VARIoT IoT vulnerabilities database

VAR-201906-0523 CVE-2019-12870 Phoenix Contact Automation Worx Software Suite Uninitialized Pointer Access Vulnerability CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Worx Express through 1.86, and Config+ through 1.86. A manipulated PC Worx or Config+ project file could lead to an Uninitialized Pointer and remote code execution. The attacker needs to get access to an original PC Worx or Config+ project file to be able to manipulate it. After manipulation, the attacker needs to exchange the original file with the manipulated one on the application programming workstation. PHOENIX CONTACT PC Worx, PC Worx Express, and Config+ contain an uninitialized pointer access vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Phoenix Contact Automationworx. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of BCP files. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. The Automation Worx Software Suite is an automation package from Phoenix Contact. Failed exploit attempts will likely cause a denial-of-service condition.
VAR-201906-0522 CVE-2019-12869 Multiple PHOENIX CONTACT products out-of-bounds vulnerability CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Worx Express through 1.86, and Config+ through 1.86. A manipulated PC Worx or Config+ project file could lead to an Out-Of-Bounds Read, Information Disclosure, and remote code execution. The attacker needs to get access to an original PC Worx or Config+ project file to be able to manipulate it. After manipulation, the attacker needs to exchange the original file with the manipulated one on the application programming workstation. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Phoenix Contact Automationworx. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of BCP files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. The Automation Worx Software Suite is an automation package from Phoenix Contact. Failed exploit attempts will likely cause a denial-of-service condition.
VAR-201906-0572 CVE-2019-1629 Cisco Integrated Management Controller Vulnerabilities related to lack of authentication for critical functions CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
A vulnerability in the configuration import utility of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to have write access and upload arbitrary data to the filesystem. The vulnerability is due to a failure to delete temporarily uploaded files. An attacker could exploit this vulnerability by crafting a malicious file and uploading it to the affected device. An exploit could allow the attacker to fill up the filesystem or upload malicious scripts. Cisco Integrated Management Controller (IMC) is vulnerable to a lack of authentication for critical functions. Information may be tampered with. This may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCvo35982. The software supports HTTP, SSH access, etc., and can perform operations such as starting, shutting down and restarting the server.
VAR-201906-0888 CVE-2018-16119 TP-Link WR1043nd Buffer error vulnerability CVSS V2: 9.0
CVSS V3: 7.2
Severity: HIGH
Stack-based buffer overflow in the httpd server of TP-Link WR1043nd (Firmware Version 3) allows remote attackers to execute arbitrary code via a malicious MediaServer request to /userRpm/MediaServerFoldersCfgRpm.htm. TP-Link WR1043nd contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). TP-Link TL-WR1043ND is a wireless router from China TP-Link. A buffer overflow vulnerability exists in TP-Link TL-WR1043ND. An attacker could exploit the vulnerability to cause a buffer overflow or heap overflow. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations.
VAR-201906-1260 CVE-2019-1628 Cisco Integrated Management Controller Integer underflow vulnerability CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
A vulnerability in the web server of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to cause a buffer overflow, resulting in a denial of service (DoS) condition on an affected device. The vulnerability is due to incorrect bounds checking. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected system. An exploit could allow the attacker to cause a buffer overflow, resulting in a process crash and DoS condition on the device. The software supports HTTP, SSH access, etc., and can perform operations such as starting, shutting down and restarting the server. A number error vulnerability exists in the web server in Cisco IMC due to improper bounds checking
VAR-201906-0546 CVE-2019-12919 Shenzhen Cylan Cylan Clever Dog Smart Camera DOG-2W and DOG-2W-V4 Information disclosure vulnerabilities in devices CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
On Shenzhen Cylan Clever Dog Smart Camera DOG-2W and DOG-2W-V4 devices, an attacker on the local network has unauthenticated access to the internal SD card via the HTTP service on port 8000. The HTTP web server on the camera allows anyone to view or download the video archive recorded and saved on the external memory card attached to the device. Shenzhen Cylan Clever Dog Smart Camera DOG-2W and DOG-2W-V4 devices contain an information disclosure vulnerability. Information may be obtained. Shenzhen Cylan Technology Clever Dog Smart Camera DOG-2W and Shenzhen Cylan Technology Clever Dog Smart Camera DOG-2W-V4 are smart cameras from China's Shenzhen Cylan Technology. Security vulnerabilities exist in Shenzhen Cylan Technology Clever Dog Smart Camera DOG-2W and Shenzhen Cylan Technology Clever Dog Smart Camera DOG-2W-V4.
