configuration Files option, which does not drop privileges before opening the file loading dialog box.
Kerio Personal Firewall 2.1.5 has been reported to be prone to this issue; however, other versions could be affected as well. Kerio Personal Firewall is a personal firewall.
VAR-200412-0928 | CVE-2004-2111 | SolarWinds Serv-U File Server Buffer error vulnerability |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the site chmod command in Serv-U FTP Server before 4.2 allows remote attackers to execute arbitrary code via a long filename. The immediate consequence of this issue may be a denial of service. An attacker may be able to leverage this condition to execute arbitrary code in the context of the affected service, but this has not been confirmed. RhinoSoft Serv-U FTP Server is reportedly prone to a buffer overflow. The issue exists when a 'site chmod' command is issued on a non-existent file. Execution of arbitrary code may be possible.
VAR-200401-0063 | CVE-2004-1759 | Cisco Voice Product IBM Director Agent Port Scan Denial Of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco voice products, when running the IBM Director Agent on IBM servers before OS 2000.2.6, allow remote attackers to cause a denial of service (CPU consumption) via arbitrary packets to TCP port 14247, as demonstrated using port scanning. The Cisco IBM Director agent fails to authenticate users for remote administration. The issue is reported to present itself when a port associated with the affected software is scanned with a port scanner. This causes the target Cisco voice server to become inoperative until it is rebooted. Cisco voice devices are available on multiple operating platforms, including IBM. By default, TCP and UDP port 14247 are opened in an insecure manner. A scan by a common network port scanner causes the IBM Director process twgipc.exe to consume a large amount of CPU time, which stops it from responding to other requests.
VAR-200401-0064 | CVE-2004-1760 | Cisco default install of IBM Director agent fails to authenticate users for remote administration |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The default installation of Cisco voice products, when running the IBM Director Agent on IBM servers before OS 2000.2.6, does not require authentication, which allows remote attackers to gain administrator privileges by connecting to TCP port 14247. Cisco IBM Director agent fails to authenticate users for remote administration. This could be exploited by any Director Server/Console agent that can connect to the administrative port.
Administrative access will permit the attacker to take various malicious actions, including remote command execution, reconfiguration and stopping/starting services. Cisco voice devices are available on multiple operating platforms, including IBM. By default, TCP and UDP port 14247 are opened in an insecure manner.
VAR-200401-0062 | CVE-2004-1766 | NetScreen-Security Manager fails to encrypt communications with managed devices |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The default installation of NetScreen-Security Manager before Feature Pack 1 does not enable encryption for communication with devices running ScreenOS 5.0, which allows remote attackers to obtain sensitive information via sniffing. A vulnerability in the NetScreen-Security Manager software could expose sensitive information in cleartext over the network. A problem in the handling of default communications has been identified in NetScreen-Security Manager. Because of this, an attacker may be able to gain access to potentially sensitive information. NetScreen is a firewall security solution, and its operating system is ScreenOS.