VARIoT IoT vulnerabilities database

VAR-200702-0006 CVE-2006-6490 SupportSoft ActiveX controls contain multiple buffer overflows CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Multiple buffer overflows in the SupportSoft (1) SmartIssue (tgctlsi.dll) and (2) ScriptRunner (tgctlsr.dll) ActiveX controls, as used by Symantec Automated Support Assistant and Norton AntiVirus, Internet Security, and System Works 2006, allow remote attackers to execute arbitrary code via a crafted HTML message. The affected software component is included in several third-party applications. SupportSoft is software that implements self-service functions, which users can use to solve some of the problems they encounter. Symantec's Norton Internet Security 2006 suite, which includes the SupportSoft tool, is also affected by the vulnerability.

----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software Inspector.

The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor.

Try it out online: http://secunia.com/software_inspector/
----------------------------------------------------------------------

TITLE: SupportSoft ActiveX Controls Buffer Overflow Vulnerabilities

SECUNIA ADVISORY ID: SA24251

VERIFY ADVISORY: http://secunia.com/advisories/24251/

CRITICAL: Highly critical

IMPACT: System access

WHERE: From remote

SOFTWARE:
SupportSoft ActiveX Controls 5.x http://secunia.com/product/13545/
SupportSoft ActiveX Controls 6.x http://secunia.com/product/13546/

DESCRIPTION: Some vulnerabilities have been reported in various SupportSoft ActiveX controls, which can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors within the SmartIssue, RemoteAssist, and Probe ActiveX controls. These can be exploited to cause stack-based buffer overflows via overly long arguments passed to various methods. Successful exploitation allows execution of arbitrary code but requires that the user is e.g. tricked into visiting a malicious web site.

The vulnerabilities reportedly affect versions 5.5, 5.6, and 6.x.

SOLUTION: Apply updates. http://www.supportsoft.com/support/controls_update.asp

PROVIDED AND/OR DISCOVERED BY: Independently discovered by:
* Mark Litchfield, NGSSoftware
* Peter Vreugdenhil, reported via iDefense Labs
* Will Dormann, CERT/CC

ORIGINAL ADVISORY:
SupportSoft: http://www.supportsoft.com/support/Security%20Advisory%202006-01-V2007.pdf
US-CERT VU#441785: http://www.kb.cert.org/vuls/id/441785
iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=478

----------------------------------------------------------------------
About: This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.

Subscribe: http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/

Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
Symantec Security Advisory SYM07-002
http://www.symantec.com/avcenter/security/Content/2007.02.22.html
BID 22564
22 Feb, 2007

Stack Overflow in Third-Party ActiveX Controls affects Multiple Vendor Products Including Some Symantec Consumer Products and Automated Support Assistant

Revision History: None
Severity: High (dependent on configuration and user interaction)
BID22564 http://www.symantec.com/avcenter/security/Content/2007.02.22.html
Remote Access: Yes
Local Access: No
Authentication Required: No
Exploit publicly available: No

Overview

Vulnerabilities were identified in third-party trouble-shooting ActiveX controls, developed by SupportSoft, www.supportsoft.com. Two of these controls were signed, shipped and installed with the identified versions of Symantec's consumer products and as part of the Symantec Automated Support Assistant support tool. The vulnerability identified in the Symantec shipped controls could potentially result in a stack overflow requiring user interaction to exploit. If successfully exploited, this vulnerability could potentially compromise a user's system, possibly allowing execution of arbitrary code or unauthorized access to system assets with the permissions of the user's browser.

Supported Symantec Product(s) Affected (Product: Solution(s))
Symantec Automated Support Assistant: Update Available
Symantec Norton AntiVirus 2006: Update Available
Symantec Norton Internet Security 2006: Update Available
Symantec Norton System Works 2006: Update Available

Symantec Products NOT Affected (Product(s): Version)
Symantec 2007 Consumer Products: All
Symantec Norton 360
Symantec Corporate and Enterprise Products: All

NOTE: Only Symantec Consumer products indicated as affected above shipped with these vulnerable components. The Symantec Automated Support Assistant is used by online consumer customer support when a consumer customer visits the support site requiring assistance. The Automated Support Assistant tool aids in providing the user with solution information for their problems. The SupportSoft ActiveX controls were initially implemented mid-2005 on Symantec's consumer support site. During the timeframe up to August 2006, when the non-vulnerable controls were made available, vulnerable controls could potentially be installed by the Automated Support Assistant on customer systems running Symantec consumer products and versions other than those listed above. See the Symantec Response section to determine if your product has a vulnerable version of the Automated Support Assistant fix tool. Symantec Corporate and Enterprise products do not ship with these components and are NOT vulnerable to this issue.

These SupportSoft ActiveX components did not properly validate external input. This failure could potentially lead to unauthorized access to system resources or the possible execution of malicious code with the privileges of the user's browser, resulting in a potential compromise of the user's system. Any attempt to exploit these issues would require interactive user involvement. An attacker would need to be able to effectively entice a user to visit a malicious web site where their malicious code was hosted, or to click on a malicious URL, in any attempt to compromise the user's system. While these SupportSoft-developed components should also have been effectively site-locked, which would have further reduced the severity, this capability was found to be improperly implemented in the vulnerable versions.

