VARIoT IoT vulnerabilities database

Unspecified vulnerability in Cisco Unified Intelligent Contact Management Enterprise (ICME), Unified ICM Hosted (ICMH), Unified Contact Center Enterprise (UCCE), Unified Contact Center Hosted (UCCH), and System Unified Contact Center Enterprise (SUCCE) 7.1(5) allows remote authenticated users to gain privileges, and read reports or change the SUCCE configuration, via certain web interfaces, aka CSCsj55686. Cisco Unified Communications Management Applications are prone to a privilege-escalation vulnerability. Attackers can exploit this issue to gain unauthorized access to the web-based reporting and script-monitoring tool and the web-based configuration tool. Attackers can gain access to potentially sensitive information and change the application configuration (including application rights). Information harvested may aid in further attacks. Vulnerabilities in the Cisco Unified ICME, Unified ICMH, UCCE, UCCH, and SUCCE Web Administration components in CUCM products allow users defined in any Windows Active Directory domain to gain unauthorized privilege levels, which allows Windows Active Directory users to view arbitrary calls Central Web View report information. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. The vulnerability is caused due to an unspecified error and can be exploited by Windows Active Directory users to e.g. http://tools.cisco.com/support/downloads/go/MDFTree.x?butype=cc PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. CHANGELOG: 2007-10-18: Added CVE reference. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20071017-IPCC.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Firewall Services Module (FWSM) 3.2(1), and 3.1(5) and earlier, allows remote attackers to cause a denial of service (device reload) via a crafted HTTPS request, aka CSCsi77844. Cisco Firewall Services Module (FWSM) is prone to multiple denial-of-service vulnerabilities and a vulnerability that could let attackers corrupt ACLs (access control lists). Three vulnerabilities were reported in total: 1. Specially crafted HTTPS may cause the FWSM to reload. If exploited repeatedly, this could cause a persistent denial of service. 2. Specially crafted MGCP packets may cause the FWSM to reload. If exploited repeatedly, this could cause a persistent denial of service. 3. Manipulating Access Control Entries (ACE) in the ACL via the command line or ASDM (Adaptive Security Device Manager) may inadvertently cause them to not be evaluated. This will corrupt ACLs. Cisco FWSM is a firewall service module on Cisco equipment. The source IP address and interface for receiving HTTPS requests must conform to the configured http <source IP> <source interface> command. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. 1) An unspecified error exists within the handling of HTTPS packets. Successful exploitation requires that the HTTPS server is enabled (disabled by default). 2) An unspecified error exists within the handling of Media Gateway Control Protocol (MGCP) packets. Successful exploitation requires that the MGCP application layer protocol inspection is enabled (disabled by default). NOTE: An error when loading manipulated ACLs (Access Control Lists) is also reported. SOLUTION: Update to a fixed version (please see vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20071017-fwsm.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco PIX and ASA appliances with 7.0 through 8.0 software, and Cisco Firewall Services Module (FWSM) 3.1(5) and earlier, allow remote attackers to cause a denial of service (device reload) via a crafted MGCP packet, aka CSCsi90468 (appliance) and CSCsi00694 (FWSM). (CSCsi90468 and CSCsi00694)Device restarted by third party, denial of service (DoS) There is a possibility of being put into a state. An attacker can exploit these issues to cause the affected devices to reload, denying service to legitimate users. Repeat attacks will result in a prolonged denial-of-service condition. MGCP messages are transported over the User Datagram Protocol (UDP), which allows specially crafted MGCP messages to be initiated from spoofed addresses. Only MGCP for gateway applications (MGCP communication on UDP port 2427) is affected. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. 1) An unspecified error exists within the handling of HTTPS packets. This can be exploited to reboot an affected FWSM by sending specially crafted HTTPS packets. Successful exploitation requires that the HTTPS server is enabled (disabled by default). The vulnerability is reported in versions 3.1 and 3.2. 2) An unspecified error exists within the handling of Media Gateway Control Protocol (MGCP) packets. This can be exploited to reboot the FWSM by sending specially crafted MGCP packets. Successful exploitation requires that the MGCP application layer protocol inspection is enabled (disabled by default). The vulnerability is reported in version 3.1. NOTE: An error when loading manipulated ACLs (Access Control Lists) is also reported. SOLUTION: Update to a fixed version (please see vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20071017-fwsm.