VARIoT IoT vulnerabilities database

Some Huawei products have an insufficient verification of data authenticity vulnerability. A remote, unauthenticated attacker has to intercept specific packets between two devices, modify the packets, and send the modified packets to the peer device. Due to insufficient verification of some fields in the packets, an attacker may exploit the vulnerability to cause the target device to be abnormal. plural Huawei The product is vulnerable to insufficient validation of data reliability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei AR1200, etc. are all enterprise routers from China's Huawei

D-Link DAP-1860 devices before v1.04b03 Beta allow access to administrator functions without authentication via the HNAP_AUTH header timestamp value. In HTTP requests, part of the HNAP_AUTH header is the timestamp used to determine the time when the user sent the request. If this value is equal to the value stored in the device's /var/hnap/timestamp file, the request will pass the HNAP_AUTH check function. D-Link DAP-1860 The device contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. D-Link DAP-1860 is a WiFi range extender from Taiwan D-Link. D-Link DAP-1860 has an authorization issue vulnerability

There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant. plural Huawei An authentication vulnerability exists in smartphone products.Information may be obtained and information may be altered. Huawei Y9 and other smartphones from China's Huawei. A number of Huawei products have authorization issue vulnerabilities

admincgi-bin/service.fcgi on Fronius Solar Inverter devices before 3.14.1 (HM 1.12.1) allows action=download&filename= Directory Traversal. The vulnerability stems from a network system or product's failure to properly filter special elements in a resource or file path. An attacker could use this vulnerability to access locations outside the restricted directory. SEC Consult Vulnerability Lab Security Advisory < 20191203-0 > ======================================================================= title: Multiple vulnerabilites product: Fronius Solar Inverter Series vulnerable version: SW Version <3.14.1 (HM 1.12.1) fixed version: >=3.14.1 (vuln 2: 3.12.5 - HM 1.10.5), see solution section below CVE number: CVE-2019-19228, CVE-2019-19229 impact: High homepage: https://www.fronius.com found: 2018-10-31 by: T. Weber (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "A passion for new technologies, intensive research and revolutionary solutions have been shaping the Fronius brand since 1945. As the technology leader, we find, develop and implement innovative methods to monitor and control energy for welding technology, photovoltaics and battery charging. We forge new paths, try something difficult and succeed where others have failed in achieving what seems to be impossible. [...]" Source: http://www.fronius.com/en/about-fronius/company-values Business recommendation: ------------------------ The vendor automatically performed a fleet update of the solar inverters in the field in order to patch them. Nevertheless, as not all devices could be reached through such an update, all remaining users are advised to install the patches provided by the vendor immediately. Vulnerability overview/description: ----------------------------------- 1) Unencrypted Communication The whole communication is handled over HTTP. There is no possibility to activate an HTTPS web service. 2) Authenticated Path Traversal (CVE-2019-19229) A path traversal attack for authenticated users is possible. This allows getting access to the operating system of the device and access information like network configurations and connections to other hosts or potentially other sensitive information. This vulnerability has been fixed in March 2019 in version 3.12.5. (HM 1.10.5). The web server runs with "nobody" privileges, but nearly all files on the file system are world-readable and can be extracted. 3) Backdoor Account (CVE-2019-19228) The web interface has a backdoor user account with the username "today". This user account has all permissions of all other users ("service", "admin" and "user") together. As its name suggests, the password for the user "today" changes every day and seems to be different to other devices with the same firmware. This means that some device-specific strings (e.g. the public device-ID) is mixed up every day to generate a new password. This account is being used by Fronius support in order to access the device upon request from the user. The fix for this issue has been split in two parts. The "password reset" part has been fixed in version 3.14.1 (HM 1.12.1) and the second part providing the support account needs an architectural rework which will be fixed in a future version (planned for 3.15.1 (HM 1.15.1)). The passwords for all users of the web interface are stored in plain-text. This can be seen as another vulnerability and it has been fixed in version 3.14.1 (HM 1.12.1). 4) Outdated and Vulnerable Software Components Outdated and vulnerable software components were found on the device during a quick examination. Not all of the outdated components can be fixed by the vendor in the current solar inverter generation, see the workaround section below. Proof of concept: ----------------- 1) Unencrypted Communication By using an interceptor proxy this vulnerability can be verified in a simple way. 2) Authenticated Path Traversal (CVE-2019-19229) By sending the following request to the following endpoint, a path traversal vulnerability can be triggered: http://<IP-Address>/admincgi-bin/service.fcgi Request to read the "/etc/shadow" password file: ┌────────────────────────────────────────────────────────────────────────────── |GET /admincgi-bin/service.fcgi?action=download&filename=../../../../../etc/shadow └────────────────────────────────────────────────────────────────────────────── As response, the file is returned without line breaks. In this example the line breaks are added for better readability: ┌────────────────────────────────────────────────────────────────────────────── |HTTP/1.1 200 OK |Content-Type: application/force-download |Content-Disposition: attachment; filename=../../../../../etc/shadow |Connection: close |Date: Sun, 28 Oct 2018 08:20:27 GMT |Server: webserver | |root:$1$6MNb1Vq3$oU4TaPqQ782Y2ybdWLICh1:0:1:99999:7::: |nobody:*:10897:0:99999:7::: |messagebus:$1$6JrvtnWp$T.JvjxjbGTCD.jF7.hhb3.:15638:0:99999:7::: └────────────────────────────────────────────────────────────────────────────── By retrieving the file "/etc/issue" an easter-egg was found: ┌────────────────────────────────────────────────────────────────────────────── | __ ___ _ _ _ _ __ ___ _ __ __ _ |\\ \\ / (_|_|_|_) |_ __ __ _ __ _ __ _ / / | \\| | \\ \\ / /___| |__ | \\ \\/\\/ /| | | | | | ' \\/ _` / _` / _` | / / | |) | |__ \\ \\/\\/ // -_) '_ \\ | \\_/ \\_/ |_|_|_|_|_|_|_|_\\__,_\\__,_\\__,_| /_/ |___/|____| \\_/ \\_/\\___|_.__/ |Congratulations to all non Fronius employees which have come so far :) └────────────────────────────────────────────────────────────────────────────── 3) Backdoor Account (CVE-2019-19228) The passwords of the web interface of the affected versions are stored in the file "/tmp/web_users.conf" in clear text: ┌────────────────────────────────────────────────────────────────────────────── |admin:<user-password> |service:<user-password> |today:<40-bit hash-value> └────────────────────────────────────────────────────────────────────────────── The password for "today", which is generated by some algorithm, is suspected to be a sha1-hash which includes the system-time. A detailed firmware analysis can reveal the algorithm but has not been performed for this advisory. 4) Outdated and Vulnerable Software Components By using the path traversal vulnerability (2) a lot of components are found to be outdated: * Busybox 1.22.1 (December 23, 2014) multiple CVEs * Lighttpd 1.4.33 (September 27, 2013) multiple CVEs * Linux kernel 4.1.39 (March 13, 2017) multiple CVEs The used SDK is based on the OSELAS toolchain from 2011 and U-Boot from 2012: * gcc version 4.6.2 (OSELAS.Toolchain-2011.11.1) * U-Boot 2012.07-3 Vulnerable / tested versions: ----------------------------- The Fronius Symo 10.0-3-M (1) SWVersion 3.10.3-1 (HM 1.9.2) was tested but more solar inverters from Fronius share this firmware. The following list has been provided by the vendor: Symo Hybrid 3.0-3-M Symo Hybrid 4.0-3-M Symo Hybrid 5.0-3-M Datamanager Box 2.0 Symo 3.0-3-M *) Symo 3.0-3-S *) Symo 3.7-3-M *) Symo 3.7-3-S *) Symo 4.5-3-M *) Symo 4.5-3-S *) Symo 5.0-3-M *) Symo 6.0-3-M *) Symo 7.0-3-M *) Symo 8.2-3-M *) Symo 10.0-3-M *) (tested) Symo 10.0-3-M-OS *) Symo 12.5-3-M *) Symo 15.0-3-M *) Symo 17.5-3-M *) Symo 20.0-3-M *) Galvo 1.5-1 *) Galvo 2.0-1 *) Galvo 2.5-1 *) Galvo 3.0-1 *) Galvo 3.1-1 *) Galvo 1.5-1 208-240 *) Galvo 2.0-1 208-240 *) Galvo 2.5-1 208-240 *) Galvo 3.1-1 208-240 *) Primo 3.0-1 *) Primo 3.5-1 *) Primo 3.6-1 *) Primo 4.0-1 *) Primo 4.6-1 *) Primo 5.0-1 *) Primo 5.0-1 AUS *) Primo 5.0-1 SC *) Primo 6.0-1 *) Primo 8.2-1 *) Primo 3.8-1 208-240 *) Primo 5.0-1 208-240 *) Primo 6.0-1 208-240 *) Primo 7.6-1 208-240 *) Primo 8.2-1 208-240 *) Primo 10.0-1 208-240 *) Primo 11.4-1 208-240 *) Primo 12.5-1 208-240 *) Primo 15.0-1 208-240 *) Symo 10.0-3 208-240 *) Symo 10.0-3 480 *) Symo 12.0-3 208-240 *) Symo 12.5-3 480 *) Symo 15.0-3 107 *) Symo 15.0-3 480 *) Symo 17.5-3 480 *) Symo 20.0-3 480 *) Symo 22.7-3 480 *) Symo 24.0-3 480 *) Eco 25.0-3-S *) Eco 27.0-3-S *) Symo Advanced 10.0-3 208-240 *) Symo Advanced 12.0-3 208-240 *) Symo Advanced 15.0-3 480 *) Symo Advanced 20.0-3 480 *) Symo Advanced 22.7-3 480 *) Symo Advanced 24.0-3 480 *) *) only with Datamanager card/box Vendor contact timeline: ------------------------ 2018-11-05: Contacting vendor through contact@fronius.com, requesting security contact 2018-11-06: Vendor replies and confirms security issues 2018-12-03: Meeting with vendor to discuss security issues 2019-01 - 2019-11: Multiple telcos discussing Fronius' rollout plan and fixes 2019-03-18: Release of version 3.12.5 (HM 1.10.5) which fixes the path traversal vulnerability 2019-07-30: Release of version 3.14.1 (HM 1.12.1) which fixes many of the other reported issues 2019-08 - 2019-11: Testing & Fleet update to version 3.14.1 (HM 1.12.1) 2019-12-03: Coordinated release of security advisory Solution: --------- The vendor provides a patched firmware via their download portal. Visit the download page and search for "firmware update" and choose the "Fronius Solar.update Datamanager V3.14.1-10" firmware. The new version v3.14.1 (HM 1.12.1) which contains most of the security fixes can be downloaded directly as well: https://www.fronius.com/~/downloads/Solar%20Energy/Firmware/SE_FW_Fronius_Solar.update_Datamanager_EN.zip Some of the identified vulnerabilities (e.g. issue 1 and parts of 4) cannot be fixed in the current solar inverter product/software generation. Workaround: ----------- Restrict network access to the device as much as possible and disable port forwarding from the Internet. Fronius Solar.Web access is still possible. Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF T. Weber / @2019

D-Link DAP-1860 devices before v1.04b03 Beta allow arbitrary remote code execution as root without authentication via shell metacharacters within an HNAP_AUTH HTTP header. D-Link DAP-1860 The device contains an authentication vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. D-Link DAP-1860 is a WiFi range extender from Taiwan D-Link. D-Link DAP-1860 has a remote code execution vulnerability

Mate 20 Pro smartphones with versions earlier than 9.1.0.135(C00E133R3P1) have an improper authorization vulnerability. The software does not properly restrict certain operation of certain privilege, the attacker could trick the user into installing a malicious application before the user turns on student mode function. Successful exploit could allow the attacker to bypass the limit of student mode function. Mate 20 Pro Smartphones are vulnerable to unauthorized authentication.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Huawei Mate 20 Pro is a smartphone from China's Huawei

Huawei S5700 and S6700 have a DoS security vulnerability. Attackers with certain permissions perform specific operations on affected devices. Because the pointer in the program is not processed properly, the vulnerability can be exploited to cause the device to be abnormal. Huawei S5700 and S6700 Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. The Huawei S5700 and Huawei S6700 are both enterprise-class switch products from China's Huawei. A denial of service vulnerability exists in the Huawei S5700 and S6700

In Mcrouter prior to v0.41.0, the deprecated ASCII parser would allocate a buffer to a user-specified length with no maximum length enforced, allowing for resource exhaustion or denial of service. Mcrouter Contains a resource exhaustion vulnerability.Denial of service (DoS) May be in a state. Mcrouter is a memcached protocol router. Mcrouter v0.41.0 has a resource management error vulnerability. Attackers can use this vulnerability to exhaust resources or cause a denial of service. There is a security vulnerability in Mcrouter prior to v0.41.0

There is an out-of-bounds read vulnerability in the Advanced Packages feature of the Gauss100 OLTP database in CampusInsight before V100R019C00SPC200. Attackers who gain the specific permission can use this vulnerability by sending elaborate SQL statements to the database. Successful exploit of this vulnerability may cause the database to crash. CampusInsight Contains an out-of-bounds vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. The following products and versions are affected: CampusInsight V100R019C00

Advantech WebAccess is a set of HMI / SCADA software based on browser architecture by Advantech. The software supports dynamic graphic display and real-time data control, and provides the ability to remotely control and manage automation equipment. Advantech WebAccess 8.4.2 has an arbitrary file deletion vulnerability. An attacker can use this vulnerability to delete arbitrary files on the target host

KingSCADA is a SCADA product for the middle and high-end markets. It features integrated management, modular development, visual operation, intelligent diagnosis and control. KingSCADA has a buffer overflow vulnerability that could be exploited by an attacker to cause a program to deny service

Schneider Electric TM218LDAE24DRHN is a programmable controller product of Schneider Electric (France). Schneider Electric TM218LDAE24DRHN has a denial of service vulnerability. An attacker can use the vulnerability to send specific protocol packets, causing a denial of service attack

Privilege escalation vulnerability in Multiple MOTEX products (LanScope Cat client program (MR) and LanScope Cat client program (MR)LanScope Cat detection agent (DA) prior to Ver.9.2.1.0, LanScope Cat server monitoring agent (SA, SAE) prior to Ver.9.2.2.0, LanScope An prior to Ver 2.7.7.0 (LanScope An 2 series), and LanScope An prior to Ver 3.0.8.1 (LanScope An 3 series)) allow authenticated attackers to obtain unauthorized privileges and execute arbitrary code. LanScope Cat and LanScope An provided by MOTEX Inc. contain a privilege escalation vulnerability. Mitsuaki (Mitch) Shiraishi of Secureworks Japan and Yoshimasa Obana reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.An user who can login to the PC where the vulnerable product is installed may obtain unauthorized privileges and execute arbitrary code. OTEX LanScope Cat and LanScope An are products of Japanese MOTEX company. LanScope Cat is a set of asset monitoring and management software. LanScope An is a smart device management tool. There are security holes in MOTEX LanScope An and LanScope Cat. An attacker could use this vulnerability to gain unauthorized permissions and execute arbitrary code

Dell Command Update versions prior to 3.1 contain an Arbitrary File Deletion Vulnerability. A local authenticated malicious user with low privileges potentially could exploit this vulnerability to delete arbitrary files by creating a symlink from the "Temp\IC\ICDebugLog.txt" to any targeted file. This issue occurs because of insecure handling of Temp directory permissions that were set incorrectly

Dell Command Update versions prior to 3.1 contain an Arbitrary File Deletion Vulnerability. A local authenticated malicious user with low privileges potentially could exploit this vulnerability to delete arbitrary files by creating a symlink from the "Temp\ICProgress\Dell_InventoryCollector_Progress.xml" to any targeted file. This issue occurs because permissions on the Temp directory were set incorrectly

A denial-of-service vulnerability exists in the processing of multi-part/form-data requests in the base GoAhead web server application in versions v5.0.1, v.4.1.1 and v3.6.5. A specially crafted HTTP request can lead to an infinite loop in the process. The request can be unauthenticated in the form of GET or POST requests and does not require the requested resource to exist on the server. GoAhead web Server applications contain an infinite loop vulnerability.Service operation interruption (DoS) It may be in a state. Embedthis Software GoAhead is an embedded Web server of American Embedthis Software company

Anviz access control devices perform cleartext transmission of sensitive information (passwords/pins and names) when replying to query on port tcp/5010. Anviz access control The device contains an information disclosure vulnerability.Information may be obtained

Anviz access control devices expose credentials (names and passwords) by allowing remote attackers to query this information without credentials via port tcp/5010. Anviz access control The device contains an information disclosure vulnerability.Information may be obtained. A remote attacker could exploit this vulnerability with a specially crafted request to obtain user credentials

Anviz access control devices expose private Information (pin code and name) by allowing remote attackers to query this information without credentials via port tcp/5010. Anviz access control The device contains an information disclosure vulnerability.Information may be obtained

Anviz access control devices allow remote attackers to issue commands without a password. Anviz access control The device contains an incorrect authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. There are security holes in Anviz access control device