VARIoT IoT vulnerabilities database

A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. This issue affected versions prior to iOS 11.4.1, Safari 11.1.2. iOS and Safari Is URL There is a vulnerability that can be spoofed due to a flaw in the processing of.Information may be tampered with. Apple Safari is prone to is prone to multiple address bar spoofing vulnerabilities. An attacker can exploit these issues to conduct spoofing attacks and perform unauthorized actions; other attacks are also possible. Apple iOS is an operating system developed for mobile devices. Safari is a web browser that is the default browser included with the Mac OS X and iOS operating systems. WebKit is one of the web browser engine components. The vulnerability stems from the fact that the network system or product does not properly validate the input data. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2018-7-9-1 iOS 11.4.1 iOS 11.4.1 is now available and addresses the following: CFNetwork Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Cookies may unexpectedly persist in Safari Description: A cookie management issue was addressed with improved checks. CVE-2018-4293: an anonymous researcher Emoji Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing an emoji under certain configurations may lead to a denial of service Description: A denial of service issue was addressed with improved memory handling. CVE-2018-4290: Patrick Wardle of Digita Security Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be able to read kernel memory Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. CVE-2018-4282: Proteas of Qihoo 360 Nirvan Team libxpc Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to gain elevated privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4280: Brandon Azad libxpc Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved input validation. CVE-2018-4248: Brandon Azad LinkPresentation Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Visiting a malicious website may lead to address bar spoofing Description: A spoofing issue existed in the handling of URLs. CVE-2018-4277: xisigr of Tencent's Xuanwu Lab (tencent.com) WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious website may exfiltrate audio data cross-origin Description: Sound fetched through audio elements may be exfiltrated cross-origin. CVE-2018-4278: Jun Kokatsu (@shhnjk) WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious website may be able to cause a denial of service Description: A race condition was addressed with additional validation. CVE-2018-4266: found by OSS-Fuzz WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Visiting a malicious website may lead to address bar spoofing Description: A spoofing issue existed in the handling of URLs. CVE-2018-4274: an anonymous researcher WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4270: found by OSS-Fuzz WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A type confusion issue was addressed with improved memory handling. CVE-2018-4284: Found by OSS-Fuzz WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4261: Omair working with Trend Micro's Zero Day Initiative CVE-2018-4262: Mateusz Krzywicki working with Trend Micro's Zero Day Initiative CVE-2018-4263: Arayz working with Trend Micro's Zero Day Initiative CVE-2018-4264: found by OSS-Fuzz, Yu Zhou and Jundong Xie of Ant-financial Light-Year Security Lab CVE-2018-4265: cc working with Trend Micro's Zero Day Initiative CVE-2018-4267: Arayz of Pangu team working with Trend Micro's Zero Day Initiative CVE-2018-4272: found by OSS-Fuzz WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash Description: Multiple memory corruption issues were addressed with improved input validation. CVE-2018-4271: found by OSS-Fuzz CVE-2018-4273: found by OSS-Fuzz WebKit Page Loading Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2018-4260: xisigr of Tencent's Xuanwu Lab (tencent.com) Wi-Fi Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to break out of its sandbox Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4275: Brandon Azad Additional recognition Kernel We would like to acknowledge juwei lin (@panicaII) of Trend Micro working with Trend Micro's Zero Day Initiative for their assistance. Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 11.4.1". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQJdBAEBCABHFiEEfcwwPWJ3e0Ig26mf8ecVjteJiCYFAltDyFEpHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQ8ecVjteJiCaYqQ/+ LoOw2Hgwr9l7EplQS1O9t9ssVvjaQ25JhxeAkEHhrrLTTpEHNOYhBgPj3XV3DkNT QR1XDKykgVXq1jAMqy2CzpVvb0bWrhAZte7lwLwTKiSdzWzY99LspMtck0uZXg5y qoePuHIifMF5oMzRsLq2IDKj7sDJ3mEOjOGizfJ5BRdFOZPKmuTLK/LnafzoqlOY XAYMj3puFWnlMs1ewTTbup5Oh0totisA7WlpDleG+a/IborfXe89nvUIAEyPH3UF jbPXGlIrB+aofMmoxgbJ7YDXm+7RZbRShrqS3IIwbuVWlWxi8M6AYvlFCAxKc3In R3Bum13NIR8ZTfLARmrRos54kzmygazCHK0yIkeKvJW3uSFIOUbBtkKQ8EpE8og9 KzNvxyMd5Le6kCJe8JECl6jrfnY7QrYBIPxowXymfcRyYpnpIidYHUPlej8OZYnT fH8lWsE09CikZjBLyKmM6NJ4Y24CAmILyJWTmrM+pM9jLN9InWxTr0raY+MiULnI MZgqDuP+wMKfcGGngOkDnmm84w4RSnwK7bRgVtCWV99rnqZvzDgoYhJXDyXXuPqL P0HN+TKdCJ7e+C4boqDup2Ojz7YhFXfCwkJ1fHLD+L+Aj46eLbuu9936vGgvAzQI 7aT98URG/GMffZ3Y53yDJZxHDTnFQ5/tOlNBv8LKJDA= =mzJ2 -----END PGP SIGNATURE----- . CVE-2018-4260: xisigr of Tencent's Xuanwu Lab (tencent.com) Installation note: Safari 11.1.2 may be obtained from the Mac App Store

