VARIoT IoT vulnerabilities database
| VAR-201902-0451 | CVE-2019-1691 | Cisco Firepower Threat Defense Software input validation vulnerability |
CVSS V2: 5.0 CVSS V3: 5.8 Severity: MEDIUM |
A vulnerability in the detection engine of Cisco Firepower Threat Defense Software could allow an unauthenticated, remote attacker to cause the unexpected restart of the SNORT detection engine, resulting in a denial of service (DoS) condition. The vulnerability is due to incomplete error handling of the SSL or TLS packet header during connection establishment. An attacker could exploit this vulnerability by sending a crafted SSL or TLS packet during the connection handshake. An exploit could allow the attacker to cause the SNORT detection engine to unexpectedly restart, resulting in a partial DoS condition while the detection engine restarts. Versions prior to 6.2.3.4 are affected. Cisco Firepower Threat Defense Software contains an input validation vulnerability that may be exploited to cause a denial of service (DoS).
Exploiting this issue allows remote attackers to cause excessive memory consumption.
This issue is being tracked by Cisco Bug ID CSCvj97647. An input validation vulnerability exists in the detection engine of Cisco FTD.
| VAR-201902-0194 | CVE-2019-3924 | MikroTik RouterOS filtering bypass vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
MikroTik RouterOS before 6.43.12 (stable) and 6.42.12 (long-term) can be abused as an intermediary: the software will execute user-defined network requests to both WAN and LAN clients. A remote, unauthenticated attacker can use this vulnerability to bypass the router's firewall or for general network scanning. MikroTik RouterOS contains a filtering bypass vulnerability; information may be obtained. MikroTik RouterOS is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may lead to further attacks.
MikroTik RouterOS versions prior to 6.43.12 and 6.42.12 are vulnerable. MikroTik RouterOS is a Linux-based router operating system developed by the Latvian company MikroTik. It can be deployed on a PC so that the PC provides router functionality.
| VAR-201902-0452 | CVE-2019-1684 | Cisco IP Phone 7800 and 8800 Series resource management vulnerability |
CVSS V2: 6.1 CVSS V3: 6.5 Severity: MEDIUM |
A vulnerability in the Cisco Discovery Protocol or Link Layer Discovery Protocol (LLDP) implementation for the Cisco IP Phone 7800 and 8800 Series could allow an unauthenticated, adjacent attacker to cause an affected phone to reload unexpectedly, resulting in a temporary denial of service (DoS) condition. The vulnerability is due to missing length validation of certain Cisco Discovery Protocol or LLDP packet header fields. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol or LLDP packet to the targeted phone. A successful exploit could allow the attacker to cause the affected phone to reload unexpectedly, resulting in a temporary DoS condition. Versions prior to 12.6(1)MN80 are affected. The Cisco IP Phone 7800 and 8800 Series contain a resource management vulnerability that may be exploited to cause a denial of service (DoS).
This issue is being tracked by Cisco Bug ID CSCvn47250.
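The phone defect above is a missing length check on a protocol header field. Below is an added example (not Cisco code; the TLV layout is IEEE 802.1AB and the frames are constructed) of an LLDP TLV parser that checks both the two-byte header and the advertised value length against the bytes actually remaining before it reads them, and also enforces the mandatory leading TLVs. The truncated frame advertises a 511-byte Port ID with four bytes behind it, which is the shape of input that breaks a parser trusting the length field.

```python
"""Bounds-checked parsing of LLDP TLVs (IEEE 802.1AB).

Each TLV has a 16-bit header (7-bit type, 9-bit length) followed by
`length` value bytes; the LLDPDU ends with an End TLV (type 0, length 0).
A parser that copies `length` bytes without first checking that they are
present reads past the end of the receive buffer. This parser refuses such
frames instead. The sample frames at the bottom are constructed.
"""
import struct

LLDP_END = 0
LLDP_CHASSIS_ID = 1
LLDP_PORT_ID = 2
LLDP_TTL = 3
MAX_TLV_LEN = 0x1FF  # 9-bit length field


class MalformedLLDPDU(ValueError):
    """A TLV header or value does not fit inside the received frame."""


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV; used here only to construct sample frames."""
    if not 0 <= tlv_type <= 0x7F or len(value) > MAX_TLV_LEN:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(payload: bytes) -> list:
    """Return [(type, value), ...] up to the End TLV, or raise MalformedLLDPDU."""
    tlvs = []
    offset, end = 0, len(payload)
    while True:
        # 1. The 2-byte header itself must lie inside the frame.
        if offset + 2 > end:
            raise MalformedLLDPDU(
                f"TLV header at offset {offset} runs past end of frame ({end} bytes)")
        (header,) = struct.unpack_from("!H", payload, offset)
        tlv_type, length = header >> 9, header & MAX_TLV_LEN
        offset += 2
        # 2. The advertised value length must be covered by the remaining bytes.
        if offset + length > end:
            raise MalformedLLDPDU(
                f"TLV type {tlv_type} advertises {length} bytes, only {end - offset} remain")
        value = payload[offset:offset + length]
        offset += length
        if tlv_type == LLDP_END:
            if length != 0:
                raise MalformedLLDPDU("End of LLDPDU TLV must have length 0")
            break
        tlvs.append((tlv_type, value))
    # 3. 802.1AB requires Chassis ID, Port ID and TTL first, in that order.
    if [t for t, _ in tlvs[:3]] != [LLDP_CHASSIS_ID, LLDP_PORT_ID, LLDP_TTL]:
        raise MalformedLLDPDU("mandatory TLVs missing or out of order")
    if len(tlvs[2][1]) != 2:
        raise MalformedLLDPDU("TTL TLV must carry a 16-bit value")
    return tlvs


def ttl_seconds(tlvs: list) -> int:
    """Extract the TTL (third mandatory TLV) as an integer."""
    return struct.unpack("!H", tlvs[2][1])[0]


# Constructed sample frames (not captured traffic).
GOOD_FRAME = (
    build_tlv(LLDP_CHASSIS_ID, b"\x04" + bytes.fromhex("02aabbccddee"))  # subtype 4: MAC address
    + build_tlv(LLDP_PORT_ID, b"\x05Gi1/0/1")                            # subtype 5: interface name
    + build_tlv(LLDP_TTL, struct.pack("!H", 120))
    + build_tlv(LLDP_END, b"")
)
# Port ID header advertises the maximum 511-byte value but only 4 bytes follow.
TRUNCATED_FRAME = (
    build_tlv(LLDP_CHASSIS_ID, b"\x04" + bytes.fromhex("02aabbccddee"))
    + struct.pack("!H", (LLDP_PORT_ID << 9) | MAX_TLV_LEN) + b"\x05Gi1"
)
# Well-formed TLVs but no End TLV: the header check catches it.
NO_END_FRAME = GOOD_FRAME[:-2]


if __name__ == "__main__":
    print(parse_lldpdu(GOOD_FRAME))
    for frame in (TRUNCATED_FRAME, NO_END_FRAME):
        try:
            parse_lldpdu(frame)
        except MalformedLLDPDU as exc:
            print("rejected:", exc)
```

The two checks before each read are the whole fix; the mandatory-TLV check afterwards is the extra validation a receiver should do before acting on the frame (for example before trusting the TTL to schedule neighbour expiry).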
| VAR-201902-0463 | CVE-2019-1698 | Cisco Internet of Things Field Network Director software XML external entity vulnerability |
CVSS V2: 4.0 CVSS V3: 4.9 Severity: MEDIUM |
A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by importing a crafted XML file with malicious entries, which could allow the attacker to read files within the affected application. Versions prior to 4.4(0.26) are affected. Cisco IoT Field Network Director (IoT-FND) is an end-to-end IoT management system from Cisco (USA), with functions such as device management, asset tracking and smart metering.
This issue is being tracked by Cisco Bug ID CSCvm85075.
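The IoT-FND flaw is a classic XXE: an imported XML file declares an external entity and the parser reads the referenced file into the document. The following added example is not Cisco code; it uses Python's SAX parser because resolving external general entities is an explicit feature switch there, so the vulnerable and the hardened configuration can be shown side by side on a constructed 'secret' file.

```python
"""XML External Entity (XXE) in an import handler: vulnerable and hardened parsing.

Added illustration, not Cisco code. It writes a constructed 'secret' file,
builds an import document whose external entity points at it, and parses it
with external general entities enabled (the XXE condition) and disabled, then
shows a hardened handler that rejects any DTD before parsing.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes


class TextCollector(ContentHandler):
    """Accumulates element text so the result of entity expansion is observable."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self) -> str:
        return "".join(self.parts)


def parse_import(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse an uploaded import file and return its text content.

    resolve_external_entities=True reproduces the defect: SYSTEM entities are
    fetched from the local filesystem (or network) and spliced into the document.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.setFeature(feature_external_pes, False)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text


def parse_import_hardened(xml_bytes: bytes) -> str:
    """Reject any DTD up front (an import file has no business carrying one), then parse with entity resolution off."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declarations are not accepted in import files")
    return parse_import(xml_bytes, resolve_external_entities=False)


def crafted_import(target_path: str) -> bytes:
    """Constructed attacker document: an external entity that reads target_path."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE import [ <!ENTITY xxe SYSTEM "' + target_path.encode() + b'"> ]>\n'
        b"<import><device><name>&xxe;</name></device></import>\n"
    )


def run_demo() -> dict:
    """Return which parsing modes leak the constructed secret."""
    secret = "db_password=constructed-secret-value"
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(secret + "\n")
        target = fh.name
    try:
        doc = crafted_import(target)
        leaked = parse_import(doc, resolve_external_entities=True)
        silent = parse_import(doc, resolve_external_entities=False)
        try:
            parse_import_hardened(doc)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "vulnerable_leaks_secret": secret in leaked,
            "entities_off_leaks_secret": secret in silent,
            "hardened_rejects_document": rejected,
        }
    finally:
        os.unlink(target)


if __name__ == "__main__":
    print(run_demo())
```

Turning the feature off is necessary but not sufficient on its own: a DTD can still be used for entity-expansion denial of service, which is why the hardened handler refuses documents carrying one at all.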
| VAR-201906-0114 | CVE-2019-5296 | Huawei Mate 20 smartphone out-of-bounds read vulnerability |
CVSS V2: 1.7 CVSS V3: 3.9 Severity: LOW |
Huawei Mate 20 smartphones with versions earlier than HMA-AL00C00B175 have an out-of-bounds read vulnerability. An attacker with high privileges runs specific commands on the smartphone; due to insufficient input verification, a successful exploit may cause an out-of-bounds memory read and abnormal system behaviour. Huawei Mate 20 smartphones contain an out-of-bounds read vulnerability that may be exploited to cause a denial of service (DoS). Huawei Mate 20 is a smartphone from China's Huawei. The vulnerability stems from a failure to adequately verify user input, which could allow an attacker to cause a device exception.
| VAR-201906-0352 | CVE-2019-5244 | Huawei Mate 9 Pro smartphone information disclosure vulnerability |
CVSS V2: 4.3 CVSS V3: 5.5 Severity: MEDIUM |
Huawei Mate 9 Pro smartphones with versions earlier than LON-L29C 8.0.0.361(C636) have an information leak vulnerability due to the lack of input validation. An attacker tricks a user who has root privilege into installing an application on the smartphone; the application can read some process information, which may cause a sensitive information leak.
In Huawei Mate 9 Pro versions earlier than LON-L29C 8.0.0.361(C636), the vulnerability stems from sensitive information being exposed during configuration or operation. An unauthorized attacker can exploit the vulnerability to obtain sensitive information about the affected component.
| VAR-201911-0263 | CVE-2019-5282 | Multiple Huawei smartphone products Bastet module double free vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
The Bastet module of some Huawei smartphones with versions earlier than Emily-AL00A 9.0.0.182(C00E82R1P21), Emily-TL00B 9.0.0.182(C01E82R1P21), Emily-L09C 9.0.0.203(C432E7R1P11), Emily-L29C 9.0.0.203(C432E7R1P11) and Emily-L29C 9.0.0.202(C185E2R1P12) has a double free vulnerability. An attacker tricks the user into installing a malicious application, which frees the same memory address twice. Successful exploit could result in malicious code execution. The Bastet module of multiple Huawei smartphone products contains a double free vulnerability; information may be obtained or altered and service operation disrupted (DoS). Huawei Hima-AL00B is a smartphone from Huawei of China.
| VAR-201902-0426 | CVE-2019-1662 | Cisco Prime Collaboration Assurance Software authentication vulnerability |
CVSS V2: 6.4 CVSS V3: 9.1 Severity: CRITICAL |
A vulnerability in the Quality of Voice Reporting (QOVR) service of Cisco Prime Collaboration Assurance (PCA) Software could allow an unauthenticated, remote attacker to access the system as a valid user. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by connecting to the QOVR service with a valid username. A successful exploit could allow the attacker to perform actions with the privileges of the user that is used for access. This vulnerability affects Cisco PCA Software Releases prior to 12.1 SP2. This may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCvj07241. The product supports simplified unified communication and video collaboration network management through a unified management console and rapid deployment of communication sites, among other functions. Quality of Voice Reporting (QOVR) is one of its voice quality reporting services.
| VAR-201903-1260 | CVE-2018-20219 |
Teracue ENC-400 device firmware use of hard-coded credentials vulnerability
Related entries in the VARIoT exploits database: VAR-E-201902-0321 |
CVSS V2: 9.3 CVSS V3: 8.1 Severity: HIGH |
An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. After successful authentication, the device sends an authentication cookie to the end user so that they can access the device's web administration panel. This token is hard-coded to a string in the source code (/usr/share/www/check.lp file). By setting this cookie in a browser, an attacker is able to maintain access to every ENC-400 device without knowing the password, which results in authentication bypass. Even if a user changes the password on the device, this token is static and unchanged. Teracue ENC-400 device firmware contains a vulnerability related to the use of hard-coded credentials; information may be obtained or altered and service operation disrupted (DoS). Teracue ENC-400 is a portable multi-stream encoder from Teracue, Germany. A security vulnerability exists in the Teracue ENC-400 due to the program's use of hard-coded authentication tokens.
Introduction
============
Multiple vulnerabilities were identified within the Teracue ENC-400,
including pre-authentication remote code execution. While the vendor
has released updated firmware after these issues were identified, not all
of them are resolved in the latest version of the firmware.
Product
=======
The Teracue ENC-400 is accessible over an HTTP interface, which allows
device configuration (including setting passwords or video stream
destinations and servers). The vendor describes the device as follows:
This HD/SD H.264 fanless video encoder is able to deliver multiple streams
in multiple bitrates and protocols to multiple destinations.
Note that the latest version of firmware, v2.57, does not adequately
resolve all identified issues. Specific notes have been added to issues in
the Technical Details section.
Technical Details
=================
1) Command injection in login form
----------------------------------
CVE-2018-20218
The login form passes user input directly to a shell command without any
kind of escaping or validation.
In the file /usr/share/www/check.lp:
#!/usr/bin/env cgilua.cgi
<%
local pass = cgilua.POST.password
local com1 = os.execute("echo \'"..cgilua.POST.password.."\' | (su -c /bin/true)")
An attacker is able to perform command injection using the "password"
parameter submitted by the login form.
* Resolution Status *
While this instance of remote code execution has been resolved, the
resolution does not protect the entire codebase.
In /usr/share/www/web/system_password.lp:
local oldpass = cgilua.POST.oldpass
local newpass = cgilua.POST.newpass
local com1=os.execute("echo '"..oldpass.."' | (su -c 'echo '"..oldpass.."' | (su root -c '/bin/true') > /dev/null 2>&1 ; echo $?')")
This allows an authenticated user to execute commands without knowing the
existing password. This is particularly important given the insufficient
resolution of CVE-2018-20219 (issue 2).
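For contrast with the two Lua snippets above, here is an added Python example (not Teracue's code) of the same injection and two fixes. `cat` stands in for the `su -c /bin/true` consumer so the demo runs without privileges; the payload is constructed.

```python
"""Shell command injection through the login form, and two ways to stop it.

Added illustration, not Teracue's code. The advisory's check.lp pipes the
POSTed password through a shell string into `su -c /bin/true`. `cat` stands
in for that consumer here so the demo runs unprivileged; the injection and
the fixes behave the same regardless of what sits at the end of the pipe.
"""
import shlex
import subprocess

# Constructed payload: closes the single quote, runs a command, then reopens the
# quote so the rest of the original command line stays syntactically valid.
INJECTION_PAYLOAD = "' ; echo INJECTED ; echo '"


def login_check_vulnerable(password: str) -> str:
    """Mirrors the vulnerable pattern: user input concatenated into a shell command."""
    cmd = "echo '" + password + "' | cat"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def login_check_quoted(password: str) -> str:
    """Partial fix: shell-escape the input. Safe against injection, but the secret
    still appears on a shell command line (visible in process listings)."""
    cmd = "echo " + shlex.quote(password) + " | cat"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def login_check_fixed(password: str) -> str:
    """Fix: no shell at all; argv is a list and the secret travels on stdin as opaque data."""
    return subprocess.run(["cat"], input=password, capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    print("vulnerable:", repr(login_check_vulnerable(INJECTION_PAYLOAD)))
    print("quoted:    ", repr(login_check_quoted(INJECTION_PAYLOAD)))
    print("fixed:     ", repr(login_check_fixed(INJECTION_PAYLOAD)))
```

Only the last variant removes the shell from the data path, which is the property the system_password.lp code above still lacks even after the check.lp fix.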
The hard-coded authentication cookie (CVE-2018-20219, issue 2) is set in the file /usr/share/www/check.lp:
cookies.sethtml("AuthByPasswdENC400","Teracue:dGFpOfrtmR1bW1thrf5dGV4nhyxxdA==",{path='/'})
(Note: Line may be slightly different in different firmware versions,
though the token is still the same).
This results in an authentication bypass.
* Resolution Status *
While this cookie is now dynamically generated, the latest code generates
cookie values from the current time in seconds, which leaves them predictable.
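Added example, not Teracue's code: the advisory says only that the new cookie is derived from the current time in seconds, so `time_based_cookie()` below is an assumed stand-in for that derivation. It shows how few guesses an attacker needs once the login time is known to within a minute (from a Date header or a log entry, say), next to a session store that issues random tokens, expires them, and can revoke them on password change, which the original static token survived.

```python
"""Why a clock-derived session cookie is guessable, and what to issue instead.

Added illustration, not Teracue's code. time_based_cookie() is an assumed
stand-in for the unpublished derivation; any function of the login second
collapses to the same guess count. SessionStore shows the conventional fix.
"""
import hashlib
import hmac
import secrets
import time


def time_based_cookie(login_time: int) -> str:
    """Hypothetical: cookie derived only from the login time in seconds."""
    return hashlib.sha256(str(login_time).encode()).hexdigest()


def recover_time_based_cookie(observed: str, approx_login_time: int, window_s: int):
    """Attacker side: try every second within +/- window_s of the estimated login time.
    Returns (login_time, guesses) on success, else (None, guesses)."""
    guesses = 0
    for t in range(approx_login_time - window_s, approx_login_time + window_s + 1):
        guesses += 1
        if hmac.compare_digest(time_based_cookie(t), observed):
            return t, guesses
    return None, guesses


class SessionStore:
    """Random tokens, stored as digests, checked with expiry, revocable on password change."""

    def __init__(self, ttl_s: int = 3600):
        self.ttl_s = ttl_s
        self._sessions = {}  # sha256(token) -> (username, expiry)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, now: float = None) -> str:
        """256 bits from the OS CSPRNG; only the digest is kept server-side,
        so a leaked session table does not hand out live cookies."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = (username, now + self.ttl_s)
        return token

    def lookup(self, token: str, now: float = None):
        """Return the username for a live token, else None."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._digest(token))
        if entry is None:
            return None
        username, expiry = entry
        if now > expiry:
            del self._sessions[self._digest(token)]
            return None
        return username

    def revoke_all(self) -> None:
        """Call on password change: every outstanding session stops working."""
        self._sessions.clear()


if __name__ == "__main__":
    t0 = 1_550_000_000
    print(recover_time_based_cookie(time_based_cookie(t0), t0 + 17, 60))
    store = SessionStore()
    cookie = store.issue("admin")
    print(cookie, store.lookup(cookie))
```

With a one-minute uncertainty the attacker needs at most 121 requests; with the random token the search space is 2^256 and the cookie also dies with the password.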
3) Missing authentication on sensitive endpoints
------------------------------------------------
CVE-2018-20220
While the web interface requires authentication before it can be interacted
with, a large portion of the HTTP endpoints are missing authentication.
The "/configuration.xml" file, for example, includes all information
required to access a video stream, such as the IP and port information, and
any encryption information if specified.
* Resolution Status *
No verification was performed as to whether this issue was appropriately
resolved, or whether other files may be left unprotected.
Disclosure Timeline
===================
Attempts to contact vendor begin: August 30, 2018
Vendor contacted: September 7, 2018
Vendor acknowledges issues: October 23, 2018
Initial fixes released for testing: December 4, 2018
Response indicating insufficient fixes: December 4, 2018
Public firmware release: February 13, 2019
References
==========
[1] https://www.teracue.com/en/iptv-products/encoding
| VAR-201902-0449 | CVE-2019-1681 |
Cisco IOS XR Software path traversal vulnerability
Related entries in the VARIoT exploits database: VAR-E-201902-0457 |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the TFTP service of Cisco Network Convergence System 1000 Series software could allow an unauthenticated, remote attacker to retrieve arbitrary files from the targeted device, possibly resulting in information disclosure. The vulnerability is due to improper validation of user-supplied input within TFTP requests processed by the affected software. An attacker could exploit this vulnerability by using directory traversal techniques in malicious requests sent to the TFTP service on a targeted device. An exploit could allow the attacker to retrieve arbitrary files from the targeted device, resulting in the disclosure of sensitive information. This vulnerability affects Cisco IOS XR Software releases prior to Release 6.5.2 for Cisco Network Convergence System 1000 Series devices when the TFTP service is enabled. Cisco IOS XR Software contains a path traversal vulnerability; information may be obtained.
This issue is tracked by Cisco Bug ID CSCvk32415.
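Added example, not Cisco code: a TFTP read-request parser with the path confinement check the NCS 1000 TFTP service lacked. The served directory and files are constructed; `resolve_unsafe()` shows the defect class and `resolve_confined()` the fix.

```python
"""Confining TFTP read requests to the served directory.

Added illustration, not Cisco code. parse_rrq() decodes an RFC 1350 Read
Request; resolve_unsafe() trusts the client's filename (the defect class in
the advisory), resolve_confined() canonicalises it and requires the result to
stay under the TFTP root. Directories and files in run_demo() are constructed.
"""
import os
import shutil
import struct
import tempfile

TFTP_RRQ = 1


class TftpRequestError(ValueError):
    """Malformed request, or a filename that does not stay under the TFTP root."""


def parse_rrq(packet: bytes):
    """RRQ layout: opcode (2 bytes) | filename | 0 | mode | 0 [| options ...]."""
    if len(packet) < 4:
        raise TftpRequestError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode != TFTP_RRQ:
        raise TftpRequestError(f"opcode {opcode} is not RRQ")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"":
        raise TftpRequestError("filename/mode not NUL-terminated")
    try:
        filename = fields[0].decode("ascii")
    except UnicodeDecodeError:
        raise TftpRequestError("non-ASCII filename") from None
    return filename, fields[1].decode("ascii", "replace").lower()


def resolve_unsafe(root: str, requested: str) -> str:
    """The defect: join and serve. '..' components and absolute paths leave root."""
    return os.path.join(root, requested)


def resolve_confined(root: str, requested: str) -> str:
    """Canonicalise (resolving '..' and symlinks) and require the result to remain under root."""
    if not requested:
        raise TftpRequestError("empty filename")
    root_real = os.path.realpath(root)
    # Treat the request as relative to the root even if the client sent a leading '/'.
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/")))
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        raise TftpRequestError(f"request escapes TFTP root: {requested!r}")
    return candidate


def run_demo() -> dict:
    """Serve a constructed directory; compare both resolvers on benign and traversal requests."""
    root = tempfile.mkdtemp(prefix="tftp-root-")
    outside = tempfile.mkdtemp(prefix="tftp-outside-")  # stands in for the rest of the filesystem
    try:
        with open(os.path.join(root, "startup-config"), "w") as fh:
            fh.write("hostname ncs1k\n")                   # constructed
        with open(os.path.join(outside, "passwd"), "w") as fh:
            fh.write("root:x:0:0::/root:/bin/sh\n")        # constructed
        traversal = "../" + os.path.basename(outside) + "/passwd"
        name, mode = parse_rrq(b"\x00\x01startup-config\x00octet\x00")
        root_real = os.path.realpath(root)
        rejected = []
        for bad in (traversal, "../../../../../../etc/passwd"):
            try:
                resolve_confined(root, bad)
                rejected.append(False)
            except TftpRequestError:
                rejected.append(True)
        return {
            "mode": mode,
            "benign_resolves": os.path.isfile(resolve_confined(root, name)),
            "unsafe_reads_outside": os.path.isfile(resolve_unsafe(root, traversal)),
            "confined_rejects_traversal": all(rejected),
            # A leading '/' is not a way out either: it is re-rooted under the TFTP directory.
            "absolute_request_stays_inside":
                resolve_confined(root, "/etc/passwd").startswith(root_real + os.sep),
        }
    finally:
        shutil.rmtree(root)
        shutil.rmtree(outside)


if __name__ == "__main__":
    print(run_demo())
```

Note that realpath is applied after the join so that symlinks inside the served tree are followed before the containment test; checking the textual path alone would let a symlink to / defeat the check.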
| VAR-201902-0856 | CVE-2019-1667 | Cisco HyperFlex Software insufficient verification of data authenticity vulnerability |
CVSS V2: 2.1 CVSS V3: 3.3 Severity: LOW |
A vulnerability in the Graphite interface of Cisco HyperFlex software could allow an authenticated, local attacker to write arbitrary data to the Graphite interface. The vulnerability is due to insufficient authorization controls. An attacker could exploit this vulnerability by connecting to the Graphite service and sending arbitrary data. A successful exploit could allow the attacker to write arbitrary data to Graphite, which could result in invalid statistics being presented in the interface. Versions prior to 3.5(2a) are affected. Cisco HyperFlex Software contains an insufficient verification of data authenticity vulnerability; information may be tampered with. Cisco HyperFlex is prone to an arbitrary file-overwrite vulnerability.
Attackers can overwrite arbitrary files on an unsuspecting user's computer in the context of the vulnerable application.
This issue is being tracked by Cisco Bug ID CSCvj95590. Cisco HyperFlex Software is a set of scalable distributed file systems from Cisco. The system provides unified computing, storage and networking through cloud management, and provides enterprise-level data management and optimization services.
| VAR-201902-0551 | CVE-2018-15380 | Cisco HyperFlex Software OS command injection vulnerability |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
A vulnerability in the cluster service manager of Cisco HyperFlex Software could allow an unauthenticated, adjacent attacker to execute commands as the root user. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by connecting to the cluster service manager and injecting commands into the bound process. A successful exploit could allow the attacker to run commands on the affected host as the root user. This vulnerability affects Cisco HyperFlex Software releases prior to 3.5(2a). Cisco HyperFlex Software contains an OS command injection vulnerability; information may be obtained or altered and service operation disrupted (DoS).
This issue is being tracked by Cisco Bug ID CSCvj95606. The system provides unified computing, storage and networking through cloud management, and provides enterprise-level data management and optimization services.
| VAR-201902-0455 | CVE-2019-1689 | Cisco Webex Teams Input validation vulnerability |
CVSS V2: 4.9 CVSS V3: 7.3 Severity: HIGH |
A vulnerability in the client application for iOS of Cisco Webex Teams could allow an authenticated, remote attacker to upload arbitrary files within the scope of the iOS application. The vulnerability is due to improper input validation in the client application. An attacker could exploit this vulnerability by sending a malicious file to a targeted user and persuading the user to manually open it. An exploit could allow the attacker to overwrite sensitive application files and eventually cause a denial of service (DoS) condition by foreclosing future access to the system for the targeted user. This vulnerability is fixed in version 3.13.26920. Cisco Webex Teams contains an input validation vulnerability; information may be tampered with and service operation disrupted (DoS).
This issue is being tracked by Cisco Bug ID CSCvn16403. The program includes features such as video conferencing, group messaging and file sharing.
| VAR-201902-0429 | CVE-2019-1665 | Cisco HyperFlex Software cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
A vulnerability in the web-based management interface of Cisco HyperFlex software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Versions prior to 3.5(1a) are affected. Cisco HyperFlex Software contains a cross-site scripting vulnerability; information may be obtained or altered. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCvk59165. Cisco HyperFlex Software is a set of scalable distributed file systems from Cisco. The system provides unified computing, storage and networking through cloud management, and provides enterprise-level data management and optimization services.
| VAR-201902-0428 | CVE-2019-1664 | Cisco HyperFlex Software access control vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
A vulnerability in the hxterm service of Cisco HyperFlex Software could allow an unauthenticated, local attacker to gain root access to all nodes in the cluster. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by connecting to the hxterm service as a non-privileged, local user. A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster. This vulnerability affects Cisco HyperFlex Software Releases prior to 3.5(2a).
Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions.
This issue is being tracked by Cisco Bug ID CSCvk31047. The system provides unified computing, storage and networking through cloud management, and provides enterprise-level data management and optimization services.
| VAR-201902-0422 | CVE-2019-1666 | Cisco HyperFlex Software access control vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
A vulnerability in the Graphite service of Cisco HyperFlex software could allow an unauthenticated, remote attacker to retrieve data from the Graphite service. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by sending crafted requests to the Graphite service. A successful exploit could allow the attacker to retrieve any statistics from the Graphite service. Versions prior to 3.5(2a) are affected. Cisco HyperFlex Software contains an access control vulnerability; information may be obtained.
An attacker can exploit this issue to access arbitrary files in the context of the application, which may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCvj95580. Cisco HyperFlex Software is a set of scalable distributed file systems from Cisco. The system provides unified computing, storage and networking through cloud management, and provides enterprise-level data management and optimization services.
| VAR-201902-0136 | CVE-2019-6555 | Horner Automation Cscape CSP File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
Cscape, 9.80 SP4 and prior. An improper input validation vulnerability may be exploited by processing specially crafted POC files. This may allow an attacker to read confidential information and remotely execute arbitrary code. Cscape contains an input validation vulnerability; information may be obtained or altered and service operation disrupted (DoS). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of CSP files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure.
Horner Automation Cscape version 9.80 SP4 and prior are vulnerable.
| VAR-201902-0133 | CVE-2019-6547 | CNCSoft ScreenEditor out-of-bounds read vulnerability |
CVSS V2: 4.3 CVSS V3: 5.5 Severity: MEDIUM |
Delta Industrial Automation CNCSoft, CNCSoft ScreenEditor Version 1.00.84 and prior. An out-of-bounds read vulnerability may cause the software to crash due to lacking user input validation for processing project files. CNCSoft ScreenEditor contains an out-of-bounds read vulnerability that may be exploited to cause a denial of service (DoS). This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Delta Industrial Automation CNCSoft ScreenEditor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DPB files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.
Remote attackers may exploit this issue to cause denial-of-service conditions, denying service to legitimate users.
| VAR-201902-0924 | No CVE | Multiple Manufacturers IP Camera Unauthorized Remote Command Execution Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Webcams from Avidsen, RTJ, TENVIS and other manufacturers are affected. An unauthorized remote command execution vulnerability exists in IP cameras from multiple vendors. A remote attacker can execute arbitrary commands on the device without authorization.
| VAR-201902-0693 | CVE-2018-9867 | SonicWall SonicOS Access control vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
In SonicWall SonicOS, administrators without full permissions can download imported certificates. The issue occurs when administrators who are not in the SonicWall Administrators user group attempt to download imported certificates. This vulnerability affected SonicOS Gen 5 version 5.9.1.10 and earlier, Gen 6 versions 6.2.7.3, 6.5.1.3, 6.5.2.2, 6.5.3.1, 6.2.7.8, 6.4.0.0, 6.5.1.8, 6.0.5.3-86o and SonicOSv 6.5.0.2-8v_RC363 (VMWARE), 6.5.0.2.8v_RC367 (AZURE), SonicOSv 6.5.0.2.8v_RC368 (AWS), SonicOSv 6.5.0.2.8v_RC366 (HYPER_V). SonicWall SonicOS contains an access control vulnerability; information may be obtained. SonicWall SonicOS is the operating system for SonicWall firewall appliances from SonicWall (USA). This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles.