VARIoT IoT vulnerabilities database
| VAR-201905-0061 | CVE-2019-9861 | ABUS Secvest FUAA50000 wireless alarm system cryptographic vulnerability |
CVSS V2: 4.8 CVSS V3: 8.1 Severity: HIGH |
Due to the use of an insecure RFID technology (MIFARE Classic), ABUS proximity chip keys (RFID tokens) of the ABUS Secvest FUAA50000 wireless alarm system can easily be cloned and used to deactivate the alarm system in an unauthorized way. The ABUS Secvest FUAA50000 wireless alarm system contains a cryptographic vulnerability. Information may be obtained and information may be altered. ABUS Secvest FUAA50000 is a wireless remote control from ABUS, Germany. An encryption issue vulnerability exists in ABUS Secvest FUAA50000 using firmware version 3.01.01. The vulnerability stems from the network system or product not using the relevant cryptographic algorithm correctly, resulting in content not being properly encrypted, being weakly encrypted, or sensitive information being stored in plaintext.
Advisory ID: SYSS-2019-005
Product: ABUS Secvest (FUAA50000)
Manufacturer: ABUS
Affected Version(s): v3.01.01
Tested Version(s): v3.01.01
Vulnerability Type: Cryptographic Issues (CWE-310)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-03-15
Solution Date: -
Public Disclosure: 2019-05-02
CVE Reference: CVE-2019-9861
Authors of Advisory: Matthias Deeg, Gerhard Klostermeier (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
ABUS Secvest (FUAA50000) is a wireless alarm system with different
features.
The information stored on the proximity keys used can be read easily in
a very short time from distances of up to 1 meter, depending on the
RFID reader used. A working cloned RFID token is ready for use within a
couple of seconds using freely available tools.
All three RFID cloning attacks are demonstrated in our SySS
proof-of-concept video "ABUS Secvest Proximity Key Cloning PoC Attack"
[6].
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
SySS GmbH is not aware of a solution for this reported security
vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2019-03-15: Vulnerability reported to manufacturer
2016-05-02: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for ABUS Secvest wireless alarm system
https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Alarm-panels-and-kits/Secvest-Wireless-Alarm-System
[2] Product website for ABUS proximity chip key
https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Control-devices-and-extensions/Proximity-Chip-Key
[3] MIFARE Classic Tool - MCT
https://play.google.com/store/apps/details?id=de.syss.MifareClassicTool
[4] GitHub repository of ChameleonMini
https://github.com/emsec/ChameleonMini
[5] OBO Hands RFID/NFC Reader/Writer
https://www.amazon.de/dp/B07DHL9XQ4/
[6] SySS Proof-of-Concept Video: ABUS Secvest Proximity Key Cloning PoC Attack
https://youtu.be/sPyXTQXTEcQ
[7] SySS Security Advisory SYSS-2019-005
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-005.txt
[8] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Matthias Deeg and Gerhard
Klostermeier of SySS GmbH.
E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB
E-Mail: gerhard.klostermeier (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Gerhard_Klostermeier.asc
Key fingerprint = 8A9E 75CC D510 4FF6 8DB5 CC30 3802 3AAB 573E B2E7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
| VAR-201905-0023 | CVE-2019-6614 | Multiple BIG-IP products: vulnerability related to authorization, permissions, and access control |
CVSS V2: 5.5 CVSS V3: 6.5 Severity: MEDIUM |
On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, internal methods used to prevent arbitrary file overwrites in Appliance Mode were not fully effective. An authenticated attacker with a high privilege level may be able to bypass protections implemented in appliance mode to overwrite arbitrary system files. Multiple BIG-IP products contain a vulnerability related to authorization, permissions, and access control. Information may be tampered with. Multiple F5 BIG-IP products are prone to an arbitrary file-overwrite vulnerability.
Successful exploits may allow an attacker to write arbitrary files in the context of the user running the affected application. F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions.
| VAR-201905-0022 | CVE-2019-6619 | Multiple BIG-IP products: input validation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, the Traffic Management Microkernel (TMM) may restart when a virtual server has an HTTP/2 profile with Application Layer Protocol Negotiation (ALPN) enabled and it processes traffic where the ALPN extension size is zero. Multiple BIG-IP products contain an input validation vulnerability. The service may be put into a denial-of-service (DoS) state. Multiple F5 BIG-IP products are prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause a denial-of-service condition. F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. The security vulnerability exists in F5 BIG-IP versions 14.0.0 through 14.1.0.1, 13.0.0 through 13.1.1.4, and 12.1.0 through 12.1.4.
| VAR-201905-0021 | CVE-2019-6618 | Multiple BIG-IP products: access control vulnerability |
CVSS V2: 4.0 CVSS V3: 4.9 Severity: MEDIUM |
On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8, users with the Resource Administrator role can modify sensitive portions of the filesystem if provided Advanced Shell Access, such as editing /etc/passwd. This allows modifications to user objects and is contrary to our definition for the Resource Administrator (RA) role restrictions. Multiple BIG-IP products contain an access control vulnerability. Information may be tampered with. F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. A security vulnerability exists in F5 BIG-IP. An attacker could exploit this vulnerability to modify user objects. The following versions are affected: F5 BIG-IP 14.0.0 to 14.1.0.1, 13.0.0 to 13.1.1.4, 12.1.0 to 12.1.4, 11.6.1 to 11.6.3.4, and 11.5.2 to 11.5.8.
| VAR-201905-0018 | CVE-2019-6158 | Lenovo XClarity Administrator Log Information Disclosure Vulnerability |
CVSS V2: 4.3 CVSS V3: 5.9 Severity: MEDIUM |
An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered HTTP proxy credentials being written to a log file in clear text. This only affects LXCA when HTTP proxy credentials have been configured. This affects LXCA versions 2.0.0 to 2.3.x. Lenovo XClarity Administrator (LXCA) contains an information disclosure vulnerability via log files. Information may be obtained. Lenovo XClarity Administrator (LXCA) is a centralized resource management solution from Lenovo, China. The product provides agentless hardware management functions for servers, storage, network switches and similar devices. The vulnerability stems from sensitive information being written to the log files of the network system or product. An attacker could use this vulnerability to obtain sensitive information. Lenovo XClarity Administrator is prone to an information-disclosure vulnerability.
| VAR-201905-0651 | CVE-2017-18368 | ZyXEL P660HN-T1A v1 router command injection vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter. The ZyXEL P660HN-T1A v1 router contains a command injection vulnerability. Information may be obtained, information may be altered, and the service may be put into a denial-of-service (DoS) state. ZyXEL P660HN-T1A is a wireless router made by ZyXEL, Taiwan, China. An operating system command injection vulnerability exists in ZyXEL P660HN-T1A (hardware v1 and TrueOnline firmware 340ULM0b31). The vulnerability stems from the network system or product not correctly filtering special characters, commands and similar elements when constructing executable operating system commands from external input data. Attackers can exploit this vulnerability to execute unauthorized operating system commands.
| VAR-201905-0652 | CVE-2017-18369 | Billion 5200W-T router command injection vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
The Billion 5200W-T 1.02b.rc5.dt49 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user. The vulnerability is in the adv_remotelog.asp page and can be exploited through the syslogServerAddr parameter. Billion Electric 5200W-T is a wireless router produced by the British company Billion Electric. The vulnerability stems from the network system or product not correctly filtering special characters, commands and similar elements when constructing executable operating system commands from external input data. Attackers can exploit this vulnerability to execute unauthorized operating system commands.
| VAR-201905-0809 | CVE-2018-16988 | Open XDMoD password management vulnerability |
CVSS V2: 5.0 CVSS V3: 9.8 Severity: CRITICAL |
An issue was discovered in Open XDMoD through 7.5.0. An authentication bypass (account takeover) exists due to a weak password reset mechanism. A brute-force attack against an MD5 rid value requires only 600 guesses in the plausible situation where the attacker knows that the victim has started a password-reset process (pass_reset.php, password_reset.php, XDUser.php) in the past few minutes. Open XDMoD contains a vulnerability in its password management function. Information may be obtained, information may be altered, and the service may be put into a denial-of-service (DoS) state. Open XDMoD is an open source tool for managing high-performance computing resources. An authorization problem vulnerability exists in Open XDMoD 7.5.0 and earlier versions. This vulnerability stems from the lack of authentication measures or insufficient authentication strength in the network system or product.
| VAR-201905-0808 | CVE-2018-16961 | Open XDMoD path traversal vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An issue was discovered in Open XDMoD through 7.5.0. html/gui/general/dl_publication.php allows path traversal via the file parameter, allowing remote attackers to read PDF files in arbitrary directories. Open XDMoD contains a path traversal vulnerability. Information may be obtained. Open XDMoD is an open source tool for managing high-performance computing resources. The vulnerability stems from the network system or product failing to properly filter special elements in file paths. An attacker could exploit this vulnerability to access locations outside of the restricted directory.
| VAR-201905-0807 | CVE-2018-16960 | Open XDMoD cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
An issue was discovered in Open XDMoD through 7.5.0. html/gui/general/login.php has reflected XSS via the xd_user_formal_name parameter. Open XDMoD contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Open XDMoD is an open source tool for managing high-performance computing resources. The vulnerability stems from the web application's lack of correct validation of client-supplied data. An attacker could exploit this vulnerability to execute client-side code.
| VAR-201905-0581 | CVE-2019-1687 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software input validation vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the TCP proxy functionality for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to restart unexpectedly, resulting in a denial of service (DoS) condition. The vulnerability is due to an error in TCP-based packet inspection, which could cause the TCP packet to have an invalid Layer 2 (L2)-formatted header. An attacker could exploit this vulnerability by sending a crafted TCP packet sequence to the targeted device. A successful exploit could allow the attacker to cause a DoS condition. An input validation error vulnerability exists in the TCP proxy functionality of Cisco ASA Software and FTD Software. The vulnerability stems from the network system or product failing to properly validate input data. The following products and versions are affected: Cisco 3000 Series Industrial Security Appliances; ASA 1000V Cloud Firewall; ASA 5500 Series Adaptive Security Appliances; ASA 5500-X Series Firewalls; ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers; Adaptive Security Virtual Appliance; Firepower 2100 Series; Firepower 4100 Series; Firepower 9300 Security Appliances. Multiple Cisco products are prone to a remote denial-of-service vulnerability.
This issue is being tracked by Cisco Bug ID CSCvk44166. The vulnerability stems from the failure of the network system or product to properly validate input data.
| VAR-201905-0580 | CVE-2019-1692 | Cisco Application Policy Infrastructure Controller Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
A vulnerability in the web-based management interface of Cisco Application Policy Infrastructure Controller (APIC) Software could allow an unauthenticated, remote attacker to access sensitive system usage information. The vulnerability is due to a lack of proper data protection mechanisms for certain components in the underlying Application Centric Infrastructure (ACI). An attacker could exploit this vulnerability by attempting to observe certain network traffic when accessing the APIC. A successful exploit could allow the attacker to access and collect certain tracking data and usage statistics on an affected device.
An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCvn09869. This vulnerability stems from configuration errors in the network system or product during operation.
| VAR-201905-0020 | CVE-2019-6617 | Multiple BIG-IP products: permission vulnerability |
CVSS V2: 5.5 CVSS V3: 6.5 Severity: MEDIUM |
On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8, a user with the Resource Administrator role is able to overwrite sensitive low-level files (such as /etc/passwd) using SFTP to modify user permissions, without Advanced Shell access. This is contrary to our definition for the Resource Administrator (RA) role restrictions. Multiple BIG-IP products contain a permission vulnerability. Information may be tampered with. Multiple F5 BIG-IP products are prone to an arbitrary file-overwrite vulnerability.
Successful exploits may allow an attacker to write arbitrary files in the context of the user running the affected application. F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. An authorization issue vulnerability exists in F5 BIG-IP. This vulnerability stems from the lack of authentication measures or insufficient authentication strength in the network system or product. The following versions are affected: F5 BIG-IP 14.0.0 to 14.1.0.1, 13.0.0 to 13.1.1.4, 12.1.0 to 12.1.4, 11.6.1 to 11.6.3.4, and 11.5.2 to 11.5.8.
| VAR-201905-0027 | CVE-2019-6616 | Multiple BIG-IP products: access control vulnerability |
CVSS V2: 6.5 CVSS V3: 7.2 Severity: HIGH |
On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8, administrative users with TMSH access can overwrite critical system files on BIG-IP, which can result in bypass of whitelist / blacklist restrictions enforced by appliance mode. Multiple BIG-IP products contain an access control vulnerability. Information may be obtained, information may be altered, and the service may be put into a denial-of-service (DoS) state. Multiple F5 BIG-IP products are prone to an arbitrary file-overwrite vulnerability.
Successful exploits may allow an attacker to write arbitrary files in the context of the user running the affected application. F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. Attackers can exploit this vulnerability to bypass whitelist/blacklist restrictions. The following versions are affected: F5 BIG-IP 14.0.0 to 14.1.0.1, 13.0.0 to 13.1.1.4, 12.1.0 to 12.1.4, 11.6.1 to 11.6.3.4, and 11.5.2 to 11.5.8.
| VAR-201905-0024 | CVE-2019-6615 | Multiple BIG-IP products: vulnerability related to authorization, permissions, and access control |
CVSS V2: 4.0 CVSS V3: 4.9 Severity: MEDIUM |
On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8, Administrator and Resource Administrator roles might exploit TMSH access to bypass Appliance Mode restrictions on BIG-IP systems. Multiple BIG-IP products contain a vulnerability related to authorization, permissions, and access control. Information may be obtained, information may be altered, and the service may be put into a denial-of-service (DoS) state. F5 BIG-IP SNMP is prone to an access bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. Successful exploitation may aid in launching further attacks. F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. The following versions are affected: F5 BIG-IP 14.0.0 to 14.1.0.1, 13.0.0 to 13.1.1.4, 12.1.0 to 12.1.4, 11.6.1 to 11.6.3.4, and 11.5.2 to 11.5.8.
| VAR-201905-0245 | CVE-2019-1714 | Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense Software certificate and password management vulnerability |
CVSS V2: 5.0 CVSS V3: 8.6 Severity: HIGH |
A vulnerability in the implementation of Security Assertion Markup Language (SAML) 2.0 Single Sign-On (SSO) for Clientless SSL VPN (WebVPN) and AnyConnect Remote Access VPN in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to successfully establish a VPN session to an affected device. The vulnerability is due to improper credential management when using NT LAN Manager (NTLM) or basic authentication. An attacker could exploit this vulnerability by opening a VPN session to an affected device after another VPN user has successfully authenticated to the affected device via SAML SSO. A successful exploit could allow the attacker to connect to secured networks behind the affected device.
This issue is tracked by Cisco Bug ID CSCvn72570. This vulnerability stems from the lack of an effective trust management mechanism in the network system or product. Attackers can use default passwords, hard-coded passwords, hard-coded certificates and similar weaknesses to attack affected components.
| VAR-201905-0235 | CVE-2019-1715 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software PRNG insufficient entropy vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the Deterministic Random Bit Generator (DRBG), also known as Pseudorandom Number Generator (PRNG), used in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a cryptographic collision, enabling the attacker to discover the private key of an affected device. The vulnerability is due to insufficient entropy in the DRBG when generating cryptographic keys. An attacker could exploit this vulnerability by generating a large number of cryptographic keys on an affected device and looking for collisions with target devices. A successful exploit could allow the attacker to impersonate an affected target device or to decrypt traffic secured by an affected key that is sent to or from an affected target device. Cisco ASA Software and FTD Software are prone to an information-disclosure vulnerability. This may lead to further attacks.
This issue is being tracked by Cisco Bug ID CSCvj52266.
The following products are vulnerable:
Cisco ASA Software 9.8 and 9.9
Cisco FTD Software 6.2.1, 6.2.2, and 6.2.3. Affected platforms include the Cisco Firepower 4100 Series and others. Cisco Firepower 4100 Series is a 4100 series firewall device. FTD Software is unified software that provides next-generation firewall services. Cisco 3000 Series Industrial Security Appliances is a 3000 series firewall appliance. The platform provides features such as highly secure access to data and network resources.
| VAR-201905-0239 | CVE-2019-1724 | Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Router Authentication vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
A vulnerability in the session management functionality of the web-based interface for Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to hijack a valid user session on an affected system. An attacker could use this impersonated session to create a new user account or otherwise control the device with the privileges of the hijacked session. The vulnerability is due to a lack of proper session management controls. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted device. A successful exploit could allow the attacker to take control of an existing user session on the device. Exploitation of the vulnerability requires that an authorized user session is active and that the attacker can craft an HTTP request to impersonate that session. Cisco Small Business RV320 is a VPN router of Cisco Company in the United States.
This issue is being tracked by Cisco Bug IDs CSCvn77859 and CSCvn79158. This vulnerability stems from the lack of authentication measures or insufficient authentication strength in the network system or product.
| VAR-201905-0019 | CVE-2019-6611 | BIG-IP Input validation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
When BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 are processing certain rare data sequences occurring in PPTP VPN traffic, the BIG-IP system may execute incorrect logic. The TMM may restart and produce a core file as a result of this condition. A BIG-IP system provisioned with the CGNAT module and configured with a virtual server using a PPTP profile is exposed to this vulnerability. BIG-IP contains an input validation vulnerability. The service may be put into a denial-of-service (DoS) state. Multiple F5 BIG-IP products are prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause a denial-of-service condition. F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. The following versions are affected: F5 BIG-IP 14.0.0 to 14.1.0.1, 13.0.0 to 13.1.1.4, 12.1.0 to 12.1.4, 11.6.1 to 11.6.3.4, and 11.5.2 to 11.5.8.
| VAR-201905-0026 | CVE-2019-6613 | BIG-IP information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
On BIG-IP 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8, SNMP may expose sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is used with various profile types and is accessed using SNMPv2. BIG-IP contains an information disclosure vulnerability. Information may be obtained. F5 BIG-IP SNMP is prone to an information-disclosure vulnerability.
Successfully exploiting this issue may allow attackers to obtain sensitive information. This may lead to other attacks. F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. This vulnerability stems from configuration errors in the network system or product during operation. The following products and versions are affected: F5 BIG-IP 13.0.0 to 13.1.1.4, 12.1.0 to 12.1.4, 11.6.1 to 11.6.3.4, and 11.5.2 to 11.5.8.