A denial of service (DoS) vulnerability exists in JBoss Remoting due to the way RemoteMessageChannel, introduced in version 3.3.10.Final-redhat-1, reads from an empty buffer. An unauthenticated, remote attacker can exploit this issue, via a specially crafted message, to cause the JBoss Remoting service running in an infinite loop resulting in high CPU usage.

The Palo Alto Networks PAN-OS running on the remote host is affected by a NULL pointer dereference flaw in the web management interface, specifically in the parseRange() function within file rx.c, when handling HTTP requests involving a Range header with an empty value.
An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause the Appweb process for the management interface to terminate, resulting in a denial of service condition.

Note that PAN-OS is reportedly affected by other vulnerabilities as well; however, Nessus has not tested for these.

The Palo Alto Networks PAN-OS running on the remote host is affected by a denial of service vulnerability in the API hosted on the management interface, specifically in the panUserLogin() function within panmodule.so, due to improper validation of user-supplied input to the 'username' and 'password' parameters. An unauthenticated, remote attacker can exploit this, via a crafted request, to cause the process to terminate.

Note that PAN-OS is reportedly affected by other vulnerabilities as well; however, Nessus has not tested for these.

The remote libssh server contains a double-free memory flaw in the ssh_packet_kexinit() function in kex.c. A remote attacker, with a specially crafted SSH_MSG_KEXINIT packet, can cause a denial of service.

The remote web application appears to use Struts, a web application framework. The version of Struts in use contains a flaw that allows the manipulation of the ClassLoader via the 'class' parameter of an ActionForm object that results a denial of service.

Note that this vulnerability may be exploited to execute arbitrary remote code in certain application servers with specific configurations; however, Nessus has not tested for this issue.

Additionally, note that this plugin will only report the first vulnerable instance of a Struts application.

The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. The version of Struts 2 in use is affected by a security bypass vulnerability, possibly due to an incomplete fix for ClassLoader manipulation implemented in version 2.3.16.1.

Note that this plugin will only report the first vulnerable instance of a Struts 2 application.

According to its version number, the Splunk Enterprise hosted on the remote web server may be affected by a denial of service vulnerability that is triggered by malformed network input, resulting in the Splunk server becoming unavailable.

Note that this only affects Splunk Enterprise 6.0 components configured as data 'receivers' on the listening or receiving port(s), and it impacts Splunk Enterprise instances configured as indexers as well as any forwarders configured as intermediate forwarders.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its banner, a version of OpenSSH earlier than version 6.2 is listening on this port.  The default configuration of OpenSSH installs before 6.2 could allow a remote attacker to bypass the LoginGraceTime and MaxStartups thresholds by periodically making a large number of new TCP connections and thereby prevent legitimate users from gaining access to the service. 

Note that this plugin has not tried to exploit the issue or detect whether the remote service uses a vulnerable configuration.  Instead, it has simply checked the version of OpenSSH running on the remote host.

According to the version in its SIP banner, the installed version of Ekiga on the remote host is earlier than 4.0.1 and thus contains a version of the ptlib library that fails to conduct proper length checks during XML expansion.  A remote, unauthenticated attacker could exploit this issue to consume extreme amounts of CPU and memory through the use of a specially crafted XML document.

According to the version in its SIP banner, the version of Ekiga running on the remote host is potentially affected by a vulnerability that could allow a remote, unauthenticated attacker to cause a denial of service via invalid UTF-8 characters in the remote user's connection data.

According to the version in its SIP banner, the version of Asterisk running on the remote host can be crashed remotely by an authenticated user when parsing an invalid SIP URI.