VAR-201906-0547 CVE-2019-12920 Shenzhen Cylan Technology Clever Dog Smart Camera DOG-2W and DOG-2W-V4 Trust Management Issue Vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
On Shenzhen Cylan Clever Dog Smart Camera DOG-2W and DOG-2W-V4 devices, an attacker on the network can login remotely to the camera and gain root access. The device ships with a hardcoded 12345678 password for the root account, accessible from a TELNET login prompt. Shenzhen Cylan Clever Dog Smart Camera DOG-2W and DOG-2W-V4 devices contain a vulnerability related to the use of hard-coded credentials. Information may be obtained or altered, and service operation may be disrupted (DoS). Shenzhen Cylan Technology Clever Dog Smart Camera DOG-2W and Shenzhen Cylan Technology Clever Dog Smart Camera DOG-2W-V4 are smart cameras from China's Shenzhen Cylan Technology.
VAR-201906-0408 CVE-2019-6964 RDK RDKB CcspPandM Module out-of-bounds reading vulnerability CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
A heap-based buffer over-read in Service_SetParamStringValue in cosa_x_cisco_com_ddns_dml.c of the RDK RDKB-20181217-1 CcspPandM module may allow attackers with login credentials to achieve information disclosure and code execution by crafting an AJAX call responsible for DDNS configuration with an exactly 64-byte username, password, or domain, for which the buffer size is insufficient for the final '\0' character. This is related to the CcspCommonLibrary and WebUI modules. The RDK RDKB CcspPandM module contains an out-of-bounds vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). RDK is a set of modular, portable, and customizable open source IoT software solutions for the RDK Management community. CcspPandM is one of the modules used to implement the core configuration and management functions of the device. A buffer error vulnerability exists in the 'Service_SetParamStringValue' function of the cosa_x_cisco_com_ddns_dml.c file of the CcspPandM module in the RDK RDKB-20181217-1 version. The vulnerability originates from a network system or product that incorrectly validates data boundaries when performing operations on memory, causing incorrect read and write operations to be performed on other associated memory locations. An attacker could use this vulnerability to cause a buffer overflow or heap overflow.
VAR-201906-0407 CVE-2019-6963 RDK RDKB CcspPandM Module buffer error vulnerability CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
A heap-based buffer overflow in cosa_dhcpv4_dml.c in the RDK RDKB-20181217-1 CcspPandM module may allow attackers with login credentials to achieve remote code execution by crafting a long buffer in the "Comment" field of an IP reservation form in the admin panel. This is related to the CcspCommonLibrary module. The RDK RDKB CcspPandM module contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). RDK is a set of modular, portable, and customizable open source IoT software solutions for the RDK Management community. CcspPandM is one of the modules used to implement the core configuration and management functions of the device. A buffer error vulnerability exists in the cosa_dhcpv4_dml.c file of the CcspPandM module in the RDK RDKB-20181217-1 version. The vulnerability originates from a network system or product that incorrectly validates data boundaries when performing operations on memory, causing incorrect read and write operations to be performed on other associated memory locations. An attacker could use this vulnerability to cause a buffer overflow or heap overflow.
