VARIoT IoT vulnerabilities database


VAR-200304-0096 CVE-2002-1426 HP ProCurve Switch specific SNMP branch write remote denial of service vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
HP ProCurve Switch 4000M C.07.23 allows remote attackers to cause a denial of service (crash) via an SNMP write request containing 85 characters, possibly triggering a buffer overflow. The HP ProCurve 4000M Switch is a high-performance switch issued by HP. The HP ProCurve 4000M switch has a problem handling a write to a certain SNMP variable. A remote attacker can use this vulnerability to conduct a denial of service attack on the switch.
VAR-200210-0229 CVE-2002-1076 IPSwitch IMail Web Messaging Daemon HTTP GET Remote buffer overflow vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in the Web Messaging daemon for Ipswitch IMail before 7.12 allows remote attackers to execute arbitrary code via a long HTTP GET request for HTTP/1.0. IMail is a commercial email server software package distributed and maintained by Ipswitch, Incorporated. IMail is available for Microsoft operating systems. The web messaging server is vulnerable to a buffer overflow. When the server receives a request for HTTP version 1.0, and the total request is 96 bytes or greater, a buffer overflow occurs. This could result in the execution of attacker-supplied instructions, and potentially allow an attacker to gain local access. Ipswitch has reported they are unable to reproduce this issue. In addition, Ipswitch has stated that the supplied, third-party patch may in fact open additional vulnerabilities in the product. Ipswitch suggests that users do not apply the supplied patch. IMail's Web Messaging daemon lacks proper checks for parameters when processing HTTP/1.0 GET requests. Remote attackers can exploit this vulnerability to perform buffer overflow attacks.
VAR-200212-0801 CVE-2002-2326 Apple MacOS iDisk Mail.app default configuration password leak vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The default configuration of Mail.app in Mac OS X 10.0 through 10.0.4 and 10.1 through 10.1.5 sends iDisk authentication credentials in cleartext when connecting to Mac.com, which could allow remote attackers to obtain passwords by sniffing network traffic. The iDisk service password is also used by the Mac.com service. Users of both services can use Mail.app to retrieve mail from Mac.com. Authentication credentials for the iDisk service are sent using HTTPS over WebDAV, which ensures that the communications between client and server are encrypted. However, Mail.app does not appear to use the same security measure by default when communicating with Mac.com. While Mail.app can be configured to communicate with mail servers using SSL, this option does not appear to be enabled in the default Mail.app configuration. STARTTLS is supported on the server side by Mac.com. An attacker may potentially take advantage of this exposure to gain unauthorized access to both Mac.com and iDisk, since the credentials are shared between the two services.
VAR-200207-0043 CVE-2002-0680 GoAhead Web Server Directory traversal vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in GoAhead Web Server 2.1 allows remote attackers to read arbitrary files via a URL with an encoded / (%5C) in a .. (dot dot) sequence. NOTE: it is highly likely that this candidate will be REJECTED because it has been reported to be a duplicate of CVE-2001-0228. GoAhead WebServer is prone to a directory traversal vulnerability.
VAR-200207-0051 CVE-2002-0663 Symantec Norton Personal Firewall/Internet Security 2001 Remote buffer overflow vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in HTTP Proxy for Symantec Norton Personal Internet Firewall 3.0.4.91 and Norton Internet Security 2001 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large outgoing HTTP request. The condition is reportedly due to an inability to handle large requests. The overflow occurs in kernel memory. It may be possible to execute arbitrary code in this context to compromise the system. The HTTP proxy component included in NPIF lacks correct buffer boundary checks when handling very long hostnames. Remote attackers can exploit this vulnerability to perform buffer overflow attacks. An attacker could reach NPIF's HTTP proxy through an internal connection, or by attaching malicious content to an email or instructing the user to connect to a malicious web site that downloads code.
VAR-200207-0044 CVE-2002-0681 GoAhead WebServer error page cross-site scripting vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cross-site scripting vulnerability in GoAhead Web Server 2.1 allows remote attackers to execute script as other web users via script in a URL that generates a "404 not found" message, which does not quote the script. A vulnerability has been reported for GoAhead WebServer 2.1. Reportedly, it is possible for attackers to launch cross-site scripting attacks against vulnerable systems. GoAhead WebServer includes the unsanitized requested URL when displaying a 404 error page. An attacker may be able to trick a user into following a link which includes malicious script code, thereby executing the attack.
