VARIoT IoT vulnerabilities database


VAR-200210-0185 CVE-2002-0883 Compaq ProLiant BL e-Class Enclosure Local Unauthorized Administrator Access Vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Vulnerability in Compaq ProLiant BL e-Class Integrated Administrator 1.0 and 1.10, allows authenticated users with Telnet, SSH, or console access to conduct unauthorized activities. The Compaq ProLiant BL e-Class enclosure utilizes the Integrated Administrator to provide system management. No further technical details are currently available
VAR-200212-0790 CVE-2002-2315 Cisco IOS ICMP Redirect service denial vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco IOS 11.2.x and 12.0.x does not limit the size of its redirect table, which allows remote attackers to cause a denial of service (memory consumption) via spoofed ICMP redirect packets to the router. IOS is the Internetwork Operating System used on Cisco routers; it is distributed and maintained by Cisco. This vulnerability has been assigned Cisco bug ID CSCdx32056. The following products are known to be affected: Cisco 1005 running IOS 11.0(18); Cisco 1603 running IOS 11.3(11b); Cisco 1603 running IOS 12.0(3); Cisco 2503 running IOS 11.0(22a); Cisco 2503 running IOS 11.1(24a).
VAR-200208-0143 CVE-2002-0777 Ipswitch IMail Server LDAP Remote buffer overflow vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in the LDAP component of Ipswitch IMail 7.1 and earlier allows remote attackers to execute arbitrary code via a long "bind DN" parameter. Ipswitch IMail is an e-mail server that serves clients their mail via a web interface. It runs on Microsoft Windows operating systems. IMail normally runs in the SYSTEM context, meaning that successful exploitation will result in a full compromise of the underlying system. It should be noted that this condition may also be exploited to trigger a denial of service. The Ipswitch IMail service includes multiple components, among them an LDAP service that allows remote clients to read the IMail directory; a flaw in its authentication (bind) handling allows remote attackers to gain access to the server with the privileges of the SYSTEM account.
VAR-200210-0132 CVE-2002-0908 Cisco IDS Device Manager Arbitrary File Read Access Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in the web server for Cisco IDS Device Manager before 3.1.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the HTTPS request. Cisco IDS Device Manager is distributed and maintained by Cisco Systems. The IDS Device Manager may allow a remote user to gain access to sensitive information on the system. Due to improper handling of user-supplied input, it is possible for a user to gain access to arbitrary files on the system using an elementary directory traversal attack. By placing a request to the process, with an appended dot-dot-slash (../) tag pointing to a file, a remote user may read the specified file on the affected system. Since there is no effective security check on the data entered by the user, an attacker can view the content of any file on the target system with the privileges of IDS Device Manager by submitting strings containing multiple "../" sequences for directory traversal, leading to leakage of sensitive system information.
VAR-200212-0858 CVE-2002-2341 SonicWall SOHO3 Content Blocking Script Injection Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in content blocking in SonicWALL SOHO3 6.3.0.0 allows remote attackers to inject arbitrary web script or HTML via a blocked URL. The SonicWALL SOHO3 is an Internet security appliance that provides firewall security solutions. Reportedly, a vulnerability exists in the product that allows a script injection attack to be launched by a malicious user within the internal LAN. It is possible to configure SonicWALL to block domains from a list of user-entered domains. SonicWALL will deny local users access to the websites that have been blocked. Attempts to access blocked domains will be entered into the log files of SonicWALL. An administrator viewing the log files will automatically cause the malicious script code to execute. If the attacker's script code is injected into the log file, the administrator will not be able to access the log normally. To regain access to the logs, the appliance will need to be rebooted. It should be noted that rebooting the appliance will cause the logs to be cleared and will effectively eliminate any indication in the logs of which user initiated the attack. It is possible for a malicious remote user to exploit this issue by crafting a URL of a known blocked domain that includes script code, and enticing a local user into following the link.