According to its banner, the version of OpenSSH running on the remote host is prior to version 5.9. Such versions are affected by multiple denial of service vulnerabilities :

  - A denial of service vulnerability exists in the     gss-serv.c 'ssh_gssapi_parse_ename' function.  A remote     attacker may be able to trigger this vulnerability if     gssapi-with-mic is enabled to create a denial of service     condition via a large value in a certain length field.
    (CVE-2011-5000)

  - On FreeBSD, NetBSD, OpenBSD, and other products, a     remote, authenticated attacker could exploit the     remote_glob() and process_put() functions to cause a     denial of service (CPU and memory consumption).
    (CVE-2010-4755)

According to its banner, the version of OpenSSH running on the remote host is ealier than 3.6.1p2.  When compiled for the AIX operating system with a compiler other than that of the native AIX compiler, an error exists that can allow dynamic libraries in the current directory to be loaded before dynamic libraries in the system paths.  This behavior can allow local users to escalate privileges by creating, loading and executing their own malicious replacement libraries.

According to its banner, the version of OpenSSH running on the remote host is affected by a remote denial of service vulnerability. When used with OpenPAM, OpenSSH does not properly handle when a forked child process ends during PAM authentication. This could allow a remote attacker to cause a denial of service by connecting several times to the SSH server, waiting for the password prompt and then disconnecting.

According to the version in its SIP banner, the version of Asterisk running on the remote host is potentially affected by multiple denial of service vulnerabilities :

  - If a remote user sends a SIP packet with a NULL,     Asterisk reads data past the NULL even though the     buffer is actually truncated when copied, which     could lead to an application crash. (AST-2011-008)

  - A remote user sending a SIP packet containing a Contact     header with a missing left angle bracket causes Asterisk     to access a NULL pointer, which could cause the     application to crash. (AST-2011-009)

  - A memory address can be inadvertently transmitted over     the network via IAX2 via an option control frame, which     would cause the remote party to try to access it.
    (AST-2011-010)

According to the version in its SIP banner, the version of Asterisk running on the remote host is 1.8.x prior to 1.8.4.2. It, therefore, could be affected by a denial of service vulnerability.

If a remote attacker initiates a SIP call and the recipient picks up, the remote user can reply with a malformed Contact header that will cause Asterisk to crash.

According to the version in its SIP banner, the version of Asterisk running on the remote host may be affected by multiple denial of service vulnerabilities :

  - On systems that have the Asterisk Manager interface,     Skinny, SIP over TCP, or the built-in HTTP server     enabled, it is possible for an attacker to open an     unlimited number of connections to Asterisk, which would     cause Asterisk to run out of available file descriptors     and stop processing any new calls. (AST-2011-005)

  - It is possible to bypass a security check and execute     shell commands when they should not have that ability.
    Note that only users with the 'system' privilege should     be able to do this. (AST-2011-006)

According to the version in its SIP banner, the version of Asterisk running on the remote host may be affected by multiple denial of service vulnerabilities :

  - A resource exhaustion issue exists in the Asterisk     manager interface.

  - A NULL pointer dereference issue exists in the     TCP/TLS server.

The version of memcached on the remote host has a denial of service vulnerability.  When processing a client request, the service continually reads in new data, reallocating its input buffer until a newline character is received.  This could result in excessive memory consumption.

A remote attacker could exploit this to crash memcached.

The remote host is running eDirectory, a directory service software from Novell. 

The installed version of eDirectory is affected by a denial of service issue. By sending a search request with an undefined BaseDN, it may be possible for an attacker to make the directory server unresponsive.

The version of Asterisk running on the remote host appears to be using an older implementation of the IAX2 protocol that does not support call token validation.  Due to a design flaw in the protocol, a remote attacker could send a large number of messages, exhausting all available call numbers in the process.  This would result in a denial of service to legitimate users.

The remote host is running the Sun Java System Directory Server, an LDAP server from Sun Microsystems.  

The installed version is older than 6.3.1, and the proxy server included with such versions is reportedly affected by a denial of service vulnerability.  By sending a specially crafted request to the JDBC backend through the proxy server, an unauthenticated, remote attacker may be able to trigger a denial of service condition.

The IMAP server bundled with the version of MailEnable installed on the remote host reportedly may crash under load when there are multiple connections to the same folders.