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Adobe Flash Player 9.0.47.0 and earlier, when running on Opera before 9.24 on Mac OS X, has unknown "Highly Severe" impact and unknown attack vectors. Adobe Flash Player may load arbitrary, malformed cross-domain policy files. This could allow an attacker to control cross-domain data loading, potentially allowing the attacker to gain access to sensitive information or to manipulate content in other domains. Very few technical details are currently available. We will update this BID as more information emerges. I. The update addresses vulnerabilities in other vendors' products that ship with Apple OS X or OS X Server. These products include: * Adobe Flash * Adobe Shockwave * GNU Tar II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, surreptitious video conference initiation, and denial of service. III. This and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History December 18, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ 7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0 h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q== =Y1jd -----END PGP SIGNATURE----- . 3) An error exists when pinning a hostname to an IP address. This can be exploited to bypass certain security restrictions on web servers hosting cross-domain policy files. 5) Input passed to unspecified parameters when handling the "asfunction:" protocol is not properly sanitised before being returned to the user. This can be exploited to inject arbitrary HTML and script code in a user's browser session in context of an affected site. 6) Input passed to unspecified parameters when calling the "navigateToURL" function is not properly sanitised before being returned to the user. This can be exploited to inject arbitrary HTML and script code in a user's browser session in context of an affected site. 7) An unspecified error can be exploited to modify HTTP headers and conduct HTTP request splitting attacks. 8) An error within the implementation of the Socket or XMLSocket ActionScript classes can be exploited to determine if a port on a remote host is opened or closed. 9) An error within the setting of memory permissions in Adobe Flash Player for Linux can be exploited by malicious, local users to gain escalated privileges. For more information see vulnerability #3 in: SA27277 The vulnerabilities are reported in versions prior to 9.0.115.0. 3) The vendor credits Dan Boneh, Adam Barth, Andrew Bortz, Collin Jackson, and Weidong Shao of Stanford University. and JPCERT/CC. 6) The vendor credits Collin Jackson and Adam Barth of Stanford University. 9) The vendor credits Jesse Michael and Thomas Biege of SUSE. -- SPARC Platform -- Solaris 10: Apply patch 125332-03 or later. OpenSolaris: Fixed in build snv_89 or later. -- x86 Platform -- Solaris 10: Apply patch 125333-03 or later. OpenSolaris: Fixed in build snv_89 or later. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28136 VERIFY ADVISORY: http://secunia.com/advisories/28136/ CRITICAL: Highly critical IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page. 2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page. 3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 4) A race condition exists in the "CFURLWriteDataAndPropertiesToResource" API, which can lead to files being created with insecure permissions. 5) A boundary error exists in the printer driver for CUPS. This can be exploited to cause a buffer overflow and allows an admin user to execute arbitrary code with system privileges by passing a specially crafted URI to the CUPS service. 6) A boundary error in CUPS can be exploited by malicious people to compromise a vulnerable system. For more information: SA27233 7) An integer underflow error in the CUPS backend in the handling of SNMP responses can be exploited to cause a stack-based buffer overflow by sending a specially crafted SNMP response. Successful exploitation allows execution of arbitrary code, but requires that SNMP is enabled. 8) A boundary error in Desktop Services can be exploited to cause a heap-based buffer overflow when a user opens a directory containing a specially crafted .DS_Store file. Successful exploitation may allow execution of arbitrary code. 9) An input validation error in tar can be exploited by malicious people to compromise a user's system. For more information: SA26573 10) An unspecified error in iChat can be exploited by malicious people on the local network to initiate a video connection without the user's approval. 11) An unspecified error exists within IO Storage Family when handling GUID partition maps within a disk image. This can be exploited to execute arbitrary code when a user is enticed to open a specially crafted disk image. 12) Launch Services does not handle HTML files as potentially unsafe content. This can be exploited to disclose sensitive information or conduct cross-site scripting attacks by enticing a user to open a specially crafted HTML file. 13) A vulnerability in Mail in the handling of unsafe file types can be exploited to compromise a user's system. For more information: SA27785 14) An error in Mail can cause the application to default to SMTP plaintext authentication if the server supports only MD5 Challenge-Response authentication and plaintext authentication. 15) Some vulnerabilities in perl can be exploited by malicious people to compromise a vulnerable system. For more information: SA27546 16) A security issue in python can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA26837 17) Plug-ins in Quick Look are not restricted from making network requests. This may lead to the disclosure of sensitive information when previewing an HTML file. 18) URLs contained in movie files may be accessed when creating an icon for a movie file or previewing a movie file using QuickLook. 19) Some security issues in ruby can be exploited by malicious people to conduct spoofing attacks. For more information: SA26985 20) Some vulnerabilities and a security issue in Ruby on Rails can be exploited by malicious people to disclose sensitive information or to conduct session fixation attacks. For more information: SA25699 SA27781 21) An error in Safari allows a page to navigate the subframes of any other page. This can be exploited to conduct cross-site scripting attacks and to disclose sensitive information when a user visits a specially crafted web page. 22) An unspecified error in Safari in the handling of RSS feeds can be exploited to cause a memory corruption and may allow execution of arbitrary code when a user accesses a specially crafted URL. 23) Some boundary errors in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27450 24) Some boundary errors in the Shockwave Plug-in can be exploited by malicious people to compromise a user's system. For more information: SA19218 25) A boundary error in the processing of command line arguments to "mount_smbfs" and "smbutil" can be exploited to cause a stack-based buffer overflow and execute arbitrary code with system privileges. 26) The distribution definition file used in Software Update is received by using HTTP without any authentication and allows execution of arbitrary commands. Successful exploitation requires a MitM (Man-in-the-Middle) attack. 27) An error due to an insecure file operation exists in the handling of output files in SpinTracer. This may allow a malicious, local user to execute arbitrary code with system privileges. 28) An unspecified error exists in the Microsoft Office Spotlight Importer, which can be exploited to cause a memory corruption when a user downloads a specially crafted .xls file. Successful exploitation may allow execution of arbitrary code. 29) Some vulnerabilities in tcpdump can be exploited by malicious people to cause a DoS or to compromise a user's system. For more information: SA24318 SA26135 30) Some vulnerabilities exist the Perl Compatible Regular Expressions (PCRE) library used by XQuery, which can potentially be exploited to compromise a vulnerable system. Security Update 2007-009 (10.4.11 Universal): http://www.apple.com/support/downloads/securityupdate200700910411universal.html Security Update 2007-009 (10.4.11 PPC): http://www.apple.com/support/downloads/securityupdate200700910411ppc.html Security Update 2007-009 (10.5.1): http://www.apple.com/support/downloads/securityupdate20070091051.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sean Harding. 3) The vendor credits Tom Ferris, Adobe Secure Software Engineering Team (ASSET). 5) The vendor credits Dave Camp, Critical Path Software. 7) The vendor credits Wei Wang, McAfee Avert Labs. 12) The vendor credits Michal Zalewski, Google Inc. 13) The vendor credits Xeno Kovah, originally reported in Mac OS X 10.5 by heise Security. 15) The vendor credits Tavis Ormandy and Will Drewry, Google Security Team. 18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc. 26) Moritz Jodeit. 27) The vendor credits Kevin Finisterre, DigitalMunition ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307179 OTHER REFERENCES: SA19218: http://secunia.com/advisories/19218/ SA24318: http://secunia.com/advisories/24318/ SA25699: http://secunia.com/advisories/25699/ SA26135: http://secunia.com/advisories/26135/ SA26573: http://secunia.com/advisories/26573/ SA26837: http://secunia.com/advisories/26837/ SA26985: http://secunia.com/advisories/26985/ SA27233: http://secunia.com/advisories/27233/ SA27450: http://secunia.com/advisories/27450/ SA27543: http://secunia.com/advisories/27543/ SA27546: http://secunia.com/advisories/27546/ SA27781: http://secunia.com/advisories/27781/ SA27785: http://secunia.com/advisories/27785/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in cgi-bin/welcome (aka the login page) in Netgear SSL312 PROSAFE