VARIoT IoT vulnerabilities database


VAR-200708-0411 CVE-2007-4459 Cisco IP Phone 7940 Denial of Service (DoS) Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-200708-0245, VAR-E-200708-0246
CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Cisco IP Phone 7940 and 7960 with P0S3-08-6-00 firmware, and other SIP firmware before 8.7(0), allows remote attackers to cause a denial of service (device reboot) via (1) a certain sequence of 10 invalid SIP INVITE and OPTIONS messages; or (2) a certain invalid SIP INVITE message that contains a remote tag, followed by a certain set of two related SIP OPTIONS messages. Cisco IP Phone 7940 and 7960 contain a vulnerability that results in a denial-of-service (device reboot) condition. A third party may put the device into a denial-of-service (device reboot) state.

The Cisco 7940 IP phone is a multifunction communication device that carries voice signals over an IP network. The Cisco 7940 has a vulnerability in its handling of specific request sequences, which a remote attacker may exploit to make the device unavailable. If the following 3-message sequence is sent to a Cisco 7940 IP phone:

X --- INVITE ---> Cisco
X <--- 481 transaction does not exists --- Cisco
X --- OPTIONS ---> Cisco
X <--- OK --- Cisco
X <--- 481 transaction does not exists --- Cisco
X --- OPTIONS ---> Cisco

or the following 10-message sequence:

X --- INVITE ---> Cisco
X <--- 400 Bad Request --- Cisco
X <--- 400 Bad Request --- Cisco
X <--- 400 Bad Request --- Cisco
X <--- 400 Bad Request --- Cisco
X <--- 400 Bad Request --- Cisco
X --- OPTIONS ---> Cisco
X <--- 200 OK --- Cisco
X --- OPTIONS ---> Cisco
X <--- 200 OK --- Cisco
X <--- 400 Bad Request --- Cisco
X --- INVITE ---> Cisco
X <--- 400 Bad Request --- Cisco
X <--- 400 Bad Request --- Cisco
X --- OPTIONS ---> Cisco
X <--- 404 Not Found --- Cisco
X <--- 400 Bad Request --- Cisco
X <--- 400 Bad Request --- Cisco
X <--- 400 Bad Request --- Cisco
X --- OPTIONS ---> Cisco
X <--- 200 OK --- Cisco
X --- INVITE ---> Cisco
X <--- 100 Trying --- Cisco
X <--- 404 Not Found --- Cisco
X <--- 404 Not Found --- Cisco
X <--- 404 Not Found --- Cisco
X --- OPTIONS ---> Cisco
X <--- 200 OK --- Cisco
X <--- 404 Not Found --- Cisco
X --- OPTIONS ---> Cisco
X <--- 200 OK --- Cisco
X <--- 404 Not Found --- Cisco

the device reboots.

Cisco 7940/7960 phones are prone to multiple denial-of-service vulnerabilities. A successful attack can allow remote attackers to crash or reboot an affected device. Cisco 7940/7960 devices running firmware P0S3-08-6-00 and prior are reported vulnerable.

TITLE: Cisco IP Phone 7940 SIP Message Sequence Denial of Service
SECUNIA ADVISORY ID: SA26547
VERIFY ADVISORY: http://secunia.com/advisories/26547/
CRITICAL: Less critical
IMPACT: DoS
WHERE: From remote
SOFTWARE: Cisco IP Phone 7940 http://secunia.com/product/1113/
DESCRIPTION: The Madynes research team at INRIA Lorraine has reported some vulnerabilities in Cisco IP Phone 7940, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerabilities are caused due to errors within the handling of certain SIP message sequences. These can be exploited to reboot the device by sending a series of specially crafted SIP messages. The vulnerabilities are reported in firmware version POS3-08-6-00.
SOLUTION: Use only in a trusted network environment.
PROVIDED AND/OR DISCOVERED BY: Madynes research team at INRIA Lorraine
ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065401.html http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065402.html

About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
VAR-200708-0310 CVE-2007-4424 Apple Safari Vulnerable to arbitrary file download on the client system desktop
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Apple Safari for Windows 3.0.3 and earlier does not prompt the user before downloading a file, which allows remote attackers to download arbitrary files to the desktop of a client system via certain HTML, as demonstrated by a filename in the DATA attribute of an OBJECT element. NOTE: it could be argued that this is not a vulnerability because a dangerous file is not actually launched, but as of 2007, it is generally accepted that web browsers should prompt users before saving dangerous content. Safari for Windows is prone to a remote security vulnerability.
VAR-200708-0345 CVE-2007-4387 2wire 1701HG and 2071 Gateway /xslt Vulnerable to cross-site request forgery
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in /xslt in 2wire 1701HG and 2071 Gateway routers, with 3.17.5 and 5.29.51 software, allows remote attackers to perform certain configuration changes as administrators. A remote attacker may make certain configuration changes as an administrator.

This can be exploited to perform certain actions on the device when a logged in administrator is tricked into visiting a malicious web page. The vulnerability is reported in 1701HG version 3.17.5 and 2071 Gateway version 5.29.51. Other versions may also be affected.
SOLUTION: Do not browse untrusted web sites while being logged in to the administrative section of the device.
PROVIDED AND/OR DISCOVERED BY: hkm
ORIGINAL ADVISORY: http://archives.neohapsis.com/archives/bugtraq/2007-08/0226.html
VAR-200708-0346 CVE-2007-4388 2wire 1701HG and 2071 Gateway Empty password vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
2wire 1701HG and 2071 Gateway routers, with 5.29.51 and possibly 3.17.5 software, have a blank password by default. The 2wire 1701HG and 2071 Gateway contain an empty password vulnerability by default. Details of the impact of this vulnerability are unknown. The 1701HG router is prone to a remote security vulnerability.
VAR-200708-0316 CVE-2007-4430 Cisco IOS show ip bgp regexp Command Denial of Service (DoS) Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-200708-0427
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in Cisco IOS 12.0 through 12.4 allows context-dependent attackers to cause a denial of service (device restart and BGP routing table rebuild) via certain regular expressions in a "show ip bgp regexp" command. NOTE: unauthenticated remote attacks are possible in environments with anonymous telnet and Looking Glass access. A denial-of-service (DoS) condition may result: a third party may cause Cisco IOS to restart and the BGP routing table to be rebuilt.

Cisco IOS is prone to a remote denial-of-service vulnerability because the software fails to properly handle certain CLI commands. To issue commands that trigger this vulnerability, attackers must be able to successfully authenticate to vulnerable devices. This may be achieved through remote anonymous means or by sending specially crafted input to web interfaces such as 'Looking Glass' web applications. Successfully exploiting this issue allows attackers to trigger device reboots, denying service to legitimate users. This issue is documented as Cisco bug ID CSCsb08386. Cisco IOS releases in the 12.0, 12.1, 12.2, 12.3, and 12.4 ranges are vulnerable to this issue.

Cisco IOS is the operating system used in Cisco network devices. If this happens several times in a row, it may make the operator's network unavailable.

Links:
http://www.heise-security.co.uk/news/print/94526
http://www.cisco.com/warp/public/707/cisco-sr-20070912-regexp.shtml
http://secunia.com/advisories/26798/
https://puck.nether.net/pipermail/cisco-nsp/2007-August/043010.html
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%

TITLE: Cisco IOS Regular Expressions Denial of Service
SECUNIA ADVISORY ID: SA26798
VERIFY ADVISORY: http://secunia.com/advisories/26798/
CRITICAL: Not critical
IMPACT: DoS
WHERE: Local system
OPERATING SYSTEM: Cisco IOS 12.x http://secunia.com/product/182/ Cisco IOS R12.x http://secunia.com/product/50/
DESCRIPTION: A vulnerability has been reported in Cisco IOS, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The vulnerability is caused due to an error when handling regular expressions containing repetition operators and pattern recalls. This can be exploited to cause a stack overflow by sending a command with specially crafted regular expressions to the command line interface. Successful exploitation causes the device to crash and requires a reboot, but requires valid user credentials. The vulnerability is reported in versions 12.0, 12.1, 12.2, 12.3, and 12.4.
SOLUTION: Restrict access to trusted people only.
PROVIDED AND/OR DISCOVERED BY: Sebastian Wiesinger
ORIGINAL ADVISORY: http://www.cisco.com/en/US/products/products_security_response09186a00808bb91c.html
OTHER REFERENCES: https://puck.nether.net/pipermail/cisco-nsp/2007-August/043002.html
VAR-200708-0317 CVE-2007-4431 Apple Safari Vulnerabilities in which the same origin policy involving access to the external domain from the local zone is bypassed
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-domain vulnerability in Apple Safari for Windows 3.0.3 and earlier allows remote attackers to bypass the Same Origin Policy, with access from local zones to external domains, via a certain body.innerHTML property value, aka "classic JavaScript frame hijacking." Apple Safari is susceptible to a vulnerability that allows an attacker to violate the same-origin policy. This issue occurs because the application fails to properly enforce the same-origin policy for JavaScript remote data access. An attacker may create a malicious webpage that can access the properties of another domain. This may allow the attacker to obtain sensitive information or launch other attacks against a user of the browser. Safari 3 beta is vulnerable to this issue. This vulnerability is also known as "classic JavaScript structure hijacking".
VAR-200708-0308 CVE-2007-4422 Symantec Enterprise Firewall User name is guessed
CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
The login interface in Symantec Enterprise Firewall 6.x, when a VPN with pre-shared key (PSK) authentication is enabled, generates different responses depending on whether or not a username is valid, which allows remote attackers to enumerate valid usernames. Symantec Enterprise Firewall is prone to a username-enumeration weakness. An attacker can exploit this issue to enumerate valid user names. This may aid in further attacks. There is a flaw in the processing of certain authentication requests in SEP, and a remote attacker may use this flaw to brute-force guess a valid user name.

TITLE: Symantec Enterprise Firewall User Enumeration Weakness
SECUNIA ADVISORY ID: SA26511
VERIFY ADVISORY: http://secunia.com/advisories/26511/
CRITICAL: Not critical
IMPACT: Exposure of sensitive information
WHERE: From remote
SOFTWARE: Symantec Enterprise Firewall 6.x http://secunia.com/product/15339/
DESCRIPTION: A weakness has been reported in Symantec Enterprise Firewall, which can be exploited by malicious people to determine valid usernames. The problem is that a different response is sent when using a valid or invalid username and can be exploited to determine valid usernames. Successful exploitation requires that the application is configured for remote access (client-to-gateway) VPN using pre-shared key (PSK) authentication. The weakness is reported in version 6.x.
SOLUTION: The vendor recommends adding the "default-ikeuser" username. Please see the vendor's advisory for details.
PROVIDED AND/OR DISCOVERED BY: The vendor credits Roy Hill, NTA Monitor Ltd.
ORIGINAL ADVISORY: http://securityresponse.symantec.com/avcenter/security/Content/2007.08.16.html
VAR-200708-0372 CVE-2007-4414 Cisco VPN Client on Windows Privilege escalation vulnerability
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cisco VPN Client on Windows before 4.8.02.0010 allows local users to gain privileges by enabling the "Start Before Logon" (SBL) and Microsoft Dial-Up Networking options, and then interacting with the dial-up networking dialog box. Cisco VPN Client for Windows is prone to multiple local privilege-escalation vulnerabilities. Successfully exploiting these issues allows attackers with local, interactive access to affected computers to gain SYSTEM-level privileges. This facilitates the complete compromise of affected computers. Versions prior to 4.8.02.0010 and 5.0.01.0600 of Cisco VPN Client for the Microsoft Windows platform are vulnerable to these issues. These issues are tracked as Cisco Bug IDs CSCse89550 and CSCsj00785.

The Cisco VPN Client allows users to create IPSec VPN tunnels to Cisco VPN enabled devices.

1. Note that configuring these two settings does not require the user to have administrative privileges.

2. Unprivileged users can escalate privileges by replacing the Cisco VPN Service executable with any executable program, which causes arbitrary programs to run with the privileges of the LocalSystem account. The cause of this vulnerability is that the default file permissions assigned to cvpnd.exe (the Cisco VPN Service executable) during installation allow unprivileged interactive users to replace cvpnd.exe with any file. Since the Cisco VPN Service is a Windows service that runs with LocalSystem privileges, unprivileged users can easily elevate privileges.
VAR-200708-0373 CVE-2007-4415 Cisco VPN Client Privilege escalation vulnerability
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cisco VPN Client on Windows before 5.0.01.0600, and the 5.0.01.0600 InstallShield (IS) release, uses weak permissions for cvpnd.exe (Modify granted to Interactive Users), which allows local users to gain privileges via a modified cvpnd.exe. Cisco VPN Client for Windows is prone to multiple local privilege-escalation vulnerabilities. Successfully exploiting these issues allows attackers with local, interactive access to affected computers to gain SYSTEM-level privileges. This facilitates the complete compromise of affected computers. Versions prior to 4.8.02.0010 and 5.0.01.0600 of Cisco VPN Client for the Microsoft Windows platform are vulnerable to these issues. These issues are tracked as Cisco Bug IDs CSCse89550 and CSCsj00785.

1. Local privilege escalation through the Microsoft Windows Dial-Up Networking interface: an unprivileged user can elevate privileges to those of the LocalSystem account by enabling the Start Before Logon (SBL) feature and setting the VPN configuration to use the Microsoft Dial-Up Networking interface. Note that configuring these two settings does not require the user to have administrative privileges.

2. Unprivileged users can escalate privileges by replacing the Cisco VPN Service executable with any executable program, which causes arbitrary programs to run with the privileges of the LocalSystem account.
VAR-200708-0347 CVE-2007-4389 2Wire Routers Cross-Site Request Forgery Vulnerability
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cross-site request forgery (CSRF) vulnerability in /xslt in 2wire 1701HG, 1800HW, and 2071 Gateway routers, with 3.17.5, 3.7.1, and 5.29.51 software, allows remote attackers to create DNS mappings as administrators, and conduct DNS poisoning attacks, via the NAME and ADDR parameters. Multiple 2Wire routers are prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to execute arbitrary actions on an affected device.
VAR-200708-0222 CVE-2007-2240 IBM and Lenovo Access Support acpRunner ActiveX control fails to restrict access to methods
CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
The IBM Lenovo Access Support acpRunner ActiveX control, as distributed in acpcontroller.dll before 1.2.8.0 and possibly acpir.dll before 1.0.0.9 (Automated Solutions 1.0 before fix pack 1), does not properly validate digital signatures of downloaded software, which makes it easier for remote attackers to spoof a download. Lenovo Inline Automated Solutions ActiveX controls are prone to multiple vulnerabilities. An attacker may exploit these issues by enticing victims into opening a maliciously crafted HTML document. Failed exploit attempts may result in denial-of-service conditions. These issues affect versions prior to 'acpcontroller.dll' ActiveX control 1.2.8.0 and 'acpir.dll' ActiveX control 1.0.0.9. Automated Solutions is a software package of ActiveX tools installed on Lenovo and IBM computers.

National Cyber Alert System
Technical Cyber Security Alert TA07-226A
Microsoft Updates for Multiple Vulnerabilities
Original release date: August 14, 2007
Last revised: --
Source: US-CERT

Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Windows Media Player
* Microsoft Office
* Microsoft Office for Mac
* Microsoft XML Core Services
* Microsoft Visual Basic
* Microsoft Virtual PC
* Microsoft Virtual Server

Overview
Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, Internet Explorer, Windows Media Player, Office, Office for Mac, XML Core Services, Visual Basic, Virtual PC, and Virtual Server.

I. Description
Microsoft has released updates to address vulnerabilities that affect Microsoft Windows, Internet Explorer, Windows Media Player, Office, Office for Mac, XML Core Services, Visual Basic, Virtual PC, and Virtual Server as part of the Microsoft Security Bulletin Summary for August 2007. Further information about the vulnerabilities addressed by these updates is available in the Vulnerability Notes Database.

II.
An attacker may also be able to cause a denial of service.

III. Solution
Apply updates from Microsoft. Microsoft has provided updates for these vulnerabilities in the August 2007 Security Bulletins. The Security Bulletins describe any known issues related to the updates. Administrators are encouraged to note any known issues that are described in the Bulletins and test for any potentially adverse effects. Updates for Microsoft Windows and Microsoft Office XP and later are available on the Microsoft Update site. Microsoft Office 2000 updates are available on the Microsoft Office Update site. Apple Mac OS X users should obtain updates from the Mactopia web site. System administrators may wish to consider using an automated patch distribution system such as Windows Server Update Services (WSUS).

IV. References
* US-CERT Vulnerability Notes for Microsoft August 2007 updates - <http://www.kb.cert.org/vuls/byid?searchview&query=ms07-aug>
* Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>
* Microsoft Security Bulletin Summary for August 2007 - <http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>
* Microsoft Office Update - <http://officeupdate.microsoft.com/>
* Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>
* Mactopia - <http://www.microsoft.com/mac/>

The most recent version of this document can be found at: <http://www.us-cert.gov/cas/alerts/TA07-226A.html>
Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA07-226A Feedback VU#361968" in the subject.
Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html>
Revision History
August 14, 2007: Initial release

3) The acpRunner (AcpController.dll) ActiveX control does not restrict potentially dangerous operations to certain domains. tricking a user into visiting a malicious website.
SOLUTION: Apply Automated Solutions Fix Pack 1: http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-67649
PROVIDED AND/OR DISCOVERED BY: Will Dormann, CERT/CC.
ORIGINAL ADVISORY:
IBM / Lenovo: http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-67649
US-CERT VU#426737: http://www.kb.cert.org/vuls/id/426737
US-CERT VU#599657: http://www.kb.cert.org/vuls/id/599657
US-CERT VU#570705: http://www.kb.cert.org/vuls/id/570705
VAR-200708-0005 CVE-2007-2929 IBM and Lenovo Access Support acpRunner ActiveX control fails to restrict access to methods
CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
The IBM Lenovo Access Support acpRunner ActiveX control, as distributed in acpcontroller.dll before 1.2.8.0 and possibly acpir.dll before 1.0.0.9 (Automated Solutions 1.0 before fix pack 1), exposes unsafe methods to arbitrary web domains, which allows remote attackers to download arbitrary code onto a client system and execute this code. Lenovo Inline Automated Solutions ActiveX controls are prone to multiple vulnerabilities. An attacker may exploit these issues by enticing victims into opening a maliciously crafted HTML document. Failed exploit attempts may result in denial-of-service conditions. These issues affects versions prior to 'acpcontroller.dll' ActiveX control 1.2.8.0 and 'acpir.dll' ActiveX control 1.0.0.9. Automated Solutions is a software package of ActiveX tools installed on Lenovo and IBM computers. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA07-226A Microsoft Updates for Multiple Vulnerabilities Original release date: August 14, 2007 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Internet Explorer * Microsoft Windows Media Player * Microsoft Office * Microsoft Office for Mac * Microsoft XML Core Services * Microsoft Visual Basic * Microsoft Virtual PC * Microsoft Virtual Server Overview Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, Internet Explorer, Windows Media Player, Office, Office for Mac, XML Core Services, Visual Basic, Virtual PC, and Virtual Server. I. Description Microsoft has released updates to address vulnerabilities that affect Microsoft Windows, Internet Explorer, Windows Media Player, Office, Office for Mac, XML Core Services, Visual Basic,Virtual PC, and Virtual Server as part of the Microsoft Security Bulletin Summary for August 2007. Further information about the vulnerabilities addressed by these updates is available in the Vulnerability Notes Database II. 
An attacker may also be able to cause a denial of service. III. Solution Apply updates from Microsoft Microsoft has provided updates for these vulnerabilities in the August 2007 Security Bulletins. The Security Bulletins describe any known issues related to the updates. Administrators are encouraged to note any known issues that are described in the Bulletins and test for any potentially adverse effects. Updates for Microsoft Windows and Microsoft Office XP and later are available on the Microsoft Update site. Microsoft Office 2000 updates are available on the Microsoft Office Update site. Apple Mac OS X users should obtain updates from the Mactopia web site. System administrators may wish to consider using an automated patch distribution system such as Windows Server Update Services (WSUS). IV. References * US-CERT Vulnerability Notes for Microsoft August 2007 updates - <http://www.kb.cert.org/vuls/byid?searchview&query=ms07-aug> * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/> * Microsoft Security Bulletin Summary for August 2007 - <http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx> * Microsoft Update - <https://update.microsoft.com/microsoftupdate/> * Microsoft Office Update - <http://officeupdate.microsoft.com/> * Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx> * Mactopia - <http://www.microsoft.com/mac/> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/alerts/TA07-226A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA07-226A Feedback VU#361968" in the subject. 
____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History August 14, 2007: Initial release ---------------------------------------------------------------------- 2) The acpRunner (AcpController.dll) ActiveX control does not properly verify the signature of downloaded packages. 3) The acpRunner (AcpController.dll) ActiveX control does not restrict potentially dangerous operations to certain domains. tricking a user into visiting a malicious website. SOLUTION: Apply Automated Solutions Fix Pack 1: http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-67649 PROVIDED AND/OR DISCOVERED BY: Will Dormann, CERT/CC. 
ORIGINAL ADVISORY: IBM / Lenovo: http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-67649 US-CERT VU#426737: http://www.kb.cert.org/vuls/id/426737 US-CERT VU#599657: http://www.kb.cert.org/vuls/id/599657 US-CERT VU#570705: http://www.kb.cert.org/vuls/id/570705 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
VAR-200708-0004 CVE-2007-2928 IBM and Lenovo Access Support acpRunner ActiveX control fails to restrict access to methods
CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