Symantec Response

Symantec worked closely with SupportSoft to ensure updates were quickly made available for the identified controls. SupportSoft has posted a Security Bulletin, http://www.supportsoft.com/support/controls_update.asp, for the controls Symantec uses and controls used in other products on their support site, www.supportsoft.com. Symantec immediately removed the vulnerable controls from its consumer support site. Symantec engineers tested the updates provided by SupportSoft extensively and, once tested, updated the Symantec Automated Support Assistant on Symantec's support site. Additionally, in November 2006, the vulnerable versions of these controls were disabled through LiveUpdate for Symantec consumer customers who regularly run interactive updates to their Symantec applications. Those Symantec consumer customers who rely solely on Automatic LiveUpdate would have received an automatic notification to initiate an interactive LiveUpdate session to obtain all pending updates.

To ensure all updates have been properly retrieved and applied to Symantec consumer products, users should regularly run an interactive LiveUpdate session as follows:
* Open any installed Symantec consumer product
* Click on LiveUpdate in the GUI toolbar
* Run LiveUpdate until all available Symantec product updates are downloaded and installed or you are advised that your system has the latest updates available.

Symantec recommends customers always ensure they have the latest updates to protect against threats. Symantec customers who previously downloaded the Symantec Automated Support Assistant tool beginning in July 2005, and those who have installed versions of the consumer products indicated above, may also go to the Symantec support site, https://www-secure.symantec.com/techsupp/asa/install.jsp, to ensure they have the updated version of the Automated Support Assistant fix tool. By downloading the updated version of the Symantec Automated Support Assistant fix tool, any existing legacy controls are updated with non-vulnerable versions. Customers who have received support assistance since August 2006 will already have the latest non-vulnerable versions of these controls. Symantec has not seen any active attempts against or customer impact from these issues.

Mitigation

Symantec Security Response is releasing an AntiVirus Bloodhound definition, Bloodhound.Exploit.119, a heuristic detection and prevention for attempts to exploit these vulnerable controls. Virus definitions containing this heuristic will be available through Symantec LiveUpdate or Symantec's Intelligent Updater. IDS signatures have also been released to detect and block attempts to exploit this issue. Customers using Symantec Norton Internet Security or Norton Personal Firewall receive regular signature updates if they run LiveUpdate automatically. If not using the Automatic LiveUpdate function, Symantec recommends customers interactively run Symantec LiveUpdate frequently to ensure they have the most current protection available.

Establishing more secure Internet zone settings for the local user can prohibit activation of ActiveX controls without the user's consent. An attacker who successfully exploited this vulnerability could gain the user rights of the local user. Users whose accounts are configured to have fewer user rights on the system would be less impacted than users who operate with administrative privileges. As always, if previously unknown malicious code were attempted to be distributed in this manner, Symantec Security Response would react quickly to update definitions via LiveUpdate to detect and deter any new threat(s).

Best Practices

As part of normal best practices, Symantec strongly recommends a multi-layered approach to security:
* Run under the principle of least privilege where possible.
* Keep all operating systems and applications updated with the latest vendor patches.
* Users, at a minimum, should run both a personal firewall and antivirus application with current updates to provide multiple points of detection and protection to both inbound and outbound threats.
* Users should be cautious of mysterious attachments and executables delivered via email and be cautious of browsing unknown/untrusted websites or clicking on unknown/untrusted URL links.
* Do not open unidentified attachments or executables from unknown sources or that you didn't request or were unaware of.
* Always err on the side of caution. Even if the sender is known, the source address may be spoofed.
* If in doubt, contact the sender to confirm they sent it and why before opening the attachment. If still in doubt, delete the attachment without opening it.

CVE

A CVE Candidate, CVE-2006-6490, has been assigned. This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Credit

Symantec has coordinated very closely with SupportSoft to help ensure that all additional affected vendor customer bases have been provided with information concerning affected controls and updates to address the vulnerability. Symantec wants to thank Mark Litchfield of NGS Software Ltd. for the initial identification and notification of this issue and for the excellent, in-depth coordination with both Symantec and SupportSoft while resolving the issue. Additionally, this issue was independently identified by the analysts at CERT, in CERT Vulnerability Note VU#441785, who reported their findings to and worked closely with both Symantec and SupportSoft through to resolution, and by Peter Vreugdenhil, working through iDefense, who coordinated with Symantec as we resolved the issue.

Symantec takes the security and proper functionality of its products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability guidelines outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@symantec.com if you feel you have discovered a potential or actual security issue with a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec has developed a Product Vulnerability Handling Process document outlining the process we follow in addressing suspected vulnerabilities in our products. We support responsible disclosure of all vulnerability information in a timely manner to protect Symantec customers and the security of the Internet as a result of vulnerability. This document is available from http://www.symantec.com/security/

Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be obtained from the location provided above.
VAR-200702-0472 CVE-2007-1072 Cisco Unified IP Phone 7906G denial of service (DoS) vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
The command line interface (CLI) in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G, with firmware 8.0(4)SR1 and earlier, allows local users to obtain privileges or cause a denial of service via unspecified vectors. NOTE: this issue can be leveraged remotely via CVE-2007-1063. Because of CVE-2007-1063, this issue can also be attacked remotely; a local user may be able to gain privileges or cause a denial of service (DoS). Unified IP Phone 7970G is prone to a denial-of-service vulnerability. The CLI in several Cisco products is vulnerable to permissions and access control issues. The vulnerability stems from the lack of effective permissions and access control measures in network systems or products.

