VARIoT IoT vulnerabilities database


VAR-200605-0368 CVE-2006-2531 Ipswitch WhatsUp Professional Authentication bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Ipswitch WhatsUp Professional 2006 only verifies the user's identity via HTTP headers, which allows remote attackers to spoof being a trusted console and bypass authentication by setting the HTTP User-Agent header to "Ipswitch/1.0" and the User-Application header to "NmConsole".

Ipswitch WhatsUp Professional 2006 is susceptible to a remote authentication-bypass vulnerability. This issue allows remote attackers to gain administrative access to the web-based administrative interface of the application, which will aid them in further network attacks.

WhatsUp Professional is a tool developed by Ipswitch to monitor the network status of TCP/IP, NetBEUI and IPX networks. What's Up Professional 2006 has an authentication bypass vulnerability: an attacker can bypass the authentication mechanism and log in without credentials. By sending HTTP requests with specially crafted headers, an attacker can trick the application into believing that the request is coming from the console, which is trusted.
VAR-200605-0287 CVE-2006-2490 Mobotix IP Camera Multiple Cross-Site Scripting Vulnerabilities CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Mobotix IP Network Cameras M1 1.9.4.7 and M10 2.0.5.2, and other versions before 2.2.3.18 for M10/D10 and 3.0.3.31 for M22, allow remote attackers to inject arbitrary web script or HTML via URL-encoded values in (1) the query string to help/help, (2) the get_image_info_abspath parameter to control/eventplayer, and (3) the source_ip parameter to events.tar.

The Mobotix IP camera is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the device to properly sanitize user-supplied input. An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. A remote attacker can inject arbitrary web scripts or HTML.

Some input isn't properly sanitised before being returned to the user. Examples:
http://[host]/help/help?%3CBODY%20ONLOAD=[code]%3E
http://[host]/control/events.tar?source_ip=%3CBODY%20ONLOAD=[code]%3E&download=egal
http://[host]/control/eventplayer?get_image_info_abspath=%3CBODY%20ONLOAD=[code]%3E

The vulnerabilities have been reported in version 2.0.5.2 for the M10 series and in version 1.9.4.7 for the M1 series. Other versions may also be affected.
SOLUTION: Filter malicious characters and character sequences in a proxy server or firewall with URL filtering capabilities.
PROVIDED AND/OR DISCOVERED BY: Jaime Blasco
ORIGINAL ADVISORY: http://www.eazel.es/media/advisory001.html
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
VAR-200605-0309 CVE-2006-2512 ILF Hitachi EUR Unknown SQL Injection Vulnerability CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
SQL injection vulnerability in Hitachi EUR Professional Edition, EUR Viewer, EUR Print Service, and EUR Print Service for ILF allows remote authenticated users to execute arbitrary SQL commands via unknown attack vectors.

Hitachi EUR is prone to an SQL-injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query. A successful attack could allow an attacker to compromise the application, access or modify data, gain administrative access to the application, or exploit vulnerabilities in the underlying database implementation.

This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability has been reported in the following products:
* EUR Professional Edition version 05-00 through 05-06 (Windows).
* EUR Viewer version 05-00 through 05-06 (Windows).
* (Windows).
* (Linux/AIX/HP-UX/Solaris).
Contact the vendor to obtain the fixed versions.
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: http://www.hitachi-support.com/security_e/vuls_e/HS06-010_e/index-e.html
VAR-200605-0054 CVE-2006-2352 IPswitch WhatsUp Professional Multiple cross-site scripting attacks (XSS) Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in IPswitch WhatsUp Professional 2006 and WhatsUp Professional 2006 Premium allow remote attackers to inject arbitrary web script or HTML via unknown vectors in (1) NmConsole/Tools.asp and (2) NmConsole/DeviceSelection.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

1) Input passed to NmConsole/Navigation.asp and to the "sHostname" parameter in NmConsole/ToolResults.asp is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site.
Example: http://[host]:8022/NmConsole/Navigation.asp?">[code]

2) Input passed to NmConsole/Tools.asp and NmConsole/DeviceSelection.asp is also not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site.

3) It's possible to disclose monitored devices without being logged in by passing arbitrary values to the "nDeviceGroupID" parameter in "NmConsole/utility/RenderMap.asp".
Example: http://[host]:8022/NmConsole/utility/RenderMap.asp?nDeviceGroupID=2

4) Input passed to the "sRedirectUrl" and "sCancelURL" parameters in NmConsole/DeviceSelection.asp is not properly verified, which makes it possible to redirect a user to an arbitrary web site. It is also possible to disclose the source code of the ASP pages by appending a period to the end of the file extension.

5) Different error messages are returned during login to "NmConsole/Login.asp" depending on whether the supplied username or password is incorrect.

6) It is possible to disclose path information in 404 error messages returned by the service.
Example: http://[host]:8022/NmConsole

The vulnerabilities and weaknesses have been confirmed in WhatsUp Professional 2006.
SOLUTION: Restrict access to port 8022/tcp and don't visit other web sites while logged in.
PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) David Maciejak; 2, 5, 6) Reported by an anonymous person.
VAR-200605-0055 CVE-2006-2353 Ipswitch WhatsUp Professional DeviceSelection.asp URL Redirecting vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
NmConsole/DeviceSelection.asp in Ipswitch WhatsUp Professional 2006 and WhatsUp Professional 2006 Premium allows remote attackers to redirect users to other websites via the (1) sCancelURL and possibly (2) sRedirectUrl parameters.

TITLE: WhatsUp Professional Cross-Site Scripting and Information Disclosure
SECUNIA ADVISORY ID: SA20075
VERIFY ADVISORY: http://secunia.com/advisories/20075/
CRITICAL: Less critical
IMPACT: Cross Site Scripting
WHERE: From remote
SOFTWARE: Ipswitch WhatsUp Professional 2006 http://secunia.com/product/9917/
Ipswitch WhatsUp Professional 2006 Premium http://secunia.com/product/9918/
DESCRIPTION: Some vulnerabilities and weaknesses have been discovered in WhatsUp Professional, which can be exploited by malicious people to gain knowledge of certain information or conduct cross-site scripting attacks. The itemised findings 1) to 6) of this advisory are quoted in full under CVE-2006-2352 above; the redirect described by this record is item 4: input passed to the "sRedirectUrl" and "sCancelURL" parameters in NmConsole/DeviceSelection.asp is not properly verified, which makes it possible to redirect a user to an arbitrary web site.
SOLUTION: Restrict access to port 8022/tcp and don't visit other web sites while logged in.
PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) David Maciejak; 2, 5, 6) Reported by an anonymous person.
VAR-200605-0056 CVE-2006-2354 Ipswitch WhatsUp Professional Login.asp Information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
NmConsole/Login.asp in Ipswitch WhatsUp Professional 2006 and Ipswitch WhatsUp Professional 2006 Premium generates different error messages in a way that allows remote attackers to enumerate valid usernames. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. WhatsUp Professional 2005 is prone to a remote security vulnerability.

This issue is item 5 of Secunia advisory SA20075 (WhatsUp Professional Cross-Site Scripting and Information Disclosure), quoted in full under CVE-2006-2352 above: different error messages are returned during login to "NmConsole/Login.asp" depending on whether the supplied username or password is incorrect. The vulnerabilities and weaknesses have been confirmed in WhatsUp Professional 2006.
SOLUTION: Restrict access to port 8022/tcp and don't visit other web sites while logged in.
PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) David Maciejak; 2, 5, 6) Reported by an anonymous person.
VAR-200605-0057 CVE-2006-2355 Ipswitch WhatsUp Professional 404 Error message Information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Ipswitch WhatsUp Professional 2006 and Ipswitch WhatsUp Professional 2006 Premium allow remote attackers to obtain full path information via 404 error messages. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

This issue is item 6 of Secunia advisory SA20075 (WhatsUp Professional Cross-Site Scripting and Information Disclosure), quoted in full under CVE-2006-2352 above: it is possible to disclose path information in 404 error messages returned by the service. Example: http://[host]:8022/NmConsole
SOLUTION: Restrict access to port 8022/tcp and don't visit other web sites while logged in.
PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) David Maciejak; 2, 5, 6) Reported by an anonymous person.
VAR-200605-0058 CVE-2006-2356 Ipswitch WhatsUp Professional RenderMap.asp Information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
NmConsole/utility/RenderMap.asp in Ipswitch WhatsUp Professional 2006 and WhatsUp Professional 2006 Premium allows remote attackers to obtain sensitive information about network nodes via a modified nDeviceGroupID parameter. WhatsUp is prone to an information disclosure vulnerability.

