TCP port
Note: Only the Cisco SBC module reloads after successful
exploitation. The Cisco 7600 series router does not reload and it is
not affected by this vulnerability.
Note: TCP port 2000 is typically used by Skinny Call Control Protocol
(SCCP) applications. However, the Cisco SBC module uses TCP port 2000
for high availability (redundancy) communication, but does not use
the SCCP for this purpose.
This vulnerability is documented in Cisco Bug IDs CSCsq18958 (
* HTTP Server DoS
Cisco Unified IP Phone 7935 and 7936 devices running SCCP
firmware contain a DoS vulnerability in their internal HTTP
server. By sending a specially crafted HTTP request to TCP port
80 on a vulnerable phone, it may be possible to cause the phone
to reboot. It is possible to work around this issue by disabling
the internal HTTP server on vulnerable phones. The internal HTTP
server only listens to TCP port 80. This vulnerability is
corrected in SCCP firmware version 3.2(17) for 7935 devices and
Cisco devices that are running Cisco IOS Software are vulnerable when
they are configured for NAT and contain support for one or more of
the following features:
* NetMeeting Directory NAT (LDAP on TCP port 389)
* NAT for Session Initiation Protocol (SIP)
* NAT for H.323
The preferred method to verify whether NAT is enabled on a Cisco IOS
device is to log in to the device and issue the "show ip nat
The Certificate Trust List (CTL) Provider service of Cisco Unified
Communications Manager version 5.x contains a memory consumption
vulnerability that occurs when a series of malformed TCP packets are
received by a vulnerable Cisco Unified Communications Manager system
and may result in a DoS condition. The CTL Provider service listens
by default on TCP port 2444 and is user configurable. The CTL
Provider service is enabled by default. There is a workaround for
this vulnerability. The vulnerability is fixed in Cisco Unified
Communications Manager version 5.1(3). The vulnerability is
documented in Cisco Bug ID CSCsj80609 and has been assigned the
CVE identifier CVE-2008-1742.
Software are currently known to be affected by this vulnerability.
Details
=======
Completion of the 3-way handshake to the associated TCP port number(s)
of any of the features outlined below is required in order for
the vulnerability to be successfully exploited.
Airline Product Set (ALPS)
+-------------------------
Details
=======
The Skinny Call Control Protocol (SCCP) enables voice communication
between an SCCP client and a Call Manager (CM). Typically, the CM
provides service to the SCCP clients on TCP Port 2000 by default.
Initially, an SCCP client connects to the CM by establishing a TCP
connection; the client will also establish a TCP connection with a
secondary CM, if available.
The NAT SCCP Fragmentation Support feature prevents skinny control
determine if the CTL Provider service is enabled on a CUCM server.
The CTL Provider service of the CUCM contains a heap overflow
vulnerability that could allow a remote, unauthenticated user to
cause a DoS condition or execute arbitrary code. The CTL Provider
service listens on TCP port 2444 by default, but the port can be
modified by the user. This issue is documented in Cisco Bug ID
CSCsj22605.
Vulnerability Scoring Details
=============================
and then associated to the instance of the ICM/IPCC Active Directory
hierarchy will have correct permissions. Filters such as Transit ACLs
can then be used to allow access to the Administration Workstation
from only the trusted hosts.
Filters that deny HTTP packets using TCP port 80 and HTTPS packets
using TCP port 443 should be deployed throughout the network as part
of a tACL policy for protection of traffic that enters the network at
ingress access points. This policy should be configured to protect
the network device where the filter is applied and other devices
behind it. Filters for HTTP packets using TCP port 80 and HTTPS
Details
=======
The Skinny Client Control Protocol (SCCP) enables voice communication
between an SCCP client and a Call Manager (CM). Typically, the CM
provides service to the SCCP clients on TCP Port 2000 by default.
Initially, an SCCP client connects to the CM by establishing a TCP
connection; the client will also establish a TCP connection with a
secondary CM, if available.