An inconsistent user interface issue was addressed with improved state management. This issue affected versions prior to iOS 11.4.1, Safari 11.1.2. Apple Safari is prone to is prone to multiple address bar spoofing vulnerabilities. An attacker can exploit these issues to conduct spoofing attacks and perform unauthorized actions; other attacks are also possible. in the United States. Apple Safari is a web browser that is the default browser included with the Mac OS X and iOS operating systems. Apple iOS is an operating system developed for mobile devices. WebKit Page Loading is one of the page loading components. A remote attacker can use malicious websites to exploit this vulnerability to forge the contents of the address bar. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2018-7-9-1 iOS 11.4.1 iOS 11.4.1 is now available and addresses the following: CFNetwork Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Cookies may unexpectedly persist in Safari Description: A cookie management issue was addressed with improved checks. CVE-2018-4293: an anonymous researcher Emoji Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing an emoji under certain configurations may lead to a denial of service Description: A denial of service issue was addressed with improved memory handling. CVE-2018-4290: Patrick Wardle of Digita Security Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be able to read kernel memory Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. CVE-2018-4282: Proteas of Qihoo 360 Nirvan Team libxpc Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to gain elevated privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4280: Brandon Azad libxpc Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved input validation. CVE-2018-4248: Brandon Azad LinkPresentation Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Visiting a malicious website may lead to address bar spoofing Description: A spoofing issue existed in the handling of URLs. CVE-2018-4277: xisigr of Tencent's Xuanwu Lab (tencent.com) WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious website may exfiltrate audio data cross-origin Description: Sound fetched through audio elements may be exfiltrated cross-origin. CVE-2018-4278: Jun Kokatsu (@shhnjk) WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious website may be able to cause a denial of service Description: A race condition was addressed with additional validation. CVE-2018-4266: found by OSS-Fuzz WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Visiting a malicious website may lead to address bar spoofing Description: A spoofing issue existed in the handling of URLs. CVE-2018-4274: an anonymous researcher WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4270: found by OSS-Fuzz WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A type confusion issue was addressed with improved memory handling. CVE-2018-4284: Found by OSS-Fuzz WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4261: Omair working with Trend Micro's Zero Day Initiative CVE-2018-4262: Mateusz Krzywicki working with Trend Micro's Zero Day Initiative CVE-2018-4263: Arayz working with Trend Micro's Zero Day Initiative CVE-2018-4264: found by OSS-Fuzz, Yu Zhou and Jundong Xie of Ant-financial Light-Year Security Lab CVE-2018-4265: cc working with Trend Micro's Zero Day Initiative CVE-2018-4267: Arayz of Pangu team working with Trend Micro's Zero Day Initiative CVE-2018-4272: found by OSS-Fuzz WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash Description: Multiple memory corruption issues were addressed with improved input validation. CVE-2018-4271: found by OSS-Fuzz CVE-2018-4273: found by OSS-Fuzz WebKit Page Loading Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2018-4260: xisigr of Tencent's Xuanwu Lab (tencent.com) Wi-Fi Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to break out of its sandbox Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4275: Brandon Azad Additional recognition Kernel We would like to acknowledge juwei lin (@panicaII) of Trend Micro working with Trend Micro's Zero Day Initiative for their assistance. Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 11.4.1". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQJdBAEBCABHFiEEfcwwPWJ3e0Ig26mf8ecVjteJiCYFAltDyFEpHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQ8ecVjteJiCaYqQ/+ LoOw2Hgwr9l7EplQS1O9t9ssVvjaQ25JhxeAkEHhrrLTTpEHNOYhBgPj3XV3DkNT QR1XDKykgVXq1jAMqy2CzpVvb0bWrhAZte7lwLwTKiSdzWzY99LspMtck0uZXg5y qoePuHIifMF5oMzRsLq2IDKj7sDJ3mEOjOGizfJ5BRdFOZPKmuTLK/LnafzoqlOY XAYMj3puFWnlMs1ewTTbup5Oh0totisA7WlpDleG+a/IborfXe89nvUIAEyPH3UF jbPXGlIrB+aofMmoxgbJ7YDXm+7RZbRShrqS3IIwbuVWlWxi8M6AYvlFCAxKc3In R3Bum13NIR8ZTfLARmrRos54kzmygazCHK0yIkeKvJW3uSFIOUbBtkKQ8EpE8og9 KzNvxyMd5Le6kCJe8JECl6jrfnY7QrYBIPxowXymfcRyYpnpIidYHUPlej8OZYnT fH8lWsE09CikZjBLyKmM6NJ4Y24CAmILyJWTmrM+pM9jLN9InWxTr0raY+MiULnI MZgqDuP+wMKfcGGngOkDnmm84w4RSnwK7bRgVtCWV99rnqZvzDgoYhJXDyXXuPqL P0HN+TKdCJ7e+C4boqDup2Ojz7YhFXfCwkJ1fHLD+L+Aj46eLbuu9936vGgvAzQI 7aT98URG/GMffZ3Y53yDJZxHDTnFQ5/tOlNBv8LKJDA= =mzJ2 -----END PGP SIGNATURE----- . CVE-2018-4260: xisigr of Tencent's Xuanwu Lab (tencent.com) Installation note: Safari 11.1.2 may be obtained from the Mac App Store