The version of Asterisk running on the remote host consumes an IAX2 call number while waiting for an ACK packet in response to a PONG packet.  By flooding the affected service with POKE requests, an unauthenticated, remote attacker can leverage this issue to exhaust all available call numbers and prevent legitimate IAX2 calls from getting through.

The firmware download protocol implemented in the version of Asterisk running on the remote host does not initiate a handshake.  By spoofing an IAX2 FWDOWNL request, an unauthenticated, remote attacker may be able to leverage this issue to flood a third-party host with unwanted firmware packets from the affected host.

The version of Asterisk running on the remote host does not properly validate an IAX2 handshake.  By spoofing NEW and ACK messages, an unauthenticated, remote attacker may be able to leverage this issue to flood a third-party host with packets from the affected host containing audio data.

The remote host is running eDirectory, a directory service software from Novell. 

The installed version of eDirectory is affected by a denial of service issue. By sending an HTTP request with a specially crafted 'Connection' header to the server, an unauthenticated attacker may be able to trigger a denial of service condition causing dhost.exe to consume 100% of the CPU and crash the system.

Veritas Storage Foundation, a storage management solution from Symantec is installed on the remote host.

The installed version is reportedly affected by a denial of service vulnerability. By sending specially crafted IP packets to TCP port 4888, an unauthenticated attacker may be able to cause a denial of service condition and crash the scheduler service.

In addition the Administration service may also be affected by a heap overflow vulnerability.

The remote host is running Openfire / Wildfire, an instant messaging server supporting the XMPP protocol.

According to its version, the installation of Openfire or Wildfire on the remote host suffers from a denial of service vulnerability that could bring the server down because it has no limit on a client session's send buffer and can not handle clients that fail to read messages.

The remote host appears to be running a version of Solaris 10 that contains a vulnerability in its ICMP handling process that can be leveraged by an unauthenticated remote attacker to panic the affected host.

The version of Lotus Domino on the remote host appears to be older than 7.0.2 FP3.  According to IBM, such versions are potentially affected by an unspecified denial of service issue (SPR #WRAY6WHTCC).

The remote host appears to be running Rendezvous, a commercial messaging software product used for building distributed applications

According to its banner, Rendezvous' rvd daemon fails to properly validate input in incoming packets before using it to allocate memory. By sending a specially crafted packet with a length field of 0, an unauthenticated, remote attacker may be able to leak memory and eventually exhaust memory on the affected system.

There is a flaw in the SCTP code included in Linux kernel versions before 2.6.21.4 that results in a kernel panic when an SCTP packet with an unknown chunk type is received. An attacker can leverage this flaw to crash the remote host with a single, possibly forged, packet.

The remote host is running a version a F-Secure Policy Manager Server that is vulnerable to a denial of service. 

A malicious user can forge a request to query a MS-DOS device name through the 'fsmsh.dll' CGI module, which will prevent legitimate users from accessing the service using the Manager Console.

The remote host is running Kerio MailServer, a commercial mail server available for Windows, Linux, and Mac OS X platforms. 

According to its banner, the LDAP service associated with the installed version of Kerio MailServer terminates abnormally when it receives certain malformed LDAP search requests.  An unauthenticated, remote attacker can exploit this issue to deny access to legitimate users.

The remote host appears to be running OpenLDAP, an open source LDAP directory implementation. 

The version of OpenLDAP installed on the remote host fails to handle malformed SASL bind requests.  An unauthenticated attacker can leverage this issue to crash the LDAP server on the affected host.

The ISC DHCP server running on the remote host is affected by a denial of service vulnerability in the supersede_lease() function within file memory.c due to improper handling of DHCPDISCOVER packets that have a client-identifier option that is exactly 32 bytes long. An unauthenticated, remote attacker can exploit this to cause the server to exit unexpectedly.

There is a flaw in the SCTP code included in Linux kernel versions 2.6.16.x that results in a kernel panic when an SCTP packet with an unexpected ECNE chunk is received in a CLOSED state. An attacker can leverage this flaw to crash the remote host with a single, possibly forged, packet.

