Next Page >>
port
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01506861
Version: 4
HPSBUX02351 SSRT080058 rev.4 - HP-UX Running BIND, Remote DNS Cache Poisoning
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01506861
Version: 5
HPSBUX02351 SSRT080058 rev.5 - HP-UX Running BIND, Remote DNS Cache Poisoning
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01506861
Version: 6
HPSBUX02351 SSRT080058 rev.6 - HP-UX Running BIND, Remote DNS Cache Poisoning
XE Software are affected when configured to use any of the following
features within Cisco IOS:
* Airline Product Set (ALPS)
* Serial Tunnel Code (STUN) and Block Serial Tunnel Code (BSTUN)
* Native Client Interface Architecture support (NCIA)
* Data-link switching (DLSw)
* Remote Source-Route Bridging (RSRB)
* Point to Point Tunneling Protocol (PPTP)
* X.25 for Record Boundary Preservation (RBP)
* X.25 over TCP (XOT)
Details
=======
Cisco 10000, uBR10012 and uBR7200 series devices use a UDP-based IPC
channel. This channel uses addresses from the 127.0.0.0/8 range and
UDP port 1975. Cisco 10000, uBR10012 and uBR7200 series devices that
are running an affected version of Cisco IOS will process IPC
messages that are sent to UDP port 1975 from outside of the device.
This behavior may be exploited by an attacker to cause a reload of
the device, linecards, or both, resulting in a DoS condition.
src/remote/server.cpp:
...
3584 case op_connect_request:
3585 aux_request(port, &receive->p_req, sendL);
3586 break;
- -----------/
After calling 'aux_request()' function and executing the 'break'
Vulnerable Products
+------------------
Only Cisco IOS software releases that have IPv6 enabled are affected
by this vulnerability. In order to be vulnerable both support for
IPv6 protocol and IPv4 UDP-based services must be enabled on the
device. The IPv6 is not enabled by default in Cisco IOS software.
To determine the software running on a Cisco IOS product, log in to
the device and issue the show version command to display the system
=======
The Cisco IOS IP Service Level Agreement (IP SLA) feature contains a
denial of service (DoS) vulnerability. The vulnerability is triggered
when malformed UDP packets are sent to a vulnerable device. The
vulnerable UDP port numbers depend on the device configuration.
Default ports are not used for the vulnerable UDP IP SLA operation or
for the UDP responder ports.
Cisco has released free software updates that address this
vulnerability.
affected by this vulnerability. Only devices configured as EZVPN
servers are vulnerable.
To configure the cTCP encapsulation feature for Easy VPN, use the
crypto ctcp command in global configuration mode. You can optionally
specify the port number that the device will listen to with the
crypto ctcp port <port> command. Up to ten numbers can be configured
and the port value can be from 1 through 65535. If the port keyword
is not configured, the default port number is 10000. In the following
example, the Cisco IOS device is configured to listen for cTCP
messages on port 10000.
Vulnerability Scan Denial of Service
+-----------------------------------
Cisco ASA and Cisco PIX devices are affected by a vulnerability
(port) scan denial of service vulnerability if the device is running
software versions prior to 7.2(3)2 on the 7.2.x release or 8.0(2)17
on the 8.0.x release. Cisco ASA and Cisco PIX devices running
software versions 7.0.x, 7.1.x, or 8.1.x are not vulnerable.
Control-plane Access Control List Vulnerability
lead to practical DNS cache poisoning attacks. Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.
This update changes Debian's BIND 9 packages to implement the
recommended countermeasure: UDP query source port randomization. This
change increases the size of the space from which an attacker has to
guess values in a backwards-compatible fashion and makes successful
attacks significantly more difficult.
Note that this security update changes BIND network behavior in a
Dell Remote Access Card 4 (DRAC4) allows customers to effectively manage
servers in remote locations where no administrative IT staff exists. It
provides lights out management with continuous video that provides a
graphical console regardless of the server's state and requires no
operating system services or drivers. Virtual media support provides the
server access to networked CD, floppy, and USB drives for server
installation and updates (origin: Dell USA). The remote management is
possible e.g. via web interface or via the provided integrated SSH daemon
(running at port 22/TCP) based on Mocana SSH.
