VARIoT IoT vulnerabilities database

The Cisco 7900 Series is a family of IP telephony support devices. The Cisco 7900 Series handles fake ARP messages incorrectly. A remote attacker can exploit this vulnerability to perform a denial of service attack on a device, or to intercept packets such as \"intermediaries\". No detailed vulnerability details are currently available. Other attacks including man in the middle style attacks, for example packet injection and data interception have also been reported possible

The Cisco 11000 CSS is a content services switch. Using a large number of TCP SYN packets directly sent to the CSS switch's circuit address can cause CSS internal message communication to be interrupted, resulting in a denial of service due to excessive CPU utilization. In the CS800 chassis, the system control module (SCM) sends an ONDM (online diagnostics monitor) message to each SFP card. In order to check whether the interface is active, if the SCM does not get a response within 30 seconds, the SCM will not re-create any CORE information. Start the CS800. By sending a large number of SYN packets to the circuit IP interface of the CSS switch, the communication is sent to the SCM through the internal MADLAN Ethernet interface. If the internal interface is overloaded, the ONDM ping request and response are discarded, and there is no internal communication. Denial of service. It has been reported that under certain circumstances, it may be possible for remote attackers to force the System Controller Module (SCM) on Cisco Content Service Switches to reboot. A component on the device known as the Online Diagnostics Monitor (ONDM) periodically sends out ping packets to other components to verify functionality. It may be possible to prevent delivery of these ping packets, causing the router to believe the component is not functional and cause the SCM to reboot the device

The D-Link 704p is a 4-port DSL/CABLE router. The D-Link 704p management interface incorrectly handles long requests submitted by users. A remote attacker can exploit this vulnerability to perform a denial of service attack on the router. The D-Link 704p can be configured for remote management. The attacker can connect to the WEB service of the management interface and submit a long URL request, which can cause the router to stop responding and need to be restarted to obtain normal services. The issue presents itself when a request of excessive length is sent to the router. This causes the device to behave in an unstable manner. Malicious requests may result in a complete denial of service condition requiring a device reboot, or the loss of the ability to log in to the administration interface. Although unconfirmed, it should be noted that other D-Link devices that use related firmware might also be affected

The DeviceIoControl function in the Norton Device Driver (NAVAP.sys) in Symantec Norton AntiVirus 2002 allows local users to gain privileges by overwriting memory locations via certain control codes (aka "Device Driver Attack"). According to the report, one of the device control operation handlers attempts to write data to an address offset from a pointer parameter passed to DeviceIoControl(). There is no validation on the parameter supplied or the address written to. This vulnerability can be exploited by unprivileged userland programs to crash the affected host or potentially elevate privileges. Norton Antivirus is a popular anti-virus system

It has been reported that under some circumstances, a Cisco appliance running IOS may answer malicious malformed UDP echo packets with replies that contain partial contents from the affected router's memory.

Buffer overflow in the HTTP server for Cisco IOS 12.2 and earlier allows remote attackers to execute arbitrary code via an extremely long (2GB) HTTP GET request. IOS is prone to a remote security vulnerability. Cisco IOS is a very widely deployed network operating system. Many Cisco devices run IOS. The HTTP service program of the Cisco IOS device does not properly handle large data requests. Remote attackers can use this vulnerability to perform buffer overflow attacks on the service, and may run arbitrary commands on the device with system privileges

The HTTP server on Cisco IOS devices is prone to a buffer overrun that can be triggered by sending 2GB of data. This may be exploited to execute arbitrary code on a vulnerable device.

Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO. A function originally derived from 4.4BSD, realpath(3), contains a vulnerability that may permit a malicious user to gain root access to the server. This function was derived from the FreeBSD 3.x tree. Other applications and operating systems that use or were derived from this code base may be affected. This problem was originally reported to affect WU-FTPd. It has been discoved to affect various BSD implementations as well. WU-FTPD is implemented in fb_realpath() In the function, the size of the buffer for handling the path is MAXPATHLEN However, the length of the path actually delivered is longer than that. (MAXPATHLEN+1) , one shift (off-by-one) A buffer overflow vulnerability exists.root Arbitrary commands may be executed with sufficient privileges. The 'realpath()' function is a C-library procedure to resolve the canonical, absolute pathname of a file based on a path that may contain values such as '/', './', '../', or symbolic links. A vulnerability that was reported to affect the implementation of 'realpath()' in WU-FTPD has lead to the discovery that at least one implementation of the C library is also vulnerable. FreeBSD has announced that the off-by-one stack- buffer-overflow vulnerability is present in their libc. Other systems are also likely vulnerable. Reportedly, this vulnerability has been successfully exploited against WU-FTPD to execute arbitrary instructions. NOTE: Patching the C library alone may not remove all instances of this vulnerability. Statically linked programs may need to be rebuilt with a patched version of the C library. Also, some applications may implement their own version of 'realpath()'. These applications would require their own patches. FreeBSD has published a large list of applications that use 'realpath()'. Administrators of FreeBSD and other systems are urged to review it. For more information, see the advisory 'FreeBSD-SA-03:08.realpath'. The realpath(3) function is used to determine the absolute path name of the rule in the given path name. The realpath(3) function is part of the FreeBSD standard C language library file. If the parsed pathname is 1024 bytes long and contains two directory separators, the buffer passed to the realpath(3) function can be overwritten with a single NUL byte. Applications that typically use the realpath(3) function can cause denial of service, or execute arbitrary code and privilege escalation attacks. sftp-server(8) is part of OpenSSH, and realpath(3) is used to process the chdir command. 1 cdparanoia-3.9. Synopsis: wu-ftpd fb_realpath() off-by-one bug Product: wu-ftpd Version: 2.5.0 <= 2.6.2 Vendor: http://www.wuftpd.org/ URL: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0466 Author: Wojciech Purczynski <cliph@isec.pl> Janusz Niewiadomski <funkysh@isec.pl> Date: July 31, 2003 Issue: ====== Wu-ftpd FTP server contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability to gain root privileges on a vulnerable system. Details: ======== An off-by-one bug exists in fb_realpath() function. The overflowed buffer lies on the stack. The bug results from misuse of rootd variable in the calculation of length of a concatenated string: ------8<------cut-here------8<------ /* * Join the two strings together, ensuring that the right thing * happens if the last component is empty, or the dirname is root. */ if (resolved[0] == '/' && resolved[1] == '\0') rootd = 1; else rootd = 0; if (*wbuf) { if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) { errno = ENAMETOOLONG; goto err1; } if (rootd == 0) (void) strcat(resolved, "/"); (void) strcat(resolved, wbuf); } ------8<------cut-here------8<------ Since the path is constructed from current working directory and a file name specified as an parameter to various FTP commands attacker needs to create deep directory structure. This may occur for example if wu-ftpd is compiled with some versions of Linux kernel where PATH_MAX (and MAXPATHLEN accordingly) is defined to be exactly 4095 characters. In such cases, the buffer is padded with an extra byte because of variable alignment which is a result of code optimization. Linux 2.2.x and some early 2.4.x kernel versions defines PATH_MAX to be 4095 characters, thus only wu-ftpd binaries compiled on 2.0.x or later 2.4.x kernels are affected. We believe that exploitation of other little-endian systems is also possible. Impact: ======= Authenticated local user or anonymous FTP user with write-access could execute arbitrary code with root privileges. Vendor Status: ============== June 1, 2003 security@wu-ftpd.org has been notified June 9, 2003 Request for confirmation of receipt sent to security@wu-ftpd.org June 11, 2003 Response received from Kent Landfield July 3, 2003 Request for status update sent July 19, 2003 vendor-sec list notified July 31, 2003 Coordinated public disclosure The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0466 to this issue. -- Janusz Niewiadomski iSEC Security Research http://isec.pl/

