Known Issues with Target Devices and Vulnerability Scanning

Abstract
Description of systems that could potentially be adversely affected by scan traffic.

Author
Qualys Technical Support

Copyright
2013 Qualys, Inc. All rights reserved worldwide

Distribution: Status: Revision: Date:

Public Release Final 3 10 March 2013

Qualys, Inc. 1600 Bridge Parkway, Suite 201 Redwood Shores, CA 94065 Telephone: (650) 801-6100 Web: www.qualys.com

Copyright 2013 by Qualys, Inc. All Rights Reserved.

Table of Contents
1 1.1 2 Introduction ......................................................................................................................................... 5 Document Scope..............................................................................................................................................5 Qualified Reports ................................................................................................................................ 6

2.1 Applix TM1 ..................................................................................................................................................... 6 2.1.1 Applix TM1 Service Crash ....................................................................................................................... 6 2.2 Candle Roma ...................................................................................................................................................7 2.2.1 Candle Roma Memory Consumption Denial of Service ...........................................................................7 2.3 Cisco Products ................................................................................................................................................7 2.3.1 Cisco Secure ACS Memory Consumption Denial of Service ...................................................................7 2.3.2 CatOS 5.x, 6.x, 7.x, 8.x, 8.xGLX Denial of Service ..............................................................................8 2.3.3 Cisco CNS Network Registrar Multiple Vulnerabilities ...........................................................................9 2.3.4 Cisco Catalyst 6500 Host Crash .............................................................................................................. 10 2.3.5 Cisco Catalyst 3750X Denial of Service memory leak ........................................................................... 11 2.4 Citrix Secured Gateway Service .................................................................................................................. 11 2.4.1 Secured Gateway Service DOS/Service Crash ...................................................................................... 11 2.5 CODA Financials .......................................................................................................................................... 12 2.5.1 CODA Financials Denial of Service ..................................................................................................... 12 2.6 Computer Associates BrightStor Agent ...................................................................................................... 12 2.6.1 CA BrightStor Agent Denial of Service .................................................................................................. 12 2.7 Dell SAS RAID Storage Manager ............................................................................................................... 13 2.7.1 2.14.1 Dell SAS RAID Storage Manager Service Crash ........................................................................ 13 2.8 Hewlett-Packard Devices ............................................................................................................................. 13 2.8.1 HP LaserJet M2727NF Input-Validation ................................................................................................ 13 2.8.2 HP-UX Portmapper Denial of Service/Kernel Panic .............................................................................. 14 2.8.3 HP-UX Host Crash .................................................................................................................................. 14 2.9 IBM Products ................................................................................................................................................ 14 2.9.1 IBM BuildForge Agent Weakness Host Crash ...................................................................................... 14 2.9.2 IBM Distributed Computing Environment (DCE) Service Crash ........................................................... 15 2.9.3 IBM Lotus Domino Server Mail Loop Denial of Service ....................................................................... 15 2.10 Nortel Passport ............................................................................................................................................. 16 2.10.1 Nortel Passport 8600 Denial of Service .............................................................................................. 16 2.11 Novell NetWare ............................................................................................................................................. 17 2.11.1 NetWare Version 6.5 Abend in XNFS/XNFS.NLM ....................................................................... 17 2.11.2 NetWare Version 6.0 Abend in PKERNEL.NLM .............................................................................. 17 2.11.3 NetWare Version 5.1 Abend in PKERNEL.NLM ........................................................................... 19 2.12 Oracle Cluster Synchronization Services ................................................................................................... 19 2.12.1 Oracle Cluster Synchronization Services Denial of Service ........................................................... 19

Qualys Support

2.13 Oracle COREid Access Server .................................................................................................................... 20 2.13.1 Oracle COREid Access Server CPU Utilization Denial of Service ................................................ 20 2.14 Polycom SoundPoint .................................................................................................................................... 21 2.14.1 Polycom SoundPoint IP 330 SIP Denial of Service ........................................................................ 21 2.15 Sybase Adaptive Server Enterprise (ASE) ................................................................................................. 21 2.15.1 Sybase ASE - CPU Utilization Denial of Service .................................................................................. 21 2.16 TIDAL Agent ................................................................................................................................................ 22 2.16.1 TIDAL Agent Denial of Service ....................................................................................................... 22 3 Unqualified Reports .......................................................................................................................... 23

3.1 Blue Coat Director ........................................................................................................................................ 23 3.1.1 Blue Coat Director Host Crash............................................................................................................... 23 3.2 Brocade Fabric OS ....................................................................................................................................... 23 3.2.1 Brocade Fabric OS Memory Consumption Denial of Service ............................................................ 23 3.3 Cisco 3640 ...................................................................................................................................................... 24 3.3.1 Cisco 3640 Denial of Service ................................................................................................................ 24 3.4 Citrix .............................................................................................................................................................. 25 3.4.1 Citrix Access Gateway ............................................................................................................................... 25 3.5 EMC............................................................................................................................................................... 26 3.5.1 EMC EmailXtender Service Crash ....................................................................................................... 26 3.5.2 EMC Master Agent Service Crash ........................................................................................................ 26 3.6 IBM Remote Supervisor Adapter ............................................................................................................... 27 3.6.1 IBM Remote Supervisor Adapter Service Crash ................................................................................. 27 3.7 NEC projector LT265 .................................................................................................................................. 27 3.7.1 NEC projector LT265 Device becomes unresponsive ............................................................................ 27 3.8 Netopia Caymon 3546 .................................................................................................................................. 28 3.8.1 Netopia Caymon 3546 Host Crash........................................................................................................ 28 3.9 NetScaler ....................................................................................................................................................... 28 3.9.1 NetScaler Load Balancer Host Crash ................................................................................................... 28 3.10 Nortel Switches 4500 and 5500 Series ......................................................................................................... 29 3.10.1 Nortel Switch Host Crash .................................................................................................................. 29 3.11 Oracle Rdb .................................................................................................................................................... 29 3.11.1 Oracle Rdb Denial of Service ........................................................................................................... 29 3.12 Red Hat Enterprise Linux ........................................................................................................................... 30 3.12.1 RHEL Dual NIC Kernel Panic ............................................................................................................ 30 3.13 SAP Netweaver ............................................................................................................................................. 30 3.13.1 SAP Netweaver Service Crash .......................................................................................................... 30 3.14 Sun Applications ........................................................................................................................................... 31 3.14.1 Sun Forte Developer .............................................................................................................................. 31

Qualys Support

3.15 VMWare ESX Server ................................................................................................................................... 31 3.15.1 VMWare ESX Server Service Crash ................................................................................................ 31 3.16 Websense ....................................................................................................................................................... 32 3.16.1 Websense Reporter Service Crash .................................................................................................... 32 3.17 Xerox DC405 Printer ................................................................................................................................... 32 3.17.1 Xerox DC405 Printer Excessive Network Traffic ........................................................................... 32

Qualys Support

1 Introduction
Scanning for security vulnerabilities on your network can cause potential impact to select systems and configurations. Qualys would like to bring to your attention a few known issues on certain target systems. For each issue, there is current information and a resolution when available. If you have any of these systems on your network, be sure to check the vendor references provided for the latest information. For the latest version of this document please visit Qualys Community Help Center at https://community.qualys.com/community/help. Qualys Support makes every effort to keep this document up-to-date, incorporating the latest information from our customers on a regular basis. We encourage our customers to visit the community and contribute to the content of this document.

1.1 Document Scope

The specific scope of this document is to call out those issues Qualys has uncovered which cannot be resolved with an adjustment to the Qualys scanning engine. A high majority of the time, Qualys is able to avoid such issues and hence they would not appear on our list as systemic problems. Accordingly, the scope of this document is not a comprehensive list of all possible issues a customer could face, but rather a list of issues of which Qualys is currently aware. Qualys customers scan millions of hosts each month, and there is a wide variance of the age and maintenance of systems. This naturally means new vulnerabilities are discovered on an ongoing basis. A small percentage of these scans uncover previously unknown vulnerabilities, which are typically triggered by a specific sequence of probes sent from the scanner. Though Qualys may be able to take steps to mitigate the impact, the vulnerability will still exist. As such, a true fix must come from the product vendor. When such issues arise, Qualys Supports express goal is to work closely with you, your internal constituents, and your product vendor to reach resolution. The following is a list of the known issues we are currently aware of. They are split into two categories. Qualified Reports are issues which Qualys has been able to investigate and determine a root cause. Unqualified Reports are issues which Qualys has not had the opportunity to investigate fully, but have been observed and reported by our customers.

Qualys Support

2 Qualified Reports

2.1 Applix TM1

Applix TM1 is a complete application that supports business performance management and operational performance management, including budgeting, forecasting, planning, reporting and analytics.

2.1.1
Issue Date

Applix TM1 Service Crash

Applix TM1 4 Nov 2005 Applix TM1 Server, TM1 Admin Server, and the axnet service by default listen on TCP ports 12345, 5495 and 5492, respectively. A remote user may crash these services by connecting to listening ports and sending specific data. Once crashed, the services must be manually restarted in order to regain their normal functionalities. Applix TM1 version 8.4.3 running on Windows 2003 with Service Pack 1 and on Windows XP with Service Pack 2. Note: We have only tested the above version on the above operating systems. Other Applix TM1 versions for the above and other operating systems may also be affected.

Description

Products affected

Resolution Vendor Reference

The vendor has fixed the issues in the latest builds. The vendor did not provide Qualys with a reference number. Details on obtaining updates to the Applix TM1 product are available on the Applix web site at the following URL: http://www.applix.com/

Qualys Support

2.2 Candle Roma

Candle Roma is a suite of open message-based computing solutions that support the development, connectivity, and integration of e-business applications. 2.2.1
Issue Date Description

Candle Roma Memory Consumption Denial of Service

Candle Roma 12 Dec 2004 Memory consumption in Candle Roma during a scan consumes 100% resources. Specially, the problem occurs in the common CT component code and affects the krusserv.exe and kbxapipe.exe services. This is due to missing packet exception handlers in the Candle application. Candle Roma V3.00 is affected. Candle Roma V3.00 support has ended, and the vendor does not plan to provide any updates/fixes for this version. The problem is fixed in subsequent releases. These releases are not affected: eBP V3.10 (CASP1.0), CASP2.0. Its recommended that you upgrade to the latest release, which is CASP2.0. Please contact IBM/Candle for the latest information by phone at 800-426-7378, or visit the IBM Tivoli support site at this URL: http://www306.ibm.com/software/sysmgmt/products/support/

Products affected Resolution

Vendor Reference

2.3 Cisco Products

2.3.1
Issue Date Description

Cisco Secure ACS Memory Consumption Denial of Service

Cisco Secure ACS 16 Aug 2005 Cisco Secure ACS 4.0 has multiple components listening on different TCP ports. Among these, CSAuth listens on TCP port 2000 and CSLog listens on port 2001. These two components do not release resources allocated for TCP connections already terminated by their clients, resulting in handle and memory leaks.

Qualys Support

Products affected

Cisco Secure ACS 4.0 running on Windows Server 2003 with Service Pack 1. Note: We have only tested the above version on the above operating system. Other Cisco Secure ACS versions or configurations may also be affected.

Resolution Vendor Reference

There is no known fix for this issue. Please visit the Cisco Systems web site for updates to the Cisco Secure ACS product at the following URL: http://www.cisco.com/

2.3.2 CatOS 5.x, 6.x, 7.x, 8.x, 8.xGLX Denial of Service

Issue Date Description Cisco CatOS 19 Jun 2004 Cisco CatOS is susceptible to a TCP-ACK Denial of Service (DoS) attack on the Telnet, HTTP and SSH service. If exploited, the vulnerability causes the Cisco CatOS running device to stop functioning and reload. A TCP-ACK DoS attack is conducted by not sending the regular final ACK required for a 3-way TCP handshake to complete, and instead sending an invalid response to move the connection to an invalid TCP state. This attack can be initiated from a remote spoofed source. This vulnerability is currently known to be exploitable only if you have the Telnet, HTTP or SSH service configured on a device which is running Cisco CatOS. Software affected Products affected Cisco CatOS of the following versions are affected: 5.x, 6.x, 7.x, 8.x and 8.xGLX Cisco Catalyst series switches, based on CatOS, of the following series are affected: 29xx, 4xxx, 45xx, 5xxx, 6xxx Note: Cisco Catalyst series switches that do not use the CatOS are not affected, including but not limited to 1xxx, 3xxx, 8xxx Resolution It is recommended that you upgrade to the one of the following CatOS versions or later, depending on your switch series: 5.5 (20), 6.4 (9), 7.6 (6), 8.2 (2), 8.3 (2)GLX

Qualys Support

Workaround

For tested workarounds to this issue, please reference the Cisco security advisory, available at the following URL: http://www.cisco.com/warp/public/707/cisco-sa20040609-catos.shtml

Vendor Reference

Cisco bug IDs: CSCec42751, CSCed45576, and CSCed48590. Cisco security advisory is posted at the following URL: http://www.cisco.com/warp/public/707/cisco-sa20040609-catos.shtml

2.3.3
Issue Date

Cisco CNS Network Registrar Multiple Vulnerabilities

Cisco CNS Network Registrar 02 Dec 2004 Normally Cisco CNS Network Register will not crash during a scan, but it might happen after Cisco CNS Network Register is manually restarted a few times without rebooting the host. Cisco CNS Network Registrar DNS/DHCP server for Windows server platforms is vulnerable to a denial of service attack when a specific packet sequence is sent to the server. The referenced Cisco Security Advisory reports two vulnerabilities: CSCeg27625 The CNS Network Registrar CCM server may consume almost 100% of CPU when a remote user sends a certain sequence of packets and then ends the session. CSCeg27614 The CNS Network Registrar lock manager process may crash when the system receives an unexpected packet sequence, causing the CCM server to fail.

Description

Products affected

Cisco CNS Network Registrar Versions for Windows NT server and Windows 2000 are affected. For Cisco CSCeg27625, CNS Network Registrar Versions 6.0 through 6.1.1.3 are affected. For Cisco CSCeg27614, all CNS Network Registrar Versions up to and including Version 6.1.1.3 are affected. Vendor has released CNS Network Registrar Version 6.1.1.4 which addresses these issues. Cisco has made free software available to address this vulnerability for all affected customers.

Resolution

Qualys Support

Vendor Reference

Cisco security advisory is available at this URL: http://www.cisco.com/warp/public/707/cisco-sa20041202-cnr.shtml

2.3.4
Issue Date

Cisco Catalyst 6500 Host Crash

Cisco Catalyst 6500 Series switches and routers 07 Oct 2004 Packets sent to the Cisco Catalyst 6500 switch/router on UDP port 500 are not properly handled, leading to memory corruption that sometimes results in crashing the switch/router. Enabling the ISAKMP protocol (UDP port 500) on the switch/router makes it vulnerable to this issue. Cisco IOS 12.1. Its likely that other versions are vulnerable. Cisco Catalyst 6500 Series. Other versions might be vulnerable. Disable ISAKMP (UDP port 500) on the switch/router. To do this, enter no crypto isakmp enable from the config mode. As a workaround, you can disable scanning UDP port 500 in QualysGuard using the profile feature. First create a profile that disables scanning UDP port 500. The easiest method for doing this differs depending on whether the profile will be used for scans, maps or both. Apply the custom profile to each scan or map on demand or scheduled. (See the online help for complete information on profiles.) For scans, the easiest method is to block port 500 in the Advanced options. Select Blocked Resources, Custom port list, and enter 500 in the field provided. For maps, provide custom UDP port lists in the Advanced options and the Map options. In the Advanced options, configure a custom UDP port list used during host discovery. And in the Map options, use the Additional field to enter a custom UDP port list used for information gathering.

Description

Software affected Products affected Resolution

Vendor Reference

Cisco bug ID: CSCef59484. For the latest information, log into your CCO account, and use the BugNavigator tool to find the bug details.

Qualys Support

10

2.3.5
Issue Date

Cisco Catalyst 3750X Denial of Service memory leak

Cisco Catalyst 3750X memory leak 28 March 2012 Cisco IOS Software contains a vulnerability in the Smart Install feature that could allow an unauthenticated, remote attacker to cause a reload of an affected device if the Smart Install feature is enabled. The vulnerability is triggered when an affected device processes a malformed Smart Install message on TCP port 4786. Devices configured as a Smart Install client or director are affected by this vulnerability. Cisco Catalyst switches configured as Smart Install client/director. Refer to Cisco Advisory ID: cisco-sa-20120328smartinstall http://tools.cisco.com/security/center/content/Cisco SecurityAdvisory/cisco-sa-20120328-smartinstall Cisco has released free software updates that address this vulnerability. A workaround may be available in some versions of Cisco IOS Software if the Smart Install feature is not needed.

Description

Software affected Products affected Resolution

Vendor Reference

Advisory ID: cisco-sa-20120328-smartinstall

2.4 Citrix Secured Gateway Service

2.4.1 Secured Gateway Service DOS/Service Crash
Issue Date / Qualys Reference Description Citrix Secured Gateway DOS/service crashes when scanned 28 Jan 2009 / BID 64993 A vulnerability has been identified in Citrix Secured Gateway Service that could result in a denial of service.

