VARIoT IoT vulnerabilities database

VAR-200212-0872 | CVE-2002-2355 | Netgear FM114P Wireless Firewall Remote Information Disclosure Vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Netgear FM114P firmware 1.3 wireless firewall, when configured to back up configuration information, stores the DDNS (DynDNS) user name and password, the MAC address filtering table and possibly other information in cleartext, which could allow local users to obtain sensitive information. The FM114P is an integrated hub, print server, wireless access point, firewall and IDS hardware solution developed by Netgear, marketed as the Cable/DSL ProSafe 802.11b wireless firewall.
The Netgear FM114P Cable/DSL ProSafe 802.11b wireless firewall stores plain text account information during backup operations. Remote attackers can use this vulnerability to obtain account data to further attack the system.
When the FM114P Cable/DSL ProSafe 802.11b wireless firewall is configured for backup operation, the device saves the DDNS (DynDNS) account data in cleartext. A remote attacker who can access this file can obtain the account information and use it to further attack the web interface.
It must be noted that the backup configuration option is not enabled by default.
VAR-200210-0023 | CVE-2002-1203 | IBM SecureWay Firewall Service Rejection Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IBM SecureWay Firewall before 4.2.2 performs extra processing before determining that a packet is invalid and dropping it, which allows remote attackers to cause a denial of service (resource exhaustion) via a flood of malformed TCP packets without any flags set. A vulnerability has been discovered in IBM SecureWay Firewall for the AIX operating system.
To reach a denial of service condition, 2.8 Mbps of malicious requests must be sent to the vulnerable firewall. Versions prior to IBM SecureWay Firewall 4.2.2 perform additional processing before judging packets invalid and discarding them.
VAR-200212-0811 | CVE-2002-2336 | PC Firewall automatically blocks operation remote denial of service attack vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Norton Personal Firewall 2002 4.0, when configured to automatically block attacks, allows remote attackers to block IP addresses and cause a denial of service via spoofed packets. The problem is in the handling of spoofed traffic.
Under some circumstances, remote users can deny users of PC firewall software access to various sites. By sending spoofed traffic that the firewall software package deems malicious, an attacker can effectively limit the sites a system is capable of reaching. Many PC firewalls have a function that automatically blocks the source of detected attacks.
VAR-200212-0339 | CVE-2002-1908 | Microsoft Internet Information Services Security hole |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Microsoft IIS 5.0 and 5.1 allows remote attackers to cause a denial of service (CPU consumption) via an HTTP request with a Host header that contains a large number of "/" (forward slash) characters. Microsoft IIS is reported to be prone to a remotely exploitable denial of service.
This condition occurs upon receipt of a malformed HOST field in an HTTP request for 'shtml.dll'. It is possible to reproduce this condition by sending an HTTP POST request with a HOST header field that is composed of an excessive number of slashes (/).
Further details are not known at this time.
VAR-200210-0052 | CVE-2002-1189 | Cisco Unity Default Limit International Transit Phone Forwarding Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
The default configuration of Cisco Unity 2.x and 3.x does not block international operator calls in the predefined restriction tables, which could allow authenticated users to place international calls using call forwarding. Unity is a Cisco software product designed to unify voice message, fax, and e-mail into a user's inbox.
Under some circumstances, users may be able to forward calls to unauthorized destinations: the predefined restriction tables do not prevent forwarding to international operators.
VAR-200210-0182 | CVE-2002-0880 | Cisco IP Phone (VoIP) Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IP Phone (VoIP) models 7910, 7940, and 7960 allow remote attackers to cause a denial of service (crash) via malformed packets as demonstrated by (1) "jolt", (2) "jolt2", (3) "raped", (4) "hping2", (5) "bloop", (6) "bubonic", (7) "mutant", (8) "trash", and (9) "trash2". The VoIP Phone CP-7940 is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause denial-of-service conditions. Cisco IP Phone (VoIP) models 7910, 7940, and 7960 are vulnerable.
VAR-200210-0086 | CVE-2002-0954 | Cisco PIX Firewall Deciphering password vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The encryption algorithms for the enable and passwd commands on Cisco PIX Firewall can be executed quickly due to a limited number of rounds, which makes it easier for an attacker to decrypt the passwords using brute force techniques. PIX Firewall is prone to a remote security vulnerability. This vulnerability makes it easier for attackers to use brute force techniques to recover passwords.
VAR-200210-0125 | CVE-2002-1047 | Watchguard Soho Firewall FTP Encryption problem vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The FTP service in Watchguard Soho Firewall 5.0.35a allows remote attackers to gain privileges with a correct password but an incorrect user name. Soho Firewall is prone to a remote security vulnerability.
VAR-200210-0272 | CVE-2002-1101 | Cisco VPN 3000 Concentrator Denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco VPN 3000 Concentrator 2.2.x, 3.6(Rel), and 3.x before 3.5.5 allows remote attackers to cause a denial of service via a long user name. VPN 3000 Concentrator is prone to a denial-of-service vulnerability.
VAR-200212-0323 | CVE-2002-1892 | NetGear FVS318 username / Password leak vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
NETGEAR FVS318 running firmware 1.1 stores the username and password in a readable format when a backup of the configuration file is made, which allows local users to obtain sensitive information. A vulnerability has been reported in NetGear Firewall/VPN/Routers.
When configured to back up configuration settings, the device stores various usernames and passwords in cleartext. Accessing this file could allow an attacker to obtain sensitive information, which could aid the attacker in compromising the web administrative interface of the device.
It should be noted that the backup option is not enabled by default, but it is a common feature used by administrators. Local users can thus obtain sensitive information.
VAR-200212-0503 | CVE-2002-1803 | PHPNuke News information HTML Injection vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in PHP-Nuke 6.0 allows remote attackers to inject arbitrary web script or HTML via JavaScript in an IMG tag. Problems with PHPNuke could make it possible to execute arbitrary script code in a vulnerable client.
PHPNuke does not sufficiently filter potentially malicious HTML code from news posts. As a result, when a user views a news posting that contains malicious HTML code, the code contained in the posted message is executed in the browser of the vulnerable user. This occurs in the context of the site running the PHPNuke software. PHP-Nuke version 6.0 has a cross-site scripting (XSS) vulnerability.
VAR-200210-0044 | CVE-2002-1147 | HP Procurve 4000M Switch Device Reset Service Rejection Vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The HTTP administration interface for HP Procurve 4000M Switch firmware before C.09.16, with stacking features and remote administration enabled, does not authenticate requests to reset the device, which allows remote attackers to cause a denial of service via a direct request to the device_reset CGI program. When multiple Procurve switches are used interconnected, it is common for an administrator to enable a feature allowing each switch to be viewed through a single interface, accessible via the web.
It has been reported that HP Procurve Switches are vulnerable to a denial of service attack, when used in a "stack" configuration. It is possible for an attacker to reset member switches by issuing a device reset command to a vulnerable device. Vulnerable devices do not require authentication before accepting this command.
It should be noted that the web interface is not enabled by default.
VAR-200311-0086 | CVE-2001-1411 | Mac OS X utility gm4 contains format string vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Format string vulnerability in gm4 (aka m4) on Mac OS X may allow local users to gain privileges if gm4 is called by setuid programs. Mac OS X is prone to a local security vulnerability. If gm4 is invoked by a setuid program, local users can elevate privileges.
VAR-200212-0329 | CVE-2002-1898 | Apple Mac OS X Terminal.APP Telnet Connect local command execution vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Terminal 1.3 in Apple Mac OS X 10.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a telnet:// link, which is executed by Terminal.app window. Mac OS X is the BSD-based operating system distributed and maintained by Apple.
It has been discovered that some types of links, when clicked on, may result in the execution of arbitrary commands. Due to the improper handling of some links, a user clicking on a link containing special characters and embedded commands could cause the commands in the link to be executed in a Terminal.app window. These commands would be executed in the security context of the user. Because Mac OS X does not properly check the content of some connection types, a local attacker can exploit this vulnerability to elevate privileges.
VAR-200209-0069 | No CVE | Cisco IP Phone 7960 Firmware Image File Unsigned Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Cisco IP Phone 7960 is a system that provides voice over IP networks. The firmware image file used by the Cisco IP Phone 7960 is not signed, so a remote attacker can supply a malicious firmware image that the phone downloads without the user noticing. Because the firmware image file contents are not signed and verified, the phone cannot determine whether the downloaded firmware is legitimate. A firmware image with a higher version number is trusted by the device and is installed and started when the device boots. This process is transparent and does not require any user interaction. If an attacker can control the TFTP server, they can upload malicious firmware, causing malicious content to be installed on devices with this vulnerability. TFTP does not provide authentication.
It is also theoretically possible for an attacker to substitute a malicious configuration file by exploiting this weakness.
VAR-200209-0079 | No CVE | Cisco IP Phone 7960 Firmware TFTP Authentication Weakness |
CVSS V2: - CVSS V3: - Severity: - |
The Cisco IP Phone 7960 uses TFTP (Trivial File Transfer Protocol) to download firmware images and configuration files. TFTP is conducted over UDP and does not provide authentication. Sensitive information is contained in the configuration file (such as the IP address of the SIP Proxy Server and the 'phone_password' credential). If an attacker can guess the name of configuration files, then it is possible to retrieve them from the TFTP server.