TITLE: Cisco Unified IP Conference Station / IP Phone Default Accounts

SECUNIA ADVISORY ID: SA24262

VERIFY ADVISORY: http://secunia.com/advisories/24262/

CRITICAL: Moderately critical

IMPACT: Security Bypass

WHERE: From local network

OPERATING SYSTEM:
Cisco Unified IP Conference Station 7936 http://secunia.com/product/13540/
Cisco Unified IP Conference Station 7935 http://secunia.com/product/13541/
Cisco Unified IP Phones 7900 Series http://secunia.com/product/13543/

DESCRIPTION: Some security issues have been reported in Cisco Unified IP Conference Station and IP Phones, which can be exploited by malicious people to access a vulnerable device.

1) A design error in the way the administrative HTTP interface of Cisco Unified IP Conference Station handles the state of administrator login sessions can be exploited to bypass the user authentication by accessing management URLs directly.

SOLUTION: Update to a fixed version (see the vendor's advisory for details).

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Christian Reichert, Christian Blum, and Jens Link of Intact Integrated Services.
2) Reported by the vendor.

ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070221-phone.shtml
http://www.cisco.com/warp/public/707/cisco-air-20070221-phone.shtml
VAR-200702-0154 CVE-2006-7034 SQL injection vulnerability in directory.php in Super Link Exchange Script CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SQL injection vulnerability in directory.php in Super Link Exchange Script 1.0 might allow remote attackers to execute arbitrary SQL queries via the cat parameter.
VAR-200702-0463 CVE-2007-1062 Cisco Unified IP Conference Station 7935 authentication bypass vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The Cisco Unified IP Conference Station 7935 3.2(15) and earlier, and Station 7936 3.3(12) and earlier, do not properly handle administrator HTTP sessions, which allows remote attackers to bypass authentication controls via a direct URL request to the administrative HTTP interface for a limited time. Cisco Unified IP Conference Station and Unified IP Phone are prone to multiple remote vulnerabilities. These issues include an administrative-bypass issue, an unauthorized-access issue, and a privilege-escalation issue. An attacker can exploit these issues to completely compromise affected devices. The attacker may be able to gain administrative access to the affected device, execute arbitrary code with administrative privileges, or cause the device to become unstable, denying service to legitimate users. This vulnerability stems from the lack of authentication measures or insufficient authentication strength in network systems or products.

This can further be exploited to cause a DoS (Denial of Service) or gain escalated privileges.

SOLUTION: Update to a fixed version (see the vendor's advisory for details).

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Christian Reichert, Christian Blum, and Jens Link of Intact Integrated Services.
2) Reported by the vendor.

ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070221-phone.shtml
http://www.cisco.com/warp/public/707/cisco-air-20070221-phone.shtml
VAR-200702-0464 CVE-2007-1063 Cisco Unified IP Phone SSH server device access vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The SSH server in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G, with firmware 8.0(4)SR1 and earlier, uses a hard-coded username and password, which allows remote attackers to access the device. Cisco Unified IP Conference Station and Unified IP Phone are prone to multiple remote vulnerabilities. These issues include an administrative-bypass issue, an unauthorized-access issue, and a privilege-escalation issue. An attacker can exploit these issues to completely compromise affected devices. The attacker may be able to gain administrative access to the affected device, execute arbitrary code with administrative privileges, or cause the device to become unstable, denying service to legitimate users. The SSH server in many Cisco products has a trust management vulnerability. This vulnerability stems from the lack of an effective trust management mechanism in network systems or products. Attackers can use default passwords or hard-coded passwords, hard-coded certificates, etc. to attack affected components.

1) A design error in the way the administrative HTTP interface of Cisco Unified IP Conference Station handles the state of administrator login sessions can be exploited to bypass the user authentication by accessing management URLs directly. This can further be exploited to cause a DoS (Denial of Service) or gain escalated privileges.

SOLUTION: Update to a fixed version (see the vendor's advisory for details).

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Christian Reichert, Christian Blum, and Jens Link of Intact Integrated Services.
2) Reported by the vendor.

ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070221-phone.shtml
http://www.cisco.com/warp/public/707/cisco-air-20070221-phone.shtml
VAR-200702-0465 CVE-2007-1064 Privilege escalation vulnerability in CSSC and related products CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client do not drop privileges when the help facility in the supplicant GUI is invoked, which allows local users to gain privileges, aka CSCsf14120. Cisco CSSC and CTA products are prone to an information-disclosure issue and multiple privilege-escalation vulnerabilities because of design flaws in the software. Exploiting these issues allows local attackers to access sensitive information and to elevate their privileges on affected computers. Cisco Secure Services Client is a tool for deploying a single 802.1X-based authentication framework across multiple Cisco devices.

Privilege Escalation
* An unprivileged user logged into a computer can elevate privileges locally through the help facility in the supplicant GUI, which runs as the system user. This vulnerability is documented as Cisco Bug ID CSCsf14120.

1) Various design errors can be exploited to gain escalated privileges via e.g. the help functionality, when launching programs, by injecting threads, and when parsing commands.
2) When using various authentication methods, the user's password is stored in cleartext in the application log files.

