VARIoT IoT vulnerabilities database
| VAR-200402-0018 | CVE-2004-0056 | Multiple vulnerabilities in H.323 implementations |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple vulnerabilities in the H.323 protocol implementation for Nortel Networks Business Communications Manager (BCM), Succession 1000 IP Trunk and IP Peer Networking, and 802.11 Wireless IP Gateway allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. A number of vulnerabilities have been discovered in various implementations of the multimedia telephony protocols H.323 and H.225. Voice over Internet Protocol (VoIP) and video conferencing equipment and software can use these protocols to interoperate over a variety of computer networks. The majority of the vulnerabilities discovered are limited to denial of service impacts; however, several may allow unauthorized code execution. Remote attackers can use these vulnerabilities to conduct denial-of-service attacks against devices and software that implement H.323, and may be able to execute arbitrary instructions with the privileges of the affected process. Vendor status at the time of writing: 3Com, Alcatel, AT&T, Borderware, Check Point and BSDI had no statement on this issue; Apple Computer Inc. reported that Mac OS X and Mac OS X Server are not affected; Avaya referred to NISCC Vulnerability Advisory 006489/H323 (http://www.uniras.gov.uk/vuls/2004/006489/h323.htm); Cisco Systems Inc. issued its own advisory (see Appendix A of the CERT advisory below).
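The PROTOS test suite named above works by feeding malformed H.225.0 call-signalling messages to an implementation and watching for crashes. As an added illustration that is not part of the VARIoT entry or of the CERT/NISCC advisory, the Python below parses the framing of an H.225.0 call-signalling message (TPKT header, Q.931 header, information-element list) with an explicit bounds check at every length field the remote peer controls, and rejects a constructed Setup message whose User-user IE length is inflated and one whose TPKT length exceeds the bytes received. The sample messages, the placeholder User-user payload and the names `parse_h225`, `is_rejected` and `MalformedMessage` are assumptions of this example; the ASN.1 PER-encoded H323-UserInformation carried inside the User-user IE is left as opaque bytes and is not decoded.

```python
"""Bounds-checked framing parser for H.225.0 call-signalling messages.

H.225.0 call signalling carries Q.931 messages inside a TPKT (RFC 1006)
header on TCP port 1720.  Each layer has a peer-controlled length field;
this parser checks every one against the bytes actually present and
refuses the message rather than reading past the buffer.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

TPKT_VERSION = 3
TPKT_HEADER_LEN = 4
Q931_PROTOCOL_DISCRIMINATOR = 0x08
IE_USER_USER = 0x7E      # the only Q.931 IE with a two-octet length field
MSG_SETUP = 0x05


class MalformedMessage(ValueError):
    """Raised for any message whose length fields disagree with the data."""


@dataclass
class Q931Message:
    call_reference: bytes
    message_type: int
    single_octet_ies: List[int]
    ies: List[Tuple[int, bytes]]   # (IE identifier, IE contents) in wire order


def parse_tpkt(packet: bytes) -> bytes:
    """Strip the TPKT header and return the Q.931 body it frames."""
    if len(packet) < TPKT_HEADER_LEN:
        raise MalformedMessage("packet shorter than a TPKT header")
    version, _reserved, length = struct.unpack("!BBH", packet[:TPKT_HEADER_LEN])
    if version != TPKT_VERSION:
        raise MalformedMessage(f"unsupported TPKT version {version}")
    # the length covers the header itself and must fit in what was received
    if length < TPKT_HEADER_LEN or length > len(packet):
        raise MalformedMessage(f"TPKT length {length} vs {len(packet)} bytes received")
    return packet[TPKT_HEADER_LEN:length]


def parse_q931(body: bytes) -> Q931Message:
    """Parse the Q.931 header and information-element list with bounds checks."""
    if len(body) < 3:
        raise MalformedMessage("Q.931 body too short")
    if body[0] != Q931_PROTOCOL_DISCRIMINATOR:
        raise MalformedMessage(f"bad protocol discriminator 0x{body[0]:02x}")
    call_ref_len = body[1] & 0x0F
    pos = 2
    if pos + call_ref_len + 1 > len(body):
        raise MalformedMessage("truncated call reference / message type")
    call_ref = body[pos:pos + call_ref_len]
    pos += call_ref_len
    message_type = body[pos] & 0x7F
    pos += 1

    single: List[int] = []
    ies: List[Tuple[int, bytes]] = []
    while pos < len(body):
        ie_id = body[pos]
        if ie_id & 0x80:                  # single-octet IE: identifier only
            single.append(ie_id)
            pos += 1
            continue
        header_len = 3 if ie_id == IE_USER_USER else 2
        if pos + header_len > len(body):
            raise MalformedMessage(f"IE 0x{ie_id:02x} header truncated")
        if ie_id == IE_USER_USER:
            (length,) = struct.unpack("!H", body[pos + 1:pos + 3])
        else:
            length = body[pos + 1]
        start, end = pos + header_len, pos + header_len + length
        if end > len(body):               # the classic over-long length field
            raise MalformedMessage(
                f"IE 0x{ie_id:02x} claims {length} bytes, only {len(body) - start} remain")
        ies.append((ie_id, body[start:end]))
        pos = end
    return Q931Message(call_ref, message_type, single, ies)


def parse_h225(packet: bytes) -> Q931Message:
    return parse_q931(parse_tpkt(packet))


def is_rejected(packet: bytes) -> bool:
    """True if the parser refuses the packet as malformed."""
    try:
        parse_h225(packet)
    except MalformedMessage:
        return True
    return False


# Constructed sample Setup message (not captured traffic).  The User-user IE
# payload is a placeholder, not a real PER-encoded H323-UserInformation.
SAMPLE_SETUP = bytes.fromhex(
    "0300001c"              # TPKT: version 3, reserved, total length 28
    "08"                    # Q.931 protocol discriminator
    "02" "0001"             # call reference: length 2, value 0x0001
    "05"                    # message type: Setup
    "04" "03" "8818a5"      # Bearer capability IE, 3 octets
    "28" "05" "616c696365"  # Display IE: "alice"
    "7e" "0004" "05200001"  # User-user IE, two-octet length 4, opaque payload
)
# Same message with the User-user length inflated to 0xFFFF: the kind of input a
# robustness test suite generates, and the case a naive parser over-reads.
OVERLONG_IE_SETUP = SAMPLE_SETUP.replace(b"\x7e\x00\x04", b"\x7e\xff\xff")
TRUNCATED_SETUP = SAMPLE_SETUP[:20]   # TPKT header still claims 28 bytes

if __name__ == "__main__":
    msg = parse_h225(SAMPLE_SETUP)
    print("Setup, call ref", msg.call_reference.hex(), "IEs", [hex(i) for i, _ in msg.ies])
    for name, pkt in (("overlong IE", OVERLONG_IE_SETUP), ("truncated", TRUNCATED_SETUP)):
        print(name, "rejected" if is_rejected(pkt) else "accepted")
```

The two malformed samples are the two failure modes a framing layer must survive: an inner length that exceeds the outer frame, and an outer frame that exceeds the bytes actually read from the socket. A real implementation also has to apply the same discipline inside the PER decoder for the User-user payload, which this example does not attempt.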
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities
Original release date: January 13, 2004
Last revised: --
Source: CERT/CC, NISCC
A complete revision history can be found at the end of this file.
I. Description
The U.K. H.323 is
an international standard protocol, published by the International
Telecommunications Union, used to facilitate communication among
telephony and multimedia systems. Examples of such systems include
VoIP, video-conferencing equipment, and network devices that manage
H.323 traffic. A test suite developed by NISCC and the University of
Oulu Security Programming Group (OUSPG) has exposed multiple
vulnerabilities in a variety of implementations of the H.323 protocol
(specifically its connection setup sub-protocol H.225.0).
Information about individual vendor H.323 implementations is available
in the Vendor Information section below, and in the Vendor Information
section of NISCC Vulnerability Advisory 006489/H323.
The U.K. National Infrastructure Security Co-ordination Centre is
tracking these vulnerabilities as NISCC/006489/H.323. The CERT/CC is
tracking this issue as VU#749342. This reference number corresponds to
CVE candidate CAN-2003-0819, as referenced in Microsoft Security
Bulletin MS04-001.
II.
III. Solution
Apply a patch or upgrade
Appendix A and the Systems Affected section of Vulnerability Note
VU#749342 contain information provided by vendors for this advisory
(<http://www.kb.cert.org/vuls/id/749342#systems>).
However, as vendors report new information to the CERT/CC, we will
only update VU#749342. If a particular vendor is not listed, we have
not received their comments. Please contact your vendor directly.
Filter network traffic
Sites are encouraged to apply network packet filters to block access
to the H.323 services at network borders. This can minimize the
potential of denial-of-service attacks originating from outside the
perimeter. The specific services that should be filtered include
* 1720/TCP
* 1720/UDP
If access cannot be filtered at the network perimeter, the CERT/CC
recommends limiting access to only those external hosts that require
H.323 for normal operation. As a general rule, filtering all types of
network traffic that are not required for normal operation is
recommended.
It is important to note that some firewalls process H.323 packets and
may themselves be vulnerable to attack. As noted in some vendor
recommendations like Cisco Security Advisory 20040113-h323 and
Microsoft Security Bulletin MS04-001, certain sites may actually want
to disable application layer inspection of H.323 network packets.
Protecting your infrastructure against these vulnerabilities may
require careful coordination among application, computer, network, and
telephony administrators. You may have to make tradeoffs between
security and functionality until vulnerable products can be updated.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. Please see the Systems Affected section of Vulnerability
Note VU#749342 and the Vendor Information section of NISCC
Vulnerability Advisory 006489/H323 for the latest information
regarding the response of the vendor community to this issue.
3Com
No statement is currently available from the vendor regarding this
vulnerability.
Alcatel
No statement is currently available from the vendor regarding this
vulnerability.
Apple Computer Inc.
Apple: Not Vulnerable. Mac OS X and Mac OS X Server do not contain
the issue described in this note.
AT&T
No statement is currently available from the vendor regarding this
vulnerability.
Avaya
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Borderware
No statement is currently available from the vendor regarding this
vulnerability.
Check Point
No statement is currently available from the vendor regarding this
vulnerability.
BSDI
No statement is currently available from the vendor regarding this
vulnerability.
Cisco Systems Inc.
Please see
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml
Clavister
No statement is currently available from the vendor regarding this
vulnerability.
Computer Associates
No statement is currently available from the vendor regarding this
vulnerability.
Cyberguard
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Debian
No statement is currently available from the vendor regarding this
vulnerability.
D-Link Systems
No statement is currently available from the vendor regarding this
vulnerability.
Conectiva
No statement is currently available from the vendor regarding this
vulnerability.
EMC Corporation
No statement is currently available from the vendor regarding this
vulnerability.
Engarde
No statement is currently available from the vendor regarding this
vulnerability.
eSoft
We don't have an H.323 implementation and thus aren't affected by
this.
Extreme Networks
No statement is currently available from the vendor regarding this
vulnerability.
F5 Networks
No statement is currently available from the vendor regarding this
vulnerability.
Foundry Networks Inc.
No statement is currently available from the vendor regarding this
vulnerability.
FreeBSD
No statement is currently available from the vendor regarding this
vulnerability.
Fujitsu
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Global Technology Associates
No statement is currently available from the vendor regarding this
vulnerability.
Hitachi
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Hewlett-Packard Company
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Ingrian Networks
No statement is currently available from the vendor regarding this
vulnerability.
Intel
No statement is currently available from the vendor regarding this
vulnerability.
Intoto
No statement is currently available from the vendor regarding this
vulnerability.
Juniper Networks
No statement is currently available from the vendor regarding this
vulnerability.
Lachman
No statement is currently available from the vendor regarding this
vulnerability.
Linksys
No statement is currently available from the vendor regarding this
vulnerability.
Lotus Software
No statement is currently available from the vendor regarding this
vulnerability.
Lucent Technologies
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Microsoft Corporation
Please see
http://www.microsoft.com/technet/security/bulletin/MS04-001.asp
MontaVista Software
No statement is currently available from the vendor regarding this
vulnerability.
MandrakeSoft
No statement is currently available from the vendor regarding this
vulnerability.
Multi-Tech Systems Inc.
No statement is currently available from the vendor regarding this
vulnerability.
NEC Corporation
No statement is currently available from the vendor regarding this
vulnerability.
NetBSD
NetBSD does not ship any H.323 implementations as part of the
Operating System.
There are a number of third-party implementations available in the
pkgsrc system. As these products are found to be vulnerable, or
updated, the packages will be updated accordingly. The
audit-packages mechanism can be used to check for known-vulnerable
package versions.
Netfilter
No statement is currently available from the vendor regarding this
vulnerability.
NetScreen
No statement is currently available from the vendor regarding this
vulnerability.
Network Appliance
No statement is currently available from the vendor regarding this
vulnerability.
Nokia
No statement is currently available from the vendor regarding this
vulnerability.
Nortel Networks
The following Nortel Networks Generally Available products and
solutions are potentially affected by the vulnerabilities
identified in NISCC Vulnerability Advisory 006489/H323 and CERT
VU#749342:
Business Communications Manager (BCM) (all versions) is potentially
affected; more information is available in Product Advisory Alert
No. PAA 2003-0392-Global.
Succession 1000 IP Trunk and IP Peer Networking, and 802.11
Wireless IP Gateway are potentially affected; more information is
available in Product Advisory Alert No. PAA-2003-0465-Global.
For more information please contact
North America: 1-800-4NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009,
or +44 (0) 870 907 9009
Contacts for other regions are available at
http://www.nortelnetworks.com/help/contact/global/
Or visit the eService portal at http://www.nortelnetworks.com/cs
under Advanced Search.
If you are a channel partner, more information can be found under
http://www.nortelnetworks.com/pic
under Advanced Search.
Novell
No statement is currently available from the vendor regarding this
vulnerability.
Objective Systems Inc.
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
OpenBSD
No statement is currently available from the vendor regarding this
vulnerability.
Openwall GNU/*/Linux
No statement is currently available from the vendor regarding this
vulnerability.
RadVision
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Red Hat Inc.
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Oracle Corporation
No statement is currently available from the vendor regarding this
vulnerability.
Riverstone Networks
No statement is currently available from the vendor regarding this
vulnerability.
Secure Computing Corporation
No statement is currently available from the vendor regarding this
vulnerability.
SecureWorks
No statement is currently available from the vendor regarding this
vulnerability.
Sequent
No statement is currently available from the vendor regarding this
vulnerability.
Sony Corporation
No statement is currently available from the vendor regarding this
vulnerability.
Stonesoft
No statement is currently available from the vendor regarding this
vulnerability.
Sun Microsystems Inc.
Sun SNMP does not provide support for H.323, so we are not
vulnerable. And so far we have not found any bundled products that
are affected by this vulnerability. We are also actively
investigating our unbundled products to see if they are affected.
Updates will be provided to this statement as they become
available.
SuSE Inc.
No statement is currently available from the vendor regarding this
vulnerability.
Symantec Corporation
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Unisys
No statement is currently available from the vendor regarding this
vulnerability.
TandBerg
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Tumbleweed Communications Corp.
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
TurboLinux
No statement is currently available from the vendor regarding this
vulnerability.
uniGone
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
WatchGuard
No statement is currently available from the vendor regarding this
vulnerability.
Wirex
No statement is currently available from the vendor regarding this
vulnerability.
Wind River Systems Inc.
No statement is currently available from the vendor regarding this
vulnerability.
Xerox
No statement is currently available from the vendor regarding this
vulnerability.
ZyXEL
No statement is currently available from the vendor regarding this
vulnerability.
_________________________________________________________________
The CERT Coordination Center thanks the NISCC Vulnerability Management
Team and the University of Oulu Security Programming Group (OUSPG) for
coordinating the discovery and release of the technical details of
this issue.
_________________________________________________________________
Feedback may be directed to the authors: Jeffrey S. Havrilla, Mindi J.
McDowell, Shawn V. Hernan and Jason A. Rafail
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2004-01.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2004 Carnegie Mellon University.
Revision History
January 13, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBQASK7JZ2NNT/dVAVAQG65wP8C7DyEvZGz0HqXtRqk+PAjjpMqex1hdjT
BfkT6oHMhTWIdvUE1mpAwnV7OPL+N+UugCC0bAEXQzBy/YkBBOptt7IZdIeOlInh
AP0RO5zqt0GqMIrdW7P14iWBX2lLCQaMUgWNyvK4ZTNE9UzpOgBk2JonfBLjbH77
KeVgAqcfP2M=
=p0GQ
-----END PGP SIGNATURE-----
| VAR-200402-0016 | CVE-2004-0054 | Multiple vulnerabilities in H.323 implementations |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple vulnerabilities in the H.323 protocol implementation for Cisco IOS 11.3T through 12.2T allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. A number of vulnerabilities have been discovered in various implementations of the multimedia telephony protocols H.323 and H.225. Voice over Internet Protocol (VoIP) and video conferencing equipment and software can use these protocols to interoperate over a variety of computer networks. The majority of the vulnerabilities discovered are limited to denial of service impacts; however, several may allow unauthorized code execution. Cisco IOS software (release 11.3T and later) that supports the H.323 protocol handles H.323 messages insufficiently. According to the vendor, some Cisco products other than Cisco IOS software are also affected, and systems with IOS NAT or the IOS Firewall (CBAC) enabled may be affected as well; check the vendor's information for details. Related vulnerabilities have been confirmed in other systems that implement the H.323 protocol. Remote attackers can use these vulnerabilities to conduct denial-of-service attacks against devices and software that implement H.323, and may be able to execute arbitrary instructions with the privileges of the affected process. Vendor status at the time of writing: 3Com, Alcatel, AT&T, Borderware, Check Point and BSDI had no statement on this issue; Apple Computer Inc. reported that Mac OS X and Mac OS X Server are not affected; Avaya referred to NISCC Vulnerability Advisory 006489/H323 (http://www.uniras.gov.uk/vuls/2004/006489/h323.htm); Cisco Systems Inc. issued its own advisory, http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities
Original release date: January 13, 2004
Last revised: --
Source: CERT/CC, NISCC
A complete revision history can be found at the end of this file.
I. Description
The U.K. H.323 is
an international standard protocol, published by the International
Telecommunications Union, used to facilitate communication among
telephony and multimedia systems. Examples of such systems include
VoIP, video-conferencing equipment, and network devices that manage
H.323 traffic. A test suite developed by NISCC and the University of
Oulu Security Programming Group (OUSPG) has exposed multiple
vulnerabilities in a variety of implementations of the H.323 protocol
(specifically its connection setup sub-protocol H.225.0).
The U.K. National Infrastructure Security Co-ordination Centre is
tracking these vulnerabilities as NISCC/006489/H.323. The CERT/CC is
tracking this issue as VU#749342. This reference number corresponds to
CVE candidate CAN-2003-0819, as referenced in Microsoft Security
Bulletin MS04-001.
II.
III. Solution
Apply a patch or upgrade
Appendix A and the Systems Affected section of Vulnerability Note
VU#749342 contain information provided by vendors for this advisory
(<http://www.kb.cert.org/vuls/id/749342#systems>).
However, as vendors report new information to the CERT/CC, we will
only update VU#749342. If a particular vendor is not listed, we have
not received their comments. Please contact your vendor directly.
Filter network traffic
Sites are encouraged to apply network packet filters to block access
to the H.323 services at network borders. This can minimize the
potential of denial-of-service attacks originating from outside the
perimeter. The specific services that should be filtered include
* 1720/TCP
* 1720/UDP
If access cannot be filtered at the network perimeter, the CERT/CC
recommends limiting access to only those external hosts that require
H.323 for normal operation. As a general rule, filtering all types of
network traffic that are not required for normal operation is
recommended.
It is important to note that some firewalls process H.323 packets and
may themselves be vulnerable to attack. As noted in some vendor
recommendations like Cisco Security Advisory 20040113-h323 and
Microsoft Security Bulletin MS04-001, certain sites may actually want
to disable application layer inspection of H.323 network packets.
Protecting your infrastructure against these vulnerabilities may
require careful coordination among application, computer, network, and
telephony administrators. You may have to make tradeoffs between
security and functionality until vulnerable products can be updated.
Appendix A. Please see the Systems Affected section of Vulnerability
Note VU#749342 and the Vendor Information section of NISCC
Vulnerability Advisory 006489/H323 for the latest information
regarding the response of the vendor community to this issue.
3Com
No statement is currently available from the vendor regarding this
vulnerability.
Alcatel
No statement is currently available from the vendor regarding this
vulnerability.
Apple Computer Inc.
Apple: Not Vulnerable. Mac OS X and Mac OS X Server do not contain
the issue described in this note.
AT&T
No statement is currently available from the vendor regarding this
vulnerability.
Avaya
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Borderware
No statement is currently available from the vendor regarding this
vulnerability.
BSDI
No statement is currently available from the vendor regarding this
vulnerability.
Cisco Systems Inc.
Please see
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml
Clavister
No statement is currently available from the vendor regarding this
vulnerability.
Computer Associates
No statement is currently available from the vendor regarding this
vulnerability.
Cyberguard
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Debian
No statement is currently available from the vendor regarding this
vulnerability.
D-Link Systems
No statement is currently available from the vendor regarding this
vulnerability.
Conectiva
No statement is currently available from the vendor regarding this
vulnerability.
EMC Corporation
No statement is currently available from the vendor regarding this
vulnerability.
Engarde
No statement is currently available from the vendor regarding this
vulnerability.
eSoft
We don't have an H.323 implementation and thus aren't affected by
this.
Extreme Networks
No statement is currently available from the vendor regarding this
vulnerability.
F5 Networks
No statement is currently available from the vendor regarding this
vulnerability.
Foundry Networks Inc.
No statement is currently available from the vendor regarding this
vulnerability.
FreeBSD
No statement is currently available from the vendor regarding this
vulnerability.
Fujitsu
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Global Technology Associates
No statement is currently available from the vendor regarding this
vulnerability.
Hitachi
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Hewlett-Packard Company
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Ingrian Networks
No statement is currently available from the vendor regarding this
vulnerability.
Intel
No statement is currently available from the vendor regarding this
vulnerability.
Intoto
No statement is currently available from the vendor regarding this
vulnerability.
Juniper Networks
No statement is currently available from the vendor regarding this
vulnerability.
Lachman
No statement is currently available from the vendor regarding this
vulnerability.
Linksys
No statement is currently available from the vendor regarding this
vulnerability.
Lotus Software
No statement is currently available from the vendor regarding this
vulnerability.
Lucent Technologies
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Microsoft Corporation
Please see
http://www.microsoft.com/technet/security/bulletin/MS04-001.asp
MontaVista Software
No statement is currently available from the vendor regarding this
vulnerability.
MandrakeSoft
No statement is currently available from the vendor regarding this
vulnerability.
Multi-Tech Systems Inc.
No statement is currently available from the vendor regarding this
vulnerability.
NEC Corporation
No statement is currently available from the vendor regarding this
vulnerability.
NetBSD
NetBSD does not ship any H.323 implementations as part of the
Operating System.
There are a number of third-party implementations available in the
pkgsrc system. As these products are found to be vulnerable, or
updated, the packages will be updated accordingly. The
audit-packages mechanism can be used to check for known-vulnerable
package versions.
Netfilter
No statement is currently available from the vendor regarding this
vulnerability.
NetScreen
No statement is currently available from the vendor regarding this
vulnerability.
Network Appliance
No statement is currently available from the vendor regarding this
vulnerability.
Nokia
No statement is currently available from the vendor regarding this
vulnerability.
Nortel Networks
The following Nortel Networks Generally Available products and
solutions are potentially affected by the vulnerabilities
identified in NISCC Vulnerability Advisory 006489/H323 and CERT
VU#749342:
Business Communications Manager (BCM) (all versions) is potentially
affected; more information is available in Product Advisory Alert
No. PAA 2003-0392-Global.
Succession 1000 IP Trunk and IP Peer Networking, and 802.11
Wireless IP Gateway are potentially affected; more information is
available in Product Advisory Alert No. PAA-2003-0465-Global.
For more information please contact
North America: 1-800-4NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009,
or +44 (0) 870 907 9009
Contacts for other regions are available at
http://www.nortelnetworks.com/help/contact/global/
Or visit the eService portal at http://www.nortelnetworks.com/cs
under Advanced Search.
If you are a channel partner, more information can be found under
http://www.nortelnetworks.com/pic
under Advanced Search.
Novell
No statement is currently available from the vendor regarding this
vulnerability.
Objective Systems Inc.
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
OpenBSD
No statement is currently available from the vendor regarding this
vulnerability.
Openwall GNU/*/Linux
No statement is currently available from the vendor regarding this
vulnerability.
RadVision
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Red Hat Inc.
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Oracle Corporation
No statement is currently available from the vendor regarding this
vulnerability.
Riverstone Networks
No statement is currently available from the vendor regarding this
vulnerability.
Secure Computing Corporation
No statement is currently available from the vendor regarding this
vulnerability.
SecureWorks
No statement is currently available from the vendor regarding this
vulnerability.
Sequent
No statement is currently available from the vendor regarding this
vulnerability.
Sony Corporation
No statement is currently available from the vendor regarding this
vulnerability.
Stonesoft
No statement is currently available from the vendor regarding this
vulnerability.
Sun Microsystems Inc.
Sun SNMP does not provide support for H.323, so we are not
vulnerable. And so far we have not found any bundled products that
are affected by this vulnerability. We are also actively
investigating our unbundled products to see if they are affected.
Updates will be provided to this statement as they become
available.
SuSE Inc.
No statement is currently available from the vendor regarding this
vulnerability.
Symantec Corporation
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Unisys
No statement is currently available from the vendor regarding this
vulnerability.
TandBerg
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
Tumbleweed Communications Corp.
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
TurboLinux
No statement is currently available from the vendor regarding this
vulnerability.
uniGone
Please see the NISCC Vulnerability Advisory 006489/H323 at
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
WatchGuard
No statement is currently available from the vendor regarding this
vulnerability.
Wirex
No statement is currently available from the vendor regarding this
vulnerability.
Wind River Systems Inc.
No statement is currently available from the vendor regarding this
vulnerability.
Xerox
No statement is currently available from the vendor regarding this
vulnerability.
ZyXEL
No statement is currently available from the vendor regarding this
vulnerability.
_________________________________________________________________
The CERT Coordination Center thanks the NISCC Vulnerability Management
Team and the University of Oulu Security Programming Group (OUSPG) for
coordinating the discovery and release of the technical details of
this issue.
_________________________________________________________________
Feedback may be directed to the authors: Jeffrey S. Havrilla, Mindi J.
McDowell, Shawn V. Hernan and Jason A. Rafail
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2004-01.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2004 Carnegie Mellon University.
Revision History
January 13, 2004: Initial release
| VAR-200402-0066 | CVE-2003-0994 | Symantec LiveUpdate Local Privilege Escalation Vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The GUI functionality for an interactive session in Symantec LiveUpdate 1.70.x through 1.90.x, as used in Norton Internet Security 2001 through 2004, SystemWorks 2001 through 2004, and AntiVirus and Norton AntiVirus Pro 2001 through 2004, AntiVirus for Handhelds v3.0, allows local users to gain SYSTEM privileges. Symantec LiveUpdate has been reported prone to a local privilege escalation vulnerability. This issue presents itself when a LiveUpdate interactive session is created. The privileges of the process, if different from the user, are not lowered. This may allow a local attacker to employ the vulnerable LiveUpdate component to spawn arbitrary executables with the privileges of the LiveUpdate process. Symantec LiveUpdate is a program used by a large number of Symantec application systems for automatic upgrades. When a non-privileged user logs in, a small window saying "there are Live Updates available, click here to run LiveUpdate" is displayed in the Windows task bar. If the user clicks to run the online automatic update, LUALL.exe and LUCOMS~1.exe run in the context of the SYSTEM user; clicking the Help button opens a "LiveUpdate Help" window, and from its file open dialog the user can browse to c:\windows\system32 and run cmd.exe with SYSTEM permissions.
Secure Network Operations, Inc. http://www.secnetops.com/research
Strategic Reconnaissance Team research[at]secnetops[.]com
Team Lead Contact kf[at]secnetops[.]com
Spam Contact `rm -rf /`@snosoft.com
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
Basic Explanation
************************************************************************
High Level Description : LiveUpdate allows local users to become SYSTEM
What to do : run LiveUpdate and apply latest patches.
Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has proof of concept.
Low Level Description : Symantec, the world leader in Internet security
technology, provides a broad range of content and network security
software and appliance solutions to individuals, enterprises and service
providers. The company is a leading provider of client, gateway and server
security solutions for virus protection, firewall and virtual private
network, vulnerability management, intrusion detection, Internet content
and email filtering, and remote management technologies and security
services to enterprises and service providers around the world. Symantec's
Norton brand of consumer security products is a leader in worldwide retail
sales and industry awards. Headquartered in Cupertino, Calif., Symantec
has worldwide operations in 36 countries.
Symantec's Norton Internet Security 2004 provides essential protection
from viruses, hackers, and privacy threats. This issue
is similar to the issues that were uncovered in the Windows Help API by
both Brett Moore and our SRT team in late 2003.
Full details available at:
http://www.secnetops.biz/research/SRT2004-01-09-1022.txt and
http://www.secnetops.biz/research/SRT2004-01-09-1022.jpg
Vendor Status : Symantec promptly attended to the issue and
was very responsive during all phases of discovery / research and patching.
Fixes are now available via LiveUpdate.
Bugtraq URL : To be assigned. CVE candidate CAN-2003-0994.
Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories but can be obtained under contract. Contact our sales
department at sales[at]secnetops[.]com for further information on how to
obtain proof of concept code.
----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."
| VAR-200402-0012 | CVE-2004-0044 | Cisco Systems Cisco Personal Assistant authentication bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco Personal Assistant 1.4(1) and 1.4(2) disables password authentication when "Allow Only Cisco CallManager Users" is enabled and the Corporate Directory settings refer to the directory service being used by Cisco CallManager, which allows remote attackers to gain access with a valid username. Cisco Systems Cisco Personal Assistant contains unspecified vulnerabilities. Remote attackers can exploit this vulnerability to change user parameters and configurations. This vulnerability exists only when the following conditions are true: 1. 2. This vulnerability does not affect users accessing Personal Assistant through the phone interface
| VAR-200401-0028 | CVE-2003-0983 | IBM Server vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco Unity on IBM servers is shipped with default settings that should have been disabled by the manufacturer, which allows local or remote attackers to conduct unauthorized activities via (1) a "bubba" local user account, (2) an open TCP port 34571, or (3) when a local DHCP server is unavailable, a DHCP server on the manufacturer's test network
| VAR-200401-0042 | CVE-2003-1001 | Cisco Catalyst 6500 and 7600 Buffer overflow vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in the Cisco Firewall Services Module (FWSM) in Cisco Catalyst 6500 and 7600 series devices allows remote attackers to cause a denial of service (crash and reload) via HTTP auth requests for (1) TACACS+ or (2) RADIUS authentication
| VAR-200412-1188 | CVE-2004-1793 | YaSoft Switch SendMsg Remote buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in swnet.dll in YaSoft Switch Off 2.3 and earlier allows remote authenticated users to execute arbitrary code via a long message parameter in a SendMsg action to action.htm. A vulnerability has been identified in the YaSoft Switch Off software package when handling message requests. The buffer overrun condition exists in the 'swnet.dll' module of the software due to insufficient bounds checking performed by the affected component. The overflow may be caused by sending an excessively long 'message' parameter to the application. This may make it possible for a remote user to execute arbitrary code through a vulnerable server. Switch Off is an easy-to-use tray-based system tool that automates frequently used operations, such as shutting down or restarting a computer, closing a dial-up connection, and more. A remote attacker can use this vulnerability to overflow a buffer in the service program. Carefully crafted data may execute arbitrary instructions on the system with the SYSTEM process privilege. The problem exists in the action.htm script
| VAR-200412-1187 | CVE-2004-1792 | YaSoft Switch Off Oversized Remote Denial of Service Attack Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
swnet.dll in YaSoft Switch Off 2.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a long packet with two CRLF sequences to the service management port (TCP 8000). This may make it possible for a remote user to deny service to legitimate users of the service. Switch Off is an easy-to-use tray-based system tool that automates frequently used operations, such as shutting down or restarting a computer, closing a dial-up connection, and more. The problematic code exists in 'swnet.dll'; this vulnerability can consume a lot of CPU and crash the program
| VAR-200901-0464 | CVE-2003-1566 | Microsoft Internet Information Services (IIS) vulnerable to disclosure of confidential information |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Microsoft Internet Information Services (IIS) 5.0 does not log requests that use the TRACK method, which allows remote attackers to obtain sensitive information without detection. A vulnerability has been reported to affect Microsoft IIS. It has been reported that IIS fails to log HTTP TRACK calls made to the affected server. A remote attacker may exploit this condition in order to enumerate server banners
| VAR-200901-0465 | CVE-2003-1567 | Microsoft Internet Information Server (IIS) vulnerable to cross-site scripting via HTTP TRACK method |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
The undocumented TRACK method in Microsoft Internet Information Services (IIS) 5.0 returns the content of the original request in the body of the response, which makes it easier for remote attackers to steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism, by using TRACK to read the contents of the HTTP headers that are returned in the response, a technique that is similar to cross-site tracing (XST) using HTTP TRACE. Microsoft Internet Information Server (IIS) servers support an HTTP method called TRACK. The HTTP TRACK method returns the contents of client HTTP requests in the entity-body of the TRACK response. This behavior could be leveraged by attackers to access sensitive information, such as cookies or authentication data, contained in the HTTP headers of the request. This is a technique similar to the cross-site tracing used with HTTP TRACE.
IIS 5.0 is vulnerable
| VAR-200403-0084 | CVE-2003-1010 | Apple MacOS X fs_usage Unknown local privilege elevation vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Unknown vulnerability in fs_usage in Mac OS X 10.2.8 and 10.3.2 and Mac OS X Server 10.2.8 and 10.3.2 allows local users to gain privileges via unknown attack vectors.
Due to a lack of details further information cannot be provided at the moment. This BID will be updated as more information becomes available. No detailed vulnerability details are currently available
| VAR-200403-0081 | CVE-2003-1007 | Apple MacOS X AppleFileServer Unknown security vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
AppleFileServer (AFS) in Apple Mac OS X 10.2.8 and 10.3.2 does not properly handle certain malformed requests, with unknown impact. It has been reported that AppleFileServer may be prone to an unspecified security vulnerability due to improper handling of malformed requests. Due to the fact that no details were supplied by the vendor, the implications of exploitation are not currently known. Apple MacOS X AppleFileServer is an Apple file service program
| VAR-200312-0225 | CVE-2003-0858 | GNU Zebra denial of service (DoS) vulnerability via illegal messages |
CVSS V2: 2.1 CVSS V3: - Severity: Low |
Zebra 0.93b and earlier, and quagga before 0.95, allows local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface
| VAR-200312-0582 | No CVE | Multiple Cisco FWSM Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
Cisco has reported the following vulnerabilities in Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series and Cisco 7600 Series:
Cisco FWSM is prone to a buffer overrun vulnerability when handling HTTP Auth data. This would most likely result in a denial of service but could also potentially allow for arbitrary code execution (though this has not been confirmed).
Cisco FWSM has also been reported to be prone to denial of service attacks via SNMPv3 messages. This will cause a vulnerable device to reboot.
Both of these issues have been addressed in FWSM 1.1.3 and later for affected devices.
| VAR-200401-0045 | CVE-2003-1004 | Cisco PIX Firewall VPNC IPSec tunnel disruption vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco PIX firewall 6.2.x through 6.2.3, when configured as a VPN Client, allows remote attackers to cause a denial of service (dropped IPSec tunnel connection) via an IKE Phase I negotiation request to the outside interface of the firewall. Cisco PIX has been reported prone to multiple remote denial of service vulnerabilities.
The first issue has been reported to present itself when the affected PIX firewall processes an SNMPv3 message, in certain circumstances. Specifically, if the Cisco PIX device receives and processes an SNMPv3 message, the PIX firewall will crash and reload. PIX Firewall is prone to a denial-of-service vulnerability
| VAR-200401-0043 | CVE-2003-1002 | Cisco FWSM Multiple security vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Firewall Services Module (FWSM) in Cisco Catalyst 6500 and 7600 series devices allows remote attackers to cause a denial of service (crash and reload) via an SNMPv3 message when snmp-server is set. CSCeb16356 (HTTP Auth) vulnerability: passing HTTP Auth requests using TACACS+ or RADIUS authentication can cause Cisco FWSM to crash and reload due to a send buffer overflow. This request can be initiated by a user by opening an FTP, TELNET or HTTP connection. Cisco FWSM will only allow the communication if the username and password are authenticated by the specified TACACS+ or RADIUS server. CSCeb88419 (SNMPv3) vulnerability: when snmp-server host <if_name> <ip_addr> or snmp-server host <if_name> <ip_addr> poll is configured on the Cisco FWSM module, the Cisco FWSM may crash and cause a denial of service while processing a received SNMPv3 message. This vulnerability does not occur when only the snmp-server host <if_name> <ip_addr> trap command is configured on the Cisco FWSM module
| VAR-200312-0258 | CVE-2003-0947 | iwconfig Buffer overflow vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Buffer overflow in iwconfig, when installed setuid, allows local users to execute arbitrary code via a long OUT environment variable. iwconfig is prone to a local security vulnerability
| VAR-200401-0044 | CVE-2003-1003 | Cisco PIX Firewall SNMPv3 denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco PIX firewall 5.x.x, and 6.3.1 and earlier, allows remote attackers to cause a denial of service (crash and reload) via an SNMPv3 message when snmp-server is set. When SNMP is enabled on Cisco PIX Firewall and a specific SNMP management station is configured by IP address, a vulnerability exists that crashes the firewall when it tries to interpret a received SNMPv3 packet. Cisco PIX Firewall may be placed in a denial of service (DoS) state.
The first issue has been reported to present itself when the affected PIX firewall processes an SNMPv3 message, in certain circumstances.
The second issue that was reported by the vendor is that a remote attacker may close established VPN sessions between a Cisco PIX appliance that is configured as a VPN Client and a remote VPN server. This vulnerability does not occur when only the snmp-server host <if_name> <ip_addr> trap command is configured on the Cisco PIX firewall
| VAR-200403-0080 | CVE-2003-1006 | Apple Mac OS X "cd9660.util" buffer overflow |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Buffer overflow in cd9660.util in Apple Mac OS X 10.0 through 10.3.2 and Apple Mac OS X Server 10.0 through 10.3.2 may allow local users to execute arbitrary code via a long command line parameter. This vulnerability could allow a local attacker to gain elevated privileges on the vulnerable system. The cd9660.util utility has been reported prone to a local buffer overrun vulnerability. Excessive data supplied as an argument for the probe for mounting switch, passed to the cd9660.util utility, will overrun the bounds of a reserved buffer in memory. Because memory adjacent to this buffer has been reported to contain saved values that are crucial to controlling execution flow, a local attacker may potentially influence cd9660.util execution flow into attacker-supplied instructions. Mac OS X is an operating system used on Mac machines, based on the BSD system. Due to the lack of sufficient input validation in the cd9660.util tool, local attackers can exploit this vulnerability to carry out buffer overflow attacks, which can lead to privilege escalation. '/System/Library/Filesystems/cd9660.fs/cd9660.util' accepts parameters to probe the mounted device; if the probe device parameter is too long, it may trigger a buffer overflow at runtime, and carefully crafted submitted data can lead to privilege escalation
| VAR-200312-0517 | No CVE | NetGear WAB102 Wireless Access Point Password Management Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The NetGear WAB102 is a wireless access point. The NetGear WAB102 has multiple password management issues that can be exploited by remote attackers to gain unauthorized access to the device for various malicious operations. An attacker can access the device by providing any password that contains spaces. Another problem is that the password is reset to the default '1234' when the device is powered down and reset.
NetGear WAB102 running firmware version 1.2.3 has been reported to be prone to this issue