VARIoT IoT vulnerabilities database


VAR-201808-0295 CVE-2018-0386 Cisco Unified Communications Domain Manager Software Vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
A vulnerability in Cisco Unified Communications Domain Manager Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on an affected system. The vulnerability is due to improper validation of input that is passed to the affected software. An attacker could exploit this vulnerability by persuading a user of the affected software to access a malicious URL. A successful exploit could allow the attacker to access sensitive, browser-based information on the affected system or perform arbitrary actions in the affected software in the security context of the user. Cisco Bug IDs: CSCvh49694. The vendor has confirmed this vulnerability and published it as Bug ID CSCvh49694. Information may be obtained and altered. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This component features scalable, distributed, and highly available enterprise Voice over IP call processing.
VAR-201808-0300 CVE-2018-0415 Cisco Small Business 100 Series and Small Business 300 Series wireless access point error handling vulnerability CVSS V2: 5.5
CVSS V3: 6.8
Severity: MEDIUM
A vulnerability in the implementation of Extensible Authentication Protocol over LAN (EAPOL) functionality in Cisco Small Business 100 Series Wireless Access Points and Cisco Small Business 300 Series Wireless Access Points could allow an authenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to the improper processing of certain EAPOL frames. An attacker could exploit this vulnerability by sending a stream of crafted EAPOL frames to an affected device. A successful exploit could allow the attacker to force the access point (AP) to disassociate all the associated stations (STAs) and to disallow future, new association requests. Cisco Bug IDs: CSCvj97472. The vendor has confirmed this vulnerability and published it as Bug ID CSCvj97472. The device may be put into a denial-of-service (DoS) state. A denial of service vulnerability exists in the implementation of the Extensible Authentication Protocol over LAN (EAPOL) feature in Cisco Small Business 100 Series Wireless Access Points and Small Business 300 Series Wireless Access Points, which stems from the program not properly processing EAPOL frames. Multiple Cisco products are prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition.
VAR-201808-0301 CVE-2018-0418 Cisco ASR 9000 Series Aggregation Services Routers Local Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: 8.6
Severity: HIGH
A vulnerability in the Local Packet Transport Services (LPTS) feature set of Cisco ASR 9000 Series Aggregation Services Router Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of input and validation checking on certain Precision Time Protocol (PTP) ingress traffic to an affected device. An attacker could exploit this vulnerability by injecting malformed traffic into an affected device. A successful exploit could allow the attacker to cause services on the device to become unresponsive, resulting in a DoS condition. Cisco Bug IDs: CSCvj22858. The Cisco ASR 9000 series contains vulnerabilities related to input validation and resource exhaustion. The vendor has confirmed this vulnerability and published it as Bug ID CSCvj22858. The device may be put into a denial-of-service (DoS) state. Cisco IOS XR for Cisco ASR 9000 Series Aggregation Services Routers is an operating system running on 9000 Series routers. The Local Packet Transport Services (LPTS) feature set in Cisco ASR 9000 Series Aggregation Services Router Software has a denial of service vulnerability.
VAR-201808-0302 CVE-2018-0419 Cisco Email Security Appliances Input validation vulnerability CVSS V2: 4.3
CVSS V3: 7.5
Severity: HIGH
A vulnerability in certain attachment detection mechanisms of Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to bypass the filtering functionality of an affected system. The vulnerability is due to the improper detection of content within executable (EXE) files. An attacker could exploit this vulnerability by sending a customized EXE file that is not recognized and blocked by the ESA. A successful exploit could allow an attacker to send email messages that contain malicious executable files to unsuspecting users. Cisco Bug IDs: CSCvh03786. The vendor has confirmed this vulnerability and published it as Bug ID CSCvh03786. Information may be tampered with. The device provides spam protection, email encryption, and data loss prevention. An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks.
VAR-201808-0956 CVE-2018-9129 ZyXEL ZyWALL/USG series devices cryptographic vulnerability CVSS V2: 4.3
CVSS V3: 5.9
Severity: MEDIUM
ZyXEL ZyWALL/USG series devices have a Bleichenbacher vulnerability in their Internet Key Exchange (IKE) handshake implementation used for IPsec based VPN connections. ZyXEL ZyWALL/USG series devices contain cryptographic vulnerabilities. Information may be tampered with. ZyXEL ZyWALL/USG is a network security firewall device from ZyXEL Technology Company. An attacker could exploit this vulnerability to retrieve the IKEv1 session key and decrypt the connection.
VAR-201808-0303 CVE-2018-0427 Cisco Digital Network Architecture Center Input validation vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
A vulnerability in the CronJob scheduler API of Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to incorrect input validation of user-supplied data. An attacker could exploit this vulnerability by sending a malicious packet. A successful exploit could allow the attacker to execute arbitrary commands with root privileges. Cisco Bug IDs: CSCvi42263. The vendor has confirmed this vulnerability and published it as Bug ID CSCvi42263. Information may be obtained or altered, and the system may be put into a denial-of-service (DoS) state. The solution scales and protects devices, applications, and more within the network.
VAR-201808-0631 CVE-2018-15172 TP-Link WR840N Device buffer error vulnerability

Related entries in the VARIoT exploits database: VAR-E-201808-0273
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
TP-Link WR840N devices have a buffer overflow via a long Authorization HTTP header. The TP-Link WR840N device contains a buffer error vulnerability. The device may be put into a denial-of-service (DoS) state. The TP-Link WR840N is a wireless router product from China Unicom (TP-LINK). A buffer overflow vulnerability exists in the TP-Link WR840N. An attacker could exploit the vulnerability to cause a denial of service.
VAR-201808-0304 CVE-2018-0428 Cisco Web Security Appliance Access control vulnerability CVSS V2: 7.2
CVSS V3: 6.7
Severity: MEDIUM
A vulnerability in the account management subsystem of Cisco Web Security Appliance (WSA) could allow an authenticated, local attacker to elevate privileges to root. The attacker must authenticate with valid administrator credentials. The vulnerability is due to improper implementation of access controls. An attacker could exploit this vulnerability by authenticating to the device as a specific user to gain the information needed to elevate privileges to root in a separate login shell. A successful exploit could allow the attacker to escape the CLI subshell and execute system-level commands on the underlying operating system as root. Cisco Bug IDs: CSCvj93548. The vendor has confirmed this vulnerability and published it as Bug ID CSCvj93548. Information may be obtained or altered, and the system may be put into a denial-of-service (DoS) state.
VAR-201808-0298 CVE-2018-0412 Cisco Small Business 100 Series and Small Business 300 Series Wireless Access Points cryptographic vulnerability CVSS V2: 2.9
CVSS V3: 5.3
Severity: MEDIUM
A vulnerability in the implementation of Extensible Authentication Protocol over LAN (EAPOL) functionality in Cisco Small Business 100 Series Wireless Access Points and Cisco Small Business 300 Series Wireless Access Points could allow an unauthenticated, adjacent attacker to force the downgrade of the encryption algorithm that is used between an authenticator (access point) and a supplicant (Wi-Fi client). The vulnerability is due to the improper processing of certain EAPOL messages that are received during the Wi-Fi handshake process. An attacker could exploit this vulnerability by establishing a man-in-the-middle position between a supplicant and an authenticator and manipulating an EAPOL message exchange to force usage of a WPA-TKIP cipher instead of the more secure AES-CCMP cipher. A successful exploit could allow the attacker to conduct subsequent cryptographic attacks, which could lead to the disclosure of confidential information. Cisco Bug IDs: CSCvj29229. The vendor has confirmed this vulnerability and published it as Bug ID CSCvj29229. Information may be tampered with.
VAR-201808-0184 CVE-2018-10369 Intelbras Win 240 Cross-Site Scripting Vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A cross-site scripting (XSS) vulnerability was discovered on Intelbras Win 240 V1.1.0 devices. An attacker can change the admin password without a login. Intelbras Win 240 contains an access control vulnerability. Information may be obtained or altered, and the system may be put into a denial-of-service (DoS) state. Intelbras Win 240 is a wireless router from Brazil's Intelbras.
VAR-201904-1363 CVE-2018-4300 CUPS web interface session cookie information disclosure vulnerability CVSS V2: 4.3
CVSS V3: 5.9
Severity: MEDIUM
The session cookie generated by the CUPS web interface was easy to guess on Linux, allowing unauthorized scripted access to the web interface when the web interface is enabled. This issue affected versions prior to v2.2.10. CUPS is prone to a security weakness. Successfully exploiting this issue may allow attackers to bypass security mechanisms. This may lead to other attacks. CUPS is an open source printing system. This vulnerability stems from configuration errors in network systems or products during operation. An unauthorized attacker could exploit the vulnerability to obtain sensitive information of the affected components.