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY:
Cisco Systems: http://www.cisco.com/warp/public/707/cisco-sa-20070221-supplicant.shtml
VAR-200702-0466 CVE-2007-1065 SYSTEM privilege escalation vulnerability in CSSC and related products CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client allow local users to gain SYSTEM privileges via unspecified vectors in the supplicant, aka CSCsf15836. Cisco CSSC and CTA products are prone to an information-disclosure issue and multiple privilege-escalation vulnerabilities because of design flaws in the software. Exploiting these issues allows local attackers to access sensitive information and to elevate their privileges on affected computers. Cisco Secure Services Client is a tool for deploying a single 802.1X-based authentication framework across multiple Cisco devices.

Privilege Escalation
* An unprivileged user logged into the computer can launch arbitrary programs on the system, running with SYSTEM privileges, from the requester application. This vulnerability is documented as Cisco Bug ID CSCsf15836.

1) Various design errors can be exploited to gain escalated privileges via e.g. the help functionality, when launching programs, by injecting threads, and when parsing commands.
2) When using various authentication methods, the user's password is stored in cleartext in the application log files.

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY:
Cisco Systems: http://www.cisco.com/warp/public/707/cisco-sa-20070221-supplicant.shtml
VAR-200702-0467 CVE-2007-1066 Privilege escalation vulnerability in CSSC and related products (insecure DACL) CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client use an insecure default Discretionary Access Control List (DACL) for the connection client GUI, which allows local users to gain privileges by injecting "a thread under ConnectionClient.exe," aka CSCsg20558. Cisco CSSC and CTA products are prone to an information-disclosure issue and multiple privilege-escalation vulnerabilities because of design flaws in the software. Exploiting these issues allows local attackers to access sensitive information and to elevate their privileges on affected computers. Cisco Secure Services Client is a tool for deploying a single 802.1X-based authentication framework across multiple Cisco devices. This vulnerability is documented as Cisco Bug ID CSCsg20558.

1) Various design errors can be exploited to gain escalated privileges via e.g. the help functionality, when launching programs, by injecting threads, and when parsing commands.
2) When using various authentication methods, the user's password is stored in cleartext in the application log files.

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY:
Cisco Systems: http://www.cisco.com/warp/public/707/cisco-sa-20070221-supplicant.shtml
VAR-200702-0468 CVE-2007-1067 Cisco CSSC and other products privilege escalation vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client do not properly parse commands, which allows local users to gain privileges via unspecified vectors, aka CSCsh30624.

Cisco CSSC and CTA products are prone to an information-disclosure issue and multiple privilege-escalation vulnerabilities because of design flaws in the software. Exploiting these issues allows local attackers to access sensitive information and to elevate their privileges on affected computers. Cisco Secure Services Client is a tool for deploying a single 802.1X-based authentication framework across multiple Cisco devices.

Privilege Escalation
--------------------
Because of the way commands are parsed, it is possible for an unprivileged user logged on to a computer to start a process with the privileges of the local system user. This vulnerability is documented as Cisco Bug IDs CSCsh30297 and CSCsh30624.

1) Various design errors can be exploited to gain escalated privileges via e.g. the help functionality, when launching programs, by injecting threads, and when parsing commands.

2) When using various authentication methods, the user's password is stored in cleartext in the application log files.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070221-supplicant.shtml
VAR-200702-0469 CVE-2007-1068 Cisco CSSC and other products information disclosure vulnerability in authentication methods CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
The (1) TTLS CHAP, (2) TTLS MSCHAP, (3) TTLS MSCHAPv2, (4) TTLS PAP, (5) MD5, (6) GTC, (7) LEAP, (8) PEAP MSCHAPv2, (9) PEAP GTC, and (10) FAST authentication methods in Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client store transmitted authentication credentials in plaintext log files, which allows local users to obtain sensitive information by reading these files, aka CSCsg34423. By reading a plaintext log file, a local user may obtain sensitive information.

Cisco CSSC and CTA products are prone to an information-disclosure issue and multiple privilege-escalation vulnerabilities because of design flaws in the software. Exploiting these issues allows local attackers to access sensitive information and to elevate their privileges on affected computers. Cisco Secure Services Client is a tool for deploying a single 802.1X-based authentication framework across multiple Cisco devices.

1) Various design errors can be exploited to gain escalated privileges via e.g. the help functionality, when launching programs, by injecting threads, and when parsing commands.

2) When using various authentication methods, the user's password is stored in cleartext in the application log files.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070221-supplicant.shtml
VAR-200702-0515 CVE-2007-1051 Comodo Firewall Pro security protection bypass vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Comodo Firewall Pro (formerly Comodo Personal Firewall) 2.4.17.183 and earlier uses a weak cryptographic hashing function (CRC32) to identify trusted modules, which allows local users to bypass security protections by substituting modified modules that have the same CRC32 value. Comodo Firewall Pro is prone to a local security vulnerability.
VAR-200702-0458 CVE-2007-1057 Nortel Net Direct client (used in Nortel Application Switch and other products) vulnerability allowing arbitrary code execution by other users CVSS V2: 6.9
CVSS V3: -
Severity: MEDIUM
The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client. Nortel SSL VPN Net Direct Client is prone to a local privilege-escalation vulnerability. Successfully exploiting this issue allows local users to execute arbitrary code with superuser privileges, facilitating the complete compromise of affected computers.

