@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 47
November 23, 2005

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Windows                     1
    Third Party Windows Apps    6
    HP-UX                       1
    Novell                      1
    Unix                        1
    Cross Platform              6
    Web Application             24
    Network Device              7

********************** Sponsored by SANS Webcasts ***********************

Please join us for the SANS Tool Talk Webcast, "The Security Pager is Sounding - Can You Respond? How to Build an Effective Incident Management Program" Tuesday, November 29 at 1:00 PM EST (1800 UTC/GMT) https://www.sans.org/webcasts/show.php?webcastid=90665

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
HP-UX
Unix
Novell
Cross Platform
Web Application
Network Device

************************** Security Training Update: ********************

"SANS has the answers to real-life problems and can fill in the education gaps that on the job training causes." Carol Templeton, Univ. of Tennessee

SANS 2006 brochures have started arriving in mail boxes. More immersion training tracks than ever before. Plus many new short courses for people who already have mastered their areas of security. A big security tools exposition. And Orlando in February is great.

Details: http://www.sans.org/sans2006/

SANS training at home or at your place of employment or in other cities: www.sans.org

"With SANS training, leading industry professionals share the latest knowledge and practices that work for them - you can not get this information anywhere else!" Douglas K Shamlin, US Navy

"I can not believe how much I learned in 6 days!" Kenny Johnson, US Air Force

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Google Appliance Proxy Stylesheet Remote Code Execution
  • Affected:
    • Google Mini Search Appliance
  • Description: Google sells search appliances that allow customers to apply Google's powerful searching and indexing technologies to their own networks. The web interface module contains a flaw in the processing of the "proxystylesheet" parameter. This parameter is used to specify a custom XSLT stylesheet to apply in the web interface. By specifying a remote URL in the parameter, a user can cause the appliance to read a stylesheet from an untrusted host. A specially-crafted stylesheet can execute arbitrary Java methods on the appliance, including executing trusted system calls and malicious code. It is possible to gain remote administrative access through this flaw, giving complete control of the appliance to the attacker. A Metasploit exploit module has been written for this vulnerability and is widely available.

  • Status: Vendor confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Exploit Code
  • (1) CRITICAL: Microsoft Internet Explorer JavaScript Vulnerability
  • Affected:
    • Internet Explorer versions 5.5 and 6.x
  • Description: Internet Explorer contains a flaw in the handling of the Window() JavaScript function. A user visiting a malicious website that calls this function from a <body onLoad> tag is vulnerable to a denial-of-service attack or to remote code execution. This vulnerability has been known for some time, and documented in CVE-2005-1790. It was initially thought that this vulnerability could only result in the denial-of-service condition, and could not be used for remote code execution. However, it was recently discovered that remote code could be inserted, given the right conditions. A proof-of-concept exploit has been released and is widely available.

  • Status: Vendor confirmed, no patch available.

  • Council Site Actions: Most of the council sites are awaiting a patch and further information from the vendor. One site noted that JavaScript for the Internet zone in IE has been disabled.

  • References:
  • (2) HIGH: Novell NetMail IMAPD Remote Buffer Overflow
  • Affected:
    • Novell NetMail 3.52D and Prior
  • Description: Novell NetMail is an enterprise-grade groupware server that includes IMAP functionality. The IMAP server component contains a flaw in the processing of certain commands supplied by remote users. By passing extremely long arguments to these commands, an attacker can trigger a buffer overflow in the service, and insert malicious code. An attacker must have valid login credentials to exploit this vulnerability.

  • Status: Vendor confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (3) MODERATE: Cisco 7920 Remote Configuration and Information Disclosure
  • Affected:
    • All Cisco 7920 IP Phones
  • Description: The Cisco 7920 IP Phone is a wireless phone handset that provides transparent voice access over an IP network. These phones tend to be widely deployed in enterprise campus environments. The IP phones ship with a hardcoded SNMP read-write community string. Any user that can access the phone via SNMP can read, alter, or erase the configuration stored on the device. This allows for phone number disclosure and denial-of-service conditions, and can affect emergency service numbers. Additionally, the phone contains an unsecured debugging port on UDP port 17185. Any user that can access the phone on this port can immediately access the debugger of the phone's internal operating system. This allows the user to arbitrarily alter the configuration of the phone or create a denial-of-service condition.

