VARIoT IoT vulnerabilities database

VAR-200210-0272 | CVE-2002-1101 | Cisco VPN 3000 Concentrator Denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco VPN 3000 Concentrator 2.2.x, 3.6(Rel), and 3.x before 3.5.5 allows remote attackers to cause a denial of service via a long user name. The VPN 3000 Concentrator is prone to a denial-of-service vulnerability: an overlong user name is enough to trigger it.
VAR-200212-0323 | CVE-2002-1892 | NetGear FVS318 username / Password leak vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
NETGEAR FVS318 running firmware 1.1 stores the username and password in a readable format when a backup of the configuration file is made, which allows local users to obtain sensitive information. A vulnerability has been reported in NETGEAR FVS318 firewall/VPN routers.
When configured to back up its configuration settings, the device writes various usernames and passwords to the backup file in cleartext. Anyone who can read this file obtains credentials that could aid in compromising the device's web administrative interface.
The backup option is not enabled by default, but it is a feature administrators commonly use. Impact: local users obtain sensitive information.
VAR-200212-0503 | CVE-2002-1803 | PHPNuke News information HTML Injection vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in PHP-Nuke 6.0 allows remote attackers to inject arbitrary web script or HTML via Javascript in an IMG tag. This makes it possible to execute arbitrary script code in the browser of a user viewing the site.
PHP-Nuke does not sufficiently filter potentially malicious HTML from news posts. When a user views a news posting that contains such HTML, the embedded script runs in that user's browser, in the security context of the site running PHP-Nuke. PHP-Nuke 6.0 is affected.
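Added example, not PHP-Nuke's own filtering code: an allow-list HTML sanitizer of the kind a news-post filter needs. It keeps a few harmless tags, drops every event-handler attribute, and rejects any src/href whose scheme is not http or https, so an IMG tag carrying a javascript: URI (the vector named above) loses its src. The javascript:alert(1) payloads, the tag allow list and the entity-obfuscated variant are constructed for illustration; the exact payload used against PHP-Nuke is not stated in the entry.

```python
# Added example (not PHP-Nuke code): allow-list sanitizer for user-supplied HTML.
# Payload strings in the usage section below are constructed for illustration.
from html.parser import HTMLParser
from html import escape
import re

ALLOWED_TAGS = {"b", "i", "p", "br", "img", "a"}
URL_ATTRS = {"src", "href"}
SAFE_SCHEMES = {"http", "https"}


def safe_url(value):
    """Return True only if the URL is relative or uses an allowed scheme."""
    # Browsers ignore ASCII control characters and whitespace inside a scheme,
    # so "java\tscript:" (which the parser produces from "java&#9;script:")
    # must not get past a naive prefix check. Strip them before looking.
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    if ":" not in cleaned:
        return True                      # relative URL, no scheme at all
    return cleaned.split(":", 1)[0] in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                       # <script>, <iframe>, anything unknown: dropped
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):    # onerror=, onload=, ... never survive
                continue
            if name in URL_ATTRS:
                if value is None or not safe_url(value):
                    continue             # javascript:, data:, vbscript: dropped
                kept.append((name, value))
            elif name in {"alt", "title"}:
                kept.append((name, value or ""))
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <img .../> like <img ...>

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))    # text is re-escaped, never echoed raw


def sanitize(html):
    """Return a version of html in which only allow-listed markup survives."""
    p = Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed payloads: plain, entity-obfuscated, event handler, script tag.
    for sample in ('<img src="javascript:alert(1)">',
                   '<img src="java&#9;script:alert(1)">',
                   '<img src="http://example.test/a.png" onerror="alert(1)">',
                   '<script>alert(1)</script>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The design point is the allow list: a filter that tries to enumerate bad constructs (strip "<script", strip "javascript:") is exactly what the entity-encoded and whitespace-split variants defeat, whereas a filter that starts from nothing and re-admits only known-safe tags, attributes and URL schemes has no such gaps to find.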
VAR-200210-0044 | CVE-2002-1147 | HP Procurve 4000M Switch Device Reset Denial of Service Vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The HTTP administration interface for HP Procurve 4000M Switch firmware before C.09.16, with stacking features and remote administration enabled, does not authenticate requests to reset the device, which allows remote attackers to cause a denial of service via a direct request to the device_reset CGI program. When multiple Procurve switches are interconnected, administrators commonly enable a stacking feature that lets every member switch be managed through a single web interface.
HP Procurve switches have been reported vulnerable to a denial of service when used in such a "stack" configuration. An attacker can reset member switches by issuing a device reset command (the device_reset CGI) to a vulnerable device; vulnerable devices do not require authentication before accepting this command.
Note that the web interface is not enabled by default.
VAR-200311-0086 | CVE-2001-1411 | Mac OS X utility gm4 contains format string vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Format string vulnerability in gm4 (aka m4) on Mac OS X may allow local users to gain privileges if gm4 is called by setuid programs. Mac OS X is prone to a local privilege-escalation vulnerability: if gm4 is invoked by a setuid program, local users can elevate privileges through the format string flaw.
VAR-200212-0329 | CVE-2002-1898 | Apple Mac OS X Terminal.APP Telnet Connect local command execution vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Terminal 1.3 in Apple Mac OS X 10.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a telnet:// link, which is executed in a Terminal.app window. Mac OS X is the BSD-based operating system distributed and maintained by Apple.
It has been discovered that some types of links, when clicked, may result in the execution of arbitrary commands. Because of improper handling of such links, a user clicking on a link containing special characters and embedded commands can cause those commands to run in a Terminal.app window. The commands execute in the security context of the user who clicked the link. Because Mac OS X does not properly check the content of some link types, an attacker who can get a user to click a crafted link can run commands with that user's privileges.
VAR-200209-0069 | No CVE | Cisco IP Phone 7960 Firmware Image File Unsigned Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Cisco IP Phone 7960 is a voice-over-IP telephone. The firmware image files it uses are neither signed nor verified, so the phone cannot determine whether a downloaded image is legitimate, and a remote attacker can feed it a malicious image without anyone noticing. When the phone starts, it trusts any higher-version firmware image offered to it, downloads it and installs it; the process is transparent and requires no user interaction. TFTP provides no authentication, so an attacker who controls the TFTP server can upload malicious firmware and have it installed on the device.
It is also theoretically possible for an attacker to substitute a malicious configuration file by exploiting this weakness.
VAR-200209-0079 | No CVE | Cisco IP Phone 7960 Firmware TFTP Authentication Weakness |
CVSS V2: - CVSS V3: - Severity: - |
The Cisco IP Phone 7960 uses TFTP (Trivial File Transfer Protocol) to download firmware images and configuration files. TFTP runs over UDP and provides no authentication. The configuration file contains sensitive information (such as the IP address of the SIP proxy server and the 'phone_password' credential). If an attacker can guess the names of configuration files, they can retrieve them from the TFTP server.
Information gathered in this manner may aid in mounting the further attacks documented above, which have the potential to compromise the IP telephony network.
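Added example covering both of the Cisco IP Phone 7960 entries above; it is not Cisco code. The first two functions show what a TFTP read request actually carries on the wire (RFC 1350: opcode, file name, transfer mode, nothing else), which is why anyone who can guess a file name can fetch it and why the server cannot tell the phone from an attacker. The rest shows the check a firmware-loading client needs before installing an image: a tag over the whole image that only the vendor can produce. HMAC with a device-provisioned key is used here purely so the block runs with the standard library; a real deployment needs a public-key signature, because an HMAC key that can verify can also forge. The file name, key and image bytes are constructed.

```python
# Added example (not Cisco's code): TFTP RRQ wire format, and the integrity
# check a firmware-loading client should apply before installing an image.
# Keys, file names and image contents below are constructed.
import hashlib
import hmac
import struct


def build_rrq(filename, mode="octet"):
    """TFTP RRQ (RFC 1350): opcode 1, filename, NUL, mode, NUL. No credential."""
    return struct.pack("!H", 1) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_rrq(packet):
    """Return (filename, mode) from an RRQ. There is no auth field to check."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode != 1:
        raise ValueError("not a read request")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:
        raise ValueError("truncated RRQ")
    return fields[0].decode(), fields[1].decode().lower()


# Assumed image layout (not Cisco's format): MAGIC | big-endian length |
# payload | 32-byte tag over MAGIC+length+payload. HMAC stands in for a
# vendor public-key signature so the example runs offline.
MAGIC = b"FW01"
TAG_LEN = 32


def sign_image(payload, key):
    """Vendor side: wrap the payload with a tag the device can check."""
    header = MAGIC + struct.pack("!I", len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image, key):
    """Device side: return the payload only if the tag verifies, else None."""
    if len(image) < len(MAGIC) + 4 + TAG_LEN or not image.startswith(MAGIC):
        return None
    (length,) = struct.unpack("!I", image[4:8])
    if len(image) != 8 + length + TAG_LEN:
        return None                       # truncated or padded image
    body, tag = image[:8 + length], image[8 + length:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return image[8:8 + length]


def accept_firmware(image, key):
    """What the phone lacked: refuse anything that does not verify."""
    return verify_image(image, key) is not None


if __name__ == "__main__":
    print(build_rrq("config.cnf"))        # constructed file name
    key = b"provisioned-device-key"       # constructed key
    good = sign_image(b"phone firmware v1", key)
    bad = bytearray(good)
    bad[10] ^= 1                          # flip one payload bit in transit
    print(accept_firmware(good, key), accept_firmware(bytes(bad), key))
```

Two details carry the security argument: the length is authenticated along with the payload, so an attacker cannot append or trim bytes and keep the tag valid, and the comparison uses hmac.compare_digest so a verifier that runs on a slow device does not leak tag bytes through timing.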
VAR-200212-0665 | CVE-2002-2405 | Check Point Firewall-1 HTTP Proxy Server Unauthorized Protocol Access Vulnerability |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Check Point FireWall-1 4.1 and Next Generation (NG), with UserAuth configured to proxy HTTP traffic only, allows remote attackers to pass unauthorized HTTPS, FTP and possibly other traffic through the firewall. FireWall-1 is an enterprise-level firewall package distributed by Check Point Technologies, available for Unix, Linux and Microsoft Windows.
It has been reported that FireWall-1 does not properly check the contents of sessions passed through its HTTP proxy. A remote user who has access to the proxy through an authenticated user account can pass protocols through the system that violate the security policy, including FTP and HTTPS. Note that the HTTPS proxy of FireWall-1 is also affected. Remote attackers can use this to communicate with the outside through the HTTP proxy using several protocols. The problem appears when FW-1 is installed "out of the box" with the following rule base:
Source | Destination | Service | Action | Track | Comment
AllUsers@SomeNet | webserver | http | UserAuth | Long | Allow Auth HTTP
Any | firewall | Any | drop | Long | Stealth Rule
Any | Any | Any | drop | Long | CleanUp Rule
With UserAuth in effect, the connection is handled by a security server; for an HTTP proxy this is the HTTP security server (in.ahttpd). The default HTTP security server does not correctly inspect the session content, so an authenticated user can push other protocols such as HTTPS and FTP through the proxy. Service Pack 6 (SP6) partially corrects this: on a default SP6 installation that permits only HTTP, an HTTPS request through the proxy fails with a rule conflict that is written to the log, but FTP sessions still pass through the HTTP proxy.
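Added example, not Check Point code: the session-content check that the entry above says the HTTP security server lacked, written as a function over proxied request lines. Once a user has authenticated, the weak policy lets anything through; the corrected policy additionally parses the request line and refuses a CONNECT tunnel (how a client speaks HTTPS through an HTTP proxy) and any absolute URL whose scheme is not http (ftp://, https://). How in.ahttpd really structures this decision is not stated in the entry, so the two policy functions are an assumed model; the request lines are constructed.

```python
# Added example (not Check Point code): enforce "HTTP only" on a UserAuth
# proxy by inspecting what each proxied request really asks for.
# Request lines below are constructed.
from urllib.parse import urlsplit

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
RELAYABLE_NON_HTTP = {"ftp", "https", "gopher"}


def classify_request(request_line):
    """Return the protocol a proxied request line actually asks for."""
    parts = request_line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "malformed"
    method, target, _version = parts
    method = method.upper()
    if method == "CONNECT":
        return "tunnel"            # raw byte tunnel: HTTPS, or anything at all
    if method not in HTTP_METHODS:
        return "unknown-method"
    if target.startswith("/"):
        return "http"              # origin-form: plain HTTP to the configured server
    scheme = urlsplit(target).scheme.lower()
    if scheme == "http":
        return "http"
    if scheme in RELAYABLE_NON_HTTP:
        return scheme              # proxy would speak a different protocol outbound
    return "unknown-scheme"


def naive_policy(authenticated, request_line):
    """The weak behaviour: once the user has authenticated, anything goes."""
    return authenticated


def http_only_policy(authenticated, request_line):
    """Corrected: authentication AND the session must really be HTTP."""
    return authenticated and classify_request(request_line) == "http"


if __name__ == "__main__":
    samples = [
        "GET http://webserver/index.html HTTP/1.0",
        "CONNECT webserver:443 HTTP/1.0",
        "GET ftp://webserver/pub/file.txt HTTP/1.0",
    ]
    for line in samples:
        print(f"{line:45} naive={naive_policy(True, line)} "
              f"http_only={http_only_policy(True, line)}")
```

The check is deliberately on the request line rather than on the destination port: "GET ftp://webserver/pub/file.txt" is a perfectly well-formed HTTP request to the proxy, and it is the proxy that would then open an FTP session outbound, which is exactly the policy violation the rule base was meant to prevent.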
VAR-200304-0128 | CVE-2002-1492 | Cisco VPN Client Local Buffer Overflow Vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Buffer overflows in the Cisco VPN 5000 Client before 5.2.7 for Linux, and VPN 5000 Client before 5.2.8 for Solaris, allow local users to gain root privileges via (1) close_tunnel and (2) open_tunnel. Both binaries are installed setuid root by default, so a malicious local user can exploit these overflows to gain superuser privileges on the affected host. The Cisco Virtual Private Network (VPN) client is used to communicate securely with Cisco VPN devices over the Internet; it is available for Microsoft Windows and Linux. Cisco bug ID: CSCdy20065. Reference: http://www.cisco.com/warp/public/707/vpn5k-client-multiple-vuln-pub.shtml
VAR-200304-0127 | CVE-2002-1491 | Cisco Mac OS VPN 5000 Client Password Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Cisco VPN 5000 Client for MacOS before 5.2.2 records the most recently used login password in plaintext when saving "Default Connection" settings, which could allow local users to gain privileges. The client saves the configuration for the default connection in the resource fork of its preferences file, and the authentication credentials of the most recent login are part of that configuration. A tool such as ResEdit can be used to extract them. The Cisco VPN client is used to communicate securely with Cisco VPN devices over the Internet and runs on a variety of operating systems, including Mac OS X. A local attacker can read the plaintext password out of the configuration file with a tool such as ResEdit. This problem exists even when the "SaveSecrets" option is used or when passwords are encrypted. Cisco bug ID: CSCdx17109
VAR-200304-0040 | CVE-2002-1501 | Enterasys SSR8000 SmartSwitch Port Scanning Remote Denial of Service Attack Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The MPS functionality in Enterasys SSR8000 (Smart Switch Router) before firmware 8.3.0.10 allows remote attackers to cause a denial of service (crash) via multiple port scans to ports 15077 and 15078. The SSR8000 is a SmartSwitch router distributed and maintained by Enterasys.
It has been discovered that SSR8000 switches react unpredictably when port-scanned. When specific types of TCP traffic are directed at certain ports, the switch becomes unstable, and it has been reported that this can be reproduced consistently to crash the switch. Remote attackers can exploit this to carry out denial-of-service attacks. The SSR8000 listens on TCP ports 15077 and 15078 for its MPS (ATM-related) function.
VAR-200212-0529 | CVE-2002-1623 | Internet Key Exchange (IKE) protocol discloses identity when Aggressive Mode shared secret authentication is used |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The design of the Internet Key Exchange (IKE) protocol, when using Aggressive Mode for shared secret authentication, does not encrypt initiator or responder identities during negotiation, which may allow remote attackers to determine valid usernames by (1) monitoring responses before the password is supplied or (2) sniffing, as originally reported for FireWall-1 SecuRemote. VPN-1/FireWall-1 SecuRemote is therefore prone to an information-disclosure weakness inherent in the protocol design.
An attacker can exploit this issue to enumerate valid usernames, either by observing how the gateway responds to a proposed identity before any password is supplied or by passively capturing the cleartext identity payload on the wire.
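Added example, not FireWall-1 or SecuRemote code: a parser for the first Aggressive Mode message of an IKEv1 exchange that pulls the identity straight out of the packet, which is all a passive sniffer on the path has to do. The ISAKMP header and payload layouts follow RFC 2408 (exchange type 4 is Aggressive, payload type 5 is Identification, header flag bit 0 marks an encrypted message); the packet itself, the cookies, the dummy SA/KE/nonce bodies and the identity alice@corp.example are constructed. The same function returns nothing for Main Mode, where the ID payload only ever appears inside an encrypted message.

```python
# Added example (not FireWall-1 code): extract the cleartext identity from an
# IKEv1 Aggressive Mode message 1. Packet contents are constructed.
import struct

# ISAKMP header: initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message ID, total length (RFC 2408 section 3.1).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCH_MAIN, EXCH_AGGRESSIVE = 2, 4
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 1, 4, 5, 10
FLAG_ENCRYPTED = 0x01
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}


def parse_isakmp(packet):
    """Return (header dict, [(payload_type, body), ...]) for one ISAKMP message."""
    _ic, _rc, next_p, ver, xchg, flags, _msgid, length = ISAKMP_HDR.unpack_from(packet, 0)
    if length != len(packet):
        raise ValueError("length field does not match packet")
    payloads, off, ptype = [], ISAKMP_HDR.size, next_p
    while ptype != 0:                         # payload chain ends at next=0
        nxt, _reserved, plen = struct.unpack_from("!BBH", packet, off)
        if plen < 4 or off + plen > len(packet):
            raise ValueError("bad payload length")
        payloads.append((ptype, packet[off + 4:off + plen]))
        off, ptype = off + plen, nxt
    return {"exchange": xchg, "flags": flags, "version": ver}, payloads


def exposed_identity(packet):
    """
    Return (id_type_name, identity_bytes) if this message carries an identity
    in the clear, else None. Main Mode only sends ID inside an encrypted
    message, so the encryption flag is what separates the two cases.
    """
    hdr, payloads = parse_isakmp(packet)
    if hdr["flags"] & FLAG_ENCRYPTED or hdr["exchange"] != EXCH_AGGRESSIVE:
        return None
    for ptype, body in payloads:
        if ptype == PAYLOAD_ID and len(body) >= 4:
            id_type, _proto, _port = struct.unpack_from("!BBH", body, 0)
            return ID_TYPES.get(id_type, str(id_type)), body[4:]
    return None


def build_aggressive_msg1(identity, id_type=3):
    """Constructed initiator message: SA, KE, NONCE, ID with dummy bodies."""
    def payload(next_type, body):
        return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    body = (payload(PAYLOAD_KE, b"\x00" * 8)              # SA  -> next KE
            + payload(PAYLOAD_NONCE, b"\x11" * 16)         # KE  -> next NONCE
            + payload(PAYLOAD_ID, b"\x22" * 16)            # NONCE -> next ID
            + payload(0, struct.pack("!BBH", id_type, 17, 500) + identity))
    hdr = ISAKMP_HDR.pack(b"\x01" * 8, b"\x00" * 8, PAYLOAD_SA, 0x10,
                          EXCH_AGGRESSIVE, 0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


if __name__ == "__main__":
    pkt = build_aggressive_msg1(b"alice@corp.example")   # constructed identity
    print(exposed_identity(pkt))
```

The practical consequence for a detection engineer: a capture filter for UDP/500 with byte 18 of the ISAKMP header equal to 4 and flag bit 0 clear isolates exactly the messages that leak identities, and the ID type byte tells you whether what leaked is an e-mail style user name (USER_FQDN), a host name or a key ID.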
VAR-200212-0150 | CVE-2002-2206 | Norton Antivirus 2001 Poproxy Username Local Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The POP3 proxy service (POPROXY.EXE) in Norton AntiVirus 2001 allows local users to cause a denial of service (CPU consumption and crash) via a long username with multiple /localhost entries. Norton AntiVirus 2001 uses a POP3 proxy to scan incoming email for viruses. The proxy rewrites the email client's POP3 username into the form "user/POP3Server", and the email client connects to this local proxy rather than to the real mail server.
VAR-200209-0001 | CVE-2002-0376 | Apple QuickTime ActiveX Remote buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Apple QuickTime 5.0 ActiveX component allows remote attackers to execute arbitrary code via a long pluginspage field. A vulnerability has been reported in the Apple QuickTime ActiveX component for Internet Explorer. It is a buffer-overrun condition that occurs because the software fails to perform adequate bounds checks on supplied arguments: if the component is invoked with the 'pluginspage' argument set to an overly long string, the overrun occurs.
Successful exploitation may allow attacker-supplied instructions to run on affected client systems. Apple QuickTime is a media player for high-quality sound and video. The QuickTime ActiveX control is typically embedded in a web page to play movies and other streaming or static media. It lacks correct bounds checking when processing the "pluginspage" field, so a remote attacker can build a malicious web page, or send it in an HTML email, to trigger a buffer overflow on the client. Carefully constructed "pluginspage" data may execute arbitrary instructions with the privileges of the current user.
VAR-200212-0308 | CVE-2002-1877 | NetGear FM114P Prosafe URL filtering bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
NETGEAR FM114P allows remote attackers to bypass access restrictions for web sites via a URL that uses the IP address instead of the hostname. The FM114P Prosafe is an integrated hub, print server, wireless access point, firewall and IDS hardware solution manufactured and distributed by NETGEAR. Its firewall module supports filtering by domain name.
The address checks performed by the FM114P firewall module are insufficient. By default the module does not resolve the host or domain names in its rules, so a user behind the device can bypass a restriction by entering the site's IP address instead of its name.
It has been reported that FM114P firewalls do not sufficiently check addresses when requests are made. Because of this, a user behind the system can reach a restricted site by requesting it by IP address.
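Added example, not NETGEAR firmware code: a block list that matches on the host string exactly as the entry describes, beside a version that reduces both the rules and the request to IP addresses before comparing. The corrected filter also handles the integer form of an IPv4 address (http://3405803786/ is 203.0.113.10), which a string comparison against a dotted quad would miss in the same way. Name resolution is replaced by a constructed lookup table so the block runs offline; the block list, the addresses and the URLs are constructed as well.

```python
# Added example (not NETGEAR code): hostname-only URL filter next to an
# address-aware one. DNS answers and rules below are constructed.
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS. A real filter resolves at rule-load time and
# re-resolves on a timer, because answers change.
DNS = {
    "blocked.example": ["203.0.113.10", "203.0.113.11"],
    "www.blocked.example": ["203.0.113.10"],
}
BLOCKED_HOSTS = {"blocked.example", "www.blocked.example"}


def hostname_only_filter(url):
    """Weak check: True (allowed) unless the host string is literally listed."""
    return urlsplit(url).hostname not in BLOCKED_HOSTS


def normalize_host(host):
    """Return the set of IP addresses a host string can reach, or empty if none."""
    host = host.strip("[]").lower().rstrip(".")
    try:
        return {ipaddress.ip_address(host)}          # dotted quad or IPv6 literal
    except ValueError:
        pass
    if host.isdigit():                               # integer form, e.g. 3405803786
        try:
            return {ipaddress.ip_address(int(host))}
        except ValueError:
            return set()
    return {ipaddress.ip_address(a) for a in DNS.get(host, [])}


# Rules are reduced to addresses once, when the rule set is loaded.
BLOCKED_ADDRS = set().union(*(normalize_host(h) for h in BLOCKED_HOSTS))


def address_aware_filter(url):
    """Corrected check: True (allowed) only if no address the host maps to is blocked."""
    host = urlsplit(url).hostname
    if host is None:
        return False                                 # unparsable: fail closed
    addrs = normalize_host(host)
    if not addrs:
        return False                                 # unresolvable: fail closed
    return addrs.isdisjoint(BLOCKED_ADDRS)


if __name__ == "__main__":
    for url in ("http://www.blocked.example/", "http://203.0.113.10/",
                "http://3405803786/", "http://198.51.100.7/"):
        print(f"{url:32} name-only={hostname_only_filter(url)} "
              f"address-aware={address_aware_filter(url)}")
```

Failing closed on an unresolvable name is a deliberate choice: a filter that allows anything it cannot classify hands the bypass back to the user, who only needs a name the resolver has never seen.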
VAR-200210-0275 | CVE-2002-1104 | Cisco VPN Client NETBIOS TCP Packet Remote Denial of Service Attack Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Virtual Private Network (VPN) Client software 2.x.x and 3.x before 3.0.5 allows remote attackers to cause a denial of service (crash) via TCP packets with source and destination ports of 137 (NETBIOS). A remote attacker can exploit this to shut down a connection the client has initiated by sending such a NETBIOS packet to port 137 of the host running the client. The Cisco VPN Client runs on Microsoft Windows and Linux. Cisco bug ID: CSCdt35749
VAR-200210-0276 | CVE-2002-1105 | Cisco VPN Client Local Password Disclosure Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x before 3.5.1C, allows local users to use a utility program to obtain the group password. Cisco has reported that a vulnerability in the Windows VPN client may result in unintended disclosure of the password: the plaintext value can be extracted from the "shaded" (asterisk-masked) field on the authentication property page with a utility. That utility may be the publicly available "Revelation" tool, although this is unconfirmed. The Cisco VPN Client runs on Microsoft Windows and Linux. A local attacker can exploit this design flaw to recover the group password: the field is only visually masked with '*', and the plaintext behind it can be read out. Cisco bug ID: CSCdt60391
VAR-200210-0277 | CVE-2002-1106 | Cisco VPN Client Certificate Validation Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x before 3.5.1C, does not properly verify that certificate DN fields match those of the certificate from the VPN Concentrator, which allows remote attackers to conduct man-in-the-middle attacks. A flaw in the Cisco VPN Client prevents it from sufficiently validating the credentials in a certificate used to protect the VPN session: it does not properly validate the Distinguished Name (DN) contained in some certificates, and may therefore trust a certificate supplied by a third party that represents a malicious host. The Cisco VPN Client runs on Microsoft Windows and Linux. Cisco bug ID: CSCdw87717
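Added example, not Cisco code: comparing the DN a peer presents against the DN expected for the concentrator, attribute by attribute and in order, beside a weaker check that looks at the Common Name alone. Which DN fields the client failed to compare is not stated in the entry, so the "CN only" function is an illustrative assumption, not a description of the client; the DNs are constructed. The parser follows the RFC 2253 string form (comma-separated type=value pairs, backslash-escaped commas).

```python
# Added example (not Cisco code): full-DN comparison versus a CN-only check.
# DN strings below are constructed.
import re


def parse_dn(dn):
    """Split an RFC 2253-style DN into [(TYPE, value), ...], order preserved."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):        # commas not escaped by '\'
        if "=" not in part:
            raise ValueError(f"bad RDN: {part!r}")
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def cn_only_check(pinned_dn, presented_dn):
    """Weak (assumed) check: any certificate whose CN matches is trusted."""
    def cn(dn):
        return dict(parse_dn(dn)).get("CN")
    return cn(pinned_dn) == cn(presented_dn)


def full_dn_check(pinned_dn, presented_dn):
    """Correct check: every attribute present, equal, and in the same order.

    Values are compared exactly; treating them case-insensitively would be a
    relaxation that needs a reason, not a default.
    """
    return parse_dn(pinned_dn) == parse_dn(presented_dn)


if __name__ == "__main__":
    pinned = "CN=vpn.corp.example,O=Corp Inc,C=US"      # constructed
    rogue = "CN=vpn.corp.example,O=Attacker Ltd,C=XX"   # constructed
    print("cn-only accepts rogue:", cn_only_check(pinned, rogue))
    print("full-dn accepts rogue:", full_dn_check(pinned, rogue))
```

A full DN match is necessary but not sufficient: an attacker can put any subject DN in a certificate they mint themselves, so the comparison only means something after the chain has been validated to a CA the client actually trusts. The two checks together are what close the man-in-the-middle described above.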
VAR-200210-0278 | CVE-2002-1107 | Cisco VPN Client Serial Number Predictable Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x before 3.5.2B, does not generate sufficiently random numbers, which may make it vulnerable to certain attacks such as spoofing. Cisco has reported that random number generation has been improved in the Cisco VPN Client. Weak random number generation is a security risk for users of the client, because under some circumstances an attacker may be able to anticipate the numbers the software generates.
If an attacker can anticipate the TCP sequence numbers of VPN sessions, it may be possible to mount man-in-the-middle attacks against a connection or to inject packets into it. The attacker may need to be inside the VPN to exploit this issue. The Cisco VPN Client runs on Microsoft Windows and Linux. A remote attacker could use this weakness for man-in-the-middle attacks, to insert packets into an existing connection, or to gain unauthorized remote access to the VPN concentrator. Cisco bug ID: CSCdx89416
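Added example, not Cisco code: what "insufficiently random" costs when the numbers are sequence numbers. The weak generator here is a textbook linear congruential generator chosen to make the failure visible, not the algorithm the client used, which the entry does not describe. The first part shows that one observed value from a generator whose whole state is its output lets the attacker predict every later value; the second goes one step further than the entry and shows that even a generator that emits only the top 16 bits of its 31-bit state is recovered from two consecutive observations by brute-forcing the hidden 15 bits. Both are compared against sequence numbers drawn from the operating system's CSPRNG. Seeds and parameters are constructed.

```python
# Added example (not Cisco code): predicting sequence numbers from a weak
# generator, with a CSPRNG baseline. The LCG and its parameters are a
# constructed illustration, not the client's algorithm.
import os
import struct


class WeakSequence:
    """LCG whose every output is its entire state (a = 1103515245, c = 12345, m = 2**31)."""
    A, C, M = 1103515245, 12345, 2 ** 31

    def __init__(self, seed):
        self.state = seed % self.M

    def next_isn(self):
        self.state = (self.A * self.state + self.C) % self.M
        return self.state


class TruncatedWeakSequence(WeakSequence):
    """Same LCG, but only the top 16 bits of the state leave the box."""

    def next_isn(self):
        return super().next_isn() >> 15


class StrongSequence:
    """Sequence numbers from the OS CSPRNG; nothing to recover."""

    def next_isn(self):
        return struct.unpack("!I", os.urandom(4))[0] & 0x7FFFFFFF


def predict_next(observed):
    """Attacker, full-state case: one observed ISN is the state; step it once."""
    return (WeakSequence.A * observed + WeakSequence.C) % WeakSequence.M


def prediction_hit_rate(gen, trials=50):
    """Observe one ISN, predict the next, compare with what the peer really chose."""
    hits, prev = 0, gen.next_isn()
    for _ in range(trials):
        actual = gen.next_isn()
        hits += predict_next(prev) == actual
        prev = actual
    return hits / trials


def recover_states(obs1, obs2):
    """Attacker, truncated case: brute-force the 15 hidden bits behind obs1 so
    that stepping once reproduces obs2; return the matching full states after obs2."""
    A, C, M = WeakSequence.A, WeakSequence.C, WeakSequence.M
    matches = []
    for low in range(1 << 15):
        nxt = (A * ((obs1 << 15) | low) + C) % M
        if nxt >> 15 == obs2:
            matches.append(nxt)
    return matches


def predict_truncated(obs1, obs2):
    """Set of possible third outputs given two consecutive truncated outputs."""
    A, C, M = WeakSequence.A, WeakSequence.C, WeakSequence.M
    return {((A * s + C) % M) >> 15 for s in recover_states(obs1, obs2)}


if __name__ == "__main__":
    print("weak   hit rate:", prediction_hit_rate(WeakSequence(seed=0xC0FFEE)))
    print("strong hit rate:", prediction_hit_rate(StrongSequence()))
    g = TruncatedWeakSequence(seed=12345)
    o1, o2, o3 = g.next_isn(), g.next_isn(), g.next_isn()
    print("truncated: candidates", predict_truncated(o1, o2), "actual", o3)
```

The truncated case is the one that matters in practice: implementers often assume that hiding part of the state is enough, and 2**15 candidates is a loop that finishes before the next packet arrives. For the CSPRNG baseline the attacker's best guess is right with probability 2**-31 per trial, which is why the hit rate in the output stays at zero.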