UDP port
Details
=======
Cisco 10000, uBR10012 and uBR7200 series devices use a UDP-based IPC
channel. This channel uses addresses from the 127.0.0.0/8 range and
UDP port 1975. Cisco 10000, uBR10012 and uBR7200 series devices that
are running an affected version of Cisco IOS will process IPC
messages that are sent to UDP port 1975 from outside of the device.
This behavior may be exploited by an attacker to cause a reload of
the device, linecards, or both, resulting in a DoS condition.
=======
Data-link switching (DLSw) provides a means of transporting IBM
Systems Network Architecture (SNA) and network basic input/output
system (NetBIOS) traffic over an IP network. The Cisco implementation
of DLSw also uses UDP port 2067 and IP protocol 91 for Fast Sequenced
Transport (FST).
Multiple vulnerabilities exist in Cisco IOS when processing UDP and
IP protocol 91 packets. These vulnerabilities do not affect TCP
packet processing. Successful exploitation may result in a reload
WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------
Cisco ASA 5500 Series Adaptive Security Appliances are affected by a
vulnerability that may cause the appliance to reload when a malformed
DTLS message is sent to the DTLS port (by default UDP port 443).
Appliances are only vulnerable when they are configured for WebVPN and
DTLS transport.
This vulnerability is only triggered by traffic that is destined to the
appliance; transit traffic will not trigger the vulnerability.
when the device processes a crafted MGCP packet. MGCP application layer
protocol inspection is not enabled by default.
MGCP messages are transmitted over the User Datagram Protocol (UDP),
which does allow the crafted MGCP messages to be sourced from a spoofed
address. Only the MGCP for gateway application (MGCP traffic on UDP port
2427) is affected.
To determine whether MGCP inspection is configured on the PIX or ASA,
log in to the device and issue the CLI command "show service-policy
| include mgcp". If the output contains the text "Inspect: mgcp" and
How To Verify If IPv4 UDP-based Services Are Enabled
+---------------------------------------------------
To determine whether the device is affected, use the show ip sockets
command to display all UDP ports the device is listening on. In
some newer IOS releases the show ip sockets command is obsolete, and
the alternate command show udp can be used instead. Its output is
identical to that of show ip sockets.
The device is vulnerable if the Local Port column (fifth from the
vulnerability.
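As an added example (not part of any advisory on this page, and not Cisco's code), the following Python parses the output of show ip sockets / show udp and flags the listening UDP ports that the advisories on this page name (161, 500, 848, 1975, 2067, 3232, 4500, 4848, 5060, 61441). The sample output is constructed for the example; the prompt, the address 192.0.2.1 and the set of open ports are assumptions, not a capture from a real device.

```python
import re

# Constructed sample output (not captured from a real device). The column
# layout follows the "show ip sockets" / "show udp" header on Cisco IOS; the
# 192.0.2.1 address is a documentation address chosen for the example.
SAMPLE_SHOW_UDP = """\
Router#show udp
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17      0.0.0.0       0     192.0.2.1     500    0   0    1   0
 17      --listen--          192.0.2.1     161    0   0    1   0
 17      0.0.0.0       0     192.0.2.1    4500    0   0    1   0
 17      --listen--          192.0.2.1    3232    0   0    1   0
 17      --listen--          127.0.0.1    1975    0   0    1   0
  6      --listen--          192.0.2.1      22    0   0    1   0
"""

# UDP ports named by the advisories on this page, keyed to the service each
# one indicates when it shows up in the Local Port column.
ADVISORY_UDP_PORTS = {
    161: "SNMP",
    500: "IKE",
    848: "GDOI",
    1975: "Cisco 10000/uBR IPC channel (127.0.0.0/8)",
    2067: "DLSw FST",
    3232: "MDT Data Join",
    4500: "IKE NAT-T",
    4848: "GDOI",
    5060: "SIP",
    61441: "CUCM SNMP Trap Agent",
}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_udp_sockets(text):
    """Return (local_address, local_port) for every UDP (protocol 17) row.

    Rows come in two shapes, "17 <remote> <rport> <local> <lport> ..." and
    "17 --listen-- <local> <lport> ...", so the local port is taken as the
    token after the last IPv4 address on the line rather than from a fixed
    column number.
    """
    sockets = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue            # prompt, header or blank line
        if tokens[0] != "17":
            continue            # TCP (6) and others are out of scope here
        addr_idx = [i for i, t in enumerate(tokens) if IPV4_RE.match(t)]
        if not addr_idx:
            continue
        i = addr_idx[-1]
        if i + 1 < len(tokens) and tokens[i + 1].isdigit():
            sockets.append((tokens[i], int(tokens[i + 1])))
    return sockets


def exposed_services(text):
    """Map each listening UDP port that an advisory names to its service."""
    found = {}
    for _addr, port in parse_udp_sockets(text):
        if port in ADVISORY_UDP_PORTS:
            found[port] = ADVISORY_UDP_PORTS[port]
    return found


if __name__ == "__main__":
    for port, service in sorted(exposed_services(SAMPLE_SHOW_UDP).items()):
        print("UDP %5d  %s" % (port, service))
```

Because the local port is located relative to the last IPv4 address on the row, the same function handles both the --listen-- form and the connected form. The 127.0.0.1:1975 row is deliberately kept: the Cisco 10000/uBR IPC advisory above notes that messages to that port are processed even when they arrive from outside the device, so a loopback local address is no reason to discount it.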
The "mdt data <group> <mask>" or "mdt data <group> <mask> threshold
<n> list <acl>" commands do not mitigate this vulnerability.
Filtering Packets to UDP Port 3232
+---------------------------------
MDT Data Join messages are sent to UDP port 3232. Creating an
access-list that filters destination UDP port 3232 and applying it on
the VRF interface of the PE router mitigates this vulnerability. Such
device. MGCP application layer protocol inspection is not enabled by
default.
MGCP messages are transmitted over the User Datagram Protocol (UDP),
which does allow the crafted MGCP messages to be sourced from a spoofed
address. Only the MGCP for gateway application (MGCP traffic on UDP port
2427) is affected.
To determine whether MGCP inspection is configured on the FWSM, log
in to the device and issue the CLI command "show service-policy |
include mgcp". If the output contains the text "Inspect: mgcp" and
1 0.000000 fec0:0:beef:f00d::feed fe80::754f:6144:be9e:2ae7 DHCPv6 Reply
Frame 1 (183 bytes on wire, 183 bytes captured)
Ethernet II, Src: 50:48:49:4f:4e:53 (50:48:49:4f:4e:53), Dst: 50:48:49:4f:4e:43 (50:48:49:4f:4e:43)
Internet Protocol Version 6
User Datagram Protocol, Src Port: 547 (547), Dst Port: 546 (546)
DHCPv6
Message type: Reply (7)
Transaction-ID: 0x007f1ea5
Server Identifier
option type: 2
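The following Python is an added example, not code from the advisory this capture belongs to: it builds a DHCPv6 Reply with the fields shown in the decode above (message type 7, transaction id 0x007f1ea5, a Server Identifier option of type 2, UDP 547 to 546) and parses it back, checking every option length against the datagram before using it, so that a truncated or over-long option is rejected rather than read past the buffer. The DUID contents, the client identifier and the time field are assumptions made for the example.

```python
import struct

DHCPV6_REPLY = 7
OPT_CLIENTID, OPT_SERVERID = 1, 2
DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT = 547, 546   # UDP, as in the capture


def build_duid_llt(hw_type, time_since_2000, link_addr):
    """DUID-LLT: type 1, hardware type, 32-bit time, link-layer address."""
    return struct.pack("!HHI", 1, hw_type, time_since_2000) + link_addr


def build_dhcpv6(msg_type, xid, options):
    """Serialize: msg-type (1 byte), transaction-id (3 bytes), then TLV
    options, each with a 2-byte code and a 2-byte length."""
    if not 0 <= xid < (1 << 24):
        raise ValueError("transaction id must fit in 24 bits")
    out = struct.pack("!B", msg_type) + xid.to_bytes(3, "big")
    for code, data in options:
        out += struct.pack("!HH", code, len(data)) + data
    return out


def parse_dhcpv6(payload):
    """Parse a DHCPv6 message. Every length is checked against the buffer
    before it is used, so a truncated header or an option that claims more
    bytes than remain raises ValueError instead of reading off the end."""
    if len(payload) < 4:
        raise ValueError("header truncated")
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    options = []
    off = 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("option header truncated at offset %d" % off)
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("option %d claims %d bytes but %d remain"
                             % (code, length, len(payload) - off))
        options.append((code, bytes(payload[off:off + length])))
        off += length
    return {"msg_type": msg_type, "xid": xid, "options": options}


def server_duid(payload):
    """The DUID carried in the Server Identifier option, or None."""
    for code, data in parse_dhcpv6(payload)["options"]:
        if code == OPT_SERVERID:
            return data
    return None


def is_well_formed(payload):
    """True when parse_dhcpv6 accepts the datagram, False when it rejects it."""
    try:
        parse_dhcpv6(payload)
        return True
    except ValueError:
        return False


# Constructed sample: a Reply with the transaction id from the capture above.
# The DUIDs reuse the two Ethernet addresses from the capture as link-layer
# addresses; the DUID time value is made up for the example.
CLIENT_DUID = build_duid_llt(1, 0x0ABCDEF0, bytes.fromhex("5048494f4e43"))
SERVER_DUID = build_duid_llt(1, 0x0ABCDEF0, bytes.fromhex("5048494f4e53"))
SAMPLE_REPLY = build_dhcpv6(DHCPV6_REPLY, 0x007F1EA5,
                            [(OPT_CLIENTID, CLIENT_DUID), (OPT_SERVERID, SERVER_DUID)])

if __name__ == "__main__":
    m = parse_dhcpv6(SAMPLE_REPLY)
    print("type %d xid 0x%06x options %s" % (m["msg_type"], m["xid"],
                                             [c for c, _ in m["options"]]))
```

The parser is the part worth keeping: a DHCPv6 implementation that trusts the option-len field is exactly the kind of code a crafted datagram to UDP 546/547 can crash, and the length checks here are what separate a rejected packet from a reload.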
for these specific vulnerabilities. The iACL example below should be
included as part of the deployed infrastructure access-list which
will protect all devices with IP addresses in the infrastructure IP
address range:
Note: UDP port 161 is applicable for all versions of SNMP.
!--- Permit SNMP UDP 161 packets from
!--- trusted hosts destined to infrastructure addresses.
There are no configuration steps for a router running Cisco IOS
Release 12.2(13)T and later. If both VPN devices are NAT-T capable,
NAT Traversal is auto-detected and auto-negotiated.
Note: When you enable NAT-T, the Cisco IOS device automatically opens
UDP port 4500 on all IPSec enabled interfaces.
Caution: Be aware that you may need to enable IPSec over UDP on Cisco
VPN software clients to support NAT-T. Additionally, you may need to
change firewall rules to allow UDP port 500 for Internet Key Exchange
(IKE) and UDP port 4500 for NAT-T.
The last two ports are very similar, not only because they use the
same game protocol but because they appear to be handled by the same
functions: all the bugs below can be exploited against both, and in
the case of the UDP port the source IP address can also be spoofed.
Another important point is that the vulnerabilities can be exploited
without joining the server, so neither passwords nor bans limit them.
------------------
vulnerability. The iACL example shown below should be included as
part of the deployed infrastructure access-list which will protect
all devices with IP addresses in the infrastructure IP address range:
!-- Permit SNMP (UDP port 161) packets from trusted hosts
!-- destined to infrastructure addresses.
!
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 161
!
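To see what the iACL entry above actually admits, here is an added example (not Cisco's code and not from the advisory) that parses extended access-list entries with wildcard masks and evaluates packets against them, first match wins with the implicit deny at the end. The address ranges substituted for TRUSTED_HOSTS and INFRASTRUCTURE_ADDRESSES, and the two extra entries that complete the fragment, are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches everything; otherwise "udp", "tcp", ...
    src: str
    src_wc: str            # Cisco wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wc: str
    dport: Optional[int]   # None when the entry has no "eq <port>"


def _address_spec(tokens, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (addr, wc, next_i)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line):
    """Parse one 'access-list N permit|deny PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError("not an extended access-list entry: %r" % line)
    action, proto = t[2], t[3]
    src, src_wc, i = _address_spec(t, 4)
    dst, dst_wc, i = _address_spec(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)


def parse_acl(text):
    """Parse the numbered entries of an ACL, skipping '!' comment lines."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]


def wildcard_match(addr, base, wc):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wc))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def evaluate(acl, src, dst, proto, dport=None):
    """First matching entry decides; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Constructed iACL filling in the template above. 192.0.2.0/24 stands for
# TRUSTED_HOSTS and 10.0.0.0/8 for INFRASTRUCTURE_ADDRESSES; both are
# assumed values for the example, not addresses from the advisory.
IACL_TEXT = """\
!-- Permit SNMP (UDP port 161) packets from trusted hosts
!-- destined to infrastructure addresses.
access-list 150 permit udp 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255 eq 161
!-- Deny SNMP to infrastructure addresses from everyone else.
access-list 150 deny udp any 10.0.0.0 0.255.255.255 eq 161
!-- Everything else, including transit traffic, is left alone here.
access-list 150 permit ip any any
"""
IACL = parse_acl(IACL_TEXT)

if __name__ == "__main__":
    for pkt in [("192.0.2.10", "10.1.1.1", "udp", 161),
                ("198.51.100.7", "10.1.1.1", "udp", 161),
                ("198.51.100.7", "172.16.0.5", "udp", 161)]:
        print(pkt, "->", evaluate(IACL, *pkt))
```

A packet whose source claims to be in 192.0.2.0/24 is permitted regardless of where it really came from, which is why the advisories on this page describe an iACL as incomplete protection against spoofed UDP packets; anti-spoofing filtering at the network edge is the necessary complement.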
Vulnerable Products
+------------------
IKE is enabled by default if IPsec is used. Cisco IOS devices that
are configured for IKE will listen on UDP port 500, UDP port 4500 if
the device is configured for NAT Traversal (NAT-T), or UDP ports 848
or 4848 if the device is configured for Group Domain of
Interpretation (GDOI). The following outputs show a router that is
listening on UDP port 500:
This vulnerability affects a limited number of Cisco IOS Software
releases. Consult the "Software Versions and Fixes" section of this
advisory for the details of affected releases.
Only devices that are configured with Cisco IOS Zone-Based Policy
Firewall SIP inspection (UDP port 5060, TCP ports 5060, and 5061) are
vulnerable. Cisco IOS devices that are configured with legacy Cisco
IOS Firewall Support for SIP (context-based access control (CBAC))
are not vulnerable.
Vulnerable Products
to be imposed on the malformed packet might reload the device. This
vulnerability is documented in Cisco bug ID CSCti98219 and has been
assigned CVE ID CVE-2011-3279.
NAT of crafted SIP over UDP packets DoS vulnerabilities: There are two
DoS vulnerabilities related to similar crafted packets on UDP port 5060
that require SIP translation: the first is a vulnerability that will
cause the device to reload and the second will cause a memory leak
that could lead to a DoS condition, including reload of the vulnerable
device. The NAT of SIP vulnerabilities are documented in Cisco bug ID
CSCti48483 and Cisco bug ID CSCtj04672. They have been assigned CVE IDs
1. Send the following protocols sequentially (i.e., almost at the same
time):
- ICMP: Internet Control Message Protocol
- IGMP: Internet Group Management Protocol
- TCP: Transmission Control Protocol
- UDP: User Datagram Protocol
2. Send a very large number of packets per second, making it a
“second to none” tool:
- More than 1,000,000 pps of SYN flood (over 50% of the network’s uplink) in
a 1000BASE-T network (Gigabit Ethernet).
The SNMP Trap Agent service of Cisco Unified Communications Manager
versions 4.1, 4.2, 4.3, 5.x and 6.x contain a vulnerability that
occurs when a series of malformed UDP packets are received by a
vulnerable Cisco Unified Communications Manager system and may result
in a DoS condition. The SNMP Trap Agent service listens by default on
UDP port 61441. There is a workaround for this vulnerability. This
vulnerability is fixed in Cisco Unified Communications Manager
versions 4.1(3)SR6, 4.2(3)SR3, 4.3(2), 5.1(3) and 6.1(1). This
vulnerability is documented in Cisco Bug ID CSCsj24113 and has been
assigned the CVE identifier CVE-2008-1746.
responsible for handling all aspects of call setup and termination.
Voice and video are the most popular types of sessions that SIP
handles, but the protocol has the flexibility to accommodate other
applications that require call setup and termination.
NAT for SIP translates packets using UDP (port 5060) or TCP (port
5060) as the underlying transport protocol. The NAT for SIP DoS
vulnerability can be exploited only with the use of UDP port 5060
packets.
This vulnerability is documented in Cisco bug ID CSCtf17624
Note: In the previous example, the "Product Name" VAM2+ is displayed,
indicating that the router has the VAM2+ installed. The Enabled
keyword under "State" indicates that the VAM2+ is enabled and active.
in CUPS 1.1.23 and earlier could allow local admin users to execute
arbitrary code via a crafted URI to the CUPS service (CVE-2007-5848).
The Red Hat Security Team also found two flaws in CUPS 1.1.x where
a malicious user on the local subnet could send a set of carefully
crafted IPP packets to the UDP port in such a way as to cause CUPS
to crash (CVE-2008-0597) or consume memory and lead to a CUPS crash
(CVE-2008-0596).
Finally, another flaw was found in how CUPS handled the addition and
removal of remote printers via IPP that could allow a remote attacker
> * OpenBSD 2.5-4.2
>   o libc resolver predictable DNS transaction ID (the
>     source UDP port is random though).
> * Mac OS X 10.0-10.5.1, Mac OS X Server 10.0-10.5.1, Darwin
>   1.0-9.1
privileges.
In all cases, no authentication credentials are required to access the
vulnerable code. In order to exploit the first two vulnerabilities, the
attacker needs only the ability to initiate a session with the Timbuktu
service. This service typically runs on TCP or UDP port 407.
The third vulnerability requires access to the local network since the
problem lies in the handling of a response from a scanned server.
Additionally, an attacker would need to persuade a user to attempt to
connect to the malicious server.
SNMP management traffic that can be received by the ACE is controlled
through the use of class maps, policy maps, and service policies.
This Management Traffic Service example denies unauthorized SNMP
packets on UDP port 161 that are sent to an affected device. In the
following example, 192.168.100.1 is considered a trusted source that
requires SNMP access to the affected device. Care should be taken to
allow all required management access to the affected device. An
attacker could exploit this vulnerability using spoofed packets. This
workaround cannot provide complete protection against this
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of the Calendar Manager RPC Service.
Authentication is not required to exploit this vulnerability.
The specific flaw exists within the CMSD server (rpc.cmsd) which listens
by default on UDP port 32768. The process does not properly handle large
XDR-encoded ASCII strings to RPC call 10 followed by RPC call 6. This
can be abused by an attacker to overflow a buffer on the remote host.
Successful exploitation can result in arbitrary code execution.
-- Vendor Response:
with root privileges.
The vulnerability exists within the Legacy NAT Traversal code. Unlike
the core of the mDNSResponder service, this area of code does not rely
on Multicast UDP. It listens on a dynamically allocated Unicast UDP
port.
The vulnerability occurs when parsing a malformed HTTP request. This
results in an exploitable heap overflow.
III. ANALYSIS
1) Introduction
===============
FTP Log Server is a daemon installed and running with Ipswitch WS_FTP
which listens on UDP port 5151 and is used for all the logging
operations of this FTP server.
#######################################################################
tftpx SERVER ..\../..\../boot.ini none
tftpx SERVER c:\boot.ini none
tftpx SERVER \\internal_host\documents\file.txt none
send the bytes 00 01 to UDP port 69 of the server:
echo -n -e '\x00\x01' | nc -u -v -v SERVER 69
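The nc one-liner above sends only the two opcode bytes of an RRQ, with no filename or mode, and the tftpx lines request filenames built from ..\..\ sequences, a drive letter and a UNC name. The Python below, added here and not part of the advisory or of the WS_FTP/tftpx tools, shows how a TFTP server should parse a request and map the requested filename under its root so that each of those inputs is refused. The root directory /srv/tftp and the sample requests are assumptions for the example; the three refused filenames are the ones from the tftpx lines.

```python
import struct

TFTP_RRQ, TFTP_WRQ = 1, 2
TFTP_PORT = 69          # UDP
TFTP_MODES = (b"netascii", b"octet", b"mail")


def parse_request(datagram):
    """Parse a TFTP read/write request: opcode(2) | filename NUL | mode NUL.

    Anything shorter than that, or without the terminating NULs, raises
    ValueError. The two-byte datagram sent by the nc one-liner above is
    exactly this case: an opcode with no filename, which a server must
    reject rather than parse past the end of the buffer.
    """
    if len(datagram) < 2:
        raise ValueError("datagram shorter than the opcode")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        raise ValueError("opcode %d is not RRQ/WRQ" % opcode)
    fields = datagram[2:].split(b"\x00")
    # A well-formed request ends in NUL, so split() leaves a trailing empty field.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("filename or mode missing / not NUL-terminated")
    filename, mode = fields[0], fields[1].lower()
    if mode not in TFTP_MODES:
        raise ValueError("unknown mode %r" % mode)
    return opcode, filename.decode("latin-1"), mode.decode("ascii")


def is_valid_request(datagram):
    """True when parse_request accepts the datagram, False when it rejects it."""
    try:
        parse_request(datagram)
        return True
    except ValueError:
        return False


def safe_path(root, filename):
    """Map a requested filename to a path under root, or return None.

    Backslashes are treated as separators (the Windows server in the
    advisory accepts both). Absolute paths and UNC names (a leading
    separator, including two leading backslashes), drive letters or NTFS
    streams (any component containing ':') and '..' components are refused
    outright rather than normalised.
    """
    parts = filename.replace("\\", "/").split("/")
    if parts[0] == "":
        return None                       # leading separator: absolute or UNC
    clean = []
    for p in parts:
        if p in ("", "."):
            continue                      # collapse // and /./
        if p == ".." or ":" in p:
            return None
        clean.append(p)
    if not clean:
        return None
    return root.rstrip("/") + "/" + "/".join(clean)


def resolve_request(datagram, root="/srv/tftp"):
    """Parse a request and return the on-disk path, or None when it must be refused."""
    _opcode, filename, _mode = parse_request(datagram)
    return safe_path(root, filename)


if __name__ == "__main__":
    # Constructed requests: one legitimate, then the traversal, drive-letter
    # and UNC filenames from the tftpx lines above.
    for name in ("firmware/image.bin", "..\\../..\\../boot.ini",
                 "c:\\boot.ini", "\\\\internal_host\\documents\\file.txt"):
        req = b"\x00\x01" + name.encode("latin-1") + b"\x00octet\x00"
        print("%-45s -> %s" % (name, resolve_request(req)))
    print("opcode-only datagram valid:", is_valid_request(b"\x00\x01"))
```

Refusing rather than normalising is deliberate: a server that rewrites `..\../` into something harmless invites the next encoding trick, whereas one that accepts only relative, colon-free components under its root has nothing to rewrite.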
vulnerable installations of Hewlett Packard StorageWorks Storage
Mirroring. Authentication is not required to exploit this
vulnerability.
The specific flaw exists in the DoubleTake.exe process bound by default
on TCP ports 1100, 1106 and UDP port 1105. During the handling of an
encoded authentication request, the process copies the user-supplied
login information into a fixed length stack buffer. Sending at least 256
bytes will trigger a stack based buffer overflow due to a vulnerable
processing loop. Exploitation of this issue can result in arbitrary code
execution.