UDP port
http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml
* Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
* Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6
Dual-stack Routers
http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
* Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor
32, Supervisor 720, or Route Switch Processor 720
Unified Communications Manager Administration interface. The software
version can also be determined by running the "show version active"
command via the command-line interface.
A SIP trunk must be configured for the Cisco Unified CallManager
server to begin listening for SIP messages on TCP and UDP port 5060
and TCP/5061. However, in Cisco Unified Communications Manager
versions 5.x and later, the use of SIP as a call signaling protocol
is enabled by default and cannot be disabled.
Cisco IOS Software is also affected by this vulnerability, but it is
Problem Description:
A flaw was found in how CUPS handled the addition and removal of
remote printers via IPP that could allow a remote attacker to send
a malicious IPP packet to the UDP port causing CUPS to crash.
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
Protocol (SNMP). SNMP is used by network management systems to
monitor hosts. By default ESX has this service enabled and its ports
open on the ESX firewall.
A flaw was discovered in the way net-snmp handled certain requests. A
remote attacker who can connect to the snmpd UDP port could send a
malicious packet causing snmpd to crash, resulting in a denial of
service.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2007-5846 to this issue.
=======
Cisco Video Surveillance Services Platforms and Cisco Video
Surveillance Integrated Services Platforms are vulnerable to a DoS
condition. An attacker could exploit this vulnerability by sending a
crafted packet to UDP port 37000, which could cause the crash of a
critical process and result in a system reboot. This vulnerability is
documented in Cisco Bug ID CSCsj47924 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2009-2045.
Cisco Video Surveillance 2500 Series IP Cameras contain an
An information disclosure vulnerability exists within Cisco
TelePresence endpoint devices that could allow an unauthenticated,
remote attacker to retrieve sensitive authentication and
configuration information. The attacker would need to have the
ability to submit a TFTP GET request via UDP port 69 to the affected
device.
Because the vulnerability is within a UDP based service, the attacker
would not be required to perform a handshake prior to making the
crafted request. However, due to the fact that this is an information
vulnerable installations of Novell software which utilize the Novell
Client Trust. Authentication is not required to exploit this
vulnerability.
The specific flaw exists in the Novell Client Trust application,
clntrust.exe, which listens by default on UDP port 3024 on Novell
client machines. During a validation request, the Client Trust process
copies a user-supplied Novell tree name until a wide-character
backslash or a NULL is encountered. If neither is found within the
data, the process will copy excess data which later overflows a static
buffer during a call to wsprintfA.
video calls across IP networks such as the Internet. SIP is
responsible for handling all aspects of call setup and termination.
Voice and video are the most popular types of sessions that SIP
handles, but the protocol has the flexibility to accommodate other
applications that require call setup and termination. SIP call
signaling can use UDP (port 5060), TCP (port 5060), or TLS (TCP port
5061) as the underlying transport protocol.
The Cisco Unified Border Element (previously known as the Cisco
Multiservice IP-to-IP Gateway) is a special Cisco IOS Software image
that runs on Cisco multiservice gateway platforms. It provides a
The Mobile IP Support NAT Traversal feature is documented in RFC
3519. It introduces an alternative method for tunneling Mobile IP
data traffic. New extensions in the Mobile IP registration request
and reply messages have been added for establishing User Datagram
Protocol (UDP) tunneling. This feature allows mobile devices in
collocated mode that use a private IP address (RFC 1918) or foreign
agents (FAs) that use a private IP address for the care-of address
(CoA) to establish a tunnel and traverse a NAT-enabled router with
mobile node (MN) data traffic from the home agent (HA).
The Microsoft Windows DNS stub resolver (the component in Windows
that queries the upstream DNS server for address resolutions on
behalf of most Windows programs, e.g. browsers) sends predictable
DNS queries with respect to DNS transaction ID and source UDP
port. This allows some interesting attacks on DNS clients (i.e.
desktops), including DNS cache poisoning of the client's local
DNS cache (which is maintained by the stub resolver).
Affected products: Windows Vista, Windows XP SP2, Windows 2003
and Windows 2000 SP4.
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Tivoli Storage Manager Fastback.
Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Mount service (FastBackMount.exe).
This process listens by default on UDP port 30005. It writes
the value 0x01 to the address specified by the second DWORD of a
packet received on its UDP port. An attacker can exploit this behavior
to execute arbitrary code by making several requests to this service.
-- Vendor Response:
===============
The Acronis Agent is an essential component of Acronis True Image Echo
Server (Workstation and Enterprise packages) and is a server listening on
TCP and UDP port 9876 which allows local and remote management
of Acronis TrueImage.
The Acronis True Image Windows Agent must not be confused with the
Acronis Snap Deploy Management Agent, which uses the same ports but a
different protocol and so is not affected by this bug.
Cisco IOS UDP Denial of Service Vulnerability
------------------------------------------------------------------
I. Summary
Cisco routers running IOS 15.0 allow a remote attacker to cause a denial of service via a flood of UDP packets to a randomly chosen UDP port.