TITLE:
Nortel Net Direct Client for Linux Privilege Escalation

SECUNIA ADVISORY ID:
SA24231

VERIFY ADVISORY:
http://secunia.com/advisories/24231/

CRITICAL:
Less critical

IMPACT:
Privilege escalation

WHERE:
Local system

SOFTWARE:
Nortel Net Direct Client for Linux 6.x
http://secunia.com/product/13523/

DESCRIPTION:
Jon Hart has reported a vulnerability in Net Direct Client for Linux, which can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused by a combination of insecure permissions and a race condition when downloading and executing client binaries. The vulnerability is reported in versions 6.0.1 through 6.0.3.

SOLUTION:
Update to version 6.0.5.

PROVIDED AND/OR DISCOVERED BY:
Jon Hart, spoofed.org.

ORIGINAL ADVISORY:
Nortel Networks:
http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540071

Jon Hart:
http://spoofed.org/blog/archive/2007/02/nortel_vpn_unix_client_local_root_compromise.html
VAR-200702-0462 CVE-2007-1061 Francisco Burzi PHP-Nuke index.php SQL injection vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
SQL injection vulnerability in index.php in Francisco Burzi PHP-Nuke 8.0 Final and earlier, when the "HTTP Referers" block is enabled, allows remote attackers to execute arbitrary SQL commands via the HTTP Referer header (HTTP_REFERER variable). PHP-Nuke is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation. PHP-Nuke 8.0 Final and prior versions are vulnerable. PHP-Nuke is a popular website creation and management tool; it can use many database products as its backend, such as MySQL, PostgreSQL, mSQL, Interbase, and Sybase.

TITLE:
PHP-Nuke HTTP "referer" SQL Injection Vulnerability

SECUNIA ADVISORY ID:
SA24224

VERIFY ADVISORY:
http://secunia.com/advisories/24224/

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data

WHERE:
From remote

SOFTWARE:
PHP-Nuke 8.x
http://secunia.com/product/13524/
PHP-Nuke 7.x
http://secunia.com/product/2385/
PHP-Nuke 6.x
http://secunia.com/product/329/
PHP-Nuke 5.x
http://secunia.com/product/689/

DESCRIPTION:
Maciej "krasza" Kukla has discovered a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability is confirmed in version 7.9 and reported in version 8.0. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY:
Maciej "krasza" Kukla
VAR-200702-0378 CVE-2006-5276 Sourcefire Snort DCE/RPC preprocessor does not properly reassemble fragmented packets CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Stack-based buffer overflow in the DCE/RPC preprocessor in Snort before 2.6.1.3, and 2.7 before beta 2, and in Sourcefire Intrusion Sensor, allows remote attackers to execute arbitrary code via crafted SMB traffic. Snort IDS and Sourcefire Intrusion Sensor are prone to a stack-based buffer-overflow vulnerability because the network intrusion detection (NID) systems fail to handle specially crafted DCE/RPC network packets. An attacker can exploit this issue to execute malicious code in the context of the user running the affected application. Failed attempts will likely cause these applications to crash. The software provides functions such as packet sniffing, packet analysis, and packet inspection.

National Cyber Alert System
Technical Cyber Security Alert TA07-050A
Sourcefire Snort DCE/RPC Preprocessor Buffer Overflow

Original release date: February 19, 2007
Last revised: --
Source: US-CERT

Systems Affected
* Snort 2.6.1, 2.6.1.1, and 2.6.1.2
* Snort 2.7.0 beta 1
* Sourcefire Intrusion Sensors version 4.1.x, 4.5.x, and 4.6.x with SEUs prior to SEU 64
* Sourcefire Intrusion Sensors for Crossbeam version 4.1.x, 4.5.x, and 4.6.x with SEUs prior to SEU 64
Other products that use Snort or Snort components may be affected.

I. Description
The DCE/RPC preprocessor reassembles fragmented SMB and DCE/RPC traffic before passing data to the Snort rules. The vulnerable code does not properly reassemble certain types of SMB and DCE/RPC packets. An attacker could exploit this vulnerability by sending a specially crafted TCP packet to a host or network monitored by Snort. The DCE/RPC preprocessor is enabled by default, and it is not necessary for an attacker to complete a TCP handshake. US-CERT is tracking this vulnerability as VU#196240. This vulnerability has been assigned CVE number CVE-2006-5276. Further information is available in advisories from Sourcefire and ISS.

II. Impact

III. Solution
Upgrade
Snort 2.6.1.3 is available from the Snort download site. Sourcefire customers should visit the Sourcefire Support Login site.

Disable the DCE/RPC Preprocessor
To disable the DCE/RPC preprocessor, comment out the line that loads the preprocessor in the Snort configuration file (typically /etc/snort.conf on UNIX and Linux systems):

    [/etc/snort.conf]
    ...
    #preprocessor dcerpc...

Restart Snort for the change to take effect. Disabling the preprocessor will prevent Snort from reassembling fragmented SMB and DCE/RPC packets. This may allow attacks to evade the IDS.