VAR-200210-0124 CVE-2002-1046 WatchGuard Firebox Dynamic VPN Configuration Protocol remote denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Dynamic VPN Configuration Protocol service (DVCP) in Watchguard Firebox firmware 5.x.x allows remote attackers to cause a denial of service (crash) via a malformed packet containing tab characters to TCP port 4110. A denial of service vulnerability has been reported for WatchGuard Firebox firmware versions 5.x.x. The vulnerability occurs in the DVCP service. WatchGuard Firebox is a firewall for small and medium-sized business offices produced by WatchGuard in the United States. DVCP is the protocol used by the WatchGuard Firebox system to transmit IPSec VPN configuration information between client and server. The firewall needs to be restarted before the DVCP service can be used again.
VAR-200207-0061 CVE-2002-0676 MacOS X SoftwareUpdate arbitrary package installation vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SoftwareUpdate for MacOS 10.1.x does not use authentication when downloading a software update, which could allow remote attackers to execute arbitrary code by posing as the Apple update server via techniques such as DNS spoofing or cache poisoning, and supplying Trojan Horse updates. A vulnerability has been reported for MacOS X where an attacker may use SoftwareUpdate to install malicious software on the vulnerable system. SoftwareUpdate uses HTTP, without any authentication, to obtain updates from Apple. Any updated packages are installed on the system as the root user. In order to exploit this vulnerability, the attacker must control the machine located at swquery.apple.com, from the perspective of the vulnerable client. It may be possible to create this condition through some known techniques, including DNS cache poisoning and DNS spoofing.
VAR-200312-0020 CVE-2003-1320 Multiple vendors' Internet Key Exchange (IKE) implementations do not properly handle IKE response packets CVSS V2: 5.1
CVSS V3: -
Severity: MEDIUM
SonicWALL firmware before 6.4.0.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted Internet Key Exchange (IKE) response packets, possibly including (1) a large Security Parameter Index (SPI) field, (2) a large number of payloads, or (3) a long payload. Internet Key Exchange (IKE) implementations from several vendors contain buffer overflows and denial-of-service conditions. The buffer overflow vulnerabilities could permit an attacker to execute arbitrary code on a vulnerable system. SonicWALL Firmware is prone to a denial-of-service vulnerability. This is reported to cause the daemon to crash. This issue may be related to the multiple IKE implementation vulnerabilities described in CERT/CC Vulnerability Note VU#287771. Other vendor products are reported to be affected by similar issues. There are currently not enough details available to determine if PGPFreeware is affected by any of these specific issues. This issue was reported in PGPFreeware 7.03 running on Windows NT 4.0 SP6. The Cisco VPN Client is prone to a remotely exploitable buffer overflow condition. It is possible to trigger this condition by sending malformed IKE packets to the client. The overflow occurs when the Security Parameter Index payload of the IKE packet is longer than 16 bytes in length. It is possible that exploitation of this vulnerability may affect availability of the client, resulting in a denial of service condition. This issue is reported to be exploitable when the client software is operating in Aggressive Mode during a phase 1 IKE exchange. This vulnerability affects versions of the client on all platforms. When vulnerable clients receive a specific IKE packet with a zero-length payload, the VPN client will consume all available processor time. Previous versions of SonicWALL firmware were vulnerable.
VAR-200209-0033 CVE-2002-0853 Multiple vendors' Internet Key Exchange (IKE) implementations do not properly handle IKE response packets CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Virtual Private Network (VPN) Client 3.5.4 and earlier allows remote attackers to cause a denial of service (CPU consumption) via a packet with a zero-length payload. Internet Key Exchange (IKE) implementations from several vendors contain buffer overflows and denial-of-service conditions. The buffer overflow vulnerabilities could permit an attacker to execute arbitrary code on a vulnerable system. This is reported to cause the daemon to crash. This issue may be related to the multiple IKE implementation vulnerabilities described in CERT/CC Vulnerability Note VU#287771. Other vendor products are reported to be affected by similar issues. There are currently not enough details available to determine if PGPFreeware is affected by any of these specific issues. This issue was reported in PGPFreeware 7.03 running on Windows NT 4.0 SP6. The Cisco VPN Client is prone to a remotely exploitable buffer overflow condition. It is possible to trigger this condition by sending malformed IKE packets to the client. The overflow occurs when the Security Parameter Index payload of the IKE packet is longer than 16 bytes in length. It is possible that exploitation of this vulnerability may affect availability of the client, resulting in a denial of service condition. This issue is reported to be exploitable when the client software is operating in Aggressive Mode during a phase 1 IKE exchange. This vulnerability affects versions of the client on all platforms. When vulnerable clients receive a specific IKE packet with a zero-length payload, the VPN client will consume all available processor time. The Cisco bug ID for these vulnerabilities is CSCdy26045.
VAR-200212-0850 CVE-2002-2223 Multiple vendors' Internet Key Exchange (IKE) implementations do not properly handle IKE response packets CVSS V2: 5.1
CVSS V3: -
Severity: MEDIUM
Buffer overflow in NetScreen-Remote 8.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted Internet Key Exchange (IKE) response packets, possibly including (1) a large Security Parameter Index (SPI) field, (2) a large number of payloads, or (3) a long payload. Internet Key Exchange (IKE) implementations from several vendors contain buffer overflows and denial-of-service conditions. The buffer overflow vulnerabilities could permit an attacker to execute arbitrary code on a vulnerable system. This is reported to cause the daemon to crash. This issue may be related to the multiple IKE implementation vulnerabilities described in CERT/CC Vulnerability Note VU#287771. Other vendor products are reported to be affected by similar issues. There are currently not enough details available to determine if PGPFreeware is affected by any of these specific issues. This issue was reported in PGPFreeware 7.03 running on Windows NT 4.0 SP6. The Cisco VPN Client is prone to a remotely exploitable buffer overflow condition. It is possible to trigger this condition by sending malformed IKE packets to the client. The overflow occurs when the Security Parameter Index payload of the IKE packet is longer than 16 bytes in length. It is possible that exploitation of this vulnerability may affect availability of the client, resulting in a denial of service condition. This issue is reported to be exploitable when the client software is operating in Aggressive Mode during a phase 1 IKE exchange. This vulnerability affects versions of the client on all platforms. When vulnerable clients receive a specific IKE packet with a zero-length payload, the VPN client will consume all available processor time. Link: http://www.netscreen.com/support/alerts/9_6_02.htm
VAR-200210-0084 CVE-2002-0952 Sun Solaris rcp Command Line Parameter Local Buffer Overflow Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco ONS15454 optical transport platform running ONS 3.1.0 to 3.2.0 allows remote attackers to cause a denial of service (reset) by sending IP packets with non-zero Type of Service (TOS) bits to the Timing Control Card (TCC) LAN interface. The ONS15454 is an optical network platform manufactured and distributed by Cisco. Under some circumstances, it may be possible to stop the ONS15454 from handling traffic. The receipt of this type of packet via the TCC interface causes the reset of the TCC interface. Solaris 9 is a UNIX operating system developed by Sun, which includes the rcp program for remote copying between hosts. The rcp program does not perform correct boundary checks when processing parameter data submitted by users. Local attackers can exploit this vulnerability to carry out buffer overflow attacks. rcp mishandles very long command line parameters: if a user supplies a file name exceeding 10,000 bytes as the destination host name or destination file name parameter when rcp executes, a buffer overflow may occur. Because rcp is installed suid root on the system, carefully constructed parameter data may allow an attacker to execute arbitrary instructions on the system with root privileges.
VAR-200212-0581 CVE-2002-1706 Cable Modem Termination System vulnerability in which configuration files with invalid parameters are applied CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Cisco IOS software 11.3 through 12.2 running on Cisco uBR7200 and uBR7100 series Universal Broadband Routers allows remote attackers to modify Data Over Cable Service Interface Specification (DOCSIS) settings via a DOCSIS file without a Message Integrity Check (MIC) signature, which is approved by the router. Due to a deficiency in the CMTS running on Cisco IOS, the Cisco uBR7100 and uBR7200 contain a vulnerability in which a configuration file with invalid parameters is applied; that is, the Cisco uBR7100 and uBR7200 may apply a configuration file with invalid parameters. A vulnerability has been announced which affects Cisco uBR7200 series and uBR7100 series Universal Broadband Routers under some versions of IOS. Invalid DOCSIS files without an MIC signature may be accepted by a vulnerable router, even if MIC signatures are required. Exploitation of this vulnerability may allow arbitrary configuration files to be accepted by the network. Even if the router configuration requires MIC signatures on received files, the router may incorrectly accept illegal DOCSIS configuration files, which may allow attackers to reconfigure the router, remove bandwidth restrictions, and perform other illegal operations.
VAR-200212-0249 CVE-2002-2020 NetGear RP114 management access via external interface vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Netgear RP114 Cable/DSL Web Safe Router Firmware 3.26 uses a default administrator password and accepts admin logins on the external interface, which allows remote attackers to gain privileges if the password is not changed. The NetGear RP114 router can be managed through TELNET and HTTP. The NetGear RP114 router has a vulnerability in how it restricts access to the management interface. A remote attacker could use this vulnerability to access the management interface services externally. The NetGear RP114 router sets the 192.168.0.1 IP address as the local access address, and access to the management tools is supposed to be restricted to this address, but the restriction is flawed: the NetGear RP114 router accepts all communications from an IP address in the 192.168.x.x range. If an attacker has authentication information, they can access the management tool from the external interface to reconfigure the device or conduct illegal activities such as denial of service attacks.
