Skip to main content

Posts

Showing posts from February, 2016

Oracle Application Testing Suite Directory Traversal Vulnerability

A Directory Traversal Vulnerability was identified in Oracle Enterprise Manager Application Testing Suite. The vulnerability can be exploited over the HTTP protocol. A remote, unauthenticated attacker can exploit this vulnerability to download arbitrary files from the target server. This vulnerability affects the following supported versions: - Oracle Application Testing Suite 12.4.0.2 - Oracle Application Testing Suite 12.5.0.2 The vulnerability has been patched by the vendor, please find the details here . (http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html) This vulnerability is referred by CVE as CVE-2016-0484. It is time to patch you Security Device to prevent this. Have a good time. (Be knowledgeable, pass it on then)

Microsoft NPS RADIUS DoS

Remote Authentication Dial In User Service (RADIUS), a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) services to connect network resources. Attacker can use crafted username which could lead to Denial of Service. To Authenticate and Authorize users, RADIUS server connects to Domain controller. Active Directory is queried for username upon incoming access request message. This involves establishing LDAP connection and passing LDAP query. LDAP filter tests the username for predefined special characters and normalize them except NUL character. If username string starts with NUL character it causes Active Directory Domain Controller server to return an error value. Multiple invalid requests cause RADIUS server to disassociated from Active Directory Domain controller. Causing Denial of further requests. So if you aware on this and haven't patch you IPS signature yet? Please update it quickly to prevent your network.