The NAT SCCP Fragmentation Support feature enables the Skinny
===========
Filters such as Transit ACLs (tACLs) can be used to allow access to
the Administration Workstation from only trusted hosts.
Filters that deny HTTP packets using HTTPS packets using TCP port 443
and TCP port 1741 should be deployed throughout the network as part
of a tACL policy to protect the network from traffic that enters the
network at ingress access points. This policy should be configured to
protect the network device where the filter is applied and other
devices that are behind it. Filters for HTTPS packets that use TCP
Computer Telephony Integration Manager Related Vulnerability
The Computer Telephony Integration (CTI) Manager service of CUCM
versions 5.x and 6.x contains a vulnerability when handling malformed
input that may result in a DoS condition. The CTI Manager service
listens by default on TCP port 2748 and is not user-configurable.
There is no workaround for this vulnerability. This vulnerability is
fixed in CUCM versions 5.1(3c) and 6.1(2). This vulnerability is
documented in Cisco Bug ID CSCso75027 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2008-2061.
A successful exploit could cause the web server to crash or allow the
attacker to execute arbitrary code on the server. Any code would
execute with system administrative privileges.
The vulnerability could be exploited over TCP port 443 or 1741.
Note: The default HTTP and HTTPS ports can be reconfigured on the
server.
The vulnerability affects both CiscoWorks Common Services for Oracle
Clientless WebVPN, SSL VPN Client, and AnyConnect connections are
enabled via the webvpn command. For example, the following
configuration shows a Cisco ASA with WebVPN configured and enabled.
In this case the ASA will listen for WebVPN connections on the
default port, TCP port 443:
http server enable
!
webvpn
enable outside
Clientless WebVPN Connections
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Clientless WebVPN connections are enabled via the "webvpn" command. For
example, the following configuration shows an ASA running 8.0 software
with clientless WebVPN configured and enabled. In this case the ASA will
listen for WebVPN connections on the default port, TCP port 443:
http server enable
!
webvpn
enable outside
Crafted HTTPS packet will crash device
+--------------------------------------
A device configured for SSLVPN may reload or hang when it receives a
specially crafted HTTPS packet. Completion of the 3-way handshake to
the associated TCP port number of the SSLVPN feature is required in
order for the vulnerability to be successfully exploited, however
authentication is "not" required. The default TCP port number for
SSLVPN is 443.
This vulnerability is documented in Cisco bug ID CSCsk62253
Unified Communications Manager Administration interface. The software
version can also be determined by running the "show version active"
command via the command-line interface.
A SIP trunk must be configured for the Cisco Unified CallManager
server to begin listening for SIP messages on TCP and UDP port 5060
and TCP/5061. However, in Cisco Unified Communications Manager
versions 5.x and later, the use of SIP as a call signaling protocol
is enabled by default and cannot be disabled.
Cisco IOS Software is also affected by this vulnerability, but it is
Details
=======
A Cisco IOS device that is configured for SSLVPN or SSH may reload
when it receives a specially crafted TCP packet on TCP port 443
(SSLVPN) or TCP port 22 (SSH). Completion of the three-way handshake
to the associated TCP port number of these features is required for
the vulnerability to be successfully exploited; however,
authentication is not required. A Cisco IOS device that is configured
for IKE encrypted nonces may reload when it receives a specially
Cisco Security Agent for Microsoft Windows. This buffer overflow can be
exploited remotely and causes corruption of kernel memory, which leads
to a Windows stop error (blue screen) or to arbitrary code execution.
The vulnerability is triggered during processing of a crafted TCP
segment destined to TCP port 139 or 445. These ports are used by the
Microsoft Server Message Block (SMB) protocol.
Cisco has released free software updates that address this
vulnerability.
Multiple CGI command injection vulnerabilities exist in Cisco
TelePresence endpoint devices that could allow a remote,
authenticated attacker to execute arbitrary commands with elevated
privileges. To exploit these vulnerabilities, an attacker must submit
a malformed request to an affected device via TCP port 8082.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit this vulnerability.
* Cisco TelePresence endpoint - CSCtb31640 ( registered customers
Exploitation allows an attacker to execute arbitrary shell commands with
elevated privileges. Since this server runs with root privileges, an
attacker could gain complete control of the affected system.
Note that authentication is required to reach these ASP applications via
the administration server on TCP port 5100. However, several methods of
bypassing and circumventing authentication have been discovered,
rendering that requirement irrelevant.
IV. DETECTION
*Vulnerability Description*
The Borland Interbase 2007 database server [1] is vulnerable to an
integer overflow when a malformed packet is sent to the default TCP port
3050. The integer overflow can cause a stack overflow, which allows
arbitrary code execution with system privileges.
*Vulnerable Packages*
vulnerability is documented in CVE-2008-1158 and Cisco Bug ID
CSCsh50164. The second vulnerability is documented in CVE-2008-1740
and Cisco Bug ID CSCsh20972.
The SIP Proxy service of Cisco Unified Presence versions 6.0(1) and
6.0(2) contains a vulnerability that occurs when a TCP port scan is
received by a vulnerable Cisco Unified Presence system and may result
in a DoS condition. There is no workaround for this vulnerability.
This vulnerability is fixed in Cisco Unified Presence version 6.0(3).
This vulnerability is documented in CVE-2008-1741 and Cisco Bug ID
CSCsj64533.
responsible for handling all aspects of call setup and termination.
Voice and video are the most popular types of sessions that SIP
handles, but the protocol has the flexibility to accommodate other
applications that require call setup and termination.
NAT for SIP translates packets using UDP (port 5060) or TCP (port
5060) as the underlying transport protocol. The NAT for SIP DoS
vulnerability can be exploited only with the use of UDP port 5060
packets.
This vulnerability is documented in Cisco bug ID CSCtf17624
III. Detailed Description
By simply connecting to the memcached TCP port (default: 11211)
or MemcacheDB's TCP port (default: 21201) and issuing a 'stats maps'
command, the software will directly pipe the output of
/proc/self/maps to the client (see memcached.c:1153 and
memcachedb.c:946).
could be achieved via SNMP.
Technical Details:
When the LPD daemon is configured in Cisco IOS it listens on the default
LPD TCP port, 515. If connected to with a source TCP port of anything
other than 515 the following error is displayed:
$ telnet 172.30.3.101 515
Trying 172.30.3.101...
Connected to 172.30.3.101 (172.30.3.101).
EMC Dantz Retrospect 7 backup Client 7.5.116
-- Vulnerability Details:
The retroclient.exe process listens, in a default configuration, on TCP
port 497.
When packets with a length of 2064 bytes, filled with 0x00, are sent
continuously, after about 30 seconds to 5 minutes the status box shows:
"Client networking not available, or service not running". Keep on sending
packets and a short time later the retroclient.exe process terminates and
the backup service is lost, TCP
stream data transfer, reliability, efficient flow control, full-duplex
operation, and multiplexing.
When TCP connections are terminated in Cisco IOS Software, they are
allocated a transmission control block (TCB). All allocated TCBs,
associated TCP port numbers, and the TCP state are displayed in the
output of the "show tcp brief all" command-line interface (CLI) command.
Cisco IOS Software version 15.1(2)T contains a vulnerability that could
cause an embryonic TCP connection to remain in SYNRCVD or SYNSENT
state without a further TCP state transition. Examining the output of
I. BACKGROUND
The Host Integration Server is an application suite that is used to
communicate with IBM mainframe servers. One of the components of the
suite is a remote management interface. This interface is implemented
by an RPC server that listens on a dynamic TCP port. The UUID of the
vulnerable RPC service is 'ed6ee250-e0d1-11cf-925a-00aa00c006c1'. For
more information regarding the Host Integration Server, see the
vendor's website found at the following URL.
http://www.microsoft.com/hiserver/default.mspx