VARIoT IoT vulnerabilities database


VAR-201912-0695 CVE-2019-18672 ShapeShift KeepKey hardware wallet Vulnerabilities related to incomplete data integrity verification CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Insufficient checks in the finite state machine of the ShapeShift KeepKey hardware wallet before firmware 6.2.2 allow a partial reset of cryptographic secrets to known values via crafted messages. Notably, this breaks the security of U2F for new server registrations and invalidates existing registrations. This vulnerability can be exploited by unauthenticated attackers and the interface is reachable via WebUSB. The ShapeShift KeepKey hardware wallet contains a vulnerability related to incomplete data integrity verification. Information may be tampered with. ShapeShift KeepKey is an e-wallet device for cryptocurrency storage. The vulnerability in the ShapeShift KeepKey finite state machine is caused by the program not performing full verification. An attacker could use this vulnerability to reset a part of the encryption key to a known value using a specially crafted message.
VAR-201912-0671 CVE-2019-17270 OS command injection vulnerability in Yachtcontrol CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Yachtcontrol through 2019-10-06: It is possible to execute operating system commands directly as an unauthenticated user via the "/pages/systemcall.php?command={COMMAND}" page and parameter, where {COMMAND} is executed and the results are returned to the client. Affects Yachtcontrol webservers disclosed via Dutch GPRS/4G mobile IP ranges. IP addresses vary due to the telcos' DHCP client leasing. Yachtcontrol contains an OS command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS).
VAR-201912-1384 CVE-2019-19620 SecureWorks Red Cloak Windows Agent Vulnerable to improper retention of permissions CVSS V2: 2.1
CVSS V3: 3.3
Severity: LOW
In SecureWorks Red Cloak Windows Agent before 2.0.7.9, a local user can bypass the generation of telemetry alerts by removing NT AUTHORITY\SYSTEM permissions from a file. This is limited in scope to the collection of process-execution telemetry, for executions against specific files where the SYSTEM user was denied access to the source file. SecureWorks Red Cloak Windows Agent contains a vulnerability related to improper retention of permissions. Information may be tampered with. A local attacker could exploit this vulnerability to bypass security protections.
VAR-201912-1254 CVE-2019-18575 Dell Command Configure Vulnerabilities in uncontrolled search path elements CVSS V2: 6.6
CVSS V3: 7.1
Severity: HIGH
Dell Command Configure versions prior to 4.2.1 contain an uncontrolled search path vulnerability. A locally authenticated malicious user could exploit this vulnerability by creating a symlink to a target file, allowing the attacker to overwrite or corrupt a specified file on the system. Dell Command Configure is an application program of Dell, which can provide configuration functions for business client platforms. The program includes a command-line interface and a graphical user interface for configuring various BIOS functions
VAR-201912-1387 CVE-2019-19627 SROS 2 Vulnerable to information disclosure CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
SROS 2 0.8.1 (after CVE-2019-19625 is mitigated) leaks ROS 2 node-related information regardless of the rtps_protection_kind configuration. (SROS2 provides the tools to generate and distribute keys for Robot Operating System 2 and uses the underlying security plugins of DDS from ROS 2.) SROS 2 contains an information disclosure vulnerability. Information may be obtained.
VAR-201912-1386 CVE-2019-19625 SROS 2 Vulnerable to information disclosure CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
SROS 2 0.8.1 (which provides the tools that generate and distribute keys for Robot Operating System 2 and uses the underlying security plugins of DDS from ROS 2) leaks node information due to a leaky default configuration as indicated in the policy/defaults/dds/governance.xml document. SROS 2 contains an information disclosure vulnerability. Information may be obtained.
VAR-201912-0158 CVE-2019-4621 IBM DataPower Gateway Vulnerable to unsafe default initialization of resources CVSS V2: 6.8
CVSS V3: 9.8
Severity: CRITICAL
IBM DataPower Gateway 7.6.0.0 through 7.6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883. IBM DataPower Gateway contains a vulnerability related to the initialization of resources with unsafe default values. The vendor has confirmed this vulnerability and published it as IBM X-Force ID: 168883. Information may be obtained or altered, and service operation may be disrupted (DoS). IBM DataPower Gateway is a security and integration platform specially designed for mobile, cloud, application programming interface (API), network, service-oriented architecture (SOA), B2B and cloud workloads. The platform secures, integrates and optimizes access across channels with a dedicated gateway platform. The vulnerability affects IBM DataPower Gateway 2018.4.1.0 to 2018.4.1.5 and 7.6.0.0 to 7.6.0.14.
