|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 4216 CVE : CVE-2008-2441 CWE : CWE-399 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Victim interaction required : No Exploit Available : No Credit : Laurent Butti Published : 06.09.2008
Advisory Content : Title: ------ * Cisco Secure ACS does not correctly parse the length of EAP-Response packets which allows remote attackers to cause a denial of service and possibly execute arbitrary code Summary: -------- * A remote attacker (acting as a RADIUS client) could send a specially crafted EAP Response packet against a Cisco Secure ACS server in such a way as to cause the CSRadius service to crash (reliable). This bug may be triggered if the length field of an EAP-Response packet has a certain big value, greater than the real packet length. Any EAP-Response can trigger this bug: EAP-Response/Identity, EAP-Response/MD5, EAP-Response/TLS... Affected Products: ------------------ * All versions of Cisco Secure ACS that support EAP, to be more precise, check the Cisco Advisory cisco-sr-20080903-csacs Assigned CVE: ------------- * CVE-2008-2441 Details: -------- * An EAP packet is as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Identity... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * For example, the following packet will trigger the vulnerability and crash CSRadius.exe: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 2 | 0 | 0xdddd | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1 | abcd +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Attack Impact: -------------- * Denial-of-service and possibly remote arbitrary code execution Attack Vector: -------------- * Have access as a RADIUS client (knowing or guessing the RADIUS shared secret) or from an unauthenticated wireless device if the access point relays malformed EAP frames Timeline: --------- * 2008-05-05 - Vulnerability reported to Cisco * 2008-05-05 - Cisco acknowledged the notification * 2008-05-05 - PoC sent to Cisco * 2008-05-13 - Cisco confirmed the issue * 2008-09-03 - Coordinated public release of advisory Credits: -------- * This vulnerability was discovered by Gabriel Campana and Laurent Butti from France Telecom / Orange References : http://www.securityfocus.com/archive/1/archive/1/495937/100/0/threaded  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |