VARIoT IoT vulnerabilities database

Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter. Endress+Hauser WirelessHART Fieldgate SWG70 The device contains a path traversal vulnerability.Information may be obtained. Multiple PEPPERL+FUCHS products are prone to a directory-traversal vulnerability. Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve sensitive information. This may aid in further attacks. The following products and versions are affected: WirelessHART Gateway WHA-GW-F2D2-0-AS-Z2-ETH 03.00.08 WirelessHART Gateway WHA-GW-F2D2-0-AS-Z2-ETH.EIP 02.00.01. The Endress+Hauser WirelessHART Fieldgate SWG70 is an Ethernet gateway device. An attacker could exploit this vulnerability to view arbitrary files on the system

Fuji Xerox DocuCentre-V 3065, ApeosPort-VI C3371, ApeosPort-V C4475, ApeosPort-V C3375, DocuCentre-VI C2271, ApeosPort-V C5576, DocuCentre-IV C2263, DocuCentre-V C2263, and ApeosPort-V 5070 devices allow remote attackers to read or write to files via crafted PJL commands. plural Fuji Xerox The product contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Fuji Xerox DocuCentre-V 3065, etc. are all multi-function printers from Fuji Xerox, Japan. A security vulnerability exists in several Fuji Xerox products. The following products are affected: Fuji Xerox DocuCentre-V 3065; ApeosPort-VI C3371; ApeosPort-V C4475; ApeosPort-V C3375; DocuCentre-VI C2271; 5070

Untrusted search path vulnerability in Installer of INplc SDK Express 3.08 and earlier and Installer of INplc SDK Pro+ 3.08 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. INplc provided by MICRONET CORPORATION contains multiple vulnerabilities listed below. *DLL preloading vulnerability (CWE-427) - CVE-CVE-2018-0667 *Buffer overflow (CWE-119) - CVE-2018-0668 *Authentication bypass (CWE-287) - CVE-2018-0669 *Authentication bypass (CWE-287) - CVE-2018-0670 *Privilege escalation - CVE-2018-0671 Kotatsu Shiraki of University of Tokyo/NEC reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.Although the expected impact will vary depending on the vulnerability, the following may be affected. *Arbitrary code may be executed with the privilege of the user invoking the installer - CVE-2018-0667 *A remote attacker may be able to cause a denial-of-service (DoS) condition or may execute arbitrary code - CVE-2018-0668 *A remote attacker may execute an arbitrary command through the traffic based on the protocol - CVE-2018-0669, CVE-2018-0670 *An attacker may execute arbitrary code with the administrative privilege on the Windows system which the product is installed on. - CVE-2018-0671. The Micronet INplc SDK is a software-defined PLC (Programmable Logic Controller) development kit from Micronet Corporation of Japan

Privilege escalation vulnerability in INplc-RT 3.08 and earlier allows an attacker with administrator rights to execute arbitrary code on the Windows system via unspecified vectors. INplc provided by MICRONET CORPORATION contains multiple vulnerabilities listed below. *DLL preloading vulnerability (CWE-427) - CVE-CVE-2018-0667 *Buffer overflow (CWE-119) - CVE-2018-0668 *Authentication bypass (CWE-287) - CVE-2018-0669 *Authentication bypass (CWE-287) - CVE-2018-0670 *Privilege escalation - CVE-2018-0671 Kotatsu Shiraki of University of Tokyo/NEC reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.Although the expected impact will vary depending on the vulnerability, the following may be affected. - CVE-2018-0671. Micronet INplc-RT is a software-defined PLC (Programmable Logic Controller) from Micronet, Japan. An elevation of privilege vulnerability exists in Micronet INplc-RT 3.08 and earlier. An attacker could exploit the vulnerability to perform administrative operations with administrative privileges

INplc-RT 3.08 and earlier allows remote attackers to bypass authentication to execute an arbitrary command through the protocol-compliant traffic. This is a different vulnerability than CVE-2018-0670. INplc provided by MICRONET CORPORATION contains multiple vulnerabilities listed below. *DLL preloading vulnerability (CWE-427) - CVE-CVE-2018-0667 *Buffer overflow (CWE-119) - CVE-2018-0668 *Authentication bypass (CWE-287) - CVE-2018-0669 *Authentication bypass (CWE-287) - CVE-2018-0670 *Privilege escalation - CVE-2018-0671 Kotatsu Shiraki of University of Tokyo/NEC reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.Although the expected impact will vary depending on the vulnerability, the following may be affected. - CVE-2018-0671. Micronet INplc-RT is a software-defined PLC (Programmable Logic Controller) from Micronet, Japan. An authorization vulnerability has been reported in Micronet INplc-RT 3.08 and earlier

INplc-RT 3.08 and earlier allows remote attackers to bypass authentication to execute an arbitrary command through the protocol-compliant traffic. This is a different vulnerability than CVE-2018-0669. INplc provided by MICRONET CORPORATION contains multiple vulnerabilities listed below. *DLL preloading vulnerability (CWE-427) - CVE-CVE-2018-0667 *Buffer overflow (CWE-119) - CVE-2018-0668 *Authentication bypass (CWE-287) - CVE-2018-0669 *Authentication bypass (CWE-287) - CVE-2018-0670 *Privilege escalation - CVE-2018-0671 Kotatsu Shiraki of University of Tokyo/NEC reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.Although the expected impact will vary depending on the vulnerability, the following may be affected. - CVE-2018-0671. Micronet INplc-RT is a software-defined PLC (Programmable Logic Controller) from Micronet, Japan. An authorization vulnerability has been reported in Micronet INplc-RT 3.08 and earlier

Buffer overflow in INplc-RT 3.08 and earlier allows remote attackers to cause denial-of-service (DoS) condition that may result in executing arbtrary code via unspecified vectors. INplc provided by MICRONET CORPORATION contains multiple vulnerabilities listed below. *DLL preloading vulnerability (CWE-427) - CVE-CVE-2018-0667 *Buffer overflow (CWE-119) - CVE-2018-0668 *Authentication bypass (CWE-287) - CVE-2018-0669 *Authentication bypass (CWE-287) - CVE-2018-0670 *Privilege escalation - CVE-2018-0671 Kotatsu Shiraki of University of Tokyo/NEC reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.Although the expected impact will vary depending on the vulnerability, the following may be affected. *Arbitrary code may be executed with the privilege of the user invoking the installer - CVE-2018-0667 *A remote attacker may be able to cause a denial-of-service (DoS) condition or may execute arbitrary code - CVE-2018-0668 *A remote attacker may execute an arbitrary command through the traffic based on the protocol - CVE-2018-0669, CVE-2018-0670 *An attacker may execute arbitrary code with the administrative privilege on the Windows system which the product is installed on. - CVE-2018-0671. Micronet INplc-RT is a software-defined PLC (Programmable Logic Controller) from Micronet, Japan. A buffer overflow vulnerability exists in Micronet INplc-RT 3.08 and earlier

On BIG-IP APM 11.6.0-11.6.3, an insecure AES ECB mode is used for orig_uri parameter in an undisclosed /vdesk link of APM virtual server configured with an access profile, allowing a malicious user to build a redirect URI value using different blocks of cipher texts. BIG-IP APM Contains an open redirect vulnerability.The information may be obtained and the information may be falsified. F5 BIG-IP APM is prone to an open redirect vulnerability. An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible. F5 BIG-IP Access Policy Manager (APM) is a set of access and security solutions from F5 Corporation of the United States. The solution provides unified access to business-critical applications and networks. Attackers can exploit this vulnerability to construct redirection URI values