VAR-201912-1224 CVE-2019-16674 Vulnerability related to cleartext transmission of sensitive information in multiple Weidmueller products CVSS V2: 5.0
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Authentication information used in a cookie is predictable and can lead to admin password compromise when captured on the network. The Weidmueller IE-SW-VL05M, IE-SW-VL08MT and IE-SW-PL10M devices contain a vulnerability in transmitting sensitive information in the clear. Information may be obtained or altered, and service operation may be disrupted (DoS). Weidmueller IE-SW-VL05M-5TX is an industrial Ethernet switch from Germany's Weidmueller company. An information disclosure vulnerability exists in several Weidmueller products. Attackers can use this vulnerability to guess the authentication information in cookies.
VAR-201912-1227 CVE-2019-16672 Missing encryption of sensitive data vulnerability in multiple Weidmueller products CVSS V2: 5.0
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Sensitive credentials data is transmitted in cleartext. The Weidmueller IE-SW-VL05M, IE-SW-VL08MT and IE-SW-PL10M devices contain a vulnerability related to the lack of encryption of critical data. Information may be obtained or altered, and service operation may be disrupted (DoS). Weidmueller IE-SW-VL05M-5TX is an industrial Ethernet switch from Germany's Weidmueller company. An information disclosure vulnerability exists in several Weidmueller products. An attacker could use this vulnerability to obtain credential data.
VAR-201912-1225 CVE-2019-16670 Improper restriction of excessive authentication attempts in multiple Weidmueller products CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. The authentication mechanism has no brute-force prevention. The Weidmueller IE-SW-VL05M, IE-SW-VL08MT and IE-SW-PL10M devices are vulnerable to improper restriction of excessive authentication attempts. Information may be obtained or altered, and service operation may be disrupted (DoS). Weidmueller IE-SW-VL05M-5TX is an industrial Ethernet switch from Germany's Weidmueller company. There are security vulnerabilities in several Weidmueller products. The vulnerability stems from the failure of the authentication mechanism to protect against brute-force attacks. Attackers can use this vulnerability to carry out brute-force attacks.
VAR-201912-1519 CVE-2019-19007 Intelbras IWR 3000N Vulnerability related to information leak from cache in device CVSS V2: 9.0
CVSS V3: 7.2
Severity: HIGH
Intelbras IWR 3000N 1.8.7 devices allow disclosure of the administrator login name and password because v1/system/user is mishandled, a related issue to CVE-2019-17600. The Intelbras IWR 3000N device contains a vulnerability related to information disclosure from the cache. This vulnerability is related to CVE-2019-17600. Information may be obtained or altered, and service operation may be disrupted (DoS). Intelbras IWR 3000N is a wireless router of Polish Intelbras company. The vulnerability in Intelbras IWR 3000N is caused by the program not handling v1/system/user correctly.
VAR-201912-1226 CVE-2019-16671 Resource exhaustion vulnerability in multiple Weidmueller products CVSS V2: 6.8
CVSS V3: 6.5
Severity: MEDIUM
An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Remote authenticated users can crash a device with a special packet because of uncontrolled resource consumption. The Weidmueller IE-SW-VL05M, IE-SW-VL08MT and IE-SW-PL10M devices contain a resource exhaustion vulnerability. Service operation may be disrupted (DoS). Weidmueller IE-SW-VL05M-5TX is an industrial Ethernet switch from Germany's Weidmueller company.
VAR-201912-1228 CVE-2019-16673 Vulnerability related to information leakage from cache in multiple Weidmueller products CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Passwords are stored in cleartext and can be read by anyone with access to the device. The Weidmueller IE-SW-VL05M, IE-SW-VL08MT and IE-SW-PL10M devices contain a vulnerability related to information disclosure from the cache. Information may be obtained. Weidmueller IE-SW-VL05M-5TX is an industrial Ethernet switch from Germany's Weidmueller company. An insecure credential storage vulnerability exists in several Weidmueller products. The vulnerability stems from programs storing passwords in plain text, which can be used by attackers to read passwords.
VAR-201912-1320 CVE-2019-19589 Input validation vulnerability in the Lever PDF Embedder plug-in for WordPress CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