In ADSP RPC in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear, a Use After Free condition can occur in versions MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SDX20. Snapdragon Automobile , Snapdragon Mobile ,and Snapdragon Wear Contains a vulnerability in the use of freed memory.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. QualcommMDM9206 is a central processing unit (CPU) product that Qualcomm uses on different platforms. ADSPRPC is one of the digital signal processing components. ADSPRPC in several Qualcomm products has a memory error reference vulnerability, and there is no detailed vulnerability description at present. Qualcomm MDM9206, etc. ADSP RPC in several Qualcomm products has a use-after-free vulnerability. A local attacker could exploit this vulnerability by sending a specially crafted request to cause a denial of service

All ADB broadband gateways / routers based on the Epicentro platform are affected by a local root jailbreak vulnerability where attackers are able to gain root access on the device, and extract further information such as sensitive configuration data of the ISP (e.g., VoIP credentials) or attack the internal network of the ISP. plural ADB Broadband gateways and routers contain access control vulnerabilities.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ADBbroadbandgateways/routersonEpicentroplatform is a gateway and router device for the Epicentro platform from ADB, Switzerland. A security vulnerability exists in ADBbroadbandgateways/routers based on the Epicentro platform

All ADB broadband gateways / routers based on the Epicentro platform are affected by a privilege escalation vulnerability where attackers can gain access to the command line interface (CLI) if previously disabled by the ISP, escalate their privileges, and perform further attacks. plural ADB Broadband gateways and routers contain vulnerabilities related to authorization, authority, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ADBbroadbandgateways/routersonEpicentroplatform is a gateway and router device for the Epicentro platform from ADB, Switzerland. An elevation of privilege vulnerability exists in ADBbroadbandgateways/routers based on the Epicentro platform

All ADB broadband gateways / routers based on the Epicentro platform are affected by an authorization bypass vulnerability where attackers are able to access and manipulate settings within the web interface that are forbidden to end users (e.g., by the ISP). An attacker would be able to enable the TELNET server or other settings as well. plural ADB Broadband gateways and routers contain vulnerabilities related to authorization, authority, and access control.Information may be tampered with. ADBbroadbandgateways/routersonEpicentroplatform is a gateway and router device for the Epicentro platform from ADB, Switzerland. A security vulnerability exists in ADBbroadbandgateways/routers based on the Epicentro platform

MikroTikRouterOS is a routing operating system based on Linux kernel development, compatible with x86PC routing software, which can be used to turn a standard PC into a professional router. Winbox is a software for remotely managing RouterOS based on Windows, providing an intuitive and convenient graphical interface. There are arbitrary file access vulnerabilities in MikrotikWinbox. An attacker can download arbitrary files, including the user database file of RouterOS, through a carefully constructed request package.