An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. FTP does not require authentication or authorization, aka KONE-03. There is an authorization problem vulnerability in KONE KGC versions prior to 4.6.5. Attackers can exploit this vulnerability to bypass access restrictions and access FTP. These were discovered during a black box assessment and therefore the vulnerability list should not be considered exhaustive. Its purpose is to optimize the operation of a group of elevators, and it allows features such as destination calls and locking and unlocking floors. Group controller is not an essential component of an elevator control system and vulnerabilities in KGC do not affect the safety of the elevators connected to the group. More information at https://www.kone.com/en/vulnerability.aspx Affected Software And Versions ============================== - KONE KGC version 4.6.4 and below CVE === The following CVEs were assigned to the issues described in this report: CVE-2018-15483 CVE-2018-15484 CVE-2018-15485 CVE-2018-15486 Vulnerability Overview ====================== 01. CVE-2018-15484: Unauthenticated Remote Code Execution 02. CVE-2018-15486: Unauthenticated Local File Inclusion / Unauthenticated Local File modification 03. CVE-2018-15483: Denial of Service Vulnerability Details ===================== --------------------------------------------- CVE-2018-15484: Unauthenticated Remote Code Execution --------------------------------------------- By modifying the file autoexec.bat via the web interface using an unauthenticated local file modification method (see CVE-2018-15486), an attacker can inject arbitrary operating systems commands, which get executed at boot time. To trigger a reboot, an HTTP GET request to /reboot has to be made. This enables an attacker to compromise the integrity of all software running on the device. This includes specific autoexec commands but also the full range of command.com (operating system) commands regarding to FreeDOS. Injecting an interactive command, such as the help command, effectively prevents the KGC from booting up again and therefore causes a Denial of Service Attack (CVE-2018-15483). -------------------------------------------------- CVE-2018-15486: Unauthenticated Local File Inclusion / Unauthenticated Local File modification -------------------------------------------------- By modifying the name parameter of the file endpoint, any file the webserver has access to can be viewed. GET /file?name=secret.txt HTTP/1.1 Host: <redacted> However, more importantly, by modifying the name parameter of the editfile endpoint, any file can be modified: GET /editfile?name=secret.txt HTTP/1.1 Host: <redacted> After calling the endpoint above, the file to edit is presented in a textbox for modification. This way, attackers can choose from a wide range of attack scenarios, e.g., persisting backdoors in files such as KERNEL.SYS, enable access to floors, they wouldn't have access to in normal cases (KGC config files) or carry out DNS redirection- and Man-in-the-Middle attacks. The latter could be achieved by modifying the DNS parameter or the default gateway, respectively: [ETHERNET] card=7 : DHCP on or off [0-1] : Attacker would switch to 0 dhcp=0 : Static IP address [IP] : Set a static IP ip=<static IP> : Subnet mask [IP] mask=<appropriate mask> : Default gateway [IP] : Change gateway default_gateway=<attacker controlled gateway> : DNS [IP] dns=<attacker controlled dns server> : Host name [string] host_name=KGC_1 This way, an attacker could read and modify all the data transmitted over the wires. A user that connects to that port is logged in as SuperUser, with needing a username or password (also blank usernames and passwords are accepted). $ ftp -p <redacted-IP> Connected to <redacted-IP>. 220 KGC FTP Server ready Name (<redacted-IP>:username): <blank> 331 User name okay, need password. Password: <blank> 230 SuperUser logged in, proceed. Remote system type is WIN32. This way all available data can be downloaded and new data can be uploaded to the KGC. --------------------------------------------- CVE-2018-15483: Denial of Service --------------------------------------------- There are several possible ways to cause a denial of service on the KGC. One of them is the possibility to reboot the system via the web interface. An attacker could reboot the system every time it boots back up to interrupt the service and cause a denial of service attack: GET /reboot HTTP/1.1 Host: <redacted> Author ====== The vulnerabilities were discovered by Sebastian Neuner (@sebastian9er) from the Google Security Team. Timeline ======== 2018/05/10 - Security report sent to KONE security. 2018/05/11 - KONE acknowledges the report and starts working on the issues. 2018/05/25 - KONE requested grace period due to internal patch cycle. 2018/05/25 - Google granted grace period until patch available and being deployed. 2018/08/06 - Public disclosure on the bugtraq Mailing List

An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Unauthenticated Local File Inclusion and File modification is possible through the open HTTP interface by modifying the name parameter of the file endpoint, aka KONE-02. These were discovered during a black box assessment and therefore the vulnerability list should not be considered exhaustive. Its purpose is to optimize the operation of a group of elevators, and it allows features such as destination calls and locking and unlocking floors. Group controller is not an essential component of an elevator control system and vulnerabilities in KGC do not affect the safety of the elevators connected to the group. More information at https://www.kone.com/en/vulnerability.aspx Affected Software And Versions ============================== - KONE KGC version 4.6.4 and below CVE === The following CVEs were assigned to the issues described in this report: CVE-2018-15483 CVE-2018-15484 CVE-2018-15485 CVE-2018-15486 Vulnerability Overview ====================== 01. CVE-2018-15484: Unauthenticated Remote Code Execution 02. CVE-2018-15485: FTP without authentication and authorization 04. CVE-2018-15483: Denial of Service Vulnerability Details ===================== --------------------------------------------- CVE-2018-15484: Unauthenticated Remote Code Execution --------------------------------------------- By modifying the file autoexec.bat via the web interface using an unauthenticated local file modification method (see CVE-2018-15486), an attacker can inject arbitrary operating systems commands, which get executed at boot time. To trigger a reboot, an HTTP GET request to /reboot has to be made. This enables an attacker to compromise the integrity of all software running on the device. This includes specific autoexec commands but also the full range of command.com (operating system) commands regarding to FreeDOS. Injecting an interactive command, such as the help command, effectively prevents the KGC from booting up again and therefore causes a Denial of Service Attack (CVE-2018-15483). This way, attackers can choose from a wide range of attack scenarios, e.g., persisting backdoors in files such as KERNEL.SYS, enable access to floors, they wouldn't have access to in normal cases (KGC config files) or carry out DNS redirection- and Man-in-the-Middle attacks. The latter could be achieved by modifying the DNS parameter or the default gateway, respectively: [ETHERNET] card=7 : DHCP on or off [0-1] : Attacker would switch to 0 dhcp=0 : Static IP address [IP] : Set a static IP ip=<static IP> : Subnet mask [IP] mask=<appropriate mask> : Default gateway [IP] : Change gateway default_gateway=<attacker controlled gateway> : DNS [IP] dns=<attacker controlled dns server> : Host name [string] host_name=KGC_1 This way, an attacker could read and modify all the data transmitted over the wires. ----------------------------------------------- CVE-2018-15485: FTP without authentication and authorization ----------------------------------------------- FTP on the KGC is enabled on port 21 and is not secured by authentication or authorization mechanisms. A user that connects to that port is logged in as SuperUser, with needing a username or password (also blank usernames and passwords are accepted). $ ftp -p <redacted-IP> Connected to <redacted-IP>. 220 KGC FTP Server ready Name (<redacted-IP>:username): <blank> 331 User name okay, need password. Password: <blank> 230 SuperUser logged in, proceed. Remote system type is WIN32. This way all available data can be downloaded and new data can be uploaded to the KGC. --------------------------------------------- CVE-2018-15483: Denial of Service --------------------------------------------- There are several possible ways to cause a denial of service on the KGC. One of them is the possibility to reboot the system via the web interface. An attacker could reboot the system every time it boots back up to interrupt the service and cause a denial of service attack: GET /reboot HTTP/1.1 Host: <redacted> Author ====== The vulnerabilities were discovered by Sebastian Neuner (@sebastian9er) from the Google Security Team. Timeline ======== 2018/05/10 - Security report sent to KONE security. 2018/05/11 - KONE acknowledges the report and starts working on the issues. 2018/05/25 - KONE requested grace period due to internal patch cycle. 2018/05/25 - Google granted grace period until patch available and being deployed. 2018/08/06 - Public disclosure on the bugtraq Mailing List

