remote access
Cisco Security Advisory: Remote Access VPN and SIP Vulnerabilities in
Cisco PIX and Cisco ASA
Advisory ID: cisco-sa-20080903-asa
Revision 1.0
+----------------------------------------------------
Because of a Microsoft Windows NT Domain authentication issue the Cisco
ASA and Cisco PIX devices may be susceptible to a VPN authentication
bypass vulnerability. Cisco ASA or Cisco PIX security appliances that
are configured for IPSec or SSL-based remote access VPN using Microsoft
Windows NT Domain authentication may be vulnerable. Devices that are
using any other type of external authentication (that is, LDAP, RADIUS,
TACACS+, SDI, or local database) are not affected by this vulnerability.
The following example demonstrates how Windows NT domain authentication
SEC Consult Vulnerability Lab Security Advisory < 20111012-0 >
=======================================================================
title: Client-side remote file upload & command execution
product: Microsoft Forefront Unified Access Gateway Remote
Access Agent (signed Java applet)
vulnerable version: 4.0.0.1
fixed version:
CVE number: CVE-2011-1969
impact: critical
homepage:
Advisory # 1:
TITLE
OS Command Injection Vulnerability in Aruba Remote Access Point
Diagnostic Web Interface.
SUMMARY
An OS command injection vulnerability has been discovered in the Aruba
BACKGROUND
==========
Dell Remote Access Card 4 (DRAC4) allows customers to effectively manage
servers in remote locations where no administrative IT staff exists. It
provides lights out management with continuous video that provides a
graphical console regardless of the server's state and requires no
operating system services or drivers. Virtual media support provides the
server access to networked CD, floppy, and USB drives for server
VPN Authentication Bypass Vulnerability
+--------------------------------------
Cisco ASA or Cisco PIX security appliances that are configured for IPsec
or SSL-based remote access VPN and have the Override Account Disabled
feature enabled are affected by this vulnerability.
Note: The Override Account Disabled feature was introduced in Cisco
ASA software version 7.1(1). Cisco ASA and PIX software versions 7.1,
7.2, 8.0, and 8.1 are affected by this vulnerability. This feature is
manipulation in vulnerable modules or bound application sections. Exploitation requires low user interaction & a privileged
application account.
Vulnerable Module(s):
[+] Users - [Configure -> Accounts -> Users] - > Remote Access > L2TP / PPTP > Remote Password
[+] Users - [Configure -> Accounts -> Users] - > Mobile IPSEC > Modify & ASCII > Pre-shared Secret
[+] VPN Certificate - Input & Listing
Picture(s):
vulnerability that may cause all IPsec tunnels terminating on
the appliance to be torn down and prevent new tunnels from being
established. The tunnels are not torn down immediately; IPsec traffic
will continue to flow until the next rekey, at which time the rekey
will fail and the tunnels will be torn down. Both site-to-site and
remote access VPN tunnels are affected. The vulnerability is triggered
when the appliance processes a malformed IKE message on port UDP 4500
that traverses an existing IPsec tunnel. The only way to recover and
re-establish IPsec VPN tunnels is to reload the appliance.
When this vulnerability is exploited, the security appliance will
web context manipulation in vulnerable modules or bound application sections. Exploitation requires low or medium user interaction &
a low or medium privileged web application user/manager account.
Vulnerable Module(s):
[+] Users - [Configure -> Accounts -> Users] - > Remote Access > L2TP / PPTP > Remote Password
[+] Users - [Configure -> Accounts -> Users] - > Mobile IPSEC > Modify & ASCII > Pre-shared Secret
[+] VPN Certificate - Input & Listing
Video(s):
None
Severity
Medium
Remote Access
Yes
Local Access
No
Authentication Required
Authorized network access normally required
Exploit publicly available
No
-----------------------------------------------
Release Date:
29-May-2009
Software:
SonicWALL - SSL-VPN Remote Access
http://www.sonicwall.com/
Description:
"SonicWALL SSL VPN appliances provide small and mid-size organizations an
easy-to-use, secure and affordable remote access solution that requires no
CVE-2010-1454: SpringSource tc Server unauthenticated remote access to JMX interface
Severity: Critical
Vendor:
SpringSource, a division of VMware
Versions Affected:
tc Server Runtime 6.0.19.A, 6.0.20.A, 6.0.20.B, 6.0.20.C, 6.0.25.A
Impact
======
Successful exploitation of this vulnerability may prevent some TCP
applications on Cisco IOS Software from accepting any new connections.
Exploitation could also prevent remote access to the affected system
via the vtys. Remote access to the affected device via out-of-band
connectivity to the console port should still be available.
Software Versions and Fixes
===========================
Unauthenticated remote access to D-Link DIR-645 devices
=======================================================
[ADVISORY INFORMATION]
Title: Unauthenticated remote access to D-Link DIR-645 devices
Discovery date: 20/02/2013
Release date: 27/02/2013
Credits: Roberto Paleari (roberto@greyhats.it, twitter: @rpaleari)
[VULNERABILITY INFORMATION]
Symantec SYMTDI.SYS Device Driver Local Denial of Service
Revision History: None
Risk Impact: Low
Remote Access: No
Local Access: Yes
Authentication Required: Yes, to the local system
Exploit available: No
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01367453
Version: 1
HPSBUX02286 SSRT071466 rev.1 - HP-UX Running System Administration Manager (SAM), Unintended Remote Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-07-25
Last Updated: 2008-07-30
Several undocumented operating system user accounts exist on the appliance.
They can be used to gain access to the appliance via the terminal but also
via SSH. (see 2)
These accounts are undocumented and can _not_ be disabled!
2) Remote access via SSH
An SSH daemon runs on the appliance, but network filtering (iptables) is used
to only allow access from whitelisted IP ranges (private and public).
The public ranges include servers run by Barracuda Networks Inc. but also
servers from other, unaffiliated entities - all of whom can access SSH on all
Hard-Coded Credentials in Cisco UVC Products
+-------------------------------------------
The Linux shell contains three hard-coded usernames and passwords.
The passwords cannot be changed, and the accounts cannot be deleted.
Attackers could leverage these accounts to obtain remote access to a
device by using permitted remote access protocols.
This vulnerability only affects Linux-based operating system Cisco
UVC products.
4. Static Passwords for Privileged User Accounts
The secure shell daemon is running by default and the system is configured with static passwords for a number of root-equivalent accounts. It is possible to crack these passwords and gain access to any Accellion system with the secure shell daemon exposed. The scope of our research did not provide time to crack these passwords, but it's just a question of resource allocation. These accounts include "soggycat", "sdadmin", and the "root" user account itself.
5. Remote Access via Stale SSH Authorized Keys
The "soggycat" user account has a static password, as mentioned previously, but also has two SSH keys configured for passwordless login. These keys were generated over eight years ago and should have been changed to reduce the risk of exposure. The comments of these two keys are worrying as well:
[root@fta soggycat]# grep -i comment .ssh2/*.pub
.ssh2/theone.pub:Comment: "i am going to kiiiiiiiiiiiiill you"
Unauthenticated remote access to D-Link DCS cameras
===================================================
[ADVISORY INFORMATION]
Title: Unauthenticated remote access to D-Link DCS cameras
Discovery date: 20/06/2012
Release date: 28/01/2013
Credits: Roberto Paleari (roberto@greyhats.it, twitter: @rpaleari)
[VULNERABILITY INFORMATION]
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 01, 2011
I. BACKGROUND
Cisco's AnyConnect VPN solution provides remote access to customers via
the Web browser. This is accomplished through the use of an ActiveX
control. The control itself is provided by the server upon connecting.
Cisco states that AnyConnect VPN supports all Adaptive Security
Appliance (ASA) models. For more information, visit the following URL.
CSCsc19259 - "All privilege level users can SCP running config"
CVSS Base Score - 6.0
Access Vector - Remote
Access Complexity - Low
Authentication - Required
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
Impact Bias - Normal
vulnerabilities.
Details
=======
The Cisco SSLVPN feature provides remote access to enterprise sites
by users from anywhere on the Internet. The SSLVPN provides users
with secure access to specific enterprise applications, such as
e-mail and web browsing, without requiring them to have VPN client
software installed on their end-user devices.
corporate applications using a technology that everyone understands: a web
browser. Users can have secure access from anywhere they have an Internet
connection, while FirePass ensures that connected computers are fully patched
and protected."
"FirePass provides robust, secure SSL VPN remote access to business
applications from a wide range of client devices, including Apple iPhone and
Windows Mobile devices. Using full-tunnel SSL technology and client access
policies defined by system administrators, remote clients can log on to
corporate business applications under pre-defined access permissions and
client directory control."
-------------------
From [1]:
"Citrix(R) Access Gateway(TM) is a secure application access solution that
provides administrators granular application-level control while
empowering users with remote access from anywhere. It gives IT
administrators a single point to manage access control and limit actions
within sessions based on both user identity and the endpoint device,
providing better application security, data protection, and compliance
management."
Details
=======
Secure shell (SSH) was developed as a secure replacement for the
telnet, ftp, rlogin, rsh, and rcp protocols, which allow for the
remote access of devices. The main difference between SSH and older
protocols is that SSH provides strong authentication, guarantees
confidentiality, and uses encrypted transactions.
The server side of the SSH implementation in Cisco IOS contains
multiple vulnerabilities that allow an unauthenticated user to
Vendor description:
-------------------
The SonicWALL Global VPN Client offers an easy-to-use, easy-to-manage
Virtual Private Network (VPN) solution that provides users at
distributed locations with secure, reliable remote access via broadband,
wireless and dial-up connections.
[source: http://www.sonicwall.com/downloads/Global_VPN_DS_US.pdf]
> can intercept, monitor and change all internet traffic of the modem
> user.
>
> The security flaw deals with the way:
> * account(s) are created
> * default settings for remote access to the modem are set
> * mechanism in which the passwords are protected/displayed to the user
> * the way in which the password(s) are created/set for each modem
>
> Due to the serious nature of the flaw, I would not like to divulge
> more details to this broad list of people I have emailed. I will be more than
Vendor description:
---------------
SonicWALL SSL-VPN solutions can be configured to provide users with
easy-to-use, secure and clientless remote access to a broad range of
resources on the corporate network.
Vulnerability overview:
---------------