Remote Access
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Remote Access VPN and SIP Vulnerabilities in
Cisco PIX and Cisco ASA
Advisory ID: cisco-sa-20080903-asa
Revision 1.0
+----------------------------------------------------
Because of a Microsoft Windows NT Domain authentication issue the Cisco
ASA and Cisco PIX devices may be susceptible to a VPN authentication
bypass vulnerability. Cisco ASA or Cisco PIX security appliances that
are configured for IPSec or SSL-based remote access VPN using Microsoft
Windows NT Domain authentication may be vulnerable. Devices that are
using any other type of external authentication (that is, LDAP, RADIUS,
TACACS+, SDI, or local database) are not affected by this vulnerability.
The following example demonstrates how Windows NT domain authentication
Advisory # 1:
TITLE
OS Command Injection Vulnerability in Aruba Remote Access Point
Diagnostic Web Interface.
SUMMARY
An OS command injection vulnerability has been discovered in the Aruba
SEC Consult Vulnerability Lab Security Advisory < 20111012-0 >
=======================================================================
title: Client-side remote file upload & command execution
product: Microsoft Forefront Unified Access Gateway Remote
Access Agent (signed Java applet)
vulnerable version: 4.0.0.1
fixed version:
CVE number: CVE-2011-1969
impact: critical
homepage:
BACKGROUND
==========
Dell Remote Access Card 4 (DRAC4) allows customers to effectively manage
servers in remote locations where no administrative IT staff exists. It
provides lights out management with continuous video that provides a
graphical console regardless of the server's state and requires no
operating system services or drivers. Virtual media support provides the
server access to networked CD, floppy, and USB drives for server
VPN Authentication Bypass Vulnerability
+--------------------------------------
Cisco ASA or Cisco PIX security appliances that are configured for IPsec
or SSL-based remote access VPN and have the Override Account Disabled
feature enabled are affected by this vulnerability.
Note: The Override Account Disabled feature was introduced in Cisco
ASA software version 7.1(1). Cisco ASA and PIX software versions 7.1,
7.2, 8.0, and 8.1 are affected by this vulnerability. This feature is
None
Severity
Medium
Remote Access
Yes
Local Access
No
Authentication Required
Authorized network access normally required
Exploit publicly available
No
vulnerability that may cause all IPsec tunnels terminating on
the appliance to be torn down and prevent new tunnels from being
established. The tunnels are not torn down immediately; IPsec traffic
will continue to flow until the next rekey, at which time the rekey
will fail and the tunnels will be torn down. Both site-to-site and
remote access VPN tunnels are affected. The vulnerability is triggered
when the appliance processes a malformed IKE message on port UDP 4500
that traverses an existing IPsec tunnel. The only way to recover and
re-establish IPsec VPN tunnels is to reload the appliance.
When this vulnerability is exploited, the security appliance will
-----------------------------------------------
Release Date:
29-May-2009
Software:
SonicWALL - SSL-VPN Remote Access
http://www.sonicwall.com/
Description:
"SonicWALL SSL VPN appliances provide small and mid-size organizations an
easy-to-use, secure and affordable remote access solution that requires no
Impact
======
Successful exploitation of this vulnerability may prevent some TCP
applications on Cisco IOS Software from accepting any new connections.
Exploitation could also prevent remote access to the affected system
via the vtys. Remote access to the affected device via out-of-band
connectivity to the console port should still be available.
Software Versions and Fixes
===========================
4. Static Passwords for Privileged User Accounts
The secure shell daemon is running by default and the system is configured with static passwords for a number of root-equivalent accounts. It is possible to crack these passwords and gain access to any Accellion system with the secure shell daemon exposed. The scope of our research did not provide time to crack these passwords, but it's just a question of resource allocation. These accounts include "soggycat", "sdadmin", and the "root" user account itself.
5. Remote Access via Stale SSH Authorized Keys
The "soggycat" user account has a static password, as mentioned previously, but also has two SSH keys configured for passwordless login. These keys were generated over eight years ago and should have been changed to reduce the risk of exposure. The comments of these two keys are worrying as well:
[root@fta soggycat]# grep -i comment .ssh2/*.pub
.ssh2/theone.pub:Comment: "i am going to kiiiiiiiiiiiiill you"
CVE-2010-1454: SpringSource tc Server unauthenticated remote access to JMX interface
Severity: Critical
Vendor:
SpringSource, a division of VMware
Versions Affected:
tc Server Runtime 6.0.19.A, 6.0.20.A, 6.0.20.B, 6.0.20.C, 6.0.25.A
Symantec SYMTDI.SYS Device Driver Local Denial of Service
Revision History: None
Risk Impact: Low
Remote Access: No
Local Access: Yes
Authentication Required: Yes, to the local system
Exploit available: No
Hard-Coded Credentials in Cisco UVC Products
+-------------------------------------------
The Linux shell contains three hard-coded usernames and passwords.
The passwords cannot be changed, and the accounts cannot be deleted.
Attackers could leverage these accounts to obtain remote access to a
device by using permitted remote access protocols.
