VARIoT IoT vulnerabilities database

VAR-200210-0273 | CVE-2002-1102 | Cisco VPN 3000 Concentrator LAN-to-LAN IPSEC capability Denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The LAN-to-LAN IPSEC capability for Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.4, allows remote attackers to cause a denial of service via an incoming LAN-to-LAN connection with an existing security association with another device on the remote network, which causes the concentrator to remove the previous connection. Cisco has reported a security vulnerability in VPN 3000 series concentrator devices. The vulnerability is related to handling of incoming LAN-to-LAN IPSEC tunnel connections. According to Cisco, this behaviour may be exploitable as a denial of service attack.
Furthermore, affected devices do not ensure that the data transmitted across a LAN-to-LAN IPSEC tunnel is sourced from the appropriate network. The implications of this potentially separate issue are not yet known. The LAN-to-LAN IPSEC capability of Cisco VPN 3000 Concentrator 2.2.x and 3.x before 3.5.4 is affected.
VAR-200210-0274 | CVE-2002-1103 | Cisco VPN 3000 series concentrator does not properly handle malformed ISAKMP packets |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco VPN 3000 Concentrator 2.2.x, 3.6(Rel), and 3.x before 3.5.5, allows remote attackers to cause a denial of service via (1) malformed or (2) large ISAKMP packets. Cisco VPN 3000 series concentrators do not properly handle specially crafted Internet Security Association and Key Management Protocol (ISAKMP) packets, which can cause a vulnerable device to reload, denying service to legitimate users. Denial of network/VPN service may be possible. Cisco has reported a number of vulnerabilities in the VPN 3000 series concentrators. These issues affect models 3005, 3015, 3030, 3060, 3080 and the Cisco VPN 3002 Hardware Client.
The nature of these issues varies from disclosure of sensitive information, to denial of service. Some of these issues may allow for remote unauthorized access to the device or the network to occur. VPN 3000 Concentrator is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause denial-of-service conditions.
VAR-200212-0703 | CVE-2002-2379 | Cisco AS5350 Universal Gateway Remote Denial of Service Attack Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco AS5350 IOS 12.2(11)T with access control lists (ACLs) applied and possibly with ssh running allows remote attackers to cause a denial of service (crash) via a port scan, possibly due to an ssh bug. NOTE: this issue could not be reproduced by the vendor. The Cisco AS5350 Universal Gateway is reported to be prone to a denial of service condition. It is possible to cause this condition by portscanning a vulnerable device.
This issue was reported for Cisco AS5350 devices running Cisco IOS release 12.2(11)T. Other firmware and devices may also be affected.
There are conflicting reports regarding the existence of this vulnerability. Other sources have indicated that the issue may be related to a configuration problem. Attackers can use the Nmap scanner to scan ports 1-65535 of the Cisco AS5350 Universal Gateway, which can cause the system to hang and require a restart of the device to restore normal operation. However, there are many differing views on this issue.
VAR-200212-0043 | CVE-2002-2161 | Kerio Personal Firewall SYN Packet Flood Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to cause a denial of service (hang and CPU consumption) via a SYN packet flood. Kerio Personal Firewall (KPF) is a personal firewall product for the Microsoft Windows operating system.
When KPF receives a large number of SYN packets from a single source, the firewall process consumes all available CPU time and eventually hangs the vulnerable system. A reboot may be required in order to regain normal functionality.
VAR-200212-0511 | CVE-2002-1811 | Belkin F5D6130 Wireless Network Access Point SNMP Request Remote Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Belkin F5D6130 Wireless Network Access Point running firmware AP14G8 allows remote attackers to cause a denial of service (connection loss) by sending several SNMP GetNextRequest requests.
Reportedly, this issue may be exploited by making a sequence of SNMP requests. A valid community name is not required. After a number of SNMP requests are made, the device will fail to respond to further requests. Additionally, all wireless connections will be dropped, and new connections refused.
Under some conditions, the device may also fail to respond on the ethernet interface. The Belkin F5D6130 has a design flaw: it accepts SNMP requests without a valid SNMP community string.
VAR-200210-0223 | CVE-2002-1069 | D-Link DI-804 Remote Management Interface Unauthenticated DHCP Address Release Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The remote administration capability for the D-Link DI-804 router 4.68 allows remote attackers to bypass authentication and release DHCP addresses or obtain sensitive information via a direct web request to the pages (1) release.htm, (2) Device Status, or (3) Device Information. DI-804 is a hardware gateway and firewall developed and designed by D-LINK.
DI-804's web management interface lacks access control, which causes the DHCP address that has been allocated to be released.
When the web management interface of the DI-804 is enabled, the /release.html page can be used to operate on DHCP-assigned addresses. Because there is no access control on the /release.html page, remote attackers can maliciously release allocated addresses. This page is used to manipulate DHCP-allocated addresses, and could be used to revoke leases on assigned addresses. It is also possible to access the Device Information and Device Status pages. These pages contain information such as the WAN IP, netmask, name server information, DHCP log, and MAC address to IP address mappings. The Device Information page lists the device name, firmware version, and MAC addresses of the LAN and WAN interfaces.
VAR-200212-0524 | CVE-2002-1925 | Tiny Personal Firewall Local Denial of Service and IP Spoofing Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Tiny Personal Firewall 3.0 through 3.0.6 allows remote attackers to cause a denial of service (crash) via SYN, UDP, ICMP and TCP portscans when the administrator selects the Log tab of the Personal Firewall Agent module. Reportedly, Tiny Personal Firewall is vulnerable to a denial of service condition. The vulnerability occurs when a user chooses to browse the Personal Firewall Agent logs while the system is being portscanned.
This causes Tiny Personal Firewall to consume all CPU resources, so the system stops responding and eventually crashes. Tiny Personal Firewall is a firewall for personal computers that protects against network attacks, worms, Trojan horses and viruses, and runs on the Microsoft Windows operating system. 2) IP spoofing and denial of service vulnerability: when Tiny Personal Firewall is fully configured and the firewall level is set to high, there is a flaw in how it blocks communication whose source address is the IP address of the firewall itself. An attacker can forge that source address to bypass firewall rules for packets sent to the firewall's own IP address.
VAR-200212-0399 | CVE-2002-1951 | GoAhead WebServer Remote buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in GoAhead WebServer 2.1 allows remote attackers to execute arbitrary code via a long HTTP GET request with a large number of subdirectories. GoAhead WebServer is an Open Source embedded web server which supports Active Server Pages, embedded javascript, and SSL authentication and encryption. It is available for a variety of platforms including Microsoft Windows and Linux variant operating systems.
It has been discovered that a buffer overflow exists in GoAhead WebServer. This could lead to an attacker gaining remote access to a vulnerable host. GoAhead WebServer lacks correct processing of URL requests submitted by users.
VAR-200304-0064 | CVE-2002-1440 | Gateway GS-400 NAS Servers Default Administrator Password Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Gateway GS-400 server has a default root password of "0001n" that can not be changed via the administrative interface, which can allow attackers to gain root privileges. The GS-400 is a storage machine distributed by Gateway.
A default vendor password of "0001n" is used on all GS-400 servers. This password cannot be changed via the administrative interface. This could allow an attacker with the ability to remotely connect to the server to gain unauthorized access. The Gateway GS-400 server runs IDE RAID system software on the Linux operating system. The system includes a web-based management console that runs with the authority of the "admin" user. This password is stored un-shadowed in the password file, and it is not strong enough: it can be recovered by brute-force guessing (5^36 attempts).
VAR-200209-0032 | CVE-2002-0852 | Cisco VPN client Multiple security vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflows in Cisco Virtual Private Network (VPN) Client 3.5.4 and earlier allows remote attackers to cause a denial of service via (1) an Internet Key Exchange (IKE) with a large Security Parameter Index (SPI) payload, or (2) an IKE packet with a large number of valid payloads. VPN Client for Linux is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause denial-of-service conditions. Cisco Virtual Private Network (VPN) Client software is used to communicate with the Cisco VPN Concentrator; it runs on Windows, Solaris, Red Hat Linux, Apple MacOS and other systems. The Cisco VPN Client software contains multiple security holes, which can be exploited by attackers to prevent the Cisco VPN Client software from working properly. * An IKE packet containing more than 57 payloads can trigger a buffer overflow in the VPN Client software. * When the VPN Client software receives a malformed packet with a payload length of zero, it consumes 100% of the workstation's CPU resources. The Cisco bug ID for these vulnerabilities is CSCdy26045.
VAR-200208-0195 | CVE-2002-0485 | Norton Anti-Virus (NAV) Bypass content filter vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Norton Anti-Virus (NAV) allows remote attackers to bypass content filtering via attachments whose Content-Type and Content-Disposition headers are mixed upper and lower case, which is ignored by some mail clients. Norton Anti-Virus (NAV) is prone to a security-bypass vulnerability.
VAR-200208-0015 | CVE-2002-0422 | IIS Far East Edition CVE-2002-0422 Remote Security Vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
IIS 5 and 5.1 supporting WebDAV methods allows remote attackers to determine the internal IP address of the system (which may be obscured by NAT) via (1) a PROPFIND HTTP request with a blank Host header, which leaks the address in an HREF property in a 207 Multi-Status response, or (2) via the WRITE or MKCOL method, which leaks the IP in the Location server header. IIS Far East Edition is prone to a remote security vulnerability.
VAR-200208-0044 | CVE-2002-0826 | Progress Software Ipswitch WS_FTP Server Buffer error vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in WS_FTP FTP Server 3.1.1 allows remote authenticated users to execute arbitrary code via a long SITE CPWD command. Ipswitch WS_FTP Server is an FTP server for Microsoft Windows platforms. Oversized parameters may corrupt process memory, possibly leading to the execution of arbitrary code as the server process.
This issue has been reported in WS_FTP Server 3.1.1. Earlier versions may share this vulnerability, but this has not been confirmed. Progress Software Ipswitch WS_FTP Server is FTP server software developed by Progress Software Company in the United States. It provides functions such as file transfer control and transfer encryption. A buffer error vulnerability exists in Progress Software Ipswitch WS_FTP Server version 3.1.1.
VAR-200208-0057 | CVE-2002-0849 | iSCSI Insecure Profile Permissions Local Information Disclosure Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Linux-iSCSI iSCSI implementation installs the iscsi.conf file with world-readable permissions on some operating systems, including Red Hat Linux Limbo Beta #1, which could allow local users to gain privileges by reading the cleartext CHAP password. iSCSI leaves administrative credentials stored in a world-readable configuration file.
The configuration file that iSCSI uses is stored in /etc/iscsi.conf. Reportedly, this file is installed by default with world-readable and possibly world-writeable permissions enabled. This may have some potentially serious consequences, as the configuration file also stores password information in plain text. iSCSI (Internet Small Computer Systems Interface) is a protocol that supports access to storage devices over a TCP/IP network, which facilitates storage consolidation and sharing of storage resources across organizations. The main authentication mechanism of iSCSI uses the CHAP protocol. There is a configuration problem in the Linux implementation of iSCSI, and local attackers can exploit this vulnerability to obtain authentication passwords and other sensitive information.
VAR-200208-0056 | CVE-2002-0848 | Cisco VPN 5000 Series concentrator RADIUS PAP Authentication vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco VPN 5000 series concentrator hardware 6.0.21.0002 and earlier, and 5.2.23.0003 and earlier, when using RADIUS with a challenge type of Password Authentication Protocol (PAP) or Challenge, sends the user password in cleartext in a validation retry request, which could allow remote attackers to steal passwords via sniffing. The VPN 5000 Concentrator line supports the use of a RADIUS server to authenticate client connections. An error has been reported in this authentication process when either PAP or Challenge authentication is used. If more than one authentication message is transmitted, the client password will be sent in plaintext.
Cisco has reported that this issue does not exist if CHAP authentication is used. The Cisco VPN 5000 Series Concentrators consist of a general-purpose remote-access virtual private network (VPN) platform and client software that combine high availability, performance, and scalability with advanced encryption and authentication technologies to provide services to professional operators and enterprise users. User passwords may be sent in clear text. VPN 5000 series concentrators support three RADIUS communication methods: the keyword ChallengeType in the [RADIUS] section can be set to CHAP, PAP or Challenge. When a RADIUS server is used, access requests are sent to the RADIUS server with the user password encrypted as specified by the RFC. If, within a certain period of time, the server does not return an Access-Accept packet because of network or configuration problems, the concentrator sends a retry packet, but the user password in this packet is sent in plain text. All Cisco VPN 5000 Series Concentrator hardware using software versions 6.0.21.0002 (and earlier) and 5.2.23.0003 (and earlier) is affected by this vulnerability. This series includes the 5001, 5002 and 5008 models. Older versions of the IntraPort family of concentrator hardware are also affected by this vulnerability. This series includes the IntraPort 2, IntraPort 2+, IntraPort Enterprise-2 and Enterprise-8, and IntraPort Carrier-2 and Carrier-8 models. VPN 3000 series concentrator hardware is not affected by this vulnerability.
VAR-200212-0006 | CVE-2002-1183 | Microsoft Products Digital Certificate Validation Arbitrary Code Execution Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Microsoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862). ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the vulnerability information other than the title covers all of them. ------------ The SSL implementation in Microsoft Internet Explorer (IE) and the S/MIME implementation in Microsoft Outlook Express have a flaw in certificate handling. Because IE and Outlook S/MIME do not check whether an intermediate certificate authority (intermediate CA) is valid for the domain, they accept a domain certificate created by a malicious user as legitimate. Normally an intermediate certificate states in its Basic Constraints extension field whether it has the authority to act as a certificate authority and sign other certificates. The IE and Outlook S/MIME implementations do not check this Basic Constraints extension sufficiently: if the root certificate authority is trusted, the certificate is trusted. For that reason, IE and Outlook S/MIME accept as legitimate a certificate for any domain signed with a bad certificate created by a malicious user. By exploiting this problem, an attacker can intercept and steal encrypted information, or spoof identities. The vendor has reported that Internet Explorer 6.0 SP1 installed after Microsoft Windows 2000 SP4 is affected by this issue. A patch for Windows 2000 SP4 (KB329115) that eliminates this problem was released on November 11, 2003. Please refer to the "Overview" for the impact of this vulnerability. A flaw has been reported in the handling of X.509 certificates by a number of products, including several web browsers.
It may be possible for a malicious party to create certificates for arbitrary domains, which will be treated as trusted by the vulnerable browser.
This vulnerability was originally reported in Microsoft's Internet Explorer web browser.
Reports state that IIS 5.0 under Windows 2000 is also vulnerable. In this case, client certificate chains are not properly verified. Attackers may exploit this vulnerability to bypass some authentication schemes.
This vulnerability also exists in some versions of KDE and the included Konqueror web browser. Versions 3.0.2 and earlier are vulnerable.
** A report suggests that the patch issued by Microsoft may not fully protect against this vulnerability. It may be possible that a malicious site using an invalid certificate may mislead users into believing that a certificate is expired rather than being invalid.
** UPDATE 11/11/03 - Microsoft has updated their bulletin for this issue. Users who installed Internet Explorer 6 after installing Windows 2000 Service Pack 4 may have reintroduced this issue onto their systems. A new patch is available for users who installed Internet Explorer 6 on Windows 2000 SP4 systems.
VAR-200209-0010 | CVE-2002-0970 | KDE Konqueror Forged Trusted Site Certificate Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The SSL capability for Konqueror in KDE 3.0.2 and earlier does not verify the Basic Constraints for an intermediate CA-signed certificate, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the vulnerability information other than the title covers all of them. ------------ * KDE is a comprehensive desktop environment developed for the X Window System. * KDE 2.x and 3.x as shipped with Red Hat Linux have several security issues: 1. The SSL support in the Konqueror web browser included with KDE 3.0.2 does not function correctly and treats untrusted sites as trusted. 2. Konqueror in KDE 3.0 through 3.0.2 does not detect the secure flag on cookies, so cookies may be leaked. 3. Konqueror before KDE 3.0.3 is vulnerable to cross-site scripting attacks. 4. kpf, as shipped from KDE 3.0.1, has a flaw that allows a local attacker to view an arbitrary file. 5. KDE 2.x through 3.0.4 has a flaw in its implementation of the rlogin and telnet protocols that remote and local attackers can exploit to execute arbitrary code with the privileges of the KDE user. 6. resLISa, which provides KDE's LAN browsing function, has a buffer overflow, and LISa has a privilege escalation problem (the LISa service is disabled by default). Please refer to the "Overview" for the impact of this vulnerability. A flaw has been reported in the handling of X.509 certificates by a number of products, including several web browsers. It may be possible for a malicious party to create certificates for arbitrary domains, which will be treated as trusted by the vulnerable browser.
The flaw lies in the handling of intermediate certificate authorities. Normally, intermediate certificates should possess a Basic Constraints field which states the certificate may be used as a signing authority.
Vulnerable products do not require the Basic Constraints field be properly defined. A malicious party with one valid certificate may sign a new certificate for an arbitrary domain. This may allow the attacker to spoof a sensitive domain, or to attempt a man-in-the-middle attack against encrypted communications.
This vulnerability was originally reported in Microsoft's Internet Explorer web browser. It has been reported that, in the case of Microsoft Internet Explorer, the flaw lies in some cryptographic functions implemented in the operating system. It should be noted that this flaw has not been reported in the Cryptographic API included with Microsoft Windows.
Reports state that IIS 5.0 under Windows 2000 is also vulnerable. In this case, client certificate chains are not properly verified. Attackers may exploit this vulnerability to bypass some authentication schemes. Versions 3.0.2 and earlier are vulnerable.
** A report suggests that the patch issued by Microsoft may not fully protect against this vulnerability. It may be possible that a malicious site using an invalid certificate may mislead users into believing that a certificate is expired rather than being invalid.
** UPDATE 11/11/03 - Microsoft has updated their bulletin for this issue. Users who installed Internet Explorer 6 after installing Windows 2000 Service Pack 4 may have reintroduced this issue onto their systems. A new patch is available for users who installed Internet Explorer 6 on Windows 2000 SP4 systems.
VAR-200304-0077 | CVE-2002-1407 | Microsoft Internet Explorer SSL Certificate Authentication Man-in-the-Middle Attack Vulnerability (MS02-050) |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
TinySSL 1.02 and earlier does not verify the Basic Constraints for an intermediate CA-signed certificate, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack. A flaw has been reported in the handling of X.509 certificates by a number of products, including several web browsers. It may be possible for a malicious party to create certificates for arbitrary domains, which will be treated as trusted by the vulnerable browser.
The flaw lies in the handling of intermediate certificate authorities.
Vulnerable products do not require the Basic Constraints field be properly defined. A malicious party with one valid certificate may sign a new certificate for an arbitrary domain. This may allow the attacker to spoof a sensitive domain, or to attempt a man-in-the-middle attack against encrypted communications.
This vulnerability was originally reported in Microsoft's Internet Explorer web browser. It has been reported that, in the case of Microsoft Internet Explorer, the flaw lies in some cryptographic functions implemented in the operating system. It should be noted that this flaw has not been reported in the Cryptographic API included with Microsoft Windows.
Reports state that IIS 5.0 under Windows 2000 is also vulnerable. In this case, client certificate chains are not properly verified. Attackers may exploit this vulnerability to bypass some authentication schemes.
This vulnerability also exists in some versions of KDE and the included Konqueror web browser. Versions 3.0.2 and earlier are vulnerable.
** A report suggests that the patch issued by Microsoft may not fully protect against this vulnerability. It may be possible that a malicious site using an invalid certificate may mislead users into believing that a certificate is expired rather than being invalid.
** UPDATE 11/11/03 - Microsoft has updated their bulletin for this issue. Users who installed Internet Explorer 6 after installing Windows 2000 Service Pack 4 may have reintroduced this issue onto their systems. A new patch is available for users who installed Internet Explorer 6 on Windows 2000 SP4 systems.
VAR-200306-0129 | CVE-2002-1463 | Multiple Symantec Products Weak TCP Initial Sequence Number Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Symantec Raptor Firewall 6.5 and 6.5.3, Enterprise Firewall 6.5.2 and 7.0, VelociRaptor Models 500/700/1000 and 1100/1200/1300, and Gateway Security 5110/5200/5300 generate easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections. Symantec produces a range of hardware and software firewall products. A number of these products have been reported to have a vulnerability related to the creation of TCP Initial Sequence Numbers (ISNs).
Reportedly, vulnerable products will reuse ISN values for connections with the same source and destination IP and port over a limited time period. An attacker able to learn this ISN may spoof new connections from the specified IP address, or inject data into legitimate connections. Remote attackers can use this vulnerability to perform IP spoofing or data insertion attacks on the current connection. The firewall's application-layer protocol inspection technology is intended to prevent session spoofing and hijacking by using random TCP initial sequence numbers for new proxy connections. During the reuse period, however, an attacker can capture the initial TCP handshake of an earlier session from a legitimate IP address.
VAR-200210-0230 | CVE-2002-1077 | IPSwitch IMail Web Calendar Incomplete Request Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IPSwitch IMail Web Calendaring service (iwebcal) allows remote attackers to cause a denial of service (crash) via an HTTP POST request without a Content-Length field. IMail is a commercial email server software package distributed and maintained by Ipswitch, Incorporated. IMail is available for Microsoft operating systems. It has been reported that a POST request without a Content-Length header results in a crash of the iwebcal service.