VARIoT IoT vulnerabilities database


VAR-200501-0315 CVE-2004-0925 Apple MacOS X postfix Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Postfix on Mac OS X 10.3.x through 10.3.5, with SMTPD AUTH enabled, does not properly clear the username between authentication attempts, which allows users with the longest username to prevent other valid users from being able to authenticate. This may potentially be exploited to deny certain users access to the server. This condition may only occur if SMTPD AUTH has been enabled. This issue reportedly does not affect the upstream release of Postfix but rather only the version distributed with Apple Mac OS X Panther. Apple Mac OS X is a dedicated operating system developed by Apple for Mac computers
VAR-200501-0314 CVE-2004-0924 Apple MacOS X NetInfoManager Account Information False Positive Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
NetInfo Manager on Mac OS X 10.3.x through 10.3.5, after an initial root login, reports the root account as being disabled, even when it has not. Multiple security vulnerabilities are reported in Mac OS X. A security update is available to address these issues and to provide other enhancements. The following issues are reported: Apple AFP server is reported prone to a remote denial of service vulnerability. A weak permissions vulnerability is reported to affect the AFP server. This may result in a false sense of security for an administrator. A vulnerability is reported to exist in the NetInfoManager utility. It is reported that the utility will, under certain circumstances, report the status of certain accounts as disabled when they are not. A heap-based buffer overrun is reported to exist in the QuickTime utility. An attacker may exploit this vulnerability to execute arbitrary instructions in the context of the user that is running the vulnerable software. Finally, ServerAdmin is reported prone to a weak default configuration vulnerability. This may result in ServerAdmin traffic being intercepted and decrypted by a remote attacker. This vulnerability has been split into BID 11344. Some of these issues may already be described in previous BIDs. This BID will be split up into unique BIDs when further analysis of this update is complete
VAR-200501-0312 CVE-2004-0922 Apple MacOS X AFP File permission setting vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
AFP Server on Mac OS X 10.3.x to 10.3.5, under certain conditions, does not properly set the guest group ID, which causes AFP to change a write-only AFP Drop Box to be read-write when the Drop Box is on a share that is mounted by a guest, which allows attackers to read the Drop Box. Multiple security vulnerabilities are reported in Mac OS X. A security update is available to address these issues and to provide other enhancements. The following issues are reported: Apple AFP server is reported prone to a remote denial of service vulnerability. A weak permissions vulnerability is reported to affect the AFP server. This may result in a false sense of security for an administrator. A vulnerability is reported to exist in the NetInfoManager utility. It is reported that the utility will, under certain circumstances, report the status of certain accounts as disabled when they are not. A heap-based buffer overrun is reported to exist in the QuickTime utility. An attacker may exploit this vulnerability to execute arbitrary instructions in the context of the user that is running the vulnerable software. Finally, ServerAdmin is reported prone to a weak default configuration vulnerability. This may result in ServerAdmin traffic being intercepted and decrypted by a remote attacker. This vulnerability has been split into BID 11344. Some of these issues may already be described in previous BIDs. This BID will be split up into unique BIDs when further analysis of this update is complete
VAR-200501-0293 CVE-2004-0926 Apple MacOS QuickTime Buffer overflow vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Heap-based buffer overflow in Apple QuickTime on Mac OS 10.2.8 through 10.3.5 may allow remote attackers to execute arbitrary code via a certain BMP image. Multiple security vulnerabilities are reported in Mac OS X. A security update is available to address these issues and to provide other enhancements. The following issues are reported: Apple AFP server is reported prone to a remote denial of service vulnerability. A weak permissions vulnerability is reported to affect the AFP server. This may result in a false sense of security for an administrator. A vulnerability is reported to exist in the NetInfoManager utility. It is reported that the utility will, under certain circumstances, report the status of certain accounts as disabled when they are not. A heap-based buffer overrun is reported to exist in the QuickTime utility. An attacker may exploit this vulnerability to execute arbitrary instructions in the context of the user that is running the vulnerable software. Finally, ServerAdmin is reported prone to a weak default configuration vulnerability. This may result in ServerAdmin traffic being intercepted and decrypted by a remote attacker. This vulnerability has been split into BID 11344. Some of these issues may already be described in previous BIDs. This BID will be split up into unique BIDs when further analysis of this update is complete
VAR-200501-0313 CVE-2004-0923 CUPS stores user account details in plain text in log file CVSS V2: 2.1
CVSS V3: -
Severity: LOW
CUPS 1.1.20 and earlier records authentication information for a device URI in the error_log file, which allows local users to obtain user names and passwords. When an SMB printer is configured, CUPS stores plain text login information to the log file. When CUPS (Common UNIX Printing System) prints to an SMB shared printer, the ID and password included in the device URI are logged in the error log, so the ID and password of a user on the SMB host providing the shared printer may be obtained. CUPS is reported prone to a local password disclosure vulnerability. This issue is reported to present itself when an authenticated user carries out certain methods of remote printing. Reportedly, local attackers can disclose user passwords in the printing system log files. CUPS 1.1.21 and prior are considered vulnerable to this issue. Due to a lack of detail, further information is not available at the moment. This BID will be updated as more information becomes available.

SOLUTION: The vulnerability has been fixed in the CVS repository.
PROVIDED AND/OR DISCOVERED BY: Gary Smith
ORIGINAL ADVISORY: http://www.cups.org/str.php?L920

Gentoo Linux Security Advisory GLSA 200410-06
http://security.gentoo.org/

Severity: Normal
Title: CUPS: Leakage of sensitive information
Date: October 09, 2004
Bugs: #66501
ID: 200410-06

Synopsis
========
CUPS leaks information about user names and passwords when using remote printing to SMB-shared printers which require authentication.

Background
==========
The Common UNIX Printing System (CUPS) is a cross-platform print spooler.

Affected packages
=================
    -------------------------------------------------------------------
     Package         /  Vulnerable     /  Unaffected
    -------------------------------------------------------------------
  1  net-print/cups     <= 1.1.20-r2      *>= 1.1.20-r3
                        == 1.1.21         >= 1.1.21-r1

Description
===========
When printing to a SMB-shared printer requiring authentication, CUPS leaks the user name and password to a logfile.

Impact
======
A local user could gain knowledge of sensitive authentication data.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All CUPS users should upgrade to the latest version:

    # emerge sync
    # emerge -pv ">=net-print/cups-1.1.20-r3"
    # emerge ">=net-print/cups-1.1.20-r3"

References
==========
[ 1 ] CAN-2004-0923 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0923

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200410-06.xml

License
=======
Copyright 2004 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/1.0
VAR-200501-0294 CVE-2004-0927 Apple MacOS ServerAdmin Default certificate vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
ServerAdmin in Mac OS X 10.2.8 through 10.3.5 uses the same example self-signed certificate on each system, which allows remote attackers to decrypt sessions. Multiple security vulnerabilities are reported in Mac OS X. A security update is available to address these issues and to provide other enhancements. The following issues are reported: Apple AFP server is reported prone to a remote denial of service vulnerability. A weak permissions vulnerability is reported to affect the AFP server. This may result in a false sense of security for an administrator. A vulnerability is reported to exist in the NetInfoManager utility. It is reported that the utility will, under certain circumstances, report the status of certain accounts as disabled when they are not. A heap-based buffer overrun is reported to exist in the QuickTime utility. An attacker may exploit this vulnerability to execute arbitrary instructions in the context of the user that is running the vulnerable software. Finally, ServerAdmin is reported prone to a weak default configuration vulnerability. This may result in ServerAdmin traffic being intercepted and decrypted by a remote attacker. This vulnerability has been split into BID 11344. Some of these issues may already be described in previous BIDs. This BID will be split up into unique BIDs when further analysis of this update is complete. This vulnerability allows attackers to decrypt all communications between ServerAdmin servers and clients. This facilitates the theft of authentication credentials by sniffing networks containing the affected application, and then utilizing the known private key in applications such as 'ssldump'. Once authentication credentials are stolen, attackers can then utilize ServerAdmin for full system compromise. Previous versions may also be affected
VAR-200501-0019 CVE-2004-0921 Apple MacOS AFP Denial of service vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
AFP Server on Mac OS X 10.3.x to 10.3.5, when a guest has mounted an AFP volume, allows the guest to "terminate authenticated user mounts" via modified SessionDestroy packets. Multiple security vulnerabilities are reported in Mac OS X. A security update is available to address these issues and to provide other enhancements. The following issues are reported: Apple AFP server is reported prone to a remote denial of service vulnerability. A weak permissions vulnerability is reported to affect the AFP server. This may result in a false sense of security for an administrator. A vulnerability is reported to exist in the NetInfoManager utility. It is reported that the utility will, under certain circumstances, report the status of certain accounts as disabled when they are not. A heap-based buffer overrun is reported to exist in the QuickTime utility. An attacker may exploit this vulnerability to execute arbitrary instructions in the context of the user that is running the vulnerable software. Finally, ServerAdmin is reported prone to a weak default configuration vulnerability. This may result in ServerAdmin traffic being intercepted and decrypted by a remote attacker. This vulnerability has been split into BID 11344. Some of these issues may already be described in previous BIDs. This BID will be split up into unique BIDs when further analysis of this update is complete
VAR-200502-0025 CVE-2004-0975 OpenSSL DER_CHOP Insecure Temporary File Creation Vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files. A flaw in the OpenSSL library could allow a remote attacker to cause a denial of service on an affected application. Multiple RSA implementations fail to properly handle RSA signatures. This vulnerability may allow an attacker to forge RSA signatures. The der_chop script included with OpenSSL creates temporary files insecurely, which makes it vulnerable to symbolic link attacks. An arbitrary file may be created or overwritten with the privileges of the user executing the der_chop script. OpenSSL is affected by an insecure temporary file creation vulnerability. This issue is likely due to a design error that causes the application to fail to verify the existence of a file before writing to it. An attacker may leverage this issue to overwrite arbitrary files with the privileges of an unsuspecting user that activates the vulnerable application. Reportedly this issue is unlikely to facilitate privilege escalation. OpenSSL is an open source SSL suite.

TITLE: Gentoo update for openssl
SECUNIA ADVISORY ID: SA22544
VERIFY ADVISORY: http://secunia.com/advisories/22544/
CRITICAL: Highly critical
IMPACT: DoS, System access
WHERE: From remote
OPERATING SYSTEM: Gentoo Linux 1.x http://secunia.com/product/339/
DESCRIPTION: Gentoo has issued an update for openssl. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. For more information: SA22130
SOLUTION: OpenSSL 0.9.8 users: Update to "dev-libs/openssl-0.9.8d". OpenSSL 0.9.7 users: Update to "dev-libs/openssl-0.9.7l".
ORIGINAL ADVISORY: http://www.gentoo.org/security/en/glsa/glsa-200610-11.xml
OTHER REFERENCES: SA22130: http://secunia.com/advisories/22130/
VAR-200412-0566 CVE-2004-2147 Symantec Norton AntiVirus Malformed Email Service Rejection Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unknown versions of Symantec Norton AntiVirus and Microsoft Outlook allow attackers to cause a denial of service (crash) via malformed e-mail messages (1) without a body or (2) without a carriage return ("\n") separating the headers from the body. It is alleged that Symantec Norton AntiVirus is prone to a denial of service vulnerability. The discoverer of this issue reports that when a malformed email is received through Microsoft Outlook and Norton AntiVirus attempts to process this email, the Norton AntiVirus application will crash. Symantec is currently investigating this report; this BID will be updated as soon as this investigation is complete. It should also be noted that the discoverer of the issue has not provided any details about which versions may be affected by this issue, version information will be updated appropriately when this issue is investigated further
VAR-200409-0093 No CVE Inkra Router Virtual Service Switch Remote Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Inkra Router Virtual Service Switch is a device implemented by a routed virtual service exchange, which dynamically protects against internal networks and applications. Inkra Router Virtual Service Switch incorrectly handles abnormal network data. Remote attackers can use this vulnerability to conduct denial of service attacks on devices. No detailed vulnerability information is provided at this time. This issue is due to a failure of the application to handle exceptional network data. An attacker may leverage this issue to cause the affected device to crash, denying service to legitimate users.
VAR-200412-1004 CVE-2004-1550 Motorola WR850G Wireless Router Remote Authentication Bypass Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Motorola Wireless Router WR850G running firmware 4.03 allows remote attackers to bypass authentication, log on as an administrator, and obtain sensitive information by repeatedly making an HTTP request for ver.asp until an administrator logs on. Motorola WR850G is a wireless router. By periodically requesting the access-restricted 'ver.asp' script, an attacker gains access to the web interface and can obtain the web interface user name and password. Using this password to access frame_debug.asp, the attacker can obtain a web shell and execute any command on the system. This issue is caused by a design error and may allow an attacker to ultimately take complete control over the device. Motorola wireless router WR850G running firmware version 4.03 is reportedly affected by this issue. It is possible that other models and firmware versions are affected as well.
VAR-200412-0169 CVE-2004-1472 Symantec Firewall/VPN appliance vulnerable to DoS via UDP port scan CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running firmware before 1.63 allow remote attackers to cause a denial of service (device freeze) via a fast UDP port scan on the WAN interface. These issues are due to a failure of the application to handle exceptional conditions; a default configuration issue exists as well. An attacker can leverage a denial of service issue to cause the affected appliance to stop responding, requiring a power off to bring the device back to functionality. A filter bypass issue allows an attacker to bypass the filters on the 'tftpd', 'snmpd', and 'isakmp' services. An attacker can also read and write the community string of the affected device by default, facilitating disclosure and altering of the device's settings. Symantec Nexland legacy firewall appliances are also affected by these issues. Symantec Enterprise Firewall/VPN is an enterprise-level firewall/VPN system. Symantec Enterprise Firewall/VPN has a default community string, and remote attackers can use this value to obtain sensitive information or perform some configuration operations. The firewalls have default read/write community strings that allow attackers to collect and change firewall configurations. By combining this with other vulnerabilities, an attacker can send SNMP GET/SET requests to the WAN interface.
VAR-200412-0170 CVE-2004-1473 Symantec Firewall/VPN appliance vulnerable to DoS via UDP port scan CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running firmware before 1.63 and Gateway Security 320, 360, and 360R running firmware before 622 allow remote attackers to bypass filtering and determine whether the device is running services such as tftpd, snmpd, or isakmp via a UDP port scan with a source port of UDP 53. These issues are due to a failure of the application to handle exceptional conditions; a default configuration issue exists as well. An attacker can leverage a denial of service issue to cause the affected appliance to stop responding, requiring a power off to bring the device back to functionality. A filter bypass issue allows an attacker to bypass the filters on the 'tftpd', 'snmpd', and 'isakmp' services. An attacker can also read and write the community string of the affected device by default, facilitating disclosure and altering of the device's settings. Symantec Nexland legacy firewall appliances are also affected by these issues. Symantec Enterprise Firewall/VPN is an enterprise-level firewall/VPN system. Symantec Enterprise Firewall/VPN has a default community string, and remote attackers can use this value to obtain sensitive information or perform some configuration operations. The firewalls have default read/write community strings that allow attackers to collect and change firewall configurations. By combining this with other vulnerabilities, an attacker can send SNMP GET/SET requests to the WAN interface.
VAR-200412-0171 CVE-2004-1474 Symantec Firewall/VPN appliance vulnerable to DoS via UDP port scan CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running firmware before 1.63 and Gateway Security 320, 360, and 360R running firmware before 622 use a default read/write SNMP community string, which allows remote attackers to alter the firewall's configuration file. These issues are due to a failure of the application to handle exceptional conditions; a default configuration issue exists as well. An attacker can leverage a denial of service issue to cause the affected appliance to stop responding, requiring a power off to bring the device back to functionality. A filter bypass issue allows an attacker to bypass the filters on the 'tftpd', 'snmpd', and 'isakmp' services. An attacker can also read and write the community string of the affected device by default, facilitating disclosure and altering of the device's settings. Symantec Nexland legacy firewall appliances are also affected by these issues. Symantec Enterprise Firewall/VPN is an enterprise-level firewall/VPN system. The firewalls have default read/write community strings that allow attackers to collect and change firewall configurations. By combining this with other vulnerabilities, an attacker can send SNMP GET/SET requests to the WAN interface.
VAR-200412-0422 CVE-2004-2163 OpenBSD Radius Authentication Bypass Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
login_radius on OpenBSD 3.2, 3.5, and possibly other versions does not verify the shared secret in a response packet from a RADIUS server, which allows remote attackers to bypass authentication by spoofing server replies. OpenBSD is reported prone to an authentication bypass vulnerability when using Radius authentication. This issue can be leveraged by spoofing traffic on a vulnerable network and carrying out a man-in-the-middle attack to gain unauthorized access to an OpenBSD computer. This vulnerability arises if an OpenBSD computer is configured to use Radius authentication and may allow an attacker to gain unauthorized access to the OpenBSD computer. The vulnerability is confirmed in OpenBSD 3.2 and OpenBSD 3.5. Other versions may be vulnerable as well
VAR-200412-0022 CVE-2004-0873 Apple iChat Remote Connection Application Execution Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Apple iChat AV 2.1, AV 2.0, and 1.0.1 allows remote attackers to execute arbitrary programs via a "link" that references the program. This issue is due to a design error that allows an attacker to execute arbitrary commands through a vulnerable application. An attacker can leverage this issue to execute an arbitrary application on an unsuspecting user's computer. The impact of this issue may be increased when an attacker entices a victim to first download an application or has another means of placing an application on the victim's computer, and then exploits this issue to execute it. Apple iChat is a video chat program.
VAR-200409-0091 No CVE Pingtel Xpressa Remote Denial of Service Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The Pingtel series are SIP products, one of which is the Xpressa SIP desktop phone. There is a problem with the HTTP management interface of the Pingtel Xpressa phone. A remote attacker could use this vulnerability to conduct a denial-of-service attack on the device and crash the VxWorks operating system. Pingtel Xpressa phones can be managed through various interfaces (console, Telnet, and HTTP). The embedded HTTP service does not properly handle requests, and the problem occurs when a long request similar to the following is submitted:
    GET /<buffer>/cgi/application.cgi HTTP/1.0
    Authorization: Basic [base64authstring]
The buffer here exceeds 260 characters, which can cause the VxWorks operating system to crash.
VAR-200409-0066 CVE-2004-1675 SolarWinds Serv-U File Server Input validation error vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Serv-U FTP server 4.x and 5.x allows remote attackers to cause a denial of service (application crash) via a STORE UNIQUE (STOU) command with an MS-DOS device name argument such as (1) COM1, (2) LPT1, (3) PRN, or (4) AUX. Serv-U FTP Server is reported prone to a denial of service vulnerability. This issue presents itself because the application fails to handle exceptional conditions. The vulnerability is a result of Serv-U FTP Server processing certain 'STOU' commands. All versions of Serv-U prior to 5.2.0.1 are reportedly affected by this vulnerability
VAR-200409-0006 CVE-2004-0830 F-Secure Internet Gatekeeper Content Scan Server Remote Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Content Scanner Server in F-Secure Anti-Virus for Microsoft Exchange 6.21 and earlier, F-Secure Anti-Virus for Microsoft Exchange 6.01 and earlier, and F-Secure Internet Gatekeeper 6.32 and earlier allow remote attackers to cause a denial of service (service crash due to unhandled exception) via a certain malformed packet. F-Secure Content Scanner Server is reported prone to a remote denial of service vulnerability. This issue presents itself when the application handles certain malformed packets. This vulnerability causes an unhandled exception in the process leading to a crash in the process. F-Secure Internet Gatekeeper can perform automatic virus and content filtering on EMAIL and WEB communications. According to the configuration options, a dialog box will be prompted on the desktop stating that the FSAVSD.EXE process has crashed
VAR-200412-0025 CVE-2004-0824 Apple PPPDialer Unsafe log file creation symbolic link vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
PPPDialer for Mac OS X 10.2.8 through 10.3.5 allows local users to overwrite system files via a symlink attack on PPPDialer log files. The Apple PPPDialer utility is reported to contain an insecure log file creation vulnerability. The result of this is that log files created by the application are created in a world writeable location. A local attacker may possibly exploit this vulnerability to execute symbolic link file overwrite attacks. Privilege escalation may be possible using this method of attack, if the attacker can control the data that is being written to the target file. The PPPDialer for Mac OS X versions 10.2.8 through 10.3.5 is vulnerable