The web server for Cisco Aironet AP1x00 Series Wireless devices running certain versions of IOS 12.2 allow remote attackers to cause a denial of service (reload) via a malformed URL. The Cisco Aironet AP1X00 series is a wireless access point issued by Cisco that provides wireless access solutions based on the 802.11b WIFI standard.  The web interface of the Cisco Aironet AP1X00 does not properly handle HTTP GET requests. A remote attacker could use this vulnerability to conduct a denial of service attack on the device. This attack does not require any authentication. After the attack is successful, the device needs to be restarted or it cannot service normal communications.  All VxWorks software-based Cisco Aironet Access Point 1200s are not affected by this vulnerability. These software versions include 11.56, 12.01T1, 12.02T1, and 12.03T. Such a request will cause the device to reload. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: HTTP GET Vulnerability in AP1x00 Revision 1.0 For Public Release 2003 July 28 16:00 UTC (GMT) ---------------------------------------------------------------------- Contents Summary Affected Products Details Impact Software Versions and Fixes Obtaining Fixed Software Workarounds Exploitation and Public Announcements Status of This Notice: FINAL Distribution Revision History Cisco Security Procedures ---------------------------------------------------------------------- Summary A vulnerability has been reported by an external researcher in Cisco IOS(R) release for Cisco Aironet AP1x00 Series Wireless devices. This vulnerability can cause the AP1x00 to reload and is documented as Cisco bug ID CSCeb49869 (registered customers only) (also CAN-2003-0511). There are workarounds available to mitigate the effects of this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml. The external report can be found at http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm leavingcisco.com. Although it mentions two issues only one is addressed by this advisory. The other issue, Cisco bug ID CSCdz29724 (registered customers only) (also CAN-2003-512), is present in all IOS software and is duplicated by the AP1x00 specific Cisco bug ID CSCeb49842 (registered customers only) . More details about it can be found at http://www.cisco.com/warp/public/707/cisco-sn-20030724-ios-enum.shtml. In order to determine your software release you should log on the Access Point using any account available and execute the following command: access-point> show ver Cisco Internetwork Operating System Software IOS (tm) C1100 Software (C1100-K9W7-M), Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) ^^^^^^^^^ TAC Support: http://www.cisco.com/tac Copyright (c) 1986-2003 by cisco Systems, Inc. The Cisco IOS software version is displayed in the second line of the output. In this example it is 12.2(8)JA. Impact Repeated exploitation of this vulnerability can lead to a prolonged Denial-of-Service (DoS) of the AP1x00. Obtaining Fixed Software Cisco is offering free software upgrades to address these vulnerabilities for all affected customers. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at the Cisco Connection Online Software Center at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Customers with service contracts should contact their regular update channels to obtain the free software upgrade identified via this advisory. For most customers with service contracts, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com/tacpage/sw-center/sw-wireless.shtml. To access the software download URL, you must be a registered user and you must be logged in. Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge. Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Workarounds There are two workarounds for this vulnerability. The example of using access-class is given here: ap(config)# ip http access-class 10 ap(config)# access-list 10 permit host 10.0.0.1 In this example, host 10.0.0.1 is the only one that is allowed to access the AP. All other hosts are prohibited. To disable HTTP and enable SSH use this example: ap(config)# no ip http server ap(config)# ip domain name <your-domain> ap(config)# crypto key generate rsa The name for the keys will be: ap.your-domain Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys ...[OK] ap(config)# line vty 0 4 ap(config-line)# transport input ssh Now you can connect to the Cisco Aironet AP using SSH client from your computer. In addition to the workarounds it is possible to mitigate the exposure by configuring ACLs on the device so that only legitimate hosts can use the http service. This can be done in the following way: access-list 111 permit tcp host 10.0.0.1 host 10.0.0.50 eq www In this example the host 10.0.0.1 is the only one that is allowed to access the device at 10.0.0.50. You will have to change host IP addresses and the ACL number to suit your configuration. This ACL will have to be applied to all interfaces and block all IP addresses assigned to the affected device. Exploitation and Public Announcements This vulnerability is reported by Reda Zitouni from Vigilante. Their report can be found at http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm leavingcisco.com. Status of This Notice: FINAL This is a final advisory. Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Cisco will update this advisory. A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution This notice will be posted on Cisco's worldwide website at . In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * bugtraq@securityfocus.com * full-disclosure@lists.netsys.com * first-teams@first.org (includes CERT/CC) * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * comp.dcom.sys.cisco * Various internal Cisco mailing lists Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History +------------------------------------------+ |Revision|2003-July-28 16:00 UTC |Initial | |1.0 |(GMT) |public | | | |release.| +------------------------------------------+ Cisco Security Procedures Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. ---------------------------------------------------------------------- This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information. ---------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Comment: PGP Signed by Sharad Ahlawat, Cisco Systems PSIRT iD4DBQE/JUmbezGozzK2tZARArXRAKCIRsac6s3i7oRAEf4/2khQBKdEcgCXTsum aQeEFDQLBhqS5wu0CarFkg== =ehoq -----END PGP SIGNATURE----- . Firmware version 12.2(4)JA and earlier. The Arionet Bridge is vulnerable to a denial of service.This can be exploited remotely by an attacker. No user login or password is necessary. This can be accomplished by submitting a specially crafted request to the web server. There is no need to authenticate to perform this attack, only access to the web server is required. The Aironet bridge reboots upon receiving the request and failing to handle correctly this one. Afterwards, no further access to the WLAN or its services is possible. Vendor status: ************** Cisco was contacted June 19, 2003 and answered the same day. 5 days later, they told us that they would release a patch soon. The patch was finally released July 3, 2003. Vulnerability Assessment: A test case to detect this vulnerability was added to SecureScan NX in the upgrade package of July 28, 2003. You can see the documentation of this test case 17655 on SecureScan NX web site at http://securescannx.vigilante.com/tc/17655 . Please note that this version fixes some other bugs as TC 15438 (refer to release note). If not needed - disable access to the web feature on the Aironet Bridge. 2. If needed - restrict access to the HTTP service for outside connections. CVE: Common Vulnerabilities and Exposures group ( reachable at http://cve.mitre.org/ ) was contacted and assigned CAN-2003-0511 to this vulnerability. Links: ***** Cisco Advisory: http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml Vigilante Advisory: http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003001.htm Product Homepage: http://www.cisco.com/warp/public/cc/pd/witc/ps4570 CVE: CAN-2003-0511 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CAN-2003-0511 Credit: ****** This vulnerability was discovered by Reda Zitouni, member of our Security Watch Team at VIGILANTe. We wish to thank Cisco PSIRT Team for their fast answer to fix this problem. Copyright VIGILANTe.com, Inc. 2003-07-28 Disclaimer: ********** The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility. Feedback: ******** Please send suggestions, updates, and comments to securitywatch@vigilante.com