IV. References
* US-CERT Vulnerability Note VU#196240 - <http://www.kb.cert.org/vuls/id/196240>
* Sourcefire Advisory 2007-02-19 - <http://www.snort.org/docs/advisory-2007-02-19.html>
* Sourcefire Support Login - <https://support.sourcefire.com/>
* Sourcefire Snort Release Notes for 2.6.1.3 - <http://www.snort.org/docs/release_notes/release_notes_2613.txt>
* Snort downloads - <http://www.snort.org/dl/>
* DCE/RPC Preprocessor - <http://www.snort.org/docs/snort_htmanuals/htmanual_261/node104.html>
* IBM Internet Security Systems Protection Advisory - <http://iss.net/threats/257.html>
* CVE-2006-5276 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-5276>

The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA07-050A.html>

Produced 2007 by US-CERT, a government organization.
Terms of use: <http://www.us-cert.gov/legal.html>

Revision History
February 19, 2007: Initial Release

February 19, 2007

Summary:
Sourcefire has learned of a remotely exploitable vulnerability in the Snort DCE/RPC preprocessor. Sourcefire has prepared updates for Snort open-source software to address this issue.

Mitigating Factors:
Users who have disabled the DCE/RPC preprocessor are not vulnerable.

Recommended Actions:
* Open-source Snort 2.6.1.x users are advised to upgrade to Snort 2.6.1.3 (or later) immediately.
* Open-source Snort 2.7 beta users are advised to mitigate this issue by disabling the DCE/RPC preprocessor. This issue will be resolved in Snort 2.7 beta 2.

Workarounds:
Snort users who cannot upgrade immediately are advised to disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic. After upgrading, customers should re-enable the DCE/RPC preprocessor.

Detecting Attacks Against This Vulnerability:
Sourcefire will be releasing a rule pack that provides detection for attacks against this vulnerability.

Has Sourcefire received any reports that this vulnerability has been exploited?
- No. Sourcefire has not received any reports that this vulnerability has been exploited.

Acknowledgments:
Sourcefire would like to thank Neel Mehta from IBM X-Force for reporting this issue and working with us to resolve it.

Resolution
==========
All Snort users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-analyzer/snort-2.6.1.3"

References
==========
[ 1 ] CVE-2006-5276
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5276

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200703-01.xml

License
=======
Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-200702-0435 CVE-2007-1008 Apple iTunes denial of service (DoS) vulnerability CVSS V2: 2.6
CVSS V3: -
Severity: LOW
Apple iTunes 7.0.2 allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted XML list of radio stations, which results in memory corruption. NOTE: iTunes retrieves the XML document from a static URL, which requires an attacker to perform DNS spoofing or man-in-the-middle attacks for exploitation. Apple iTunes is prone to a remote denial-of-service vulnerability because the application fails to handle malformed XML playlist files. An attacker can exploit this issue to crash the application, triggering a denial-of-service condition. Apple iTunes version 7.0.2 for Intel and PowerPC is vulnerable to this issue; other versions may also be affected.
VAR-200702-0507 CVE-2007-1043 Ezboo webstats authentication bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Ezboo webstats, possibly 3.0.3, allows remote attackers to bypass authentication and gain access via a direct request to (1) update.php and (2) config.php. Ezboo webstats is a statistical tool for website monitoring.
VAR-200702-0343 CVE-2007-0963 Cisco Firewall Services Module vulnerable to DoS via inspection of malformed SIP messages CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.3), when set to log at the "debug" level, allows remote attackers to cause a denial of service (device reboot) by sending packets that are not of a particular protocol such as TCP or UDP, which triggers the reboot during generation of Syslog message 710006. Cisco Firewall Services Module fails to properly inspect SIP messages. This vulnerability may allow a remote attacker to cause a denial of service condition. Multiple Cisco products are prone to multiple denial-of-service vulnerabilities. Attackers can exploit these issues to cause vulnerable devices to reload, potentially causing denial-of-service conditions. Multiple security vulnerabilities exist in Cisco PIX 500 Series Security Appliances and Cisco ASA 5500 Series Adaptive Security Appliances.

Processing packets sent to FWSM could lead to reload
----------------------------------------------------
The reload is triggered when FWSM attempts to generate syslog message 710006. The following two conditions must both be met for this vulnerability to occur:

* FWSM receives a packet addressed to one of the device's own IP addresses, and the packet is not of one of the following protocols: TCP, UDP, ICMP, OSPF, Failover, PIM, IGMP, or ESP. The vulnerability is independent of the source of the packet.

* Logging must be enabled at a high enough level to generate 710006 syslog messages; this message is logged at debug level (level 7) by default. Note that logging is disabled by default, and Cisco recommends logging at the debug level for debugging and troubleshooting purposes only.

This vulnerability is documented in Cisco Bug ID CSCse85707.

TITLE:
Cisco Firewall Services Module Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA24172

VERIFY ADVISORY:
http://secunia.com/advisories/24172/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, DoS

WHERE:
From remote

SOFTWARE:
Cisco Firewall Services Module (FWSM) 3.x
http://secunia.com/product/8614/

DESCRIPTION:
Some vulnerabilities and a security issue have been reported in Cisco Firewall Services Module, which can be exploited by malicious people to cause a DoS or bypass certain security restrictions.

1) An unspecified error within the enhanced inspection of HTTP traffic can be exploited to cause the device to reload via specially crafted HTTP traffic. Successful exploitation requires that enhanced inspection is enabled.

