VARIoT IoT vulnerabilities database


VAR-200204-0024 CVE-2002-0159 CiscoSecure ACS For Windows Remote format string overflow vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Format string vulnerability in the administration function in Cisco Secure Access Control Server (ACS) for Windows, 2.6.x and earlier and 3.x through 3.01 (build 40), allows remote attackers to crash the CSADMIN module only (denial of service of administration function) or execute arbitrary code via format strings in the URL to port 2002. ACS is the commercial access control server distributed and maintained by Cisco Systems. This problem affects CiscoSecure ACS on the Microsoft Windows platform. ACS does not properly handle user-supplied input and is vulnerable to a format string attack which could allow the execution of arbitrary code. By sending a custom-crafted URL to port 2002 of a vulnerable server, it is possible to execute user-supplied code with the privileges of the ACS server. The CiscoSecure ACS implementation for the Microsoft Windows platform contains a flaw that a remote attacker may use to execute arbitrary commands on the host: a format string overflow occurs when ACS processes user input
VAR-200204-0046 No CVE CNVD-2002-0655 CVSS V2: -
CVSS V3: -
Severity: -
Siemens mobile phones receive short messages in PDU format. When displaying certain special format characters, the S3569i mobile phone mishandles the message, which causes the phone to shut down directly, and the short message cannot be deleted. A malicious sender can exploit this by sending such messages to a target phone until its short-message storage is full, after which the phone's user cannot process any other short messages.
VAR-200204-0036 CVE-2001-1171 Check Point Firewall Vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Check Point Firewall-1 3.0b through 4.0 SP1 follows symlinks and creates a world-writable temporary .cpp file when compiling Policy rules, which could allow local users to gain privileges or modify the firewall policy. Firewall-1 is prone to a local security vulnerability: local users may escalate privileges or modify firewall policies
VAR-200212-0198 CVE-2002-2110 RCA Digital Cable Modem Default SNMP public Password vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The RCA Digital Cable Modems DCM225 and DCM225E allow remote attackers to cause a denial of service (modem device reset) by connecting to port 80 on the 10.0.0.0/8 device. The RCA Digital Cable Modem provides a bridge between a computer and cable internet access. Remote users can use the public password to view and modify the modem configuration data through the 10.0.0.0/8 address space monitored by the SNMP interface
VAR-200212-0200 CVE-2002-2112 RCA Digital Cable Modem public SNMP Management vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
RCA Digital Cable Modem DCM225 and DCM225E, and other modems that must conform to the Data-over-Cable Service Interface Specifications (DOCSIS) standard, use the "public" community string for SNMP access, which allows remote attackers to read or write MIB information. The RCA Digital Cable Modem provides a bridge between a computer and cable internet access. SNMP access is granted to the public community. Remote users may connect, view, and modify modem configuration data through the SNMP interface listening on the 10.0.0.0/8 address space
VAR-200208-0215 CVE-2002-0505 Cisco CallManager contains memory leak CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Memory leak in the Call Telephony Integration (CTI) Framework authentication for Cisco CallManager 3.0 and 3.1 before 3.1(3) allows remote attackers to cause a denial of service (crash and reload) via a series of authentication failures, e.g. via incorrect passwords. The Cisco Call Manager contains a vulnerability that could permit an intruder to crash the Call Manager. Cisco CallManager is the software based call processing component of the Cisco IP Telephony solution. A denial of service condition has been reported in some versions of the CallManager software. If a user does not properly authenticate when using Call Telephony Integration (CTI), a memory leak may occur. This may result in the vulnerable process crashing and reloading. Reference: http://www.cisco.com/warp/public/707/callmanager-ctifw-leak-pub.shtml
VAR-200208-0193 CVE-2002-0483 PHP-Nuke Error message WEBROOT Path information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
index.php for PHP-Nuke 5.4 and earlier allows remote attackers to determine the physical pathname of the web server when the file parameter is set to index.php, which triggers an error message that leaks the pathname. PHP-Nuke is a popular web based Portal system. It allows users to create accounts and contribute content to the site, and runs under Unix and Linux operating systems as well as Microsoft Windows. A vulnerability has been reported in some versions of PHP-Nuke. Reportedly, a maliciously constructed HTTP request will cause the index.php script to return an error message which includes the full path of the script. It has been suggested that this is the result of an insecure server configuration. PHP-Nuke may leak absolute paths due to problems in handling some malformed web requests. Attackers can use this information to carry out further attacks on the target system