Format string vulnerability in the IBM Lenovo Access Support acpRunner ActiveX control, as distributed in acpcontroller.dll before 1.2.8.0 and possibly acpir.dll before 1.0.0.9 (Automated Solutions 1.0 before fix pack 1), allows remote attackers to execute arbitrary code via format string specifiers in unknown data. Lenovo Inline Automated Solutions ActiveX controls are prone to multiple vulnerabilities. An attacker may exploit these issues by enticing victims into opening a maliciously crafted HTML document. Failed exploit attempts may result in denial-of-service conditions. These issues affect versions prior to 'acpcontroller.dll' ActiveX control 1.2.8.0 and 'acpir.dll' ActiveX control 1.0.0.9. Automated Solutions is a software package of ActiveX tools installed on Lenovo and IBM computers. National Cyber Alert System Technical Cyber Security Alert TA07-226A Microsoft Updates for Multiple Vulnerabilities Original release date: August 14, 2007 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Internet Explorer * Microsoft Windows Media Player * Microsoft Office * Microsoft Office for Mac * Microsoft XML Core Services * Microsoft Visual Basic * Microsoft Virtual PC * Microsoft Virtual Server Overview Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, Internet Explorer, Windows Media Player, Office, Office for Mac, XML Core Services, Visual Basic, Virtual PC, and Virtual Server. I. Description Microsoft has released updates to address vulnerabilities that affect Microsoft Windows, Internet Explorer, Windows Media Player, Office, Office for Mac, XML Core Services, Visual Basic, Virtual PC, and Virtual Server as part of the Microsoft Security Bulletin Summary for August 2007. Further information about the vulnerabilities addressed by these updates is available in the Vulnerability Notes Database II. 
An attacker may also be able to cause a denial of service. III. Solution Apply updates from Microsoft Microsoft has provided updates for these vulnerabilities in the August 2007 Security Bulletins. The Security Bulletins describe any known issues related to the updates. Administrators are encouraged to note any known issues that are described in the Bulletins and test for any potentially adverse effects. Updates for Microsoft Windows and Microsoft Office XP and later are available on the Microsoft Update site. Microsoft Office 2000 updates are available on the Microsoft Office Update site. Apple Mac OS X users should obtain updates from the Mactopia web site. System administrators may wish to consider using an automated patch distribution system such as Windows Server Update Services (WSUS). IV. References * US-CERT Vulnerability Notes for Microsoft August 2007 updates - <http://www.kb.cert.org/vuls/byid?searchview&query=ms07-aug> * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/> * Microsoft Security Bulletin Summary for August 2007 - <http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx> * Microsoft Update - <https://update.microsoft.com/microsoftupdate/> * Microsoft Office Update - <http://officeupdate.microsoft.com/> * Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx> * Mactopia - <http://www.microsoft.com/mac/> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/alerts/TA07-226A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA07-226A Feedback VU#361968" in the subject. 
____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History August 14, 2007: Initial release ---------------------------------------------------------------------- 2) The acpRunner (AcpController.dll) ActiveX control does not properly verify the signature of downloaded packages. 3) The acpRunner (AcpController.dll) ActiveX control does not restrict potentially dangerous operations to certain domains. tricking a user into visiting a malicious website. SOLUTION: Apply Automated Solutions Fix Pack 1: http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-67649 PROVIDED AND/OR DISCOVERED BY: Will Dormann, CERT/CC. 
ORIGINAL ADVISORY: IBM / Lenovo: http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-67649 US-CERT VU#426737: http://www.kb.cert.org/vuls/id/426737 US-CERT VU#599657: http://www.kb.cert.org/vuls/id/599657 US-CERT VU#570705: http://www.kb.cert.org/vuls/id/570705
VAR-200708-0253 CVE-2007-4360 DRAC4 Service disruption in (DoS) Vulnerabilities
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in Dell Remote Access Card 4 (DRAC4) with firmware 1.50 Build 02.16 allows remote attackers to cause a denial of service (SSH daemon crash) via certain network traffic, as demonstrated by an "nmap -O" scan with nmap 4.03, possibly related to a Mocana (Mocanada) SSH vulnerability. Attackers can exploit this issue to deny legitimate access to port 22 on affected computers. Dell Remote Access Card 4/P running firmware 1.50 (Build 02.16) is vulnerable; other versions may also be affected. There is a vulnerability in the SSH service of DRAC when processing malformed data connections. If you use the nmap-4.03-3 port scanning tool bundled with Debian unstable or Ubuntu Dapper to perform port scanning on the SSH service of the Dell remote access card, the SSH port may become unavailable, and you must use the racadm tool to hard restart the entire system to recover. ---------------------------------------------------------------------- The vulnerability is caused due to an unspecified error and can be exploited to make the SSH service unresponsive e.g. via a port scan using nmap 4.03 with OS detection enabled. Other versions may also be affected. SOLUTION: Restrict network access to the device. PROVIDED AND/OR DISCOVERED BY: ETES GmbH ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065239.html
VAR-200708-0018 CVE-2007-4316 Zyxel Zywall 2 Run on ZyNOS Vulnerability to execute management actions in the management interface
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The management interface in ZyNOS firmware 3.62(WK.6) on the Zyxel Zywall 2 device has a certain default password, which allows remote attackers to perform administrative actions. Zywall 2 is prone to a remote security vulnerability. ---------------------------------------------------------------------- TITLE: ZyXEL ZyWALL / ZyNOS Cross-Site Request Forgery SECUNIA ADVISORY ID: SA26381 VERIFY ADVISORY: http://secunia.com/advisories/26381/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: From remote OPERATING SYSTEM: ZyXEL ZyWALL Series http://secunia.com/product/147/ ZyXEL ZyNOS 3.x http://secunia.com/product/149/ DESCRIPTION: Henri Lindberg has reported a vulnerability in ZyXEL ZyWALL / ZyNOS, which can be exploited by malicious people to conduct cross-site request forgery attacks. This can be exploited to perform certain actions when a logged in administrator is tricked into visiting a malicious website. NOTE: Reportedly, this can further be exploited to conduct script insertion attacks. The vulnerabilities are reported in ZyXEL ZyWALL 2 and in ZyNOS firmware version V3.62(WK.6). Other versions may also be affected. SOLUTION: Do not browse untrusted sites while being logged in to the administrative section of the device. PROVIDED AND/OR DISCOVERED BY: Henri Lindberg of Louhi Networks. ORIGINAL ADVISORY: http://www.louhi.fi/advisory/zyxel_070810.txt
VAR-200708-0020 CVE-2007-4318 Zyxel Zywall 2 Run on device ZyNOS Management interface cross-site scripting vulnerability