  • Status: Vendor confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (4) MODERATE: MailEnable Remote Code Execution
  • Affected:
    • MailEnable version 1.6 and prior
  • Description: MailEnable is an enterprise-level mail server solution providing email access over a variety of protocols. The IMAP server component of MailEnable is vulnerable to a buffer overflow in a number of commands. By specifying an overly-long "mailbox" parameter to certain commands, the buffer overflow is triggered and an attacker can cause a denial-of-service condition or execute malicious code. Note that the attacker must have valid login credentials to exploit this vulnerability.

  • Status: Vendor confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 47, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4669 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.47.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows Plug and Play Denial of Service
  • Description: The Microsoft Windows Plug and Play (PnP) service is used by the operating system. It is prone to a denial of service vulnerability. Sending malformed data to the "upnp_getdevicelist" function of the Plug and Play service causes the system to consume excessive virtual memory and potentially stop responding to all requests. This issue affects various Windows versions. Please check the reference link below for details.
  • Ref: http://www.microsoft.com/technet/security/advisory/911052.mspx

  • 05.47.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FTGate IMAP Server Buffer Overflow
  • Description: FTGate is a family of email server software. It is vulnerable to a remotely exploitable buffer overflow issue in the IMAP server when receiving excessive data on TCP port 143. Floosietek FTGate version 4.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15449/info

  • 05.47.3 - CVE: CVE-2005-3684
  • Platform: Third Party Windows Apps
  • Title: freeFTPd Multiple Buffer Overflow Vulnerabilities
  • Description: freeFTPd is a free FTP/SFTP server for various Microsoft Windows platforms. freeFTPd is prone to multiple buffer overflow vulnerabilities. Sending excessive data to the application will cause the application to crash, denying service to legitimate users. An attacker may also be able to exploit this vulnerability to execute arbitrary code in the context of the service. Code execution would most likely occur with SYSTEM privileges. Versions of the software from 1.0 through 1.0.8 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/154816

  • 05.47.4 - CVE: CAN-2005-3189
  • Platform: Third Party Windows Apps
  • Title: Qualcomm Worldmail Server Directory Traversal
  • Description: Qualcomm Worldmail server is a mail server application. It is prone to a directory traversal vulnerability due to an input validation error in which a malicious user may employ directory traversal strings "../" to exploit this vulnerability. Worldmail server version 3.0 is vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/15488/exploit

  • 05.47.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MailEnable IMAP Mailbox Name Buffer Overflow
  • Description: MailEnable is a commercially available mail server. It is vulnerable to stack-based buffer overflow in multiple IMAP commands. This issue is reported to affect MailEnable Professional versions 1.6 and earlier.
  • Ref: http://www.mailenable.com/hotfix/

  • 05.47.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Magic Winmail Server Multiple Input Validation Issues
  • Description: Magic Winmail Server is an e-mail server. It is prone to multiple input validation issues, including directory traversal and cross-site scripting issues, due to a failure in the application to properly sanitize user-supplied input. An attacker could exploit these issues to steal cookie-based authentication credentials and perform other attacks. Magic Winmail Server version 4.2 (Build 0824) is vulnerable.
  • Ref: http://secunia.com/secunia_research/2005-58/advisory/

  • 05.47.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MailEnable IMAP Command Directory Traversal
  • Description: MailEnable is a mail server. It is prone to a directory traversal vulnerability when processing certain IMAP commands. Specifically, directory traversal characters such as "../" are not sanitized from the mailbox name passed to the "create" and "rename" IMAP commands. MailEnable Professional 1.6 and MailEnable Enterprise Edition 1.1 are reported to be affected.
  • Ref: http://www.securityfocus.com/bid/15494/discuss

  • 05.47.8 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX IKE Exchange Denial of Service
  • Description: HP-UX is affected by a denial of service issue due to security flaws in HP's IPSec implementation. These vulnerabilities may be triggered by malformed IKE traffic. HP-UX versions B.11.23 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/15474/info

  • 05.47.9 - CVE: Not Available
  • Platform: Unix
  • Title: SCO OpenServer Release 5.0.7 Maintenance Pack 4
  • Description: Updates for SCO OpenServer have been released, addressing multiple security issues in Mozilla, zip, libpng, zlib, libtiff, bzip2, openssh, php, perl, gzip, CUPS, wu-ftpd, cdrecord and squid. This maintenance pack is for SCO OpenServer version 5.0.7.
  • Ref: http://www.securityfocus.com/advisories/9730

  • 05.47.10 - CVE: CVE-2005-3314
  • Platform: Novell
  • Title: Novell NetMail IMAP Unspecified Buffer Overflow
  • Description: Novell NetMail is an email and calendaring system that supports standard messaging protocols such as IMAP. It is affected by a buffer overflow issue in an IMAP command. NetMail version 3.52D is affected.
  • Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972665.htm

  • 05.47.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor TCP Acknowledgements Remote Denial of Service
  • Description: Multiple vendors implement RFC 793 (Transmission Control Protocol) in devices and operating systems. Multiple vendors are susceptible to a remote TCP acknowledgement denial of service vulnerability. This issue presents itself when the remote peer forges acknowledgement packets prior to actually receiving packets from the sending host. Please refer to the referenced U. Maryland technical report for further details.
  • Ref: http://www.cs.umd.edu/~capveg/optack/optack-extended.pdf

  • 05.47.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera HTML Form Status Bar Misrepresentation
  • Description: Opera is a Web browser. It is vulnerable to a form status bar misrepresentation issue: when an HTML form's submit element has its "href" or "title" properties set to a legitimate site while the "action" property is set to an attacker-specified site, the status bar shows the legitimate site rather than the real destination. Opera Software Opera Web Browser versions 8.50 and earlier are vulnerable.
  • Ref: http://secunia.com/advisories/17571/

  • 05.47.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: yaSSL Certificate Chain Processing Issue
  • Description: yaSSL (Yet Another SSL) is an open source SSL library. It is vulnerable to an unspecified certificate chain processing issue. yaSSL versions 1.0.5 and earlier are reported to be vulnerable.
  • Ref: http://yassl.com/release.html

  • 05.47.14 - CVE: CVE-2005-3355
  • Platform: Cross Platform
  • Title: GNU gnump3d CGI and Cookie Parameter Directory Traversal
  • Description: GNU gnump3d is a streaming server for MP3 and Ogg Vorbis files that runs on multiple platforms. GNU gnump3d is prone to a directory traversal vulnerability. The vendor has addressed this issue in gnump3d version 2.9.8.
  • Ref: http://www.gnu.org/software/gnump3d/

  • 05.47.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hitachi Groupmax Mail Unspecified Malformed Email Message Denial of Service
  • Description: Hitachi Groupmax is a commercially available collaboration server that includes email functionality. It is prone to an unspecified denial of service vulnerability while processing malformed email. Please visit the reference link for a list of vulnerable versions.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS05-024_e/01-e.html

  • 05.47.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Exponent CMS Multiple Improper File Permissions
  • Description: Exponent Content Management System is a content management application. It is vulnerable to multiple improper file permission issues such as uploaded files that have execute permissions set. Exponent versions 0.96.4 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/417218

  • 05.47.17 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP GEN Unspecified Cross-Site Scripting Vulnerabilities
  • Description: PHP GEN is an automated tool for creating PHP scripts. It is vulnerable to an unspecified cross-site scripting issue due to insufficient sanitization of user-supplied input. PHP GEN versions 1.2 and earlier are vulnerable.
  • Ref: http://www.eyce.be/php_gen/NEWS

  • 05.47.18 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo Open Source Remote File Include
  • Description: Mambo is a web-based content management system written in PHP. It is prone to a remote file include vulnerability due to improper sanitization of user-supplied input. If "register_globals" is off, a remote attacker can supply arbitrary values to multiple "GLOBALS" parameters of the "global.php" script. This permits attackers to specify remotely-hosted script files to be executed in the context of the Web server hosting the vulnerable software. Please visit the reference link for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/bid/15461

  • 05.47.19 - CVE: Not Available
  • Platform: Web Application
  • Title: phpWebThings MSG Parameter SQL Injection
  • Description: phpWebThings is a web portal management application. Insufficient sanitization of the "msg" parameter in the "forum.php" script exposes the application to an SQL injection issue. phpWebThings version 1.4 is affected.
  • Ref: http://www.securityfocus.com/bid/15474/info