An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Unauthenticated Remote Code Execution is possible through the open HTTP interface by modifying autoexec.bat, aka KONE-01. KONE Group Controller (KGC) The device includes OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. These were discovered during a black box assessment and therefore the vulnerability list should not be considered exhaustive. Its purpose is to optimize the operation of a group of elevators, and it allows features such as destination calls and locking and unlocking floors. Group controller is not an essential component of an elevator control system and vulnerabilities in KGC do not affect the safety of the elevators connected to the group. More information at https://www.kone.com/en/vulnerability.aspx Affected Software And Versions ============================== - KONE KGC version 4.6.4 and below CVE === The following CVEs were assigned to the issues described in this report: CVE-2018-15483 CVE-2018-15484 CVE-2018-15485 CVE-2018-15486 Vulnerability Overview ====================== 01. CVE-2018-15486: Unauthenticated Local File Inclusion / Unauthenticated Local File modification 03. CVE-2018-15485: FTP without authentication and authorization 04. To trigger a reboot, an HTTP GET request to /reboot has to be made. This enables an attacker to compromise the integrity of all software running on the device. This includes specific autoexec commands but also the full range of command.com (operating system) commands regarding to FreeDOS. Injecting an interactive command, such as the help command, effectively prevents the KGC from booting up again and therefore causes a Denial of Service Attack (CVE-2018-15483). -------------------------------------------------- CVE-2018-15486: Unauthenticated Local File Inclusion / Unauthenticated Local File modification -------------------------------------------------- By modifying the name parameter of the file endpoint, any file the webserver has access to can be viewed. GET /file?name=secret.txt HTTP/1.1 Host: <redacted> However, more importantly, by modifying the name parameter of the editfile endpoint, any file can be modified: GET /editfile?name=secret.txt HTTP/1.1 Host: <redacted> After calling the endpoint above, the file to edit is presented in a textbox for modification. This way, attackers can choose from a wide range of attack scenarios, e.g., persisting backdoors in files such as KERNEL.SYS, enable access to floors, they wouldn't have access to in normal cases (KGC config files) or carry out DNS redirection- and Man-in-the-Middle attacks. The latter could be achieved by modifying the DNS parameter or the default gateway, respectively: [ETHERNET] card=7 : DHCP on or off [0-1] : Attacker would switch to 0 dhcp=0 : Static IP address [IP] : Set a static IP ip=<static IP> : Subnet mask [IP] mask=<appropriate mask> : Default gateway [IP] : Change gateway default_gateway=<attacker controlled gateway> : DNS [IP] dns=<attacker controlled dns server> : Host name [string] host_name=KGC_1 This way, an attacker could read and modify all the data transmitted over the wires. ----------------------------------------------- CVE-2018-15485: FTP without authentication and authorization ----------------------------------------------- FTP on the KGC is enabled on port 21 and is not secured by authentication or authorization mechanisms. A user that connects to that port is logged in as SuperUser, with needing a username or password (also blank usernames and passwords are accepted). $ ftp -p <redacted-IP> Connected to <redacted-IP>. 220 KGC FTP Server ready Name (<redacted-IP>:username): <blank> 331 User name okay, need password. Password: <blank> 230 SuperUser logged in, proceed. Remote system type is WIN32. This way all available data can be downloaded and new data can be uploaded to the KGC. --------------------------------------------- CVE-2018-15483: Denial of Service --------------------------------------------- There are several possible ways to cause a denial of service on the KGC. One of them is the possibility to reboot the system via the web interface. An attacker could reboot the system every time it boots back up to interrupt the service and cause a denial of service attack: GET /reboot HTTP/1.1 Host: <redacted> Author ====== The vulnerabilities were discovered by Sebastian Neuner (@sebastian9er) from the Google Security Team. Timeline ======== 2018/05/10 - Security report sent to KONE security. 2018/05/11 - KONE acknowledges the report and starts working on the issues. 2018/05/25 - KONE requested grace period due to internal patch cycle. 2018/05/25 - Google granted grace period until patch available and being deployed. 2018/08/06 - Public disclosure on the bugtraq Mailing List