Improper Validation of Array Index In the adreno OpenGL driver in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear, an out-of-bounds access can occur in SurfaceFlinger. Attackers can exploit this vulnerability to cause out-of-bounds access

Improper restriction of communication channel to intended endpoints vulnerability in HTTP daemon in Synology SSL VPN Client before 1.2.4-0224 allows remote attackers to conduct man-in-the-middle attacks via a crafted payload. Synology SSL VPN Client Contains vulnerabilities related to channel and path errors.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Synology SSL VPN Client is a VPN client software developed by Synology for connecting to internal encrypted networks. A remote attacker can exploit this vulnerability to implement a man-in-the-middle attack with a specially crafted payload

A vulnerability in Trend Micro Maximum Security's (Consumer) 2018 (versions 12.0.1191 and below) User-Mode Hooking (UMH) driver could allow an attacker to create a specially crafted packet that could alter a vulnerable system in such a way that malicious code could be injected into other processes. Trend Micro Maximum Security Contains a code injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state

Entrust Datacard Syntera CS 5.x has XSS via the name field of "Domain or Computer Name" in the login page. Entrust Datacard Syntera CS Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Entrust Datacard Syntera CS is an integrated suite of Entrust Datacard Corporation in the United States for connecting Datacard issuing systems and special software

An issue was discovered on Diqee Diqee360 devices. A firmware update process, integrated into the firmware, starts at boot and tries to find the update folder on the microSD card. It executes code, without a digital signature, as root from the /mnt/sdcard/$PRO_NAME/upgrade.sh or /sdcard/upgrage_360/upgrade.sh pathname. Diqee Diqee360 The device contains vulnerabilities related to security functions.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Diqee Diqee360 is an intelligent sweeping robot equipment produced by China Diqee Company. Diqee There is a security vulnerability in Diqee360. An attacker could exploit this vulnerability to execute arbitrary code on the system by sending a specially crafted request

An issue was discovered on Dongguan Diqee Diqee360 devices. The affected vacuum cleaner suffers from an authenticated remote code execution vulnerability. An authenticated attacker can send a specially crafted UDP packet, and execute commands on the vacuum cleaner as root. The bug is in the function REQUEST_SET_WIFIPASSWD (UDP command 153). A crafted UDP packet runs "/mnt/skyeye/mode_switch.sh %s" with an attacker controlling the %s variable. In some cases, authentication can be achieved with the default password of 888888 for the admin account. Diqee Diqee360 The device contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Diqee Diqee360 is an intelligent sweeping robot equipment produced by China Diqee Company

Huawei smart phones Emily-AL00A with software 8.1.0.106(SP2C00) and 8.1.0.107(SP5C00) have a Factory Reset Protection (FRP) bypass vulnerability. An attacker gets some user's smart phone and performs some special operations in the guide function. The attacker may exploit the vulnerability to bypass FRP function and use the phone normally. Emily-AL00A Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. HuaweiEmily-AL00A is a smartphone device from China's Huawei company. There is a security vulnerability in the HuaweiEmily-AL00A8.1.0.106 (SP2C00) version and 8.1.0.107 (SP5C00)

Airties 5444 1.0.0.18 and 5444TT 1.0.0.18 devices allow XSS. Airties 5444 and 5444TT Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Both Airties 5444 and 5444TT are modem products of Turkish company Airties. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML

AutoEnt is a picture configuration software. AutoEnt has a memory corruption vulnerability. An attacker could exploit the vulnerability to cause memory corruption when reading a project file

Shenzhen INVT Electric Co., Ltd. is a product and service provider in the fields of electrical transmission, industrial control and new energy. The INVT VS series HMI programming software has a memory read out-of-bounds vulnerability. The vulnerability is caused by the failure of the file to verify the header of the project file. Attackers can use the vulnerability to cause memory reads to cross the boundary, causing a denial of service vulnerability. If the vulnerability is successfully exploited, it may also cause arbitrary code execution

Cross-site scripting (XSS) vulnerability in Address Book Editor in Synology CardDAV Server before 6.0.8-0086 allows remote authenticated users to inject arbitrary web script or HTML via the (1) family_name, (2) given_name, or (3) additional_name parameter. Synology CardDAV Server Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Synology CardDAV Server is an application from Synology for synchronizing contacts. Address Book Editor is one of the address book editors