Information gathered in this manner may aid in mounting further documented attacks which have the potential to compromise the IP telephony network.
VAR-200212-0665 | CVE-2002-2405 | Check Point Firewall-1 HTTP Proxy Server Unauthorized Protocol Access Vulnerability |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Check Point FireWall-1 4.1 and Next Generation (NG), with UserAuth configured to proxy HTTP traffic only, allows remote attackers to pass unauthorized HTTPS, FTP and possibly other traffic through the firewall. Firewall-1 is an enterprise level firewall package distributed by Check Point Technologies. It is available for the Unix, Linux, and Microsoft Windows platforms.
It has been reported that Firewall-1 does not properly check the contents of sessions passed through the HTTP proxy server. It is possible for a remote user with access to the proxy server through an authenticated user account to pass protocols through the system that violate security policy. These protocols include FTP and HTTPS. It should also be noted that this vulnerability affects the HTTPS proxy for Firewall-1. Remote attackers can use this vulnerability to communicate externally through the HTTP proxy server using multiple protocols. The issue arises when FW-1 is installed "out of the box" and configured with the following rules:

Source            Destination  Service  Action    Track  Comment
AllUsers@SomeNet  webserver    http     UserAuth  Long   Allow Auth HTTP
Any               firewall     Any      drop      Long   Stealth Rule
Any               Any          Any      drop      Long   CleanUp Rule

When Firewall-1 operates using UserAuth, the communication is handled by the security service module, and in the case of an HTTP proxy by the HTTP security service module (in.ahttpd). However, the default HTTP security service module lacks correct inspection of the session content, which allows the authenticated user to communicate through this proxy server using other protocols such as HTTPS and FTP. Firewall-1 with SP6 partially corrects this issue: on a default SP6 installation where only the HTTP protocol is allowed through, using HTTPS to access a site causes a rule conflict, the access fails and error information is logged to the log files, but FTP communications are still possible through the HTTP proxy service.
VAR-200304-0128 | CVE-2002-1492 | Cisco VPN Client Local Buffer Overflow Vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Buffer overflows in the Cisco VPN 5000 Client before 5.2.7 for Linux, and VPN 5000 Client before 5.2.8 for Solaris, allow local users to gain root privileges via (1) close_tunnel and (2) open_tunnel. The condition affects the binaries 'close_tunnel' and 'open_tunnel', both installed setuid root by default. Malicious local users may exploit these vulnerabilities to gain superuser privileges on the affected host. The Cisco Virtual Private Network (VPN) client is a program used to communicate securely with enterprise Cisco VPN devices over the Internet. It is available for the Microsoft Windows operating system as well as for Linux. Cisco assigned this vulnerability the bug ID CSCdy20065 (see http://www.cisco.com/warp/public/707/vpn5k-client-multiple-vuln-pub.shtml).
VAR-200304-0127 | CVE-2002-1491 | Cisco Mac OS VPN 5000 Client Password Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Cisco VPN 5000 Client for MacOS before 5.2.2 records the most recently used login password in plaintext when saving "Default Connection" settings, which could allow local users to gain privileges. The Cisco VPN 5000 Client on Mac OS saves configuration information for the default connection in the resource fork of the preferences file. Authentication credentials for the most recent login are included in the configuration. A tool such as ResEdit may be used to extract this information. The Cisco Virtual Private Network (VPN) client is a program used to communicate securely with enterprise Cisco VPN devices over the Internet. It is available for a variety of operating systems, including Mac OS X. Local attackers can use this vulnerability to obtain sensitive information by viewing the configuration file: a local attacker can read the password stored in plain text with a tool such as ResEdit. This problem exists even when the "SaveSecrets" option is used or when password encryption is enabled. Cisco assigned this vulnerability the bug ID CSCdx17109.
VAR-200304-0040 | CVE-2002-1501 | Enterasys SSR8000 SmartSwitch Port Scanning Remote Denial of Service Attack Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The MPS functionality in Enterasys SSR8000 (Smart Switch Router) before firmware 8.3.0.10 allows remote attackers to cause a denial of service (crash) via multiple port scans to ports 15077 and 15078. The SSR8000 is a SmartSwitch distributed and maintained by Enterasys.
It has been discovered that SSR8000 switches react unpredictably when port-scanned. When these switches are scanned using specific types of TCP traffic on certain ports, the switch becomes unstable. It has been reported that this can be reproduced consistently to cause the switch to crash. Remote attackers can exploit this vulnerability to carry out denial of service attacks. The SSR8000 switch listens on TCP ports 15077 and 15078 to service its ATM MPS functionality.