VARIoT IoT vulnerabilities database

VAR-201911-1204 CVE-2019-13535 Medtronic Valleylab FT10 and Valleylab LS10 Energy Platform Information Disclosure Vulnerability CVSS V2: 2.1
CVSS V3: 4.6
Severity: MEDIUM
In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States) version 1.20.2 and lower, the RFID security mechanism does not apply read protection, allowing for full read access of the RFID security mechanism data. The Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) and Valleylab LS10 Energy Platform therefore contain an information disclosure vulnerability: the data held by the RFID security mechanism may be obtained by anyone able to read the tag.
VAR-201911-0876 CVE-2019-6337 HP Inkjet Printer reachable assertion vulnerability CVSS V2: 3.3
CVSS V3: 5.2
Severity: MEDIUM
For the printers listed, a maliciously crafted print file might cause certain HP Inkjet printers to assert. Under certain circumstances, the printer produces a core dump to a local device. The affected HP Inkjet printers therefore contain a reachable-assertion vulnerability: information may be obtained from the core dump and service operation may be interrupted (DoS). HP Inkjet printers are the Inkjet series of printers from Hewlett-Packard (HP). The flaw lies in the printer's handling of crafted print files.
VAR-201911-1203 CVE-2019-13531 Medtronic Valleylab FT10 Energy Platform and Valleylab LS10 Energy Platform Authentication vulnerability CVSS V2: 2.1
CVSS V3: 4.6
Severity: MEDIUM
In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States) version 1.20.2 and lower, the RFID security mechanism used for authentication between the FT10/LS10 Energy Platform and instruments can be bypassed, allowing for inauthentic instruments to connect to the generator. The Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) and Valleylab LS10 Energy Platform therefore contain an authentication vulnerability. Information may be tampered with. Medtronic Valleylab FT10 (VLFT10GEN) 2.1.0 and earlier, 2.0.3 and earlier, and Valleylab LS10 Energy Platform (VLLS10GEN) 1.20.2 and earlier have an authentication-bypass vulnerability that an attacker can use to connect an inauthentic instrument to the generator.
VAR-201911-1205 CVE-2019-13539 plural Medtronic Valleylab Vulnerability related to input validation in products CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, attackers can use the other vulnerabilities within this report to obtain local shell access and read these hashes. descrypt (the traditional DES-based crypt(3)) truncates passwords to eight characters and uses only a 12-bit salt, so recovered hashes can be brute-forced offline with little effort. Medtronic Valleylab FT10 and Valleylab FX8 are both medical energy-platform generators from Medtronic.
VAR-201911-0597 CVE-2019-17222 Intelbras WRN 150 cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
An issue was discovered on Intelbras WRN 150 1.0.17 devices. There is stored XSS in the Service Name tab of the WAN configuration screen, leading to a denial of service (inability to change the configuration). The Intelbras WRN 150 device therefore contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Intelbras WRN 150 is a wireless router from the Brazilian company Intelbras. The vulnerability stems from the web application's failure to properly validate and encode client-supplied data before rendering it back into the configuration page. An attacker can use this vulnerability to execute script in the browser of an administrator who views the affected page.
VAR-201911-0362 CVE-2019-3422 MF910S Vulnerable to information disclosure CVSS V2: 1.9
CVSS V3: 6.2
Severity: MEDIUM
The SEC Consult Vulnerability Lab reported an information disclosure vulnerability in the MF910S product to ZTE PSIRT in October 2019. The ZTE product team analysed the report and confirmed the vulnerability. The Telnet remote login password of the MF910S can be recovered by reverse engineering the product's one-click upgrade tool. If Telnet is enabled, an attacker can log in to the device remotely with the recovered password, resulting in information leakage. The MF910S reached end of service on October 23, 2019; ZTE recommends that users move to newer products for better security. The MF910S contains an information disclosure vulnerability. Information may be obtained. ZTE MF910S is a portable 4G wireless router from ZTE Corporation of China. The vulnerability stems from a hard-coded administrator password shipped in the firmware. Unauthorized attackers can use the vulnerability to obtain sensitive information about the affected components.

SEC Consult Vulnerability Lab Security Advisory < 20200827-0 >
=======================================================================
              title: Multiple Vulnerabilities
            product: ZTE mobile Hotspot MF910S
 vulnerable version: DL_MF910S_CN_EUV1.00.01
      fixed version: -
         CVE number: CVE-2019-3422
             impact: High
           homepage: https://www.zte.com.cn
              found: 2019-09-25
                 by: Ying Shen T.
=======================================================================

Founded in 1985 and listed on both the Hong Kong and Shenzhen Stock Exchanges, the company has been committed to providing integrated end-to-end innovations to deliver excellence and value to consumers, carriers, businesses and public sector customers from over 160 countries around the world to enable increased connectivity and productivity."

Source: https://www.zte.com.cn/global/about/corporate_information

Business recommendation:
------------------------
The vendor recommends to change the hardware and use a newer product.
SEC Consult recommends to remove the device from productive environments.

Vulnerability overview/description:
-----------------------------------
1) Hard-coded Administrator Password
The hard-coded administrator password was found in the ZTE mobile hotspot MF910S firmware version "CN_EUV1.00.01", which is available at:
http://devicedownload.zte.com.cn/support/product/201701161506340/soft/20170116151106465.zip

2) Known BusyBox Vulnerabilities
The used BusyBox toolkit in version 1.15.0 is outdated and contains multiple known vulnerabilities. The outdated version was found by IoT Inspector. One of the discovered vulnerabilities (CVE-2017-16544) was verified by using the MEDUSA scalable firmware run-time.

3) Known Backdoor in GoAhead Webserver
An unusual "telnetd" port was identified on an emulated device, which led to the assumption that a backdoor can be opened via the GoAhead web server. This conclusion was drawn because of a blog post from another researcher:
http://blog.asiantuntijakaveri.fi/2017/03/backdoor-and-root-shell-on-zte-mf286.html
By partially reverse engineering the binaries of the GoAhead web server, the functionality described in the corresponding blog post can be underpinned.

Proof of concept:
-----------------
1) Hard-coded Administrator Password
The firmware file (ZTE_MF910SV1.0.1B09.bin) is using the JFFS2 filesystem, which was extracted. The hard-coded password can be found in the /etc/shadow file within the firmware:
/_DL_MF910S_CN_EUV1.00.01.exe.extracted/Data/version/_ZTE_MF910SV1.0.1B09.bin.extracted/jffs2-root/fs_1/etc/shadow

The file content is shown below:
-------------------------------------------------------------------------------
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::
-------------------------------------------------------------------------------
Both the user "root" and "Admin" are using the same weak hard-coded password "5up".

2) Known BusyBox Vulnerabilities
BusyBox version 1.12.0 contains multiple CVEs like: CVE-2013-1813, CVE-2016-2148, CVE-2016-6301, CVE-2011-2716, CVE-2011-5325, CVE-2015-9261, CVE-2016-2147 and more.
The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on an emulated device. A file with the name "\ectest\n\e]55;test.txt\a" was created to trigger the vulnerability.
-------------------------------------------------------------------------------
# ls "pressing <TAB>"
test
]55;test.txt
#
-------------------------------------------------------------------------------

3) Known Backdoor in GoAhead Webserver
Starting the telnet daemon on the emulated device leads to a listener on a very unusual port:
[...]
# telnetd
# netstat -tulen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:4719            0.0.0.0:*               LISTEN
[...]
Because this does not seem to be configured on the system by any file, the BusyBox binary was inspected. The pseudocode snippet of BusyBox' telnetd function that was generated by Hex-Rays ARM Decompiler indicated that this port was hard-coded:
<snip>
  dword_788DC = (int)"/bin/login";
  dword_788E0 = (int)"/etc/issue.net";
  v3 = sub_5DBFC(a2, "f:l:Kip:b:F", &dword_788E0, &dword_788DC, &v76, &v75);
  v4 = v3 & 8;
  v5 = v3;
  if ( !(v3 & 8) && !(v3 & 0x40) )
    sub_64A10(v3 & 8);
  if ( (v5 & 0x48) != 64 )
  {
    openlog((const char *)dword_798DC, 1, 24);
    dword_78630 = 2;
  }
  if ( v5 & 0x10 )
    v6 = sub_64FF8(v76);
  else
    v6 = 4719;                     <------------------------------------- Port "4719"
  if ( !v4 )
  {
    v2 = sub_65578(v75, v6);
    sub_E394(v2, 1);
    sub_D9B0(v2);
    goto LABEL_13;
  }
  dword_788D8 = (int)sub_1C480(0);
  if ( dword_788D8 )
  {
<snip>
This led to the assumption that the GoAhead web server was modified as described in the following blog post:
http://blog.asiantuntijakaveri.fi/2017/03/backdoor-and-root-shell-on-zte-mf286.html
Inspecting the GoAhead web server binary reinforces this assumption. The pseudocode was generated with Hex-Rays ARM Decompiler, like for the prior BusyBox binary:
<snip>
int __fastcall sub_21D48(int a1)
{
  int v1; // r5
  const char *v2; // r4

  v1 = a1;
  cfg_get("debug_level");
  v2 = (const char *)sub_17DF0(v1, "change_mode", "");
  cfg_set("login_9527", "1");
  if ( !strcmp("1", v2) )
  {
    cfg_set("change_mode", "1");
    cfg_get("debug_level");
    system("mode_change 1");
  }
  else if ( !strcmp("2", v2) )          <--- change mode "2"
  {
    cfg_get("debug_level");
    system("telnetd &");                <--------- telnet daemon started
  }
  else if ( !strcmp("3", v2) )
  {
    cfg_get("debug_level");
    system("rem_start.sh &");
  }
  else if ( !strcmp("4", v2) )
  {
    cfg_get("debug_level");
    system("rem_kill.sh &");
  }
  else
  {
    cfg_set("change_mode", "0");
    cfg_get("debug_level");
    system("mode_change 0");
  }
  return sub_34374(v1, "success");
}
<snip>
Other scripts could also be started via the web server, like "rem_start.sh". This script contains the following lines:

#!/bin/sh
if ps|grep remserial
then
  echo "remserial is running.."
else
  remserial -p 10005 -r 192.168.1.10 -s "115200 raw" /dev/ttyUSB0 &
fi

That means that a serial console with the speed of 115200 Baud on port 10005 is started.

Vulnerable / tested versions:
-----------------------------
The following firmware has been tested, which was the latest version available during the time of the test:
* DL_MF910S_CN_EUV1.00.01

Vendor contact timeline:
------------------------
2019-09-30: Contacting vendor through psirt@zte.com.cn
2019-10-10: Vendor provides initial contact.
2019-10-14: Vendor confirmed receipt of the advisory.
2019-10-15: ZTE confirmed the hard-coded administrator password issue. The GoAhead webserver backdoor is still being analyzed.
2019-11-05: ZTE released a Security Bulletin that the product MF910S is end-of-service*.
2020-08-27: Release of security advisory.

* http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1011722

Solution:
---------
Upgrade to new hardware.

Workaround:
-----------
None.

It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers.

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Thomas Weber / @2020
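The two credential findings on this page, descrypt OS password hashes in the Medtronic Valleylab entry (CVE-2019-13539) and the MF910S shadow file quoted in the advisory above (md5crypt with an empty salt, one hash shared by root and Admin, several accounts with an empty password field), are the kind of thing a firmware review should catch mechanically. The script below is an added example written for this page; it is not code from VARIoT, SEC Consult, ZTE or Medtronic. It parses an /etc/shadow pulled out of an extracted image and reports those weaknesses. The embedded shadow text is the one quoted in the advisory plus one constructed "service" line with a 13-character descrypt hash for illustration; the prefix table and the "weak"/"ok" ratings are the example's own assumptions.

```python
"""Audit an /etc/shadow from a firmware image for weak credential hygiene.

Added example for this page (not vendor or VARIoT code). Sample data below:
the MF910S shadow quoted in the SEC Consult advisory plus one constructed
'service' line carrying a descrypt hash.
"""
from collections import defaultdict

# crypt(3) prefixes and how a reviewer would rate them (assumed ratings).
ALGO_BY_PREFIX = {
    "$1$": ("md5crypt", "weak"),
    "$2a$": ("bcrypt", "ok"), "$2b$": ("bcrypt", "ok"), "$2y$": ("bcrypt", "ok"),
    "$5$": ("sha256crypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$7$": ("scrypt", "ok"),
    "$y$": ("yescrypt", "ok"),
}

# Constructed sample: advisory shadow + one descrypt line for 'service'.
SAMPLE_SHADOW = """\
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::
service:abJnggxhB/yWI:10933:0:99999:7:::
"""


def classify_hash(field):
    """Return (algorithm, rating) for one shadow password field."""
    if field == "":
        return ("none", "empty")            # account logs in with no password
    if field == "*" or field.startswith("!"):
        return ("locked", "locked")         # no valid hash, login disabled
    for prefix, (algo, rating) in ALGO_BY_PREFIX.items():
        if field.startswith(prefix):
            return (algo, rating)
    if len(field) == 13 and "$" not in field:
        return ("descrypt", "weak")         # 2-char (12-bit) salt, 8-char password limit
    return ("unknown", "unknown")


def salt_of(field):
    """Salt of a $id$salt$hash field, or None when the format has no such slot."""
    parts = field.split("$")
    return parts[2] if len(parts) >= 4 else None


def audit_shadow(text):
    """Parse shadow lines; return a sorted list of (user, finding) tuples."""
    findings = []
    users_by_hash = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        algo, rating = classify_hash(pw)
        if rating == "empty":
            findings.append((user, "empty password field"))
        elif rating == "weak":
            findings.append((user, f"weak legacy hash ({algo})"))
            if salt_of(pw) == "":
                findings.append((user, "empty salt"))
        if rating in ("weak", "ok", "unknown"):
            users_by_hash[pw].append(user)   # identical hash => identical password
    for users in users_by_hash.values():
        if len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings.append((u, "hash shared with " + others))
    return sorted(findings)


if __name__ == "__main__":
    for user, what in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:10s} {what}")
```

Run it against the shadow of any extracted image (`audit_shadow(open(path).read())`); an empty salt on a $1$ hash, as in the advisory, means the same password always produces the same hash, so a single lookup cracks every device shipping that image.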
VAR-201911-1206 CVE-2019-13543 plural Medtronic Valleylab Vulnerabilities related to the use of hard-coded credentials in products CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use multiple sets of hard-coded credentials. If discovered, they can be used to read files on the device. Medtronic Valleylab FT10 and Valleylab FX8 are both medical energy-platform generators from Medtronic.
VAR-201911-1189 CVE-2019-13557 Philips Tasy EMR and Tasy WebPortal Information Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
In Tasy EMR, Tasy WebPortal Versions 3.02.1757 and prior, there is an information exposure vulnerability which may allow a remote attacker to access system and configuration information. Tasy EMR and Tasy WebPortal therefore contain an information disclosure vulnerability. Information may be obtained. Philips Tasy EMR and Tasy WebPortal are Philips products; Tasy WebPortal is a web-based portal system. An unauthorized remote attacker can exploit the vulnerability to obtain sensitive system and configuration information about the affected components.
VAR-201911-1188 CVE-2019-13555 Made by Mitsubishi Electric MELSEC-Q series CPU Unit and MELSEC-L series CPU Unit FTP Server function resource exhaustion vulnerability CVSS V2: 4.3
CVSS V3: 5.9
Severity: MEDIUM
In Mitsubishi Electric MELSEC-Q Series Q03/04/06/13/26UDVCPU: serial number 21081 and prior, Q04/06/13/26UDPVCPU: serial number 21081 and prior, and Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: serial number 21081 and prior, MELSEC-L Series L02/06/26CPU, L26CPU-BT: serial number 21101 and prior, L02/06/26CPU-P, L26CPU-PBT: serial number 21101 and prior, and L02/06/26CPU-CM, L26CPU-BT-CM: serial number 21101 and prior, a remote attacker can cause the FTP service to enter a denial-of-service condition dependent on the timing at which a remote attacker connects to the FTP server on the above CPU modules. The FTP server function of the MELSEC-Q series and MELSEC-L series CPU units provided by Mitsubishi Electric Corporation has a resource exhaustion vulnerability (CWE-400). The product's FTP server function may be put into a denial-of-service (DoS) state, in which FTP clients can no longer connect to it. According to the developer, only the FTP server function is affected. The developer reported this vulnerability to JPCERT/CC in order to notify product users, and JPCERT/CC coordinated the disclosure with the developer. The Mitsubishi Electric MELSEC-Q Series and MELSEC-L Series are programmable logic controller families from Mitsubishi Electric Corporation of Japan.
VAR-202009-0515 CVE-2019-15969 Cisco Web Security Appliance  Cross-site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
A vulnerability in the web-based management interface of Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script or HTML code in the context of the interface, which could allow the attacker to gain access to sensitive, browser-based information. The device provides SaaS-based access control, real-time network reporting and tracking, and formulating security policies. The vulnerability stems from the program's failure to fully verify the input submitted by the user
VAR-201911-1118 CVE-2019-15276 Cisco Wireless LAN Controller Software input validation vulnerability CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
A vulnerability in the web interface of Cisco Wireless LAN Controller Software could allow a low-privileged, authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability exists due to a failure of the HTTP parsing engine to handle specially crafted URLs. An attacker could exploit this vulnerability by authenticating with low privileges to an affected controller and submitting the crafted URL to the web interface of the affected device. Conversely, an unauthenticated attacker could exploit this vulnerability by persuading a user of the web interface to click the crafted URL. A successful exploit could allow the attacker to cause an unexpected restart of the device, resulting in a DoS condition
VAR-201911-1303 CVE-2019-15956 Cisco AsyncOS Software and Cisco Web Security appliance vulnerable to unauthorized authentication CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
A vulnerability in the web management interface of Cisco AsyncOS Software for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform an unauthorized system reset on an affected device. The vulnerability is due to improper authorization controls for a specific URL in the web management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could have a twofold impact: the attacker could either change the administrator password, gaining privileged access, or reset the network configuration details, causing a denial of service (DoS) condition. In both scenarios, manual intervention is required to restore normal operations. Cisco WSA provides SaaS-based access control, real-time network reporting and tracking, and security policy formulation; AsyncOS is the operating system that runs on the appliance. AsyncOS Software in Cisco WSA has an access control vulnerability.
VAR-201911-1304 CVE-2019-15958 Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Input validation vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A vulnerability in the REST API of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network Manager (EPNM) could allow an unauthenticated remote attacker to execute arbitrary code with root privileges on the underlying operating system. The vulnerability is due to insufficient input validation during the initial High Availability (HA) configuration and registration process of an affected device. An attacker could exploit this vulnerability by uploading a malicious file during the HA registration period. A successful exploit could allow the attacker to execute arbitrary code with root-level privileges on the underlying operating system. Note: This vulnerability can only be exploited during the HA registration period. See the Details section for more information. Cisco Prime Infrastructure Software is a foundational network lifecycle management solution. The product integrates Cisco Prime LAN Management Solution (LMS) and Cisco Prime Network Control System (NCS). The following products and versions are affected: Cisco PI Software prior to 3.4.2, prior to 3.5.1, prior to 3.6.0 Update 02; Cisco EPNM prior to 3.0.2
VAR-201911-1776 CVE-2019-15960 Cisco Webex Meetings Vulnerability in Permission Management CVSS V2: 6.5
CVSS V3: 5.4
Severity: MEDIUM
A vulnerability in the Webex Network Recording Admin page of Cisco Webex Meetings could allow an authenticated, remote attacker to elevate privileges in the context of the affected page. To exploit this vulnerability, the attacker must be logged in as a low-level administrator. The vulnerability is due to insufficient access control validation. An attacker could exploit this vulnerability by submitting a crafted URL request to gain privileged access in the context of the affected page. A successful exploit could allow the attacker to elevate privileges in the Webex Recording Admin page, which could allow them to view or delete recordings that they would not normally be able to access. Cisco Webex Meetings therefore contains a privilege management vulnerability. Information may be obtained and information may be altered. Cisco Webex Meetings is Cisco's video conferencing solution suite.
VAR-201911-1321 CVE-2019-15973 Cisco Industrial Network Director Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected application. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected application. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. The system implements automated management through visual operation of industrial Ethernet infrastructure
VAR-201911-1949 No CVE Multiple D-Link Product Management Password Leak Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
D-Link DIR-652, DIR-615, DIR-827, DIR-657, and DIR-825 are all D-Link wireless router products. Several D-Link products have a management-password leak vulnerability. An attacker could use this vulnerability to obtain the management password and other sensitive information, which may lead to further attacks.
VAR-201911-1784 No CVE GE PLC IC695CPE330 has authentication bypass vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
GE PLC IC695CPE330 is a programmable logic controller from General Electric. GE PLC IC695CPE330 has an authentication bypass vulnerability. Attackers can use this vulnerability to bypass permission verification and obtain all web content
VAR-202003-0962 CVE-2019-20499 D-Link DWL-2600AP In OS Command injection vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-202003-0030, VAR-E-201905-0044
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Restore Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_restore configRestore or configServerip parameter. An OS command injection vulnerability therefore exists in the D-Link DWL-2600AP. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). D-Link DWL-2600AP is a wireless access point. The Restore Configuration function of the DWL-2600AP web interface has a command injection vulnerability; an authenticated attacker can use it to execute arbitrary operating system commands on the device.
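The pattern behind this entry is a CGI handler that splices a request parameter into a shell command string and hands it to system(). The C below is an added example for this page, not D-Link firmware code: it shows such a handler next to a hardened version that validates configServerip and the restore file name against strict allow-lists and then execv()s the binary directly, so no shell ever sees the input. The parameter names come from the advisory text; that the restore is fetched with tftp, the binary path and the file-name rules are assumptions of the example.

```c
/* Added example (not D-Link's code): an OS-command-injectable config-restore
 * CGI handler and one way to harden it.  Parameter names (configServerip,
 * configRestore) follow the advisory; wrapping tftp is an assumption. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE: attacker-controlled fields are formatted into a shell command.
 * configServerip="192.168.1.10;telnetd -l /bin/sh" runs telnetd as the CGI
 * user (root on most embedded devices) once the caller does system(out). */
int build_restore_cmd_unsafe(char *out, size_t outlen,
                             const char *server_ip, const char *file)
{
    int n = snprintf(out, outlen, "tftp -g -r %s -l /tmp/config.bin %s",
                     file, server_ip);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* HARDENED step 1: allow-list validation.  inet_pton() accepts only a real
 * dotted-quad, so ';', '`', '$(', '|' and friends are all rejected. */
int is_valid_ipv4(const char *s)
{
    struct in_addr a;
    return s != NULL && strlen(s) <= 15 && inet_pton(AF_INET, s, &a) == 1;
}

/* File name: 1..64 chars from [A-Za-z0-9._-], never "." or "..". */
int is_safe_filename(const char *s)
{
    size_t i, n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > 64) return 0;
    for (i = 0; i < n; i++) {
        char c = s[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return 0;
    }
    return strcmp(s, ".") != 0 && strcmp(s, "..") != 0;
}

/* HARDENED step 2: no shell.  Build an argv and execv() the binary, so the
 * kernel receives the parameters as separate strings and metacharacters are
 * never interpreted.  Returns -1 if a parameter is rejected or exec fails,
 * 0 in dry-run mode (validate only), otherwise the child's exit status. */
int restore_config_safe(const char *server_ip, const char *file, int dry_run)
{
    if (!is_valid_ipv4(server_ip) || !is_safe_filename(file)) return -1;
    if (dry_run) return 0;
    const char *argv[] = { "/usr/bin/tftp", "-g", "-r", file,
                           "-l", "/tmp/config.bin", server_ip, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], (char * const *)argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    const char *evil = "192.168.1.10;telnetd -l /bin/sh";   /* constructed input */
    build_restore_cmd_unsafe(cmd, sizeof cmd, evil, "config.bin");
    printf("unsafe command string: %s\n", cmd);   /* a shell would start telnetd */
    printf("hardened verdict for evil input: %d\n",
           restore_config_safe(evil, "config.bin", 1));              /* -1 */
    printf("hardened verdict for clean input: %d\n",
           restore_config_safe("192.168.1.10", "config.bin", 1));    /* 0 */
    return 0;
}
```

The dry-run flag exists only so the validation path can be exercised without a tftp binary present; in a real handler every parameter that reaches exec should pass a validator of this shape, and the handler should also confirm the request is authenticated and, for a state-changing action, carries an anti-CSRF token.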
VAR-201912-1558 CVE-2019-2288 plural Qualcomm Classic buffer overflow vulnerability in products CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
Out of bound write in TZ while copying the secure dump structure on HLOS provided buffer as a part of memory dump in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8976, MSM8996, MSM8996AU, MSM8998, QCA8081, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, Snapdragon_High_Med_2016, SXR1130. Multiple Qualcomm products therefore contain a classic buffer overflow vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Qualcomm MDM9206 is one of the affected Qualcomm chipsets. QTEE (the Qualcomm Trusted Execution Environment running in TrustZone) in multiple Qualcomm products has a buffer overflow vulnerability: TZ does not correctly check the bounds of the HLOS-supplied buffer when copying the secure dump structure into it, so the copy writes past the end of that buffer into adjacent memory. An attacker able to influence the dump buffer could use this to corrupt memory.
VAR-201911-1030 CVE-2019-16400 plural Samsung Galaxy Injection vulnerabilities in product devices CVSS V2: 3.3
CVSS V3: 6.5
Severity: MEDIUM
Samsung Galaxy S8 plus (Android version: 8.0.0, Build Number: R16NW.G955USQU5CRG3, Baseband Vendor: Qualcomm Snapdragon 835, Baseband: G955USQU5CRG3), Samsung Galaxy S3 (Android version: 4.3, Build Number: JSS15J.I9300XXUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: I9300XXUGNA8), and Samsung Galaxy Note 2 (Android version: 4.3, Build Number: JSS15J.I9300XUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: N7100DDUFND1) devices allow attackers to send AT commands over Bluetooth, resulting in several Denial of Service (DoS) attacks. Samsung Galaxy S8 plus, Samsung Galaxy S3 and Samsung Galaxy Note 2 devices therefore have an injection vulnerability. Service operation may be interrupted (DoS).