This issue is item 3 of Secunia advisory SA20075 (WhatsUp Professional Cross-Site Scripting and Information Disclosure), quoted in full under CVE-2006-2352 above: it's possible to disclose monitored devices without being logged in by passing arbitrary values to the "nDeviceGroupID" parameter in "NmConsole/utility/RenderMap.asp". Example: http://[host]:8022/NmConsole/utility/RenderMap.asp?nDeviceGroupID=2
The vulnerabilities and weaknesses have been confirmed in WhatsUp Professional 2006.
SOLUTION: Restrict access to port 8022/tcp and don't visit other web sites while logged in.
PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) David Maciejak; 2, 5, 6) Reported by an anonymous person.
VAR-200605-0059 CVE-2006-2357 Ipswitch WhatsUp Professional Login.asp Information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Ipswitch WhatsUp Professional 2006 and WhatsUp Professional 2006 Premium allow remote attackers to obtain source code for scripts via a trailing dot in a request to NmConsole/Login.asp.

This issue is the source-code disclosure noted under item 4 of Secunia advisory SA20075 (WhatsUp Professional Cross-Site Scripting and Information Disclosure), quoted in full under CVE-2006-2352 above: it is possible to disclose the source code of the ASP pages by appending a period to the end of the file extension. The vulnerabilities and weaknesses have been confirmed in WhatsUp Professional 2006.
SOLUTION: Restrict access to port 8022/tcp and don't visit other web sites while logged in.
PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) David Maciejak; 2, 5, 6) Reported by an anonymous person.
VAR-200605-0053 CVE-2006-2351 Ipswitch WhatsUp Professional Multiple cross-site scripting attacks (XSS) Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in IPswitch WhatsUp Professional 2006 and WhatsUp Professional 2006 Premium allow remote attackers to inject arbitrary web script or HTML via the (1) sDeviceView or (2) nDeviceID parameter to (a) NmConsole/Navigation.asp or (3) sHostname parameter to (b) NmConsole/ToolResults.asp.

WhatsUp Professional is prone to multiple input-validation vulnerabilities. The issues include remote file-include, information-disclosure, source-code disclosure, cross-site scripting, and input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. Successful exploits of these vulnerabilities could allow an attacker to access or modify data, steal cookie-based authentication credentials, perform username-enumeration, access sensitive information, and gain unauthorized access to script source code. Other attacks are also possible.

This issue is item 1 of Secunia advisory SA20075 (WhatsUp Professional Cross-Site Scripting and Information Disclosure), quoted in full under CVE-2006-2352 above: input passed to NmConsole/Navigation.asp and to the "sHostname" parameter in NmConsole/ToolResults.asp is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site. Example: http://[host]:8022/NmConsole/Navigation.asp?">[code]
The vulnerabilities and weaknesses have been confirmed in WhatsUp Professional 2006.
SOLUTION: Restrict access to port 8022/tcp and don't visit other web sites while logged in.
PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) David Maciejak; 2, 5, 6) Reported by an anonymous person.
VAR-200605-0112 CVE-2006-2341 Symantec Enterprise Firewall Inside IP Address disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The HTTP proxy in Symantec Gateway Security 5000 Series 2.0.1 and 3.0, and Enterprise Firewall 8.0, when NAT is being used, allows remote attackers to determine internal IP addresses by using malformed HTTP requests, as demonstrated using a GET request without a space separating the URI.

Symantec Enterprise Firewall and Gateway Security products are prone to an information-disclosure weakness. The vendor has reported that the NAT/HTTP proxy component of the products may reveal the internal IP addresses of protected computers. An attacker may use this information to carry out targeted attacks against a potentially vulnerable host. The weakness is caused due to an error when generating responses to certain HTTP requests.
SOLUTION: Apply product updates. http://www.symantec.com/techsupp/enterprise/select_product_updates.html
PROVIDED AND/OR DISCOVERED BY: The vendor credits Bernhard Mueller.
ORIGINAL ADVISORY: Symantec: http://securityresponse.symantec.com/avcenter/security/Content/2006.05.10.html
VAR-200605-0093 CVE-2006-2322 Cisco Application Velocity System Open TCP Proxy server function default allocation Input validation vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The transparent proxy feature of the Cisco Application Velocity System (AVS) 3110 5.0 and 4.0 and earlier, and 3120 5.0.0 and earlier, has a default configuration that allows remote attackers to proxy arbitrary TCP connections, aka Bug ID CSCsd32143. This software fails to allow only valid TCP ports to be used by remote users. Remote attackers may use the affected software as an open TCP proxy. Attackers have exploited this to send unsolicited commercial email (UCE). Versions of AVS prior to 5.0.1 are vulnerable to this issue. The problem is caused due to insecure default settings allowing anyone to use the device as an open relay to any TCP service able to process data embedded in HTTP POST requests. The security issue affects the following products: * AVS 3110 versions 4.0 and 5.0 (and prior) * AVS 3120 version 5.0.0 (and prior) NOTE: According to Cisco PSIRT, the security issue is actively exploited to send unsolicited commercial e-mails and obscure the true originator. SOLUTION: Update to version 5.0.1. Software for AVS 3110: http://www.cisco.com/pcgi-bin/tablebuild.pl/AVS3110-5.0.1 Software for AVS 3120: http://www.cisco.com/pcgi-bin/tablebuild.pl/AVS3120-5.0.1 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060510-avs.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. 
VAR-200605-0169 CVE-2006-2316 Intel PROset/Wireless S24EvMon.exe Local information disclosure vulnerability CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
S24EvMon.exe in the Intel PROset/Wireless software, possibly 10.1.0.33, uses a S24EventManagerSharedMemory shared memory section with weak permissions, which allows local users to read or modify passwords or other data, or cause a denial of service. Intel PROset/Wireless software is susceptible to a local information-disclosure vulnerability. This issue is due to insecure permissions being applied to shared-memory segments. This issue allows local, unprivileged attackers to gain access to potentially sensitive network configuration and authentication information. Information gathered by exploiting this issue will aid them in further attacks. Version 10.1.0.33 of the Intel PROset/Wireless software is vulnerable to this issue; other versions may also be affected.
The vulnerability is caused by insecure default permissions on the "\BaseNamedObjects\S24EventManagerSharedMemory" shared section used by the Wireless Management Service (S24EvMon.exe). This makes it possible for an unprivileged user to obtain information about the wireless configuration, e.g. WEP keys. The vulnerability has been confirmed in version 10.1.0.33.
SOLUTION: Restrict access to affected systems.
PROVIDED AND/OR DISCOVERED BY: Rubén Santamarta
ORIGINAL ADVISORY: http://www.reversemode.com/index.php?option=com_content&task=view&id=10&Itemid=1
VAR-200605-0018 CVE-2006-2276 Quagga BGPD Local Denial Of Service Vulnerability CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
bgpd in Quagga 0.98 and 0.99 before 20060504 allows local users to cause a denial of service (CPU consumption) via a certain sh ip bgp command entered in the telnet interface.
------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that it includes vulnerability information other than that named in the title. ------------
Quagga and GNU Zebra are collections of daemons that support the basic TCP/IP routing protocols. Among them are RIPd and bgpd, the daemons that handle the RIP and BGP protocols. Quagga and GNU Zebra have several security issues:
1) The RIPd daemon responds to RIPv1 requests even when it is configured for RIPv2 only, regardless of whether authentication is enabled. (CVE-2006-2223) A remote attacker exploiting this may obtain routing information illegitimately using packets such as SEND UPDATE or REQUEST.
2) The RIPd daemon accepts unauthenticated RIPv1 packets even when RIPv2 authentication is enabled. (CVE-2006-2224) A remote attacker exploiting this may illegitimately modify the RIP routing table using RIPv1 RESPONSE packets.
(CVE-2006-2276) If exploited by a local attacker, the target system can eventually become unable to provide service. Please refer to the "Overview" for the impact of this vulnerability.
Quagga is prone to a local denial-of-service vulnerability. An attacker can exploit this issue by using commands that cause the consumption of a large amount of CPU resources. An attacker may cause the application to crash, thus denying service to legitimate users. Version 0.98.3 is vulnerable; other versions may also be affected.
Debian Security Advisory DSA 1059-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
May 19th, 2006 http://www.debian.org/security/faq
Package : quagga
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2006-2223 CVE-2006-2224 CVE-2006-2276