SSL VPN-Concentrator 25 allows remote attackers to inject arbitrary web script or HTML via the err parameter in the context of an error page. NETGEAR ProSafe SSL VPN Concentrator 25-SSL312 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. Request your account, the Secunia Network Software Inspector (NSI): http://secunia.com/network_software_inspector/ ---------------------------------------------------------------------- TITLE: Netgear SSL312 "err" Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA27238 VERIFY ADVISORY: http://secunia.com/advisories/27238/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote OPERATING SYSTEM: Netgear SSL312 http://secunia.com/product/16173/ DESCRIPTION: SkyOut has reported a vulnerability in Netgear SSL312, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "err" parameter in e.g. cgi-bin/welcome/XYZ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. SOLUTION: Filter malicious characters and character sequences in a web proxy. Do not follow untrusted links. PROVIDED AND/OR DISCOVERED BY: SkyOut ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2007-October/066633.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the FTP service in Sun StorEdge/StorageTek 3510 FC Array with firmware before 4.21 allows remote attackers, with access to the Ethernet management interface, to cause a denial of service (I/O request timeout and device hang) via unspecified vectors. Remote attackers may exploit this issue to deny service to legitimate users. Sun StorEdge 3510 FC Array with firmware version 4.21 is affected. If the above vulnerability is present, hosts requesting I/O services from the affected array may report I/O request timeouts and eventually go offline from the array, and a message similar to the following may appear in the array event log: Tue Jan 24 14:03: 06 2007 [Primary] Warning Memory Not Sufficient to Fully Support Current Config ... ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. Successful exploitation requires that the attacker has access to the management network to which the array's management Ethernet interface is connected to. The vulnerability is reported in firmware versions prior to 4.21. SOLUTION: Update to firmware 4.21, delivered in patch 113723-18 or later. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103106-1 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco CallManager 5.1.1.3000-5 does not verify the Digest authentication header URI against the Request URI in SIP messages, which allows remote attackers to use sniffed Digest authentication credentials to call arbitrary telephone numbers or spoof caller ID (aka "toll fraud and authentication forward attack"). CallManager and Openser are prone to a remote unauthorized-access vulnerability that may lead to toll fraud and caller-ID spoofing. A remote attacker can exploit this issue to initiate unauthorized phone calls and pretend to be a legitimate user. Cisco CallManager does not check that the URI provided by the user in the Digest-Authentication header matches the message's REQUEST-URI, and a malicious user could sniff the Digest-Authentication from a legitimate user and then call arbitrary extensions on behalf of that user. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. Request your account, the Secunia Network Software Inspector (NSI): http://secunia.com/network_software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco CallManager Authentication Header Hijacking Security Issue SECUNIA ADVISORY ID: SA27231 VERIFY ADVISORY: http://secunia.com/advisories/27231/ CRITICAL: Less critical IMPACT: Hijacking WHERE: >From local network SOFTWARE: Cisco Unified CallManager 5.x http://secunia.com/product/12535/ DESCRIPTION: A security issue has been reported in Cisco CallManager, which can be exploited by malicious people to hijack user sessions. The security issue is caused due to the improper processing of SIP messages and can be exploited to make calls from a hijacked account by requesting a URI containing a sniffed authentication header. The security issue is reported in Cisco CallManager system version 5.1.1.3000-5 and administration version 1.1.0.0-1. Other versions may also be affected. SOLUTION: Use Cisco CallManager in a trusted network environment only. PROVIDED AND/OR DISCOVERED BY: Humberto J. Abdelnur, Radu State, and Olivier Festor ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2007-October/066581.