VAR-200208-0198 CVE-2002-0488 Linux Directory Penguin Traceroute Remote command execution vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Linux Directory Penguin traceroute.pl CGI script 1.0 allows remote attackers to execute arbitrary code via shell metacharacters in the host parameter. Penguin traceroute.pl is a freely available, open source script for tracing network hops from a web server. It is distributed by Linux Directory. The Penguin traceroute script does not adequately filter special characters. This makes it possible for a remote user to embed commands into a request using special characters such as the ';' or '|' characters. The embedded command would be executed with the permissions of the web server (httpd). Penguin traceroute.pl is a Perl program that provides a route-tracing function through a web interface, developed and maintained by Linux Directory. Penguin traceroute.pl does not adequately filter its input before executing the traceroute program, allowing attackers to execute arbitrary commands with httpd privileges. An attacker can enter the metacharacter ";" followed by any command, which will then be executed with httpd authority
VAR-200208-0019 CVE-2002-0426 Linksys BEFVP41 Key Truncation Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
VPN Server module in Linksys EtherFast BEFVP41 Cable/DSL VPN Router before 1.40.1 reduces the key lengths for keys that are supplied via manual key entry, which makes it easier for attackers to crack the keys. BEFVP41 is a hardware router that is currently developed and maintained by Linksys. BEFVP41 supports Triple DES encryption keys (48 hexadecimal characters) and MD5 authentication keys (32 hexadecimal characters), for example: Encryption: 80C4DAFD9AFC3D7AB57079E19DEBFFF43538A62039768D74 Authentication: 32EA72F58D7F1E063E14A3FF78131172 However, due to a design error, when the user tries to manually enter these keys, they are truncated by mistake and become 23 hex characters and 19 hex characters respectively: Encryption: 80C4DAFD9AFC3D7AB57079E Authentication: 32EA72F58D7F1E063E1 This leads to the use of weak keys, increasing the likelihood of successful brute-force attacks. When a user attempts to manually enter a generated Triple DES key of any length greater than 23 bytes, the key is truncated to a maximum of 23 bytes; manual entry of the authentication key results in a truncated key with a maximum length of 19 bytes
VAR-200208-0021 CVE-2002-0428 Check Point FW-1 SecuClient/SecuRemote Client Design Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Check Point FireWall-1 SecuRemote/SecuClient 4.0 and 4.1 allows clients to bypass the "authentication timeout" by modifying the to_expire or expire values in the client's users.C configuration file. Check Point Firewall-1 is a popular firewall package available from Check Point Software Technologies. SecuClient/SecuRemote are VPN-1 implementations for Check Point Firewall-1 products. It is possible to configure a timeout value for cached user credentials. This value is stored on client systems and can be modified by users of client systems. If security policy includes a time limit on cached credentials, malicious authenticated users may bypass the policy by modifying the value. Depending on the operating system of the client host, local administrative privileges on the client host may be required to modify the configuration file. In addition to the timeout values, other sensitive information is reportedly stored on client systems. Further details are not known at this time. SecuClient/SecuRemote is flawed in design, allowing client-local attackers to bypass certain server-side settings: the server sets a time limit for caching authentication information, after which the user should be forced to log in again, but the client-side value controlling this limit can be altered
VAR-200212-0445 CVE-2002-1774 Symantec Norton AntiVirus NULL Character handling improper mail protection can bypass the vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
NOTE: this issue has been disputed by the vendor. Symantec Norton AntiVirus 2002 allows remote attackers to send viruses that bypass the e-mail scanning via a NULL character in the MIME header before the virus. NOTE: the vendor has disputed this issue, acknowledging that the initial scan is bypassed, but the AutoProtect feature would detect the virus before it is executed. Upon receiving an email message crafted in this way, Norton AntiVirus 2002 fails to detect the virus. As a result, email messages with malicious content (i.e. viruses, trojans, etc.) will go undetected and could possibly run on the recipient's system
VAR-200212-0446 CVE-2002-1775 Symantec Norton AntiVirus non- RFC compatible EMAIL Protection can bypass the vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