Products affected

This vulnerability is present in all versions of Citrix Secured Gateway up to and including version 3.1. Please note that the Citrix Access Gateway appliance is not affected by this vulnerability when configured to act as a Citrix Secure Gateway.

Qualys Support

11

Resolution

Citrix has an update available that addresses this issue: http://support.citrix.com/article/CTX121172

Vendor Reference

For more information and available fixes, please see: http://support.citrix.com/article/CTX121172

2.5 CODA Financials

CODA Financials is a financial management software package. 2.5.1 CODA Financials Denial of Service
Issue Date / Qualys Reference Description Products affected Resolution Vendor Reference CODA Financials Denial of Service vulnerability 17 Apr 2008 / BID 54181 CODA Financials crashes when scanned. CODA Financials v70040418; other versions are possibly affected. Contact CODA support for resolution. N/A

2.6 Computer Associates BrightStor Agent

2.6.1
Issue Date Description

CA BrightStor Agent Denial of Service

CA BrightStor Agent 11 Jan 2006 CA BrightStor's caagentd process listens on TCP port 6051. It is vulnerable to a remote denial of service issue. It can be made unresponsive after a remote user establishes a TCP session to port 6051, sends 7 bytes or less of random data, and terminates the session. Once the process is triggered into a denial of service condition, it has to be manually restarted in order to regain its normal functionality.

Qualys Support

12

Products affected

CA BrightStor version 11.1 running on RedHat 9 with Linux Kernel 2.4.20-8. Note: We have only tested the above version running on the above operating system. Other CA BrightStor versions and configurations may also be affected.

Resolution Vendor Reference

There is no known fix for this issue. Please visit the Computer Associates web site for updates to the BrightStor product at this URL: http://www.ca.com/

2.7 Dell SAS RAID Storage Manager

2.7.1
Issue Date / Qualys Reference Description

2.14.1 Dell SAS RAID Storage Manager Service Crash

Dell SAS RAID Storage Manager (popup.exe) 11 Nov 2007 / BID 48813 A component of the Dell SAS RAID Storage Manager popup.exe crashes when subjected to a simple SYN scan. popup.exe version 1.0016 Other versions may be vulnerable as well. Contact Dell with regards to this issue. Qualys is not aware of the vendors intention to supply a fix for this vulnerability. N/A

Products affected Resolution

Vendor Reference

2.8 Hewlett-Packard Devices

2.8.1
Issue Date / Qualys Reference Description

HP LaserJet M2727NF Input-Validation

HP LaserJet input-validation vulnerability 24 Jun 2008 / BID 56759 It has been reported that the HP LaserJet M2727NF prints out several pages of gibberish when scanned. This seems to be due to a lack of inputvalidation. Anything sent to ports 8888 and 9999 will be printed out.

Qualys Support

13

Products affected Resolution Vendor Reference

HP LaserJet M2727NF multi-function devices; similar devices also likely to be affected. Contact HP support for resolution. N/A

2.8.2
Issue

HP-UX Portmapper Denial of Service/Kernel Panic

HP-UX Portmapper Denial of Service vulnerability 08 Aug 2008 / BID 58709 It has been reported that some versions of the Portmapper service (which typically resides on UDP/111) on HP-UX will crash when UDP probes are sent to it. HP-UX 11.31; other versions are possibly affected. HP suggests to update to version B.11.31.08. HP-UX CRID reference QXR1000886293

Date / Qualys Reference Description

Products affected Resolution Vendor Reference

2.8.3
Issue

HP-UX Host Crash

HP-UX will experience a host crash 21 April 2010 / BID 81388 It has been reported that certain versions of HP-UX below B.11.31.08 may experience a kernel panic during a UDP port scan. Unspecified versions of HP-UX below B.11.31.08. This issue is resolved in HP-UX version B.11.31.08. N/A

Date / Qualys Reference Description

Products affected Resolution Vendor Reference

2.9 IBM Products

2.9.1 IBM BuildForge Agent Weakness Host Crash
Issue Date / Qualys Reference Description IBM BuildForge Agent crashes/exhibits DOS behavior when scanned. 20 Feb 2009 / BID 66088 The agent will continuously spawn infinite-looping threads, spiking the CPU and eventually DOSing / crashing the system.

Qualys Support

14

Products affected Resolution Vendor Reference

BuildForge Agent version 7.0.2 IBM has and update available that address this issue. Refer to Vendor Reference. For more information and available fixes please go to: http://www01.ibm.com/support/docview.wss?uid=swg21303877

2.9.2
Issue

IBM Distributed Computing Environment (DCE) Service Crash

DCED.exe service crash 03 Dec 2007 / BID 49690 IBM's DCE components are installed with various IBM products (e.g., in IBM branded laptops). The DCED.exe service crashes when it receives a particular probe. DCED.exe v.2.2.0.6 Contact IBM support for resolution. N/A

Date / Qualys Reference Description

Products affected Resolution Vendor Reference

2.9.3
Issue Date

IBM Lotus Domino Server Mail Loop Denial of Service

IBM Lotus Domino Mail Server 12 Dec 2004 IBM Lotus Domino Mail Server may bounce messages that are generated by mail relay tests and may generate high load/loops in Domino. Its possible for this condition to cause the Lotus Domino Loop Denial of Service vulnerability. For more information, refer to this SecuriTeam advisory: http://www.securiteam.com/securitynews/5EP0Y005 5Y.html

Description

Products affected

IBM Lotus Domino Server versions 5.0.8 and earlier are affected.

Qualys Support

15

Resolution

Upgrade to Lotus Domino Server version 5.0.9 or greater. Or configure Domino rules to not reply to Qualys mail relay tests and drop them directly. Qualys mail relay tests always use in the source email address the qgmrfrom user and qgmrtest user. The QualysGuard external scanner IP ranges are listed in your QualysGuard account, under Help-> About.

Vendor Reference

Please visit the IBM Lotus support site for the latest information at this URL: http://www306.ibm.com/software/lotus/support/centers.html

2.10 Nortel Passport

2.10.1 Nortel Passport 8600 Denial of Service
Issue Date Description Nortel Passport 8600 DoS 22 Nov 2005 Nortel Passport 8600 switches may be vulnerable to a denial of service issue. This issue can be triggered by starting several concurrent TCP connections to the Nortel Passport web interface (running RapidLogic web server) and sending an HTTP request. Once triggered into a denial of service condition, a switchs CPU usage jumps to 100% and the switch stops functioning. The switch must be power cycled to regain normal functionality. Nortel Passport 8600 switches may be affected as well as other Nortel Passport devices. The Qualys Research and Development Team has made updates to the QualysGuard scanner to avoid scanning Nortel Passports web interface so that this denial of service will not occur when a Nortel Passport 8600 switch is scanned. However, since we are not aware of the scope of the Nortel devices impacted by this issue, there may still be a potential issue when scanning Nortel devices. Nortel case number: Case 051026-32944

Products affected Resolution

Vendor Reference

Qualys Support

16

2.11 Novell NetWare

Novell NetWare has significant security and stability issues with the use of standard packet forms and protocols, which can cause abends. Novell has released patches for these issues, as referenced in this document. There are several issues regarding unpatched versions of Novell NetWare that are published on the Novell website as listed below. NetWare Version 4.1 note: It is a known issue that NetWare V4.1 is vulnerable to port canning. Support recommendation: Install the applicable patches from Novell, which have improved the Novell Netware system stability with regards to scanning. These patches are indicated below.

2.11.1 NetWare Version 6.5 Abend in XNFS/XNFS.NLM

Issue Date Description XNFS.NLM 15 Aug 2003 XNFS.NLM is the NFS Server daemon on NetWare 6.5. The enclosed XNFS.NLM is for use on NetWare 6.5, to prevent a potential abend when Nessus Port Scanner scans a NetWare 6.5 server. NetWare 6.5 http://support.novell.com/cgibin/search/searchtid.cgi?/2966741.htm

NetWare products affected Vendor Reference

Issue Date Description

XNFS 13 Jan 2004 XNFS Abend when accessing invalid ports. Abend in RPCWorker7 Process when Nessus Port Scanner scans a NetWare 6.5 server with invalid ports like: 1234. NetWare 6.5 http://support.novell.com/cgibin/search/searchtid.cgi?/10087844.htm

Novell products affected Vendor Reference

2.11.2 NetWare Version 6.0 Abend in PKERNEL.NLM

Issue Date Description PKERNEL.NLM 14 Nov 2003 Abend in PKERNEL.NLM when the server is scanned with Nessus. Abend in PKERNEL.NLM, when overflow packet is received. EIP in PKERNEL.NLM at code start +00002D12h.

Qualys Support

17

Novell products affected

NetWare 6.0 NetWare 5.1 Novell NFS Services 3.0 Novell Native File Access for UNIX (NFAU) http://support.novell.com/cgibin/search/searchtid.cgi?/10088719.htm

Vendor Reference

Issue Date Description

HTTPSTK.NLM 07 Jul 2003 Abend: EIP in HTTPSTK.NLM at code start +00004CFBh . Performing security scan of NetWare 6 Server causes server to abend in HTTPSTK.NLM. NetWare 6.0 Support Pack 2 NetWare 6.0 Support Pack 3 http://support.novell.com/cgibin/search/searchtid.cgi?/10084780.htm

Novell products affected Vendor Reference

Issue Date Description

HTTPSTK Vulnerability Fix - TID2966181 06 JUN 2003 HTTPSTK.NLM to address an Abend in the Netware HTTP Stack caused by a modified keep-alive packet. The Netware HTTP Stack running on Novell Netware 6 (SP3) server ABENDs (abnormal ends) when it receives a modified keep alive packet request on the same TCP connection, which can result in denial of service. NetWare 6.0 Service Pack 3 http://support.novell.com/cgibin/search/searchtid.cgi?/2966181.htm

Novell products affected Vendor Reference

Issue Date Description

BTCPCOM 11 Jul 2003 BTCPCOM CPU Hog ABEND Fix. There is a possibility of a CPU Hog Timeout ABEND in BTCPCOM.NLM when running a port scanning utility against a NetWare server. NetWare 6.0 NetWare 5.1 http://support.novell.com/cgibin/search/searchtid.cgi?/2966492.htm

Novell products affected Vendor Reference

Qualys Support

18

2.11.3 NetWare Version 5.1 Abend in PKERNEL.NLM

Issue Date Description PKERNEL.NLM 14 Nov 2003 1) Abend in PKERNEL.NLM when the server is scanned with Nessus, a security scanner tool. 2) Abend in PKERNEL.NLM, when overflow packet is received. 3) EIP in PKERNEL.NLM at code start +00002D12h. Novell products affected NetWare 6.0 NetWare 5.1 Novell NFS Services 3.0 Novell Native File Access for UNIX (NFAU) http://support.novell.com/cgibin/search/searchtid.cgi?/10088719.htm

Vendor Reference

Issue Date Description

BTCPCOM 11 Jul 2003 BTCPCOM CPU Hog ABEND Fix. There is a possibility of a CPU Hog Timeout ABEND in BTCPCOM.NLM when running a port scanning utility against a NetWare server. NetWare 6.0 NetWare 5.1 http://support.novell.com/cgibin/search/searchtid.cgi?/2966492.htm

Novell products affected Vendor Reference

2.12 Oracle Cluster Synchronization Services

Oracle Cluster Synchronization Services (OCSSD) is a component of Oracle Cluster Ready Services (CRS), which is included in Oracle10g.