Dell Remote Access Card 4 (DRAC4) allows customers to effectively manage
servers in remote locations where no administrative IT staff exists. It
provides lights out management with continuous video that provides a
graphical console regardless of the server's state and requires no
operating system services or drivers. Virtual media support provides the
server access to networked CD, floppy, and USB drives for server
installation and updates (origin: Dell USA). The remote management is
possible e.g. via web interface or via the provided integrated SSH daemon
(running at port 22/TCP) based on Mocana SSH.
Folks,
Our document "Recommendations for Transport-Protocol Port
Randomization" has finally been published as RFC 6056.
Its abstract is:
---- cut here ----
During the last few years, awareness has been raised about a number
of "blind" attacks that can be performed against the Transmission
Control Protocol (TCP) and similar protocols. The consequences of
* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service
Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of
Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service
Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service
Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass
> ---- --------------- -------- -----------
> HOSTNAME pwned.example.com yes Hostname to hijack
> NEWADDR 1.3.3.7 yes New address for hostname
> RECONS 208.67.222.222 yes Nameserver used for reconnaissance
> RHOST yes The target address
> SRCPORT yes The target server's source query port (0 for automatic)
> XIDS 10 yes Number of XIDs to try for each query
>
> msf auxiliary(bailiwicked_host) > set RHOST A.B.C.D
> RHOST => A.B.C.D
>
---- --------------- -------- -----------
HOSTNAME pwned.example.com yes Hostname to hijack
NEWADDR 1.3.3.7 yes New address for hostname
RECONS 208.67.222.222 yes Nameserver used for reconnaissance
RHOST yes The target address
SRCPORT yes The target server's source query port (0 for automatic)
XIDS 10 yes Number of XIDs to try for each query
msf auxiliary(bailiwicked_host) > set RHOST A.B.C.D
RHOST => A.B.C.D
"Marcello Barnaba (void)" <vjt@openssl.it> wrote:
> Tried on QuickTime 7.3.10 running on OSX 10.5.1, and the player doesn't
> try to connect to port 80 if 554 is closed.
> ...
> yea i second that i tested on Vista and it doesnt attempt to redirect
> to the port 80 there must be another condition that u have specified
> that allows for redirection
Uhmmm I imagine you are the same Marcello of yesterday, right?
Who else could be?
The Certificate Trust List (CTL) Provider service of Cisco Unified
Communications Manager version 5.x contains a memory consumption
vulnerability that occurs when a series of malformed TCP packets are
received by a vulnerable Cisco Unified Communications Manager system
and may result in a DoS condition. The CTL Provider service listens
by default on TCP port 2444 and is user configurable. The CTL
Provider service is enabled by default. There is a workaround for
this vulnerability. The vulnerability is fixed in Cisco Unified
Communications Manager version 5.1(3). The vulnerability is
documented in Cisco Bug ID CSCsj80609 and has been assigned the
CVE identifier CVE-2008-1742.
The Certificate Trust List (CTL) Provider service of Cisco Unified
Communications Manager version 5.x contains a memory consumption
vulnerability that occurs when a series of malformed TCP packets are
received by a vulnerable Cisco Unified Communications Manager system
and may result in a DoS condition. The CTL Provider service listens
by default on TCP port 2444 and is user configurable. The CTL
Provider service is enabled by default. There is a workaround for
this vulnerability. The vulnerability is fixed in Cisco Unified
Communications Manager version 5.1(3). The vulnerability is
documented in Cisco Bug ID CSCsj80609 and has been assigned the
CVE identifier CVE-2008-1742.
Unified Communications Manager Administration interface. The software
version can also be determined by running the "show version active"
command via the command-line interface.
A SIP trunk must be configured for the Cisco Unified CallManager
server to begin listening for SIP messages on TCP and UDP port 5060
and TCP/5061. However, in Cisco Unified Communications Manager
versions 5.x and later, the use of SIP as a call signaling protocol
is enabled by default and cannot be disabled.
Cisco IOS Software is also affected by this vulnerability, but it is
Cisco ASA 5500 Series Adaptive Security Appliances are affected by
multiple vulnerabilities as follows:
* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service
Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service
Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service
Vulnerability
session-based services providing protocol interworking, security, and
admission control and management. The SBC is a multimedia device that
sits on the border of a network and controls call admission to that
network. A vulnerability exists in the Cisco SBC where an
unauthenticated attacker may cause the Cisco SBC card to reload by
sending crafted TCP packets over port 2000. Repeated exploitation
could result in a sustained DoS condition.
Note: Only the Cisco SBC module reloads after successful
exploitation. The Cisco 7600 series router does not reload and it is
not affected by this vulnerability.
The following Python script is a proof of concept of the
vulnerability, and will crash the Novell iManager instance specified
via command-line arguments:
/-----
#Usage: $ python poc.py <iManager_IP> <iManager_Port>
#E.g: $ python poc.py 192.168.0.1 48080
import socket
import sys
import time
Two crafted packet vulnerabilities exist in the Cisco PIX 500 Series
Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security
Appliance (ASA) that may result in a reload of the device. These
vulnerabilities are triggered during processing of Media Gateway
Control Protocol (MGCP) packets, or during processing of Transport
Layer Security (TLS) traffic that terminates on the PIX or ASA security
appliance.
Note: These vulnerabilities are independent of each other; a device may
be affected by one and not by the other.
Vulnerable Products
+------------------
Cisco devices that are running Cisco IOS Software are vulnerable when
they are configured for NAT and contain support for one or more of
the following features:
* NetMeeting Directory NAT (LDAP on TCP port 389)
* NAT for Session Initiation Protocol (SIP)
* NAT for H.323
The next example shows a product running Cisco IOS Software Release
12.3(11)T3 with an image name of C3845-ADVIPSERVICESK9-M:
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.3(11)T3, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Additional information about Cisco IOS release naming can be found at
http://www.cisco.com/warp/public/620/1.html.
The FTP proxy used in Apple's Airport Express, Airport Extreme, Time Capsule and possibly elsewhere doesn't check the client provided address and port given by the FTP PORT command against the IP address of the connecting client, or against the use of privileged ports. (The FTP PORT command is used by a FTP client to tell an FTP server which address and data port to initiate the data connection on.) The FTP proxy is used to provide assistance to clients operating in NAT environments served by the Apple products. FTP servers running behind a NAT with this assistance can have addresses in the command channel rewritten for them so that external clients can reach them when operating in passive mode. The ALG operates as a proxy server, assuming responsibility for connections to the FTP server, and must therefore also handle and modify rewriting of the PORT command. It looks like it might be ftp-proxy from PF.
The effect of this problem is to allow anybody with access to the FTP port forwarded on the exterior side of an Apple Airport product that offers NAT to internal clients, which for a publicly-accessible FTP server is the big bad world, to induce an FTP server operating behind a NAT to send data to arbitrary addresses and ports. This is true even if the FTP server is configured to operate more securely, since it sees connections from the NAT's exterior interface, not the connecting client. This is useful for bouncing anonymous port scans off the victim NAT, or if data is available or can be written to and then read from the FTP server, potentially for anonymous attacks, spam, news floods, and other such badness. Any trust relationship and/or security implied or assumed by a NAT is also gone, since the PORT command can also specify private addresses, inside the NAT, for victimisation. Best of all, the gateway itself makes no log entry concerning FTP connections that have been run through the proxy.
Workarounds: do not use FTP; do not trigger the use of the ALG (FTP proxy) by explicitly using ports other than 21 on the inbound port mapping. If you can't do those things, you can avoid the worst effects of this attack by disabling FTP uploads that can later be downloaded by anonymous users.
Apple likes to keep secrets for the protection of its customers. Since the reasonable release of this advisory removes that protection, confidential information vouchsafed to me can be safely disclosed with no ill effects. Apple has a fix, and according to its last seemingly automatic template message, they are still testing it and do not know precisely when it will be released. This is confidential information. DO NOT DISCLOSE!
Advisory history:
* HTTP Server DoS
Cisco Unified IP Phone 7935 and 7936 devices running SCCP
firmware contain a DoS vulnerability in their internal HTTP
server. By sending a specially crafted HTTP request to TCP port
80 on a vulnerable phone, it may be possible to cause the phone
to reboot. It is possible to workaround this issue by disabling
the internal HTTP server on vulnerable phones. The internal HTTP
server only listens to TCP port 80. This vulnerability is
corrected in SCCP firmware version 3.2(17) for 7935 devices and
C2800NM-ENTSERVICES-M:
Router#show version
Cisco IOS Software, 2800 Software (C2800NM-ENTSERVICES-M), Version 15.1(2)T,
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Mon 19-Jul-10 16:38 by prod_rel_team
<output truncated>
Next Page>>
|
