3com Inc

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Actelis Networks

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alcatel-Lucent

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Allied Telesis

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alvarion

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

amx

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Aperto Networks

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Inc.

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ARRIS

Notified:  June 18, 2010 Updated: January 20, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The following products have been reported to be affected: ARRIS C3™ Cable Modem Termination System Firmware Release <=4.4.4.13

Avaya, Inc.

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Broadcom

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Brocade

Notified:  August 03, 2010 Updated: August 03, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Canon

Notified:  June 18, 2010 Updated: August 17, 2010

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ceragon Networks Inc

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cisco Systems, Inc.

Notified:  June 14, 2010 Updated: June 23, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.cisco.com/warp/public/707/cisco-sa-20051116-7920.shtml

Dell Computer Corporation, Inc.

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Digicom

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

D-Link Systems, Inc.

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DrayTek Corporation

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Enablence

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Enterasys Networks

Notified:  June 18, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Epson America, Inc.

Notified:  June 18, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ericsson

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fluke Networks

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Foundry Networks, Inc.

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gilat Network Systems

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Guangzhou Gaoke Communications

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Huawei Technoligies

Notified:  June 18, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel Corporation

Notified:  July 02, 2010 Updated: July 27, 2010

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IWATSU Voice Networks

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Keda Communications

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Knovative Inc

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lenovo

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lutron Electronics

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Maipu Communication Technology

Notified:  June 29, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mitel Networks, Inc.

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Motorola, Inc.

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Netgear, Inc.

Notified:  June 18, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia

Notified:  June 18, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nortel Networks, Inc.

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Polycom

Notified:  June 14, 2010 Updated: December 07, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The release notes for SoundPoint IP/SoundStation IP SIP software states that version 3.1.2 has closed the debug port. "47450: Port 17185 is open, presenting a security risk" http://downloads.polycom.com/voice/voip/relnotes/spip_ssip_v3_1_6_Legacy_release_notes.pdf

Proxim, Inc.

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Rad Vision, Inc.

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ricoh Company Ltd.

Notified:  June 14, 2010 Updated: August 06, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Rockwell Automation

Notified:  June 15, 2010 Updated: July 30, 2010

Statement Date:   June 29, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Rockwell Automation 1756-ENBT series A running firmware versions 3.2.6 and 3.6.1 are vulnerable. Please see Rockwell Automation Technote 69735 for more information.

Vendor References

http://rockwellautomation.custhelp.com/cgi-bin/rockwellautomation.cfg/php/enduser/std_adp.php?p_faqid=69735

Schneider Electric

Updated:  January 18, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

The Modicon M340 with firmware version 2.5 was reported to run VxWorks 6.4 and have the debug port enabled.

SFR

Updated:  September 01, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

newsoft reports that the SFR (formerly Neuf Cegetel and Neuf Telecom) Trio3C has the debug service enabled.

Shoretel Communications, Inc.

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Siemens

Notified:  June 14, 2010 Updated: April 29, 2011

Status

  Affected

Vendor Statement

Security Advisory Report - OBSO-1010-01 Enabled VxWorks debug service Creation Date: 2010-10-15 Last Update: 2010-10-15 Summary A security researcher has identified a large number of products based on the VxWorks platform provided by Wind River Systems with a debug service enabled by default at port 17185/udp. Vulnerability Details The debug service provides full access to the memory of an affected device and allows for memory to be written as well as functions to be called. Of the various products based on VxWorks, the following are not affected by this vulnerability: HiPath Wireless Convergence, RG 8700, optiPoint 410/420 SIP and HFA (V5). Affected Products HiPath 3000 (HG 1500 Gateway) HiPath 4000 (HG 35xx Gateway) optiPoint 410/420 HFA, versions before V5 optiPoint 600 office Recommended Actions In general, it is recommended not to attach the mentioned systems directly at the internet. Appropriate firewall rules should be implemented to restrict access to the debug service (17185/udp). The problem is solved in the following versions; an update to these or higher versions is highly recommended: HiPath 3000 V8: V8 R5.2.0 HiPath 4000 V4: V4 R4.1.12 HiPath 4000 V5: V5 R1.2.4 Please note: HiPath 3000 V7: You need to upgrade the HG 1500 gateway only. Please use V8 R5.2.0 for this. You may keep the system itself in V7. HiPath 3000 V6 and earlier have reached end of SW support; please consider an upgrade to V7 or V8 HiPath 4000 V3 and earlier have reached end of SW support; please consider an upgrade to V4 or higher. Some older, unsupported versions of optiPoint 410/420 HFA IP phones are also vulnerable. Please ensure, that V5 is installed on all phones. optiPoint 600 office has reached end of life since a few years already; an update is unfortunately not available References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2965 http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html http://www.kb.cert.org/vuls/id/362332 Revision History 2010-10-15 Initial release Contact and Disclaimer OpenScale Baseline Security Office obso@siemens-enterprise.com © Siemens Enterprise Communications GmbH & Co KG 2010 Siemens Enterprise Communications GmbH & Co. KG is a Trademark Licensee of Siemens AG The information provided in this document is subject to change without notice. Siemens Enterpise Communications GmbH & Co KG (SEN) assumes no responsibility for any errors that may appear in this document, and it does not affect your current support agreements with SEN. Any trademarks referenced in this document are the property of their respective owners. ---End Vendor Statement-------------------------------------------------------------------

Vendor Information

The vendor provided the above advisory information for their affected products.

SMC Networks, Inc.

Notified:  June 18, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

TRENDnet

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Tut Systems, Inc.

Notified:  June 18, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  June 14, 2010 Updated: August 02, 2010

Status

  Affected

Vendor Statement

Wind River has analyzed VU#362332, and determined that all versions of VxWorks could be vulnerable if the WDB agent is left enabled in production systems and the system is network attached. VxWorks has a very strong track record of offering secure products and Wind River is committed to active threat monitoring, rapid assessment, threat prioritization, expedited remediation, response and proactive customer contact. Customers are encouraged to follow the remediation actions outlined in the SOLUTION section of the vulnerability post. Registered users can access Wind River's online support for more information by following this link: https://support.windriver.com/olsPortal/faces/maintenance/downloadDetails.jspx?contentId=033708 Or contact Wind River technical support for more information: http://windriver.com/support/

Vendor Information

Within the VxWorks Kernel programmers guide it states: “For production systems, you will want to reconfigure VxWorks with only those components needed for deployed operation, and to build it as the appropriate type of system image. You will likely want to remove components required for host development support, such as the WDB target agent and debugging components (INCLUDE_WDB and INCLUDE_DEBUG), as well as to remove any other operating system components not required to support your application. Other considerations may include reducing the memory requirements of the system, speeding up boot time, and security issues.”

Xerox

Notified:  June 14, 2010 Updated: July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.