NOTE: this issue has been disputed by the vendor. Symantec Norton AntiVirus (NAV) 2002 allows remote attackers to bypass the initial virus scan and cause NAV to prematurely stop scanning by using a non-RFC compliant MIME header. NOTE: the vendor has disputed this issue, acknowledging that the initial scan is bypassed, but the AutoProtect feature would detect the virus before it is executed. An issue has been discovered which involves Symantec Norton AntiVirus 2002 incoming email scanning protection feature. As a result infected emails could go undetected
VAR-200212-0447 CVE-2002-1776 Symantec Norton AntiVirus Exception file type mail protection can bypass the vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
NOTE: this issue has been disputed by the vendor. Symantec Norton AntiVirus 2002 allows remote attackers to bypass virus protection via a Word Macro virus with a .nch or .dbx extension, which is automatically recognized and executed as a Microsoft Office document. NOTE: the vendor has disputed this issue, acknowledging that the initial scan is bypassed, but the Office plug-in would detect the virus before it is executed. An issue has been discovered which involves Symantec Norton AntiVirus 2002 incoming email scanning protection feature. Files renamed with either a .dbx or .nch file extension can bypass the email protection feature of Norton. This issue may allow for the execution of files, depending on their original file format
VAR-200212-0448 CVE-2002-1777 Symantec Norton AntiVirus Inconsistent exception handling MIME header vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
NOTE: this issue has been disputed by the vendor. Symantec Norton AntiVirus (NAV) 2002 allows remote attackers to bypass e-mail scanning via a filename in the Content-Type field with an excluded extension such as .nch or .dbx, but a malicious extension in the Content-Disposition field, which is used by Outlook to obtain the file name. NOTE: the vendor has disputed this issue, acknowledging that the initial scan is bypassed, but Norton AntiVirus or the Office plug-in would detect the virus before it is executed. An issue has been discovered which involves Symantec Norton AntiVirus 2002 incoming email scanning protection feature. Using conflicting MIME headers, it is possible to rename a file to an excluded filetype in the Content-Type field, and include the original filename in the Content-Disposition field, resulting in the execution of the file by the appropriate application. For example: Content-Type: application/msword; name="filename.nch" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="filename.doc" Norton will detect the attachment as a .nch file; however, Microsoft Office will detect the .doc extension and handle it as such. If the .doc attachment happens to be a Word macro virus, it will execute on the user's system
VAR-200203-0011 CVE-2002-0083 OpenSSH contains a one-off overflow of an array in the channel handling code CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges. OpenSSH is a program used to provide secure connection and communications between clients and servers. Channels are used to segregate differing traffic between the client and the server. OpenSSH is a suite implementing the SSH protocol. It includes client and server software, and supports ssh and sftp. It was initially developed for BSD, but is also widely used for Linux, Solaris, and other UNIX-like operating systems. It encrypts all network communications it transmits, thereby avoiding attacks at many network layers, and is a very useful network connection tool. A vulnerability has been announced in some versions of OpenSSH. A malicious client may exploit this vulnerability by connecting to a vulnerable server. Valid credentials are believed to be required, since the exploitable condition reportedly occurs after successful authentication. An examination of the code suggests this, but it has not been confirmed by the maintainer. Administrators should assume that this can be exploited without authentication and should patch vulnerable versions immediately. To implement X11, TCP and agent forwarding, OpenSSH multiplexes multiple "channels" on a single TCP connection. The program may mistakenly use memory data outside the normal range of the channel array; a user with a legitimate login account can, after entering the system, exploit this vulnerability to make sshd execute arbitrary commands with root privileges and so obtain root authority on the host
VAR-200208-0012 CVE-2002-0419 Microsoft Internet Information Services Information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Information leaks in IIS 4 through 5.1 allow remote attackers to obtain potentially sensitive information or more easily conduct brute force attacks via responses from the server in which (2) in certain configurations, the server IP address is provided as the realm for Basic authentication, which could reveal real IP addresses that were obscured by NAT, or (3) when NTLM authentication is used, the NetBIOS name of the server and its Windows NT domain are revealed in response to an Authorization request. NOTE: this entry originally contained a vector (1) in which the server reveals whether it supports Basic or NTLM authentication through 401 Access Denied error messages. CVE has REJECTED this vector; it is not a vulnerability because the information is already available through legitimate use, since authentication cannot proceed without specifying a scheme that is supported by both the client and the server. Microsoft IIS supports Basic and NTLM authentication. When a valid authentication request is submitted for either scheme with an invalid username and password, an error message will be returned. This happens even if anonymous access to the requested resource is allowed. An attacker may be able to use this information to launch further targeted attacks against the server, or to launch a brute-force password attack against a known username
VAR-200206-0050 CVE-2002-0350 HP ProCurve Switch Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
HP Procurve Switch 4000M running firmware C.08.22 and C.09.09 allows remote attackers to cause a denial of service via a port scan of the management IP address, which disables the telnet service. A problem with the switch could make it possible to deny telnet service to legitimate users of the device. The problem is in the handling of port scans by the device. When the switch is portscanned by a tool such as nmap, which is capable of producing a high number of TCP connect() requests in a short period of time, the switch will no longer accept new telnet connections. Reportedly, this issue does not affect ICMP or SNMP management of the device, nor are existing telnet sessions disconnected. Rebooting the switch may be required in order to regain normal functionality. The HP ProCurve 4000M with firmware version C.09.09 or C.08.22 is reported to be susceptible to this issue. HP ProCurve Switch is a switch product produced by HP
VAR-200206-0049 CVE-2002-0349 Tiny Personal Firewall Locked terminal is bypassed CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Tiny Personal Firewall (TPF) 2.0.15, under certain configurations, will pop up an alert to the system even when the screen is locked, which could allow an attacker with physical access to the machine to hide activities or bypass access restrictions. Reportedly, this is possible even if the local system is locked. Allegedly, a user scanning the network could initiate an alert dialogue in the foreground of a locked workstation with the firewall installed. The dialogue box requires the user to either permit or deny input. If the workstation is unattended, the local attacker could select permit and enter information into the firewall program without the legitimate user's knowledge. Potentially this issue could allow unauthorized users to modify the Tiny Personal Firewall settings. Suppose a Windows 2000 system has Tiny Personal Firewall (2.0.15a) installed and is then locked with Ctrl+Alt+Del. If a network scan is carried out against this machine, a dialog box pops up on the main console, waiting for the user to select "Allow/Forbid". Even though the machine is locked, this dialog box still appears. Anyone with physical access to the machine can make a choice in this dialog, potentially modifying firewall rules
VAR-200206-0039 CVE-2002-0339 Cisco IOS discloses fragments of previous packets when Express Forwarding is enabled CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco IOS 11.1CC through 12.2 with Cisco Express Forwarding (CEF) enabled includes portions of previous packets in the padding of a MAC level packet when the MAC packet's length is less than the IP level packet length. A vulnerability exists in multiple versions of Cisco's Internetworking Operating System (IOS) software that allows an attacker to collect fragments of previously processed packets. IOS is the Internetworking Operating System used on Cisco routers. It is distributed and maintained by Cisco. Under some circumstances, Cisco IOS may leak information from previously routed packets that are still in memory: the data used to pad a short packet is taken from other packets previously routed that are still in the router's memory. It should be noted that this problem occurs only when Cisco Express Forwarding is enabled. Attackers cannot choose which data is leaked, which reduces the likelihood of obtaining sensitive information
VAR-200205-0068 CVE-2002-0302 Symantec Enterprise Firewall Notify Daemon SNMP Data Loss Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Notify daemon for Symantec Enterprise Firewall (SEF) 6.5.x drops large alerts when SNMP is used as the transport, which could prevent some alerts from being sent in the event of an attack. The Symantec Enterprise Firewall (SEF) is a high performance firewall solution, and is available for both Windows and Solaris systems. SEF includes a notification mechanism for important log messages, which is implemented through the Notify Daemon. It is possible to send notifications to a specified server through SNMP traps. The SNMP reporting mechanism may, under some circumstances, fail to forward messages. This may occur when the message is over 1024 characters. Although the error is logged, no additional notification is sent. Exploitation of this vulnerability may result in lost information, possibly allowing an attack against the firewall or internal systems to go undetected. Other versions of Symantec Enterprise Firewall may share this vulnerability