Related entries in the VARIoT exploits database: VAR-E-200708-0103
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Forms/General_1 in the management interface in ZyNOS firmware 3.62(WK.6) on the Zyxel Zywall 2 device allows remote authenticated administrators to inject arbitrary web script or HTML via the sysSystemName parameter. Zywall 2 is prone to a cross-site scripting vulnerability. ---------------------------------------------------------------------- TITLE: ZyXEL ZyWALL / ZyNOS Cross-Site Request Forgery SECUNIA ADVISORY ID: SA26381 VERIFY ADVISORY: http://secunia.com/advisories/26381/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: From remote OPERATING SYSTEM: ZyXEL ZyWALL Series http://secunia.com/product/147/ ZyXEL ZyNOS 3.x http://secunia.com/product/149/ DESCRIPTION: Henri Lindberg has reported a vulnerability in ZyXEL ZyWALL / ZyNOS, which can be exploited by malicious people to conduct cross-site request forgery attacks. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to perform certain actions when a logged in administrator is tricked into visiting a malicious website. NOTE: Reportedly, this can further be exploited to conduct script insertion attacks. The vulnerabilities are reported in ZyXEL ZyWALL 2 and in ZyNOS firmware version V3.62(WK.6). Other versions may also be affected. SOLUTION: Do not browse untrusted sites while being logged in to the administrative section of the device. PROVIDED AND/OR DISCOVERED BY: Henri Lindberg of Louhi Networks. ORIGINAL ADVISORY: http://www.louhi.fi/advisory/zyxel_070810.txt
VAR-200708-0254 CVE-2007-4361 NETGEAR ReadyNAS RAIDiator default root user password vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
NETGEAR (formerly Infrant) ReadyNAS RAIDiator before 4.00b2-p2-T1 beta creates a default SSH root password derived from the hardware serial number, which makes it easier for remote attackers to guess the password and obtain login access. ReadyNAS is a direct-attached storage device based on Linux and debian-sparc platforms. ReadyNAS has two users enabled by default: admin (the default password is infrant1) and root. Each time the device starts, it generates the root password with a hard-coded algorithm that uses the Ethernet MAC address, the software version number, and a hash of the shared secret. The root password cannot be changed permanently, because it is reset on every startup. The ReadyNAS device boots from built-in flash memory, which holds the Linux kernel and the initrd image. At startup, the initrd image looks for installed hard disks and initializes them. If an uninitialized hard disk is found, it is added to the RAID array. Part of the hard disk is used as the root file system, which is initialized from a tarball stored in flash. After the rootfs is loaded, some consistency checks are performed, and some important configuration files are encrypted and backed up. These files cannot be changed without decryption. At startup, the /linuxrc file in the initrd image is executed first; it contains the following:
--------------
SEED1=`/sysroot/sbin/ifconfig eth0 | grep HWaddr | sed -e 's/.*HWaddr //' -e 's/ //g'`
SEED2=`cut -f2 -d= /sysroot/etc/raidiator_version | cut -f1 -d,`
[*EDIT*: removed SEED3 as friendly requested by vendor]
echo "root:`echo \"$SEED1$SEED2$SEED3\" | md5sum | cut -f1 -d ' '`" | chpasswd
# TAKE ME OUT !!
[ -s /sysroot/.os_passwd ] && echo "root:`/sysroot/usr/bin/head -1 /sysroot/.os_passwd`" | chpasswd
#################
/sysroot/bin/mv /etc/passwd /sysroot/etc/passwd 2>$ERR
rm -rf /sysroot/etc/hosts_equiv /sysroot/root/.rhosts /sysroot/root/.ssh/* 2>$ERR
--------------
The password is derived with md5sum from the following components: a.) the MAC address obtained from ifconfig b.) the software version number read from /etc/raidiator_version c.) the shared keychain in SEED3. Even though the root password varies from device to device (the MAC address is also part of the hash), it is still not secret. First, if the NAS device is on the local LAN, the MAC address can be queried through an ARP request. Second, the default host name is nas-xx-yy-zz (which is displayed on the HTTPS-based interface), where xx, yy and zz are the last 3 octets of the MAC address. Finally, the version of the software can be determined by brute-force guessing. Successfully exploiting this issue allows remote attackers to gain superuser-level access to affected devices. This issue affects devices with firmware versions 3.01c1-p1 and 3.01c1-p6 installed; other versions may also be affected. ---------------------------------------------------------------------- TITLE: Infrant ReadyNAS Devices SSH Default Root Password Weakness SECUNIA ADVISORY ID: SA26442 VERIFY ADVISORY: http://secunia.com/advisories/26442/ CRITICAL: Not critical IMPACT: Security Bypass WHERE: From remote OPERATING SYSTEM: Infrant ReadyNAS Devices 3.x http://secunia.com/product/15287/ DESCRIPTION: Brian Chapados and Felix Domke have reported a weakness in Infrant ReadyNAS devices, which can be exploited by malicious people to bypass certain security restrictions. The problem is that the device includes an SSH daemon that cannot be disabled and that the password for the SSH root account on the device is generated using certain device-specific values (e.g. MAC address, serial number, version number) and cannot be changed permanently. The weakness is reported in ReadyNAS devices with RAIDiator 3.01c1-p1, 3.01c1-p6. SOLUTION: The vendor has provided the ToggleSSH add-on to disable/enable SSH on the device and has released RAIDiator 4.00b2-p2-T1 beta version, which has SSH disabled by default. http://www.infrant.com/download/addons/ToggleSSH_1.0.bin http://www.infrant.com/beta/raidiator/4.0/RAIDiator-4.00b2-p2-T1 PROVIDED AND/OR DISCOVERED BY: Brian Chapados and Felix Domke ORIGINAL ADVISORY: Infrant Technologies: http://www.infrant.com/forum/viewtopic.php?t=12313 http://www.infrant.com/forum/viewtopic.php?t=12249