An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Denial of Service can occur through the open HTTP interface, aka KONE-04. KONE Group Controller (KGC) Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. These were discovered during a black box assessment and therefore the vulnerability list should not be considered exhaustive. Its purpose is to optimize the operation of a group of elevators, and it allows features such as destination calls and locking and unlocking floors. Group controller is not an essential component of an elevator control system and vulnerabilities in KGC do not affect the safety of the elevators connected to the group. More information at https://www.kone.com/en/vulnerability.aspx Affected Software And Versions ============================== - KONE KGC version 4.6.4 and below CVE === The following CVEs were assigned to the issues described in this report: CVE-2018-15483 CVE-2018-15484 CVE-2018-15485 CVE-2018-15486 Vulnerability Overview ====================== 01. CVE-2018-15484: Unauthenticated Remote Code Execution 02. CVE-2018-15486: Unauthenticated Local File Inclusion / Unauthenticated Local File modification 03. CVE-2018-15485: FTP without authentication and authorization 04. CVE-2018-15483: Denial of Service Vulnerability Details ===================== --------------------------------------------- CVE-2018-15484: Unauthenticated Remote Code Execution --------------------------------------------- By modifying the file autoexec.bat via the web interface using an unauthenticated local file modification method (see CVE-2018-15486), an attacker can inject arbitrary operating systems commands, which get executed at boot time. To trigger a reboot, an HTTP GET request to /reboot has to be made. This enables an attacker to compromise the integrity of all software running on the device. This includes specific autoexec commands but also the full range of command.com (operating system) commands regarding to FreeDOS. Injecting an interactive command, such as the help command, effectively prevents the KGC from booting up again and therefore causes a Denial of Service Attack (CVE-2018-15483). -------------------------------------------------- CVE-2018-15486: Unauthenticated Local File Inclusion / Unauthenticated Local File modification -------------------------------------------------- By modifying the name parameter of the file endpoint, any file the webserver has access to can be viewed. GET /file?name=secret.txt HTTP/1.1 Host: <redacted> However, more importantly, by modifying the name parameter of the editfile endpoint, any file can be modified: GET /editfile?name=secret.txt HTTP/1.1 Host: <redacted> After calling the endpoint above, the file to edit is presented in a textbox for modification. This way, attackers can choose from a wide range of attack scenarios, e.g., persisting backdoors in files such as KERNEL.SYS, enable access to floors, they wouldn't have access to in normal cases (KGC config files) or carry out DNS redirection- and Man-in-the-Middle attacks. The latter could be achieved by modifying the DNS parameter or the default gateway, respectively: [ETHERNET] card=7 : DHCP on or off [0-1] : Attacker would switch to 0 dhcp=0 : Static IP address [IP] : Set a static IP ip=<static IP> : Subnet mask [IP] mask=<appropriate mask> : Default gateway [IP] : Change gateway default_gateway=<attacker controlled gateway> : DNS [IP] dns=<attacker controlled dns server> : Host name [string] host_name=KGC_1 This way, an attacker could read and modify all the data transmitted over the wires. ----------------------------------------------- CVE-2018-15485: FTP without authentication and authorization ----------------------------------------------- FTP on the KGC is enabled on port 21 and is not secured by authentication or authorization mechanisms. A user that connects to that port is logged in as SuperUser, with needing a username or password (also blank usernames and passwords are accepted). $ ftp -p <redacted-IP> Connected to <redacted-IP>. 220 KGC FTP Server ready Name (<redacted-IP>:username): <blank> 331 User name okay, need password. Password: <blank> 230 SuperUser logged in, proceed. Remote system type is WIN32. This way all available data can be downloaded and new data can be uploaded to the KGC. --------------------------------------------- CVE-2018-15483: Denial of Service --------------------------------------------- There are several possible ways to cause a denial of service on the KGC. One of them is the possibility to reboot the system via the web interface. An attacker could reboot the system every time it boots back up to interrupt the service and cause a denial of service attack: GET /reboot HTTP/1.1 Host: <redacted> Author ====== The vulnerabilities were discovered by Sebastian Neuner (@sebastian9er) from the Google Security Team. Timeline ======== 2018/05/10 - Security report sent to KONE security. 2018/05/11 - KONE acknowledges the report and starts working on the issues. 2018/05/25 - KONE requested grace period due to internal patch cycle. 2018/05/25 - Google granted grace period until patch available and being deployed. 2018/08/06 - Public disclosure on the bugtraq Mailing List

In Ice Qube Thermal Management Center versions prior to version 4.13, passwords are stored in plaintext in a file that is accessible without authentication. Ice Qube Thermal Management Center Contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Ice Qube Thermal Management Center is a thermal management application from Ice Qube, USA. The program includes email notifications, remote management, LCD display and temperature alarms. An attacker could exploit this vulnerability to obtain sensitive information

A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an authenticated, remote attacker to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input to scripts by the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the root user. The RV110W is a Wireless-NVPN firewall router. The RV130W is a Wireless-N multi-function VPN router. The RV215W is a Wireless-NVPN router. The vulnerability stems from a failure to validate data entered by the user

A vulnerability in the web-based management interface of Cisco Cloud Services Platform 2100 could allow an authenticated, remote attacker to perform command injection. The vulnerability is due to insufficient input validation of command input. An attacker could exploit this vulnerability by sending customized commands to the web-based management interface. Cisco Cloud Services Platform (CSP) 2100 is a set of hardware and software platform for data center network function virtualization developed by Cisco

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to inject and execute arbitrary commands with root privileges on an affected device. The vulnerability is due to insufficient validation of command input by the affected software. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to inject and execute arbitrary, system-level commands with root privileges on an affected device. The software supports HTTP, SSH access, etc., and can perform operations such as starting, shutting down and restarting the server

A vulnerability in the web interface of Cisco Data Center Network Manager could allow an authenticated application administrator to execute commands on the underlying operating system with root-level privileges. The vulnerability is due to incomplete input validation of user input within an HTTP request. An attacker could exploit this vulnerability by authenticating to the application and then sending a crafted HTTP request to the targeted application. A successful exploit could allow the authenticated attacker to issue commands on the underlying operating system as the root user. Cisco Data Center Network Manager is a set of data center management system of Cisco (Cisco). The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions

Technicolor TG588V V2 devices allow remote attackers to cause a denial of service (networking outage) via a flood of random MAC addresses, as demonstrated by macof. NOTE: this might overlap CVE-2018-15852 and CVE-2018-15907. NOTE: Technicolor denies that the described behavior is a vulnerability and states that Wi-Fi traffic is slowed or stopped only while the devices are exposed to a MAC flooding attack. This has been confirmed through testing against official up-to-date versions. ** Unsettled ** This case has not been confirmed as a vulnerability. TG588V V2 The device contains a resource exhaustion vulnerability. The vendor disputes this vulnerability. For more information, see the following: NVD of Current Description Please Confirm. https://nvd.nist.gov/vuln/detail/CVE-2018-16310Service operation interruption (DoS) It may be in a state. Technicolor TG588V V2 is an ADSL VDSL router

Some Huawei smart phones with software of Leland-AL00 8.0.0.114(C636), Leland-AL00A 8.0.0.171(C00) have a denial of service (DoS) vulnerability. An attacker can trick a user to install a malicious application to exploit this vulnerability. Due to insufficient verification of the parameter, successful exploitation can cause the smartphone black screen until restarting the phone. Huawei smartphone Leland-AL00 and Leland-AL00A Software contains input validation vulnerabilities.Service operation interruption (DoS) There is a possibility of being put into a state. HuaweiLeland-AL00 and Leland-AL00A are all smartphone products of China Huawei. There is a security vulnerability in Huawei Leland-AL00 version 8.0.0.114(C636) and Leland-AL00A version 8.0.0.171(C00). The vulnerability is caused by the fact that the program does not fully verify the parameters

A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper access control to files within the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to a targeted device. A successful exploit could allow the attacker to gain access to sensitive configuration information, including user authentication credentials. The RV110W is a Wireless-NVPN firewall router. The RV130W is a Wireless-N multi-function VPN router. The RV215W is a Wireless-NVPN router