VARIoT IoT vulnerabilities database


VAR-200212-0529 CVE-2002-1623 Internet Key Exchange (IKE) protocol discloses identity when Aggressive Mode shared secret authentication is used CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The design of the Internet Key Exchange (IKE) protocol, when Aggressive Mode is used with pre-shared key (shared secret) authentication, does not encrypt the initiator or responder identities during negotiation. A remote attacker can therefore determine valid usernames or group names by (1) observing the responder's reply before any password has been supplied or (2) sniffing the exchange on the wire, as originally reported for Check Point FireWall-1 SecuRemote.
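The following added example (not part of the VARIoT entry or any vendor code) shows why Aggressive Mode leaks the identity: the first Aggressive Mode message carries the Identification payload next to the SA, KE and NONCE payloads, before any keying material has been agreed, so a passive observer can read it straight out of the datagram. The script serialises constructed ISAKMP (RFC 2408) messages, then walks the payload chain and returns every identity that is readable without a key. The cookies, DH value, nonce and identities are all constructed sample data; the Main Mode message 5 below is modelled only by its encryption flag (its body would really be ciphertext).

```python
import socket
import struct

# ISAKMP fixed header (RFC 2408): initiator cookie, responder cookie, next payload,
# version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGES = {2: "MAIN_MODE", 4: "AGGRESSIVE", 5: "INFORMATIONAL"}
PAYLOAD_ID = 5
FLAG_ENCRYPTED = 0x01
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}


def build_msg(exchange, payloads, flags=0):
    """Serialise an ISAKMP message from (payload_type, body) pairs.
    Next-payload pointers are chained automatically; cookies are constructed."""
    types = [ptype for ptype, _ in payloads] + [0]
    body = b"".join(
        struct.pack("!BBH", types[i + 1], 0, 4 + len(pbody)) + pbody
        for i, (_, pbody) in enumerate(payloads)
    )
    hdr = ISAKMP_HDR.pack(b"\xaa" * 8, b"\x00" * 8, types[0], 0x10, exchange,
                          flags, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


def id_payload(id_type, data):
    """ID payload body: ID type, protocol ID (17 = UDP), port (500), then the identity."""
    return struct.pack("!BBH", id_type, 17, 500) + data


def extract_cleartext_identities(msg):
    """Walk the payload chain and return (exchange, id_type, value) for every
    Identification payload readable without a key. Raises ValueError on malformed input."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    _, _, nxt, _, xchg, flags, _, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("header length does not match datagram length")
    if flags & FLAG_ENCRYPTED:
        return []  # everything after the header is ciphertext; nothing to read
    found, off = [], ISAKMP_HDR.size
    while nxt != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        body = msg[off + 4:off + plen]
        if nxt == PAYLOAD_ID and len(body) >= 4:
            id_type, data = body[0], body[4:]
            if id_type == 1 and len(data) == 4:
                value = socket.inet_ntoa(data)
            else:
                value = data.decode("ascii", errors="replace")
            found.append((EXCHANGES.get(xchg, f"XCHG_{xchg}"),
                          ID_TYPES.get(id_type, f"ID_{id_type}"), value))
        nxt, off = following, off + plen
    return found


# Constructed sample traffic (no real captures). Aggressive Mode message 1 carries
# SA, KE, NONCE and ID together, so the identity is on the wire in the clear.
AGGRESSIVE_MSG1 = build_msg(4, [
    (1, struct.pack("!II", 1, 1)),  # SA: DOI=IPSEC, SIT_IDENTITY_ONLY (proposals omitted)
    (4, b"\x02" * 128),              # KE: Diffie-Hellman public value (constructed)
    (10, b"\x11" * 16),              # NONCE (constructed)
    (5, id_payload(3, b"alice@example.com")),
])
# Main Mode message 1 carries only the SA; the identities arrive in message 5/6
# under the encryption flag, after the DH exchange, so a sniffer gets nothing.
MAIN_MODE_MSG1 = build_msg(2, [(1, struct.pack("!II", 1, 1))])
MAIN_MODE_MSG5 = build_msg(2, [(5, id_payload(3, b"alice@example.com"))],
                           flags=FLAG_ENCRYPTED)

if __name__ == "__main__":
    for label, m in [("aggressive-1", AGGRESSIVE_MSG1), ("main-1", MAIN_MODE_MSG1),
                     ("main-5", MAIN_MODE_MSG5)]:
        print(label, extract_cleartext_identities(m))
```

Run over a UDP/500 capture, the same walker doubles as a detection check: any Identification payload returned from an exchange type 4 datagram is an identity your peers are disclosing to the network, which is the condition the entry describes.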
VAR-200212-0150 CVE-2002-2206 Norton Antivirus 2001 Poproxy Username Local Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The POP3 proxy service (POPROXY.EXE) in Norton AntiVirus 2001 allows local users to cause a denial of service (CPU consumption and crash) via a long username containing multiple /localhost entries. Norton AntiVirus 2001 scans incoming email for viruses through a local POP3 proxy: the email client connects to the proxy on the local host rather than to the mail server, and the proxy rewrites the client's POP3 username into the form "user/POP3Server" to learn which server to forward the session to
VAR-200209-0001 CVE-2002-0376 Apple QuickTime ActiveX Remote buffer overflow vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in the Apple QuickTime 5.0 ActiveX component allows remote attackers to execute arbitrary code via a long pluginspage field. The component, used by Internet Explorer to play movies and other streaming and static media embedded in web pages, fails to perform adequate boundary checks on its arguments: if it is invoked with the 'pluginspage' parameter set to an overly long string, a buffer overrun occurs. A remote attacker can exploit this by building a malicious web page or sending it as an HTML email and enticing the user to open it; carefully constructed 'pluginspage' data may then execute arbitrary instructions on the client with the privileges of the user running the browser
VAR-200212-0308 CVE-2002-1877 NetGear FM114P Prosafe URL filtering bypasses the vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
NETGEAR FM114P allows remote attackers to bypass access restrictions for web sites via a URL that uses the IP address instead of the hostname. The FM114P Prosafe is an integrated hub, print server, wireless access point, firewall and IDS appliance manufactured and distributed by Netgear. Its firewall module supports filtering by domain name, but the check is applied only to the name that appears in the request, and the filter does not by default resolve host or domain names to their addresses. A user behind the device can therefore reach a restricted site by requesting it by IP address rather than by name
VAR-200210-0275 CVE-2002-1104 Cisco VPN Client NETBIOS TCP Packet Remote Denial of Service Attack Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Virtual Private Network (VPN) Client software 2.x.x and 3.x before 3.0.5 allows remote attackers to cause a denial of service (crash) via TCP packets with both source and destination port 137 (NETBIOS). A remote attacker can tear down a connection the client has initiated by sending such a packet to port 137 of the host running the client. The Cisco VPN Client runs on Microsoft Windows and Linux. Cisco bug ID: CSCdt35749
VAR-200210-0276 CVE-2002-1105 Cisco VPN Client Local Password Disclosure Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x before 3.5.1C, allows local users to use a utility program to obtain the group password. Cisco has reported a design flaw in the Windows VPN client that may result in unintended disclosure of this password: its plaintext value can be extracted from the masked field (displayed as asterisks) on the authentication property page with a utility, possibly the publicly available "Revelation" tool, although this is unconfirmed. A local attacker can use this to recover the group password. The Cisco VPN Client runs on Microsoft Windows and Linux. Cisco bug ID: CSCdt60391
VAR-200210-0277 CVE-2002-1106 Cisco VPN Client Certificate Validation Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x before 3.5.1C, does not properly verify that certificate DN fields match those of the certificate from the VPN Concentrator, which allows remote attackers to conduct man-in-the-middle attacks. The client does not fully validate the Distinguished Names (DN) in certificates used to authenticate the concentrator, so it may trust a certificate supplied by a third party that represents a malicious host. The Cisco VPN Client runs on Microsoft Windows and Linux. Cisco bug ID: CSCdw87717
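The following added example is not Cisco code and does not reproduce the client's actual check; it models the class of mistake the entry describes. A DN string parser (RFC 4514 form, with backslash escapes) feeds two peer checks: a lax one that only compares the Common Name, which accepts a rogue certificate that merely copies the concentrator's CN, and a strict one that requires the complete subject and issuer DNs to match. The certificates' DNs are constructed; chain validation against a trusted CA is assumed to have been done separately.

```python
def parse_dn(dn):
    """Split an RFC 4514 string DN into [(type, value), ...], honouring backslash
    escapes so that 'O=Example\\, Inc' stays one RDN. Attribute types are upper-cased."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, sep, val = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((attr.strip().upper(), val.strip()))
    return out


def lax_match(expected_subject, presented_subject):
    """Hypothetical weak check: accept the peer if the CN alone matches."""
    expected = dict(parse_dn(expected_subject))
    presented = dict(parse_dn(presented_subject))
    return expected.get("CN") == presented.get("CN")


def strict_match(expected_subject, expected_issuer, presented_subject, presented_issuer):
    """Require subject and issuer to match the pinned concentrator identity RDN for
    RDN and in order; a same-CN certificate from another issuer is rejected."""
    return (parse_dn(presented_subject) == parse_dn(expected_subject)
            and parse_dn(presented_issuer) == parse_dn(expected_issuer))


# Constructed identities (not real certificates).
CONCENTRATOR_SUBJECT = "CN=vpn.example.com,OU=Network,O=Example Corp,C=US"
CONCENTRATOR_ISSUER = "CN=Example Corp Issuing CA,O=Example Corp,C=US"
ROGUE_SUBJECT = "CN=vpn.example.com,O=Attacker Ltd,C=XX"
ROGUE_ISSUER = "CN=Some Public CA,O=Some CA,C=XX"

if __name__ == "__main__":
    print("lax accepts rogue:", lax_match(CONCENTRATOR_SUBJECT, ROGUE_SUBJECT))
    print("strict accepts rogue:",
          strict_match(CONCENTRATOR_SUBJECT, CONCENTRATOR_ISSUER, ROGUE_SUBJECT, ROGUE_ISSUER))
```

Comparing parsed RDN lists rather than raw strings is deliberate: spacing and attribute-type case differ between tools that print the same DN, and a string comparison would either reject a legitimate certificate or tempt an implementer into the looser substring checks that cause exactly this kind of bypass.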
VAR-200210-0278 CVE-2002-1107 Cisco VPN Client Serial Number Predictable Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x before 3.5.2B, does not generate sufficiently random numbers, which may make it vulnerable to attacks such as spoofing. Cisco has reported that random number generation has been improved in the client. Weak randomness matters because an attacker who can predict the numbers the software generates, for example TCP sequence numbers for VPN sessions, may be able to mount man-in-the-middle attacks against a connection, inject packets into an existing connection, or gain unauthorized remote access to the VPN concentrator. The attacker may need to be within the VPN to exploit this issue. The Cisco VPN Client runs on Microsoft Windows and Linux. Cisco bug ID: CSCdx89416
VAR-200210-0279 CVE-2002-1108 Cisco VPN Client TCP Filter leak vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x before 3.6(Rel), when configured in all-tunnel mode, can be forced into acknowledging a TCP packet from outside the tunnel. This has the potential to leak information about the client system to attackers. The issue does not occur if split tunneling is enabled. 3.5.x releases of the client are also not affected if the integrated firewall is configured to run in "always on" mode; the 3.6(Rel) release, however, is reported to be affected even with the firewall in "always on" mode. The Cisco VPN Client runs on Microsoft Windows and Linux. Cisco bug ID: CSCdy37058
VAR-200209-0050 CVE-2002-0870 Cisco Content Service Switch Authentication bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The original patch for the Cisco Content Service Switch 11000 Series authentication bypass vulnerability (CVE-2001-0622) was incomplete and still allows remote attackers to gain additional privileges by requesting the web management URL directly instead of navigating through the interface, possibly via a variant of the original attack, as identified by Cisco bug ID CSCdw08549. The CSS 11000 Content Services Switch therefore remains exposed to a remote authentication bypass
VAR-200210-0245 CVE-2002-1092 Cisco VPN 3000 Concentrator 3.6(Rel) Authentication verification vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco VPN 3000 Concentrator 3.6(Rel) and earlier, and 2.x.x, when configured to use internal authentication with group accounts and no user accounts, allows remote VPN clients to log in using PPTP or IPSec user authentication. Cisco VPN 3000 series concentrators are a family of products for secure communications over Virtual Private Networks (VPNs). In this configuration the login can succeed without a user account existing, which could result in unintended privileges and access
VAR-200210-0246 CVE-2002-1093 Cisco HTTP Interface Long Request Denial Of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The HTML interface for Cisco VPN 3000 Concentrator 2.x.x and 3.x.x before 3.0.3(B) allows remote attackers to cause a denial of service (CPU consumption) via a long URL request. Cisco VPN 3000 series concentrators are a family of products for secure communications over Virtual Private Networks (VPNs). A single malicious HTTP request to a vulnerable device is enough to make the system unstable
VAR-200210-0247 CVE-2002-1094 Cisco VPN Concentrator HTTP Error page device information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Information leaks in Cisco VPN 3000 Concentrator 2.x.x and 3.x.x before 3.5.4 allow remote attackers to obtain potentially sensitive information via the (1) SSH banner, (2) FTP banner, or (3) the error page returned for an incorrect HTTP request. Cisco VPN 3000 series concentrators are a family of products for secure communications over Virtual Private Networks (VPNs). The SSH banner in particular reveals more about the device than is necessary to negotiate a session. The disclosed details support reconnaissance and a targeted attack against network resources. Cisco VPN 3000 Concentrator versions 2.x.x and 3.x.x prior to 3.5.4 are affected
VAR-200210-0248 CVE-2002-1095 Cisco VPN Concentrator PPTP Client Remote service denial vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco VPN 3000 Concentrator before 2.5.2(F), with encryption enabled, allows remote attackers to cause a denial of service (reload) via a Windows-based PPTP client with the "No Encryption" option set. Cisco VPN 3000 series concentrators are a family of products for secure communications over Virtual Private Networks (VPNs). A remote PPTP client connecting with that option can make the device reload, denying service to its legitimate users. Cisco VPN 3000 Concentrator versions earlier than 2.5.2(F) are affected
VAR-200210-0249 CVE-2002-1096 Cisco VPN 3000 Series Concentrator User Credential Disclosure Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.1, allows restricted administrators to obtain user passwords that are stored in plaintext in the HTML source code of the management pages. The browser displays these fields masked, but anyone who can retrieve the page source, a restricted administrator or, under some circumstances, a remote attacker, can read the credentials directly. Cisco VPN 3000 Concentrator versions 2.2.x and 3.x prior to 3.5.1 are affected
VAR-200210-0268 CVE-2002-1097 Cisco VPN 3000 Series Concentrator Certificate Disclosure Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.2, allows restricted administrators to obtain certificate passwords that are stored in plaintext in the HTML source code of the Certificate Management pages. This may enable such an administrator to gain unauthorized access to the Certificate Management interface. It is only an issue where an organization's policy restricts certificate management privileges to particular administrative users. Cisco VPN 3000 Concentrator versions 2.2.x and 3.x earlier than 3.5.2 are affected
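Both this entry (CVE-2002-1097) and the user-password entry above (CVE-2002-1096) describe the same defect: a management page that renders a stored secret into the value attribute of a form field, relying on the browser's asterisk mask to hide it. The following added example (not Cisco code, and not a scan of the concentrator's real pages) is a check that a reviewer or scanner can run over retrieved HTML to find such pre-filled secret fields. The two sample pages are constructed.

```python
from html.parser import HTMLParser


class SecretFieldFinder(HTMLParser):
    """Collect <input> elements that look like secret fields (type=password or a
    secret-like name) and are rendered with a non-empty value attribute."""
    SECRET_NAMES = ("password", "passwd", "pwd", "secret")

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}  # valueless attrs arrive as None
        name = a.get("name", "")
        looks_secret = (a.get("type", "").lower() == "password"
                        or any(s in name.lower() for s in self.SECRET_NAMES))
        if looks_secret and a.get("value", ""):
            self.findings.append((name, a["value"]))


def find_prefilled_secrets(html):
    """Return [(field name, plaintext value), ...] for every secret field whose
    value is embedded in the page source."""
    parser = SecretFieldFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages, not real concentrator responses. The mask the browser
# shows for type=password is cosmetic; the value attribute carries the plaintext.
LEAKY_PAGE = """
<form method="post" action="/admin/user.html">
<input type="text" name="username" value="jdoe">
<input type="password" name="password" value="Summer2002!">
<input type="password" name="certpassword" value="pkcs12-export-pw">
</form>
"""

# The corrected pattern: never echo the stored secret; an empty field means
# "leave unchanged" and the server keeps the old value if nothing is submitted.
FIXED_PAGE = """
<form method="post" action="/admin/user.html">
<input type="text" name="username" value="jdoe">
<input type="password" name="password" value="" placeholder="unchanged unless set">
</form>
"""

if __name__ == "__main__":
    print("leaky:", find_prefilled_secrets(LEAKY_PAGE))
    print("fixed:", find_prefilled_secrets(FIXED_PAGE))
```

The name heuristic matters because not every leaked secret sits in a type=password field; a certificate export passphrase or shared key is often rendered as a plain text input with a telling name.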
VAR-200210-0269 CVE-2002-1098 Cisco VPN 3000 Series Concentrator XML Filter Configuring an error access vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.3, adds an "HTTPS on Public Inbound (XML-Auto)(forward/in)" rule but sets its protocol to "ANY" when the XML filter configuration is enabled, which ultimately allows arbitrary traffic to pass through the concentrator. The issue arises when XML filters are enabled on the public interface of the device. The concentrator consults the destination port of a rule only when the rule's protocol is "TCP" or "UDP"; because the protocol is mistakenly set to "ANY", the port is never evaluated and the rule forwards connections of any protocol to any port through the concentrator. Cisco VPN 3000 Concentrator versions 2.2.x and 3.x prior to 3.5.3 are affected
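The following added example (not Cisco code, and not the concentrator's real filter engine) models the matching rule the entry describes: the destination port is consulted only for TCP and UDP rules. With protocol ANY and port 443, the auto-generated rule therefore matches every inbound packet. The rule sets and packets are constructed; the audit function at the end is the check a reviewer would want, flagging any forward rule whose port can never be evaluated.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "ANY"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "forward" or "drop"
    direction: str       # "in" or "out"
    protocol: str        # "TCP", "UDP", "ICMP", "ESP" or ANY
    dst_port: Optional[int]


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: Optional[int]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Match logic as the advisory describes it: the protocol must agree (ANY matches
    everything) and the destination port is consulted only for TCP and UDP rules."""
    if rule.protocol != ANY and rule.protocol != pkt.protocol:
        return False
    if rule.protocol in ("TCP", "UDP"):
        return rule.dst_port is None or rule.dst_port == pkt.dst_port
    return True  # port silently ignored for ANY/ICMP/ESP rules


def first_decision(rules: List[Rule], pkt: Packet, default: str = "drop") -> Tuple[str, str]:
    """First-match evaluation of the inbound rule list; implicit drop at the end."""
    for r in rules:
        if r.direction == "in" and rule_matches(r, pkt):
            return r.action, r.name
    return default, "implicit"


def audit_rules(rules: List[Rule]) -> List[str]:
    """Flag forward rules that name a port but use a protocol for which the port is
    never evaluated: such a rule is effectively 'permit everything inbound'."""
    return [r.name for r in rules
            if r.action == "forward" and r.dst_port is not None
            and r.protocol not in ("TCP", "UDP")]


# Constructed rule sets (not a configuration dump from the device).
XML_RULE_AS_SHIPPED = Rule("HTTPS on Public Inbound (XML-Auto)", "forward", "in", ANY, 443)
XML_RULE_CORRECTED = Rule("HTTPS on Public Inbound (XML-Auto)", "forward", "in", "TCP", 443)
PUBLIC_INBOUND = [
    Rule("IKE", "forward", "in", "UDP", 500),
    Rule("ESP", "forward", "in", "ESP", None),
]

if __name__ == "__main__":
    telnet = Packet("TCP", 23)
    for label, rules in (("as shipped", PUBLIC_INBOUND + [XML_RULE_AS_SHIPPED]),
                         ("corrected", PUBLIC_INBOUND + [XML_RULE_CORRECTED])):
        print(label, "telnet ->", first_decision(rules, telnet), "audit:", audit_rules(rules))
```

The audit is cheap to run against any exported filter configuration and catches the general shape of this bug, not only the XML-Auto rule: a port constraint on a non-TCP/UDP rule is always a sign that the rule does something other than what its name says.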
VAR-200210-0270 CVE-2002-1099 Cisco VPN 3000 Series Concentrator Web Interface Information Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.3, allows remote attackers to obtain potentially sensitive information without authentication by directly accessing certain HTML pages. Some areas of the web interface are reachable by unauthenticated web users, and the information disclosed there may help an attacker mount further attacks against the device and the network. Cisco VPN 3000 Concentrator versions 2.2.x and 3.x prior to 3.5.3 are affected
VAR-200210-0271 CVE-2002-1100 Cisco VPN 3000 Series Concentrator Publish User Certificate Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.3, allows remote attackers to cause a denial of service (crash) via a long (1) username or (2) password submitted to the HTML login interface. To exploit this condition, the attacker submits overly long values for the username or password fields with the POST method, for example from a modified copy of the login form. Successful exploitation causes the device to reload. Cisco VPN 3000 Concentrator versions 2.2.x and 3.x prior to 3.5.3 are affected
VAR-200210-0273 CVE-2002-1102 Cisco VPN 3000 Concentrator LAN-to-LAN IPSEC capability Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The LAN-to-LAN IPSEC capability for Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.4, allows remote attackers to cause a denial of service via an incoming LAN-to-LAN connection that claims the same remote network as an existing security association with another device, which causes the concentrator to tear down the previous connection. Cisco has reported this as a vulnerability in the handling of incoming LAN-to-LAN IPSEC tunnel connections that may be exploitable as a denial of service. Furthermore, affected devices do not ensure that data transmitted across a LAN-to-LAN IPSEC tunnel is sourced from the appropriate network; the implications of this potentially separate issue are not yet known. Cisco VPN 3000 Concentrator versions 2.2.x and 3.x prior to 3.5.4 are affected