Cisco IOS 12.2 and earlier generates a "% Login invalid" message instead of prompting for a password when an invalid username is provided, which allows remote attackers to identify valid usernames on the system and conduct brute force password guessing, as reported for the Aironet Bridge. A vulnerability in the Cisco Aironet 1100 Series Access Point may allow a remote attacker to discover valid accounts on the access point. Cisco IOS Specific versions of telnet There is a vulnerability that the response of the authentication result varies depending on the user name when password authentication is performed via.Depending on the response, it may be possible to infer whether the user exists. An information leak has been reported in Cisco Aironet Access Points when the telnet service has been enabled. This may allow a remote attacker to gain potentially sensitive information. If it is illegal, it will prompt the \"\\% Login invalid\" message. VIGILANTe Security Watch Advisory Name: Cisco Aironet AP1100 Valid Account Disclosure Vulnerability Systems Affected: Tested on a Cisco Aironet AP1100 Model 1120B Series Wireless device. Firmware version 12.2(4)JA and earlier. NB : A large number of Cisco IOSes are affected by this flaw. Severity: High Risk Vendor URL: http://www.vigilante.com Authors: Reda Zitouni (reda.zitouni@vigilante.com) Date: 28th July 2003 Advisory Code: VIGILANTE-2003002 Description *********** Cisco Aironet 1100 Series Access Point is a device manufactured by Cisco Systems offering a WLAN solution based on the 802.11b Wifi standard. The Aironet Bridge is vulnerable to a Brute Force attack revealing if an account exists or not. If an attacker submits an existing account as login he will be then prompted for the password. If not the case a ""% Login invalid" reply will be displayed by the server, revealing the account is not existing. By default on the Aironet AP1100, the 'cisco' account is set and is prompted for a password when submitted. That default account then allows an attacker to determine if this flaw on the remote device is patched or not. This may lead to further serious attacks. Vendor status: ************** Cisco was contacted June 19, 2003 and answered the same day. 5 days later, they told us that they would release a patch soon. The patch was finally released July 3, 2003. Please note that this flaw is released by Cisco as a Security Notice in CCO. Vulnerability Assessment: ************************ A test case to detect this vulnerability was added to SecureScan NX in the upgrade package of July 28, 2003. You can see the documentation of this test case 15438 on SecureScan NX web site at http://securescannx.vigilante.com/tc/15438. Fix: A firmware upgrading the Aironet IOS version to c1100-k9w7 has been released by Cisco. Please note that this version fixes some other bugs as TC 17655 (refer to release note). A stronger authentication mechanism, such as SSH can also be implemented. CVE: Common Vulnerabilities and Exposures group ( reachable at http://cve.mitre.org/ ) was contacted and assigned CAN-2003-0512 to this vulnerability. Links: ***** Cisco Advisory: http://www.cisco.com/warp/public/707/cisco-sn-20030724-ios-enum.shtml Vigilante Advisory: http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm Product Homepage: http://www.cisco.com/warp/public/cc/pd/witc/ps4570 CVE: CAN-2003-0512 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CAN-2003-0512 Credit: ****** This vulnerability was discovered by Reda Zitouni, member of our Security Watch Team at VIGILANTe. We wish to thank Cisco PSIRT Team for their fast answer to fix this problem. Copyright VIGILANTe.com, Inc. 2003-07-28 Disclaimer: ********** The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility. Feedback: ******** Please send suggestions, updates, and comments to securitywatch@vigilante.com

Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to cause a denial of service (crash) via a .. (dot dot) sequence followed by an MS-DOS device name (e.g. AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0421. A remote attacker can use the MS-DOS device name (such as AUX) followed by the .. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Rapid7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose, the world's most advanced vulnerability scanner. Linux and Windows 2000/XP versions are available now! _______________________________________________________________________ Rapid7 Advisory R7-0015 Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Published: July 22, 2003 Revision: 1.0 http://www.rapid7.com/advisories/R7-0015.html CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424, CAN-2003-0425, CAN-2003-0426, CAN-2003-0502 1. Affected system(s): KNOWN VULNERABLE: o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X o QuickTime/Darwin Streaming Server v4.1.3 for Win32 o QuickTime/Darwin Streaming Server v4.1.3 for Linux UNKNOWN/NOT TESTED: o other platforms (Solaris) 2. 3. Vendor status and information Apple http://www.apple.com/ The vendor has been notified and has released fixes for all but one of the issues, which is currently under investigation. 4. Solution Upgrade to version 4.1.3g or later of Darwin Streaming Server, which may be obtained as a free download from: http://developer.apple.com/darwin/projects/streaming/ Please see the next section for detailed fix information. 5. Detailed analysis There are several vulnerabilities. Denial of Service by HTTP Request for DOS Device Name CVE ID: CAN-2003-0421 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting a DOS device name (e.g. An initial HTTP 404 response will be returned for the device request, but future requests will not be serviced. For example: ==> GET /AUX HTTP/1.0 Denial of Service by Request for ../ DOS Device Name CVE ID: CAN-2003-0502 Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only) Fixed: In version 4.1.3g (Win32) This is a variant of CAN-2003-0421. A fix for CAN-2003-0421 was included in Streaming Server version, 4.1.3f, but further testing revealed that it was vulnerable to a variant where the device name was prefixed by dotdot slash (../), as in: ==> GET /../AUX HTTP/1.0 Denial of Service by HTTP Request for /view_broadcast.cgi Script CVE ID: CAN-2003-0422 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting the /view_broadcast.cgi script over HTTP (port 1220) will cause a denial of service on the server if the required request parameters are not sent. The connection will be closed midway through servicing the request and no new connections will be allowed to the server. Example: ==> GET /view_broadcast.cgi HTTP/1.0 <== HTTP/1.0 200 OK <== Content-Type: video/quicktime <== <== rtsp:// ^^ server drops connection Source Disclosure via HTTP Request for /parse_xml.cgi Script CVE ID: CAN-2003-0423 Affects: Darwin Streaming Server v4.1.3g and earlier Fixed: No fix is available at this time. Apple is aware of this issue and they are investigating it further. The source code of any file within the web root can be obtained by issuing a request for /parse_xml.cgi?filename=[file], where [file] is the file whose source code you wish to view. This is only a serious risk if the administrator has installed custom scripts on Darwin Streaming Server that need to be protected. Script Source Disclosure by Appending Special Characters CVE ID: CAN-2003-0424 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) The source code of any script can be obtained by appending the special characters %2e (period) or %20 (space) to an HTTP request for that script. For example, requesting /view_broadcast.cgi%2e will reveal the source code for that script. Web Root Traversal and Arbitrary File Disclosure (Win32) CVE ID: CAN-2003-0425 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Any file on the system can be retrieved by using three dots to break out of the web root. For example, requesting /.../qtusers will return the QuickTime user/password file. Default Install Allows Remote User to Set Admin Password CVE ID: CAN-2003-0426 Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only) Fixed: In version 4.1.3f (Mac OS X) When Darwin Streaming Server is first installed, the HTTP-based administration server (typically port 1220) presents a "Setup Assistant" page where the user is prompted to set a new administrator password. This would allow any remote user to connect and set up an administrator password before the server administrator has had a chance to do so. 6. Contact Information Rapid7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 7. Disclaimer and Copyright Rapid7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8 793Plejp5hw/r1OkojX2CQaB =OD0m -----END PGP SIGNATURE-----