VAR-201906-0405 CVE-2019-6961 RDK RDKB WebUI Module access control vulnerability CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
Incorrect access control in actionHandlerUtility.php in the RDK RDKB-20181217-1 WebUI module allows a logged in user to control DDNS, QoS, RIP, and other privileged configurations (intended only for the network operator) by sending an HTTP POST to the PHP backend, because the page filtering for non-superuser (in header.php) is done only for GET requests and not for direct AJAX calls. The RDK RDKB WebUI module contains an access control vulnerability. Information may be tampered with. RDK Management RDK is a modular, portable, and customizable open source IoT software solution for the RDK Management community.
VAR-201906-0406 CVE-2019-6962 RDK RDKB CcspWifiAgent Command injection vulnerability in module CVSS V2: 8.5
CVSS V3: 7.5
Severity: HIGH
A shell injection issue in cosa_wifi_apis.c in the RDK RDKB-20181217-1 CcspWifiAgent module allows attackers with login credentials to execute arbitrary shell commands under the CcspWifiSsp process (running as root) if the platform was compiled with the ENABLE_FEATURE_MESHWIFI macro. The attack is conducted by changing the Wi-Fi network password to include crafted escape characters. This is related to the WebUI module. The RDK RDKB CcspWifiAgent module contains a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). RDK is a set of modular, portable, and customizable open source IoT software solutions for the RDK Management community. CcspWifiAgent is one of the modules that support the WiFi function. The cosa_wifi_apis.c file of the CcspWifiAgent module in the RDK RDKB-20181217-1 version has a security vulnerability. The RDK RDKB-20181217-1 CcspWifiAgent module could allow a remote authenticated malicious user to execute arbitrary commands on the system, caused by a flaw in cosa_wifi_apis.c.
VAR-201906-0576 CVE-2019-12280 PC-Doctor Toolbox Vulnerabilities in uncontrolled search path elements CVSS V2: 6.8
CVSS V3: 7.8
Severity: HIGH
PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element. PC-Doctor Toolbox contains a vulnerability related to uncontrolled search path elements. Information may be obtained or altered, and service operation may be disrupted (DoS). PC-Doctor for Windows is prone to an arbitrary code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial of service condition. PC-Doctor Toolbox is a hardware diagnostic and system information monitoring tool developed by PC-Doctor Toolbox in the United States. A security vulnerability exists in PC-Doctor Toolbox versions prior to 7.3.
Full Disclosure
I. VULNERABILITY
Uncontrolled search path element vulnerability in PC-Doctor Toolbox prior to version 7.3 allows local users to gain privileges and conduct DLL hijacking attacks via a trojan horse DLL located in an unsecured directory which has been added to the PATH environment variable.
II. CVE REFERENCE
CVE-2019-12280
III. VENDOR
PC-Doctor, Inc.
IV. Affected Products
PC-Doctor Toolbox for Windows
Also re-branded as:
CORSAIR ONE Diagnostics
CORSAIR Diagnostics
Staples EasyTech Diagnostics
Tobii I-Series Diagnostic Tool
Tobii Dynavox Diagnostic Tool
V. TIMELINE
May 03, 2019 Vulnerability reported to PC-Doctor, Inc.
May 04, 2019 Vulnerability confirmed by PC-Doctor, Inc.
May 17, 2019 PC-Doctor, Inc. identified additional attack vectors in third party dependencies.
June 11, 2019 PC-Doctor Toolbox for Windows 7.3 released to OEM customers for testing.
June 12, 2019 PC-Doctor Toolbox for Windows 7.3 released to retail end-users.
June 19, 2019 Disclosure published.
VI. CREDIT
Peleg Hadar from SafeBreach, Inc.
VII. SOLUTION
Upgrade to version 7.3 of PC-Doctor Toolbox (or re-branded products)
VAR-201906-0232 CVE-2019-8459 Check Point Endpoint Security Client Vulnerabilities related to unquoted search paths or elements CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without using quotes in the path. This can cause loading of a previously placed executable with a name similar to the parts of the path, instead of the intended one. Check Point Endpoint Security Client contains vulnerabilities related to unquoted search paths or elements. Information may be obtained or altered, and service operation may be disrupted (DoS).
VAR-201906-0231 CVE-2019-8458 Check Point Endpoint Security Client Input validation vulnerability CVSS V2: 3.5
CVSS V3: 4.4
Severity: MEDIUM
Check Point Endpoint Security Client for Windows, with Anti-Malware blade installed, before version E81.00, tries to load a non-existent DLL during an update initiated by the UI. An attacker with administrator privileges can leverage this to gain code execution within a Check Point Software Technologies signed binary, which under certain circumstances may cause the client to terminate. Check Point Endpoint Security Client contains an input validation vulnerability. Service operation may be interrupted (DoS).
VAR-201906-0187 CVE-2019-3735 Dell SupportAssist for Business PCs and Dell SupportAssist for Home PCs Vulnerabilities related to authorization, permissions, and access control CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
Dell SupportAssist for Business PCs version 2.0 and Dell SupportAssist for Home PCs version 2.2, 2.2.1, 2.2.2, 2.2.3, 3.0, 3.0.1, 3.0.2, 3.1, 3.2, and 3.2.1 contain an Improper Privilege Management Vulnerability. A malicious local user can exploit this vulnerability by inheriting a system thread using a leaked thread handle to gain system privileges on the affected machine. in the United States. The program provides automated, proactive and predictive techniques for troubleshooting and more.
VAR-201906-0726 CVE-2017-17944 Android for ASUS Vivobaby Application validation vulnerability CVSS V2: 6.4
CVSS V3: 9.1
Severity: CRITICAL
The ASUS Vivobaby application before 1.1.09 for Android has Missing SSL Certificate Validation. ASUS Vivobaby for Android is an Android platform-based baby physiological monitor control and management application developed by China Taiwan ASUS Corporation. There is a trust management issue vulnerability in ASUS Vivobaby versions earlier than 1.1.09 based on the Android platform. This vulnerability stems from the lack of an effective trust management mechanism in network systems or products. Attackers can use default passwords or hard-coded passwords, hard-coded certificates, etc. to attack affected components
VAR-201910-0306 CVE-2019-6471 ISC BIND 9 Service operation interruption (DoS) Vulnerabilities CVSS V2: 4.3
CVSS V3: 5.9
Severity: MEDIUM
A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE assertion failure in dispatch.c. Versions affected: BIND 9.11.0 -> 9.11.7, 9.12.0 -> 9.12.4-P1, 9.14.0 -> 9.14.2. Also all releases of the BIND 9.13 development branch and version 9.15.0 of the BIND 9.15 development branch and BIND Supported Preview Edition versions 9.11.3-S1 -> 9.11.7-S1. ISC BIND 9 contains a denial-of-service (DoS) vulnerability. An attacker can exploit this issue to cause a denial-of-service condition. ISC BIND is a set of open source software developed by ISC Corporation in the United States that implements the DNS protocol. The vulnerability stems from improper handling of concurrent access when concurrently running code needs mutually exclusive access to shared resources during the operation of the network system or product. An attacker could exploit this vulnerability by sending a request that submits malicious input to the targeted system. ISC has confirmed the vulnerability and released software updates.
[slackware-security] bind (SSA:2019-171-01)
New bind packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a denial-of-service security issue.
Here are the details from the Slackware 14.2 ChangeLog:
patches/packages/bind-9.11.8-i586-1_slack14.2.txz: Upgraded.
For more information, see:
https://kb.isc.org/docs/cve-2019-6471
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6471
(* Security fix *)
Where to find the new packages:
Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.
Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bind-9.11.8-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bind-9.11.8-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bind-9.11.8-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bind-9.11.8-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2: ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/bind-9.11.8-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2: ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/bind-9.11.8-x86_64-1_slack14.2.txz
Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/bind-9.14.3-i586-1.txz
Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/bind-9.14.3-x86_64-1.txz
Installation instructions:
Upgrade the package as root:
# upgradepkg bind-9.11.8-i586-1_slack14.2.txz
Then, restart the name server:
# /etc/rc.d/rc.bind restart
Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com
Ubuntu Security Notice USN-4026-1
June 20, 2019
bind9 vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
Summary: Bind could be made to crash if it received specially crafted network traffic.
Software Description:
- bind9: Internet Domain Name Server
Details: It was discovered that Bind incorrectly handled certain malformed packets. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.
Update instructions: The problem can be corrected by updating your system to the following package versions:
Ubuntu 19.04: bind9 1:9.11.5.P1+dfsg-1ubuntu2.5
Ubuntu 18.10: bind9 1:9.11.4+dfsg-3ubuntu5.4
Ubuntu 18.04 LTS: bind9 1:9.11.3+dfsg-1ubuntu1.8
In general, a standard system update will make all the necessary changes.
References: https://usn.ubuntu.com/4026-1 CVE-2019-6471
Package Information:
https://launchpad.net/ubuntu/+source/bind9/1:9.11.5.P1+dfsg-1ubuntu2.5
https://launchpad.net/ubuntu/+source/bind9/1:9.11.4+dfsg-3ubuntu5.4
https://launchpad.net/ubuntu/+source/bind9/1:9.11.3+dfsg-1ubuntu1.8
VAR-201906-0564 CVE-2019-1626 Cisco SD-WAN Solution Vulnerabilities related to authorization, permissions, and access control CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
A vulnerability in the vManage web-based UI (Web UI) of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to gain elevated privileges on an affected vManage device. The vulnerability is due to a failure to properly authorize certain user actions in the device configuration. An attacker could exploit this vulnerability by logging in to the vManage Web UI and sending crafted HTTP requests to vManage. A successful exploit could allow attackers to gain elevated privileges and make changes to the configuration that they would not normally be authorized to make. Cisco SD-WAN Solution contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). Cisco SD-WAN Solution is prone to a remote privilege-escalation vulnerability. This issue is being tracked by Cisco Bug ID CSCvi69886. CLI is one of those command line interfaces.
VAR-201906-0563 CVE-2019-1625 Cisco SD-WAN Solution Vulnerabilities related to authorization, permissions, and access control CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
A vulnerability in the CLI of Cisco SD-WAN Solution could allow an authenticated, local attacker to elevate lower-level privileges to the root user on an affected device. The vulnerability is due to insufficient authorization enforcement. An attacker could exploit this vulnerability by authenticating to the targeted device and executing commands that could lead to elevated privileges. A successful exploit could allow the attacker to make configuration changes to the system as the root user. Cisco SD-WAN Solution contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). Cisco SD-WAN Solution is prone to a local privilege-escalation vulnerability. This issue is being tracked by Cisco Bug ID CSCvi69756. Versions prior to Cisco SD-WAN Solution 18.3.6, 18.4.1, and 19.1.0 are vulnerable. CLI is one of those command line interfaces. The following products and versions are affected: Cisco vBond Orchestrator Software; vEdge 100 Series Routers; vEdge 1000 Series Routers; vEdge 2000 Series Routers; vEdge 5000 Series Routers; vEdge Cloud Router Platform; vManage Network Management Software; vSmart Controller Software.
VAR-201906-0570 CVE-2019-1623 Cisco Meeting Server Command injection vulnerability CVSS V2: 7.2
CVSS V3: 6.7
Severity: MEDIUM
A vulnerability in the CLI configuration shell of Cisco Meeting Server could allow an authenticated, local attacker to inject arbitrary commands as the root user. The vulnerability is due to insufficient input validation during the execution of a vulnerable CLI command. An attacker with administrator-level credentials could exploit this vulnerability by injecting crafted arguments during command execution. A successful exploit could allow the attacker to perform arbitrary code execution as root on an affected product. Cisco Meeting Server contains a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Cisco Meeting Server is prone to a local command-injection vulnerability. This issue is being tracked by Cisco Bug ID CSCvk42093.