------------------------------------------------------------------
II. Description
A potential denial of service condition may exist in Cisco's IOS firmware.
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
NOTE WELL: This update causes BIND to choose a new, random UDP port for
each new query; this may cause problems for some network configurations,
particularly if firewall(s) block incoming UDP packets on particular
ports. The avoid-v4-udp-ports and avoid-v6-udp-ports options should be
used to avoid selecting random port numbers within a blocked range.
Backburner software
The default behavior for the tool is to search for available servers
on the network. The Backburner Manager Server Service listens by
default on tcp port 3234 for incoming jobs and responds to broadcast
discover requests by default on udp port 3234.
The software can be downloaded for free from the vendor's site:
http://usa.autodesk.com/adsk/servlet/home?siteID=123112&id=129446
C] crash in MgWTrap3
--------------------
Besides binding local TCP port 8888 and UDP port 162 for collecting
SNMP queries, the SNMP Trap Service also binds an additional UDP port
which changes each time the service is started (it uses the first
free available port).
Sending a packet (empty or with any content, since the content is not
important) directly to this port raises an exception which terminates
the service immediately.
This service is the core of almost all the MG-SOFT products which so
---------------------------
B] heap-overflow in FxAgent
---------------------------
The FxAgent process running on UDP port 6161 is used for handling the
various SNMP requests.
A community field longer than 64 bytes can be used by an attacker to
exploit a heap-overflow.
\xff\xff\xff\xff\xff\xff\x00\x06\xff\xf9
It is also possible to set configuration settings on the remote device with a single unauthenticated request.
-==Mitigation==-
Block external access to UDP port 13364.
-==Disclosure==-
Contacted Rosewill, but received no response.
-==PoCs==-
1. Make sure that your network configuration is compatible with source
port randomization. If you guard your resolver with a stateless packet
filter, you may need to make sure that no non-DNS services listen on
the 1024--65535 UDP port range and open it at the packet filter. For
instance, packet filters based on etch's Linux 2.6.18 kernel only
support stateless filtering of IPv6 packets, and therefore pose this
additional difficulty. (If you use IPv4 with iptables and ESTABLISHED
rules, networking changes are likely not required.)
Transport (FST) uses IP Protocol 91. The promiscuous DLSw feature
permits the local peer to establish connection with remote peers that
are not statically configured.
A Cisco IOS device that is configured for DLSw listens for IP
protocol 91 packets. Depending on the DLSw configuration, UDP port
2067 and one or more TCP ports can also be opened. The
vulnerability described in this document can only be exploited via IP
Protocol 91 and cannot be exploited using either the UDP or TCP
transports.
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Symantec VERITAS Storage Foundation.
Authentication is not required to exploit this vulnerability.
The specific flaw resides in the Administrator service, vxsvc.exe,
which listens by default on UDP port 3207. The process trusts a
user-supplied size value, receiving the specified amount of data into a
static heap buffer. By sending a specially crafted packet, an attacker
can overflow that buffer leading to arbitrary code execution in the
context of the SYSTEM user.
V. WORKAROUND
TIBCO has identified the following workarounds:
* Disable the rtserver UDP port if it has been enabled in the rtserver
configuration file.
* Utilize a firewall to restrict access to the rtserver.
* Use a user with restricted privileges to invoke the rtserver
tftpx SERVER ..\../..\../boot.ini none
tftpx SERVER c:\boot.ini none
tftpx SERVER \\internal_host\documents\file.txt none
B]
send the bytes 00 01 to UDP port 69 of the server:
echo -n -e '\x00\x01' | nc -u -v -v SERVER 69
BlueCat is taking the following steps to address this issue:
1. Release a patch that will modify the firewall rules to restrict all traffic on port 694 to the cluster partner. The patch should be available later today - Friday, August 3rd.
2. Update the version of the Heartbeat software to address this issue permanently. This patch will be made available later this month.
To reduce the risk of this DoS attack, BlueCat recommends that customers check their firewall/router settings to ensure that UDP port 694 is closed. Since HA cluster partners must operate on the same subnet, there is no reason that any traffic on this port is required except between the cluster partners themselves.
For any BlueCat customer that wishes to obtain the patch, or seek more information on the matter, please feel free to contact BlueCat Network's Customer Care at 1.866.491.2228.
Kindest regards,
vulnerable installations of Hewlett Packard StorageWorks Storage
Mirroring. Authentication is not required to exploit this
vulnerability.
The specific flaw exists in the DoubleTake.exe process bound by default
on TCP ports 1100, 1106 and UDP port 1105. During the handling of an
encoded authentication request, the process copies the user-supplied
login information into a fixed length stack buffer. Sending at least 256
bytes will trigger a stack based buffer overflow due to a vulnerable
processing loop. Exploitation of this issue can result in arbitrary code
execution.