Unquoted service paths in Intel Processor Diagnostic Tool (IPDT) before version 4.1.0.27 allows a local attacker to potentially execute arbitrary code. Intel Processor Diagnostic Tool (IPDT) is a processor function diagnostic tool of Intel Corporation. A security vulnerability exists in versions prior to Intel IPDT 4.1.0.27. Intel published advisory SA-00140 <https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00140.html> on 2018-06-27 and updated installers on 2018-05-18. The vulnerabilities can be exploited in standard installations of Windows where the user^WUAC-"protected administrator" account created during Windows setup is used, without elevation. This precondition holds for the majority of Windows installations: according to Microsoft's own security intelligence reports <https://www.microsoft.com/security/sir>, about 1/2 to 3/4 of the about 600 million Windows installations which send telemetry data have only ONE active user account. #1 Denial of service through insecure file permissions ====================================================== The downloadable executable installer (really: executable self-extractor built with WinZIP) IPDT_Installer_4.1.0.24.exe creates a subdirectory with random name in %TEMP%, copies itself into this subdirectory and then executes its copy. The subdirectory inherits the NTFS ACLs from its parent %TEMP%, and so does the copy of the executable self-extractor. For this well-known and well-documented vulnerability see <https://cwe.mitre.org/data/definitions/377.html> and <https://cwe.mitre.org/data/definitions/379.html> plus <https://capec.mitre.org/data/definitions/29.html> Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. download IPDT_Installer_4.1.0.24.exe (quite some clueless copycats still offer it, violating Intel's copyright; <http://d.computerbild.de/downloads/7835763/IPDT_Installer_4.1.0.24.exe>) and save it in your "Downloads" directory"; 2. add the NTFS access control list entry (D;OIIO;WP;;;WD) meaning "deny execution of files in this directory for everyone, inheritable to files in all subdirectories" to the (user's) %TEMP% directory. 3. execute IPDT_Installer_4.1.024.exe: notice the complete failure of the executable installer^Wself-extractor, WITHOUT error message! #2 Escalation of privilege through insecure file permissions ============================================================ Although the (copy of the) executable self-extractor runs with administrative privileges (its embedded "application manifest" specifies 'requireAdministrator'), it extracts its payload, the REAL installers setup.exe and setup64.exe, plus the batch script setup.bat, UNPROTECTED into the user's %TEMP% directory, CD's into %TEMP% and finally executes the extracted batch script %TEMP%\setup.bat: --- setup.bat --- echo off ver | findstr 6.1.7600 if %errorlevel%==0 goto WinUnsup ver | findstr 6.0.6001 if %errorlevel%==0 goto WinUnsup if "%programfiles(x86)%XXX"=="XXX" goto 32BIT :64BIT setup64.exe goto END :32BIT setup.exe goto END :WinUnsup echo Intel Processor Diagnostic Tool cannot be installed on this Operating System echo Please go to Online support page to view list of supported Oerating Systems pause :END exit 0 --- EOF --- The extracted files inherit the NTFS ACLs from their parent %TEMP%, allowing "full access" for the unprivileged (owning) user, who can replace/overwrite the files between their creation and execution. Since the files are executed with administrative privileges, this vulnerability results in arbitrary code execution with escalation of privilege. Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. create the following batch script in an arbitrary directory: --- IPDT.CMD --- :LOOP1 @If Not Exist "%TEMP%\setup.exe" Goto :LOOP1 Echo >"%TEMP%\setup.bat" WhoAMI.exe /all Echo >>"%TEMP%\setup.bat" Pause :LOOP2 @If Not Exist "%TEMP%\setup64.exe" Goto :LOOP2 Copy /Y %COMSPEC% "%TEMP%\setup.exe" :LOOP3 @Copy %COMSPEC% "%TEMP%\setup64.exe" @If ERRORLEVEL 1 Goto :LOOP3 --- EOF --- NOTE: the batch script needs to win a race (which it almost always will, due to the size of the files extracted). 2. execute the batch script per double-click; 3. execute IPDT_Installer_4.1.024.exe per double-click: notice the command processor started instead one of the executable installers, running with administrative privileges. #3 Escalation of privilege through unsafe search path ===================================================== In Windows Vista and newer versions, the current working directory can be removed from the executable search path: <https://msdn.microsoft.com/en-us/library/ms684269.aspx> The batch script setup.bat calls setup.exe and setup64.exe without a path, so the command processor doesn't find the extracted setup.exe and setup64.exe in its CWD and searches them via %PATH%. %PATH% is under full control of the unprivileged user, who can create rogue setup.exe and setup64.exe in an arbitrary directory he adds to the %PATH%, resulting again in arbitrary code execution with escalation of privilege. For this well-known and well-documented vulnerability see <https://cwe.mitre.org/data/definitions/426.html> and <https://cwe.mitre.org/data/definitions/427.html> plus <https://capec.mitre.org/data/definitions/471.html>. Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. start an unprivileged command prompt in an arbitrary directory where the unprivileged user can create files, for example the user's "Downloads" directory; 2. add this (current working) directory to the user's PATH: PATH %CD%;%PATH% REG.exe Add HKCU\Environment /V PATH /T REG_SZ /D "%CD%" /F 3. copy the command processor %COMSPEC% (or any rogue executable of your choice) as setup.exe and setup64.exe into the current (working) directory: COPY %COMSPEC% "%CD%\setup.exe" COPY %COMSPEC% "%CD%\setup64.exe" 4. set the environment variable NoDefaultCurrentDirectoryInExePath to an arbitrary value: SET NoDefaultCurrentDirectoryInExePath=* REG.exe Add HKCU\Environment /V NoDefaultCurrentDirectoryInExePath /T REG_SZ /D "*" /F 5. execute IPDT_Installer_4.1.024.exe per double-click: notice the command processor started instead of the extracted executable installers, running with administrative privileges. #4 Escalation of privilege through DLL search order hijacking ============================================================= The extracted executable installers setup.exe and setup64.exe, built with the crapware known as InstallShield, load multiple Windows system DLLs from their "application directory" %TEMP% instead from Windows' "system directory" %SystemRoot%\System32\ To quote Raymond Chen <https://blogs.msdn.microsoft.com/oldnewthing/20121031-00/?p=6203> | a rogue DLL in the TEMP directory is a trap waiting to be sprung. An unprivileged attacker running in the same user account can copy rogue DLLs into %TEMP%; these are loaded and their DllMain() routine executed with administrative privileges, once more resulting in arbitrary code execution with escalation of privilege. For this well-known and well-documented vulnerability see <https://cwe.mitre.org/data/definitions/426.html> and <https://cwe.mitre.org/data/definitions/427.html> plus <https://capec.mitre.org/data/definitions/471.html>. Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. follow the instructions from <https://skanthak.homepage.t-online.de/minesweeper.html> and build a minefield of forwarder DLLs in your %TEMP% directory; NOTE: if you can't or don't want to build the minefield, download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL> and save it as UXTheme.dll, DWMAPI.dll, NTMARTA.dll and MSI.dll in your %TEMP% directory. 2. execute IPDT_Installer_4.1.0.24.exe: notice the message boxes displayed from the DLLs built in step 1! NOTE: on a fully patched Windows 7 SP1, setup64.exe loads at least the following 32-bit DLLs from %TEMP%: UXTheme.dll, Version.dll, NTMARTA.dll and MSI.dll Due to its filename, setup.exe additionally loads WinMM.dll, SAMCli.dll, MSACM32.dll, SFC.dll, SFC_OS.dll, DWMAPI.dll and MPR.dll. Fix: ==== 1. DUMP all those forever vulnerable executable installers and self-extractors; provide an .MSI package or an .INF script plus a .CAB archive instead! 2. NEVER use an unqualified filename to execute/load an application or a DLL, ALWAYS specify their fully qualified pathname! Mitigations: ============ 1. DON'T execute executable self-extractors. 2. NEVER execute executable self-extractors with administrative privileges. 3. extract the payload of the self-extractor with a SAFE and SECURE unzip.exe into a properly protected directory. 4. exercise STRICT privilege separation: use separate unprivileged user accounts and privileged administrator account, DISABLE the "security theatre" UAC in the unprivileged user accounts. stay tuned Stefan Kanthak PS: the "portable executable" IPDT_Installer_4.1.024.exe has an export directory, but does NOT export any symbols: both the numbers of names and functions are 0, and the RVAs of the functions, names and ordinals arrays are 0 too. Timeline: ========= 2018-03-28 sent vulnerability report to <secure@intel.com> no reply, not even an acknowledgement of receipt 2018-04-05 resent vulnerability report to <secure@intel.com>, CC: to CERT/CC no reply, not even an acknowledgement of receipt 2018-05-03 resent vulnerability report via HackerOne 2018-05-04 Intel acknowledges receipt 2018-05-17 Intel confirms the reported vulnerabilities 2018-05-21 Intel publishes fixed installers, with a dangling reference to SA-00140 in the release notes, plus inaccuracies regarding the dependencies of IPDT NO notification sent to me that fixes have been published! 2018-06-05 sent report about the errors in the release notes after stumbling over the fixes 2018-06-12 Intel acknowledges the report regarding the notes 2018-06-27 Intel publishes their advisory SA-00140 AGAIN no notification sent that the advisory has been published! Intel's understanding of coordinated disclosure looks rather weird to me