BugTraq ID : 17808
Debian Bugs : 365940 366980
Konstantin Gavrilenko discovered several vulnerabilities in quagga, the BGP/OSPF/RIP routing daemon. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2006-2223 Remote attackers may obtain sensitive information via RIPv1 REQUEST packets even if the quagga has been configured to use MD5 authentication.
CVE-2006-2224 Remote attackers could inject arbitrary routes using the RIPv1 RESPONSE packet even if the quagga has been configured to use MD5 authentication.
The old stable distribution (woody) does not contain quagga packages. For the stable distribution (sarge) these problems have been fixed in version 0.98.3-7.2. For the unstable distribution (sid) these problems have been fixed in version 0.99.4-1. We recommend that you upgrade your quagga package.
Upgrade Instructions
wget url will fetch the file for you
dpkg -i file.deb will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:
apt-get update will update the internal database
apt-get upgrade will install corrected packages
You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
These files will probably be moved into the stable distribution on its next update.
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
Gentoo Linux Security Advisory GLSA 200605-15
http://security.gentoo.org/
Severity: Normal
Title: Quagga Routing Suite: Multiple vulnerabilities
Date: May 21, 2006
Bugs: #132353
ID: 200605-15
Synopsis
========
Quagga's RIP daemon allows the injection of routes and the disclosure of routing information. The BGP daemon is vulnerable to a Denial of Service.
Background
==========
The Quagga Routing Suite implements three major routing protocols: RIP (v1/v2/v3), OSPF (v2/v3) and BGP4.
Gavrilenko discovered two flaws in the Routing Information Protocol (RIP) daemon that allow the processing of RIP v1 packets (carrying no authentication) even when the daemon is configured to use MD5 authentication or, in another case, even if RIP v1 is completely disabled.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Quagga users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/quagga-0.98.6-r1"
References
==========
[ 1 ] CVE-2006-2223 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2223
[ 2 ] CVE-2006-2224 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2224
[ 3 ] CVE-2006-2276 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2276
[ 4 ] Official release information http://www.quagga.net/news2.php?y=2006&m=5&d=8#id1147115280
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200605-15.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.
License
=======
Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
VAR-200605-0001 CVE-2006-0561 Cisco Secure Access Control Server for Windows Password cracking vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Cisco Secure Access Control Server (ACS) 3.x for Windows stores ACS administrator passwords and the master key in the registry with insecure permissions, which allows local users and remote administrators to decrypt the passwords by using Microsoft's cryptographic API functions to obtain the plaintext version of the master key. Cisco Secure ACS is susceptible to an insecure password-storage vulnerability. This issue is due to a failure of the application to properly secure sensitive password information. This issue allows attackers to gain access to encrypted passwords and to the key used to encrypt them. This allows them to obtain the plaintext passwords, aiding them in attacking other services that depend on the ACS server for authentication.
Symantec Vulnerability Research https://www.symantec.com/research
Security Advisory
Advisory ID : SYMSA-2006-003
Advisory Title: Cisco Secure ACS for Windows - Administrator Password Disclosure
Author : Andreas Junestam
Release Date : 05-08-2006
Application : Cisco Secure ACS 3.x for Windows
Platform : Microsoft Windows
Severity : System access / exploit available
Vendor status : Vendor verified, workaround available
CVE Number : CVE-2006-0561
Reference : http://www.securityfocus.com/bid/16743
Overview: Cisco Secure ACS is a central administration platform for Cisco network devices. It controls authentication and authorization for enrolled devices. Administrative passwords for locally-defined users are stored in such a way that they can be obtained from the Windows registry. If remote registry access is enabled, this can be done over the network. The passwords are encrypted using the Crypto API Microsoft Base Cryptographic Provider v1.0. This information can easily be obtained locally by a Windows administrator, and if remote registry access is enabled, it can be obtained over the network.
With this, the clear-text passwords can be recovered by decrypting the information in the registry with the supplied key. A locally generated master key is used to encrypt/decrypt the ACS administrator passwords. The master key is also stored in the Windows registry in an encrypted format.
One feature of Windows operating systems is the ability to modify the permissions of a registry key to remove access even for local or domain administrators. The following registry key and all of its sub-keys need to be protected:
HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators
Note: The "CiscoAAAv3.3" portion of the registry key path may differ slightly depending on the version of Cisco Secure ACS for Windows that is installed. The Windows users that need permissions to the registry key will depend on the deployment type. For information about editing the Windows registry, please consult the following Microsoft documentation. For information on restricting remote registry access, please consult the following Microsoft documentation.