VAR-200208-0065 CVE-2002-0778 Cisco Cache Engine default configuration allows any user to use the proxy vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The default configuration of the proxy for Cisco Cache Engine and Content Engine allows remote attackers to use HTTPS to make TCP connections to allowed IP addresses while hiding the actual source IP. Cisco Cache Engines offer the ability to proxy HTTP, HTTPS and FTP transactions. Since these services may be placed on one of numerous ports, the default configuration allows a user behind the proxy to connect to another system on any port. Insufficient default access control is set on the device, allowing any user that can connect to the system to proxy a request through to another system. Cisco Cache Engine series products are network-integrated cache solutions developed and maintained by CISCO, which can reduce WAN bandwidth usage, maximize network service quality, and improve the scalability of existing networks
VAR-200208-0079 CVE-2002-0792 Cisco Content Service Switch reboots when HTTPS POST request is sent to web management interface CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The web management interface for Cisco Content Service Switch (CSS) 11000 switches allows remote attackers to cause a denial of service (soft reset) via (1) an HTTPS POST request, or (2) malformed XML data. These switches run WebNS software. The attacker does not need to be authenticated to cause this condition to occur. The CSS 11000 series switches are known to be affected by this vulnerability. Since this issue occurs before authentication, any remote attacker without authentication can perform a denial of service attack
VAR-200208-0135 CVE-2002-0769 Cisco ATA-186 web management interface authentication bypass vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The web-based configuration interface for the Cisco ATA 186 Analog Telephone Adaptor allows remote attackers to bypass authentication via an HTTP POST request with a single byte, which allows the attackers to (1) obtain the password from the login screen, or (2) reconfigure the adaptor by modifying certain request parameters. The Cisco ATA-186 Analog Telephone Adapter is a hardware device designed to interface between analog telephones and Voice over IP (VoIP). It includes support for web-based configuration. Under some circumstances, it may be possible to bypass the authentication required for this web interface. This may be done with a specially formatted change-password request. Exploitation allows a remote attacker to reconfigure the vulnerable device. Reportedly, HTTP requests consisting of a single character will cause the device to disclose sensitive configuration information, including the password to the administrative web interface. Viewing the source of the configuration page shows that no hidden parameters are used to maintain state; the device relies solely on the device usage type and the HTTP input to decide whether configuration is permitted. For example, if three "ChangeUIPasswd" parameters are supplied without any value, the ATA-186 displays the login screen; similarly, if all three "ChangeUIPasswd" values are supplied but one of them does not match the password stored on the device, the login screen appears again; if all parameters are supplied correctly, the device considers the user authenticated and provides the configuration information. Notably, if only two "ChangeUIPasswd" parameters are passed, the device also allows the user to configure it.
VAR-200205-0137 CVE-2002-0033 Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters CVSS V2: 10.0
Related entries in the VARIoT exploits database: VAR-E-200201-0108
CVSS V3: -
Severity: HIGH
Heap-based buffer overflow in the cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name. Sun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the NFS protocol. The cfsd_calloc function in cachefsd, which Sun Solaris includes as part of the NFS/RPC support needed to operate the file system, does not perform bounds checking properly when abnormally long cache names and directory names are supplied. A remotely exploitable buffer overflow condition has been reported in cachefsd. The overflow occurs in the heap and is reportedly exploitable as valid malloc() chunk structures are overwritten. Successful attacks may result in remote attackers gaining root access on the affected system.
VAR-200206-0065 CVE-2002-0602 Snapgear Lite+ firewall denial of service via excessive HTTP connections vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Snapgear Lite+ firewall 1.5.4 and 1.5.3 allows remote attackers to cause a denial of service (crash) via a large number of connections to (1) the HTTP web management port, or (2) the PPTP port. Snapgear Lite+ is a device with integrated firewall, routing, and VPN support. In version 1.5.4 of the firmware only the web management module will crash, and not the entire firewall in the above situation
VAR-200206-0066 CVE-2002-0603 Snapgear Lite+ firewall IPSEC implementation denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Snapgear Lite+ firewall 1.5.3 allows remote attackers to cause a denial of service (IPSEC crash) via a zero length packet to UDP port 500. Snapgear Lite+ is a device with integrated firewall, routing, and VPN support. This may result in a denial of VPN/tunnel service
VAR-200206-0067 CVE-2002-0604 Snapgear Lite+ firewall malformed IP packets denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Snapgear Lite+ firewall 1.5.3 and 1.5.4 allows remote attackers to cause a denial of service (crash) via a large number of packets with malformed IP options. Snapgear Lite+ is a device with integrated firewall, routing, and VPN support. The firewall is unable to handle IP packets with malformed IP options. Sending many such packets will eventually cause the firewall to crash
VAR-200206-0064 CVE-2002-0601 The ISS RealSecure Network Sensor fails to properly process certain types of DHCP traffic. CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
ISS RealSecure Network Sensor 5.x through 6.5 allows remote attackers to cause a denial of service (crash) via malformed DHCP packets that cause RealSecure to dereference a null pointer. ISS RealSecure Network Sensor "informational signatures" fail to properly process certain types of DHCP traffic, thereby causing the sensor to crash. RealSecure is the commercial Intrusion Detection System (IDS) distributed and maintained by ISS. RealSecure becomes unstable when processing some of the DHCP signatures packaged with the system. Due to the construction of the three DHCP signatures (DHCP_ACK - 7131, DHCP_Discover - 7132, and DHCP_Request - 7133), the RealSecure software may become unstable and crash. This is due to the software attempting to dereference a null pointer. If the sensor is disabled, further attacks may go unnoticed. Vulnerabilities exist in ISS RealSecure Network Sensor versions 5.x to 6.5
VAR-200212-0207 CVE-2002-2063 ATGuard Personal Firewall outbound connection restriction bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
AtGuard 3.2 allows remote attackers to bypass firewall filters and execute prohibited programs by changing the filenames to permitted filenames. An issue has been reported in ATGuard Personal Firewall. Reportedly, it is possible for a user to bypass the security restrictions of ATGuard. This is achieved by renaming the restricted web application with an authorized application name. For example, if icq.exe is a restricted application and iexplore.exe is an authorized application, renaming icq.exe to iexplore.exe will cause ATGuard to permit the use of the application. It should be noted that ATGuard Firewall was acquired by Symantec, and support for this product may no longer be available. A vulnerability in ATGuard Personal Firewall's outbound connection control handling could allow an attacker to bypass ATGuard's security restrictions. ATGuard Personal Firewall only checks the file name of the application when restricting outgoing connections. An attacker can rename a Trojan horse so that a program that is not permitted to connect to the outside world can communicate normally.
VAR-200212-0126 CVE-2002-2059 Intel D845 Motherboard BIOS Serial Any Media Boot Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
BIOS D845BG, D845HV, D845PT and D845WN on Intel motherboards does not properly restrict access to configuration information when BIOS passwords are enabled, which could allow local users to change the default boot device via the F8 key. The D845 series motherboards are a product of Intel. These motherboards are designed to support the Pentium 4 processor. When a system using a D845 series motherboard is booted, it is possible to halt the boot to change the boot media, even if a BIOS password is set. By pressing the F8 key, the D845 BIOS will give a user at the console a menu. From this menu, a user may specify a different media than the default from which the system is to be booted. Any password set on the BIOS will be circumvented by this procedure. Through this process, a local attacker can bypass the password protection and boot the system successfully.
VAR-200204-0025 CVE-2002-0160 Cisco Secure Access Control Server (ACS) Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The administration function in Cisco Secure Access Control Server (ACS) for Windows, 2.6.x and earlier and 3.x through 3.01 (build 40), allows remote attackers to read HTML, Java class, and image files outside the web root via a ..\.. (modified ..) in the URL to port 2002
VAR-200208-0113 CVE-2002-0748 LabVIEW Web Server Service denial vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
LabVIEW Web Server 5.1.1 through 6.1 allows remote attackers to cause a denial of service (crash) via an HTTP GET request that ends in two newline characters, instead of the expected carriage return/newline combinations. A vulnerability has been reported in some versions of National Instruments LabVIEW for Linux and Microsoft Windows. LabVIEW includes an integrated HTTP server. If a malformed HTTP request is received, it is possible to crash the LabVIEW Web Server and LabVIEW itself. This condition occurs when an HTTP GET request is received and terminated with two new line characters, as opposed to the compliant carriage return / new line combination
VAR-200207-0082 CVE-2002-0538 Symantec Raptor / Enterprise Firewall FTP bounce attack vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
FTP proxy in Symantec Raptor Firewall 6.5.3 and Enterprise 7.0 rewrites an FTP server's "FTP PORT" responses in a way that allows remote attackers to redirect FTP data connections to arbitrary ports, a variant of the "FTP bounce" vulnerability. Raptor Firewall is an enterprise level firewall originally developed by Axent Technologies and is maintained and distributed by Symantec. Symantec Enterprise Firewall is formerly known as Raptor firewall. It is available for Microsoft Windows and Unix operating systems. As a result, if the attacker can authenticate with the FTP server (anonymously or otherwise), then it is possible to cause the FTP server to make a connection to an arbitrary host. It should be noted that affected firewall implementations disable FTP PORT connections to ports below 1024. Symantec has reported that Enterprise Firewall V7.0 for Solaris is also vulnerable to this issue
VAR-200212-0450 CVE-2002-1779 Symantec Norton Personal Firewall 2002 Packet fragmentation vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The "block fragmented IP Packets" option in Symantec Norton Personal Firewall 2002 (NPW) does not properly protect against certain attacks on Windows vulnerabilities such as jolt2 (CVE-2000-0305). It has been reported that NPW may not adequately filter packet fragments. In particular, denial of service attacks based on fragmented packets have been reported to work effectively against systems protected by NPW. This may happen even if the attacking address is entirely blocked from the system. These issues have not been confirmed
VAR-200212-0449 CVE-2002-1778 Symantec Norton Personal Firewall 2002 portscan protection bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Symantec Norton Personal Firewall 2002 allows remote attackers to bypass the portscan protection by using a (1) SYN/FIN, (2) SYN/FIN/URG, (3) SYN/FIN/PUSH, or (4) SYN/FIN/URG/PUSH scan. Symantec Norton Personal Firewall 2002 (NPW) is a firewall solution for home and small office machines based on some versions of the Microsoft Windows operating systems. It has a variety of features, including the ability to detect and dynamically block portscans. An issue has been reported with the manner in which Personal Firewall 2002 handles portscans. Reportedly, only SYN scans are detected. An attacker may scan with a variety of other methods, including SYN/FIN packets, and evade the protective features of NPW. This issue may affect Norton Internet Security 2002; however, this has not been confirmed.