
IP addresses

Cisco Security Advisory: Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability

Devices configured for ALPS are vulnerable. The default TCP listening
ports for ALPS are 350 and 10000. The following example shows a
vulnerable ALPS configuration:

    alps local-peer <ip address>

Further information about ALPS is available in "Cisco IOS Bridging
and IBM Networking Configuration Guide, Release 12.2 - Configuring
the Airline Product Set" at the following link
http://www.cisco.com/en/US/docs/ios/12_2/ibm/configuration/guide/bcfalps_ps1835_TSD_Products_Configuration_Guide_Chapter.html

TWSL2010-003: Unauthorized access to root NFS export on EMC Celerra NAS appliance

CVE: CVE-2010-2860

Finding:
The Celerra appliance's NFS server freely exports its "/" file system and
enforces access using a factory-defined list of authorized IP addresses.
The addresses found on a recent model are listed in the showmount example
below; however, this list may differ depending on product version. The IP
addresses are intended for communication internal to the appliance, but are
still accepted from external sources. An attacker can mount this file system
by spoofing an authorized IP address.

Cisco Security Advisory: Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS

    "dlsw local-peer"

or

    "dlsw local-peer peer-id <IP address>"

Any version of Cisco IOS prior to the versions which are listed in
the Software Versions and Fixes section below is vulnerable.

To determine the version of Cisco IOS software running on a Cisco

Cisco Security Advisory: Cisco 7600 Series Router Session Border Controller Denial of Service Vulnerability

As a workaround, configure an access control list (ACL) in the
signaling / media VLAN on the Route Processor (RP). The following
examples show how VLAN 140 is configured as the signaling / media
VLAN. A separate VLAN (VLAN 77) is configured as Fault Tolerance
(FT). An ACL is added to the signaling/media VLAN on the RP filtering
all TCP port 2000 packets to the alias IP address.

Cisco SBC configuration

    interface vlan 140
      ip address 10.140.1.90 255.255.255.0

Cisco Security Advisory: Cisco IOS Software Network Time Protocol Packet Vulnerability

Workarounds
===========

There are no workarounds other than disabling NTP on the device. The
following mitigations have been identified for this vulnerability;
only packets destined for any configured IP address on the device can
exploit this vulnerability. Transit traffic will not exploit this
vulnerability.

Note: NTP peer authentication is not a workaround and is still a
vulnerable configuration.

BT Home Flub: Pwnin the BT Home Hub (5) - exploiting IGDs remotely via UPnP

actually lead to UPnP being exploited remotely, even if the web admin
console is not visible from the Internet!

The following is a non-malicious proof-of-concept exploit which sets
up a port-forwarding rule from port 1337 on the WAN interface to port
445 on the internal IP address 192.168.1.64. Such IP address is the
first usable IP address reserved for clients connected to Speedtouch
and BT Home Hub routers. The exploit has been tested on BT Home Hub -
Firmware version 6.2.6.B. Just to make things clear, UPnP is enabled
by default on the BT Home Hub, just like most IGDs. If your Internet
gateway is a BT Home Hub, clicking on the following link should add a

wp-10-0001: Multiple Browser Wildcard Certificate Validation Weakness

RFC 2818 covers the requirements for matching CNs and subjectAltNames
in order to establish valid SSL connections. It first discusses CNs
that are for hostnames, and the rules for wildcards in this case.
The next paragraph in the RFC then discusses CNs that are IP
addresses:

'In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.'
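The two matching rules quoted above, worked through in code. This is an added example, not code from the wp-10-0001 advisory or from any browser: match_legacy_browser() models the weakness the advisory describes (wildcard matching applied to an IP literal, so a CN such as "*.*.*.*" matches every IPv4 address), and match_rfc2818() is the conforming check, which for an IP literal consults only the iPAddress subjectAltName. The certificate is represented as a plain dict with assumed keys cn, dns_sans and ip_sans.

```python
import ipaddress
import re


def _label_pattern_matches(pattern_label, host_label):
    """Match one DNS label against a pattern label; '*' matches within the label only."""
    if "*" not in pattern_label:
        return pattern_label == host_label
    regex = "^" + re.escape(pattern_label).replace(r"\*", "[^.]*") + "$"
    return re.match(regex, host_label) is not None


def dns_name_matches(pattern, host):
    """RFC 2818 section 3.1 dNSName/CN matching: '*.a.com' matches foo.a.com but
    not bar.foo.a.com; 'f*.com' matches foo.com but not bar.com."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_pattern_matches(p, h) for p, h in zip(p_labels, h_labels))


def _as_ip(uri_host):
    """Return an ip_address for an IP literal (IPv6 brackets allowed), else None."""
    try:
        return ipaddress.ip_address(uri_host.strip("[]"))
    except ValueError:
        return None


def match_legacy_browser(uri_host, cert):
    """Models the weakness the advisory describes (an assumption for this example,
    not any browser's actual code): the URI host goes through wildcard matching
    even when it is an IP literal, so a CN of '*.*.*.*' matches any IPv4 address."""
    names = cert.get("dns_sans") or [cert.get("cn", "")]
    return any(dns_name_matches(n, uri_host) for n in names if n)


def match_rfc2818(uri_host, cert):
    """Conforming check: for an IP literal the iPAddress subjectAltName must be
    present and match exactly; CN and dNSName wildcards are never consulted.
    For a hostname, dNSName SANs take precedence over the CN, per the RFC."""
    ip = _as_ip(uri_host)
    if ip is not None:
        return any(_as_ip(s) == ip for s in cert.get("ip_sans", []))
    names = cert.get("dns_sans") or [cert.get("cn", "")]
    return any(dns_name_matches(n, uri_host) for n in names if n)
```

The label-count check is what keeps "*.a.com" from matching bar.foo.a.com; the IP-literal branch is what the advisory found missing.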


FreeWebshop.org: multiple vulnerabilities

complete compromise of the entire system.

------------------------------------------------------------------------
IP spoofing
------------------------------------------------------------------------
When a user logs into FWS, the user's IP address is stored in the
database. This is done to prevent replay of (stolen) session cookies. If
FWS is called with a session cookie from a different IP address, the
user will not be logged into FWS. The IP address is obtained using
GetUserIP(). This function first checks whether the HTTP request
contains the X-Forwarded-For or Client-IP HTTP headers. These headers
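The header-trusting pattern described above, beside a hardened version, as an added example that is not FreeWebshop's own code. get_user_ip_weak() reproduces the behaviour the advisory describes (X-Forwarded-For or Client-IP wins over the TCP peer address); get_user_ip_hardened() honours the header only when the peer is one of an assumed set of trusted reverse proxies (10.0.0.0/8 here) and walks the chain from the right. The addresses in the usage are constructed documentation-range values.

```python
import ipaddress

# Assumption for this example: the application sits behind reverse proxies in
# 10.0.0.0/8; anything else connecting directly is treated as an end client.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _trusted(ip, trusted_proxies):
    return any(ip in net for net in trusted_proxies)


def get_user_ip_weak(remote_addr, headers):
    """The pattern the advisory describes: a client-supplied header overrides the
    TCP peer address, so any client can claim to be at any IP."""
    for name in ("X-Forwarded-For", "Client-IP"):
        value = headers.get(name, "").strip()
        if value:
            return value.split(",")[0].strip()
    return remote_addr


def get_user_ip_hardened(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and walk
    the chain from the right, skipping trusted hops, so the result is the address
    the nearest proxy actually saw rather than whatever the client typed."""
    peer = ipaddress.ip_address(remote_addr)
    if not _trusted(peer, trusted_proxies):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    while hops:
        candidate = hops.pop()  # rightmost entry was appended by our nearest proxy
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed hop: stop trusting the chain
        if not _trusted(ip, trusted_proxies):
            return str(ip)
    return remote_addr  # chain empty or entirely trusted: fall back to the peer


def session_matches(session_ip, remote_addr, headers, resolver=get_user_ip_hardened):
    """The FWS-style replay check: the IP stored at login must equal the request IP."""
    return session_ip == resolver(remote_addr, headers)


if __name__ == "__main__":
    # Constructed scenario: victim logged in from 203.0.113.5; attacker at
    # 198.51.100.7 replays the stolen cookie with a forged X-Forwarded-For.
    forged = {"X-Forwarded-For": "203.0.113.5"}
    print("weak check passes:", session_matches("203.0.113.5", "198.51.100.7", forged, get_user_ip_weak))
    print("hardened check passes:", session_matches("203.0.113.5", "198.51.100.7", forged))
```

Binding a session to an IP is at best a weak replay control even when done right (NAT and mobile clients share and change addresses), but if it is used, the address must come from the socket or from a proxy the application operator controls, never from a header the client can set.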

Cisco Security Advisory: Cisco 10000, uBR10012, uBR7200 Series Devices IPC Vulnerability

used to mitigate this vulnerability. UDP port 1975 is a registered
port number that can be used by certain applications. However,
filtering all packets that are destined to UDP port 1975 may cause
some applications to malfunction. Therefore, access lists need to
explicitly deny UDP 1975 packets that are sent to any router
interface IP addresses and permit transit traffic. Such access lists
need to be applied on all interfaces to be effective. Since the IPC
channel uses addresses from the 127.0.0.0/8 range, it is also
necessary to filter packets that are sourced from or destined to this
range. An example is given below:


Cisco ACE XML Gateway <= 6.0 Internal IP disclosure

Vulnerability Information
=======================================
Product:        Cisco ACE XML Gateway <= 6.0
Vulnerability:  Internal IP Address Disclosure
Vendor:         Cisco Systems, Inc. http://www.cisco.com
Product URL:    http://www.cisco.com/en/US/products/ps7314/
Author:         nitrus  [ Alejandro Hernandez H. ]
Discovery Date: 24/Aug/2009
Attack Vector:  Remote

Cisco Security Advisory: Cisco IOS Software Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability

  * Device is configured with Virtual Private Dial-Up Networks
    (VPDN).
    The command vpdn enable will appear in the device configuration.
  * Device is configured for L2TP or L2TPv3 Client-Initiated VPDN
    Tunneling.
    The command pseudowire peer-ip-address vcid pw-class pw-class-name
    appears in the device configuration.
  * Device is configured with Stack Group Bidding Protocol (SGBP).
    The command sgbp group group-name will appear in the device
    configuration.
  * A L2TP signaling template has been defined.

Cisco Security Advisory: Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak

unicast or multicast. The vulnerability can also allow leaking
multicast traffic from different MPLS VPNs. It is possible to receive
multicast traffic from VPNs that are not connected to the same
Provider Edge (PE) router. In order to successfully exploit this
vulnerability, an attacker needs to know or guess the Border Gateway
Protocol (BGP) peering IP address of a remote PE router and the
address of the multicast group that is used in other MPLS VPNs.

This vulnerability is documented in the Cisco Bug ID CSCsi01470 
and has been assigned Common Vulnerabilities and Exposures (CVE) ID 
CVE-2008-1156.

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices

and details the following vulnerabilities:

  * Unauthenticated Common Gateway Interface (CGI) Access
  * CGI Command Injection
  * TFTP Information Disclosure
  * Malicious IP Address Injection
  * XML-Remote Procedure Call (RPC) Command Injection
  * Cisco Discovery Protocol Remote Code Execution

Duplicate Issue Identification in Other Cisco TelePresence Advisories
+--------------------------------------------------------------------

Cisco Security Advisory: Cisco IOS Software Internet Group Management Protocol Denial of Service Vulnerability

Internet Group Management Protocol (IGMP) is the protocol used by
hosts and adjacent routers to manage membership in IP multicast
groups. The IGMP version 3 protocol permits source-specific multicast
which allows hosts to specify the IP address of the multicast source.

A malformed IGMP packet can cause a vulnerable device to reload. This
vulnerability can only be exploited if the malformed IGMP packet is
received on an interface that has been enabled for IGMP version 3 and
Protocol Independent Multicast (PIM). The malformed IGMP packet

Cisco Security Advisory: Cisco IOS Secure Shell Denial of Service

For more information on restricting traffic to VTYs, please consult: 
http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#wp1017389

The following example permits access to VTYs from the 192.168.1.0/24
netblock and the single IP address 172.16.1.2 while denying access
from anywhere else:

    Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
    Router(config)# access-list 1 permit host 172.16.1.2
    Router(config)# line vty 0 4
    Router(config-line)# access-class 1 in

ESA-2010-015: EMC Celerra NFS authentication bypass vulnerability using IP spoofing.

unauthorized access to root NFS export on EMC Celerra NAS.


Vulnerability Details: 

A vulnerability in EMC Celerra may allow an attacker to spoof IP addresses
that are normally used between the Celerra Control Station and X-Blade
(Data Mover) over a private IP network. While these IP addresses are
normally intended for communication internal to the Celerra, they are also
accepted from external sources. By spoofing these IP addresses, an attacker
may be able to gain unauthorized access to file systems on the Celerra. The
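A check for the condition described in TWSL2010-003 and ESA-2010-015 above: an NFS server that exports "/" and restricts it only by client IP address. The following is an added example, not code from either advisory or from EMC; it parses constructed `showmount -e` output (the addresses are placeholders, not the ones on any real Celerra model) and flags root exports, world-readable exports, exports whose only control is a source address, and loopback entries in an export ACL. Any address-only control is satisfied by an attacker who can spoof that address.

```python
import ipaddress

# Constructed sample of `showmount -e` output for this example.
SAMPLE_SHOWMOUNT = """\
Export list for nas.example.internal:
/            10.0.0.1,10.0.0.2,127.0.0.1
/fs_home     192.168.5.0/24
/scratch     (everyone)
/fs_build    build01.example.internal
"""


def parse_showmount(text):
    """Parse `showmount -e` output into {export_path: [client, ...]}."""
    exports = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Export list for"):
            continue
        parts = line.split(None, 1)
        path = parts[0]
        clients = parts[1] if len(parts) > 1 else ""
        exports[path] = [c.strip() for c in clients.split(",") if c.strip()]
    return exports


def _is_address_based(client):
    """True when the entry is an IP address or CIDR network rather than a hostname."""
    try:
        ipaddress.ip_network(client, strict=False)
        return True
    except ValueError:
        return False


def assess_exports(exports):
    """Return (path, finding) pairs a reviewer should question."""
    findings = []
    for path, clients in exports.items():
        if path == "/":
            findings.append((path, "root filesystem is exported"))
        if not clients or any(c in ("(everyone)", "*") for c in clients):
            findings.append((path, "exported to everyone"))
            continue
        addr_based = [c for c in clients if _is_address_based(c)]
        if addr_based and len(addr_based) == len(clients):
            findings.append((path, "restricted only by client IP address: " + ", ".join(clients)))
        loopback = [c for c in addr_based if ipaddress.ip_network(c, strict=False).is_loopback]
        if loopback:
            # A loopback entry can only be an internal path; accepting it from the
            # wire is exactly the Celerra condition.
            findings.append((path, "loopback entries in export ACL: " + ", ".join(loopback)))
    return findings


if __name__ == "__main__":
    for path, finding in assess_exports(parse_showmount(SAMPLE_SHOWMOUNT)):
        print(f"{path:12} {finding}")
```

Run it against the real output of `showmount -e <appliance>`; a "/" line with an address-only client list is the condition both advisories describe, and the fix is on the server side (do not export "/", and do not accept internal addresses on external interfaces), not in the client.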

CORE-2007-0928: Stack-based buffer overflow vulnerability in OpenBSD’s DHCP server

*Vulnerability Description*

OpenBSD’s DHCP server, dhcpd, implements the Dynamic Host Configuration
Protocol (DHCP) [1] and the Internet Bootstrap Protocol (BOOTP) [2].  DHCP
allows hosts on a TCP/IP network to request and be assigned IP addresses,
and also to discover information about the network to which they are
attached.  BOOTP provides similar functionality, with certain restrictions.

The DHCP protocol allows a host which is unknown to the network
administrator to be automatically assigned a new IP address out of a pool

PR07-40: Authentication Bypass, Passwords Leakage and SNMP Injection on 3Com AP 8760

What's important to note is that every time an "authenticated" URL is
accessed, there is _no_ authentication data being sent within HTTP
requests whatsoever. There are no passwords, or session IDs being
submitted at all within HTTP requests. Instead, the AP uses the
administrator's source IP address as authentication data.

This means that the authentication state relies on the false assumption
that post-authentication URLs won't be known by an attacker and that the
attacker and the administrator will _not_ share the same source IP
address. By simply accessing administrative URLs in a browser from _the

Cisco Security Advisory: Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities

Details
=======

Mobile IP is part of both IPv4 and IPv6 standards. Mobile IP allows a
host device to be identified by a single IP address even though the
device may move its physical point of attachment from one network to
another. Regardless of movement between different networks,
connectivity at the different points is achieved seamlessly without
user intervention. Roaming from a wired network to a wireless or
wide-area network is also possible.

[SECURITY] CVE-2008-3271 - Apache Tomcat information disclosure

Tomcat 6.0.x is not affected.
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected.

Description:
Bug 25835 (https://issues.apache.org/bugzilla/show_bug.cgi?id=25835) can,
in very rare circumstances, permit a user from a non-permitted IP address
to gain access to a context protected with a valve that extends
RemoteFilterValve.

Mitigation:
Upgrade to:

Cisco Security Advisory: Cisco SA 500 Series Security Appliances Web Management Interface Vulnerabilities

    Disabling remote management limits the exposure, as the
    vulnerabilities can then only be exploited from the internal LAN
    network.

  * Limit Remote Management Access to Specific IP Addresses

    If remote management is required, secure the device so that it
    can be accessed by certain IP addresses only, rather than the
    default setting of All IP Addresses. After choosing Network
    Management > Remote Management, an administrator can change the

Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

After that, I thought a Java Applet could be quite handy when it comes to
forcing the browser to perform a non-standard/malformed HTTP request (e.g.
multiple Host: headers, which exploits the Apache feature mentioned above).
 
At the same time, I also realised that in my testing environment I was
using virtual hosts resolving to the same IP address. Following a
discussion with Apache Security Team and after further research, I have
found that the Java Applet could be used to control the cookie header
sent to a different domain...
 
But let's come back to your response - you mention about a bug from

Cisco Security Advisory: Cisco Small Business SRP500 Series Command Injection Vulnerability

    Change the setting for the Remote Management field to Disabled.

    Disabling remote management limits exposure because the
    vulnerability can then be exploited from the internal LAN network only.

  * Limit Remote Management Access to Specific IP Addresses

    If remote management is required, secure the device so that it can
    be accessed by certain IP addresses only, rather than the default
    setting of All IP Addresses. After choosing "Administration > Web
    Access Management", an administrator can change the Allowed Remote

Anonymous Remote Arbitrary Code Execution in Alien Arena 7.30

listed game servers, asking each for its description. The client's parsing of
the servers' responses is vulnerable to a buffer overflow attack.

The client is designed to listen for incoming UDP packets from
master.corservers.com and from the game servers on port 27901, however it will
accept and parse UDP packets from any IP address even if the client did not
initiate a UDP conversation with that given IP address. As such, an attacker
can send a malformed UDP packet from any source IP address; they need not know
a valid game server's IP address to exploit this buffer overflow vulnerability.

When the client receives a UDP packet on port 27901 that specifies a server's
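The check the client described above lacks, as an added example that is not Alien Arena's code: a reply filter that remembers which (address, port) peers a query was sent to and drops any UDP datagram from anyone else, or from a queried peer after a timeout, before a single byte of it is parsed. The description-length bound is an assumed value for this example; the real protocol's field size is not given on this page.

```python
import time


class ServerReplyFilter:
    """Remember which (ip, port) peers a query was sent to and accept a datagram
    only if it comes from one of them, within a timeout. Unsolicited datagrams,
    which the vulnerable client would parse, are dropped before any parsing."""

    def __init__(self, timeout_s=5.0):
        self.timeout_s = timeout_s
        self._pending = {}  # (ip, port) -> deadline in monotonic seconds

    def sent_query(self, ip, port, now=None):
        now = time.monotonic() if now is None else now
        self._pending[(ip, port)] = now + self.timeout_s

    def accept(self, ip, port, now=None):
        """One reply per query: the entry is consumed whether or not it is accepted."""
        now = time.monotonic() if now is None else now
        deadline = self._pending.pop((ip, port), None)
        if deadline is None:
            return False  # we never asked this peer anything
        return now <= deadline


# Assumed bound for this example; a fixed-size receive buffer needs some such limit.
MAX_DESCRIPTION = 64


def parse_reply(filt, ip, port, payload, now=None):
    """Return the server description, or None if the datagram is unsolicited,
    late, or oversized. The length is checked before the bytes go anywhere."""
    if not filt.accept(ip, port, now):
        return None
    if len(payload) > MAX_DESCRIPTION:
        return None
    return payload.decode("ascii", errors="replace")


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    f = ServerReplyFilter()
    f.sent_query("192.0.2.10", 27910)
    print(parse_reply(f, "198.51.100.9", 27910, b"A" * 200))   # None: never queried
    print(parse_reply(f, "192.0.2.10", 27910, b"Deathmatch 24/7"))  # accepted
```

Source-address filtering on UDP is not authentication (the source can be forged by anyone able to spoof), so the length check is what actually prevents the overflow; the filter just removes the "from any IP address" amplification the advisory points out.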

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

     ...

    !

    phone-proxy <instance name>
      media-termination address <IP address>
    ...
    <Rest of phone proxy feature configuration>

Or (Cisco ASA Software version 8.2 and later):


CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

There are some issues in the way IE enforces zone security policies when
an URI is specified in the UNC form (i.e.,
'\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'). In this case, Internet
Explorer classifies as *Internet Zone* any UNC address pointing to an IP
address including '127.0.0.1'. As a result, any website (belonging to
any security zone) can address and redirect the navigation flow to files
stored in '\\127.0.0.1'.

If an attacker controlling a website finds a way to store HTML with any
valid scripting code on the local file system of the visitor and then

Cisco Security Advisory: SNMP Version 3 Authentication Vulnerabilities

the border of networks. Infrastructure Access Control Lists (iACLs)
are a network security best practice and should be considered as a
long-term addition to good network security as well as a workaround
for these specific vulnerabilities. The iACL example below should be
included as part of the deployed infrastructure access-list which
will protect all devices with IP addresses in the infrastructure IP
address range:

Note:  UDP port 161 is applicable for all versions of SNMP.

    

Cisco Security Advisory: Cisco IOS Software IPS and Zone-Based Firewall Vulnerabilities

         description ** Zone Pair - inside to outside **
         service-policy type inspect layer4-policymap
        !
        !
        interface GigabitEthernet0/0
         ip address 192.168.0.6 255.255.255.0
         ip ips myips in
         zone-member security inside
        !
        interface GigabitEthernet0/1
         ip address 192.168.1.1 255.255.255.0

RE: hacking the mitsubishi GB-50A

If you read your own post you would realize that Mitsubishi 
kept the device IP address prefix as 192.168.1 so only you can attack
yourself.

192.168 cannot be accessed from the internet ;-) [unless you NAT at which
point it's your NAT config problem]
 

-----Original Message-----

Cisco Security Advisory: Hard-Coded SNMP Community Names in Cisco Industrial Ethernet 3000 Series Switches Vulnerability

layer 3 access, dropping all SNMP queries destined to the IE3000:

    !---
    !--- Deny SNMP traffic from all other sources destined to
    !--- configured IP addresses on the IE3000.
    !---
    access-list 150 deny udp any host 192.168.0.1 eq snmp
    access-list 150 deny udp any host 192.168.1.1 eq snmp


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.