Cisco Security Advisory: Hard-Coded SNMP Community Names in Cisco
Industrial Ethernet 3000 Series Switches Vulnerability
Advisory ID: cisco-sa-20100707-snmp
Revision 1.0
Summary
=======
Cisco Intrusion Prevention System (IPS) platforms that have gigabit
network interfaces installed and are deployed in inline mode contain
a denial of service vulnerability in the handling of jumbo Ethernet
frames. This vulnerability may lead to a kernel panic that requires a
power cycle to recover platform operation. Platforms deployed in
promiscuous mode only or that do not contain gigabit network
interfaces are not vulnerable.
*http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml
*
*To know:
* 1. the switch must be in Server/Client mode.
* 2. the port the attacker is connected to must be in trunk mode.
* Cisco Ethernet ports with no configuration are not
* in trunk mode, but trunk mode can be obtained through a DTP
* attack with Yersinia.
* 3. you must know the VTP domain; this can be sniffed.
* 4. some of the code is from Yersinia.
*
by many wireless ISPs around the world to provide internet and private
office services to hard-to-reach customers.
Currently there is a flaw in the authentication mechanism of these radios
which, if an attacker knows some details, can allow interception of
ethernet packets broadcast from the Access Point to the Subscriber Unit
and potentially allows injection into the communication from the Subscriber Unit
to the Access Point.
There are two parts to the 5830 series radio system, an Access Point, and
a Subscriber Unit. Access Points are generally deployed at a radio tower
It is important to note that an attacker does not need to be directly
connected to the SRX in order to exploit this vulnerability. In our lab
environment, we recreated a Solar Minimum causing the SRX to overflow
by simply disconnecting the power source from the SRX device. This
caused the device to become unresponsive. Similarly, by disconnecting
ethernet prior to re-creating a Solar Maximum attack, we were able to
cause a denial of service in which all connected devices lost
connectivity to the Internet.
*II. Impact*
Hi @ll,
Intel just released updated drivers for their ethernet network adaptors,
see
<http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=17906&ProdId=3025&lang=eng>
and
<http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=18518&ProdId=3025&lang=eng>
for example.
Unfortunately ALL these driver packages contain an outdated and
Dear Seth Fogie,
In the same way you can plug in a USB Ethernet network adapter with
a notebook attached. No ActiveSync is required at all. This is a question
of physical security.
--Tuesday, September 30, 2008, 6:08:05 PM, you wrote to bugtraq@securityfocus.com:
SF> White Wolf Labs #080922-1: Exploitation Through ActiveSync 4.x
By disconnecting the client between a connection, the server can no
longer reach its destination thus breaking TCP/IP.
II. Impact
A remote or local attacker can unplug an ethernet cable, unplug a switch
or router or bring down an interface and disrupt TCP/IP services.
III. Solution
We are currently working to develop and implement a new RFC labeled
Sup720-3B, or Sup720-3BXL
* Cisco 7600 Series devices with the Sup32, Sup720, Sup720-3B, or
Sup720-3BXL
* Cisco 7600 Series devices with the RSP720, RSP720-3C, or
RSP720-3CXL
* Cisco ME 6524 Ethernet Switch
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by this
=========================
The WBR-3460A comes with firmware version 1.00.06 installed, which happens to be the only available version that is not affected by the vulnerability described below; however, it lacks WPA2-PSK support and also external/internal port mapping in the Virtual Servers configuration page, amongst other things.
II Background:
==============
The Level-One WBR-3460A is an ADSL2/2+ Modem/Wireless Router which runs Linux BusyBox v0.61.pre on a 32-bit RISC 4KEc V4.8 processor at 211 BogoMIPS, it incorporates 14 MB of RAM and four 10/100 Ethernet ports.
III Description:
================
Performing an nmap scan on the internal address I came up with the following:
(OOPS), and possibly have unspecified other impact by specifying a
node that is not part of the kernel's node set. (CVE-2010-0415)
drivers/net/e1000e/netdev.c in the e1000e driver in the Linux
kernel 2.6.32.3 and earlier does not properly check the size of an
Ethernet frame that exceeds the MTU, which allows remote attackers
to have an unspecified impact via crafted packets, a related issue
to CVE-2009-4537. (CVE-2009-4538)
The load_elf_binary function in fs/binfmt_elf.c in the Linux kernel
before 2.6.32.8 on the x86_64 platform does not ensure that the
CVE-2009-4536 & CVE-2009-4538
Fabian Yamaguchi reported issues in the e1000 and e1000e drivers
for Intel gigabit network adapters which allow remote users to
bypass packet filters using specially crafted ethernet frames.
CVE-2010-0003
Andi Kleen reported a defect which allows local users to gain read
access to memory reachable by the kernel when the
[vendor product description]
The DI-604 combines the latest advancements in chip technology,
low-cost design and manufacturing with new, feature-rich firewall and
network management controls to give you quite possibly the most
advanced, yet affordable Ethernet router to date.
[Bug Description]
'Ping tools' web interface does not validate the ip textfield size
leading to a Denial Of Service flaw by changing its size and sending
As I read in many white papers about attacks on the Spanning Tree Protocol, I found a MITM attack on two STP switches using one station and two Ethernet NICs.
That attack is in most cases useless because:
- we need physical access to two switches (not one)
- two cards in the station
While two cards are possible, access to two switches in one office (for example) is almost impossible.
My idea for a modification of this attack needs:
- two stations to attack by MITM (A and B)
- two or more switches running STP
- two attacking stations connected to two different switches, in the path between the attacked stations (C and D)
From: xperience@interia.pl [mailto:xperience@interia.pl]
Sent: Tuesday, April 27, 2010 8:55 PM
To: bugtraq@securityfocus.com
Subject: STP mitm attack idea
may lead to a denial of service or privilege escalation. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2009-4537
Fabian Yamaguchi reported a missing check for Ethernet frames larger
than the MTU in the r8169 driver. This may allow users on the local
network to crash a system, resulting in a denial of service.
CVE-2010-0727
possible arbitrary code execution. (CVE-2009-0692)
Christoph Biedl discovered that the DHCP server may terminate when
receiving certain well-formed DHCP requests, provided that the server
configuration mixes host definitions using "dhcp-client-identifier"
and "hardware ethernet". This vulnerability only affects the lenny
versions of dhcp3-server and dhcp3-server-ldap. (CVE-2009-1892)
For the stable distribution (lenny), this problem has been fixed in
version 3.1.1-6+lenny3.
Integer underflow in the e1000_clean_rx_irq function in
drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux
kernel before 2.6.30-rc8, the e1000e driver in the Linux kernel, and
Intel Wired Ethernet (aka e1000) before 7.5.5 allows remote attackers
to cause a denial of service (panic) via a crafted frame size.
(CVE-2009-1385)
Multiple buffer overflows in the cifs subsystem in the Linux kernel
a 32-bit application on a 64-bit kernel. A local attacker could
exploit this to cause a denial of service. (Only affected Ubuntu 6.06
LTS.) (CVE-2009-4271)
It was discovered that the r8169 network driver did not correctly check
the size of Ethernet frames. A remote attacker could send specially
crafted traffic to crash the system, leading to a denial of service.
(CVE-2009-4537)
Wei Yongjun discovered that SCTP did not correctly validate certain
chunks. A remote attacker could send specially crafted traffic to
that allows to share and stream media to hundreds of popular consumer
electronics devices. It is available for Windows, Linux, Macintosh and
for various different architectures.
TwonkyMedia Server is bundled on a variety of CE and NAS devices from
leading manufacturers, including: Buffalo LinkStation, HP Media Vault,
LaCie Ethernet Disk, Philips Streamium music players, Western Digital
Share Space.
2. DESCRIPTION:
TwonkyMedia Server contains multiple Cross-Site Scripting (XSS)
CVE-2009-4536
Fabian Yamaguchi reported an issue in the e1000 driver for Intel
gigabit network adapters which allow remote users to bypass packet
filters using specially crafted ethernet frames.
CVE-2010-0007
Florian Westphal reported a lack of capability checking in the
ebtables netfilter subsystem. If the ebtables module is loaded,
Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide
wireless LAN functions, such as security policies, intrusion
prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP).
This security advisory describes multiple distinct vulnerabilities in
the WLC family of devices.
A vulnerability has been found and corrected in ISC DHCP:
ISC DHCP Server is vulnerable to a denial of service, caused by the
improper handling of DHCP requests. If the host definitions are mixed
using dhcp-client-identifier and hardware ethernet, a remote attacker
could send specially-crafted DHCP requests to cause the server to
stop responding (CVE-2009-1892).
This update provides fixes for this vulnerability.
_______________________________________________________________________
1. The ASMAX 804 gu router is a SOHO class device. It provides ADSL / WiFi / Ethernet interfaces.
2. There is an *unauthenticated* maintenance script (named 'script') in the /cgi-bin/ directory of the web management interface.
3. When the 'system' parameter is passed to the script, it allows running OS shell commands (as root).
4. PoC:
GET request to:
http://192.168.1.1/cgi-bin/script?system%20whoami
A vulnerability in the virtual networking stack of VMware hosted
products could allow host information disclosure.
A guest operating system could send memory from the host vmware-vmx
process to the virtual network adapter and potentially to the
host's physical Ethernet wire.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2010-1138 to this issue.
VMware would like to thank Johann MacDonagh for reporting this
Description
===========
Christoph Biedl discovered that dhcpd does not properly handle certain
DHCP requests when configured both using "dhcp-client-identifier" and
"hardware ethernet".
Impact
======
A remote attacker might send a specially crafted request to dhcpd,
For the old stable distribution (etch), these problems have been fixed
in version 3.0.4-13+etch2.