The Lever PDF Embedder plugin 4.4 for WordPress does not block the distribution of polyglot PDF documents that are valid JAR archives. Note: It has been argued that "The vulnerability reported in PDF Embedder Plugin is not valid as the plugin itself doesn't control or manage the file upload process. It only serves the uploaded PDF files and the responsibility of uploading PDF file remains with the Site owner of Wordpress installation, the upload of PDF file is managed by Wordpress core and not by PDF Embedder Plugin. Control & block of polyglot file is required to be taken care at the time of upload, not on showing the file. Moreover, the reference mentions retrieving the files from the browser cache and manually renaming it to jar for executing the file. That refers to a two step non-connected steps which has nothing to do with PDF Embedder." The Lever PDF Embedder plug-in for WordPress contains an input validation vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. Lever PDF Embedder is a PDF viewing plug-in used in it. A security vulnerability exists in WordPress Lever PDF Embedder version 4.4. An attacker could exploit this vulnerability to transmit and execute malicious code.
VAR-201912-1168 CVE-2019-11937 Mcrouter Vulnerable to resource exhaustion CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
In Mcrouter prior to v0.41.0, a large struct input provided to the Carbon protocol reader could result in stack exhaustion and denial of service. Mcrouter contains a resource exhaustion vulnerability. Service operation may be disrupted (DoS). Mcrouter is a memcached protocol router. There is a security vulnerability in versions prior to Mcrouter v0.41.0. An attacker could exploit this vulnerability to exhaust the stack and cause a denial of service.
VAR-201912-0805 CVE-2019-5253 E5572-855 Authentication vulnerability CVSS V2: 7.1
CVSS V3: 5.9
Severity: MEDIUM
E5572-855 with versions earlier than 8.0.1.3(H335SP1C233) has an improper authentication vulnerability. The device does not perform sufficient authentication when doing certain operations; a successful exploit could allow an attacker to cause the device to reboot after launching a man-in-the-middle attack. E5572-855 contains an authentication vulnerability. Service operation may be disrupted (DoS). Huawei E5572-855 is a portable wireless router device from China's Huawei.
VAR-201912-0801 CVE-2019-5248 CloudEngine 12800 Vulnerable to lack of resource release after valid lifetime CVSS V2: 6.1
CVSS V3: 7.4
Severity: HIGH
CloudEngine 12800 has a DoS vulnerability. An attacker of a neighboring device sends a large number of specific packets. As a result, a memory leak occurs after the device uses the specific packet. As a result, the attacker can exploit this vulnerability to cause DoS attacks on the target device. CloudEngine 12800 is vulnerable to a lack of resource release after a valid lifetime. A denial of service (DoS) may result. Huawei CloudEngine 12800 is a 12800 series data center switch from Huawei of China. A denial of service vulnerability exists in Huawei CloudEngine 12800.
VAR-201912-0803 CVE-2019-5251 Path traversal vulnerability in multiple Huawei smartphone products CVSS V2: 4.3
CVSS V3: 5.5
Severity: MEDIUM
There is a path traversal vulnerability in several Huawei smartphones. The system does not sufficiently validate certain pathnames from the application. An attacker could trick the user into installing, backing up and restoring a malicious application. Successful exploit could cause information disclosure. Multiple Huawei smartphone products contain a path traversal vulnerability. Information may be obtained. Huawei P30 and other products are products of China's Huawei. The Huawei P30 is a smartphone. Huawei P30 Pro is a smartphone. Huawei M6 is a tablet. The vulnerability stems from the system's failure to adequately verify the path name from an application. information
VAR-201912-1553 CVE-2019-19228 Vulnerability in plaintext storage of important information on multiple Fronius Solar Inverter devices CVSS V2: 5.0
CVSS V3: 9.8
Severity: CRITICAL
Fronius Solar Inverter devices before 3.14.1 (HM 1.12.1) allow attackers to bypass authentication because the password for the today account is stored in the /tmp/web_users.conf file. Multiple Fronius Solar Inverter devices contain a vulnerability regarding the storage of important information in the clear. Information may be obtained or altered, and service operation may be disrupted (DoS). Fronius Solar Inverter is a photovoltaic inverter equipment of Fronius Company in Austria. Fronius Solar Inverter versions before 3.14.1 (HM 1.12.1) have a security vulnerability. The vulnerability originates from the program storing the password of the 'today' account in the /tmp/web_users.conf file. An attacker can use this vulnerability to bypass authentication.