"How to restrict access to the registry from a remote computer" http://support.microsoft.com/kb/q153183
"How to Manage Remote Access to the Registry" http://support.microsoft.com/kb/q314837
Recommendation: Follow your organization's testing procedures before applying patches or workarounds. See Cisco's instructions on how to place an ACL on the Registry Key, and also how to restrict remote access to the Windows registry. These recommendations do not eliminate the vulnerability, but provide some mitigation.
Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE-2006-0561
Symantec Vulnerability Research Advisory Information
For questions about this advisory, or to report an error: research@symantec.com
For details on Symantec's Vulnerability Reporting Policy: http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf
Symantec Vulnerability Research Advisory Archive: http://www.symantec.com/research/
Symantec Vulnerability Research PGP Key: http://www.symantec.com/research/Symantec_Vulnerability_Research_PGP.asc
Symantec Product Advisory Information
To Report a Security Vulnerability in a Symantec Product: secure@symantec.com
For general information on Symantec's Product Vulnerability reporting and response: http://www.symantec.com/security/
Symantec Product Advisory Archive: http://www.symantec.com/avcenter/security/SymantecAdvisories.html
Symantec Product Advisory PGP Key: http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc
Copyright (c) 2006 by Symantec Corp. Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Consulting Services. Reprinting the whole or part of this alert in any medium other than electronically requires permission from cs_advisories@symantec.com.
VAR-200605-0002 CVE-2006-0515 Cisco PIX Firewall URL filtering bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco PIX/ASA 7.1.x before 7.1(2) and 7.0.x before 7.0(5), PIX 6.3.x before 6.3.5(112), and FWSM 2.3.x before 2.3(4) and 3.x before 3.1(7), when used with Websense/N2H2, allows remote attackers to bypass HTTP access restrictions by splitting the GET method of an HTTP request into multiple packets, which prevents the request from being sent to Websense for inspection, aka bugs CSCsc67612, CSCsc68472, and CSCsd81734. Multiple Cisco products are susceptible to a content-filtering bypass vulnerability. This issue is due to a failure of the software to properly recognize HTTP request traffic. This issue allows users to bypass content-filtering and access forbidden websites. Cisco is tracking this issue as Bug IDs CSCsc67612, CSCsc68472, and CSCsd81734. http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd81734. Cisco PIX is a very popular network firewall, and FWSM is a firewall service module on Cisco equipment. Attackers can use this vulnerability to bypass Websense content inspection and filtering.
George D. Gal has reported a vulnerability in Cisco PIX/ASA/FWSM, which can be exploited by malicious people to bypass certain security restrictions. Successful exploitation requires that PIX, ASA, or FWSM are configured to use Websense/N2H2 for content filtering. The vulnerability is reported in:
* Cisco PIX/ASA software version 7.x.
* Cisco FWSM software version 2.3 and 3.1.
SOLUTION: Update to the fixed versions.
FWSM version 2.3: Update to version 2.3(4). http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-fwsm?psrtdcat20e2
FWSM version 3.1: Update to version 3.1(1.7). Contact Cisco TAC or Cisco support partner for the updates.
PIX version 6.3.x: Update to version 6.3.5(112). Contact Cisco TAC or Cisco support partner for the updates.
PIX/ASA version 7.x: Update to version 7.0(5) or 7.1(2). http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2 http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2
PROVIDED AND/OR DISCOVERED BY: George D. Gal
ORIGINAL ADVISORY:
Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060508-pix.shtml
Virtual Security Research, LLC: http://www.vsecurity.com/bulletins/advisories/2006/cisco-websense-bypass.txt
Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory
Advisory Name: WebSense content filter bypass when deployed in conjunction with Cisco filtering devices
Release Date: 2006-05-08
Application: Websense in Conjunction with Cisco PIX
Version: Websense 5.5.2, Cisco PIX OS / ASA < 7.0.4.12, Cisco PIX OS < 6.3.5(112), FWSM 2.3.x, FWSM 3.x (other versions untested)
Severity: Low
Author: George D. Gal <ggal_at_vsecurity.com>
Vendor Status: Vendor Notified, Fix Available
CVE Candidate: CVE-2006-0515
Reference: http://www.vsecurity.com/bulletins/advisories/2006/cisco-websense-bypass.txt
Product Description: From the WebSense website[1]: "Websense Enterprise, the industry-leading web filtering solution, improves employee productivity, reduces legal liability, and optimizes the use of IT resources. Websense Enterprise integrates seamlessly with leading network infrastructure products to offer unequaled flexibility and control."
Vulnerability Overview: On August 9th, 2005 VSR identified the ability to bypass the Websense URL filtering capabilities when used in conjunction with the Cisco PIX for web content filtering. Shortly thereafter another security researcher [sledge.hammer(a+t)sinhack.net] published[2] a proof-of-concept for evading the URL filtering performed by Websense, claiming that Websense had failed to address the issue. However, the vulnerability has been verified by Cisco as a problem which lies within its handling of filtered requests. When the HTTP request is split into two or more packets on the HTTP method, it is possible to circumvent the filtering mechanism. Additionally, requests using this fragmented approach do not appear to be logged within Websense, indicating that the request is never sent to Websense for policy inspection. The simplest form required to exploit this vulnerability is to fragment the first character of the HTTP request, followed by a single TCP packet for subsequent data (e.g. setting the PSH flag on the individual packets). Virtual Security Research has created a utility[3] to demonstrate the ability to bypass Websense filtering for the affected versions of Cisco filtering devices enumerated in this advisory header.
You may download and run this utility at your own risk from: http://www.vsecurity.com/tools/WebsenseBypassProxy.java
The following Snort output demonstrates the fragmented request capable of bypassing Websense:
Vendor Response: WebSense and Cisco were first notified on 2005-11-04.
While no responses or acknowledgments were received from Websense, the following time line outlines the responses from Cisco regarding this issue:
2005-11-04 - Acknowledgment of security notification
2005-12-02 - Subsequent follow-up and response from Cisco to determine cause of observed behavior
2006-01-04 - Subsequent follow-up and response from Cisco acknowledging issue is being addressed by development teams
2006-01-30 - Estimated release of PIX code for 7.0.4 release is 2/20/2006
2006-02-17 - Notified by Cisco that fix will not make estimated delivery date due to regression issues, new release date of 3/20/2006 provided
2006-03-06 - Status update from vendor on new date, targets on track for 7.0 PIX OS release
2006-03-13 - Confirmation from Cisco on 3/20 code release
2006-03-17 - Communications from Cisco notifying VSR of other potential products affected (FWSM).
2006-03-24 - Communications received from Cisco acknowledging communication with FWSM team
2006-04-04 - Communication received from Cisco acknowledging FWSM vulnerability
2006-04-07 - Communications from Cisco confirming fixes for FWSM 2.3.x and 3.x; PSIRT awaiting release date for code
2006-04-14 - Communications from Cisco providing coordination details with FWSM team
2006-04-18 - Communications from Cisco providing build details incorporating fixes for FWSM products
2006-04-26 - Communications from Cisco providing details and update on FWSM testing and release availability; coordination for advisory release
2006-05-04 - Communications from Cisco for advisory release coordination
Recommendation: Cisco PIX/ASA and FWSM customers should apply the latest upgrades from vendor:
PIX OS 7.0.x upgrade is: 7.0.4.12 available at: http://www.cisco.com/cgi-bin/tablebuild.pl/pix-interim http://www.cisco.com/cgi-bin/tablebuild.pl/asa-interim
PIX OS 6.3 upgrade is: 6.3.5(112) available by customer request via the Cisco TAC
FWSM 2.3.x upgrade is: 2.3(4) available at:
http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm
FWSM 3.x upgrade is: 3.1(1.7) available by customer request via the Cisco TAC
Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE-2006-0515
References:
1. WebSense Enterprise http://www.websense.com/global/en/ProductsServices/WebsenseEnterprise/
2. Sinhack.net URL Filtering Evasion http://sinhack.net/URLFilteringEvasion/
3. Proof-of-Concept WebSense Bypass utility http://www.vsecurity.com/tools/WebsenseBypassProxy.java
Vulnerability Disclosure Policy: http://www.vsecurity.com/disclosurepolicy.html
Copyright 2006 Virtual Security Research, LLC. All rights reserved.
VAR-200605-0499 CVE-2006-2226 XM Easy Personal FTP Server Buffer Overflow Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Buffer overflow in XM Easy Personal FTP Server 4.2 and 5.0.1 allows remote authenticated users to cause a denial of service via a long argument to the PORT command. A buffer may be overrun with attacker-supplied data. Exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the ftp server application. Failed exploit attempts will likely crash applications, denying service to legitimate users.
The vulnerability is caused by a boundary error within the handling of the USER command. This can be exploited to cause a heap-based buffer overflow via overly long arguments passed to the command. The vulnerability has been confirmed in version 4.3. Prior versions may also be affected.
SOLUTION: Filter malicious requests in a proxy or firewall with FTP filtering capabilities.
PROVIDED AND/OR DISCOVERED BY: Muhammad Ahmed Siddiqui
VAR-200605-0161 CVE-2006-2267 Kerio WinRoute Firewall Protocol detection module Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Kerio WinRoute Firewall before 6.2.1 allows remote attackers to cause a denial of service (application crash) via unknown vectors in the "email protocol inspectors," possibly (1) SMTP and (2) POP3. Kerio WinRoute Firewall is prone to a remote denial-of-service vulnerability. The exact cause of this issue is currently unknown. This issue affects Kerio WinRoute Firewall versions prior to 6.2.1. Kerio WinRoute Firewall is a widely popular firewall software system.
----------------------------------------------------------------------
TITLE: Kerio WinRoute Firewall Protocol Inspection Denial of Service
SECUNIA ADVISORY ID: SA19947
VERIFY ADVISORY: http://secunia.com/advisories/19947/
CRITICAL: Moderately critical
IMPACT: DoS
WHERE: From remote
SOFTWARE: Kerio WinRoute Firewall 6.x http://secunia.com/product/3613/
DESCRIPTION: A vulnerability has been reported in Kerio WinRoute Firewall, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error in the SMTP and POP3 protocol inspectors.
This can be exploited to crash the service when a malformed e-mail is sent via SMTP or received via POP3.