VAR-200709-0354 CVE-2007-4720 JP1/Cm2/Network Node Manager Arbitrary Code Execution Vulnerability
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in the Shared Trace Service in Hitachi JP1/Cm2/Network Node Manager (NNM) 07-10 through 07-10-05, and NNM Starter Edition Enterprise and 250 08-00 through 08-10, allows remote attackers to execute arbitrary code via unspecified vectors. Hitachi JP1/CM2/Network Node Manager is prone to a code-execution vulnerability. Hitachi JP1/CM2/Network Node Manager 07-10 through 07-10-5, 08-00 through 08-00-03, and 08-10 are vulnerable. ---------------------------------------------------------------------- TITLE: HP OpenView Products Shared Trace Service Buffer Overflow Vulnerabilities SECUNIA ADVISORY ID: SA26394 VERIFY ADVISORY: http://secunia.com/advisories/26394/ CRITICAL: Moderately critical IMPACT: System access WHERE: From local network SOFTWARE: HP OpenView Performance Insight (OVPI) 5.x http://secunia.com/product/15212/ HP OpenView Dashboard 2.x http://secunia.com/product/15211/ HP OpenView Business Process Insight (OVBPI) 1.x http://secunia.com/product/15202/ HP OpenView Business Process Insight (OVBPI) 2.x http://secunia.com/product/15203/ HP OpenView Service Desk Process Insight (SDPI) 1.x http://secunia.com/product/15204/ HP OpenView Service Desk Process Insight (SDPI) 2.x http://secunia.com/product/15205/ HP Business Process Insight (HPBPI) 1.x http://secunia.com/product/15207/ HP Business Process Insight (HPBPI) 2.x http://secunia.com/product/15208/ HP Service Desk Process Insight (HPSDPI) 1.x http://secunia.com/product/15209/ HP Service Desk Process Insight (HPSDPI) 2.x 
http://secunia.com/product/15210/ HP OpenView Network Node Manager (NNM) 6.x http://secunia.com/product/2384/ HP OpenView Network Node Manager (NNM) 7.x http://secunia.com/product/3608/ HP OpenView Service Quality Manager (OV SQM) 1.x http://secunia.com/product/15200/ HP OpenView Operations Manager for Windows (OVOW) 7.x http://secunia.com/product/15199/ HP OpenView Operations HTTPS Agent 8.x http://secunia.com/product/8641/ HP OpenView Reporter 3.x http://secunia.com/product/15198/ HP OpenView Performance Agent http://secunia.com/product/2100/ HP OpenView Performance Manager (OVPM) 5.x http://secunia.com/product/15196/ HP OpenView Performance Manager (OVPM) 6.x http://secunia.com/product/15197/ HP OpenView Internet Service (OVIS) 6.x http://secunia.com/product/15195/ DESCRIPTION: Some vulnerabilities have been reported in HP OpenView products, which can be exploited by malicious people to compromise a vulnerable system. The vulnerabilities are caused due to boundary errors within the Shared Trace Service component when handling certain requests. These can be exploited to cause stack-based buffer overflows via sending specially crafted requests to the service. 
The vulnerabilities affect the following products and versions: * HP OpenView Internet Service (OVIS) v6.00, v6.10, v6.11 (Japanese), v6.20 running HP OpenView Cross Platform Component (XPL) vB.60.81.00, vB.60.90.00, and vB.61.90.000 * HP OpenView Performance Manager (OVPM) 5.x and 6.x * HP OpenView Performance Agent (OVPA) 4.5 and 4.6 * HP OpenView Reporter 3.7 * HP OpenView Operations (OVO) Agents OVO8.x HTTPS agents * HP OpenView Operations Manager for Windows (OVOW) v7.5 with the OpenView Operations (OVO) add on module for OpenView Operations-Business Availability Center (OVO-BAC) * HP OpenView Quality Manager (OV SQM) v1.2 SP1, v1.3, v1.40 running HP OpenView Cross Platform Component (XPL) 2.60.041, 2.61.060 and 2.61.110 * HP OpenView Network Node Manager (OV NNM) v6.41, v7.01, v7.50 running XPL earlier than 03.10.040 * HP OpenView Business Process Insight (OVBPI), HP Business Process Insight (HPBPI) , HP OpenView Service Desk Process Insight (SDPI), and HP Service Desk Process Insight (HPSDPI) versions 1.0, 1.1x, 2.0x and 2.10x * HP OpenView Dashboard v2.01 running HP OpenView Cross Platform Component (XPL) vB.60.90.00 and vB.61.90.000 * HP OpenView Performance Insight (OVPI) v5.0, v5.1, v5.1.1, v5.1.2, v5.2 running HP OpenView Cross Platform Component (XPL) earlier than v3.10.040 SOLUTION: Apply hotfixes. Please see the vendor's advisories for details. PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Cody Pierce, TippingPoint DV Labs. 2) An anonymous researcher, reported via iDefense Labs. 
ORIGINAL ADVISORY: HPSBMA02235 SSRT061260: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01106515 HPSBMA02236 SSRT061260: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109171 HPSBMA02237 SSRT061260: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109584 HPSBMA02238 SSRT061260: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109617 HPSBMA02239 SSRT061260: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01110576 HPSBMA02240 SSRT061260: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01110627 HPSBMA02241 SSRT061260: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01111851 HPSBMA02242 SSRT061260: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01112038 HPSBMA02244 SSRT061260: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01114023 HPSBMA02245 SSRT061260: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01114156 HPSBMA02246 SSRT061260: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01115068 iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=574 ---------------------------------------------------------------------- No further information is currently available. Please see the vendor's advisory for a list of affected products and versions
VAR-200708-0019 CVE-2007-4317 Zyxel Zywall 2 Run on device ZyNOS Management interface cross-site request forgery vulnerability

Related entries in the VARIoT exploits database: VAR-E-200708-0103
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site request forgery (CSRF) vulnerabilities in the management interface in ZyNOS firmware 3.62(WK.6) on the Zyxel Zywall 2 device allow remote attackers to perform certain actions as administrators, as demonstrated by a request to Forms/General_1 with the (1) sysSystemName and (2) sysDomainName parameters. ZyXEL ZyWALL 2 is prone to multiple remote vulnerabilities that affect the management interface. An attacker can exploit these issues to carry out cross-site request forgery, HTML-injection, and denial-of-service attacks. ZyWALL 2 running with firmware V3.62(WK.6) is reported vulnerable to this issue. ---------------------------------------------------------------------- TITLE: ZyXEL ZyWALL / ZyNOS Cross-Site Request Forgery SECUNIA ADVISORY ID: SA26381 VERIFY ADVISORY: http://secunia.com/advisories/26381/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: From remote OPERATING SYSTEM: ZyXEL ZyWALL Series http://secunia.com/product/147/ ZyXEL ZyNOS 3.x http://secunia.com/product/149/ DESCRIPTION: Henri Lindberg has reported a vulnerability in ZyXEL ZyWALL / ZyNOS, which can be exploited by malicious people to conduct cross-site request forgery attacks. NOTE: Reportedly, this can further be exploited to conduct script insertion attacks. Other versions may also be affected. SOLUTION: Do not browse untrusted sites while being logged in to the administrative section of the device. PROVIDED AND/OR DISCOVERED BY: Henri Lindberg of Louhi Networks. ORIGINAL ADVISORY: http://www.louhi.fi/advisory/zyxel_070810.txt
VAR-200708-0021 CVE-2007-4319 Zyxel Zywall 2 Run on device ZyNOS Service disruption in the management interface (DoS) Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-200708-0103
CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
The management interface in ZyNOS firmware 3.62(WK.6) on the Zyxel Zywall 2 device allows remote authenticated administrators to cause a denial of service (infinite reboot loop) via invalid configuration data. NOTE: this issue might not cross privilege boundaries, and it might be resultant from CSRF; if so, then it should not be included in CVE. ZyXEL ZyWALL 2 is prone to multiple remote vulnerabilities that affect the management interface. An attacker can exploit these issues to carry out cross-site request forgery, HTML-injection, and denial-of-service attacks. ZyWALL 2 running with firmware V3.62(WK.6) is reported vulnerable to this issue