There is a flaw in the Linux kernel on the remote host that causes a kernel panic when it receives an SCTP packet with a chunk data packet of length 0. An attacker can leverage this flaw to crash the remote host. Additionally, other types of crafted packets can cause a remote denial of service in various SCTP related functions.

Note that successful exploitation of this issue requires that the kernel support SCTP protocol connection tracking.

The remote host is running jabberd, an open source messaging system based on the Jabber protocol. 

The version of jabberd installed on the remote host suffers a segfault when a client sends a SASL 'response' stanza before a SASL 'auth' stanza.  An unauthenticated, remote attacker can leverage this flaw to crash the application's c2s component, thereby denying service to legitimate users.

The remote host is running Kerio MailServer, a commercial mail server available for Windows, Linux, and Mac OS X platforms. 

The installed version of Kerio MailServer terminates abnormally when it receives certain malformed IMAP LOGIN commands.  An unauthenticated, remote attacker can exploit this issue to deny access to legitimate users. 

Note that the application may not terminate immediately but only after an administrator acknowledges a console message.

The remote host is running Dropbear, a small, open source SSH server.

The version of Dropbear installed on the remote host, by default, has a limit of 30 connections in the authorization-pending state; subsequent connections are closed immediately. This issue can be exploited trivially by an unauthenticated attacker to deny service to legitimate users.

The NFS server on the remote host appears to be one from FreeBSD that causes a kernel panic when it receives a malformed NFS mount request via TCP. An unauthenticated remote attacker can leverage this flaw to crash the remote host.

A malicious user can cause a denial of service by sending malformed SRP packets to the BlackBerry Router on port 3101. 

Note that successful exploitation of this issue by a remote attacker is reportedly possible only through manipulation of DNS queries.

The remote host appears to be running IBM Tivoli Directory Server, an LDAP directory from IBM. 

The version of IBM Tivoli Directory Server fails to handle certain malformed search requests.  A user can leverage this issue to crash the LDAP server.

The LDAP server on the remote host appears to have crashed after being sent a malformed request.  The specific request used is known to crash the LDAP server in Lotus Domino 7.0.  By leveraging this flaw, an attacker may be able to deny service to legitimate users.

The remote host appears to be running Sun ONE Directory Server, an LDAP directory from Sun. 

The version of Sun ONE Directory Server fails to handle certain malformed search requests.  A user can leverage this issue to crash not just the LDAP server but also the entire application on the remote host.

The remote version of CA Message Queuing Service is vulnerable to two flaws that could lead to a denial of service :

  - Improper handling of specially crafted TCP packets on     port 4105 (CVE-2006-0529)

  - Failure to handle spoofed UDP CAM requests     (CVE-2006-0530)

The version of the Network Block Device (NBD) server installed on the remote host does not properly check the size of read requests before filling a dynamically-allocated buffer.  Using a specially crafted read request, an attacker can overwrite this buffer, which could crash the affected server or allow for the execution of arbitrary code.

The remote host appears to be using Flash Media Server.

The version of Flash Media Server installed on the remote host is affected by a flaw in its administration server that causes it to crash if it receives a single character. The administration server is used to remotely administer Flash Media Server, and this flaw can be used by an attacker to disable access to this service.