  • 05.47.20 - CVE: Not Available
  • Platform: Web Application
  • Title: Unclassified NewsBoard SQL Injection
  • Description: Unclassified NewsBoard is a Web-based message board application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "Datefrom" parameter of the "forum.php" script. Unclassified NewsBoard versions 1.5.3a and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15466

  • 05.47.21 - CVE: Not Available
  • Platform: Web Application
  • Title: Arki-DB Index.PHP SQL Injection
  • Description: Arki-DB is a database driven file upload and download manager. Arki-DB is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "catid" parameter of the "index.php" script before using it in an SQL query. Arki-DB 2.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/15467/exploit

  • 05.47.22 - CVE: Not Available
  • Platform: Web Application
  • Title: Uresk Links Admin Index.PHP Authentication Bypass
  • Description: Uresk Links is a link tracking application. It is prone to an authentication bypass vulnerability due to lack of an authentication mechanism. A remote attacker can directly access the administrative functions of "admin/index.php" without requiring authentication. Uresk Links version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/15469

  • 05.47.23 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Easy Download Edit.PHP Authentication Bypass
  • Description: PHP Easy Download is affected by an authentication bypass issue. A remote attacker can directly access the administrative functions of "admin/edit.php" without requiring authentication. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/15470/info

  • 05.47.24 - CVE: CVE-2005-0513
  • Platform: Web Application
  • Title: Pmachine Pro Email This Entry Mail_autocheck.PHP Remote File Include
  • Description: Email This Entry is an email script written in PHP and is prone to a remote file include vulnerability. Attackers may specify remotely-hosted script files through the "pm_path" parameter of the "mail_autocheck.php" script, which are then executed in the context of the Web server hosting the vulnerable software. PMachine Pro version 2.4 is affected.
  • Ref: http://www.securityfocus.com/bid/15473

  • 05.47.25 - CVE: CVE-2005-1483
  • Platform: Web Application
  • Title: ArticleLive NX Search Module SQL Injection
  • Description: Interspire ArticleLive NX is a Web content management application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "query" parameter of the search module. Interspire ArticleLive NX versions 0.3 and earlier are vulnerable.
  • Ref: http://www.interspire.com/forum/showthread.php?t=6625

  • 05.47.26 - CVE: Not Available
  • Platform: Web Application
  • Title: Revize CMS Query_results.JSP SQL Injection
  • Description: Revize CMS is a Web content management application. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "query" parameter of the "query_results.jsp" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/15481/exploit

  • 05.47.27 - CVE: CVE-2005-3728
  • Platform: Web Application
  • Title: Revize CMS Revize.XML Information Disclosure
  • Description: Revize CMS is a content management application written for the JavaServer technology. It is prone to an information disclosure vulnerability due to a failure in the application to restrict access to sensitive files. An attacker can exploit this vulnerability to retrieve sensitive information from the "revize.xml" file in the "/revize/conf" directory.
  • Ref: http://lostmon.blogspot.com/2005/11/revizer-cms-sql-information-disclosure.html

  • 05.47.28 - CVE: Not Available
  • Platform: Web Application
  • Title: WHM AutoPilot Account Cancellation Access Validation
  • Description: WHM AutoPilot is a commercial script designed to aid in the administration of web-hosting environments. It is susceptible to an account cancellation access validation vulnerability due to a failure of the application to ensure that cancellation requests from users are performed only by authorized users. Versions 2.5.20 and prior are affected by this issue.
  • Ref: http://www.securityfocus.com/bid/15483

  • 05.47.29 - CVE: Not Available
  • Platform: Web Application
  • Title: LiteSpeed ConfMgr.php Cross-Site Scripting
  • Description: LiteSpeed web server is affected by a cross-site scripting issue due to insufficient sanitization of the "m" parameter in the "confMgr.php" script. LiteSpeed web server version 2.1.5 is affected.
  • Ref: http://www.securityfocus.com/bid/15485/info