SEC Consult Vulnerability Lab Security Advisory < 20191203-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Fronius Solar Inverter Series
 vulnerable version: SW Version <3.14.1 (HM 1.12.1)
      fixed version: >=3.14.1 (vuln 2: 3.12.5 - HM 1.10.5), see solution section below
         CVE number: CVE-2019-19228, CVE-2019-19229
             impact: High
           homepage: https://www.fronius.com
              found: 2018-10-31
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"A passion for new technologies, intensive research and revolutionary solutions have been shaping the Fronius brand since 1945. As the technology leader, we find, develop and implement innovative methods to monitor and control energy for welding technology, photovoltaics and battery charging. We forge new paths, try something difficult and succeed where others have failed in achieving what seems to be impossible.
[...]"

Source: http://www.fronius.com/en/about-fronius/company-values

Business recommendation:
------------------------
The vendor automatically performed a fleet update of the solar inverters in the field in order to patch them. Nevertheless, as not all devices could be reached through such an update, all remaining users are advised to install the patches provided by the vendor immediately.

Vulnerability overview/description:
-----------------------------------
1) Unencrypted Communication
The whole communication is handled over HTTP. There is no possibility to activate an HTTPS web service.

2) Authenticated Path Traversal (CVE-2019-19229)
A path traversal attack for authenticated users is possible. This allows getting access to the operating system of the device and access information like network configurations and connections to other hosts or potentially other sensitive information. This vulnerability has been fixed in March 2019 in version 3.12.5. (HM 1.10.5).

The web server runs with "nobody" privileges, but nearly all files on the file system are world-readable and can be extracted.

3) Backdoor Account (CVE-2019-19228)
The web interface has a backdoor user account with the username "today". This user account has all permissions of all other users ("service", "admin" and "user") together. As its name suggests, the password for the user "today" changes every day and seems to be different to other devices with the same firmware. This means that some device-specific strings (e.g. the public device-ID) is mixed up every day to generate a new password. This account is being used by Fronius support in order to access the device upon request from the user.

The fix for this issue has been split in two parts. The "password reset" part has been fixed in version 3.14.1 (HM 1.12.1) and the second part providing the support account needs an architectural rework which will be fixed in a future version (planned for 3.15.1 (HM 1.15.1)).

The passwords for all users of the web interface are stored in plain-text.