This vulnerability only affects Linux-based operating system Cisco
UVC products.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01367453
Version: 1
HPSBUX02286 SSRT071466 rev.1 - HP-UX Running System Administration Manager (SAM), Unintended Remote Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-07-25
Last Updated: 2008-07-30
CSCsc19259 - "All privilege level users can SCP running config"
CVSS Base Score - 6.0
Access Vector - Remote
Access Complexity - Low
Authentication - Required
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
Impact Bias - Normal
Aug 27, 2007
I. BACKGROUND
Motorola Inc.'s Timbuktu Pro is a remote control software which allows
remote access to a computer's desktop. It is available for Mac OS X and
Windows systems and provides integration with Skype and SSH. More
information is available from the product web site at the following
URL.
http://netopia.com/software/products/tb2/
This advisory describes two vulnerabilities that provide access to any
file stored on a user's desktop system if it is running a vulnerable
version of Internet Explorer. These vulnerabilities can be used in
attacks combined with a number of insecure features of Internet Explorer
to provide remote access to locally stored files without the need for
any further action from the victim after visiting a website controlled by
the attacker. The vulnerabilities are simple variations of bugs
disclosed previously in CoreLabs Security Advisories CORE-2008-0103 [1]
and CORE-2008-0826 [2]. Exploitation of these vulnerabilities requires
enticing users to click on URLs or otherwise visit a malicious website
code, but are not present in the form on the debug web page.
Command injection is also possible in data2 and data3 payload by using
typical shell commands concatenation.
Impacts:
Remote access and modifications to access point settings and configuration.
Remote extraction of sensitive information such as credentials for
logging into the administration interface, Wi-Fi SSIDs and passphrases.
Remote download and execution of malicious applications.
"Remote blind" attacks, where malicious web pages are used by an
attacker over the Internet to execute code on a victim access point with
RS> Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-09 14:56 CEST
RS> Interesting ports on xxx.xxx.xxx.xxx:
RS> Not shown: 1693 closed ports
RS> PORT STATE SERVICE VERSION
RS> 22/tcp filtered ssh
RS> 80/tcp open http Dell Embedded Remote Access card webserver 1.0
RS> 443/tcp open ssl/http Dell Remote Access Controller http interface 2.0
RS> 5900/tcp open vnc?
RS> Service Info: Devices: terminal server, remote management
--
> computers worldwide to date, but Chuck Norris is unusual in that it infects
> DSL modems and routers rather than PCs.
>
> It installs itself on routers and modems by guessing default administrative
> passwords and taking advantage of the fact that many devices are configured
> to allow remote access. It also exploits a known vulnerability in D-Link
> Systems devices, Vykopal said in an e-mail interview.
>
> A D-Link spokesman said he was not aware of the botnet, and the company did
> not immediately have any comment on the issue.
>
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 14, 2011
I. BACKGROUND
Citrix's Access Gateway solution provides remote access to customers via
the Web browser. This is accomplished through the use of an ActiveX
control that enables an SSL based VPN. The control itself is provided by
the server upon connecting. Access Gateway functionality is provided by
several models of Access Gateway Appliances. For more information, visit
the URL referenced below.
SMB, DB2, and more, thanks to Tod Beardsley and contributions from
Thomas Ring.
Metasploit now has support for generating malicious JSP and WAR files
along with exploits for Tomcat and JBoss that use these to gain remote
access to misconfigured installations. A new mixin was created for
compiling and signing Java applets on the fly, courtesy of Nathan Keltner.
Thanks to some excellent work by bannedit and Joshua Drake, command
injection of a cmd.exe shell on Windows can be staged into a full
Meterpreter shell using the new "sessions -u" syntax.
Unauthorized access to the MySQL database may allow modification of
system files that could impact the function of ANM or allow execution of
commands on the underlying host operating system.
Successful exploitation of the ANM privilege escalation vulnerability
may result in unauthorized remote access to system processes and
services with the ability to modify. Modification of these services
could result in a denial of service condition.
Software Versions and Fixes
===========================
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 01, 2011
I. BACKGROUND
Cisco's AnyConnect VPN solution provides remote access to customers via
the Web browser. This is accomplished through the use of an ActiveX
control. The control itself is provided by the server upon connecting.
Cisco states that AnyConnect VPN supports all Adaptive Security
Appliance (ASA) models. For more information, visit the following URL.
Jun 25, 2009
I. BACKGROUND
Motorola Inc.'s Timbuktu Pro is a remote control software that allows
remote access to a computer's desktop. It is available for Mac OS X and
Windows systems and provides integration with Skype and SSH. More
information is available on Motorola's web site at the following URL.
http://www.netopia.com/software/products/tb2/
: </script>
Now you can *edit* any file on the system, and this is 'Low' severity?
Worse, you throw in some script code instead of editing something a bit
more serious like editing a system startup file, passwd or some other form
of remote access?
At the very least, this would be 'Medium' by most standards.
Vendor description:
-------------------
The SonicWALL Global VPN Client offers an easy-to-use, easy-to-manage
Virtual Private Network (VPN) solution that provides users at
distributed locations with secure, reliable remote access via broadband,
wireless and dial-up connections.
[source: http://www.sonicwall.com/downloads/Global_VPN_DS_US.pdf]
-------------------
From [1]:
"Citrix(R) Access Gateway(TM) is a secure application access solution that
provides administrators granular application-level control while
empowering users with remote access from anywhere. It gives IT
administrators a single point to manage access control and limit actions
within sessions based on both user identity and the endpoint device,
providing better application security, data protection, and compliance
management."