2.12.1 Oracle Cluster Synchronization Services Denial of Service

Issue Date Oracle Cluster Synchronization Services 16 Nov 2005

Qualys Support

19

Description

The OCSSD process listens on a dynamic port. When a remote attacker connects to the OCSSD's listening port and sends 0, 1, 2, or 3 bytes of data before terminating the connection, the OCSSD process fails to free the socket it acquired for the connection. Since there is a limit on the number of file descriptors a process can own, the remote attacker may repeat the above process until OCSSD exhausts the maximum number of file descriptors and stops accepting new connections. Once triggered into this denial of service condition, the OCSSD process must be manually restarted to regain its normal functionality. Oracle Cluster Synchronization Services (OCSSD) in Oracle 10g (versions 10.1.0.4 and 10.1.0.3) running on Windows 2003 and RedHat AS3. Note: We have only tested the above versions on the above operating systems. Other Oracle OCSSD versions for the above and other operating systems may also be affected.

Products affected

Resolution Vendor Reference

There is no known fix for this issue. Please visit the Oracle web site for updates to Oracle's database products at the following URL: http://www.oracle.com/

2.13 Oracle COREid Access Server

Oracle COREid Access and Identity delivers critical functionality for access control, single sign- on, and user profile management.

2.13.1 Oracle COREid Access Server CPU Utilization Denial of Service

Issue Date Description Oracle COREid Access Server 15 Aug 2005 Oracle COREid Access Server listens on TCP port 6021. When a remote user connects to this port, sends specially crafted data, and keeps the connection alive, the COREid Access Server utilizes almost 100% CPU. Oracle COREid Access Server version 6.11.18 running on AIX 5.1. Note: We have only tested the above version on the above operating system. Other Oracle COREid Access Server versions or configurations may also be affected.

Products affected

Qualys Support

20

Resolution Vendor Reference

There is no known fix for this issue. Please visit the Oracle web site for updates to the COREid Access Server product at the following URL: http://www.oracle.com/

2.14 Polycom SoundPoint

The Polycom SoundPoint is a series of VoIP phones.

2.14.1 Polycom SoundPoint IP 330 SIP Denial of Service

Issue Date / Qualys Reference Description Polycom SoundPoint IP 330 SIP Denial of Service 16 July 2008 / BID 57777 The Polycom SoundPoint IP 330 VoIP phone is vulnerable to a Denial-of-Service condition. The device reboots when scanned. Products affected Resolution Vendor Reference Polycom SoundPoint IP 330 SIP; similar devices also likely to be affected. There is no known fix for this issue. N/A

2.15 Sybase Adaptive Server Enterprise (ASE)

Adaptive Server Enterprise (ASE) is Sybase Corporation's (Now SAP AG) flagship enterprise-class relational model database server product. ASE is predominantly used on the Unix platform but is also available for Windows.

2.15.1 Sybase ASE - CPU Utilization Denial of Service

Issue Date / Qualys Reference Description Sybase ASE crash 1 January 2011 / BID 98402 Sybase ASE server crashes due to high CPU utilization. Sybase ASE versions 12.5.3 and 12.5.4 on SunOS Sybase recommends excluding ASE ports from scanning. Sybase CR 635047.

Products affected Resolution Vendor Reference

Qualys Support

21

2.16 TIDAL Agent

TIDAL Agent is enterprise software provided by TIDAL Software, a provider of enterprise management and automation tools for the enterprise.

2.16.1 TIDAL Agent Denial of Service

Issue Date Description TIDAL Agent (Agent.exe, file version 2.0.0.8) 09 Sep 2005 TIDAL Agent is vulnerable to a Denial of Service condition. TIDAL Agents listen on user-configurable TCP ports. By default, the first TIDAL Agent listens on TCP port 5912, the second on TCP port 5913, and so on. When a remote user connects to a TIDAL Agent's listening port, sends a few (e.g. 3) bytes of random data, terminates the connection, and then repeats this process for five additional times, this TIDAL Agent stops responding to any new connection requests. Once triggered into this denial of service condition, it does not seem possible to restart the TIDAL Agent without rebooting the host. Products affected TIDAL Agent (Agent.exe, file version 2.0.0.8) running on Windows 2000 with Service Pack 4. Its likely that other operating systems are affected. TIDAL software is aware of this issue. Please contact TIDAL Software for the latest information and updates: http://www.tidalsoft.com/ Vendor Reference The TIDAL Software reference ID for this issue is SR#26028.

Resolution

Qualys Support

22

3 Unqualified Reports

3.1 Blue Coat Director

Blue Coat Director enables you to centrally manage network policies and devices from a single, easy-to-use Web interface. With Director, IT administrators can automatically deploy hundreds of appliances, monitor and enforce security policies and respond to emergencies with the click of a button. Director also allows you to automatically respond to sudden changes in the network, including disasters and outages, so you can fix them before they impact the end user.

3.1.1 Blue Coat Director Host Crash

Issue Date / Qualys Bug ID Description Blue Coat Director host crash 27 May 2009 / BID 71096 Blue Coat Director server caused the system to crash when scanning. Issue has been isolated to HTTP traffic being sent to the device during a scan. Blue Coat Director versions 4.2.2.2 A mitigation option of placing the director behind a firewall and blocking HTTP traffic. Update to a later version of Blue Coat Director. Vendor Reference N/A

Products affected Resolution

3.2 Brocade Fabric OS

Brocade Fabric OS is operating system firmware that provides core infrastructure for deploying Storage Area Networks (SANS) in enterprise environments. Fabric OS is embedded in Brocade Silkworm switches as well as switches manufactured by third party vendors.

3.2.1 Brocade Fabric OS Memory Consumption Denial of Service

Issue Date Description Brocade Fabric Series 2 and 3 OS firmware 24 May 2004 There are issues with security and management software that polls switches embedded with Brocade Fabric OS. Reportedly, requests are accumulated and not cleaned up properly in the switch memory, and there are a few memory leak issues. The latest firmware resolves these issues.

Qualys Support

23

Products affected

Switches based on Brocade Fabric OS Version 3.0.2f and earlier are affected, such as Brocade Silkworm switches and EMC Connectrix DS-16B2. Some Silkworm V2.x and V3.x switches are affected. Note: Silkworm switches using Fabric OS V4.x are not affected, including SW3900, SW12000, SW24000, SW3250, and SW3850.

Resolution

It is recommended that you upgrade to the latest firmware level, which fixes several memory leak issues. For Silkworm V2.x switches, upgrade to Fabric OS V2.6.2 or later. For Silkworm V3.x switches using Fabric OS V3.x, upgrade to Fabric OS V3.1.2 or later.

Vendor Reference

For more information on this known issue, customers can obtain Release Notes Revision 3.1.2 from the equipment provider.

3.3 Cisco 3640

The Cisco 3640 modular access routers are based on the Cisco 3600 multifunction platform which supports hybrid dial applications, LAN-to-LAN or routing applications, and multiservice applications. The Cisco 3640 router is equipped with four network module slots, allowing integration with over 70 network modules and interfaces.

3.3.1 Cisco 3640 Denial of Service

Issue Date Description Software affected Cisco 3640 router 17 May 2004 Scanning a C class network with more than 30 hosts behind it will bounce the Cisco 3640 router interface. Cisco Internetwork Operation System Software IOS 3600 Software (C3640-IK9S-M), Version 12.2(16f), RELEASE SOFTWARE (fc1) Copyright 1986-2004 by Cisco Systems, Inc.

Qualys Support

24

Products affected

Cisco 3640 (R4700) processor (revision 0x00) with 98304K/32768K bytes of memory. Processor board ID 27612296 R4700 CPU at 100Mhz, Implementation 33, Rev 1.0 Bridging software. X.25 software, Version 3.0.0. SuperLAT software ( 1990 by Meridian Technology Corp). 4 Ethernet/IEEE 802.3 interface(s) 2 FastEthernet/IEEE 802.3 interface(s) 1 Serial network interface(s) DRAM configuration is 64 bits wide with parity disabled. 125K bytes of non-volatile configuration memory. 32768K bytes of processor board System flash (Read/Write) ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) ROM: 3600 Software (C3640-IK9S-M), Version 12.2(16b), RELEASE SOFTWARE (fc1) System image file is "flash:c3640-ik9s-mz.12216f.bin"

Resolution Vendor Reference

Do not scan an entire class C. Scan router by itself. N/A

3.4 Citrix
3.4.1 Citrix Access Gateway
Issue Date / Qualys Reference Description Service Crash 12 Oct 2009 / BID 75820 It has been reported that Citrix Access Gateway Standard Edition 4.5.5 build 45 may crash when being scanned. Qualys has narrowed the cause down to a particular request. ---[code]--GET ftp://89.167.157.104/~<img%20src=test% 20onclick=alert(XSS)> HTTP/1.0\r\n\r\n ---[code]--Citrix Access Gateway Standard Edition 4.5.5 build 45 (others may be affected as well)

Products affected

Qualys Support

25

Resolution

Qualys has implemented a modification to avoid service impact. Qualys is not aware of a vendor fix to this vulnerability. N/A

Vendor Reference

3.5 EMC
3.5.1 EMC EmailXtender Service Crash
Issue Date / Qualys Reference Description Multiple service crash 03 Dec 2007 / BID 49671 Multiple services related to EMC EmailXtender appear to lack robust error handling when accepting data from a remote host. It is possible to crash the following services remotely: exHealthCheck.exe, exQuery.exe, exMail.exe, and exAdmin.exe. EMC EmailXtender 4.8 Patch 266. Other versions may be vulnerable as well. Qualys is unaware of a vendor patch. N/A

Products affected Resolution Vendor Reference

3.5.2
Issue

EMC Master Agent Service Crash

MNRAgent.exe service crash 14 Nov 2007 / BID 49665 MNRAgent.exe the EMC Master Agent crashes when scanned. EMC Master Agent (MNRAgent.exe) version unknown. It has been reported that the newest versions don't crash. Please contact the vendor for further information. N/A

Date / Qualys Reference Description Products affected Resolution

Vendor Reference

Qualys Support

26

3.6 IBM Remote Supervisor Adapter

3.6.1
Issue Date / Qualys Reference Description Products affected Resolution

IBM Remote Supervisor Adapter Service Crash

IBM RSA multiple service crash 08 Feb 2007 / BID 41551 IBM Remote Supervisor Adapters contain web and telnet services that crash when scanned. IBM RSAs version unknown It has been reported that the newest versions don't crash. Please contact the vendor for further information. N/A

Vendor Reference

3.7 NEC projector LT265

3.7.1
Issue Date / Qualys Reference Description

NEC projector LT265 Device becomes unresponsive

NEC projector LT265 series becomes unresponsive scan. 01 Aug 2008 / BID 69533 Device does not respond to remote control, and buttons on front of device also become unresponsive when scanned. NEC projector LT265 series Qualys is unaware of a vendor patch. N/A

Products affected Resolution Vendor Reference

Qualys Support

27

3.8 Netopia Caymon 3546

Netopia Caymon 3546 ADSL Gateway combines an ADSL modem and router with a 10/100Base-TX switch to enable broadband connection for SOHO and small business networks.

3.8.1
Issue Date

Netopia Caymon 3546 Host Crash

Netopia Caymon 3546 host crash 28 Feb 2005 Netopia Caymon 3546 router crashes during a scan. Netopia Caymon 3546 router with firmware 6.4.0.R2. Earlier firmware versions may be affected as well. There will be no further upgrades to Netopia Caymon 3546. Vendor recommends upgrading to Netopia Caymon 3346N router and enabling Stateful Inspection. Read about Stateful Inspection in the 3300 Series User Guide version 7.4, which is available from this URL: http://netopia.com/enus/equipment/tech/doc_center.html

Description Products affected Resolution

Vendor Reference

3.9 NetScaler
NetScaler Application Delivery Systems provide a solution for optimized delivery of applications, while ensuring continuous availability of applications and content.