  • 05.47.30 - CVE: Not Available
  • Platform: Web Application
  • Title: Revize CMS HTTPTranslatorServlet Cross-Site Scripting
  • Description: Revize CMS is a content management application. It is vulnerable to a cross-site scripting issue due to a lack of proper sanitization of user-supplied input to the "redirect" parameter of the "HTTPTranslatorServlet" script.
  • Ref: http://lostmon.blogspot.com/2005/11/revizer-cms-sql-information-disclosure.html

  • 05.47.31 - CVE: CVE-2005-3688
  • Platform: Web Application
  • Title: XMB Forum Member.PHP HTML Injection
  • Description: XMB Forum is a web-based message board application implemented in PHP. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input to the "Your Current Mood" field of the "member.php" script. XMB Forum versions 1.9.2 and 1.9.3 are vulnerable.
  • Ref: http://irannetjob.com/content/view/163/28/

  • 05.47.32 - CVE: Not Available
  • Platform: Web Application
  • Title: VP-ASP Shopping Cart Shopadmin.ASP HTML Injection
  • Description: VP-ASP Shopping Cart is prone to an HTML injection vulnerability due to insufficient sanitization of user-supplied input to the "UserName" parameter of the "shopadmin.asp" script.
  • Ref: http://www.securityfocus.com/bid/15490

  • 05.47.33 - CVE: Not Available
  • Platform: Web Application
  • Title: Hitachi Products Multiple Cross-Site Scripting Vulnerabilities
  • Description: Hitachi Collaboration Schedule and Calendar are web-based applications. They are affected by multiple cross-site scripting issues due to insufficient sanitization of user-supplied data. Multiple versions are affected. Please see the link below for details.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS05-023_e/01-e.html

  • 05.47.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Hitachi Collaboration Schedule Unspecified Denial Of Service
  • Description: Hitachi Collaboration Schedule is a web-based scheduling application. It is vulnerable to a denial of service issue which may be triggered by multiple invalid requests sent to the schedule. Please refer to the link below for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/bid/15500/info

  • 05.47.35 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Fusion Options.php and Viewforum.php SQL Injection
  • Description: PHP-Fusion is a content management system. It is prone to SQL injection vulnerabilities in multiple PHP scripts due to improper sanitization of user-supplied input. The "forum_id" parameter of the "options.php" script and the "new_posts" parameter of the "viewforum.php" script are not properly sanitized before being used in SQL queries. PHP-Fusion versions 6.0.204 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/417174

  • 05.47.36 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPMyFAQ Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHPMyFAQ is an Open Source FAQ manager web-application. PHPMyFAQ is prone to multiple cross-site scripting vulnerabilities in various parameters of the Add Content page. The affected parameters are "username", "usermail", and "thema". PHPMyFAQ versions 1.5.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/417219

  • 05.47.37 - CVE: Not Available
  • Platform: Web Application
  • Title: Almond Classifieds Unauthorized Access
  • Description: Almond Classifieds is Web software for displaying user-supplied classified ads. It is prone to an unauthorized access vulnerability due to improper verification of the password supplied to the "editform".
  • Ref: http://www.securityfocus.com/bid/15505

  • 05.47.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Advanced Poll Popup.PHP Cross-Site Scripting
  • Description: Advanced Poll is affected by a cross-site scripting issue due to insufficient sanitization of the "poll_ident" parameter in the "popup.php" script. Advanced Poll versions 2.0.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/15506

  • 05.47.39 - CVE: Not Available
  • Platform: Web Application
  • Title: SimplePoll Results.PHP SQL Injection
  • Description: SimplePoll is a web-based poll administration application. It is prone to an SQL injection issue due to a failure in the application to properly sanitize user-supplied input to the "pollid" parameter of the "results.php" script before using it in an SQL query. All current versions are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15508/info

  • 05.47.40 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPComasy Index.PHP SQL Injection
  • Description: PHPComasy is a free content management application. It is prone to an SQL injection vulnerability due to a failure in the application to properly sanitize user-supplied input to the "id" parameter of the "index.php" script before using it in an SQL query. PHPComasy versions 0.7.5 and 0.7.4 are affected.
  • Ref: http://pridels.blogspot.com/2005/11/phpcomasy-id-sql-injection.html

