VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-202001-0498 CVE-2019-16273 DTEN D5 and D7 Authentication vulnerabilities in devices CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
DTEN D5 and D7 before 1.3.4 devices allow unauthenticated root shell access through Android Debug Bridge (adb), leading to arbitrary code execution and system administration. Also, this provides a covert ability to capture screen data from the Zoom Client on Windows by executing commands on the Android OS. DTEN D5 and D7 The device contains an authentication vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. DTEN D5 and DTEN D7 are both a stylus from DTEN. DTEN D5 and D7 security vulnerabilities in versions prior to 1.3.4. An attacker could use this vulnerability to perform system management and execute arbitrary code to obtain the data displayed by the Zoom Client
VAR-202001-0496 CVE-2019-16271 DTEN D5 and D7 Lack of authentication for critical features on device vulnerabilities CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
DTEN D5 and D7 before 1.3.2 devices allows remote attackers to read saved whiteboard image PDF documents via storage/emulated/0/Notes/PDF on TCP port 8080 without authentication. DTEN D5 and D7 The device is vulnerable to a lack of authentication for critical functions.Information may be obtained. DTEN D5 and DTEN D7 are both a stylus from DTEN. An attacker could use this vulnerability to read the stored electronic whiteboard image (PDF document) using the storage / emulated / 0 / Notes / PDF file system path
VAR-202001-1606 CVE-2020-5204 uftpd Vulnerable to classical buffer overflow CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
In uftpd before 2.11, there is a buffer overflow vulnerability in handle_PORT in ftpcmd.c that is caused by a buffer that is 16 bytes large being filled via sprintf() with user input based on the format specifier string %d.%d.%d.%d. The 16 byte size is correct for valid IPv4 addresses (len('255.255.255.255') == 16), but the format specifier %d allows more than 3 digits. This has been fixed in version 2.11. uftpd Contains a classic buffer overflow vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state
VAR-202001-0302 CVE-2019-18842 USR-WIFI232-S/T/G2/H Low Power WiFi Module Vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
A cross-site scripting (XSS) vulnerability in the configuration web interface of the Jinan USR IOT USR-WIFI232-S/T/G2/H Low Power WiFi Module with web version 1.2.2 allows attackers to leak credentials of the Wi-Fi access point the module is logged into, and the web interface login credentials, by opening a Wi-Fi access point nearby with a malicious SSID. USR-WIFI232-S/T/G2/H Low Power WiFi Module Contains a cross-site scripting vulnerability.The information may be obtained and the information may be falsified. USR IOT USR-WIFI232-S, etc. are all low-power serial wireless WIFI modules of China's U-Tech Internet of Things (USR IOT) company. The vulnerability stems from the lack of correct verification of client data in the WEB application. An attacker can use this vulnerability to execute client code. The following products and versions are affected: USR IOT USR-WIFI232-S using firmware version 1.2.2; USR IOT USR-WIFI232-T using firmware version 1.2.2; USR IOT USR-WIFI232- using firmware version 1.2.2 G2; USR IOT USR-WIFI232-H using firmware version 1.2.2
VAR-202001-0279 CVE-2019-17095 Bitdefender BOX 2  In  OS  Command injection vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method `/api/download_image` unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In order to exploit the condition, an unauthenticated attacker should impersonate a infrastructure server to trigger this vulnerability. ________________________________________________________________________ From the low-hanging-fruit-department Bitdefender Generic Malformed Archive Bypass (BZ2) ________________________________________________________________________ Release mode : Forced Disclosure Ref : [TZO-04-2019] - Bitdefender Malformed Archive bypass (BZ2) Vendor : Bitdefender Status : Patched (amsiscan.dll >24.0.14.74) CVE : Issued 3 CVEs then pulled them back (although patching) Dislosure Policy: https://caravelahq.com/b/policy/20949 Blog : https://blog.zoller.lu/p/tzo-04-2019-bitdefender-malformed.html Vendor Advisory : No Advisory issued Patch release : https://www.bitdefender.com/consumer/support/answer/10690/ Affected Products ================= All Bitdefender Products and Vendors that have licensed the Engine before Dec 12 2019. Exact version is unknown as Bitdefender has not made this public. Quoting Bitdefender : "All Bitdefender endpoint solutions (including but not limited to Bitdefender Total Security, Bitdefender Antivirus Free Edition, Bitdefender GravityZone) as well as all products using our engines." Consumer: Bitdefender Premium Security Bitdefender Total Security 2020 Bitdefender Internet Security 2020 Bitdefender Antivirus Plus 2020 Bitdefender Family Pack 2020 Bitdefender Antivirus for Mac Bitdefender Mobile Security for Android Bitdefender Mobile Security for iOS Enterprise: Bitdefender Small Office Security GravityZone Business Security GravityZone Advanced Business Security Bitdefender Security for AWS GravityZone Ultra Security GravityZone Managed EDR GravityZone Elite Security GravityZone Enterprise Security Security for Virtualized Environments Security for Endpoints Security for Mobiles Security for Exchange GravityZone Security for Storage Vulnerable OEM