2) An error within the inspection of SIP packets can be exploited to cause the device to reload via specially crafted SIP packets. Successful exploitation requires that SIP inspection is enabled.

3) An unspecified error when processing malformed HTTPS requests can be exploited to cause the device to reload by sending specially crafted HTTPS requests. Successful exploitation requires that "authentication for network access" (auth-proxy) is enabled.

4) An error when processing HTTP requests with a very long URL can be exploited to cause the device to reload, but requires that "authentication for network access" (auth-proxy) is enabled.

5) An unspecified error exists when processing HTTPS traffic that is directed to the FWSM. This can be exploited to cause the device to reload by sending specially crafted HTTPS requests, but requires that the HTTPS server is enabled.

6) An unspecified error when processing malformed SNMP requests from a trusted device can be exploited to cause the affected device to reload. Successful exploitation requires that the other, trusted device has explicit SNMP poll access.

7) A security issue when manipulating ACLs (Access Control Lists) that make use of object groups can corrupt ACLs, resulting in ACEs (Access Control Entries) being skipped or not evaluated in order, which can be exploited to bypass certain security restrictions. Note: Only an administrative user can change ACLs. Additionally, this does not affect devices which are reloaded after ACLs have been manipulated.

A vulnerability that could cause the device to reload when "debugging" is enabled has also been reported.

SOLUTION:
Apply updated software. Please see the vendor advisory for a patch matrix.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml
VAR-200702-0340 CVE-2007-0960 Cisco PIX/ASA privilege escalation vulnerability when using the LOCAL user authentication method CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Cisco PIX 500 and ASA 5500 Series Security Appliances 7.2.2, when configured to use the LOCAL authentication method, allows remote authenticated users to gain privileges via unspecified vectors. Cisco PIX 500 Series and Cisco ASA 5500 series The security appliance has user authentication. LOCAL A vulnerability exists that could allow elevation of privilege by remotely authenticated users when using the method. According to information from Cisco Systems, users who exploit this vulnerability are privileged. 0 Defined in the local database, only in this case the user is privileged 15 Has been reported to be able to be elevated to administrator privileges.On devices under certain conditions, it may be possible to gain administrative privileges from a remotely authenticated user. Exploiting this issue allows authenticated attackers to gain administrative privileges on affected computers. This may facilitate the complete compromise of the affected device. This issue is tracked by Cisco Bug ID: CSCsh33287. Both the Cisco PIX and the ASA are very popular firewall devices that provide firewall services capable of stateful packet filtering and deep packet inspection. Remote attackers may use this loophole to elevate their privileges on the device. Only users who meet these conditions can escalate their assigned privileges to level 15. Once an administrator, users can change every aspect of device configuration and operation. A device is affected by this vulnerability if the following line exists in the device configuration: pixfirewall(config)# aaa authentication enable console LOCAL pixfirewall(config)# username <user_name> password <secret_pwd> privilege 0 This vulnerability is documented in Cisco Bug ID as CSCsh33287. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. 
The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco PIX and ASA Privilege Escalation and Denial of Service SECUNIA ADVISORY ID: SA24160 VERIFY ADVISORY: http://secunia.com/advisories/24160/ CRITICAL: Moderately critical IMPACT: Privilege escalation, DoS WHERE: >From remote OPERATING SYSTEM: Cisco PIX 7.x http://secunia.com/product/6102/ Cisco Adaptive Security Appliance (ASA) 7.x http://secunia.com/product/6115/ DESCRIPTION: Some vulnerabilities have been reported in Cisco PIX and ASA, which can be exploited by malicious users to gain escalated privileges and by malicious people to cause a DoS (Denial of Service). 1) An unspecified error exists within the enhanced HTTP inspection feature. This can be exploited to crash the device via malformed HTTP requests, but requires that enhanced HTTP inspection is enabled. 2) An unspecified error exists within the SIP packet inspection. This can be exploited to crash the device by sending specially crafted SIP packets, but requires that "inspect" is enabled (it is disabled by default). 3) An unspecified error exists within the TCP-based protocol inspection. This can be exploited to crash the device via malformed packets, but requires that inspection of TCP-based protocols (e.g. FTP or HTTP) is enabled. Successful exploitation allows gaining privilege level 15 and changing the complete configuration of the device, but requires that the attacker can authenticate to the device and that he is defined in the local database with privilege level 0. SOLUTION: Apply updated versions. See the vendor advisory for a patch matrix. 
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml
2) An unspecified vulnerability when manipulating ACLs (Access Control Lists) that make use of object groups can be exploited to corrupt ACLs, resulting in ACEs (Access Control Entries) being skipped or not evaluated in order. Successful exploitation requires that "SIP fixup" is enabled, which is the default setting.
VAR-200702-0347 CVE-2007-0967 Cisco Firewall Services Module vulnerable to DoS via inspection of malformed SIP messages CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.1) allows remote attackers to cause a denial of service (device reboot) via malformed SNMP requests. Cisco Firewall Services Module fails to properly inspect SIP messages. This vulnerability may allow a remote attacker to cause a denial of service condition. Multiple Cisco products are prone to multiple denial-of-service vulnerabilities. Attackers can exploit these issues to cause vulnerable devices to reload, potentially causing denial-of-service conditions. This vulnerability is documented in Cisco Bug ID CSCse52679.
1) An unspecified error within the enhanced inspection of HTTP traffic can be exploited to cause the device to reload via specially crafted HTTP traffic. Successful exploitation requires that enhanced inspection is enabled.
2) An error within the inspection of SIP packets can be exploited to cause the device to reload via specially crafted SIP packets. Successful exploitation requires that SIP inspection is enabled.
3) An unspecified error when processing malformed HTTPS requests can be exploited to cause the device to reload by sending specially crafted HTTPS requests. Successful exploitation requires that "authentication for network access" (auth-proxy) is enabled.
4) An error when processing HTTP requests with a very long URL can be exploited to cause the device to reload, but requires that "authentication for network access" (auth-proxy) is enabled.
5) An unspecified error exists when processing HTTPS traffic that is directed to the FWSM. This can be exploited to cause the device to reload by sending specially crafted HTTPS requests, but requires that the HTTPS server is enabled.
Successful exploitation requires that the other, trusted device has explicit SNMP poll access.
7) A security issue when manipulating ACLs (Access Control Lists) that make use of object groups can corrupt ACLs, resulting in ACEs (Access Control Entries) being skipped or not evaluated in order, which can be exploited to bypass certain security restrictions. Note: Only an administrative user can change ACLs. Additionally, this does not affect devices which are reloaded after ACLs have been manipulated.
A vulnerability that could cause the device to reload when "debugging" is enabled has also been reported.
SOLUTION: Apply updated software. Please see the vendor advisory for a patch matrix.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml
VAR-200702-0348 CVE-2007-0968 Cisco Firewall Services Module vulnerable to DoS via inspection of malformed SIP messages CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Cisco Firewall Services Module (FWSM) before 2.3(4.7) and 3.x before 3.1(3.1) causes the access control entries (ACE) in an ACL to be improperly evaluated, which allows remote authenticated users to bypass certain intended ACL protections. Cisco Firewall Services Module fails to properly inspect SIP messages. This vulnerability may allow a remote attacker to cause a denial of service condition. Multiple Cisco products are prone to multiple denial-of-service vulnerabilities. Attackers can exploit these issues to cause vulnerable devices to reload, potentially causing denial-of-service conditions. Multiple security vulnerabilities exist in Cisco PIX 500 Series Security Appliances and Cisco ASA 5500 Series Adaptive Security Appliances:
Enhanced Inspection of Malformed HTTP Traffic
Cisco PIX and ASA Security Appliances may crash when inspecting malformed HTTP requests if enhanced HTTP inspection is enabled. If HTTP application inspection is enabled, the configuration will contain a line similar to inspect http followed by the name of the specific HTTP map. Note that normal HTTP inspection (configured via inspect http without an HTTP map) is not affected by this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsd75794.
To trigger the SIP inspection vulnerability, the SIP fixup (for 6.x software) or inspect (for 7.x software) function must be enabled. SIP fixup (in 6.x and earlier) and SIP inspection (in 7.x and earlier) is enabled by default. This vulnerability is documented in Cisco Bug IDs CSCsd97077 and CSCse27708.
Inspection of Malformed TCP Packet Flows
Cisco PIX and ASA appliances may crash when processing malformed packet flows of TCP-based protocols. The protocol must be handled through the inspect function. The traffic may be destined to the device, or it may only pass through the device.
Cisco PIX and ASA appliances can inspect the following TCP-based protocols:
* Computer Telephony Interface Quick Buffer Encoding (CTIQBE)
* Distributed Computing Environment/Remote Procedure Call (DCE/RPC)
* Domain Name Service (DNS)
* Extended Simple Mail Transfer Protocol (ESMTP)
* File Transfer Protocol (FTP)
* H.323 Protocol
* Hypertext Transfer Protocol (HTTP)
* Internet Location Server (ILS)
* Instant Messaging (IM)
* Point-to-Point Tunneling Protocol (PPTP)
* Remote Shell (RSH)
* Real Time Streaming Protocol (RTSP)
* Session Initiation Protocol (SIP)
* ...
1) An unspecified error within the enhanced inspection of HTTP traffic can be exploited to cause the device to reload via specially crafted HTTP traffic. Successful exploitation requires that enhanced inspection is enabled.
2) An error within the inspection of SIP packets can be exploited to cause the device to reload via specially crafted SIP packets. Successful exploitation requires that SIP inspection is enabled.
3) An unspecified error when processing malformed HTTPS requests can be exploited to cause the device to reload by sending specially crafted HTTPS requests. Successful exploitation requires that "authentication for network access" (auth-proxy) is enabled.
4) An error when processing HTTP requests with a very long URL can be exploited to cause the device to reload, but requires that "authentication for network access" (auth-proxy) is enabled.
5) An unspecified error exists when processing HTTPS traffic that is directed to the FWSM.
This can be exploited to cause the device to reload by sending specially crafted HTTPS requests, but requires that the HTTPS server is enabled.
6) An unspecified error when processing malformed SNMP requests from a trusted device can be exploited to cause the affected device to reload. Successful exploitation requires that the other, trusted device has explicit SNMP poll access.
Note: Only an administrative user can change ACLs. Additionally, this does not affect devices which are reloaded after ACLs have been manipulated.
A vulnerability that could cause the device to reload when "debugging" is enabled has also been reported.
SOLUTION: Apply updated software. Please see the vendor advisory for a patch matrix.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml