VARIoT IoT vulnerabilities database


VAR-200210-0188 CVE-2002-0886 Cisco CBOS oversized packet leads to DHCP denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco DSL CPE devices running CBOS 2.4.4 and earlier allow remote attackers to cause a denial of service (hang or memory consumption) via (1) a large packet to the DHCP port, (2) a large packet to the Telnet port, or (3) a flood of large packets to the CPE, which causes the TCP/IP stack to consume large amounts of memory. When the CBOS TCP/IP stack is forced to process a high number of unusually large packets, it consumes all available memory, which causes the router to freeze and stop forwarding packets. CBOS (Cisco Broadband Operating System) is the operating system for Cisco 600 series routers. A remote user can cause a denial of service on a CPE running CBOS 2.4.4 and prior by sending an unusually large packet to the Telnet port. The following devices in the Cisco 600 series of routers are affected by this issue: 605, 626, 627, 633, 673, 675, 675e, 676, 677, 677i and 678. This vulnerability has been assigned Cisco Bug ID CSCdv50135. CBOS also does not correctly process packets submitted to the DHCP server, which can lead to denial of service by remote attackers; that issue is tracked as Cisco Bug ID CSCdw90020
VAR-200210-0183 CVE-2002-0881 Cisco VoIP Phone Default administrator password vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Cisco IP Phone (VoIP) models 7910, 7940, and 7960 use a default administrative password, which allows attackers with physical access to the phone to modify the configuration settings. The 7900 series VoIP Phones are a Voice-over-IP solution distributed by Cisco Systems. An attacker with physical access to a Cisco VoIP 7900 series phone can use this default password, entered through the phone's key combination, to change the configuration, for example the TFTP server address and other operational control settings
VAR-200210-0184 CVE-2002-0882 Cisco VoIP Phone Traffic Statistics Request Causes Denial of Service Attack Vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The web server for Cisco IP Phone (VoIP) models 7910, 7940, and 7960 allows remote attackers to cause a denial of service (reset) and possibly read sensitive memory via a large integer value in (1) the stream ID of the StreamingStatistics script, or (2) the port ID of the PortInformation script. The 7900 series VoIP Phones are a Voice-over-IP solution distributed by Cisco Systems. It is possible to deny service to users of this line of phones. By placing a request to the /StreamingStatistics script with a stream ID of arbitrarily high value (i.e. http://www.example.com/StreamingStatistics?<stream> where <stream> is an integer value), the phone will reset itself, making it unable to place or receive calls for a period of up to thirty seconds. This has reportedly been reproduced by passing stream ID values greater than 32768, and consistently reproduced with a value of 120000. The web interface of the VoIP Phone 7900 series mishandles abnormal requests, which allows remote attackers to conduct denial of service attacks. The VoIP Phone 7900 series has a built-in web service listening on port 80. This service provides a script page for displaying streaming statistics, accessed in the form http://www.example.com/StreamingStatistics?<stream>. Because these pages can be accessed without authentication, any attacker can submit a high <stream> value to the service, which will cause the phone to reset. According to testing, a <stream> value higher than 32768 causes a reset, and a value of 120000 reproduces the vulnerability reliably
VAR-200212-0791 CVE-2002-2316 Cisco Catalyst Unicast Traffic Broadcast Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Catalyst 4000 series switches running CatOS 5.5.5, 6.3.5, and 7.1.2 do not always learn MAC addresses from a single initial packet, which causes unicast traffic to be broadcast across the switch and allows remote attackers to obtain sensitive network information by sniffing. Catalyst is a commercial-grade switch distributed by Cisco. Under normal circumstances, a switch will learn the MAC address of a system connected to a port after one packet. It has been reported that the switch may not learn the MAC of a connected system until several more packets have been sent to the unknown host. By doing so, unicast traffic between two systems across the switch may be broadcast to all systems connected to the switch. Remote attackers can obtain sensitive network information through sniffing
VAR-200210-0185 CVE-2002-0883 Compaq ProLiant BL e-Class Enclosure Local Unauthorized Administrator Access Vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Vulnerability in Compaq ProLiant BL e-Class Integrated Administrator 1.0 and 1.10, allows authenticated users with Telnet, SSH, or console access to conduct unauthorized activities. The Compaq ProLiant BL e-Class enclosure utilizes the Integrated Administrator to provide system management. No further technical details are currently available
VAR-200212-0790 CVE-2002-2315 Cisco IOS ICMP Redirect denial of service vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco IOS 11.2.x and 12.0.x do not limit the size of the ICMP redirect table, which allows remote attackers to cause a denial of service (memory consumption) via spoofed ICMP redirect packets to the router. IOS is the Internet Operating System, used on Cisco routers. It is distributed and maintained by Cisco. This vulnerability has been assigned Cisco bug ID CSCdx32056. The following products are known to be affected: Cisco 1005 running IOS 11.0(18); Cisco 1603 running IOS 11.3(11b); Cisco 1603 running IOS 12.0(3); Cisco 2503 running IOS 11.0(22a); Cisco 2503 running IOS 11.1(24a). Cisco IOS 11.2.x and 12.0.x do not limit the size of the redirect table
VAR-200208-0143 CVE-2002-0777 Ipswitch IMail Server LDAP Remote buffer overflow vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in the LDAP component of Ipswitch IMail 7.1 and earlier allows remote attackers to execute arbitrary code via a long "bind DN" parameter. Ipswitch IMail is an e-mail server that serves clients their mail via a web interface. It runs on Microsoft Windows operating systems. IMail normally runs in the SYSTEM context, meaning that successful exploitation will result in a full compromise of the underlying system. It should be noted that this condition may also be exploited to trigger a denial of service. The Ipswitch IMail service includes multiple components, among them an LDAP service that allows remote clients to read the IMail directory; a vulnerability in its authentication (bind) processing allows remote attackers to gain access to the server with the privileges of the SYSTEM account
VAR-200210-0132 CVE-2002-0908 Cisco IDS Device Manager Arbitrary File Read Access Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in the web server for Cisco IDS Device Manager before 3.1.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the HTTPS request. IDS Device Manager is distributed and maintained by Cisco Systems. It may allow a remote user to gain access to sensitive information on the system. Due to improper handling of user-supplied input, it is possible for a user to gain access to arbitrary files on the system using an elementary directory traversal attack. By placing a request to the process with an appended dot-dot-slash (../) sequence pointing to a file, a remote user may read the specified file on the affected system. Since there is no effective security check on the data entered by the user, an attacker can view the contents of any file on the target system with the privileges of IDS Device Manager by submitting strings containing multiple "../" sequences, leading to leakage of sensitive system information
VAR-200212-0858 CVE-2002-2341 SonicWall SOHO3 Content Blocking Script Injection Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in content blocking in SonicWALL SOHO3 6.3.0.0 allows remote attackers to inject arbitrary web script or HTML via a blocked URL. The SonicWALL SOHO3 is an Internet security appliance that provides firewall security solutions. Reportedly, a vulnerability exists in the product that allows a script injection attack to be launched by a malicious user within the internal LAN. It is possible to configure SonicWALL to block domains from a list of user-entered domains. SonicWALL will deny local users access to the websites that have been blocked. Attempts to access blocked domains will be entered into the log files of SonicWALL. An administrator viewing the log files will automatically cause the malicious script code to execute. If the attacker's script code is injected into the log file, the administrator will not be able to access the log normally. To regain access to the logs, the appliance will need to be rebooted. It should be noted that rebooting the appliance will cause the logs to be cleared and will effectively eliminate any indication in the logs of which user initiated the attack. It is possible for a malicious remote user to exploit this issue by crafting a URL of a known blocked domain that includes script code, and enticing a local user into following the link
VAR-200208-0065 CVE-2002-0778 Cisco Cache Engine default configuration unrestricted proxy use vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The default configuration of the proxy for Cisco Cache Engine and Content Engine allows remote attackers to use HTTPS to make TCP connections to allowed IP addresses while hiding the actual source IP. Cisco Cache Engines offer the ability to proxy HTTP, HTTPS and FTP transactions. Since these services may be placed on one of numerous ports, the default configuration allows a user behind the proxy to connect to another system on any port. Insufficient default access control is set on the device, allowing any user that can connect to the system to proxy a request through to another system. Cisco Cache Engine series products are network-integrated cache solutions developed and maintained by CISCO, which can reduce WAN bandwidth usage, maximize network service quality, and improve the scalability of existing networks
VAR-200208-0079 CVE-2002-0792 Cisco Content Service Switch reboots when HTTPS POST request is sent to web management interface CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The web management interface for Cisco Content Service Switch (CSS) 11000 switches allows remote attackers to cause a denial of service (soft reset) via (1) an HTTPS POST request, or (2) malformed XML data. These switches run WebNS software. The attacker does not need to be authenticated to cause this condition to occur. The CSS 11000 series switches are known to be affected by this vulnerability. Since this issue occurs before authentication, any remote attacker without authentication can perform a denial of service attack
VAR-200208-0135 CVE-2002-0769 Cisco ATA-186 web management interface authentication bypass vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The web-based configuration interface for the Cisco ATA 186 Analog Telephone Adaptor allows remote attackers to bypass authentication via an HTTP POST request with a single byte, which allows the attackers to (1) obtain the password from the login screen, or (2) reconfigure the adaptor by modifying certain request parameters. The Cisco ATA-186 Analog Telephone Adapter is a hardware device designed to interface between analog telephones and Voice over IP (VoIP). It includes support for web-based configuration. Under some circumstances, it may be possible to bypass the authentication required for this web interface. This may be done with a specially formatted change-password request. Exploitation allows a remote attacker to reconfigure the vulnerable device. Reportedly, HTTP requests consisting of a single character will cause the device to disclose sensitive configuration information, including the password to the administrative web interface. Viewing the source of the configuration page shows that no hidden parameters are used to maintain state, so the device relies only on the request type and the HTTP input to decide whether configuration is allowed. For example, if three "ChangeUIPasswd" parameters without any value are submitted, the ATA-186 displays the login screen; likewise, if all three "ChangeUIPasswd" values are supplied but one of them does not match the password stored on the device, the login screen appears again; if all parameters are supplied correctly, the device considers the user authenticated and provides the configuration information. Notably, if only two "ChangeUIPasswd" parameters are passed, the device also allows the user to configure it
VAR-200205-0137 CVE-2002-0033 Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters CVSS V2: 10.0
Related entries in the VARIoT exploits database: VAR-E-200201-0108
CVSS V3: -
Severity: HIGH
Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name. Sun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the NFS protocol. The cfsd_calloc function in cachefsd, the NFS/RPC daemon included with Sun Solaris that is required to operate the cache file system, does not perform bounds checking properly on abnormally long cache names and directory names. A remotely exploitable buffer overflow condition has been reported in cachefsd. The overflow occurs in the heap and is reportedly exploitable as valid malloc() chunk structures are overwritten. Successful attacks may result in remote attackers gaining root access on the affected system
VAR-200206-0065 CVE-2002-0602 Snapgear Lite+ firewall excessive HTTP connections denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Snapgear Lite+ firewall 1.5.4 and 1.5.3 allows remote attackers to cause a denial of service (crash) via a large number of connections to (1) the HTTP web management port, or (2) the PPTP port. Snapgear Lite+ is a device with integrated firewall, routing, and VPN support. In version 1.5.4 of the firmware only the web management module will crash, and not the entire firewall in the above situation
VAR-200206-0066 CVE-2002-0603 Snapgear Lite+ firewall IPSEC implementation denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Snapgear Lite+ firewall 1.5.3 allows remote attackers to cause a denial of service (IPSEC crash) via a zero length packet to UDP port 500. Snapgear Lite+ is a device with integrated firewall, routing, and VPN support. This may result in a denial of VPN/tunnel service
VAR-200206-0067 CVE-2002-0604 Snapgear Lite+ firewall malformed IP packets denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Snapgear Lite+ firewall 1.5.3 and 1.5.4 allows remote attackers to cause a denial of service (crash) via a large number of packets with malformed IP options. Snapgear Lite+ is a device with integrated firewall, routing, and VPN support. The firewall is unable to handle IP packets with malformed IP options. Sending many such packets will eventually cause the firewall to crash
VAR-200206-0064 CVE-2002-0601 The ISS RealSecure Network Sensor fails to properly process certain types of DHCP traffic. CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
ISS RealSecure Network Sensor 5.x through 6.5 allows remote attackers to cause a denial of service (crash) via malformed DHCP packets that cause RealSecure to dereference a null pointer. ISS RealSecure Network Sensor "informational signatures" fail to properly process certain types of DHCP traffic, thereby causing the sensor to crash. RealSecure is the commercial Intrusion Detection System (IDS) distributed and maintained by ISS. RealSecure becomes unstable when processing some of the DHCP signatures packaged with the system. Due to the construction of the three DHCP signatures (DHCP_ACK - 7131, DHCP_Discover - 7132, and DHCP_Request - 7133), the RealSecure software may become unstable and crash. This is due to the software attempting to dereference a null pointer. If the sensor is disabled, further attacks may go unnoticed. Vulnerabilities exist in ISS RealSecure Network Sensor versions 5.x to 6.5
VAR-200212-0207 CVE-2002-2063 ATGuard Personal Firewall outbound connection restriction bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
AtGuard 3.2 allows remote attackers to bypass firewall filters and execute prohibited programs by changing the filenames to permitted filenames. An issue has been reported in ATGuard Personal Firewall. Reportedly, it is possible for a user to bypass the security restrictions of ATGuard. This is achieved by renaming the restricted web application with an authorized application name. For example, if icq.exe is a restricted application and iexplore.exe is an authorized application, renaming icq.exe to iexplore.exe will cause ATGuard to permit the use of the application. It should be noted that ATGuard Firewall was acquired by Symantec, and support for this product may no longer be available. A vulnerability in ATGuard Personal Firewall's outbound connection control handling could allow an attacker to bypass ATGuard's security restrictions. ATGuard Personal Firewall only checks the file name of the application when restricting outgoing connections. An attacker can rename a Trojan horse program to a permitted name so that a program that would otherwise be blocked from connecting to the outside world can communicate normally
VAR-200212-0126 CVE-2002-2059 Intel D845 Series Motherboard BIOS Arbitrary Media Boot Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
The BIOS on Intel D845BG, D845HV, D845PT and D845WN motherboards does not properly restrict access to configuration information when BIOS passwords are enabled, which could allow local users to change the default boot device via the F8 key. The D845 series motherboards are a product of Intel. These motherboards are designed to support the Pentium 4 processor. When a system using a D845 series motherboard is booted, it is possible to halt the boot to change the boot media, even if a BIOS password is set. By pressing the F8 key, the D845 BIOS will give a user at the console a menu. From this menu, a user may specify a different medium than the default from which the system is to be booted. Any password set on the BIOS will be circumvented by this procedure. Through this process, a local attacker can bypass the password protection and boot the system successfully
VAR-200204-0025 CVE-2002-0160 Cisco Secure Access Control Server (ACS) Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The administration function in Cisco Secure Access Control Server (ACS) for Windows, 2.6.x and earlier and 3.x through 3.01 (build 40), allows remote attackers to read HTML, Java class, and image files outside the web root via a ..\.. (modified ..) in the URL to port 2002