authentication
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service
Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service
Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass
Vulnerability
These vulnerabilities are not interdependent; a release that is affected
by one vulnerability is not necessarily affected by the others.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: SNMP Version 3 Authentication
Vulnerabilities
Document ID: 107408
Advisory ID: cisco-sa-20080610-snmpv3
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive
Security Appliances and Cisco PIX Security Appliances. This security
advisory outlines details of these vulnerabilities:
* Windows NT Domain Authentication Bypass Vulnerability
* IPv6 Denial of Service Vulnerability
* Crypto Accelerator Memory Leak Vulnerability
Note: These vulnerabilities are independent of each other. A device may
be affected by one vulnerability and not affected by another.
(to get the scripts mentioned by this advisory please get the full
version at http://www.hexale.org/advisories/OCHOA-2010-0209.txt; I did
not include them here to reduce the size of this email)
Windows SMB NTLM Authentication Weak Nonce Vulnerability
Security Advisory
Hernan Ochoa (hernan@gmail.com) - Agustin Azubel (agustin.azubel@gmail.com)
Title: Windows SMB NTLM Authentication Weak Nonce Vulnerability
in a reload of the device or disclosure of confidential information.
This security advisory outlines details of the following
vulnerabilities:
* Erroneous SIP Processing Vulnerabilities
* IPSec Client Authentication Processing Vulnerability
* SSL VPN Memory Leak Vulnerability
* URI Processing Error Vulnerability in SSL VPNs
* Potential Information Disclosure in Clientless VPNs
Note: These vulnerabilities are independent of each other. A device
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Authentication Bypass in Cisco Unity
Advisory ID: cisco-sa-20081008-unity
http://www.cisco.com/warp/public/707/cisco-sa-20081008-unity.shtml
Revision 1.0
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive
Security Appliances and Cisco PIX Security Appliances. This security
advisory outlines the details of these vulnerabilities:
* VPN Authentication Bypass when Account Override Feature is Used
vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
Hash: SHA1
Aruba Networks Security Advisory
Title: Management User Authentication Bypass Vulnerability When Using
Public Key Based SSH Authentication.
Aruba Advisory ID: AID-42309
Revision: 1.0
Advisory: Geo++(R) GNCASTER: Faulty implementation of HTTP Digest
Authentication
During a penetration test, RedTeam Pentesting discovered that the
GNCaster software has multiple bugs in its implementation of HTTP Digest
Authentication.
Details
=======
A malicious user can abuse the "Check for mail using POP3" feature to
automate password cracking.
As you commented, this feature has a lockout (for 2 hours) on
authentication attempts, and beyond this limit (100 requests) the
message returned by the application does not reveal whether the tested
password is correct or not. However, every 2 hours an attacker could
make 100 authentication attempts.
To overcome this limit (100 authentication attempts), it is sufficient
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
* SSH connections denial of service vulnerability
* Crafted HTTP or HTTPS request denial of service vulnerability
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
command execution (http://www.milw0rm.com/exploits/8093). As there is a
milw0rm exploit already posted it is likely malicious users are already
exploiting pPIM. I decided to have a closer look at pPIM and, quite
frankly, was horrified by what I found. pPIM contains multiple
vulnerabilities, from version information leakage, to system credential
disclosure, to remote command execution, authentication bypass and cross
site scripting vulnerabilities. Possibly the only class of
vulnerability pPIM is not exposed to is SQL injection as it doesn't
employ any database back end. That said, there seemed to be nothing in
the way of security other than an easily bypassable GET variable check
in the header, present in pPIM. The following is a brief synopsis of my
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Aruba Networks Security Advisory
Title: Aruba Mobility Controller TACACS User Authentication and Cross
Site Scripting Vulnerabilities
Aruba Advisory ID: AID-051408
Revision: 1.0
their advisory: "Cisco Secure ACS EAP Parsing Vulnerability". The
original advisory is available at:
http://www.securityfocus.com/archive/1/495937/30/0/threaded
A specially crafted Remote Authentication Dial In User Service
(RADIUS) Extensible Authentication Protocol (EAP) Message Attribute
packet sent to the Cisco Secure Access Control Server (ACS) can crash
the CSRadius and CSAuth processes of Cisco Secure ACS. Because this
affects CSAuth all authentication requests via RADIUS or TACACS+ will
be affected during exploitation of this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2010-018: RSA Security Advisory: RSA, The Security Division of EMC, announces a fix for a potential security vulnerability in RSA® Authentication Client when storing secret key objects on an RSA SecurID® 800 Authenticator
RSA Authentication Client 2.0.x, 3.0, and 3.5.x contain a potential vulnerability that could allow the unintended extraction, by a properly authenticated user, of secret (or symmetric) key objects stored on an RSA SecurID 800 Authenticator. This potential vulnerability is corrected in RSA Authentication Client 3.5.3.
Description:
asa(config-pmap-c)# inspect sip my-inspect tls-proxy my-tls-proxy
asa(config)# service-policy global_policy global
The Cisco ASA is also vulnerable when the Cut-Through Proxy for
Network Access feature is used with HTTPS. This feature is enabled
for direct authentication using HTTPS with the "aaa authentication
listener https" command, as shown in the following example:
ASA(config)# aaa authentication listener https inside port 443
Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL:
http://www.tomneaves.co.uk/Netgear_DG632_Authentication_Bypass.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009
I. DESCRIPTION
Oracle is a widely-deployed Database Management System (DBMS) that supports a variety of applications. Many multi-tier applications are designed to use proxy authentication, restricting a middle tier to establish the database connection on behalf of the users. The standard authentication mechanism requires the client, the middle tier in this case, to provide valid credentials in order to authenticate and connect to the DBMS. User sessions are then created through the proxy connection. Oracle TNS protocol messages are used for session setup, authentication and data transfer.
Scope
Imperva’s Application Defense Center (ADC) conducts extensive research on enterprise applications and databases. During its research, the team has identified a vulnerability in Oracle’s proxy authentication and access control mechanism.
Findings
access-list auth-proxy extended permit tcp any any eq www
access-list auth-proxy extended permit tcp any any eq telnet
access-list auth-proxy extended permit tcp any any eq https
!
aaa authentication match auth-proxy inside LOCAL
aaa authentication secure-http-client
aaa authentication listener https inside port https
A configuration affected by this vulnerability will contain the
command aaa authentication secure-http-client or aaa authentication
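The two ASA fragments above name the commands whose presence matters for triage: "aaa authentication listener https" (the Cut-Through Proxy for Network Access feature over HTTPS), "aaa authentication secure-http-client", and an "inspect sip ... tls-proxy" action shown inside a policy map that is attached with "service-policy". The following Python is an added example, not Cisco's or the advisory's own code: it walks a saved running-config, reports the two aaa commands wherever they appear, and reports a SIP inspection with a TLS proxy only when its policy map is actually applied with a service-policy, since an unattached policy map does no inspection. The sample configuration is constructed here from the fragments on the page; the hostname, the class-map name "sip_class", the "staging_policy" map and the empty "parameters" section are placeholders, and treating the service-policy attachment as the condition for the SIP check is this example's design choice.

```python
"""Scan an ASA running-config for the commands named in the advisory fragments."""
import re

# Top-level commands that mark the affected AAA configuration (from the page).
AAA_CHECKS = [
    ("aaa authentication listener https (Cut-Through Proxy over HTTPS)",
     re.compile(r"^aaa authentication listener https\b")),
    ("aaa authentication secure-http-client",
     re.compile(r"^aaa authentication secure-http-client\b")),
]
# "policy-map NAME" or "policy-map type inspect PROTO NAME".
POLICY_RE = re.compile(r"^policy-map (?:type \S+ \S+\s+)?(\S+)\s*$")
# "service-policy NAME global" or "service-policy NAME interface IFNAME".
SERVICE_RE = re.compile(r"^service-policy (\S+)\s+(global|interface \S+)")
# Indented "inspect sip [sip_map] tls-proxy NAME" inside a policy-map class.
SIP_TLS_RE = re.compile(r"^\s+inspect sip\b.*\btls-proxy\b")


def scan_config(config_text):
    """Return sorted (line_no, label, line) findings for an ASA config."""
    findings = []
    sip_inspects = []      # (line_no, policy_map, line) seen so far
    applied = set()        # policy maps attached via service-policy
    current_pmap = None
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():
            # Any unindented line ends the current policy-map block.
            current_pmap = None
            m = POLICY_RE.match(line)
            if m:
                current_pmap = m.group(1)
                continue
            m = SERVICE_RE.match(line)
            if m:
                applied.add(m.group(1))
                continue
            for label, pat in AAA_CHECKS:
                if pat.match(line):
                    findings.append((no, label, line))
        elif current_pmap and SIP_TLS_RE.match(line):
            sip_inspects.append((no, current_pmap, line.strip()))
    # service-policy may come after the policy-map, so resolve at the end.
    for no, pmap, text in sip_inspects:
        if pmap in applied:
            findings.append(
                (no, f"inspect sip with tls-proxy in applied policy-map {pmap}", text))
    return sorted(findings)


def is_affected(config_text):
    return bool(scan_config(config_text))


# Constructed sample built from the fragments quoted above; names are placeholders.
SAMPLE_CONFIG = """\
hostname asa-example
!
access-list auth-proxy extended permit tcp any any eq www
access-list auth-proxy extended permit tcp any any eq telnet
access-list auth-proxy extended permit tcp any any eq https
!
aaa authentication match auth-proxy inside LOCAL
aaa authentication secure-http-client
aaa authentication listener https inside port https
!
class-map sip_class
 match port tcp eq 5060
!
policy-map type inspect sip my-inspect
 parameters
!
policy-map global_policy
 class sip_class
  inspect sip my-inspect tls-proxy my-tls-proxy
!
policy-map staging_policy
 class sip_class
  inspect sip my-inspect tls-proxy my-tls-proxy
!
service-policy global_policy global
"""

if __name__ == "__main__":
    for no, label, line in scan_config(SAMPLE_CONFIG):
        print(f"line {no}: {label}: {line}")
```

Run against a directory of exported configs, the three findings for the sample are lines 8, 9 and 19; the identical inspect line under "staging_policy" is not reported because nothing attaches that policy map.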
Field 1: 10-digit base10 command length field ("0000000027")
Field 2: RPC command ("rxrLogin")
Field 3: Constant Argument Delimiter ("~~")
Field 4: Argument ("administrator")
Vulnerability #1: Authentication Username Overflow
A stack-based buffer overflow exists within the authentication portion
of rxRPC.dll which is accessible via TCP/1900. A sample legitimate
authentication packet resembles the following:
0000000013rxrLogin~~administrator
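The frame layout described above (a 10-digit decimal length field, the RPC command name, the constant "~~" delimiter and the argument) is simple to encode and decode, and doing so makes the overflow condition easy to check for. The following Python is an added example, not code from the advisory: it builds a frame from its fields, parses one back, verifies the length field, and reports an "rxrLogin" username longer than a chosen threshold. Two assumptions are made: the length field is taken to count the argument, which is what the sample frame on the page ("0000000013" for the 13-byte "administrator") implies although the field description calls it a command length; and the 64-byte threshold (MAX_ARG_LEN) is illustrative, since the advisory does not state the size of the overflowed buffer.

```python
"""Encoder, decoder and sanity check for the rxRPC login frame quoted above."""
import re

LEN_FIELD = 10          # 10-digit base-10 length prefix
DELIM = b"~~"           # constant argument delimiter
# Assumed threshold for flagging an oversized username; the advisory gives
# no buffer size, so this value is only illustrative.
MAX_ARG_LEN = 64

# <10 digits><command>~~<argument>; the command is taken up to the delimiter.
FRAME_RE = re.compile(rb"^(\d{10})([A-Za-z0-9_]+)~~(.*)$", re.DOTALL)


def build_frame(command, argument):
    """Build a frame; the length field counts the argument bytes (assumed)."""
    arg = argument.encode()
    if len(arg) >= 10 ** LEN_FIELD:
        raise ValueError("argument too long for a 10-digit length field")
    return f"{len(arg):0{LEN_FIELD}d}".encode() + command.encode() + DELIM + arg


def parse_frame(frame):
    """Split a frame into its fields and record whether the length matches."""
    m = FRAME_RE.match(frame)
    if not m:
        raise ValueError("not an rxRPC frame")
    declared = int(m.group(1))
    argument = m.group(3)
    return {
        "declared_len": declared,
        "command": m.group(2).decode(),
        "argument": argument,
        "length_ok": declared == len(argument),
    }


def check_login(frame):
    """Return findings for a frame; an empty list means it looks legitimate."""
    findings = []
    f = parse_frame(frame)
    if not f["length_ok"]:
        findings.append("length field does not match argument length")
    if f["command"] == "rxrLogin" and len(f["argument"]) > MAX_ARG_LEN:
        findings.append(
            f"rxrLogin username is {len(f['argument'])} bytes (> {MAX_ARG_LEN})")
    return findings


if __name__ == "__main__":
    legit = build_frame("rxrLogin", "administrator")   # sample from the page
    print(legit, check_login(legit))
    print(check_login(build_frame("rxrLogin", "A" * 500)))
```

The same parser can sit in front of a TCP/1900 listener or run over captured payloads; anything that fails `parse_frame` or produces findings is worth a closer look.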
Summary
=======
Cisco IOS® devices that are configured for Internet Key Exchange
(IKE) protocol and certificate based authentication are vulnerable to
a resource exhaustion attack. Successful exploitation of this
vulnerability may result in the allocation of all available Phase 1
security associations (SA) and prevent the establishment of new IPsec
sessions.
PR07-40: Authentication Bypass, Passwords Leakage and SNMP Injection on
3Com AP 8760
Vulnerability Found: 6th November 2007
Vendor Informed: 2nd May 2008
Date Public: 14th November 2008
Severity: Medium
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco Unified Communications Manager Denial
of Service and Authentication Bypass
Vulnerabilities
Advisory ID: cisco-sa-20080625-cucm
Revision 1.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2010-017: RSA, The Security Division of EMC, announces a security
update for RSA Authentication Agent 7.0 for Web, which addresses a
potential directory traversal vulnerability
Security Advisory
Updated September 20, 2010
Vulnerability Details
---------------------
As with many modern browsers, Google Chrome implements a password manager to
help users keep track of credentials used on various web sites. It may be used
to store either HTTP authentication credentials or form-based credentials.
The vulnerability surfaces in a situation where a user visits a web page which
includes an embedded object, such as an image, from a third-party site. If an
attacker had control of the third-party web server, he could request credentials
from the user via HTTP authentication. This style of attack has been documented
* CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
CSCsj74818 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
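The metric lines listed for each bug (Access Vector, Access Complexity, Authentication and the three impacts) are the CVSS version 2 base metrics, and the scores shown can be recomputed from them. The following Python is an added example, not part of the advisory: it parses a metric block in the format printed above into a short vector, evaluates the CVSS v2 base equation, and then the temporal equation. The excerpt does not list the temporal metrics; the example assumes Exploitability: Functional, Remediation Level: Official Fix, Report Confidence: Confirmed (E:F/RL:OF/RC:C), the combination under which 6.4 and 8.3 follow from 7.8 and 10.0.

```python
"""CVSS v2 base and temporal scoring for advisory metric blocks (added example)."""
import re

# CVSS v2 base metric weights, keyed by the spelled-out values in the advisory.
AV = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
AC = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AU = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
CIA = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}

# CVSS v2 temporal metric weights.
E = {"Unproven": 0.85, "Proof-of-Concept": 0.90, "Functional": 0.95,
     "High": 1.0, "Not Defined": 1.0}
RL = {"Official Fix": 0.87, "Temporary Fix": 0.90, "Workaround": 0.95,
      "Unavailable": 1.0, "Not Defined": 1.0}
RC = {"Unconfirmed": 0.90, "Uncorroborated": 0.95, "Confirmed": 1.0,
      "Not Defined": 1.0}

# Metric line names as printed, their vector abbreviations, and weight tables.
METRICS = [
    ("Access Vector", "AV", AV),
    ("Access Complexity", "AC", AC),
    ("Authentication", "Au", AU),
    ("Confidentiality Impact", "C", CIA),
    ("Integrity Impact", "I", CIA),
    ("Availability Impact", "A", CIA),
]
LINE_RE = re.compile(r"^\s*([A-Za-z ]+?)\s+-\s+(.+?)\s*$")


def parse_metric_block(text):
    """Map the six base metric names to their values; other lines are ignored."""
    wanted = {name for name, _, _ in METRICS}
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) in wanted:
            found[m.group(1)] = m.group(2)
    missing = wanted - set(found)
    if missing:
        raise ValueError(f"metric block is missing {sorted(missing)}")
    return found


def to_vector(metrics):
    """Short vector form, e.g. AV:N/AC:L/Au:N/C:N/I:N/A:C (first letters)."""
    return "/".join(f"{abbr}:{metrics[name][0]}" for name, abbr, _ in METRICS)


def base_score(metrics):
    """CVSS v2 base equation, rounded to one decimal."""
    c, i, a = (CIA[metrics[n]] for n in
               ("Confidentiality Impact", "Integrity Impact", "Availability Impact"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = (20 * AV[metrics["Access Vector"]]
                      * AC[metrics["Access Complexity"]]
                      * AU[metrics["Authentication"]])
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def temporal_score(base, e="Functional", rl="Official Fix", rc="Confirmed"):
    """CVSS v2 temporal equation. The E:F/RL:OF/RC:C defaults are an
    assumption; the excerpt lists only the resulting temporal scores."""
    return round(base * E[e] * RL[rl] * RC[rc], 1)


def score_block(text):
    metrics = parse_metric_block(text)
    base = base_score(metrics)
    return {"vector": to_vector(metrics), "base": base,
            "temporal": temporal_score(base)}


# Metric blocks copied from the advisory excerpt above.
CTLPROVIDER_LEAK = """\
CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider)
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
"""
DNS_STACK_OVERFLOW = """\
CSCsj74818 - DNS Response Parsing Stack Overflow
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
"""

if __name__ == "__main__":
    for block in (CTLPROVIDER_LEAK, DNS_STACK_OVERFLOW):
        print(block.splitlines()[0], score_block(block))
```

The availability-only DoS scores 7.8 because the impact term uses only the 0.660 weight for Availability, while the DNS stack overflow with all three impacts Complete reaches the 10.0 ceiling; the temporal discount of 0.95 x 0.87 takes those to 6.4 and 8.3.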
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco Video Surveillance IP Gateway and
Services Platform Authentication Vulnerabilities
Advisory ID: cisco-sa-20070905-video
http://www.cisco.com/warp/public/707/cisco-sa-20070905-video.shtml
administrators.
The same TCP/IP ports are used for administration of the server and for
registration of the out-of-office call center agents.
In addition, no real authentication takes place. A tool called
"Tsa_Maintainance.exe" that ships with the product can be used to view the
debugging functions and status of the call center without any
authentication.
This way every call center agent can monitor the entire call center and
their co-workers, trace lines, deregister lines, etc.