Partners (According to AV-TEST): Adaware Bullguard Vipr Total360 eScan emiSoft G-DATA Qihoo 360 Quick Heal TotalDefense Tencent I. Background ================= "Since 2001, Bitdefender innovation has consistently delivered award-winning security products and threat intelligence for people, homes, businesses and their devices, networks and cloud services. Today, Bitdefender is also the provider of choice, used in over 38% of the world’s security solutions. Recognized by industry, respected by vendors and evangelized by our customers, Bitdefender is the cybersecurity company you can trust and rely on." II. Description ================= The parsing engine supports the BZIP archive format. The parsing engine can be bypassed by specifically manipulating an BZIP Archive so that it can be accessed by an end-user but not the Anti-Virus software. The AV engine is unable to scan the archive and issues the file a "clean" rating. I may release further details after all known vulnerable vendors have patched their products. III. Impact ================= Impacts depends on the contextual use of the product and engine within the organisation of a customer. Gateway Products (Email, HTTP Proxy etc) may allow the file through unscanned and give it a clean bill of health. Server side AV software will not be able to discover any code or sample contained within this ISO file and it will not raise suspicion even if you know exactly what you are looking for (Which is for example great to hide your implants or Exfiltration/Pivot Server). There is a lot more to be said about this bug class, so rather than bore you with it in this advisory I provide a link to my 2009 blog post http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html IV. Patch / Advisory ================= If you are an enterprise customer I would suggest to reach out to Bitdefender to discuss how you can be notified about patched vulnerabilities within their products. Some releases may requires binary updates that cant be pulled from the auto-update. amsiscan.dll >24.0.14.74 For Users of the OEM Partners (G-Data, Vipr, etc) I would suggest to get in contact to ensure these vulnerabilities are patched or not present in their offering. I would also suggest discussing how you can be made aware of future vulnerabilities. V. Disclosure Timeline ====================== See here : https://caravelahq.com/b/bitdefender/20876 18 OCT 2019 - Submission of a bypass over a bug bounty platform that requires submitters to agree to an NDA regardless of whether the vulnerability is recognised or not. 21 OCT 2019 - Bitdefender validated the report and assigned CVE-2019-17095 23 OCT 2019 "fix was also pushed via update. Can you please check?" OCT 2019 - Back and forth on whether this qualifies for a bug bounty. Bitdefender rep states "In my opinion, we should. It's not an usual engine bypass "undetected sample". It's exploiting a vulnerability to bypass the engines which, I see as something different. Will provide an official answer in the following days." - I continue submitting more Bitdefender bypasses 28 OCT 2019 - Bitdefender states "We're doing a review of this vector as a whole and putting the unpackers temporarily out of scope until we're done" 05 NOV 2019 - Bitdefender changes its mind "As a rule of thumb, this form of AV bypass (corrupting archive headers) is not and will not be rewardable." Discussion continue 26 NOV 2019 "Your reports are valid but they will not be treated as vulnerabilities or receive a generic fix at the moment (individual fixes may be implemented)." "PS: given that we won't be treating these as vulnerabilities, we're pulling back the 3 CVEs that may have been issued a bit too rashly." Editors Note: We qualified them as vulnerabilities and in scope of the bug bounty, now we changed our mind, they are valid yes, i.e they bypass the Engine, but they are not vulnerabilities. At this point the Terms I agreed to when signing up to the bug bounty platform would prevent me from disclosing or getting any sort of credit. Hence I decide to take my next report outside the platform and under my own terms that can be found here : https://caravelahq.com/b/policy/20949 OCT 30 2019 - Submitted new GZIP bypass report and sample over my ticketing system and under my terms, outside of the bug bounty platform. OCT 31 2019 - Bitdefender requests that I reupload the file as they accidently deleted it NOV 5 2019 - I continue to try to talk sense into this by sending a bunch of CVEs, reports, papers and presentations about this bug class. - I notify Bitdefender that "Also, I will stop reporting any further vulnerabilities to you under these condiions. I feel like you broke both contract and execution in good faith. When are you planning on notifying your customers?" NOV 5 2019 Bitdefender : "While this may change in the future. we're treating these types of AV evasion techniques as "won't fix", for now." NOV 14 2019 - Setting a temporary Disclosure data as per my Policy. - Asking to confirm the vulnerability or otherwise reply - No reply. NOV 21 2019 - Notifying Bitdefender that that in alignement to my policy, .i.e having received no updates that I will disclose without further coordination. NOV 26 2019 - Bitdefender issues a bounty for previous reports over the previously used bug bounty platform. DEC 2 2019 - Asking a second time for an upate (Bz2). No reply. DEC 6 2019 - Last attempt to contact them. Bz2) No reply. DEC 12 2019 Bitdefender silently fixes the vuln. "I noticed today the 12/12/2020 that you have deployed a fix for this. Do you have any statement or comment on why you choose to silently fix and give no credit whatsoever ?" DEC 12 2019 - Tweeted the Hash of the Report https://twitter.com/thierryzoller/status/1205115141832007680 DEC 13 2019 - Since I received no reply, I reached out to Bitdefender on an old thread on the previously used bug bounty platform. "Have you considered not paying a bounty but giving credit?" Bitdefender replies "This is literally the first time in 4 years of running the bug bounty program when we got "stuck" in a dispute of sorts with a researcher. I know what silent patching means and I'm fully aware (and against) this type of lack of transparency. And we also have a track record that shows we have absolutely no problem giving credit where credit was due. This is just a matter of you and us disagreeing on whether this is a vuln or not." N.B They clearly classified it as a vulnerability weeks before, multiple times. DEC 15 2019 - Reached out to Bitdefender again to ensure there is 0 excuse for miscommunication: "I'd like to make sure there are no misunderstandings if you recognize this bug class by either crediting or otherwise than I am happy to report any findings here, or outside. If you choose to continue to fix these silently and not even reply to my update requests I am not open in doing so. Let me know Bitdefenders' official position on this." DEC 16 2019 - "You shall be credited in our hall of fame and I'll post about this on Twitter." DEC 24 2019 - Release of this Advisory Note: The lenght you need to go through in 2019 to report vulnerabilities is astounding, it is also astounting to see how bug bounty platforms have the potential to be used to silence reports and/or researchers. Their terms and usages, introduces a new element and dynamic in the researcher / vendor relationship. Is it about time to push an FD culture again ?
VAR-202001-0612 CVE-2019-20004 Intelbras IWR 3000N Device password management vulnerability CVSS V2: 4.3
CVSS V3: 8.8
Severity: HIGH
An issue was discovered on Intelbras IWR 3000N 1.8.7 devices. When the administrator password is changed from a certain client IP address, administrative authorization remains available to any client at that IP address, leading to complete control of the router. Intelbras IWR 3000N The device contains a vulnerability related to the password management function.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Intelbras IWR 3000N is a wireless router made by Intelbras, Poland. There is a security vulnerability in Intelbras IWR 3000N 1.8.7 version. Attackers can use the vulnerability to control The router
VAR-202001-0784 CVE-2019-15984 Cisco Data Center Network Manager In SQL Injection vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. To exploit these vulnerabilities, an attacker would need administrative privileges on the DCNM application. For more information about these vulnerabilities, see the Details section of this advisory. Note: The severity of these vulnerabilities is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getCpuStatDataLengthES endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. The vulnerability stems from insufficient input validation provided by the user to the API
VAR-202001-0646 CVE-2019-11994 plural HPE SimpliVity Product vulnerable to path traversal CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
A security vulnerability has been identified in HPE SimpliVity 380 Gen 9, HPE SimpliVity 380 Gen 10, HPE SimpliVity 380 Gen 10 G, HPE SimpliVity 2600 Gen 10, SimpliVity OmniCube, SimpliVity OmniStack for Cisco, SimpliVity OmniStack for Lenovo and SimpliVity OmniStack for Dell nodes. An API is used to execute a command manifest file during upgrade does not correctly prevent directory traversal and so can be used to execute manifest files in arbitrary locations on the node. The API does not require user authentication and is accessible over the management network, resulting in the potential for unauthenticated remote execution of manifest files. For all customers running HPE OmniStack version 3.7.9 and earlier. HPE recommends upgrading the OmniStack software to version 3.7.10 or later, which contains a permanent resolution. Customers and partners who can upgrade to 3.7.10 should upgrade at the earliest convenience. For all customers and partners unable to upgrade their environments to the recommended version 3.7.10, HPE has created a Temporary Workaround https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=mmr_sf-EN_US000061901&withFrame for you to implement. All customer should upgrade to the recommended 3.7.10 or later version at the earliest convenience. plural HPE SimpliVity The product contains a path traversal vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. There are security holes in many HPE products
VAR-202001-0645 CVE-2019-11993 plural HPE SimpliVity Product vulnerabilities CVSS V2: 9.4
CVSS V3: 7.5
Severity: HIGH