The installation of Apple QuickTime / Darwin Streaming Server before 4.1.3f starts the administration server with a "Setup Assistant" page that allows remote attackers to set the administrator password and gain privileges before the real administrator. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Rapid7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose, the world's most advanced vulnerability scanner. Linux and Windows 2000/XP versions are available now! _______________________________________________________________________ Rapid7 Advisory R7-0015 Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Published: July 22, 2003 Revision: 1.0 http://www.rapid7.com/advisories/R7-0015.html CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424, CAN-2003-0425, CAN-2003-0426, CAN-2003-0502 1. Affected system(s): KNOWN VULNERABLE: o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X o QuickTime/Darwin Streaming Server v4.1.3 for Win32 o QuickTime/Darwin Streaming Server v4.1.3 for Linux UNKNOWN/NOT TESTED: o other platforms (Solaris) 2. Summary Several vulnerabilities have been found in the Apple QuickTime/Darwin Streaming Server, including denial of service, web root traversal, and script source disclosure. 3. Vendor status and information Apple http://www.apple.com/ The vendor has been notified and has released fixes for all but one of the issues, which is currently under investigation. 4. Solution Upgrade to version 4.1.3g or later of Darwin Streaming Server, which may be obtained as a free download from: http://developer.apple.com/darwin/projects/streaming/ Please see the next section for detailed fix information. 5. Detailed analysis There are several vulnerabilities. Denial of Service by HTTP Request for DOS Device Name CVE ID: CAN-2003-0421 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting a DOS device name (e.g. AUX) over HTTP (port 1220) will cause a denial of service on the server. An initial HTTP 404 response will be returned for the device request, but future requests will not be serviced. For example: ==> GET /AUX HTTP/1.0 Denial of Service by Request for ../ DOS Device Name CVE ID: CAN-2003-0502 Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only) Fixed: In version 4.1.3g (Win32) This is a variant of CAN-2003-0421. A fix for CAN-2003-0421 was included in Streaming Server version, 4.1.3f, but further testing revealed that it was vulnerable to a variant where the device name was prefixed by dotdot slash (../), as in: ==> GET /../AUX HTTP/1.0 Denial of Service by HTTP Request for /view_broadcast.cgi Script CVE ID: CAN-2003-0422 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting the /view_broadcast.cgi script over HTTP (port 1220) will cause a denial of service on the server if the required request parameters are not sent. The connection will be closed midway through servicing the request and no new connections will be allowed to the server. Example: ==> GET /view_broadcast.cgi HTTP/1.0 <== HTTP/1.0 200 OK <== Content-Type: video/quicktime <== <== rtsp:// ^^ server drops connection Source Disclosure via HTTP Request for /parse_xml.cgi Script CVE ID: CAN-2003-0423 Affects: Darwin Streaming Server v4.1.3g and earlier Fixed: No fix is available at this time. Apple is aware of this issue and they are investigating it further. The source code of any file within the web root can be obtained by issuing a request for /parse_xml.cgi?filename=[file], where [file] is the file whose source code you wish to view. This is only a serious risk if the administrator has installed custom scripts on Darwin Streaming Server that need to be protected. Script Source Disclosure by Appending Special Characters CVE ID: CAN-2003-0424 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) The source code of any script can be obtained by appending the special characters %2e (period) or %20 (space) to an HTTP request for that script. For example, requesting /view_broadcast.cgi%2e will reveal the source code for that script. Web Root Traversal and Arbitrary File Disclosure (Win32) CVE ID: CAN-2003-0425 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Any file on the system can be retrieved by using three dots to break out of the web root. For example, requesting /.../qtusers will return the QuickTime user/password file. 6. Contact Information Rapid7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 7. Disclaimer and Copyright Rapid7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8 793Plejp5hw/r1OkojX2CQaB =OD0m -----END PGP SIGNATURE-----

Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via an MS-DOS device name (e.g. AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0502. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Rapid7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose, the world's most advanced vulnerability scanner. Linux and Windows 2000/XP versions are available now! _______________________________________________________________________ Rapid7 Advisory R7-0015 Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Published: July 22, 2003 Revision: 1.0 http://www.rapid7.com/advisories/R7-0015.html CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424, CAN-2003-0425, CAN-2003-0426, CAN-2003-0502 1. Affected system(s): KNOWN VULNERABLE: o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X o QuickTime/Darwin Streaming Server v4.1.3 for Win32 o QuickTime/Darwin Streaming Server v4.1.3 for Linux UNKNOWN/NOT TESTED: o other platforms (Solaris) 2. 3. Vendor status and information Apple http://www.apple.com/ The vendor has been notified and has released fixes for all but one of the issues, which is currently under investigation. 4. Solution Upgrade to version 4.1.3g or later of Darwin Streaming Server, which may be obtained as a free download from: http://developer.apple.com/darwin/projects/streaming/ Please see the next section for detailed fix information. 5. Detailed analysis There are several vulnerabilities. An initial HTTP 404 response will be returned for the device request, but future requests will not be serviced. A fix for CAN-2003-0421 was included in Streaming Server version, 4.1.3f, but further testing revealed that it was vulnerable to a variant where the device name was prefixed by dotdot slash (../), as in: ==> GET /../AUX HTTP/1.0 Denial of Service by HTTP Request for /view_broadcast.cgi Script CVE ID: CAN-2003-0422 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting the /view_broadcast.cgi script over HTTP (port 1220) will cause a denial of service on the server if the required request parameters are not sent. The connection will be closed midway through servicing the request and no new connections will be allowed to the server. Example: ==> GET /view_broadcast.cgi HTTP/1.0 <== HTTP/1.0 200 OK <== Content-Type: video/quicktime <== <== rtsp:// ^^ server drops connection Source Disclosure via HTTP Request for /parse_xml.cgi Script CVE ID: CAN-2003-0423 Affects: Darwin Streaming Server v4.1.3g and earlier Fixed: No fix is available at this time. Apple is aware of this issue and they are investigating it further. The source code of any file within the web root can be obtained by issuing a request for /parse_xml.cgi?filename=[file], where [file] is the file whose source code you wish to view. This is only a serious risk if the administrator has installed custom scripts on Darwin Streaming Server that need to be protected. Script Source Disclosure by Appending Special Characters CVE ID: CAN-2003-0424 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) The source code of any script can be obtained by appending the special characters %2e (period) or %20 (space) to an HTTP request for that script. For example, requesting /view_broadcast.cgi%2e will reveal the source code for that script. Web Root Traversal and Arbitrary File Disclosure (Win32) CVE ID: CAN-2003-0425 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Any file on the system can be retrieved by using three dots to break out of the web root. For example, requesting /.../qtusers will return the QuickTime user/password file. Default Install Allows Remote User to Set Admin Password CVE ID: CAN-2003-0426 Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only) Fixed: In version 4.1.3f (Mac OS X) When Darwin Streaming Server is first installed, the HTTP-based administration server (typically port 1220) presents a "Setup Assistant" page where the user is prompted to set a new administrator password. This would allow any remote user to connect and set up an administrator password before the server administrator has had a chance to do so. 6. Contact Information Rapid7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 7. Disclaimer and Copyright Rapid7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8 793Plejp5hw/r1OkojX2CQaB =OD0m -----END PGP SIGNATURE-----

The 3Com 812 OfficeConnect is a widely used DSL router. 3Com 812 OfficeConnect lacks proper handling of long requests submitted by users to the management interface. Remote attackers can exploit this vulnerability to denial the device. The DSL router does not have any authentication for the user to perform management interface access. Any LAN user submits a request of more than 512 bytes to the WEB management interface, which may cause the router to crash and need to be restarted to obtain normal services. A problem in the 3Com 812 OfficeConnect has been reported that may result in the router becoming unstable. Because of this, an attacker may be able to deny service to legitimate users of the vulnerable router by submitting an excessively long request

Workgroup Manager in Apple Mac OS X Server 10.2 through 10.2.6 does not disable a password for a new account before it is saved for the first time, which allows remote attackers to gain unauthorized access via the new account before it is saved. It has been reported the OS X Server Workgroup Manager may create accounts in an insecure manner. This vulnerability may allow an attacker to gain unauthorized access or elevated privileges to an affected system via the newly created account. Mac OS X is an operating system used on Mac machines, based on the BSD system. However, no detailed vulnerability details have been provided so far

parse_xml.cgi in Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to obtain the source code for parseable files via the filename parameter. Apple QuickTime/Darwin Streaming Server is prone to a source disclosure issue. The issue exists in the parse_xml.cgi administrative script. This could permit an attacker to gain access to sensitive information contained within script source code. This issue is reported to affect versions up to and including 4.1.3g. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Rapid7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose, the world's most advanced vulnerability scanner. Linux and Windows 2000/XP versions are available now! _______________________________________________________________________ Rapid7 Advisory R7-0015 Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Published: July 22, 2003 Revision: 1.0 http://www.rapid7.com/advisories/R7-0015.html CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424, CAN-2003-0425, CAN-2003-0426, CAN-2003-0502 1. Affected system(s): KNOWN VULNERABLE: o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X o QuickTime/Darwin Streaming Server v4.1.3 for Win32 o QuickTime/Darwin Streaming Server v4.1.3 for Linux UNKNOWN/NOT TESTED: o other platforms (Solaris) 2. 3. Vendor status and information Apple http://www.apple.com/ The vendor has been notified and has released fixes for all but one of the issues, which is currently under investigation. 4. Solution Upgrade to version 4.1.3g or later of Darwin Streaming Server, which may be obtained as a free download from: http://developer.apple.com/darwin/projects/streaming/ Please see the next section for detailed fix information. 5. Detailed analysis There are several vulnerabilities. Denial of Service by HTTP Request for DOS Device Name CVE ID: CAN-2003-0421 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting a DOS device name (e.g. AUX) over HTTP (port 1220) will cause a denial of service on the server. An initial HTTP 404 response will be returned for the device request, but future requests will not be serviced. For example: ==> GET /AUX HTTP/1.0 Denial of Service by Request for ../ DOS Device Name CVE ID: CAN-2003-0502 Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only) Fixed: In version 4.1.3g (Win32) This is a variant of CAN-2003-0421. A fix for CAN-2003-0421 was included in Streaming Server version, 4.1.3f, but further testing revealed that it was vulnerable to a variant where the device name was prefixed by dotdot slash (../), as in: ==> GET /../AUX HTTP/1.0 Denial of Service by HTTP Request for /view_broadcast.cgi Script CVE ID: CAN-2003-0422 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting the /view_broadcast.cgi script over HTTP (port 1220) will cause a denial of service on the server if the required request parameters are not sent. The connection will be closed midway through servicing the request and no new connections will be allowed to the server. Example: ==> GET /view_broadcast.cgi HTTP/1.0 <== HTTP/1.0 200 OK <== Content-Type: video/quicktime <== <== rtsp:// ^^ server drops connection Source Disclosure via HTTP Request for /parse_xml.cgi Script CVE ID: CAN-2003-0423 Affects: Darwin Streaming Server v4.1.3g and earlier Fixed: No fix is available at this time. Apple is aware of this issue and they are investigating it further. The source code of any file within the web root can be obtained by issuing a request for /parse_xml.cgi?filename=[file], where [file] is the file whose source code you wish to view. This is only a serious risk if the administrator has installed custom scripts on Darwin Streaming Server that need to be protected. Script Source Disclosure by Appending Special Characters CVE ID: CAN-2003-0424 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) The source code of any script can be obtained by appending the special characters %2e (period) or %20 (space) to an HTTP request for that script. Web Root Traversal and Arbitrary File Disclosure (Win32) CVE ID: CAN-2003-0425 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Any file on the system can be retrieved by using three dots to break out of the web root. For example, requesting /.../qtusers will return the QuickTime user/password file. Default Install Allows Remote User to Set Admin Password CVE ID: CAN-2003-0426 Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only) Fixed: In version 4.1.3f (Mac OS X) When Darwin Streaming Server is first installed, the HTTP-based administration server (typically port 1220) presents a "Setup Assistant" page where the user is prompted to set a new administrator password. This would allow any remote user to connect and set up an administrator password before the server administrator has had a chance to do so. 6. Contact Information Rapid7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 7. Disclaimer and Copyright Rapid7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8 793Plejp5hw/r1OkojX2CQaB =OD0m -----END PGP SIGNATURE-----

Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via a request to view_broadcast.cgi that does not contain the required parameters. When an HTTP request is made to the view_broadcast.cgi script without specifying any parameters, the server will not accept new connections. This vulnerability was reported to affect QuickTime/Darwin Streaming Server 4.1.3e and earlier on Windows. Vulnerabilities exist in Apple QuickTime / Darwin Streaming versions prior to 4.1.3f. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Rapid7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose, the world's most advanced vulnerability scanner. Linux and Windows 2000/XP versions are available now! _______________________________________________________________________ Rapid7 Advisory R7-0015 Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Published: July 22, 2003 Revision: 1.0 http://www.rapid7.com/advisories/R7-0015.html CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424, CAN-2003-0425, CAN-2003-0426, CAN-2003-0502 1. Affected system(s): KNOWN VULNERABLE: o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X o QuickTime/Darwin Streaming Server v4.1.3 for Win32 o QuickTime/Darwin Streaming Server v4.1.3 for Linux UNKNOWN/NOT TESTED: o other platforms (Solaris) 2. 3. Vendor status and information Apple http://www.apple.com/ The vendor has been notified and has released fixes for all but one of the issues, which is currently under investigation. 4. Solution Upgrade to version 4.1.3g or later of Darwin Streaming Server, which may be obtained as a free download from: http://developer.apple.com/darwin/projects/streaming/ Please see the next section for detailed fix information. 5. Detailed analysis There are several vulnerabilities. Denial of Service by HTTP Request for DOS Device Name CVE ID: CAN-2003-0421 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting a DOS device name (e.g. An initial HTTP 404 response will be returned for the device request, but future requests will not be serviced. Example: ==> GET /view_broadcast.cgi HTTP/1.0 <== HTTP/1.0 200 OK <== Content-Type: video/quicktime <== <== rtsp:// ^^ server drops connection Source Disclosure via HTTP Request for /parse_xml.cgi Script CVE ID: CAN-2003-0423 Affects: Darwin Streaming Server v4.1.3g and earlier Fixed: No fix is available at this time. Apple is aware of this issue and they are investigating it further. The source code of any file within the web root can be obtained by issuing a request for /parse_xml.cgi?filename=[file], where [file] is the file whose source code you wish to view. This is only a serious risk if the administrator has installed custom scripts on Darwin Streaming Server that need to be protected. Script Source Disclosure by Appending Special Characters CVE ID: CAN-2003-0424 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) The source code of any script can be obtained by appending the special characters %2e (period) or %20 (space) to an HTTP request for that script. For example, requesting /view_broadcast.cgi%2e will reveal the source code for that script. Web Root Traversal and Arbitrary File Disclosure (Win32) CVE ID: CAN-2003-0425 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Any file on the system can be retrieved by using three dots to break out of the web root. For example, requesting /.../qtusers will return the QuickTime user/password file. Default Install Allows Remote User to Set Admin Password CVE ID: CAN-2003-0426 Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only) Fixed: In version 4.1.3f (Mac OS X) When Darwin Streaming Server is first installed, the HTTP-based administration server (typically port 1220) presents a "Setup Assistant" page where the user is prompted to set a new administrator password. This would allow any remote user to connect and set up an administrator password before the server administrator has had a chance to do so. 6. Contact Information Rapid7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 7. Disclaimer and Copyright Rapid7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8 793Plejp5hw/r1OkojX2CQaB =OD0m -----END PGP SIGNATURE-----

Directory traversal vulnerability in Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to read arbitrary files via a ... (triple dot) in an HTTP request. This vulnerability may be possible to exploit using "/.../" sequences within the request sent to the server. This vulnerability was reported to affect QuickTime/Darwin Streaming Server 4.1.3e and earlier on Windows. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Rapid7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose, the world's most advanced vulnerability scanner. Linux and Windows 2000/XP versions are available now! _______________________________________________________________________ Rapid7 Advisory R7-0015 Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Published: July 22, 2003 Revision: 1.0 http://www.rapid7.com/advisories/R7-0015.html CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424, CAN-2003-0425, CAN-2003-0426, CAN-2003-0502 1. Affected system(s): KNOWN VULNERABLE: o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X o QuickTime/Darwin Streaming Server v4.1.3 for Win32 o QuickTime/Darwin Streaming Server v4.1.3 for Linux UNKNOWN/NOT TESTED: o other platforms (Solaris) 2. 3. Vendor status and information Apple http://www.apple.com/ The vendor has been notified and has released fixes for all but one of the issues, which is currently under investigation. 4. Solution Upgrade to version 4.1.3g or later of Darwin Streaming Server, which may be obtained as a free download from: http://developer.apple.com/darwin/projects/streaming/ Please see the next section for detailed fix information. 5. Detailed analysis There are several vulnerabilities. Denial of Service by HTTP Request for DOS Device Name CVE ID: CAN-2003-0421 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting a DOS device name (e.g. AUX) over HTTP (port 1220) will cause a denial of service on the server. An initial HTTP 404 response will be returned for the device request, but future requests will not be serviced. For example: ==> GET /AUX HTTP/1.0 Denial of Service by Request for ../ DOS Device Name CVE ID: CAN-2003-0502 Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only) Fixed: In version 4.1.3g (Win32) This is a variant of CAN-2003-0421. A fix for CAN-2003-0421 was included in Streaming Server version, 4.1.3f, but further testing revealed that it was vulnerable to a variant where the device name was prefixed by dotdot slash (../), as in: ==> GET /../AUX HTTP/1.0 Denial of Service by HTTP Request for /view_broadcast.cgi Script CVE ID: CAN-2003-0422 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting the /view_broadcast.cgi script over HTTP (port 1220) will cause a denial of service on the server if the required request parameters are not sent. The connection will be closed midway through servicing the request and no new connections will be allowed to the server. Example: ==> GET /view_broadcast.cgi HTTP/1.0 <== HTTP/1.0 200 OK <== Content-Type: video/quicktime <== <== rtsp:// ^^ server drops connection Source Disclosure via HTTP Request for /parse_xml.cgi Script CVE ID: CAN-2003-0423 Affects: Darwin Streaming Server v4.1.3g and earlier Fixed: No fix is available at this time. Apple is aware of this issue and they are investigating it further. The source code of any file within the web root can be obtained by issuing a request for /parse_xml.cgi?filename=[file], where [file] is the file whose source code you wish to view. This is only a serious risk if the administrator has installed custom scripts on Darwin Streaming Server that need to be protected. Script Source Disclosure by Appending Special Characters CVE ID: CAN-2003-0424 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) The source code of any script can be obtained by appending the special characters %2e (period) or %20 (space) to an HTTP request for that script. For example, requesting /view_broadcast.cgi%2e will reveal the source code for that script. Web Root Traversal and Arbitrary File Disclosure (Win32) CVE ID: CAN-2003-0425 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Any file on the system can be retrieved by using three dots to break out of the web root. For example, requesting /.../qtusers will return the QuickTime user/password file. Default Install Allows Remote User to Set Admin Password CVE ID: CAN-2003-0426 Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only) Fixed: In version 4.1.3f (Mac OS X) When Darwin Streaming Server is first installed, the HTTP-based administration server (typically port 1220) presents a "Setup Assistant" page where the user is prompted to set a new administrator password. This would allow any remote user to connect and set up an administrator password before the server administrator has had a chance to do so. 6. Contact Information Rapid7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 7. Disclaimer and Copyright Rapid7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8 793Plejp5hw/r1OkojX2CQaB =OD0m -----END PGP SIGNATURE-----

Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to obtain the source code for scripts by appending encoded space (%20) or . (%2e) characters to an HTTP request for the script, e.g. view_broadcast.cgi. A problem in the handling of requests appended with special characters has been reported in Apple QuickTime/Darwin Streaming Server. This issue may make it possible for an attacker to gain unauthorized access to source code hosted by the server. This vulnerability was reported to affect QuickTime/Darwin Streaming Server 4.1.3e and earlier on Windows. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Rapid7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose, the world's most advanced vulnerability scanner. Linux and Windows 2000/XP versions are available now! _______________________________________________________________________ Rapid7 Advisory R7-0015 Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Published: July 22, 2003 Revision: 1.0 http://www.rapid7.com/advisories/R7-0015.html CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424, CAN-2003-0425, CAN-2003-0426, CAN-2003-0502 1. Affected system(s): KNOWN VULNERABLE: o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X o QuickTime/Darwin Streaming Server v4.1.3 for Win32 o QuickTime/Darwin Streaming Server v4.1.3 for Linux UNKNOWN/NOT TESTED: o other platforms (Solaris) 2. Summary Several vulnerabilities have been found in the Apple QuickTime/Darwin Streaming Server, including denial of service, web root traversal, and script source disclosure. 3. Vendor status and information Apple http://www.apple.com/ The vendor has been notified and has released fixes for all but one of the issues, which is currently under investigation. 4. Solution Upgrade to version 4.1.3g or later of Darwin Streaming Server, which may be obtained as a free download from: http://developer.apple.com/darwin/projects/streaming/ Please see the next section for detailed fix information. 5. Detailed analysis There are several vulnerabilities. Denial of Service by HTTP Request for DOS Device Name CVE ID: CAN-2003-0421 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting a DOS device name (e.g. AUX) over HTTP (port 1220) will cause a denial of service on the server. An initial HTTP 404 response will be returned for the device request, but future requests will not be serviced. For example: ==> GET /AUX HTTP/1.0 Denial of Service by Request for ../ DOS Device Name CVE ID: CAN-2003-0502 Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only) Fixed: In version 4.1.3g (Win32) This is a variant of CAN-2003-0421. A fix for CAN-2003-0421 was included in Streaming Server version, 4.1.3f, but further testing revealed that it was vulnerable to a variant where the device name was prefixed by dotdot slash (../), as in: ==> GET /../AUX HTTP/1.0 Denial of Service by HTTP Request for /view_broadcast.cgi Script CVE ID: CAN-2003-0422 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting the /view_broadcast.cgi script over HTTP (port 1220) will cause a denial of service on the server if the required request parameters are not sent. The connection will be closed midway through servicing the request and no new connections will be allowed to the server. Example: ==> GET /view_broadcast.cgi HTTP/1.0 <== HTTP/1.0 200 OK <== Content-Type: video/quicktime <== <== rtsp:// ^^ server drops connection Source Disclosure via HTTP Request for /parse_xml.cgi Script CVE ID: CAN-2003-0423 Affects: Darwin Streaming Server v4.1.3g and earlier Fixed: No fix is available at this time. Apple is aware of this issue and they are investigating it further. The source code of any file within the web root can be obtained by issuing a request for /parse_xml.cgi?filename=[file], where [file] is the file whose source code you wish to view. This is only a serious risk if the administrator has installed custom scripts on Darwin Streaming Server that need to be protected. For example, requesting /view_broadcast.cgi%2e will reveal the source code for that script. Web Root Traversal and Arbitrary File Disclosure (Win32) CVE ID: CAN-2003-0425 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Any file on the system can be retrieved by using three dots to break out of the web root. For example, requesting /.../qtusers will return the QuickTime user/password file. Default Install Allows Remote User to Set Admin Password CVE ID: CAN-2003-0426 Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only) Fixed: In version 4.1.3f (Mac OS X) When Darwin Streaming Server is first installed, the HTTP-based administration server (typically port 1220) presents a "Setup Assistant" page where the user is prompted to set a new administrator password. This would allow any remote user to connect and set up an administrator password before the server administrator has had a chance to do so. 6. Contact Information Rapid7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 7. Disclaimer and Copyright Rapid7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8 793Plejp5hw/r1OkojX2CQaB =OD0m -----END PGP SIGNATURE-----

The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. OpenSSL Is SSL/TLS Due to incomplete implementation of do_change_cipher_spec() In the function NULL A vulnerability exists where pointers are not handled properly.OpenSSL An application that uses the service disrupts service operation (DoS) It may be in a state. OpenSSL is an open source SSL implementation used to implement high-strength encryption of network communications. It is now widely used in various network applications.  Using the Codenomicon TLS test tool, OpenSSL found a NULL pointer allocation in the do_change_cipher_spec () function. Applications that rely on this library will generate a denial of service. For the first issue, a NULL-pointer assignment can be triggered by attackers during SSL/TLS handshake exchanges. The CVE candidate name for this vulnerability is CAN-2004-0079. Versions 0.9.6c to 0.9.6k (inclusive) and from 0.9.7a to 0.9.7c (inclusive) are vulnerable. The second issue is also exploited during the SSL/TLS handshake, but only when Kerberos ciphersuites are in use. The vendor has reported that this vulnerability may not be a threat to many, because it occurs only when Kerberos ciphersuites are in use, an uncommon configuration. The CVE candidate name for this vulnerability is CAN-2004-0112. Versions 0.9.7a, 0.9.7b, and 0.9.7c are affected. This entry will be retired when individual BID records are created for each issue. *Note: A third denial-of-service vulnerability included in the announcement was discovered affecting 0.9.6 and fixed in 0.9.6d. The CVE candidate name for this vulnerability is CAN-2004-0081. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available. Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues. Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues. Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue. CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues. CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues. Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues. HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue. Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues. loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue. Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue. MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues. ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue. QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue. Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues. SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue. servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue. servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue. SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues. traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue. WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue. Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue. X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue. zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business and Applications, Oracle Enterprise Manager Grid Control, and Oracle PeopleSoft Applications are reported prone to multiple vulnerabilities. Oracle has released a Critical Patch Update to address these issues in various supported applications and platforms. The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. While various levels of authorization are required to leverage some issues, others do not require any authorization. This BID will be divided and updated into separate BIDs when more information is available. It supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, security hashing algorithm, etc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Cisco OpenSSL Implementation Vulnerability Revision 1.0 For Public Release 2004 March 17 at 1300 UTC (GMT) ---------------------------------------------------------------------- Contents Summary Affected Products Details Impact Software Versions and Fixes Obtaining Fixed Software Workarounds Exploitation and Public Announcements Status of This Notice: INTERIM Distribution Revision History Cisco Security Procedures ---------------------------------------------------------------------- Summary A new vulnerability in the OpenSSL implementation for SSL has been announced on March 17, 2004. An affected network device running an SSL server based on an affected OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack. There are workarounds available to mitigate the effects of this vulnerability on Cisco products in the workaround section of this advisory. Cisco is providing fixed software, and recommends that customers upgrade to it when it is available. This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml. * Cisco IOS 12.1(11)E and later in the 12.1E release train. Only crypto images (56i and k2) are vulnerable for the Cisco 7100 and 7200 Series Routers. * Cisco IOS 12.2SY release train. Only crypto images (k8, k9 and k91) are vulnerable for the Cisco Catalyst 6500 Series and Cisco 7600 Series Routers. * Cisco PIX Firewall * Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series and Cisco 7600 Series routers * Cisco MDS 9000 Series Multilayer Switch * Cisco Content Service Switch (CSS) 11000 series * Cisco Global Site Selector (GSS) 4480 * CiscoWorks Common Services (CWCS) version 2.2 and CiscoWorks Common Management Foundation (CMF) version 2.1 * Cisco Access Registrar (CAR) The following products have their SSL implementation based on the OpenSSL code and are not affected by this vulnerability. * Cisco Secure Intrusion Detection System (NetRanger) appliance. This includes the IDS-42xx appliances, NM-CIDS and WS-SVS-IDSM2. * Cisco SN 5428 and SN 5428-2 Storage Router * Cisco CNS Configuration Engine * Cisco Network Analysis Modules (NAM) for the Cisco Catalyst 6000 and 6500 Series switches and Cisco 7600 Series routers * Cisco SIP Proxy Server (SPS) * CiscoWorks 1105 Hosting Solution Engine (HSE) * CiscoWorks 1105 Wireless LAN Solution Engine (WLSE) * Cisco Ethernet Subscriber Solution Engine (ESSE) The following products, which implement SSL, are not affected by this vulnerability. * Cisco VPN 3000 Series Concentrators CatOS does not implement SSL and is not vulnerable. No other Cisco products are currently known to be affected by this vulnerability. This vulnerability is still being actively investigated across Cisco products and status of some products has still not been determined. Details Secure Sockets Layer (SSL), is a protocol used to encrypt the data transferred over an TCP session. SSL in Cisco products is mainly used by the HyperText Transfer Protocol Secure (HTTPS) web service for which the default TCP port is 443. The affected products, listed above, are only vulnerable if they have the HTTPS service enabled and the access to the service is not limited to trusted hosts or network management workstations. To check if the HTTPS service is enabled one can do the following: 1. Check the configuration on the device to verify the status of the HTTPS service. 2. Try to connect to the device using a standard web browser that supports SSL using a URL similar to https://ip_address_of_device/. 3. Try and connect to the default HTTPS port, TCP 443, using Telnet. telnet ip_address_of_device 443. If the session connects the service is enabled and accessible. This crash on many Cisco products would cause the device to reload. A third vulnerability described in the NISCC advisory is a bug in older versions of OpenSSL, versions before 0.9.6d, that can also lead to a Denial of Service attack. None of the Cisco OpenSSL implementations are known to be affected by this older OpenSSL issue. * Cisco IOS - All 12.1(11)E and later IOS software crypto (56i and k2) image releases in the 12.1E release train for the Cisco 7100 and 7200 Series Routers are affected by this vulnerability. All IOS software crypto (k8, k9, and k91) image releases in the 12.2SY release train for the Cisco Catalyst 6500 Series and Cisco 7600 Series Routers are affected by this vulnerability. The SSH implementation in IOS is not dependent on any OpenSSL code. SSH implementations in IOS do not handle certificates, yet, and therefore do not use any SSL code for SSH. OpenSSL in 12.1E and 12.2SY release trains is only used for providing the HTTPS and VPN Device Manager (VDM) services. This vulnerability is documented in the Cisco Bug Toolkit (registered customers only) as Bug ID CSCee00041. The HTTPS web service, that uses the OpenSSL code, on the device is disabled by default. The no ip http secure-server command may be used to disable the HTTPS web service on the device, if required. The SSH and IPSec services in IOS are not vulnerable to this vulnerability. * Cisco PIX Firewall - PIX 6.x releases are affected by this vulnerability. PIX 5.x releases do not contain any SSL code and are not vulnerable. This vulnerability is documented in the Cisco Bug Toolkit (registered customers only) as Bug ID CSCed90672. * Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series and Cisco 7600 Series routers - This vulnerability is documented in the Cisco Bug Toolkit (registered customers only) as Bug ID CSCee02055. * Cisco MDS 9000 Series Multilayer Switches - This vulnerability is documented in the Cisco Bug Toolkit (registered customers only) as Bug ID CSCed96246. * Cisco Content Service Switch (CSS) 11000 series - WebNS version 6.x and 7.x are affected by this vulnerability. This vulnerability is documented in the Cisco Bug Toolkit (registered customers only) as Bug ID CSCee01234 for SCM and is documented in the Cisco Bug Toolkit (registered customers only) as Bug ID CSCee01240 for the SSL module. * Cisco Global Site Selector (GSS) 4480 - This vulnerability is documented in the Cisco Bug Toolkit (registered customers only) as Bug ID CSCee01057. * CiscoWorks Common Services (CWCS) version 2.2 and CiscoWorks Common Management Foundation (CMF) version 2.1 - This vulnerability is documented in the Cisco Bug Toolkit (registered customers only) as Bug ID CSCsa13748. * Cisco Access Registrar (CAR) - This vulnerability is documented in the Cisco Bug Toolkit (registered customers only) as Bug ID CSCee01956. The Internetworking Terms and Cisco Systems Acronyms online guides can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/. Impact An affected network device running an SSL server based on the OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack. Software Versions and Fixes * Cisco IOS - +----------------------------------------+ |Release| Fixed Releases |Availability | | Train | | | |-------+------------------+-------------| |12.2SY |12.2(14)SY4 |March 25 | |-------+------------------+-------------| | |12.1(13)E14 |April 8 | |12.1E |12.1.(19)E7 |April 8 | | |12.1(20)E3 |April 26 | +----------------------------------------+ * Cisco PIX Firewall - The vulnerability is fixed in software releases 6.0(4)102, 6.1(5)102, 6.2(3)107, and 6.3(3)124. These engineering builds may be obtained by contacting the Cisco Technical Assistance Center (TAC). TAC Contact information is given in the Obtaining Fixed Software section below. * Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series and Cisco 7600 Series routers - The vulnerability is fixed in software release 1.1.3(14) which will be available by Monday, 22 of March, 2004. This engineering builds may be obtained by contacting the Cisco Technical Assistance Center (TAC). TAC Contact information is given in the Obtaining Fixed Software section below. * Cisco MDS 9000 Series Multilayer Switches - No fixed software release or software availability date has been determined yet. * Cisco Content Service Switch (CSS) 11000 series -No fixed software release or software availability date has been determined yet. * Cisco Global Site Selector (GSS) 4480 - No fixed software release or software availability date has been determined yet. * CiscoWorks Common Services (CWCS) version 2.2 and CiscoWorks Common Management Foundation (CMF) version 2.1 - No fixed software release or software availability date has been determined yet. * Cisco Access Registrar (CAR) - The vulnerability is fixed in software release 3.5.0.12 which will be available by Friday, 26 of March, 2004. Obtaining Fixed Software Cisco is offering free software upgrades to address this vulnerability for all affected customers. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, Customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at the Cisco Connection Online Software Center at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com/tacpage/sw-center. To access the software download URL, you must be a registered user and you must be logged in. Customers whose Cisco products are provided or maintained through a prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers, should contact that support organization for assistance with obtaining the software upgrade(s). Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC) using the contact information listed below. In these cases, customers are entitled to obtain a free upgrade to a later version of the same release or as indicated by the applicable corrected software version in the Software Versions and Fixes section (noted above). Cisco TAC contacts are as follows: * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages. Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a upgrade. Upgrades for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades. Workarounds The Cisco PSIRT recommends that affected users upgrade to a fixed software version of code as soon as it is available. * Restrict access to the HTTPS server on the network device. Allow access to the network device only from trusted workstations by using access lists / MAC filters that are available on the affected platforms. * Disable the SSL server / service on the network device. This workaround must be weighed against the need for secure communications with the vulnerable device. Exploitation and Public Announcements The Cisco PSIRT is not aware of any malicious use of the vulnerability described in this advisory. This vulnerability was reported to Cisco PSIRT by NISCC. Status of This Notice: INTERIM This is an interim advisory. Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this advisory. A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution This advisory will be posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml . In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key having the fingerprint 8C82 5207 0CA9 ED40 1DD2 EE2A 7B31 A8CF 32B6 B590 and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org (includes CERT/CC) * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.netsys.com * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History +------------------------------------------+ |Revision 1.0|2004-March-17|Initial | | | |release. | +------------------------------------------+ Cisco Security Procedures Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. This advisory is copyright 2004 by Cisco Systems, Inc. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information. ---------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Comment: PGP Signed by Sharad Ahlawat, Cisco Systems PSIRT iD8DBQFAWFvZezGozzK2tZARAqIwAKDXDMLAY6eDYyU8y1MhKZUto2SRxwCg+oid 7AhsNlLsNVSLwTRKTHSigu0= =gtba -----END PGP SIGNATURE----- . Any application that makes use of OpenSSL's SSL/TLS library may be affected. Any application that makes use of OpenSSL's SSL/TLS library may be affected. Recommendations --------------- Upgrade to OpenSSL 0.9.7d or 0.9.6m. Recompile any OpenSSL applications statically linked to OpenSSL libraries. OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): ftp://ftp.openssl.org/source/ The distribution file names are: o openssl-0.9.7d.tar.gz MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5 o openssl-0.9.6m.tar.gz [normal] MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9 o openssl-engine-0.9.6m.tar.gz [engine] MD5 checksum: 4c39d2524bd466180f9077f8efddac8c The checksums were calculated using the following command: openssl md5 openssl-0.9*.tar.gz Credits ------- Patches for these issues were created by Dr Stephen Henson (steve@openssl.org) of the OpenSSL core team. The OpenSSL team would like to thank Codenomicon for supplying the TLS Test Tool which was used to discover these vulnerabilities, and Joe Orton of Red Hat for performing the majority of the testing. References ---------- http://www.codenomicon.com/testtools/tls/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112 URL for this Security Advisory: http://www.openssl.org/news/secadv_20040317.txt