  • 05.47.41 - CVE: Not Available
  • Platform: Network Device
  • Title: UTStarcom F1000 VoIP Wi-Fi Phone Multiple Remote Access Vulnerabilities
  • Description: UTStarcom F1000 VoIP Wi-Fi Phone is prone to multiple remote access vulnerabilities. These issues allow remote attackers to gain remote administrative access to affected devices. The first issue is a fixed default SNMP community string vulnerability. The second issue is a default administrative credential vulnerability. The third issue is an unauthenticated remote administrative access vulnerability. UTStarcom F1000 VoIP Wi-Fi Phone with software version s2.0 and firmware version 5.5.1 is affected by these issues.
  • Ref: http://www.securityfocus.com/bid/15476

  • 05.47.42 - CVE: Not Available
  • Platform: Network Device
  • Title: Hitachi WirelessIP5000 Multiple Unauthorized Access Vulnerabilities
  • Description: Hitachi WirelessIP5000 is a Wi-Fi VoIP phone. It is affected by multiple access control issues. An undocumented TCP port (3390) is open, permitting unauthenticated attackers access to the "Unidata Shell" of the phone remotely. The SNMP daemon can be accessed remotely using any credentials. The default configuration of the HTTP server does not require a password. The HTTP daemon default index page discloses privileged information about the device. The device also has a hardcoded password of "0000" when locally accessing the administrative functions. For a list of vulnerable versions, please visit the reference link provided below.
  • Ref: http://www.securityfocus.com/bid/15477/info

  • 05.47.43 - CVE: Not Available
  • Platform: Network Device
  • Title: Zyxel P-2000W v1 VoIP Wi-Fi Phone Information Disclosure
  • Description: The Zyxel P-2000W v1 VoIP Wi-Fi Phone is a hardware device used for voice communications. It is vulnerable to an information disclosure issue through UDP port 9090 which can be exploited by a remote attacker. Zyxel P-2000W v1 VoIP Wi-Fi Phone is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15478/info

  • 05.47.44 - CVE: Not Available
  • Platform: Network Device
  • Title: Nortel Switched Firewall IKE Traffic Multiple Unspecified Vulnerabilities
  • Description: Nortel Switched Firewall is prone to multiple unspecified vulnerabilities in IKEv1. The reported issues include buffer overflows, format strings, and denial of service vulnerabilities. A remote attacker could exploit these issues to completely compromise the affected device.
  • Ref: http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=367651&RenditionID=

  • 05.47.45 - CVE: Not Available
  • Platform: Network Device
  • Title: HP Jetdirect 635n IPv6/IPsec Print Server IKE Exchange Denial Of Service
  • Description: HP Jetdirect 635n IPv6/IPsec Print Server is a print server component for supported HP printers. It is vulnerable to a denial of service issue due to a security flaw in HP's IPsec implementation. A remote attacker could exploit this issue through malformed IKE packets. Versions of HP Jetdirect 635n IPv6/IPsec Print Server (J7961A) earlier than V.31.08 are vulnerable.
  • Ref: http://www.niscc.gov.uk/niscc/docs/re-20051114-01014.pdf?lang=en

  • 05.47.46 - CVE: Not Available
  • Platform: Network Device
  • Title: Senao SI-680H VoIP Wi-Fi Phone VxWorks Remote Debugger Access
  • Description: Senao SI-680H VoIP Wi-Fi Phones provide Voice over IP (VoIP) service over 802.11b wireless networks. The phone listens for connections from a remote VxWorks debugger on UDP port 17185. This could allow a remote attacker to connect to the device and obtain debugging information. Senao SI-680H VoIP Wi-Fi Phones running firmware version 0.3.0839 are prone to this issue.
  • Ref: http://www.securityfocus.com/bid/15475/discuss

  • 05.47.47 - CVE: Not Available
  • Platform: Network Device
  • Title: Check Point Firewall-1 and VPN-1 ISAKMP IKE Unspecified Denial of Service
  • Description: Check Point Firewall-1 and VPN-1 are prone to denial of service attacks. These issues are due to security flaws in the IPsec implementation. The vulnerabilities may be triggered by malformed IKE traffic. Check Point Software VPN-1/Firewall-1 NG with AI R55W and earlier, Check Point Software FireWall-1 GX 3.0 and Check Point Software Express CI R57 are affected.
  • Ref: http://www.securityfocus.com/bid/15479/discuss

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.