X41 D-Sec GmbH Security Advisory: X41-2018-005

Multiple Vulnerabilities in Apple smartcardservices
===================================================

Overview
--------
Confirmed Affected Versions: e3eb96a6eff9d02497a51b3c155a10fa5989021f
Confirmed Patched Versions: 8eef01a5e218ae78cc358de32213b50a601662de
Vendor: Apple
Vendor URL: https://smartcardservices.github.io/
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-005-smartcardservices/

Summary and Impact
------------------
Attackers with local access can exploit security issues in the smartcard driver. These result in memory corruptions, which might lead to code execution. Since smartcards can be used for authentication, the vulnerabilities may allow an attacker to log in to the system without valid credentials as any user.

X41 did not perform a full test or audit on the software.

Product Description
-------------------
The Smart Card Services project is comprised of several components which, when combined, provide the necessary abstraction layer and integration of smart cards into Apple's CDSA implementation.

Stack based buffer overflow
===========================
Severity Rating: Medium
Vector: APDU Response
CVE: CVE-2018-4300
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary and Impact
------------------
In file Tokend/CAC/CACRecord.cpp the function CACCertificateRecord::getDataAttribute() might overwrite the value certificate and possibly other stack data, if a smartcard provides malicious data.

{% highlight c++ %}
unsigned char command[] = { 0x80, 0x36, 0x00, 0x00, 0x64 };
unsigned char result[MAX_BUFFER_SIZE];
size_t resultLength = sizeof(result);
uint8 certificate[CAC_MAXSIZE_CERT];
uint8 uncompressed[CAC_MAXSIZE_CERT];
size_t certificateLength = 0;
try
{
    PCSC::Transaction _(cacToken);
    cacToken.select(mApplication);
    uint32_t cac_return;
    do
    {
        cac_return = cacToken.exchangeAPDU(command, sizeof(command), result, resultLength);
        if ((cac_return & 0xFF00) != 0x6300)
            CACError::check(cac_return);
        size_t requested = command[4];
        if (resultLength != requested + 2)
            PCSC::Error::throwMe(SCARD_E_PROTO_MISMATCH);
        // certificateLength is never compared against sizeof(certificate): a card
        // that keeps answering 0x63xx drives this copy past the end of the stack buffer.
        memcpy(certificate + certificateLength, result, resultLength - 2);
        certificateLength += resultLength - 2;
        // Number of bytes to fetch next time around is in the last byte
        // returned.
        command[4] = cac_return & 0xFF;
    } while ((cac_return & 0xFF00) == 0x6300);
}
catch (...)
{
    return NULL;
}
{% endhighlight %}

As long as the smartcard returns a return code of 0x63FF, more data is copied into the certificate buffer, causing a stack based overflow. A malicious smartcard is able to control all of the overflowed bytes.

Workarounds
-----------
None

Stack based buffer overflow with limited input
==============================================
Severity Rating: Medium
Vector: APDU Response
CVE: CVE-2018-4301
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary and Impact
------------------
In file Tokend/PKCS11/GemaltoKeyHandle.cpp the function GemaltoPrivateKeyRecord::computeDecrypt() might overwrite the value strData if the supplied dataLength is too big.

{% highlight c++ %}
void GemaltoPrivateKeyRecord::computeDecrypt(GemaltoToken &gemaltoToken, CK_ULONG mech, const AccessCredentials *cred, unsigned char *data, size_t dataLength, unsigned char *output, size_t &outputLength)
{
    GemaltoToken::log("\nGemaltoPrivateKeyRecord::computeDecrypt <BEGIN>\n");
    GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - mechanism <%lu>\n", mech);
    GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - cred <%p>\n", cred);

    // 6000 bytes holds the hex dump of at most 1999 input bytes ("%02x " is three
    // characters per byte plus the terminating NUL); dataLength is not checked.
    char strData[6000];
    memset(strData, '\0', sizeof(strData));
    char *str = strData;
    for (size_t i = 0; i < dataLength; i++)
    {
        str += sprintf(str, "%02x ", data[i]);
    }

    GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - dataLength <%lu> - data <%s>\n", dataLength, strData);
    GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - output <%p>\n", output);
    GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - outputLength <%lu>\n", outputLength);
{% endhighlight %}

The attacker might control the data which is to be decrypted, but exploitation is limited by the sprintf() format string.

Workarounds
-----------
None

Timeline
========
2018-02-03 Issues found
2018-05-22 Vendor contacted
2018-05-22 Automated vendor reply
2018-05-23 Personal vendor reply
2018-06-05 Requesting technical feedback from the vendor
2018-06-22 Vendor states that the bugs are fixed in public git
2018-07-12 CVE IDs assigned
2018-08-03 https://smartcardservices.github.io/security/ updated
2018-08-11 Advisory released

--
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier
VAR-201809-1079 CVE-2018-7101 HPE Integrated Lights Out 4 and iLO 5 Input validation vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A potential remote denial of service security vulnerability has been identified in HPE Integrated Lights Out 4 prior to v2.60 and iLO 5 for Gen 10 servers prior to v1.30. HPE Integrated Lights Out 4 and iLO 5 contain an input validation vulnerability. The system may be put into a denial-of-service (DoS) state. HP Integrated Lights-Out is prone to an unspecified remote denial-of-service vulnerability. Exploiting this issue allows remote attackers to trigger denial-of-service conditions. HPE Integrated Lights-Out (iLO) is an embedded server management technology that monitors and maintains the running status of the server and remotely manages and controls it through an integrated remote management port. A remote attacker could exploit this vulnerability to cause a denial of service.
VAR-201808-0938 CVE-2018-7093 Multiple HPE products vulnerability related to security functions CVSS V2: 7.8
CVSS V3: 8.6
Severity: HIGH
A security vulnerability in HPE Integrated Lights-Out 3 prior to v1.90, iLO 4 prior to v2.60, iLO 5 prior to v1.30, Moonshot Chassis Manager firmware prior to v1.58, and Moonshot Component Pack prior to v2.55 could be remotely exploited to create a denial of service. Multiple HPE products contain vulnerabilities related to security functions. The system may be put into a denial-of-service (DoS) state. HPE Integrated Lights-Out (iLO) is an embedded server management technology, which monitors and maintains the health of the server, remotely manages the server, etc. through an integrated remote management port. Moonshot Chassis Manager is the chassis manager and Moonshot Component Pack is the component pack for HPE Moonshot systems. Security vulnerabilities exist in several HPE products. A remote attacker could exploit this vulnerability to cause a denial of service.
VAR-201808-0802 CVE-2018-2450 SAP MaxDB SQL injection vulnerability CVSS V2: 6.5
CVSS V3: 7.2
Severity: HIGH
SAP MaxDB (liveCache), versions 7.8 and 7.9, allows an attacker who gets DBM operator privileges to execute crafted database queries and therefore read, modify or delete sensitive data from the database. SAP MaxDB (liveCache) contains an SQL injection vulnerability. Information may be obtained or altered, and the system may be put into a denial-of-service (DoS) state. SAP MaxDB is prone to an unspecified SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. SAP MaxDB (liveCache) 7.8 and 7.9 are vulnerable.
VAR-201808-0939 CVE-2018-7094 3PAR Service Processor Vulnerable to information disclosure CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-5.0.0.0-22913(GA). The vulnerability may be exploited locally to allow disclosure of privileged information.
VAR-201808-0942 CVE-2018-7097 3PAR Service Processor Vulnerable to cross-site request forgery CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). The vulnerability may be exploited remotely to allow cross-site request forgery. 3PAR Service Processor (SP) contains a cross-site request forgery vulnerability. Information may be obtained or altered, and the system may be put into a denial-of-service (DoS) state.
VAR-201808-0943 CVE-2018-7098 3PAR Service Processor Path traversal vulnerability CVSS V2: 3.6
CVSS V3: 8.4
Severity: HIGH
A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). The vulnerability may be locally exploited to allow directory traversal.
VAR-201808-0944 CVE-2018-7099 3PAR Service Processor Vulnerable to information disclosure CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). The vulnerability may be locally exploited to allow disclosure of privileged information.
VAR-201808-0940 CVE-2018-7095 3PAR Service Processor Access control vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). The vulnerability may be exploited remotely to allow access restriction bypass. 3PAR Service Processor (SP) contains an access control vulnerability. Information may be obtained or altered, and the system may be put into a denial-of-service (DoS) state.
VAR-201808-0941 CVE-2018-7096 3PAR Service Processor Code vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). The vulnerability may be exploited remotely to allow code execution.