SOLUTION: Update to version 6.2.1 or later. http://www.kerio.com/kwf_download.html
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://www.kerio.com/kwf_history.html
VAR-200605-0584 CVE-2006-2229 OpenVPN management interface TCP session information disclosure vulnerability CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
OpenVPN 2.0.7 and earlier, when configured to use the --management option with an IP that is not 127.0.0.1, uses a cleartext password for TCP sessions to the management interface, which might allow remote attackers to view sensitive information or cause a denial of service. OpenVPN is prone to a denial-of-service vulnerability
VAR-200605-0497 CVE-2006-2224 Quagga RIPd Route Injection Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly enforce RIPv2 authentication requirements, which allows remote attackers to modify routing state via RIPv1 RESPONSE packets.
------------
This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents other than the title cover all of these vulnerabilities.
------------
Quagga and GNU Zebra are collections of daemons that support the basic TCP/IP routing protocols. Among them, RIPd and bgpd are the daemons that handle the RIP and BGP protocols. Quagga and GNU Zebra have several security issues:
1) The RIPd daemon responds to RIPv1 requests regardless of whether authentication is configured, even when the daemon is set to accept RIPv2 only. (CVE-2006-2223) If exploited by a remote attacker, routing information may be obtained illegitimately using packets such as SEND UPDATE and REQUEST.
2) The RIPd daemon accepts unauthenticated RIPv1 packets even though RIPv2 authentication is enabled.
3) The community_str2com() function of the bgpd daemon has a defect: executing the show ip bgp command from the Telnet management interface enters an infinite loop that consumes CPU resources. (CVE-2006-2276) If exploited by a local attacker, the target system can eventually become unserviceable.
Please refer to the "Overview" for the impact of this vulnerability.
Quagga is susceptible to remote information-disclosure and route-injection vulnerabilities. The application fails to properly ensure that required authentication and protocol configuration options are enforced. These issues allow remote attackers to gain access to potentially sensitive network-routing configuration information and to inject arbitrary routes into the RIP routing table. This may aid malicious users in further attacks against targeted networks.
Quagga versions 0.98.5 and 0.99.3 are vulnerable to these issues; other versions may also be affected.
--------------------------------------------------------------------------
Debian Security Advisory DSA 1059-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
May 19th, 2006 http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : quagga
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2006-2223 CVE-2006-2224 CVE-2006-2276
BugTraq ID : 17808
Debian Bugs : 365940 366980
Konstantin Gavrilenko discovered several vulnerabilities in quagga, the BGP/OSPF/RIP routing daemon.
CVE-2006-2276 Fredrik Widell discovered that local users can cause a denial of service via a certain sh ip bgp command entered in the telnet interface.
The old stable distribution (woody) does not contain quagga packages.
For the stable distribution (sarge) these problems have been fixed in version 0.98.3-7.2.
For the unstable distribution (sid) these problems have been fixed in version 0.99.4-1.
We recommend that you upgrade your quagga package.
Upgrade Instructions
--------------------
wget url will fetch the file for you
dpkg -i file.deb will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:
apt-get update will update the internal database
apt-get upgrade will install corrected packages
You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
These files will probably be moved into the stable distribution on its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200605-15
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Quagga Routing Suite: Multiple vulnerabilities
Date: May 21, 2006
Bugs: #132353
ID: 200605-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Quagga's RIP daemon allows the injection of routes and the disclosure of routing information. The BGP daemon is vulnerable to a Denial of Service.
Background
==========
The Quagga Routing Suite implements three major routing protocols: RIP (v1/v2/v3), OSPF (v2/v3) and BGP4.
Affected packages
=================
-------------------------------------------------------------------
     Package                 /  Vulnerable  /        Unaffected
-------------------------------------------------------------------
  1  net-misc/quagga         <  0.98.6-r1   >=       0.98.6-r1
Description
===========
Konstantin V. Gavrilenko discovered two flaws in the Routing Information Protocol (RIP) daemon that allow the processing of RIP v1 packets (carrying no authentication) even when the daemon is configured to use MD5 authentication or, in another case, even if RIP v1 is completely disabled.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Quagga users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/quagga-0.98.6-r1"
References
==========
[ 1 ] CVE-2006-2223 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2223
[ 2 ] CVE-2006-2224 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2224
[ 3 ] CVE-2006-2276 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2276
[ 4 ] Official release information http://www.quagga.net/news2.php?y=2006&m=5&d=8#id1147115280
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200605-15.xml
License
=======
Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5