A security vulnerability has been identified in HPE SimpliVity 380 Gen 9, HPE SimpliVity 380 Gen 10, HPE SimpliVity 380 Gen 10 G, HPE SimpliVity 2600 Gen 10, SimpliVity OmniCube, SimpliVity OmniStack for Cisco, SimpliVity OmniStack for Lenovo and SimpliVity OmniStack for Dell nodes. Two now deprecated APIs run as root, accept a file name path, and can be used to create or delete arbitrary files on the nodes. These APIs do not require user authentication and are accessible over the management network, resulting in remote availability and integrity vulnerabilities For all customers running HPE OmniStack version 3.7.9 and earlier. HPE recommends upgrading the OmniStack software to version 3.7.10 or later, which contains a permanent resolution. Customers and partners who can upgrade to 3.7.10 should upgrade at the earliest convenience. For all customers and partners unable to upgrade their environments to the recommended version 3.7.10, HPE has created a Temporary Workaround https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=mmr_sf-EN_US000061675&withFrame for you to implement. All customer should upgrade to the recommended 3.7.10 or later version at the earliest convenience. plural HPE SimpliVity The product contains an unspecified vulnerability.Information may be altered. There are security holes in many HPE products
VAR-202001-0781 CVE-2019-15981 Cisco Data Center Network Manager Path traversal vulnerability CVSS V2: 9.0
CVSS V3: 7.2
Severity: MEDIUM
Multiple vulnerabilities in the REST and SOAP API endpoints and the Application Framework feature of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device. To exploit these vulnerabilities, an attacker would need administrative privileges on the DCNM application. For more information about these vulnerabilities, see the Details section of this advisory. Note: The severity of these vulnerabilities is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within the SOAP storeConfigToFS endpoint of the WebAnalysisWSService/WebAnalysisWS path in the service. When parsing the arg0 parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of SYSTEM and to create a denial-of-service condition. The vulnerability stems from insufficient input validation provided by the user to the API. A remotely authenticated attacker with administrative rights can exploit this vulnerability by sending a specially crafted request to the API to read, write to any file, or execute any file in the system with full administrative rights. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions
VAR-202001-0780 CVE-2019-15980 Cisco Data Center Network Manager Path traversal vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
Multiple vulnerabilities in the REST and SOAP API endpoints and the Application Framework feature of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device. To exploit these vulnerabilities, an attacker would need administrative privileges on the DCNM application. For more information about these vulnerabilities, see the Details section of this advisory. Note: The severity of these vulnerabilities is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within the fm/fmrest/dbadmin/saveLicenseFileToServer path in the service. When parsing the fileNames parameter, the process does not properly validate a user-supplied path prior to using it in file operations. The vulnerability stems from insufficient input validation provided by the user to the API. A remotely authenticated attacker with administrative rights can exploit this vulnerability by sending a specially crafted request to the API to read, write to any file, or execute any file in the system with full administrative rights. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions
VAR-202001-0782 CVE-2019-15982 Cisco Data Center Network Manager Path traversal vulnerability CVSS V2: 9.0
CVSS V3: 7.2
Severity: HIGH
Multiple vulnerabilities in the REST and SOAP API endpoints and the Application Framework feature of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device. To exploit these vulnerabilities, an attacker would need administrative privileges on the DCNM application. For more information about these vulnerabilities, see the Details section of this advisory. Note: The severity of these vulnerabilities is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within the processing of requests to the upload endpoint. When parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of root. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions. A path traversal vulnerability exists in the Application Framework functionality in Cisco DCNM releases prior to 11.3(1) due to insufficient validation of user input sent to Application Framework endpoints
VAR-202001-0777 CVE-2019-15977 Cisco Data Center Network Manager Vulnerabilities related to the use of hard-coded credentials CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco Data Center Network Manager (DCNM) Contains a vulnerability in the use of hard-coded credentials.Information may be obtained. Authentication is not required to exploit this vulnerability.The specific flaw exists within the processing of web requests. The system contains a hard-coded administrator username and password that can be used to bypass authentication for some functions. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM. A hardcoded encryption key allows any user who accesses the encrypted password for the database to obtain the plaintext password. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions. The web management interface in versions prior to Cisco DCNM 11.3(1) has a trust management issue vulnerability. A remote attacker could exploit this vulnerability by using static credentials to bypass authentication
VAR-202001-0783 CVE-2019-15983 Cisco Data Center Network Manager In XML External entity vulnerabilities CVSS V2: 4.0
CVSS V3: 7.5
Severity: HIGH