4) Outdated and Vulnerable Software Components
Outdated and vulnerable software components were found on the device during a quick examination. Not all of the outdated components can be fixed by the vendor in the current solar inverter generation, see the workaround section below.

Proof of concept:
-----------------
1) Unencrypted Communication
By using an interceptor proxy this vulnerability can be verified in a simple way.

2) Authenticated Path Traversal (CVE-2019-19229)
By sending the following request to the following endpoint, a path traversal vulnerability can be triggered:
http://<IP-Address>/admincgi-bin/service.fcgi

Request to read the "/etc/shadow" password file:
┌──────────────────────────────────────────────────────────────────────────────
|GET /admincgi-bin/service.fcgi?action=download&filename=../../../../../etc/shadow
└──────────────────────────────────────────────────────────────────────────────

As response, the file is returned without line breaks. In this example the line breaks are added for better readability:
┌──────────────────────────────────────────────────────────────────────────────
|HTTP/1.1 200 OK
|Content-Type: application/force-download
|Content-Disposition: attachment; filename=../../../../../etc/shadow
|Connection: close
|Date: Sun, 28 Oct 2018 08:20:27 GMT
|Server: webserver
|
|root:$1$6MNb1Vq3$oU4TaPqQ782Y2ybdWLICh1:0:1:99999:7:::
|nobody:*:10897:0:99999:7:::
|messagebus:$1$6JrvtnWp$T.JvjxjbGTCD.jF7.hhb3.:15638:0:99999:7:::
└──────────────────────────────────────────────────────────────────────────────

By retrieving the file "/etc/issue" an easter-egg was found:
┌──────────────────────────────────────────────────────────────────────────────
|[ASCII-art banner]
|Congratulations to all non Fronius employees which have come so far :)
└──────────────────────────────────────────────────────────────────────────────

3) Backdoor Account (CVE-2019-19228)
The passwords of the web interface of the affected versions are stored in the file "/tmp/web_users.conf" in clear text:
┌──────────────────────────────────────────────────────────────────────────────
|admin:<user-password>
|service:<user-password>
|today:<40-bit hash-value>
└──────────────────────────────────────────────────────────────────────────────

The password for "today", which is generated by some algorithm, is suspected to be a sha1-hash which includes the system-time. A detailed firmware analysis can reveal the algorithm but has not been performed for this advisory.

4) Outdated and Vulnerable Software Components
By using the path traversal vulnerability (2) a lot of components are found to be outdated:
* Busybox 1.22.1 (December 23, 2014) multiple CVEs
* Lighttpd 1.4.33 (September 27, 2013) multiple CVEs
* Linux kernel 4.1.39 (March 13, 2017) multiple CVEs

The used SDK is based on the OSELAS toolchain from 2011 and U-Boot from 2012:
* gcc version 4.6.2 (OSELAS.Toolchain-2011.11.1)
* U-Boot 2012.07-3

Vulnerable / tested versions:
-----------------------------
The Fronius Symo 10.0-3-M (1) SWVersion 3.10.3-1 (HM 1.9.2) was tested but more solar inverters from Fronius share this firmware. The following list has been provided by the vendor:

Symo Hybrid 3.0-3-M
Symo Hybrid 4.0-3-M
Symo Hybrid 5.0-3-M
Datamanager Box 2.0
Symo 3.0-3-M *)
Symo 3.0-3-S *)
Symo 3.7-3-M *)
Symo 3.7-3-S *)
Symo 4.5-3-M *)
Symo 4.5-3-S *)
Symo 5.0-3-M *)
Symo 6.0-3-M *)
Symo 7.0-3-M *)
Symo 8.2-3-M *)
Symo 10.0-3-M *) (tested)
Symo 10.0-3-M-OS *)
Symo 12.5-3-M *)
Symo 15.0-3-M *)
Symo 17.5-3-M *)
Symo 20.0-3-M *)
Galvo 1.5-1 *)
Galvo 2.0-1 *)
Galvo 2.5-1 *)
Galvo 3.0-1 *)
Galvo 3.1-1 *)
Galvo 1.5-1 208-240 *)
Galvo 2.0-1 208-240 *)
Galvo 2.5-1 208-240 *)
Galvo 3.1-1 208-240 *)
Primo 3.0-1 *)
Primo 3.5-1 *)
Primo 3.6-1 *)
Primo 4.0-1 *)
Primo 4.6-1 *)
Primo 5.0-1 *)
Primo 5.0-1 AUS *)
Primo 5.0-1 SC *)
Primo 6.0-1 *)
Primo 8.2-1 *)
Primo 3.8-1 208-240 *)
Primo 5.0-1 208-240 *)
Primo 6.0-1 208-240 *)
Primo 7.6-1 208-240 *)
Primo 8.2-1 208-240 *)
Primo 10.0-1 208-240 *)
Primo 11.4-1 208-240 *)
Primo 12.5-1 208-240 *)
Primo 15.0-1 208-240 *)
Symo 10.0-3 208-240 *)
Symo 10.0-3 480 *)
Symo 12.0-3 208-240 *)
Symo 12.5-3 480 *)
Symo 15.0-3 107 *)
Symo 15.0-3 480 *)
Symo 17.5-3 480 *)
Symo 20.0-3 480 *)
Symo 22.7-3 480 *)
Symo 24.0-3 480 *)
Eco 25.0-3-S *)
Eco 27.0-3-S *)
Symo Advanced 10.0-3 208-240 *)
Symo Advanced 12.0-3 208-240 *)
Symo Advanced 15.0-3 480 *)
Symo Advanced 20.0-3 480 *)
Symo Advanced 22.7-3 480 *)
Symo Advanced 24.0-3 480 *)

*) only with Datamanager card/box

Vendor contact timeline:
------------------------
2018-11-05: Contacting vendor through contact@fronius.com, requesting security contact
2018-11-06: Vendor replies and confirms security issues
2018-12-03: Meeting with vendor to discuss security issues
2019-01 - 2019-11: Multiple telcos discussing Fronius' rollout plan and fixes
2019-03-18: Release of version 3.12.5 (HM 1.10.5) which fixes the path traversal vulnerability
2019-07-30: Release of version 3.14.1 (HM 1.12.1) which fixes many of the other reported issues
2019-08 - 2019-11: Testing & Fleet update to version 3.14.1 (HM 1.12.1)
2019-12-03: Coordinated release of security advisory

Solution:
---------
The vendor provides a patched firmware via their download portal. Visit the download page and search for "firmware update" and choose the "Fronius Solar.update Datamanager V3.14.1-10" firmware.

The new version v3.14.1 (HM 1.12.1) which contains most of the security fixes can be downloaded directly as well:
https://www.fronius.com/~/downloads/Solar%20Energy/Firmware/SE_FW_Fronius_Solar.update_Datamanager_EN.zip

Some of the identified vulnerabilities (e.g. issue 1 and parts of 4) cannot be fixed in the current solar inverter product/software generation. Issue 2 (path traversal) has been fixed in version 3.12.5 (HM 1.10.5).

Workaround:
-----------
Restrict network access to the device as much as possible and disable port forwarding from the Internet. Fronius Solar.Web access is still possible.

Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
EOF T. Weber / @2019
VAR-201912-0913 CVE-2019-19397 Vulnerabilities related to the use of cryptographic algorithms in multiple Huawei products CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
There is a weak algorithm vulnerability in some Huawei products. The affected products use weak algorithms by default. Attackers may exploit the vulnerability to cause information leaks. Multiple Huawei products contain a vulnerability related to the use of cryptographic algorithms. Information may be obtained. Huawei S12700, etc. are all enterprise-class switch products from Huawei. A number of Huawei products have encryption problem vulnerabilities.