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in the Line Printer Daemon (LPD) in Cisco IOS before 12.2(18)SXF11, 12.4(16a), and 12.4(2)T6 allow remote attackers to execute arbitrary code by setting a long hostname on the target system, then causing an error message to be printed, as demonstrated by a telnet session to the LPD from a source port other than 515. The Cisco IOS Line Printer Daemon contains a buffer overflow vulnerability. If successfully exploited, this vulnerability may allow an attacker to execute arbitrary code or create a denial-of-service condition . (CSCsj86725)Arbitrary code may be executed. Cisco IOS is prone to a remote buffer-overflow vulnerability in its LPD service because it fails to perform adequate boundary checks on user-supplied data. Attackers could also restart the device, resulting in denial-of-service conditions. To exploit this issue, an attacker must be able to change the hostname of affected routers. SNMP write access may allow attackers to change the router's hostname. Versions prior to Cisco IOS 12.2(18)SXF11, 12.4(16a), and 12.4(2)T6 are vulnerable. This issue is being tracked by Cisco bug ID CSCsj86725. NOTE: This issue is related to the vulnerabilities described in BID 25994 (Cisco IOS Multiple Unspecified Stack Overflow Vulnerabilities). Remote attackers may use this vulnerability to control the device or cause the device to deny service. If any source TCP port other than 515 is connected, the following error will be displayed: $ telnet 172.30.3.101 515 Trying 172.30.3.101... Connected to 172.30.3.101 (172.30.3.101). Escape character is '^]'. hostname_of_the_router: /usr/lib/lpd: Malformed from address If the hostname is greater than or equal to 99 characters, it will overflow due to calling the sprintf() function. Although technically a stack overflow, since IOS allocates heap memory for the process stack, the overwritten memory is actually the heap. Since the heap memory is used as a stack, the hostname can overwrite the return address stored before the start of the character buffer in case of overflow, but for some reason the crash does not occur until the buffer reaches the red zone at the heap block boundary, so After a crash and a router reboot, the memory dump shows heap corruption. The hostname must be controlled to exploit this vulnerability. If SNMP is running on the device and you know the rw community string (usually the default value private), you can set the hostname as follows: $ snmpset -Os -c private -v 1 10.0.0.1 system.sysName.0 s long_hostname. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. Request your account, the Secunia Network Software Inspector (NSI): http://secunia.com/network_software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco IOS Line Printer Daemon Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA27169 VERIFY ADVISORY: http://secunia.com/advisories/27169/ CRITICAL: Not critical IMPACT: DoS, System access WHERE: >From local network OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/product/50/ Cisco IOS 12.x http://secunia.com/product/182/ DESCRIPTION: Andy Davis has reported a vulnerability in Cisco IOS, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. This can be exploited to cause a stack-based buffer overflow by e.g. connecting to the default LPD port (515/TCP). Successful exploitation may allow the execution of arbitrary code but requires that the LPD daemon is enabled (disabled by default) and that the attacker can control the hostname of the router. SOLUTION: Update to 12.2(18)SXF11, 12.4(16a), or 12.4(2)T6. PROVIDED AND/OR DISCOVERED BY: Andy Davis, IRM Plc. ORIGINAL ADVISORY: IRM Plc.: http://www.irmplc.com/index.php/155-Advisory-024 Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20071010-lpd.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The conversion utility for converting CiscoWorks Wireless LAN Solution Engine (WLSE) 4.1.91.0 and earlier to Cisco Wireless Control System (WCS) creates administrator accounts with default usernames and passwords, which allows remote attackers to gain privileges. Cisco Wireless Control System is prone to a vulnerability that permits an attacker to gain unauthorized administrative access to the affected device. This issue is being tracked by Cisco Bug ID CSCsj71081 An attacker could exploit this issue to gain unauthorized administrative access to the affected device. Successfully exploiting this issue will result in the complete compromise of the affected device. This issue affects Cisco Wireless Control System 4.1.91.0 and prior versions. Since there is no requirement to change these credentials during the transition, attackers can use these accounts with default credentials to gain full administrative control over WCS after transition

Cisco IOS is prone to multiple unspecified stack-overflow vulnerabilities. A successful attack may allow the attacker to execute arbitrary code and gain unauthorized access to the device. The attacker can also leverage this issue to cause an affected device to reload, denying service to legitimate users. The researchers responsible for these discoveries have stated that there are numerous other IOS security issues that will be released in the near future. NOTE: Judging by the limited information in the security advisory that induced this alert, we assume that all of Cisco IOS 12.x and IOS XR versions are affected by these issues. We cannot verify this at this time. We will update this information when more details emerge.

Cross-site scripting (XSS) vulnerability in the Linksys SPA941 VoIP Phone with firmware 5.1.8 allows remote attackers to inject arbitrary web script or HTML via the From header in a SIP message. Linksys SPA941 devices are prone to an HTML-injection vulnerability because the built-in webserver fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would execute in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible. Linksys SPA941 devices with firmware version 5.1.8 are vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. Request your account, the Secunia Network Software Inspector (NSI): http://secunia.com/network_software_inspector/ ---------------------------------------------------------------------- TITLE: Linksys SPA941 Script Insertion Vulnerability SECUNIA ADVISORY ID: SA27116 VERIFY ADVISORY: http://secunia.com/advisories/27116/ CRITICAL: Moderately critical IMPACT: Cross Site Scripting WHERE: >From remote OPERATING SYSTEM: Linksys SPA941 VoIP Phone http://secunia.com/product/14032/ DESCRIPTION: Radu State has reported a vulnerability in Linksys SPA941, which can be exploited by malicious people to conduct script insertion attacks. Input passed via the "From" field in a SIP message is not properly sanitised before being displayed in the integrated web interface of the device. SOLUTION: Do not use the call history in the integrated web interface. PROVIDED AND/OR DISCOVERED BY: Radu State ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2007-October/066430.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Tomcat 4.1-based Servlet Service in Fujitsu Interstage Application Server 7.0 through 9.0.0 and Interstage Apworks/Studio 7.0 through 9.0.0 allows remote attackers to obtain sensitive information (web root path) via unspecified vectors that trigger an error message, probably related to enabling the useCanonCaches Java Virtual Machine (JVM) option. Interstage Application Server is prone to a path-disclosure vulnerability. Exploiting this issue can allow an attacker to access sensitive data that may be used to launch further attacks against a vulnerable computer. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. Request your account, the Secunia Network Software Inspector (NSI): http://secunia.com/network_software_inspector/ ---------------------------------------------------------------------- TITLE: Interstage Application Server Full Path Disclosure Weakness SECUNIA ADVISORY ID: SA27136 VERIFY ADVISORY: http://secunia.com/advisories/27136/ CRITICAL: Not critical IMPACT: Exposure of system information WHERE: >From remote SOFTWARE: Interstage Application Server 7.x http://secunia.com/product/13692/ Interstage Application Server 8.x http://secunia.com/product/13685/ Interstage Application Server 9.x http://secunia.com/product/15986/ Interstage Apworks 7.x http://secunia.com/product/13689/ Interstage Apworks 8.x http://secunia.com/product/15987/ Interstage Studio 8.x http://secunia.com/product/13690/ Interstage Studio 9.x http://secunia.com/product/15610/ DESCRIPTION: A weakness has been reported in Interstage Application Server, which can be exploited by malicious people to disclose system information. The weakness is caused due to the full web server path being disclosed in error messages when performing certain unspecified actions on the web server. Please see the vendor advisory for a list of affected products. SOLUTION: The vendor will reportedly address this issue in future versions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.fujitsu.com/global/support/software/security/products-f/interstage-200705e.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in cgi/b/ic/connect in the Thomson SpeedTouch 716 with firmware 5.4.0.14 allows remote attackers to inject arbitrary web script or HTML via the url parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. BT Home Hub and Thomson/Alcatel Speedtouch 7G routers are prone to multiple web-interface vulnerabilities, including a cross-site request-forgery issue, a cross-site scripting issue, multiple HTML-injection issues, and multiple authentication-bypass issues. Successful exploits of many of these issues will allow an attacker to completely compromise the affected device. These issues affect the BT Home Hub and Thomson/Alcatel Speedtouch 7G routers. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Input passed to the "url" parameter in /cgi/b/ic/connect/ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability is reported in firmware version 5.4.0.14. Other versions may also be affected. SOLUTION: Do not browse untrusted websites or follow untrusted links. PROVIDED AND/OR DISCOVERED BY: Remco ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Thomson/Alcatel SpeedTouch 7G router, as used for the BT Home Hub 6.2.6.B and earlier, allows remote attackers on an intranet to bypass authentication and gain administrative access via vectors including a '/' (slash) character at the end of the PATH_INFO to cgi/b, aka "double-slash auth bypass." NOTE: remote attackers outside the intranet can exploit this by leveraging a separate CSRF vulnerability. NOTE: SpeedTouch 780 might also be affected by some of these issues. BT Home Hub and Speedtouch 7G are both home wireless Internet routers.  Multiple security vulnerabilities exist in BT Home Hub and SpeedTouch 7G routers, allowing malicious users to perform cross-site footsteps, cross-site request spoofing, script injection attacks, or bypass certain security restrictions.  1) Input validation errors when processing URLs may allow attackers to access and change password-protected resources, such as configuration and settings pages, through specially crafted URLs containing two slashes.  2) Failure to perform proper filtering before recording the login user name may allow the injection of arbitrary HTML and script code. If the user browses the log, it will be executed in the user's browser session.  3) As the input to the name parameter is not properly filtered, arbitrary HTML and script code may be executed in the user's browser session.  4) Failure to properly filter the input of url parameters in the cgi / b / ic / connect / file may result in the execution of arbitrary HTML and script code in the user's browser session.  5) The device does not perform validity checks on user requests, allowing users to perform certain operations through HTTP requests. If the logged-in administrator visits a malicious site, this may cause the administrator password to be changed.  6) Users can directly access certain pages, such as the Wireless Security page, through the URL without authentication.  7) The administrative user can save the backup or load the configuration file through the URL, and these files should only be accessed by the tech account. Successful exploits of many of these issues will allow an attacker to completely compromise the affected device. NOTE: '/' (slash) vectors are covered by CVE-2007-5383

Multiple cross-site request forgery (CSRF) vulnerabilities in the Thomson/Alcatel SpeedTouch 7G router, as used for the BT Home Hub 6.2.6.B and earlier, allow remote attackers to perform actions as administrators via unspecified POST requests, as demonstrated by enabling an inbound remote-assistance HTTPS session on TCP port 51003. NOTE: an authentication bypass can be leveraged to exploit this in the absence of an existing administrative session. NOTE: SpeedTouch 780 might also be affected by some of these issues. BT Home Hub and Thomson/Alcatel Speedtouch 7G routers are prone to multiple web-interface vulnerabilities, including a cross-site request-forgery issue, a cross-site scripting issue, multiple HTML-injection issues, and multiple authentication-bypass issues. Successful exploits of many of these issues will allow an attacker to completely compromise the affected device. These issues affect the BT Home Hub and Thomson/Alcatel Speedtouch 7G routers

Multiple cross-site scripting (XSS) vulnerabilities in the Thomson/Alcatel SpeedTouch 7G router, as used for the BT Home Hub 6.2.6.B and earlier, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. BT Home Hub Used in etc. Successful exploits of many of these issues will allow an attacker to completely compromise the affected device

Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware 2.43 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to the default URI associated with a directory, as demonstrated by (a) the root directory and (b) the view/ directory; (2) parameters associated with saved settings, as demonstrated by (c) the conf_Network_HostName parameter on the Network page and (d) the conf_Layout_OwnTitle parameter to ServerManager.srv; and (3) the query string to ServerManager.srv, which is displayed on the logs page. NOTE: an attacker can leverage a CSRF vulnerability to modify saved settings. (1) The default associated with the directory URI Against PATH_INFO (2) Parameters related to saved settings (3) ServerManager.srv Query string for. 2100 Network Camera is prone to a cross-site scripting vulnerability. The query string of srv will be displayed on the page

Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware before 2.43 allow remote attackers to inject arbitrary web script or HTML via (1) parameters associated with saved settings, as demonstrated by the conf_SMTP_MailServer1 parameter to ServerManager.srv; or (2) the subpage parameter to wizard/first/wizard_main_first.shtml. NOTE: an attacker can leverage a CSRF vulnerability to modify saved settings. Exploiting these issues could allow an attacker to execute arbitrary script code in the context of the webserver process, control how the site is rendered to the user, compromise the application, obtain sensitive information, and access or modify data. These issues affect 2100 Network Cameras with firmware version 2.43; other firmware versions and models may also be affected

Multiple cross-site request forgery (CSRF) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware 2.43 and earlier allow remote attackers to perform actions as administrators, as demonstrated by (1) an SMTP server change through the conf_SMTP_MailServer1 parameter to ServerManager.srv and (2) a hostname change through the conf_Network_HostName parameter on the Network page. AXIX 2100 Network Camera Contains a cross-site scripting vulnerability.An action could be taken by a third party as an administrator. Axis Communications 2100 Network Camera is prone to multiple input-validation vulnerabilities, including a cross-site scripting issue, multiple HTML-injection issues, and a cross-site request-forgery issue, because the application fails to properly sanitize user-supplied input. Exploiting these issues could allow an attacker to execute arbitrary script code in the context of the webserver process, control how the site is rendered to the user, compromise the application, obtain sensitive information, and access or modify data. These issues affect 2100 Network Cameras with firmware version 2.43; other firmware versions and models may also be affected

F-Secure Anti-Virus for Windows Servers 7.0 64-bit edition allows local users to bypass virus scanning by using the system32 directory to store a crafted (1) archive or (2) packed executable. NOTE: in many environments, this does not cross privilege boundaries because any process able to write to system32 could also shut off F-Secure Anti-Virus. F-Secure Anti-Virus for Windows Servers is prone to a vulnerability that may allow certain malware to bypass detection. An attacker may exploit this issue by placing maliciously crafted archives or packed executables in specific locations on a victim's computer. Successful exploits will allow attackers to place on the computer malicious code that the antivirus application will fail to detect. If this code is subsequently run, this may result in a malware infection. F-Secure Anti-Virus for Windows Servers 7.0 is affected by this issue. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. Request your account, the Secunia Network Software Inspector (NSI): http://secunia.com/network_software_inspector/ ---------------------------------------------------------------------- TITLE: F-Secure Archives and Packed Executables Detection Bypass SECUNIA ADVISORY ID: SA26948 VERIFY ADVISORY: http://secunia.com/advisories/26948/ CRITICAL: Not critical IMPACT: Security Bypass WHERE: >From remote SOFTWARE: F-Secure Anti-Virus for Windows Servers 7.x http://secunia.com/product/14382/ DESCRIPTION: A vulnerability has been reported in F-Secure Anti-Virus, which can be exploited by malware to bypass the scanning functionality. The vulnerability only affects 64-bit server platforms. SOLUTION: Apply patch. ftp://ftp.f-secure.com/support/hotfix/fsav/fsav720-01-signed.fsfix PROVIDED AND/OR DISCOVERED BY: The vendor credits Mr Papadorotheoun. ORIGINAL ADVISORY: http://www.f-secure.com/security/fsc-2007-6.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------