Installation tool IPDT (Intel Processor Diagnostic Tool) 4.1.0.24 sets permissions of installed files incorrectly, allowing for execution of arbitrary code and potential privilege escalation. Intel Processor Diagnostic Tool (IPDT) is a processor function diagnostic tool of Intel Corporation. Intel published advisory SA-00140 <https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00140.html> on 2018-06-27 and updated installers on 2018-05-18. The vulnerabilities can be exploited in standard installations of Windows where the user^WUAC-"protected administrator" account created during Windows setup is used, without elevation. This precondition holds for the majority of Windows installations: according to Microsoft's own security intelligence reports <https://www.microsoft.com/security/sir>, about 1/2 to 3/4 of the about 600 million Windows installations which send telemetry data have only ONE active user account. #1 Denial of service through insecure file permissions ====================================================== The downloadable executable installer (really: executable self-extractor built with WinZIP) IPDT_Installer_4.1.0.24.exe creates a subdirectory with random name in %TEMP%, copies itself into this subdirectory and then executes its copy. The subdirectory inherits the NTFS ACLs from its parent %TEMP%, and so does the copy of the executable self-extractor. For this well-known and well-documented vulnerability see <https://cwe.mitre.org/data/definitions/377.html> and <https://cwe.mitre.org/data/definitions/379.html> plus <https://capec.mitre.org/data/definitions/29.html> Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. download IPDT_Installer_4.1.0.24.exe (quite some clueless copycats still offer it, violating Intel's copyright; <http://d.computerbild.de/downloads/7835763/IPDT_Installer_4.1.0.24.exe>) and save it in your "Downloads" directory"; 2. add the NTFS access control list entry (D;OIIO;WP;;;WD) meaning "deny execution of files in this directory for everyone, inheritable to files in all subdirectories" to the (user's) %TEMP% directory. 3. execute IPDT_Installer_4.1.024.exe: notice the complete failure of the executable installer^Wself-extractor, WITHOUT error message! #2 Escalation of privilege through insecure file permissions ============================================================ Although the (copy of the) executable self-extractor runs with administrative privileges (its embedded "application manifest" specifies 'requireAdministrator'), it extracts its payload, the REAL installers setup.exe and setup64.exe, plus the batch script setup.bat, UNPROTECTED into the user's %TEMP% directory, CD's into %TEMP% and finally executes the extracted batch script %TEMP%\setup.bat: --- setup.bat --- echo off ver | findstr 6.1.7600 if %errorlevel%==0 goto WinUnsup ver | findstr 6.0.6001 if %errorlevel%==0 goto WinUnsup if "%programfiles(x86)%XXX"=="XXX" goto 32BIT :64BIT setup64.exe goto END :32BIT setup.exe goto END :WinUnsup echo Intel Processor Diagnostic Tool cannot be installed on this Operating System echo Please go to Online support page to view list of supported Oerating Systems pause :END exit 0 --- EOF --- The extracted files inherit the NTFS ACLs from their parent %TEMP%, allowing "full access" for the unprivileged (owning) user, who can replace/overwrite the files between their creation and execution. Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. create the following batch script in an arbitrary directory: --- IPDT.CMD --- :LOOP1 @If Not Exist "%TEMP%\setup.exe" Goto :LOOP1 Echo >"%TEMP%\setup.bat" WhoAMI.exe /all Echo >>"%TEMP%\setup.bat" Pause :LOOP2 @If Not Exist "%TEMP%\setup64.exe" Goto :LOOP2 Copy /Y %COMSPEC% "%TEMP%\setup.exe" :LOOP3 @Copy %COMSPEC% "%TEMP%\setup64.exe" @If ERRORLEVEL 1 Goto :LOOP3 --- EOF --- NOTE: the batch script needs to win a race (which it almost always will, due to the size of the files extracted). 2. execute the batch script per double-click; 3. execute IPDT_Installer_4.1.024.exe per double-click: notice the command processor started instead one of the executable installers, running with administrative privileges. #3 Escalation of privilege through unsafe search path ===================================================== In Windows Vista and newer versions, the current working directory can be removed from the executable search path: <https://msdn.microsoft.com/en-us/library/ms684269.aspx> The batch script setup.bat calls setup.exe and setup64.exe without a path, so the command processor doesn't find the extracted setup.exe and setup64.exe in its CWD and searches them via %PATH%. %PATH% is under full control of the unprivileged user, who can create rogue setup.exe and setup64.exe in an arbitrary directory he adds to the %PATH%, resulting again in arbitrary code execution with escalation of privilege. For this well-known and well-documented vulnerability see <https://cwe.mitre.org/data/definitions/426.html> and <https://cwe.mitre.org/data/definitions/427.html> plus <https://capec.mitre.org/data/definitions/471.html>. Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. start an unprivileged command prompt in an arbitrary directory where the unprivileged user can create files, for example the user's "Downloads" directory; 2. add this (current working) directory to the user's PATH: PATH %CD%;%PATH% REG.exe Add HKCU\Environment /V PATH /T REG_SZ /D "%CD%" /F 3. copy the command processor %COMSPEC% (or any rogue executable of your choice) as setup.exe and setup64.exe into the current (working) directory: COPY %COMSPEC% "%CD%\setup.exe" COPY %COMSPEC% "%CD%\setup64.exe" 4. set the environment variable NoDefaultCurrentDirectoryInExePath to an arbitrary value: SET NoDefaultCurrentDirectoryInExePath=* REG.exe Add HKCU\Environment /V NoDefaultCurrentDirectoryInExePath /T REG_SZ /D "*" /F 5. execute IPDT_Installer_4.1.024.exe per double-click: notice the command processor started instead of the extracted executable installers, running with administrative privileges. #4 Escalation of privilege through DLL search order hijacking ============================================================= The extracted executable installers setup.exe and setup64.exe, built with the crapware known as InstallShield, load multiple Windows system DLLs from their "application directory" %TEMP% instead from Windows' "system directory" %SystemRoot%\System32\ To quote Raymond Chen <https://blogs.msdn.microsoft.com/oldnewthing/20121031-00/?p=6203> | a rogue DLL in the TEMP directory is a trap waiting to be sprung. An unprivileged attacker running in the same user account can copy rogue DLLs into %TEMP%; these are loaded and their DllMain() routine executed with administrative privileges, once more resulting in arbitrary code execution with escalation of privilege. For this well-known and well-documented vulnerability see <https://cwe.mitre.org/data/definitions/426.html> and <https://cwe.mitre.org/data/definitions/427.html> plus <https://capec.mitre.org/data/definitions/471.html>. Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. follow the instructions from <https://skanthak.homepage.t-online.de/minesweeper.html> and build a minefield of forwarder DLLs in your %TEMP% directory; NOTE: if you can't or don't want to build the minefield, download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL> and save it as UXTheme.dll, DWMAPI.dll, NTMARTA.dll and MSI.dll in your %TEMP% directory. 2. execute IPDT_Installer_4.1.0.24.exe: notice the message boxes displayed from the DLLs built in step 1! NOTE: on a fully patched Windows 7 SP1, setup64.exe loads at least the following 32-bit DLLs from %TEMP%: UXTheme.dll, Version.dll, NTMARTA.dll and MSI.dll Due to its filename, setup.exe additionally loads WinMM.dll, SAMCli.dll, MSACM32.dll, SFC.dll, SFC_OS.dll, DWMAPI.dll and MPR.dll. Fix: ==== 1. DUMP all those forever vulnerable executable installers and self-extractors; provide an .MSI package or an .INF script plus a .CAB archive instead! 2. NEVER use an unqualified filename to execute/load an application or a DLL, ALWAYS specify their fully qualified pathname! Mitigations: ============ 1. DON'T execute executable self-extractors. 2. NEVER execute executable self-extractors with administrative privileges. 3. extract the payload of the self-extractor with a SAFE and SECURE unzip.exe into a properly protected directory. 4. exercise STRICT privilege separation: use separate unprivileged user accounts and privileged administrator account, DISABLE the "security theatre" UAC in the unprivileged user accounts. stay tuned Stefan Kanthak PS: the "portable executable" IPDT_Installer_4.1.024.exe has an export directory, but does NOT export any symbols: both the numbers of names and functions are 0, and the RVAs of the functions, names and ordinals arrays are 0 too. Timeline: ========= 2018-03-28 sent vulnerability report to <secure@intel.com> no reply, not even an acknowledgement of receipt 2018-04-05 resent vulnerability report to <secure@intel.com>, CC: to CERT/CC no reply, not even an acknowledgement of receipt 2018-05-03 resent vulnerability report via HackerOne 2018-05-04 Intel acknowledges receipt 2018-05-17 Intel confirms the reported vulnerabilities 2018-05-21 Intel publishes fixed installers, with a dangling reference to SA-00140 in the release notes, plus inaccuracies regarding the dependencies of IPDT NO notification sent to me that fixes have been published! 2018-06-05 sent report about the errors in the release notes after stumbling over the fixes 2018-06-12 Intel acknowledges the report regarding the notes 2018-06-27 Intel publishes their advisory SA-00140 AGAIN no notification sent that the advisory has been published! Intel's understanding of coordinated disclosure looks rather weird to me