ID	Name	Severity
121515	JBoss Remoting RemoteMessageChannel DoS (intrusive check)	Medium
96314	Palo Alto Networks PAN-OS Management Interface Remote DoS (PAN-SA-2016-0027)	Medium
91958	Palo Alto Networks PAN-OS Management Interface API Remote DoS (PAN-SA-2016-0008)	Medium
80556	Libssh ssh_packet_kexinit() Double-free Memory DoS	Medium
73919	Apache Struts ClassLoader Manipulation	High
73763	Apache Struts 2 ClassLoader Manipulation Incomplete Fix for Security Bypass	Medium
71784	Splunk Enterprise 6.x < 6.0.1 Malformed Packet DoS	High
67140	OpenSSH LoginGraceTime / MaxStartups DoS	Medium
66033	Ekiga < 4.0.1 ptlib XML Expansion Recursion DoS	Medium
64458	Ekiga < 4.0.0 Invalid UTF-8 Character Connection Data Parsing DoS	Medium
56922	Asterisk SIP Channel Driver Uninitialized Variable Request Parsing DoS (AST-2011-012)	Medium
17703	OpenSSH < 5.9 Multiple DoS	Medium
17702	OpenSSH < 3.6.1p2 Multiple Vulnerabilities	High
44073	OpenSSH With OpenPAM DoS	Medium
55457	Asterisk Multiple Channel Drivers Denial of Service (AST-2011-008 / AST-2011-009 / AST-2011-010)	Medium
54971	Asterisk SIP Channel Driver Denial of Service (AST-2011-007)	Low
53544	Asterisk Multiple Vulnerabilities (AST-2011-005 / AST-2011-006)	Medium
52714	Asterisk Multiple Denial of Service Vulnerabilities (AST-2011-003 / AST-2011-004)	Medium
45579	memcached No Newline Memory Consumption DoS	Medium
42412	Novell eDirectory < 8.8.5 ftf1/8.7.3.10 ftf2 NULL Base DN DoS	Medium
40885	Asterisk IAX2 Call Number Exhaustion DoS	Medium
35688	Sun Java System Directory Server 6.x < 6.3.1 LDAP JDBC Backend DoS	Medium
33810	MailEnable IMAP Connection Saturation Remote DoS (ME-10042)	Medium
33576	Asterisk IAX2 (IAX) POKE Request Saturation Resource Exhaustion Remote DoS	Medium
33564	Asterisk IAX2 FWDOWNL Request Spoofing Remote DoS	Medium
32132	Asterisk IAX2 Multiple Method Handshake Spoofing DoS	Medium
31863	Novell eDirectory Host Environment Service (dhost.exe) HTTP Connection Header DoS	High
31862	Veritas Storage Foundation Multiple Service Remote DoS (SYM08-004)	Low
31855	Openfire < 3.5.0 ConnectionManagerImpl.java Queue Handling Remote DoS	High
29980	Solaris 10 ICMP Packet Handling DoS	High
29925	IBM Lotus Domino < 7.0.2 FP3 Unspecified DoS	High
28376	Rendezvous < 8.0.0 Crafted Packet Remote DoS	High
25483	Linux Kernel Netfilter *_conntrack_proto_sctp.c sctp_new Function Unknown Chunk Type Remote DoS	Medium
25402	F-Secure Policy Manager Server fsmsh.dll module DoS	Medium
23868	Kerio MailServer < 6.3.1 Long LDAP Query DoS	Medium
23625	OpenLDAP SASL authcid Name BIND Request DoS	Medium
22159	ISC DHCP Server supersede_lease() Function DHCPDISCOVER Packet DoS	Medium
21560	Linux SCTP ECNE Chunk Handling Remote DoS	High
21333	Linux SCTP Functionality Multiple Remote DoS	High
21120	Jabber Studio jabberd SASL Negotiation Remote DoS	Medium
21050	Kerio MailServer IMAP Server Crafted LOGIN Command DoS	High
21023	Dropbear SSH Authorization-pending Connection Saturation DoS	Medium
20989	FreeBSD nfsd Malformed NFS Mount Request Remote DoS	High
20983	BlackBerry Enterprise Server Crafted SRP Packet Remote DoS	High
20903	IBM Tivoli Directory Server LDAP Packet Handling DoS	Medium
20890	Lotus Domino LDAP Server Crafted Packet Remote DoS	Medium
20888	Sun ONE Directory Server LDAP Malformed Packet DoS	Medium
20840	CA Multiple Products Message Queuing Multiple Remote DoS	Medium
20341	Network Block Device (NBD) Server Request Handling Remote Overflow	High
20302	Macromedia Flash Media Server Administration Service Crafted Packet Remote DoS	High

Denial of Service Family for Nessus