3.9.1 NetScaler Load Balancer Host Crash

Issue Date Description Products affected NetScaler Load Balancer host crash 10 Jun 2004 NetScaler Load Balancer crashes during a scan. NetScaler Load Balancer versions 5.2.50.8 and earlier as well as versions 6.0.47.6 and earlier are affected. Vendor has addressed this issue in NetScaler versions 5.2.50.9 and 6.0.47.7. If you are running an affected version, upgrade to the latest version. For more information, contact NetScaler Technical Support by phone at 1-866-NETSCALER or via email at support@netscaler.com. N/A

Resolution

Vendor Reference

Qualys Support

28

3.10 Nortel Switches 4500 and 5500 Series

3.10.1 Nortel Switch Host Crash
Issue Date / Qualys Reference Description Products affected Nortel 4500 and 5500 series switches crash when scanned 06 Mar 2009 / BID 66802 Nortel switch device actually reboots when scanned. Nortel 4550T PWR, 5510-48T, 5520-24T-PWR. Other versions may be vulnerable as well.

Resolution

Qualys is unaware of a vendor patch.

Vendor Reference

N/A

3.11 Oracle Rdb

The Oracle Rdb product family includes Oracle Rdb Enterprise Edition, Oracle CODASYL DBMS, Oracle CDD/Repository, Oracle SQL/Services, OCI Services for Oracle Rdb, Oracle Trace for Rdb, Replication Option for Rdb, Oracle Rdb ODBC Driver, and Oracle Rdb JDBC Drivers. For more information, visit http://www.oracle.com/rdb.

3.11.1 Oracle Rdb Denial of Service

Issue Date Description Products affected Unknown DoS condition N/A The Oracle Rdb database server is vulnerable to a Denial of Service condition Oracle Rdb 7.0 and 7.1 running under OpenVMS. Note that this is not the Oracle RDBMS system, but the former DEC Rdb that is affected. This issue has been fixed in Oracle Rdb version 7.2, current version is 7.2.1 N/A

Resolution Vendor Reference

Qualys Support

29

3.12 Red Hat Enterprise Linux

Red Hat Enterprise Linux (RHEL) is a Linux-based operating system developed by Red Hat and targeted toward the commercial market. For more info visit http://www.redhat.com/products/enterprise-linux/server/

3.12.1 RHEL Dual NIC Kernel Panic

Issue Date / Qualys Reference Description Kernel panic causes server reboot 01 Jan 2013 / CRM 717811 The issue is caused by skb_gro_header_slow parameter which unconditionally resets frag0 and frag0_len in the configured network device. However when this skb can't be pulled on, this leaves the GRO fields in an inconsistent state. When NAPI_GRO_CB(skb)->frag0 is dereferenced, the kernel panics with a NULL pointer dereference. Dual NIC Server using RHEL 5.6 kernel 2.6.18238.9.1 and RHEL 5.5 kernel 2.6.18-194.11.4 Customer reported this RHEL Bug 726552 https://bugzilla.redhat.com/show_bug.cgi?format=multipl e&id=726552

Products affected Resolution Vendor Reference

3.13 SAP Netweaver

3.13.1 SAP Netweaver Service Crash
Issue Date / Qualys Reference Description icman service crash 07 Dec 2007 / BID 49878 The Internet Communication Manager (icman) component of SAP Netweaver appears to lack robust error handling when accepting data from a remote host. It is possible to crash the service remotely. SAP NetWeaver 7.0 patch level 94 Other versions may be vulnerable as well. Qualys is unaware of a vendor patch. N/A

Products affected Resolution Vendor Reference

Qualys Support

30

3.14 Sun Applications

3.14.1 Sun Forte Developer
Issue Date / Qualys Reference Description Products affected Resolution Sun Forte Developer service crash 12 Jan 2010 / BID 77546 It has been reported that Sun Forte Developer 5.2.34 may crash during a scan. Sun Forte Developer 5.2.34 (other versions may be affected as well) Qualys is not aware of a vendor solution, however, Sun Forte Developer has deprecated in favor of Sun ONE studio. Please contact the vendor for specific information surrounding Sun ONE. N/A

Vendor Reference

3.15 VMWare ESX Server

3.15.1 VMWare ESX Server Service Crash
Issue Date / Qualys Reference Description Products affected Resolution VMware ESX hostd crash 01 Feb 2008 / BID 51339 The hostd service in VMware ESX server crashes when scanned. VMware ESX Server v.3.01 and 3.02 VMware fixed the 3.01 crash with the release of 3.02. 3.02 is still vulnerable, but a workaround in the QualysGuard scan engine mitigates the crash. N/A

Vendor Reference

Qualys Support

31

3.16 Websense
3.16.1 Websense Reporter Service Crash
Issue Date Description Products affected ExplorerServer.exe service crash 03 Jan 2008 ExplorerServer.exe, the web-server interface to the Websense reporting engine, crashes when scanned. Websense Reporter v.5.5; ExplorerServer.exe v.5.5.0.161 Other versions may be vulnerable as well. Websense has reportedly fixed this vulnerability in a later version. N/A

Resolution Vendor Reference

3.17 Xerox DC405 Printer

3.17.1 Xerox DC405 Printer Excessive Network Traffic
Issue Date / Qualys Reference Description Unknown DoS condition 26 Nov 2007 / BID 49349 Scanning this device may cause it to enter into a partially functional state. In this state, the printer will reportedly continue sending ACKs to the QualysGuard scanner, even after the scan has completed. In maintaining RFC compliance, the QualysGuard scanner will send RST packets for every unsolicited ACK. The net effect may lead to a network level denial of service. Xerox DC405 printers. Other models may be affected as well. Qualys is unaware of a vendor patch. N/A

Products affected Resolution Vendor Reference

Qualys Support

32