A vulnerability in the SOAP API of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. To exploit this vulnerability, an attacker would need administrative privileges on the DCNM application. The vulnerability exists because the SOAP API improperly handles XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by inserting malicious XML content in an API request. A successful exploit could allow the attacker to read arbitrary files from the affected device. Note: The severity of this vulnerability is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one. Authentication is not required to exploit this vulnerability.The specific flaw exists within the processing of requests to the getInventoryIslList SOAP endpoint of DashboardWSService/DashboardWS. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker could leverage this vulnerability to disclose stored credentials, leading to further compromise. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions
VAR-202001-0785 CVE-2019-15985 Cisco Data Center Network Manager In SQL Injection vulnerability CVSS V2: 9.0
CVSS V3: 7.2
Severity: HIGH
Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. To exploit these vulnerabilities, an attacker would need administrative privileges on the DCNM application. For more information about these vulnerabilities, see the Details section of this advisory. Note: The severity of these vulnerabilities is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within the processing of requests to the DbInventoryWSService/DbInventoryWS service. When parsing the first parameter of the getEndPortConnectionsForStorageEnclosure endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. The vulnerability stems from insufficient input validation provided by the user to the API. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions
VAR-202001-0778 CVE-2019-15978 Cisco Data Center Network Manager In OS Command injection vulnerability CVSS V2: 9.0
CVSS V3: 7.2
Severity: HIGH
Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker with administrative privileges on the DCNM application to inject arbitrary commands on the underlying operating system (OS). For more information about these vulnerabilities, see the Details section of this advisory. Note: The severity of these vulnerabilities is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within the processing of requests to the fabrics endpoint. When parsing the name parameter in the createLanFabric method, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. The vulnerability stems from insufficient input validation provided by the user to the API. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions
VAR-202001-0775 CVE-2019-15975 Cisco Data Center Network Manager Vulnerabilities related to the use of hard-coded credentials CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco Data Center Network Manager (DCNM) Contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The issue results from trusting input that has been encrypted with a hard-coded and discoverable cryptographic key. An attacker can leverage this vulnerability to add new global admins to the system. The vulnerability stems from a static encryption key shared by all installations. A remote unauthenticated attacker could exploit this vulnerability by using a static key to create a valid session token to manage permissions and perform arbitrary operations through the REST API. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions
VAR-202001-0779 CVE-2019-15979 Cisco Data Center Network Manager In OS Command injection vulnerability CVSS V2: 9.0
CVSS V3: 7.2
Severity: HIGH
Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker with administrative privileges on the DCNM application to inject arbitrary commands on the underlying operating system (OS). For more information about these vulnerabilities, see the Details section of this advisory. Note: The severity of these vulnerabilities is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within the processing of requests to the importTS endpoint of the SanWSService/SanWS service. When parsing the certFile parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. The vulnerability stems from insufficient input validation provided by the user to the API. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions
VAR-202001-0776 CVE-2019-15976 Cisco Data Center Network Manager Vulnerabilities related to the use of hard-coded credentials CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco Data Center Network Manager (DCNM) Contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Authentication is not required to exploit this vulnerability.The specific flaw exists within the validation of SSO tokens of SOAP packets. The issue results from the use of a hard-coded key to validate the message digest. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM. The vulnerability stems from a static encryption key shared by all installations. A remote unauthenticated attacker could exploit this vulnerability by using a static key to create a valid session token to manage permissions and perform arbitrary operations through the REST API. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions. A trust management issue vulnerability existed in Cisco DCNM prior to 11.3(1) due to the presence of static credentials in the software
VAR-202001-1982 No CVE C2000-B2-SFE0101-BB1 Denial of Service Vulnerability in Serial Server CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
C2000-B2-SIE0101-BB1 is an industrial-grade serial device networking server. A denial of service vulnerability exists in the C2000-B2-SFE0101-BB1 serial server. An attacker can use this vulnerability to cause the server to deny service.