VAR-200212-0577 CVE-2002-1702 PHP Classifieds Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting vulnerability (XSS) in DeltaScripts PHP Classifieds 6.0.5 allows remote attackers to execute arbitrary script as other users via the URL parameter. PHP Classifieds is a web-based directory classification program written in PHP. PHP Classifieds lacks proper and sufficient filtering of the parameters submitted by users. An attacker can build a link whose URL parameter contains malicious code. When a user views this link, the included malicious script code will execute in the user's browser, leading to the leakage of cookie-based authentication information.
VAR-200210-0161 CVE-2002-0938 Cisco Secure ACS Cross-site Scripting Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cross-site scripting vulnerability in CiscoSecure ACS 3.0 allows remote attackers to execute arbitrary script or HTML as other web users via the action argument in a link to setup.exe. Cisco Secure ACS is an access control and accounting server system. It is distributed and maintained by Cisco, and this vulnerability affects implementations on the Microsoft Windows NT platform. When this link is visited, the attacker-supplied HTML or script code could be executed in the browser of a user, provided the user has authenticated to the Secure ACS server. The setup.exe program lacks correct input verification for the data submitted by the user to the "action" parameter. Attackers can submit data containing malicious script code to the "action" parameter.
VAR-200212-0041 CVE-2002-2159 LinkSys EtherFast Router Remote Management Activation Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Linksys EtherFast Cable/DSL BEFSR11, BEFSR41 and BEFSRU31 with the firmware 1.42.7 upgrade installed opens TCP port 5678 for remote administration even when the "Block WAN" and "Remote Admin" options are disabled, which allows remote attackers to gain access. The Linksys EtherFast router is a small four-port router designed to optimize the use of DSL or Cable connections. This vulnerability is not present in other versions of the firmware. The EtherFast BEFSRU31 Router is prone to a remote security vulnerability through which a remote attacker gains access.
VAR-200304-0101 CVE-2002-1431 Belkin F5D5230-4 internal web traffic origin obfuscation vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Belkin F5D5230-4 4-Port Cable/DSL Gateway Router 1.20.000 modifies the source IP address of internal packets to that of the router's external interface when forwarding a request from an internal host to an internal web server, which allows remote attackers to hide which host is being used to access the web server. The Belkin F5D5230-4 4-Port Cable/DSL Gateway Router is a hardware router for a home or small office. When a request for a service that has been remapped to the internal network is made via the WAN interface, and the origin is the internal network, the router reacts unpredictably. The origin address is rewritten as the IP address of the external interface by the device before being passed to the internal network. Upon receiving a request of this nature, the device will rewrite all future requests for services mapped to the WAN network, reporting their origin as that of the WAN interface. This is known to be an issue for requests for port 80, if port 80 has been remapped to a host within the internal network. This may potentially be exploited to obscure the origin of attacks against a web server in the internal network.
VAR-200210-0206 CVE-2002-1051 TrACESroute Format string vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Format string vulnerability in TrACESroute 6.0 GOLD (aka NANOG traceroute) allows local users to execute arbitrary code via the -T (terminator) command line argument. A format string vulnerability exists in TrACESroute. The problem exists in the terminator (-T) function of the program. Due to improper use of the fprintf function, an attacker may be able to supply a malicious format string to the program that results in the writing of attacker-supplied values to arbitrary locations in memory.
VAR-200212-0439 CVE-2002-1768 Cisco IOS rogue HSRP packet denial of service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco IOS 11.1 through 12.2, when HSRP support is not enabled, allows remote attackers to cause a denial of service (CPU consumption) via randomly sized UDP packets to the Hot Standby Routing Protocol (HSRP) port 1985. A router running Cisco IOS contains a vulnerability that allows a denial of service (DoS) condition to be created by sending randomly sized UDP packets; a router running Cisco IOS may therefore be put into a DoS state. IOS is the Internet Operating System, used on Cisco routers. It is distributed and maintained by Cisco. Hot Standby Routing Protocol (HSRP) is a protocol used to allow multiple routers to dynamically act as backups in the event of router failure. HSRP traffic takes place over UDP port 1985. A vulnerability has been reported with some Cisco products. If malformed HSRP traffic is received when HSRP support is not enabled, vulnerable products may reach high CPU utilization. Under these conditions, the router may fail to respond to additional network traffic, resulting in degraded performance and a denial of service condition. When HSRP UDP port 1985 is open in the Cisco router configuration but HSRP is not configured, an attacker can submit random data to this port, which causes the router to process this random data, resulting in increased CPU utilization and slower response, but will not cause a reboot.