VARIoT IoT vulnerabilities database

VAR-200308-0210 | No CVE | Cisco 7900 Series VoIP Phone ARP Spoofing Remote Denial of Service Attack Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Cisco 7900 Series is a family of IP telephony devices. The Cisco 7900 Series handles spoofed ARP messages incorrectly. A remote attacker can exploit this vulnerability to perform a denial of service attack on a device, or to intercept packets as a "man in the middle". No detailed vulnerability details are currently available.
Other attacks including man in the middle style attacks, for example packet injection and data interception have also been reported possible
VAR-200308-0211 | No CVE | Cisco Content Services Switch ONDM Ping Failed Remote Denial of Service Attack Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Cisco 11000 CSS is a content services switch. Sending a large number of TCP SYN packets directly to the CSS switch's circuit address can interrupt CSS internal message communication, resulting in a denial of service due to excessive CPU utilization. In the CS800 chassis, the system control module (SCM) sends an ONDM (online diagnostics monitor) message to each SFP card in order to check whether the interface is active; if the SCM does not get a response within 30 seconds, it restarts the CS800 without creating any CORE information. When a large number of SYN packets are sent to the circuit IP interface of the CSS switch, the traffic is passed to the SCM through the internal MADLAN Ethernet interface. If the internal interface is overloaded, the ONDM ping requests and responses are discarded, internal communication stops, and the result is a denial of service. It has been reported that under certain circumstances, it may be possible for remote attackers to force the System Controller Module (SCM) on Cisco Content Service Switches to reboot. A component on the device known as the Online Diagnostics Monitor (ONDM) periodically sends out ping packets to other components to verify functionality. It may be possible to prevent delivery of these ping packets, causing the router to believe the component is not functional and cause the SCM to reboot the device
VAR-200308-0212 | No CVE | D-Link DI-704P Long URL Remote Denial of Service Attack Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The D-Link 704p is a 4-port DSL/CABLE router. The D-Link 704p management interface incorrectly handles long requests submitted by users. A remote attacker can exploit this vulnerability to perform a denial of service attack on the router. The D-Link 704p can be configured for remote management. An attacker can connect to the web service of the management interface and submit a long URL request, which can cause the router to stop responding; it must then be restarted to restore normal service.
The issue presents itself when a request of excessive length is sent to the router. This causes the device to behave in an unstable manner.
Malicious requests may result in a complete denial of service condition requiring a device reboot, or the loss of the ability to log in to the administration interface.
Although unconfirmed, it should be noted that other D-Link devices that use related firmware might also be affected
VAR-200312-0010 | CVE-2003-1310 | Symantec Norton AntiVirus Device Driver Memory Overwrite Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
The DeviceIoControl function in the Norton Device Driver (NAVAP.sys) in Symantec Norton AntiVirus 2002 allows local users to gain privileges by overwriting memory locations via certain control codes (aka "Device Driver Attack"). According to the report, one of the device control operation handlers attempts to write data to an address offset from a pointer parameter passed to DeviceIoControl(). There is no validation on the parameter supplied or the address written to. This vulnerability can be exploited by unprivileged userland programs to crash the affected host or potentially elevate privileges. Norton Antivirus is a popular anti-virus system
VAR-200308-0245 | No CVE | Cisco IOS UDP Echo Service Memory Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
It has been reported that under some circumstances, a Cisco appliance running IOS may answer malicious malformed UDP echo packets with replies that contain partial contents from the affected router's memory.
VAR-200308-0163 | CVE-2003-0647 | Cisco IOS HTTP Server vulnerable to buffer overflow when processing overly large malformed HTTP GET request |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in the HTTP server for Cisco IOS 12.2 and earlier allows remote attackers to execute arbitrary code via an extremely long (2GB) HTTP GET request. IOS is prone to a remote security vulnerability. Cisco IOS is a very widely deployed network operating system. Many Cisco devices run IOS. The HTTP service program of the Cisco IOS device does not properly handle large data requests. Remote attackers can use this vulnerability to perform buffer overflow attacks on the service, and may run arbitrary commands on the device with system privileges
VAR-200307-0134 | No CVE | Cisco IOS 2GB HTTP GET Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The HTTP server on Cisco IOS devices is prone to a buffer overrun that can be triggered by sending 2GB of data. This may be exploited to execute arbitrary code on a vulnerable device.
VAR-200308-0014 | CVE-2003-0466 | realpath(3) function contains off-by-one buffer overflow |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO. A function originally derived from 4.4BSD, realpath(3), contains a vulnerability that may permit a malicious user to gain root access to the server. This function was derived from the FreeBSD 3.x tree. Other applications and operating systems that use or were derived from this code base may be affected. This problem was originally reported to affect WU-FTPd. It has been discovered to affect various BSD implementations as well. In the fb_realpath() function of WU-FTPD, the buffer used to handle the path is MAXPATHLEN bytes long, but a path one byte longer than that (MAXPATHLEN+1) can actually be delivered, so an off-by-one buffer overflow vulnerability exists. Arbitrary commands may be executed with root privileges. The 'realpath()' function is a C-library procedure to resolve the canonical, absolute pathname of a file based on a path that may contain values such as '/', './', '../', or symbolic links. A vulnerability that was reported to affect the implementation of 'realpath()' in WU-FTPD has led to the discovery that at least one implementation of the C library is also vulnerable. FreeBSD has announced that the off-by-one stack-buffer-overflow vulnerability is present in their libc. Other systems are also likely vulnerable.
Reportedly, this vulnerability has been successfully exploited against WU-FTPD to execute arbitrary instructions.
NOTE: Patching the C library alone may not remove all instances of this vulnerability. Statically linked programs may need to be rebuilt with a patched version of the C library. Also, some applications may implement their own version of 'realpath()'. These applications would require their own patches. FreeBSD has published a large list of applications that use 'realpath()'. Administrators of FreeBSD and other systems are urged to review it. For more information, see the advisory 'FreeBSD-SA-03:08.realpath'. The realpath(3) function is used to determine the canonical absolute pathname of a given pathname. The realpath(3) function is part of the FreeBSD standard C library. If the resolved pathname is 1024 bytes long and contains two directory separators, a single NUL byte can be written past the end of the buffer passed to the realpath(3) function. Applications that use the realpath(3) function can thus be made to crash (denial of service), execute arbitrary code, or escalate privileges. sftp-server(8) is part of OpenSSH, and realpath(3) is used to process the chdir command. 1 cdparanoia-3.9.
Synopsis: wu-ftpd fb_realpath() off-by-one bug
Product: wu-ftpd
Version: 2.5.0 <= 2.6.2
Vendor: http://www.wuftpd.org/
URL: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0466
Author: Wojciech Purczynski <cliph@isec.pl>
Janusz Niewiadomski <funkysh@isec.pl>
Date: July 31, 2003
Issue:
======
Wu-ftpd FTP server contains a remotely exploitable off-by-one bug. A local
or remote attacker could exploit this vulnerability to gain root
privileges on a vulnerable system.
Details:
========
An off-by-one bug exists in the fb_realpath() function.
The overflowed buffer lies on the stack.
The bug results from misuse of rootd variable in the calculation of
length of a concatenated string:
------8<------cut-here------8<------
/*
 * Join the two strings together, ensuring that the right thing
 * happens if the last component is empty, or the dirname is root.
 */
if (resolved[0] == '/' && resolved[1] == '\0')
        rootd = 1;
else
        rootd = 0;
if (*wbuf) {
        if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
                errno = ENAMETOOLONG;
                goto err1;
        }
        if (rootd == 0)
                (void) strcat(resolved, "/");
        (void) strcat(resolved, wbuf);
}
------8<------cut-here------8<------
Since the path is constructed from the current working directory and a file
name specified as a parameter to various FTP commands, an attacker needs to
create a deep directory structure. This may occur for example if wu-ftpd is compiled
with some versions of the Linux kernel where PATH_MAX (and MAXPATHLEN
accordingly) is defined to be exactly 4095 characters. In such cases,
the buffer is padded with an extra byte because of variable alignment
which is a result of code optimization.
Linux 2.2.x and some early 2.4.x kernel versions define PATH_MAX to be
4095 characters, thus only wu-ftpd binaries compiled on 2.0.x or later 2.4.x
kernels are affected. We believe that exploitation of other
little-endian systems is also possible.
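As an added illustration that is not part of the iSEC advisory, the C program below reproduces the length check from the fb_realpath() snippet above against a toy MAXPATHLEN of 16 (an assumption chosen so the arithmetic is easy to follow; the names vulnerable_check_passes, fixed_check_passes, bytes_needed and join_overflows are mine, not wu-ftpd's). It shows both consequences of the misused rootd term: when the directory is not "/", a separator is appended but not counted, so the check admits a join whose terminating NUL lands one byte past the buffer; when the directory is "/", no separator is appended but one is counted, so a path that would fit is rejected. The join runs into a buffer one byte larger than the toy MAXPATHLEN with a sentinel in the extra byte, so the overrun is observed rather than committed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Toy MAXPATHLEN so the arithmetic is easy to follow (assumption: real
 * systems use 1024 or 4096). */
#define TOY_MAXPATHLEN 16
#define SENTINEL 0x7f

/* rootd exactly as the advisory's snippet computes it. */
static int is_root_dir(const char *resolved)
{
    return (resolved[0] == '/' && resolved[1] == '\0') ? 1 : 0;
}

/* The length check as written in the vulnerable fb_realpath(). */
static int vulnerable_check_passes(const char *resolved, const char *wbuf)
{
    int rootd = is_root_dir(resolved);
    return strlen(resolved) + strlen(wbuf) + rootd + 1 <= TOY_MAXPATHLEN;
}

/* Corrected check: a '/' is appended only when rootd == 0, so the extra
 * byte must be counted when rootd is 0, not when it is 1. */
static int fixed_check_passes(const char *resolved, const char *wbuf)
{
    int rootd = is_root_dir(resolved);
    return strlen(resolved) + strlen(wbuf) + (1 - rootd) + 1 <= TOY_MAXPATHLEN;
}

/* Bytes the joined string really occupies, terminating NUL included. */
static size_t bytes_needed(const char *resolved, const char *wbuf)
{
    int rootd = is_root_dir(resolved);
    return strlen(resolved) + (rootd ? 0 : 1) + strlen(wbuf) + 1;
}

/* Run the snippet's strcat() sequence into a buffer one byte larger than
 * TOY_MAXPATHLEN, with a sentinel in the extra byte. Returns 1 if the
 * sentinel was clobbered (the join wrote past a MAXPATHLEN-sized buffer),
 * 0 if the join fit or was rejected, -1 if the directory itself does not fit. */
static int join_overflows(const char *dir, const char *name)
{
    char resolved[TOY_MAXPATHLEN + 1];
    int rootd;

    if (strlen(dir) >= TOY_MAXPATHLEN)
        return -1;
    memset(resolved, 0, sizeof resolved);
    strcpy(resolved, dir);
    resolved[TOY_MAXPATHLEN] = SENTINEL;
    rootd = is_root_dir(resolved);

    if (*name) {
        if (strlen(resolved) + strlen(name) + rootd + 1 > TOY_MAXPATHLEN) {
            errno = ENAMETOOLONG;      /* the snippet's err1 path */
            return 0;
        }
        if (rootd == 0)
            strcat(resolved, "/");
        strcat(resolved, name);
    }
    return resolved[TOY_MAXPATHLEN] != SENTINEL;
}

int main(void)
{
    /* Constructed inputs: 9 + 1 + 6 characters fill all 16 bytes, leaving
     * no room for the terminating NUL. */
    const char *dir = "/home/ftp", *name = "abcdef";
    printf("vulnerable check admits: %d\n", vulnerable_check_passes(dir, name));
    printf("fixed check admits:      %d\n", fixed_check_passes(dir, name));
    printf("bytes needed: %zu (buffer is %d)\n", bytes_needed(dir, name), TOY_MAXPATHLEN);
    printf("join wrote past buffer:  %d\n", join_overflows(dir, name));
    /* The other half of the bug: a 14-character name under "/" fits
     * exactly, yet the vulnerable check rejects it. */
    printf("root case admitted by vulnerable/fixed check: %d/%d\n",
           vulnerable_check_passes("/", "abcdefghijklmn"),
           fixed_check_passes("/", "abcdefghijklmn"));
    return 0;
}
```

The corrected comparison is the one-character change a maintainer would make: count the separator when it is actually appended. The sentinel technique is also a cheap way to confirm such a fix in a unit test without relying on a crash.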
Impact:
=======
Authenticated local user or anonymous FTP user with write-access could
execute arbitrary code with root privileges.
Vendor Status:
==============
June 1, 2003 security@wu-ftpd.org has been notified
June 9, 2003 Request for confirmation of receipt sent to security@wu-ftpd.org
June 11, 2003 Response received from Kent Landfield
July 3, 2003 Request for status update sent
July 19, 2003 vendor-sec list notified
July 31, 2003 Coordinated public disclosure
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0466 to this issue.
--
Janusz Niewiadomski
iSEC Security Research
http://isec.pl/
VAR-200308-0076 | CVE-2003-0511 | Cisco AP1x00 HTTP GET Request Remote Denial Of Service Attack Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web server for Cisco Aironet AP1x00 Series Wireless devices running certain versions of IOS 12.2 allow remote attackers to cause a denial of service (reload) via a malformed URL. The Cisco Aironet AP1X00 series is a wireless access point issued by Cisco that provides wireless access solutions based on the 802.11b WIFI standard.
The web interface of the Cisco Aironet AP1X00 does not properly handle HTTP GET requests. A remote attacker could use this vulnerability to conduct a denial of service attack on the device. This attack does not require any authentication. After the attack is successful, the device needs to be restarted or it cannot service normal communications.
All VxWorks software-based Cisco Aironet Access Point 1200s are not affected by this vulnerability. These software versions include 11.56, 12.01T1, 12.02T1, and 12.03T. Such a request will cause the device to reload.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: HTTP GET Vulnerability in AP1x00
Revision 1.0
For Public Release 2003 July 28 16:00 UTC (GMT)
----------------------------------------------------------------------
Contents
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures
----------------------------------------------------------------------
Summary
A vulnerability has been reported by an external researcher in Cisco
IOS(R) release for Cisco Aironet AP1x00 Series Wireless devices. This
vulnerability can cause the AP1x00 to reload and is documented as Cisco
bug ID CSCeb49869 (registered customers only) (also CAN-2003-0511). There
are workarounds available to mitigate the effects of this vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml.
The external report can be found at
http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm.
Although it mentions two issues only one is addressed by
this advisory. The other issue, Cisco bug ID CSCdz29724 (registered
customers only) (also CAN-2003-512), is present in all IOS software and is
duplicated by the AP1x00 specific Cisco bug ID CSCeb49842 (registered
customers only) . More details about it can be found at
http://www.cisco.com/warp/public/707/cisco-sn-20030724-ios-enum.shtml.
In order to determine your software release you should log on the Access
Point using any account available and execute the following command:
access-point> show ver
Cisco Internetwork Operating System Software
IOS (tm) C1100 Software (C1100-K9W7-M), Version 12.2(8)JA, EARLY
DEPLOYMENT RELEASE SOFTWARE (fc1) ^^^^^^^^^
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
The Cisco IOS software version is displayed in the second line of the
output. In this example it is 12.2(8)JA.
Impact
Repeated exploitation of this vulnerability can lead to a prolonged
Denial-of-Service (DoS) of the AP1x00.
Obtaining Fixed Software
Cisco is offering free software upgrades to address these vulnerabilities
for all affected customers. Customers may only install and expect support
for the feature sets they have purchased. By installing, downloading,
accessing or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set
forth at the Cisco Connection Online Software Center at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Customers with service contracts should contact their regular update
channels to obtain the free software upgrade identified via this advisory.
For most customers with service contracts, this means that upgrades should
be obtained through the Software Center on Cisco's worldwide website at
http://www.cisco.com/tacpage/sw-center/sw-wireless.shtml. To access the
software download URL, you must be a registered user and you must be
logged in.
Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free
of charge.
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades
for non-contract customers must be requested through the TAC.
Workarounds
There are two workarounds for this vulnerability.
An example of using access-class is given here:
ap(config)# ip http access-class 10
ap(config)# access-list 10 permit host 10.0.0.1
In this example, host 10.0.0.1 is the only one that is allowed to access
the AP. All other hosts are prohibited.
To disable HTTP and enable SSH use this example:
ap(config)# no ip http server
ap(config)# ip domain name <your-domain>
ap(config)# crypto key generate rsa
The name for the keys will be: ap.your-domain
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
ap(config)# line vty 0 4
ap(config-line)# transport input ssh
Now you can connect to the Cisco Aironet AP using SSH client from your
computer.
In addition to the workarounds it is possible to mitigate the exposure by
configuring ACLs on the device so that only legitimate hosts can use the
http service. This can be done in the following way:
access-list 111 permit tcp host 10.0.0.1 host 10.0.0.50 eq www
In this example the host 10.0.0.1 is the only one that is allowed to
access the device at 10.0.0.50. You will have to change host IP addresses
and the ACL number to suit your configuration. This ACL will have to be
applied to all interfaces and block all IP addresses assigned to the
affected device.
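Added example, not code from Cisco's advisory: a small C checker that scans a saved running-configuration text and classifies the HTTP server's exposure according to the two mitigations above (disabling the server, or restricting it with ip http access-class). The configuration snippets embedded in it are constructed for the demonstration, not captured from a device; the function names and the conservative rule that a configuration counts as "server enabled" unless "no ip http server" appears are my own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of the HTTP-exposure check. */
enum http_exposure {
    HTTP_DISABLED = 0,     /* "no ip http server": the SSH-only workaround */
    HTTP_RESTRICTED = 1,   /* server on, but "ip http access-class N" present */
    HTTP_UNRESTRICTED = 2  /* server on and reachable from any host */
};

/* Constructed sample configurations (not captured from a real device). */
static const char WEAK_CONFIG[] =
    "hostname ap\n"
    "!\n"
    "ip http server\n"
    "!\n"
    "line vty 0 4\n"
    " transport input telnet\n";

static const char RESTRICTED_CONFIG[] =
    "hostname ap\n"
    "ip http server\n"
    "ip http access-class 10\n"
    "access-list 10 permit host 10.0.0.1\n";

static const char DISABLED_CONFIG[] =
    "hostname ap\n"
    "no ip http server\n"
    "ip domain name example.test\n"
    "line vty 0 4\n"
    " transport input ssh\n";

/* True if line, after leading blanks, begins with prefix. */
static int line_starts_with(const char *line, const char *prefix)
{
    while (*line == ' ' || *line == '\t')
        line++;
    return strncmp(line, prefix, strlen(prefix)) == 0;
}

/* Walk the configuration line by line. The last "ip http server" /
 * "no ip http server" statement wins, as it would on the device.
 * Assumption: with neither statement present the server is treated as
 * enabled, so the audit errs on the side of flagging the device. */
static enum http_exposure audit_http_exposure(const char *config)
{
    int disabled = 0, access_class = 0;
    const char *p = config;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        if (line_starts_with(line, "no ip http server"))
            disabled = 1;
        else if (line_starts_with(line, "ip http server"))
            disabled = 0;
        else if (line_starts_with(line, "ip http access-class "))
            access_class = 1;

        if (!nl)
            break;
        p = nl + 1;
    }
    if (disabled)
        return HTTP_DISABLED;
    return access_class ? HTTP_RESTRICTED : HTTP_UNRESTRICTED;
}

int main(void)
{
    static const char *const labels[] = { "disabled", "restricted", "UNRESTRICTED" };
    printf("weak config:       %s\n", labels[audit_http_exposure(WEAK_CONFIG)]);
    printf("restricted config: %s\n", labels[audit_http_exposure(RESTRICTED_CONFIG)]);
    printf("disabled config:   %s\n", labels[audit_http_exposure(DISABLED_CONFIG)]);
    return 0;
}
```

A checker like this belongs in whatever job already collects configurations from the access points, so that an unrestricted HTTP server shows up as a finding rather than being discovered when a device reloads.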
Exploitation and Public Announcements
This vulnerability is reported by Reda Zitouni from Vigilante. Their
report can be found at
http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm.
Status of This Notice: FINAL
This is a final advisory. Although Cisco cannot guarantee the accuracy of
all statements in this advisory, all of the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Cisco will update this
advisory.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain factual
errors.
Distribution
This notice will be posted on Cisco's worldwide website at .
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* bugtraq@securityfocus.com
* full-disclosure@lists.netsys.com
* first-teams@first.org (includes CERT/CC)
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* comp.dcom.sys.cisco
* Various internal Cisco mailing lists
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged to
check the above URL for any updates.
Revision History
Revision 1.0 | 2003-July-28 16:00 UTC (GMT) | Initial public release.
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's worldwide
website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
----------------------------------------------------------------------
This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, and
include all date and version information.
----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Comment: PGP Signed by Sharad Ahlawat, Cisco Systems PSIRT
iD4DBQE/JUmbezGozzK2tZARArXRAKCIRsac6s3i7oRAEf4/2khQBKdEcgCXTsum
aQeEFDQLBhqS5wu0CarFkg==
=ehoq
-----END PGP SIGNATURE-----
Firmware version 12.2(4)JA and earlier.
The Aironet Bridge is vulnerable to a denial of service. This can be
exploited remotely by an attacker. No user login or password is
necessary. This can be accomplished by
submitting a specially crafted request to the web server. There is no
need to authenticate to perform this attack, only access to the web
server is required. The Aironet bridge reboots upon receiving the
request and failing to handle it correctly. Afterwards, no further
access to the WLAN or its services is possible.
Vendor status:
**************
Cisco was contacted June 19, 2003 and answered the same day. 5 days
later, they told us that they would release a patch soon. The patch was
finally released July 3, 2003.
Vulnerability Assessment:
A test case to detect this vulnerability was added to SecureScan NX in
the upgrade package of July 28, 2003. You can see the documentation of
this test case 17655 on SecureScan NX web site at
http://securescannx.vigilante.com/tc/17655. Please note that this version fixes some other
bugs such as TC 15438 (refer to release note).
1. If not needed - disable access to the web feature on the Aironet
Bridge.
2. If needed - restrict access to the HTTP service for outside
connections.
CVE: Common Vulnerabilities and Exposures group ( reachable at
http://cve.mitre.org/ ) was contacted and assigned CAN-2003-0511 to this
vulnerability.
Links:
*****
Cisco Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml
Vigilante Advisory:
http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003001.htm
Product Homepage: http://www.cisco.com/warp/public/cc/pd/witc/ps4570
CVE: CAN-2003-0511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CAN-2003-0511
Credit:
******
This vulnerability was discovered by Reda Zitouni, member of our
Security Watch Team at VIGILANTe.
We wish to thank Cisco PSIRT Team for their fast answer to fix this
problem.
Copyright VIGILANTe.com, Inc. 2003-07-28
Disclaimer:
**********
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any consequences whatsoever arising out
of or in connection with the use or spread of this information. Any use
of this information lays within the user's responsibility.
Feedback:
********
Please send suggestions, updates, and comments to
securitywatch@vigilante.com
VAR-200308-0077 | CVE-2003-0512 | Cisco Aironet AP1100 fails to provide universal login error messages thereby disclosing validity of user account |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS 12.2 and earlier generates a "% Login invalid" message instead of prompting for a password when an invalid username is provided, which allows remote attackers to identify valid usernames on the system and conduct brute force password guessing, as reported for the Aironet Bridge. A vulnerability in the Cisco Aironet 1100 Series Access Point may allow a remote attacker to discover valid accounts on the access point. In specific versions of Cisco IOS, when password authentication is performed via telnet, the response to an authentication attempt varies depending on the user name supplied, so it may be possible to infer from the response whether the user exists. An information leak has been reported in Cisco Aironet Access Points when the telnet service has been enabled. This may allow a remote attacker to gain potentially sensitive information. If the user name is invalid, the device responds with a "% Login invalid" message. VIGILANTe Security Watch Advisory
Name: Cisco Aironet AP1100 Valid Account Disclosure Vulnerability
Systems Affected: Tested on a Cisco Aironet AP1100 Model 1120B Series
Wireless device.
Firmware version 12.2(4)JA and earlier.
NB: A large number of Cisco IOSes are affected by this flaw.
Severity: High Risk
Vendor URL: http://www.vigilante.com
Authors: Reda Zitouni (reda.zitouni@vigilante.com)
Date: 28th July 2003
Advisory Code: VIGILANTE-2003002
Description
***********
Cisco Aironet 1100 Series Access Point is a device manufactured by Cisco
Systems offering a WLAN solution based on the 802.11b Wifi standard.
The Aironet Bridge is vulnerable to a Brute Force attack revealing if an
account exists or not.
If an attacker submits an existing account as login he will be then
prompted for the password. If not the case a "% Login invalid" reply
will be displayed by the server, revealing the account does not exist.
By default on the Aironet AP1100, the 'cisco' account is set and is
prompted for a password when submitted. That default account then allows
an attacker to determine if this flaw on the remote device is patched or
not. This may lead to further serious attacks.
Vendor status:
**************
Cisco was contacted June 19, 2003 and answered the same day. 5 days
later, they told us that they would release a patch soon. The patch was
finally released July 3, 2003. Please note that this flaw is released by
Cisco as a Security Notice in CCO.
Vulnerability Assessment:
************************
A test case to detect this vulnerability was added to SecureScan NX in
the upgrade package of July 28, 2003. You can see the documentation of
this test case 15438 on SecureScan NX web site at
http://securescannx.vigilante.com/tc/15438.
Fix: A firmware upgrading the Aironet IOS version to c1100-k9w7 has
been released by Cisco. Please note that this version fixes some other
bugs such as TC 17655 (refer to release note). A
stronger authentication mechanism, such as SSH can also be implemented.
CVE: Common Vulnerabilities and Exposures group ( reachable at
http://cve.mitre.org/ ) was contacted and assigned CAN-2003-0512 to this
vulnerability.
Links:
*****
Cisco Advisory:
http://www.cisco.com/warp/public/707/cisco-sn-20030724-ios-enum.shtml
Vigilante Advisory:
http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm
Product Homepage: http://www.cisco.com/warp/public/cc/pd/witc/ps4570
CVE: CAN-2003-0512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CAN-2003-0512
Credit:
******
This vulnerability was discovered by Reda Zitouni, member of our
Security Watch Team at VIGILANTe.
We wish to thank Cisco PSIRT Team for their fast answer to fix this
problem.
Copyright VIGILANTe.com, Inc. 2003-07-28
Disclaimer:
**********
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any consequences whatsoever arising out
of or in connection with the use or spread of this information. Any use
of this information lays within the user's responsibility.
Feedback:
********
Please send suggestions, updates, and comments to
securitywatch@vigilante.com
VAR-200308-0067 | CVE-2003-0502 | Apple QuickTime / Darwin Streaming Server service denial vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to cause a denial of service (crash) via a .. (dot dot) sequence followed by an MS-DOS device name (e.g. AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0421. A remote attacker can use the MS-DOS device name (such as AUX) followed by the ..
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Rapid7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
the world's most advanced vulnerability scanner.
Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________
Rapid7 Advisory R7-0015
Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server
Published: July 22, 2003
Revision: 1.0
http://www.rapid7.com/advisories/R7-0015.html
CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424,
CAN-2003-0425, CAN-2003-0426, CAN-2003-0502
1. Affected system(s):
KNOWN VULNERABLE:
o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X
o QuickTime/Darwin Streaming Server v4.1.3 for Win32
o QuickTime/Darwin Streaming Server v4.1.3 for Linux
UNKNOWN/NOT TESTED:
o other platforms (Solaris)
2.
3. Vendor status and information
Apple
http://www.apple.com/
The vendor has been notified and has released fixes for all but
one of the issues, which is currently under investigation.
4. Solution
Upgrade to version 4.1.3g or later of Darwin Streaming Server,
which may be obtained as a free download from:
http://developer.apple.com/darwin/projects/streaming/
Please see the next section for detailed fix information.
5. Detailed analysis
There are several vulnerabilities.
Denial of Service by HTTP Request for DOS Device Name
CVE ID: CAN-2003-0421
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting a DOS device name (e.g. An initial
HTTP 404 response will be returned for the device request,
but future requests will not be serviced. For example:
==> GET /AUX HTTP/1.0
Denial of Service by Request for ../ DOS Device Name
CVE ID: CAN-2003-0502
Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only)
Fixed: In version 4.1.3g (Win32)
This is a variant of CAN-2003-0421. A fix for CAN-2003-0421
was included in Streaming Server version, 4.1.3f, but further
testing revealed that it was vulnerable to a variant where
the device name was prefixed by dotdot slash (../), as in:
==> GET /../AUX HTTP/1.0
Denial of Service by HTTP Request for /view_broadcast.cgi Script
CVE ID: CAN-2003-0422
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting the /view_broadcast.cgi script over HTTP (port 1220)
will cause a denial of service on the server if the required
request parameters are not sent. The connection will be
closed midway through servicing the request and no new
connections will be allowed to the server.
Example:
==> GET /view_broadcast.cgi HTTP/1.0
<== HTTP/1.0 200 OK
<== Content-Type: video/quicktime
<==
<== rtsp://
^^ server drops connection
Source Disclosure via HTTP Request for /parse_xml.cgi Script
CVE ID: CAN-2003-0423
Affects: Darwin Streaming Server v4.1.3g and earlier
Fixed: No fix is available at this time. Apple is aware of
this issue and they are investigating it further.
The source code of any file within the web root can be obtained
by issuing a request for /parse_xml.cgi?filename=[file], where
[file] is the file whose source code you wish to view.
This is only a serious risk if the administrator has installed
custom scripts on Darwin Streaming Server that need to be
protected.
Script Source Disclosure by Appending Special Characters
CVE ID: CAN-2003-0424
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
The source code of any script can be obtained by appending the
special characters %2e (period) or %20 (space) to an HTTP request
for that script. For example, requesting /view_broadcast.cgi%2e
will reveal the source code for that script.
Web Root Traversal and Arbitrary File Disclosure (Win32)
CVE ID: CAN-2003-0425
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Any file on the system can be retrieved by using three dots
to break out of the web root. For example, requesting
/.../qtusers will return the QuickTime user/password file.
Default Install Allows Remote User to Set Admin Password
CVE ID: CAN-2003-0426
Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only)
Fixed: In version 4.1.3f (Mac OS X)
When Darwin Streaming Server is first installed, the
HTTP-based administration server (typically port 1220)
presents a "Setup Assistant" page where the user is prompted
to set a new administrator password. This would allow any
remote user to connect and set up an administrator password
before the server administrator has had a chance to do so.
6. Contact Information
Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8
793Plejp5hw/r1OkojX2CQaB
=OD0m
-----END PGP SIGNATURE-----
VAR-200308-0007 | CVE-2003-0426 | Apple QuickTime / Darwin Streaming Server Privilege escalation vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The installation of Apple QuickTime / Darwin Streaming Server before 4.1.3f starts the administration server with a "Setup Assistant" page that allows remote attackers to set the administrator password and gain privileges before the real administrator. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Rapid7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
the world's most advanced vulnerability scanner.
Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________
Rapid7 Advisory R7-0015
Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server
Published: July 22, 2003
Revision: 1.0
http://www.rapid7.com/advisories/R7-0015.html
CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424,
CAN-2003-0425, CAN-2003-0426, CAN-2003-0502
1. Affected system(s):
KNOWN VULNERABLE:
o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X
o QuickTime/Darwin Streaming Server v4.1.3 for Win32
o QuickTime/Darwin Streaming Server v4.1.3 for Linux
UNKNOWN/NOT TESTED:
o other platforms (Solaris)
2. Summary
Several vulnerabilities have been found in the Apple
QuickTime/Darwin Streaming Server, including denial of service,
web root traversal, and script source disclosure.
3. Vendor status and information
Apple
http://www.apple.com/
The vendor has been notified and has released fixes for all but
one of the issues, which is currently under investigation.
4. Solution
Upgrade to version 4.1.3g or later of Darwin Streaming Server,
which may be obtained as a free download from:
http://developer.apple.com/darwin/projects/streaming/
Please see the next section for detailed fix information.
5. Detailed analysis
There are several vulnerabilities.
Denial of Service by HTTP Request for DOS Device Name
CVE ID: CAN-2003-0421
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting a DOS device name (e.g. AUX) over HTTP (port 1220)
will cause a denial of service on the server. An initial
HTTP 404 response will be returned for the device request,
but future requests will not be serviced. For example:
==> GET /AUX HTTP/1.0
Denial of Service by Request for ../ DOS Device Name
CVE ID: CAN-2003-0502
Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only)
Fixed: In version 4.1.3g (Win32)
This is a variant of CAN-2003-0421. A fix for CAN-2003-0421
was included in Streaming Server version 4.1.3f, but further
testing revealed that it was vulnerable to a variant where
the device name was prefixed by dotdot slash (../), as in:
==> GET /../AUX HTTP/1.0
Denial of Service by HTTP Request for /view_broadcast.cgi Script
CVE ID: CAN-2003-0422
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting the /view_broadcast.cgi script over HTTP (port 1220)
will cause a denial of service on the server if the required
request parameters are not sent. The connection will be
closed midway through servicing the request and no new
connections will be allowed to the server.
Example:
==> GET /view_broadcast.cgi HTTP/1.0
<== HTTP/1.0 200 OK
<== Content-Type: video/quicktime
<==
<== rtsp://
^^ server drops connection
Source Disclosure via HTTP Request for /parse_xml.cgi Script
CVE ID: CAN-2003-0423
Affects: Darwin Streaming Server v4.1.3g and earlier
Fixed: No fix is available at this time. Apple is aware of
this issue and they are investigating it further.
The source code of any file within the web root can be obtained
by issuing a request for /parse_xml.cgi?filename=[file], where
[file] is the file whose source code you wish to view.
This is only a serious risk if the administrator has installed
custom scripts on Darwin Streaming Server that need to be
protected.
Script Source Disclosure by Appending Special Characters
CVE ID: CAN-2003-0424
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
The source code of any script can be obtained by appending the
special characters %2e (period) or %20 (space) to an HTTP request
for that script. For example, requesting /view_broadcast.cgi%2e
will reveal the source code for that script.
Web Root Traversal and Arbitrary File Disclosure (Win32)
CVE ID: CAN-2003-0425
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Any file on the system can be retrieved by using three dots
to break out of the web root. For example, requesting
/.../qtusers will return the QuickTime user/password file.
6. Contact Information
Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8
793Plejp5hw/r1OkojX2CQaB
=OD0m
-----END PGP SIGNATURE-----
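Every issue in section 5 of the advisory above is triggered by a recognisable shape in the request path: a DOS device name in any segment, a "..." segment, a script name with a trailing %2e or %20, parse_xml.cgi with a filename parameter, or view_broadcast.cgi with no query string. The following is an added example, written for this page and not code from Rapid7 or from Darwin Streaming Server, that classifies request paths by those shapes and runs the classifier over constructed access-log lines. The finding labels, the common-log-format regex, the script-extension list and the sample log lines are assumptions; the Win32 filename rules it encodes (device names resolve in any directory and ignore extensions; trailing dots and spaces are stripped) are the reason the %2e/%20 and AUX requests behave as the advisory describes.

```python
"""
Added example (not part of the Rapid7 advisory or of Darwin Streaming
Server): classify HTTP request paths for the request shapes the advisory
describes, and scan constructed access-log lines with the classifier.
Finding labels, the log regex, SCRIPT_EXTS and SAMPLE_LOG are assumptions.
"""
import re
from urllib.parse import unquote

# MS-DOS reserved device names. Win32 resolves these in any directory and
# ignores an extension, so "/AUX", "/foo/AUX" and "/AUX.txt" all name a device.
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL", "CLOCK$",
               *(f"COM{i}" for i in range(1, 10)),
               *(f"LPT{i}" for i in range(1, 10))}

# Assumption: extensions the admin server treats as executable scripts.
SCRIPT_EXTS = (".cgi", ".pl")

# Common log format; the request path is everything up to the first space.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def decode_path(raw_path: str) -> str:
    """Drop the query string, percent-decode once, fold backslashes to '/'."""
    path = raw_path.split("?", 1)[0]
    return unquote(path).replace("\\", "/")


def is_dos_device(segment: str) -> bool:
    """True if a path segment names a DOS device.

    Win32 ignores the extension and strips trailing spaces and dots, which
    is also why the %2e / %20 suffixes on this page still open the script.
    """
    base = segment.split(".", 1)[0].rstrip(" .").upper()
    return base in DOS_DEVICES


def classify(raw_path: str) -> list[str]:
    """Return a label for every advisory request shape that raw_path matches."""
    findings = []
    path = decode_path(raw_path)
    segments = [s for s in path.split("/") if s]
    last = segments[-1] if segments else ""

    if any(is_dos_device(s) for s in segments):
        findings.append("dos-device (CAN-2003-0421/0502)")

    # ".." is ordinary traversal; "..." is the Win32 form the advisory reports.
    dots = [s for s in segments if re.fullmatch(r"\.{2,}", s)]
    if any(len(s) >= 3 for s in dots):
        findings.append("triple-dot-traversal (CAN-2003-0425)")
    elif dots:
        findings.append("dotdot-traversal")

    # Script name followed by a decoded '.' or ' ': the OS strips the suffix
    # when opening the file, but the handler that decides "execute vs. serve
    # as a plain file" may not.
    stem = last.rstrip(" .")
    if stem != last and stem.lower().endswith(SCRIPT_EXTS):
        findings.append("script-source-suffix (CAN-2003-0424)")

    if path.lower().endswith("/parse_xml.cgi") and "filename=" in raw_path.lower():
        findings.append("parse_xml-filename (CAN-2003-0423)")

    if path.lower().endswith("/view_broadcast.cgi") and "?" not in raw_path:
        findings.append("view_broadcast-no-params (CAN-2003-0422)")
    return findings


def scan_log(lines):
    """Return (client, raw path, findings) for each log line matching a shape."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = classify(m["path"])
        if found:
            hits.append((m["ip"], m["path"], found))
    return hits


# Constructed sample lines in common log format; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jul/2003:10:00:01 -0400] "GET /AUX HTTP/1.0" 404 0',
    '10.0.0.5 - - [22/Jul/2003:10:00:02 -0400] "GET /../AUX HTTP/1.0" 404 0',
    '10.0.0.6 - - [22/Jul/2003:10:00:03 -0400] "GET /view_broadcast.cgi HTTP/1.0" 200 12',
    '10.0.0.6 - - [22/Jul/2003:10:00:04 -0400] "GET /parse_xml.cgi?filename=admin.cgi HTTP/1.0" 200 4096',
    '10.0.0.7 - - [22/Jul/2003:10:00:05 -0400] "GET /view_broadcast.cgi%2e HTTP/1.0" 200 2210',
    '10.0.0.7 - - [22/Jul/2003:10:00:06 -0400] "GET /.../qtusers HTTP/1.0" 200 310',
    '10.0.0.8 - - [22/Jul/2003:10:00:07 -0400] "GET /index.html HTTP/1.0" 200 1500',
]

if __name__ == "__main__":
    for ip, path, found in scan_log(SAMPLE_LOG):
        print(f"{ip:10} {path:45} {', '.join(found)}")
```

The classifier decodes the path once and then reasons about filesystem semantics rather than raw bytes, which is also the order a hardened request handler should use: canonicalise first, then apply the device-name, traversal and extension checks to the canonical form. Double-encoded input (%252e) is deliberately not unwrapped here; a handler that decodes more than once will be tripped up by exactly that.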
VAR-200308-0002 | CVE-2003-0421 | Apple QuickTime / Darwin Streaming Server service denial vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via an MS-DOS device name (e.g. AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0502. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Rapid7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
the world's most advanced vulnerability scanner.
Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________
Rapid7 Advisory R7-0015
Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server
Published: July 22, 2003
Revision: 1.0
http://www.rapid7.com/advisories/R7-0015.html
CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424,
CAN-2003-0425, CAN-2003-0426, CAN-2003-0502
1. Affected system(s):
KNOWN VULNERABLE:
o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X
o QuickTime/Darwin Streaming Server v4.1.3 for Win32
o QuickTime/Darwin Streaming Server v4.1.3 for Linux
UNKNOWN/NOT TESTED:
o other platforms (Solaris)
2. Summary
Several vulnerabilities have been found in the Apple
QuickTime/Darwin Streaming Server, including denial of service,
web root traversal, and script source disclosure.
3. Vendor status and information
Apple
http://www.apple.com/
The vendor has been notified and has released fixes for all but
one of the issues, which is currently under investigation.
4. Solution
Upgrade to version 4.1.3g or later of Darwin Streaming Server,
which may be obtained as a free download from:
http://developer.apple.com/darwin/projects/streaming/
Please see the next section for detailed fix information.
5. Detailed analysis
There are several vulnerabilities.
Denial of Service by HTTP Request for DOS Device Name
CVE ID: CAN-2003-0421
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting a DOS device name (e.g. AUX) over HTTP (port 1220)
will cause a denial of service on the server. An initial
HTTP 404 response will be returned for the device request,
but future requests will not be serviced. For example:
==> GET /AUX HTTP/1.0
Denial of Service by Request for ../ DOS Device Name
CVE ID: CAN-2003-0502
Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only)
Fixed: In version 4.1.3g (Win32)
This is a variant of CAN-2003-0421. A fix for CAN-2003-0421
was included in Streaming Server version 4.1.3f, but further
testing revealed that it was vulnerable to a variant where
the device name was prefixed by dotdot slash (../), as in:
==> GET /../AUX HTTP/1.0
Denial of Service by HTTP Request for /view_broadcast.cgi Script
CVE ID: CAN-2003-0422
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting the /view_broadcast.cgi script over HTTP (port 1220)
will cause a denial of service on the server if the required
request parameters are not sent. The connection will be
closed midway through servicing the request and no new
connections will be allowed to the server.
Example:
==> GET /view_broadcast.cgi HTTP/1.0
<== HTTP/1.0 200 OK
<== Content-Type: video/quicktime
<==
<== rtsp://
^^ server drops connection
Source Disclosure via HTTP Request for /parse_xml.cgi Script
CVE ID: CAN-2003-0423
Affects: Darwin Streaming Server v4.1.3g and earlier
Fixed: No fix is available at this time. Apple is aware of
this issue and they are investigating it further.
The source code of any file within the web root can be obtained
by issuing a request for /parse_xml.cgi?filename=[file], where
[file] is the file whose source code you wish to view.
This is only a serious risk if the administrator has installed
custom scripts on Darwin Streaming Server that need to be
protected.
Script Source Disclosure by Appending Special Characters
CVE ID: CAN-2003-0424
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
The source code of any script can be obtained by appending the
special characters %2e (period) or %20 (space) to an HTTP request
for that script. For example, requesting /view_broadcast.cgi%2e
will reveal the source code for that script.
Web Root Traversal and Arbitrary File Disclosure (Win32)
CVE ID: CAN-2003-0425
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Any file on the system can be retrieved by using three dots
to break out of the web root. For example, requesting
/.../qtusers will return the QuickTime user/password file.
Default Install Allows Remote User to Set Admin Password
CVE ID: CAN-2003-0426
Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only)
Fixed: In version 4.1.3f (Mac OS X)
When Darwin Streaming Server is first installed, the
HTTP-based administration server (typically port 1220)
presents a "Setup Assistant" page where the user is prompted
to set a new administrator password. This would allow any
remote user to connect and set up an administrator password
before the server administrator has had a chance to do so.
6. Contact Information
Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8
793Plejp5hw/r1OkojX2CQaB
=OD0m
-----END PGP SIGNATURE-----
VAR-200307-0049 | No CVE | 3Com DSL Router Management Interface Long Request Denial of Service Attack Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The 3Com 812 OfficeConnect is a widely used DSL router. The 3Com 812 OfficeConnect does not properly handle long requests submitted to its web management interface. Remote attackers can exploit this vulnerability to deny service to the device. The router does not authenticate users accessing the management interface, so any user on the LAN can submit a request of more than 512 bytes to the web management interface, which may crash the router; it must then be restarted to restore normal service. A problem in the 3Com 812 OfficeConnect has been reported that may result in the router becoming unstable. Because of this, an attacker may be able to deny service to legitimate users of the vulnerable router by submitting an excessively long request.
VAR-200403-0088 | CVE-2003-0601 | Apple Mac OS X Server Workgroup Manager Unsafe account creation vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Workgroup Manager in Apple Mac OS X Server 10.2 through 10.2.6 does not disable a password for a new account before it is saved for the first time, which allows remote attackers to gain unauthorized access via the new account before it is saved.
It has been reported that the OS X Server Workgroup Manager may create accounts in an insecure manner. This vulnerability may allow an attacker to gain unauthorized access or elevated privileges on an affected system via the newly created account. Mac OS X is an operating system used on Mac machines, based on the BSD system. No further technical details have been provided so far.
VAR-200308-0004 | CVE-2003-0423 | Apple QuickTime/Darwin Streaming Server parse_xml.cgi Source code disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
parse_xml.cgi in Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to obtain the source code for parseable files via the filename parameter. Apple QuickTime/Darwin Streaming Server is prone to a source disclosure issue. The issue exists in the parse_xml.cgi administrative script. This could permit an attacker to gain access to sensitive information contained within script source code.
This issue is reported to affect versions up to and including 4.1.3g. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Rapid7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
the world's most advanced vulnerability scanner.
Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________
Rapid7 Advisory R7-0015
Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server
Published: July 22, 2003
Revision: 1.0
http://www.rapid7.com/advisories/R7-0015.html
CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424,
CAN-2003-0425, CAN-2003-0426, CAN-2003-0502
1. Affected system(s):
KNOWN VULNERABLE:
o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X
o QuickTime/Darwin Streaming Server v4.1.3 for Win32
o QuickTime/Darwin Streaming Server v4.1.3 for Linux
UNKNOWN/NOT TESTED:
o other platforms (Solaris)
2. Summary
Several vulnerabilities have been found in the Apple
QuickTime/Darwin Streaming Server, including denial of service,
web root traversal, and script source disclosure.
3. Vendor status and information
Apple
http://www.apple.com/
The vendor has been notified and has released fixes for all but
one of the issues, which is currently under investigation.
4. Solution
Upgrade to version 4.1.3g or later of Darwin Streaming Server,
which may be obtained as a free download from:
http://developer.apple.com/darwin/projects/streaming/
Please see the next section for detailed fix information.
5. Detailed analysis
There are several vulnerabilities.
Denial of Service by HTTP Request for DOS Device Name
CVE ID: CAN-2003-0421
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting a DOS device name (e.g. AUX) over HTTP (port 1220)
will cause a denial of service on the server. An initial
HTTP 404 response will be returned for the device request,
but future requests will not be serviced. For example:
==> GET /AUX HTTP/1.0
Denial of Service by Request for ../ DOS Device Name
CVE ID: CAN-2003-0502
Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only)
Fixed: In version 4.1.3g (Win32)
This is a variant of CAN-2003-0421. A fix for CAN-2003-0421
was included in Streaming Server version 4.1.3f, but further
testing revealed that it was vulnerable to a variant where
the device name was prefixed by dotdot slash (../), as in:
==> GET /../AUX HTTP/1.0
Denial of Service by HTTP Request for /view_broadcast.cgi Script
CVE ID: CAN-2003-0422
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting the /view_broadcast.cgi script over HTTP (port 1220)
will cause a denial of service on the server if the required
request parameters are not sent. The connection will be
closed midway through servicing the request and no new
connections will be allowed to the server.
Example:
==> GET /view_broadcast.cgi HTTP/1.0
<== HTTP/1.0 200 OK
<== Content-Type: video/quicktime
<==
<== rtsp://
^^ server drops connection
Source Disclosure via HTTP Request for /parse_xml.cgi Script
CVE ID: CAN-2003-0423
Affects: Darwin Streaming Server v4.1.3g and earlier
Fixed: No fix is available at this time. Apple is aware of
this issue and they are investigating it further.
The source code of any file within the web root can be obtained
by issuing a request for /parse_xml.cgi?filename=[file], where
[file] is the file whose source code you wish to view.
This is only a serious risk if the administrator has installed
custom scripts on Darwin Streaming Server that need to be
protected.
Script Source Disclosure by Appending Special Characters
CVE ID: CAN-2003-0424
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
The source code of any script can be obtained by appending the
special characters %2e (period) or %20 (space) to an HTTP request
for that script. For example, requesting /view_broadcast.cgi%2e
will reveal the source code for that script.
Web Root Traversal and Arbitrary File Disclosure (Win32)
CVE ID: CAN-2003-0425
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Any file on the system can be retrieved by using three dots
to break out of the web root. For example, requesting
/.../qtusers will return the QuickTime user/password file.
Default Install Allows Remote User to Set Admin Password
CVE ID: CAN-2003-0426
Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only)
Fixed: In version 4.1.3f (Mac OS X)
When Darwin Streaming Server is first installed, the
HTTP-based administration server (typically port 1220)
presents a "Setup Assistant" page where the user is prompted
to set a new administrator password. This would allow any
remote user to connect and set up an administrator password
before the server administrator has had a chance to do so.
6. Contact Information
Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8
793Plejp5hw/r1OkojX2CQaB
=OD0m
-----END PGP SIGNATURE-----
VAR-200308-0003 | CVE-2003-0422 | Apple QuickTime/Darwin Streaming server view_broadcast.cgi Service denial vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via a request to view_broadcast.cgi that does not contain the required parameters. When an HTTP request is made to the view_broadcast.cgi script without specifying any parameters, the server will not accept new connections.
This vulnerability was reported to affect QuickTime/Darwin Streaming Server 4.1.3e and earlier on Windows. Vulnerabilities exist in Apple QuickTime / Darwin Streaming versions prior to 4.1.3f. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Rapid7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
the world's most advanced vulnerability scanner.
Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________
Rapid7 Advisory R7-0015
Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server
Published: July 22, 2003
Revision: 1.0
http://www.rapid7.com/advisories/R7-0015.html
CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424,
CAN-2003-0425, CAN-2003-0426, CAN-2003-0502
1. Affected system(s):
KNOWN VULNERABLE:
o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X
o QuickTime/Darwin Streaming Server v4.1.3 for Win32
o QuickTime/Darwin Streaming Server v4.1.3 for Linux
UNKNOWN/NOT TESTED:
o other platforms (Solaris)
2. Summary
Several vulnerabilities have been found in the Apple
QuickTime/Darwin Streaming Server, including denial of service,
web root traversal, and script source disclosure.
3. Vendor status and information
Apple
http://www.apple.com/
The vendor has been notified and has released fixes for all but
one of the issues, which is currently under investigation.
4. Solution
Upgrade to version 4.1.3g or later of Darwin Streaming Server,
which may be obtained as a free download from:
http://developer.apple.com/darwin/projects/streaming/
Please see the next section for detailed fix information.
5. Detailed analysis
There are several vulnerabilities.
Denial of Service by HTTP Request for DOS Device Name
CVE ID: CAN-2003-0421
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting a DOS device name (e.g. AUX) over HTTP (port 1220)
will cause a denial of service on the server. An initial
HTTP 404 response will be returned for the device request,
but future requests will not be serviced. For example:
==> GET /AUX HTTP/1.0
Denial of Service by Request for ../ DOS Device Name
CVE ID: CAN-2003-0502
Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only)
Fixed: In version 4.1.3g (Win32)
This is a variant of CAN-2003-0421. A fix for CAN-2003-0421
was included in Streaming Server version 4.1.3f, but further
testing revealed that it was vulnerable to a variant where
the device name was prefixed by dotdot slash (../), as in:
==> GET /../AUX HTTP/1.0
Denial of Service by HTTP Request for /view_broadcast.cgi Script
CVE ID: CAN-2003-0422
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting the /view_broadcast.cgi script over HTTP (port 1220)
will cause a denial of service on the server if the required
request parameters are not sent. The connection will be
closed midway through servicing the request and no new
connections will be allowed to the server.
Example:
==> GET /view_broadcast.cgi HTTP/1.0
<== HTTP/1.0 200 OK
<== Content-Type: video/quicktime
<==
<== rtsp://
^^ server drops connection
Source Disclosure via HTTP Request for /parse_xml.cgi Script
CVE ID: CAN-2003-0423
Affects: Darwin Streaming Server v4.1.3g and earlier
Fixed: No fix is available at this time. Apple is aware of
this issue and they are investigating it further.
The source code of any file within the web root can be obtained
by issuing a request for /parse_xml.cgi?filename=[file], where
[file] is the file whose source code you wish to view.
This is only a serious risk if the administrator has installed
custom scripts on Darwin Streaming Server that need to be
protected.
Script Source Disclosure by Appending Special Characters
CVE ID: CAN-2003-0424
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
The source code of any script can be obtained by appending the
special characters %2e (period) or %20 (space) to an HTTP request
for that script. For example, requesting /view_broadcast.cgi%2e
will reveal the source code for that script.
Web Root Traversal and Arbitrary File Disclosure (Win32)
CVE ID: CAN-2003-0425
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Any file on the system can be retrieved by using three dots
to break out of the web root. For example, requesting
/.../qtusers will return the QuickTime user/password file.
Default Install Allows Remote User to Set Admin Password
CVE ID: CAN-2003-0426
Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only)
Fixed: In version 4.1.3f (Mac OS X)
When Darwin Streaming Server is first installed, the
HTTP-based administration server (typically port 1220)
presents a "Setup Assistant" page where the user is prompted
to set a new administrator password. This would allow any
remote user to connect and set up an administrator password
before the server administrator has had a chance to do so.
6. Contact Information
Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8
793Plejp5hw/r1OkojX2CQaB
=OD0m
-----END PGP SIGNATURE-----
VAR-200308-0006 | CVE-2003-0425 | Apple QuickTime/Darwin Streaming Server Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to read arbitrary files via a ... (triple dot) in an HTTP request. This vulnerability may be exploitable using "/.../" sequences within the request sent to the server.
This vulnerability was reported to affect QuickTime/Darwin Streaming Server 4.1.3e and earlier on Windows. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Rapid7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
the world's most advanced vulnerability scanner.
Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________
Rapid7 Advisory R7-0015
Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server
Published: July 22, 2003
Revision: 1.0
http://www.rapid7.com/advisories/R7-0015.html
CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424,
CAN-2003-0425, CAN-2003-0426, CAN-2003-0502
1. Affected system(s):
KNOWN VULNERABLE:
o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X
o QuickTime/Darwin Streaming Server v4.1.3 for Win32
o QuickTime/Darwin Streaming Server v4.1.3 for Linux
UNKNOWN/NOT TESTED:
o other platforms (Solaris)
2. Summary
Several vulnerabilities have been found in the Apple
QuickTime/Darwin Streaming Server, including denial of service,
web root traversal, and script source disclosure.
3. Vendor status and information
Apple
http://www.apple.com/
The vendor has been notified and has released fixes for all but
one of the issues, which is currently under investigation.
4. Solution
Upgrade to version 4.1.3g or later of Darwin Streaming Server,
which may be obtained as a free download from:
http://developer.apple.com/darwin/projects/streaming/
Please see the next section for detailed fix information.
5. Detailed analysis
There are several vulnerabilities.
Denial of Service by HTTP Request for DOS Device Name
CVE ID: CAN-2003-0421
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting a DOS device name (e.g. AUX) over HTTP (port 1220)
will cause a denial of service on the server. An initial
HTTP 404 response will be returned for the device request,
but future requests will not be serviced. For example:
==> GET /AUX HTTP/1.0
Denial of Service by Request for ../ DOS Device Name
CVE ID: CAN-2003-0502
Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only)
Fixed: In version 4.1.3g (Win32)
This is a variant of CAN-2003-0421. A fix for CAN-2003-0421
was included in Streaming Server version 4.1.3f, but further
testing revealed that it was vulnerable to a variant where
the device name was prefixed by dotdot slash (../), as in:
==> GET /../AUX HTTP/1.0
Denial of Service by HTTP Request for /view_broadcast.cgi Script
CVE ID: CAN-2003-0422
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting the /view_broadcast.cgi script over HTTP (port 1220)
will cause a denial of service on the server if the required
request parameters are not sent. The connection will be
closed midway through servicing the request and no new
connections will be allowed to the server.
Example:
==> GET /view_broadcast.cgi HTTP/1.0
<== HTTP/1.0 200 OK
<== Content-Type: video/quicktime
<==
<== rtsp://
^^ server drops connection
Source Disclosure via HTTP Request for /parse_xml.cgi Script
CVE ID: CAN-2003-0423
Affects: Darwin Streaming Server v4.1.3g and earlier
Fixed: No fix is available at this time. Apple is aware of
this issue and they are investigating it further.
The source code of any file within the web root can be obtained
by issuing a request for /parse_xml.cgi?filename=[file], where
[file] is the file whose source code you wish to view.
This is only a serious risk if the administrator has installed
custom scripts on Darwin Streaming Server that need to be
protected.
Script Source Disclosure by Appending Special Characters
CVE ID: CAN-2003-0424
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
The source code of any script can be obtained by appending the
special characters %2e (period) or %20 (space) to an HTTP request
for that script. For example, requesting /view_broadcast.cgi%2e
will reveal the source code for that script.
Web Root Traversal and Arbitrary File Disclosure (Win32)
CVE ID: CAN-2003-0425
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Any file on the system can be retrieved by using three dots
to break out of the web root. For example, requesting
/.../qtusers will return the QuickTime user/password file.
Default Install Allows Remote User to Set Admin Password
CVE ID: CAN-2003-0426
Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only)
Fixed: In version 4.1.3f (Mac OS X)
When Darwin Streaming Server is first installed, the
HTTP-based administration server (typically port 1220)
presents a "Setup Assistant" page where the user is prompted
to set a new administrator password. This would allow any
remote user to connect and set up an administrator password
before the server administrator has had a chance to do so.
6. Contact Information
Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.
VAR-200308-0005 | CVE-2003-0424 | Apple QuickTime/Darwin Streaming Server Script Source Leak Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to obtain the source code for scripts by appending encoded space (%20) or . (%2e) characters to an HTTP request for the script, e.g. view_broadcast.cgi. A problem in the handling of requests appended with special characters has been reported in Apple QuickTime/Darwin Streaming Server. This issue may make it possible for an attacker to gain unauthorized access to source code hosted by the server.
This vulnerability was reported to affect QuickTime/Darwin Streaming Server 4.1.3e and earlier on Windows.
_______________________________________________________________________
Rapid7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
the world's most advanced vulnerability scanner.
Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________
Rapid7 Advisory R7-0015
Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server
Published: July 22, 2003
Revision: 1.0
http://www.rapid7.com/advisories/R7-0015.html
CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424,
CAN-2003-0425, CAN-2003-0426, CAN-2003-0502
1. Affected system(s):
KNOWN VULNERABLE:
o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X
o QuickTime/Darwin Streaming Server v4.1.3 for Win32
o QuickTime/Darwin Streaming Server v4.1.3 for Linux
UNKNOWN/NOT TESTED:
o other platforms (Solaris)
2. Summary
Several vulnerabilities have been found in the Apple
QuickTime/Darwin Streaming Server, including denial of service,
web root traversal, and script source disclosure.
3. Vendor status and information
Apple
http://www.apple.com/
The vendor has been notified and has released fixes for all but
one of the issues, which is currently under investigation.
4. Solution
Upgrade to version 4.1.3g or later of Darwin Streaming Server,
which may be obtained as a free download from:
http://developer.apple.com/darwin/projects/streaming/
Please see the next section for detailed fix information.
5. Detailed analysis
There are several vulnerabilities.
Denial of Service by HTTP Request for DOS Device Name
CVE ID: CAN-2003-0421
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting a DOS device name (e.g. AUX) over HTTP (port 1220)
will cause a denial of service on the server. An initial
HTTP 404 response will be returned for the device request,
but future requests will not be serviced. For example:
==> GET /AUX HTTP/1.0
Denial of Service by Request for ../ DOS Device Name
CVE ID: CAN-2003-0502
Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only)
Fixed: In version 4.1.3g (Win32)
This is a variant of CAN-2003-0421. A fix for CAN-2003-0421
was included in Streaming Server version 4.1.3f, but further
testing revealed that it was vulnerable to a variant where
the device name was prefixed by dot-dot-slash (../), as in:
==> GET /../AUX HTTP/1.0
Denial of Service by HTTP Request for /view_broadcast.cgi Script
CVE ID: CAN-2003-0422
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting the /view_broadcast.cgi script over HTTP (port 1220)
will cause a denial of service on the server if the required
request parameters are not sent. The connection will be
closed midway through servicing the request and no new
connections will be allowed to the server.
Example:
==> GET /view_broadcast.cgi HTTP/1.0
<== HTTP/1.0 200 OK
<== Content-Type: video/quicktime
<==
<== rtsp://
^^ server drops connection
Source Disclosure via HTTP Request for /parse_xml.cgi Script
CVE ID: CAN-2003-0423
Affects: Darwin Streaming Server v4.1.3g and earlier
Fixed: No fix is available at this time. Apple is aware of
this issue and they are investigating it further.
The source code of any file within the web root can be obtained
by issuing a request for /parse_xml.cgi?filename=[file], where
[file] is the file whose source code you wish to view.
This is only a serious risk if the administrator has installed
custom scripts on Darwin Streaming Server that need to be
protected.
Script Source Disclosure by Appending Special Characters
CVE ID: CAN-2003-0424
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
The source code of any script can be obtained by appending the
special characters %2e (period) or %20 (space) to an HTTP request
for that script. For example, requesting /view_broadcast.cgi%2e
will reveal the source code for that script.
Web Root Traversal and Arbitrary File Disclosure (Win32)
CVE ID: CAN-2003-0425
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Any file on the system can be retrieved by using three dots
to break out of the web root. For example, requesting
/.../qtusers will return the QuickTime user/password file.
Default Install Allows Remote User to Set Admin Password
CVE ID: CAN-2003-0426
Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only)
Fixed: In version 4.1.3f (Mac OS X)
When Darwin Streaming Server is first installed, the
HTTP-based administration server (typically port 1220)
presents a "Setup Assistant" page where the user is prompted
to set a new administrator password. This would allow any
remote user to connect and set up an administrator password
before the server administrator has had a chance to do so.
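As an added example that is not part of the Rapid7 advisory or of Apple's server code, the following Python screens request paths for the request shapes described in this section before they reach file or CGI handling, and runs the same check over constructed access-log lines. The parse_xml.cgi allow-list (bare .xml names only) is an assumed policy, since the advisory reports no vendor fix for that issue.

```python
"""Request-path screening for the Darwin Streaming Server issues above.

Added example, not code from the Rapid7 advisory or from Apple's server.
Flags trailing %2e/%20 suffixes, '...' and '..' segments, DOS device
names, a parameterless /view_broadcast.cgi, and parse_xml.cgi filenames
outside an assumed allow-list.
"""
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import parse_qs, unquote

# Names the Win32 file namespace resolves to devices regardless of directory
# or extension. AUX is the one the advisory cites; the rest are the standard set.
DOS_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Assumed policy for parse_xml.cgi (no vendor fix is reported): only a bare
# .xml file name, no directories, no traversal.
ALLOWED_XML_NAME = re.compile(r"^[A-Za-z0-9_\-]+\.xml$")


def _segment_problem(segment: str) -> Optional[str]:
    """Reason a single decoded path segment is unsafe on a Win32 host, or None."""
    if segment == "..":
        return "parent traversal"
    if len(segment) >= 2 and set(segment) == {"."}:
        return "dot-only segment"          # the /.../ web-root escape
    if segment != segment.rstrip(". "):
        return "trailing dot or space"     # %2e / %20 source disclosure
    if segment.split(".")[0].upper() in DOS_DEVICE_NAMES:
        return "DOS device name"           # /AUX and /../AUX hangs
    return None


def check_request_path(raw_path: str) -> Optional[str]:
    """Return None if raw_path is acceptable, else a short reason string."""
    path, _, query = raw_path.partition("?")
    if "\x00" in unquote(path):
        return "embedded NUL"
    segments = []
    # Check the singly and doubly decoded forms so %252e cannot slip past.
    for decoded in (unquote(path), unquote(unquote(path))):
        segments = [s for s in decoded.split("/") if s]
        for seg in segments:
            reason = _segment_problem(seg)
            if reason:
                return reason
    script = segments[-1].lower() if segments else ""
    params = parse_qs(query, keep_blank_values=True)
    if script == "view_broadcast.cgi" and not params:
        return "view_broadcast.cgi without parameters"
    if script == "parse_xml.cgi":
        for name in params.get("filename", [""]):
            if not ALLOWED_XML_NAME.match(unquote(name)):
                return "parse_xml.cgi filename outside allowed set"
    return None


def scan_access_log(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (client, request_path, reason) for suspicious Common Log Format lines."""
    clf = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) (\S+)[^"]*"')
    for line in lines:
        m = clf.match(line)
        if not m:
            continue                       # malformed line, not a request
        reason = check_request_path(m.group(3))
        if reason:
            yield m.group(1), m.group(3), reason


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jul/2003:10:00:01 -0400] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.10 - - [22/Jul/2003:10:00:02 -0400] "GET /view_broadcast.cgi%2e HTTP/1.0" 200 2048',
    '192.0.2.11 - - [22/Jul/2003:10:00:03 -0400] "GET /.../qtusers HTTP/1.0" 200 96',
    '192.0.2.12 - - [22/Jul/2003:10:00:04 -0400] "GET /../AUX HTTP/1.0" 404 0',
    '192.0.2.13 - - [22/Jul/2003:10:00:05 -0400] "GET /parse_xml.cgi?filename=view_broadcast.cgi HTTP/1.0" 200 1900',
]

if __name__ == "__main__":
    for client, path, why in scan_access_log(SAMPLE_LOG):
        print(f"{client} {path} -> {why}")
```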
6. Contact Information
Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.
VAR-200411-0172 | CVE-2004-0079 | OpenSSL contains null-pointer assignment in do_change_cipher_spec() function |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. OpenSSL's SSL/TLS code contains a vulnerability in the do_change_cipher_spec() function: because of an incomplete implementation, a NULL pointer is not handled properly. An application that uses OpenSSL may be put into a denial-of-service (DoS) state. OpenSSL is an open source SSL implementation used to implement high-strength encryption of network communications. It is now widely used in various network applications.
Using the Codenomicon TLS test tool, a NULL pointer assignment was found in OpenSSL's do_change_cipher_spec() function. Applications that rely on this library are exposed to a denial of service.
For the first issue, a NULL-pointer assignment can be triggered by attackers during SSL/TLS handshake exchanges. The CVE candidate name for this vulnerability is CAN-2004-0079. Versions 0.9.6c to 0.9.6k (inclusive) and from 0.9.7a to 0.9.7c (inclusive) are vulnerable.
The second issue is also exploited during the SSL/TLS handshake, but only when Kerberos ciphersuites are in use. The vendor has reported that this vulnerability may not be a threat to many, because it occurs only when Kerberos ciphersuites are in use, an uncommon configuration. The CVE candidate name for this vulnerability is CAN-2004-0112. Versions 0.9.7a, 0.9.7b, and 0.9.7c are affected.
This entry will be retired when individual BID records are created for each issue.
*Note: A third denial-of-service vulnerability included in the announcement was discovered affecting 0.9.6 and fixed in 0.9.6d. The CVE candidate name for this vulnerability is CAN-2004-0081.
Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues.
OpenSSL: the CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues.
ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue.
Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues.
Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business and Applications, Oracle Enterprise Manager Grid Control, and Oracle PeopleSoft Applications are reported prone to multiple vulnerabilities.
Oracle has released a Critical Patch Update to address these issues in various supported applications and platforms.
The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. While various levels of authorization are required to leverage some issues, others do not require any authorization.
This BID will be divided and updated into separate BIDs when more information is available.
OpenSSL supports a variety of cryptographic algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc.
Cisco Security Advisory: Cisco OpenSSL Implementation Vulnerability
Revision 1.0
For Public Release 2004 March 17 at 1300 UTC (GMT)
----------------------------------------------------------------------
Contents
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: INTERIM
Distribution
Revision History
Cisco Security Procedures
----------------------------------------------------------------------
Summary
A new vulnerability in the OpenSSL implementation for SSL
has been announced on March 17, 2004.
An affected network device running an SSL server based on an affected
OpenSSL implementation may be vulnerable to a Denial of Service (DoS)
attack. There are workarounds available to mitigate the effects of this
vulnerability on Cisco products in the workaround section of this
advisory. Cisco is providing fixed software, and recommends that customers
upgrade to it when it is available.
This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml.
* Cisco IOS 12.1(11)E and later in the 12.1E release train. Only crypto
images (56i and k2) are vulnerable for the Cisco 7100 and 7200 Series
Routers.
* Cisco IOS 12.2SY release train. Only crypto images (k8, k9 and k91)
are vulnerable for the Cisco Catalyst 6500 Series and Cisco 7600
Series Routers.
* Cisco PIX Firewall
* Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series and Cisco 7600 Series routers
* Cisco MDS 9000 Series Multilayer Switch
* Cisco Content Service Switch (CSS) 11000 series
* Cisco Global Site Selector (GSS) 4480
* CiscoWorks Common Services (CWCS) version 2.2 and CiscoWorks Common
Management Foundation (CMF) version 2.1
* Cisco Access Registrar (CAR)
The following products have their SSL implementation based on the OpenSSL
code and are not affected by this vulnerability.
* Cisco Secure Intrusion Detection System (NetRanger) appliance. This
includes the IDS-42xx appliances, NM-CIDS and WS-SVS-IDSM2.
* Cisco SN 5428 and SN 5428-2 Storage Router
* Cisco CNS Configuration Engine
* Cisco Network Analysis Modules (NAM) for the Cisco Catalyst 6000 and
6500 Series switches and Cisco 7600 Series routers
* Cisco SIP Proxy Server (SPS)
* CiscoWorks 1105 Hosting Solution Engine (HSE)
* CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)
* Cisco Ethernet Subscriber Solution Engine (ESSE)
The following products, which implement SSL, are not affected by this
vulnerability.
* Cisco VPN 3000 Series Concentrators
CatOS does not implement SSL and is not vulnerable.
No other Cisco products are currently known to be affected by this
vulnerability. This vulnerability is still being actively investigated
across Cisco products and status of some products has still not been
determined.
Details
Secure Sockets Layer (SSL) is a protocol used to encrypt the data
transferred over a TCP session. SSL in Cisco products is mainly used by
the HyperText Transfer Protocol Secure (HTTPS) web service for which the
default TCP port is 443. The affected products, listed above, are only
vulnerable if they have the HTTPS service enabled and the access to the
service is not limited to trusted hosts or network management
workstations.
To check if the HTTPS service is enabled one can do the following:
1. Check the configuration on the device to verify the status of the
HTTPS service.
2. Try to connect to the device using a standard web browser that
supports SSL using a URL similar to https://ip_address_of_device/.
3. Try to connect to the default HTTPS port, TCP 443, using Telnet:
telnet ip_address_of_device 443. If the session connects, the service
is enabled and accessible.
This crash on many Cisco products would cause the device to reload.
A third vulnerability described in the NISCC advisory is a bug in older
versions of OpenSSL, versions before 0.9.6d, that can also lead to a
Denial of Service attack. None of the Cisco OpenSSL implementations are
known to be affected by this older OpenSSL issue.
* Cisco IOS - All 12.1(11)E and later IOS software crypto (56i and k2)
image releases in the 12.1E release train for the Cisco 7100 and 7200
Series Routers are affected by this vulnerability. All IOS software
crypto (k8, k9, and k91) image releases in the 12.2SY release train
for the Cisco Catalyst 6500 Series and Cisco 7600 Series Routers are
affected by this vulnerability. The SSH implementation in IOS is not
dependent on any OpenSSL code. SSH implementations in IOS do not
handle certificates, yet, and therefore do not use any SSL code for
SSH. OpenSSL in 12.1E and 12.2SY release trains is only used for
providing the HTTPS and VPN Device Manager (VDM) services. This
vulnerability is documented in the Cisco Bug Toolkit (registered
customers only) as Bug ID CSCee00041. The HTTPS web service, that uses
the OpenSSL code, on the device is disabled by default. The no ip http
secure-server command may be used to disable the HTTPS web service on
the device, if required. The SSH and IPSec services in IOS are not
vulnerable to this vulnerability.
* Cisco PIX Firewall - PIX 6.x releases are affected by this
vulnerability. PIX 5.x releases do not contain any SSL code and are
not vulnerable. This vulnerability is documented in the Cisco Bug
Toolkit (registered customers only) as Bug ID CSCed90672.
* Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series and Cisco 7600 Series routers - This vulnerability is
documented in the Cisco Bug Toolkit (registered customers only) as Bug
ID CSCee02055.
* Cisco MDS 9000 Series Multilayer Switches - This vulnerability is
documented in the Cisco Bug Toolkit (registered customers only) as Bug
ID CSCed96246.
* Cisco Content Service Switch (CSS) 11000 series - WebNS version 6.x
and 7.x are affected by this vulnerability. This vulnerability is
documented in the Cisco Bug Toolkit (registered customers only) as Bug
ID CSCee01234 for SCM and is documented in the Cisco Bug Toolkit
(registered customers only) as Bug ID CSCee01240 for the SSL module.
* Cisco Global Site Selector (GSS) 4480 - This vulnerability is
documented in the Cisco Bug Toolkit (registered customers only) as Bug
ID CSCee01057.
* CiscoWorks Common Services (CWCS) version 2.2 and CiscoWorks Common
Management Foundation (CMF) version 2.1 - This vulnerability is
documented in the Cisco Bug Toolkit (registered customers only) as Bug
ID CSCsa13748.
* Cisco Access Registrar (CAR) - This vulnerability is documented in the
Cisco Bug Toolkit (registered customers only) as Bug ID CSCee01956.
The Internetworking Terms and Cisco Systems Acronyms online guides can be
found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.
Impact
An affected network device running an SSL server based on the OpenSSL
implementation may be vulnerable to a Denial of Service (DoS) attack.
Software Versions and Fixes
* Cisco IOS -
+----------------------------------------+
|Release| Fixed Releases |Availability |
| Train | | |
|-------+------------------+-------------|
|12.2SY |12.2(14)SY4 |March 25 |
|-------+------------------+-------------|
| |12.1(13)E14 |April 8 |
|12.1E |12.1(19)E7 |April 8 |
| |12.1(20)E3 |April 26 |
+----------------------------------------+
* Cisco PIX Firewall - The vulnerability is fixed in software releases
6.0(4)102, 6.1(5)102, 6.2(3)107, and 6.3(3)124. These engineering
builds may be obtained by contacting the Cisco Technical Assistance
Center (TAC). TAC Contact information is given in the Obtaining Fixed
Software section below.
* Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series and Cisco 7600 Series routers - The vulnerability is fixed in
software release 1.1.3(14) which will be available by Monday, 22 of
March, 2004. This engineering build may be obtained by contacting the
Cisco Technical Assistance Center (TAC). TAC Contact information is
given in the Obtaining Fixed Software section below.
* Cisco MDS 9000 Series Multilayer Switches - No fixed software release
or software availability date has been determined yet.
* Cisco Content Service Switch (CSS) 11000 series - No fixed software
release or software availability date has been determined yet.
* Cisco Global Site Selector (GSS) 4480 - No fixed software release or
software availability date has been determined yet.
* CiscoWorks Common Services (CWCS) version 2.2 and CiscoWorks Common
Management Foundation (CMF) version 2.1 - No fixed software release or
software availability date has been determined yet.
* Cisco Access Registrar (CAR) - The vulnerability is fixed in software
release 3.5.0.12 which will be available by Friday, 26 of March, 2004.
Obtaining Fixed Software
Cisco is offering free software upgrades to address this vulnerability for
all affected customers.
Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise using
such software upgrades, Customers agree to be bound by the terms of
Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set
forth at the Cisco Connection Online Software Center at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com/tacpage/sw-center. To access the software
download URL, you must be a registered user and you must be logged in.
Customers whose Cisco products are provided or maintained through a prior
or existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers, should contact that
support organization for assistance with obtaining the software
upgrade(s).
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC) using the contact information listed below. In
these cases, customers are entitled to obtain a free upgrade to a later
version of the same release or as indicated by the applicable corrected
software version in the Software Versions and Fixes section (noted above).
Cisco TAC contacts are as follows:
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized telephone
numbers and instructions and e-mail addresses for use in various
languages.
Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to an upgrade. Upgrades for
non-contract customers must be requested through the TAC.
Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.
Workarounds
The Cisco PSIRT recommends that affected users upgrade to a fixed software
version of code as soon as it is available.
* Restrict access to the HTTPS server on the network device. Allow
access to the network device only from trusted workstations by using
access lists / MAC filters that are available on the affected
platforms.
* Disable the SSL server / service on the network device. This
workaround must be weighed against the need for secure communications
with the vulnerable device.
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any malicious use of the vulnerability
described in this advisory.
This vulnerability was reported to Cisco PSIRT by NISCC.
Status of This Notice: INTERIM
This is an interim advisory. Although Cisco cannot guarantee the accuracy
of all statements in this advisory, all of the facts have been checked to
the best of our ability. Cisco does not anticipate issuing updated
versions of this advisory unless there is some material change in the
facts. Should there be a significant change in the facts, Cisco may update
this advisory.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain factual
errors.
Distribution
This advisory will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml .
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key having the fingerprint 8C82 5207
0CA9 ED40 1DD2 EE2A 7B31 A8CF 32B6 B590 and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org (includes CERT/CC)
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.netsys.com
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged to
check the above URL for any updates.
Revision History
+------------------------------------------+
|Revision 1.0|2004-March-17|Initial |
| | |release. |
+------------------------------------------+
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's worldwide
website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
This advisory is copyright 2004 by Cisco Systems, Inc. This advisory may
be redistributed freely after the release date given at the top of the
text, provided that redistributed copies are complete and unmodified,
including all date and version information.
----------------------------------------------------------------------
Any application that makes use of OpenSSL's SSL/TLS library may be
affected.
Recommendations
---------------
Upgrade to OpenSSL 0.9.7d or 0.9.6m. Recompile any OpenSSL applications
statically linked to OpenSSL libraries.
OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and
FTP from the following master locations (you can find the various FTP
mirrors under http://www.openssl.org/source/mirror.html):
ftp://ftp.openssl.org/source/
The distribution file names are:
o openssl-0.9.7d.tar.gz
MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5
o openssl-0.9.6m.tar.gz [normal]
MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9
o openssl-engine-0.9.6m.tar.gz [engine]
MD5 checksum: 4c39d2524bd466180f9077f8efddac8c
The checksums were calculated using the following command:
openssl md5 openssl-0.9*.tar.gz
Credits
-------
Patches for these issues were created by Dr Stephen Henson
(steve@openssl.org) of the OpenSSL core team. The OpenSSL team would
like to thank Codenomicon for supplying the TLS Test Tool which was
used to discover these vulnerabilities, and Joe Orton of Red Hat for
performing the majority of the testing.
References
----------
http://www.codenomicon.com/testtools/tls/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20040317.txt