VARIoT IoT vulnerabilities database

VAR-201805-0927 CVE-2018-5520 Access control vulnerability in multiple F5 BIG-IP products CVSS V2: 3.5
CVSS V3: 4.4
Severity: MEDIUM
On an F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.1, or 11.2.1-11.6.3.1 system configured in Appliance mode, the TMOS Shell (tmsh) may allow an administrative user to use the dig utility to gain unauthorized access to file system resources. Multiple F5 BIG-IP products contain an access control vulnerability; information may be obtained. F5 BIG-IP LTM and related products are made by the American company F5. F5 BIG-IP LTM is a local traffic manager; BIG-IP AAM is an application acceleration manager. TMOS Shell (tmsh) is one of their command-line tools. Several F5 products have security vulnerabilities in TMOS Shell. The following products and versions are affected, each in versions 13.0.0 to 13.1.0.5, 12.1.0 to 12.1.3, and 11.2.1 to 11.6.3: F5 BIG-IP LTM, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM, BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, and BIG-IP GTM; BIG-IP Link Controller 13.0.0 to 13.1.0.5, 12.1.0 to 12.1.3, 11.2.1 to 11

VAR-201805-0523 CVE-2018-0288 Cisco WebEx Recorder and Player WRF File Length Field Out-Of-Bounds Read Information Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: 5.3
Severity: LOW
A vulnerability in Cisco WebEx Recording Format (WRF) Player could allow an unauthenticated, remote attacker to access sensitive data about the application. An attacker could exploit this vulnerability to gain information to conduct additional reconnaissance attacks. The vulnerability is due to a design flaw in Cisco WRF Player. An attacker could exploit this vulnerability by utilizing a maliciously crafted file that could bypass checks in the code and enable an attacker to read memory from outside the bounds of the mapped file. This vulnerability affects Cisco WebEx Business Suite meeting sites, Cisco WebEx Meetings sites, and Cisco WebEx WRF players. Cisco Bug IDs: CSCvh89107, CSCvh89113, CSCvh89132, CSCvh89142. The vendor has confirmed this vulnerability and published it as Bug IDs CSCvh89107, CSCvh89113, CSCvh89132, and CSCvh89142. Information may be obtained. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of WRF files. Crafted data in a WRF file can trigger a read past the end of a mapped view of a file. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.

VAR-201805-0522 CVE-2018-0287 Input validation vulnerability in Cisco WebEx Network Recording Player for Advanced Recording Format CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
A vulnerability in the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. The vulnerability is due to a design flaw in the affected software. An attacker could exploit this vulnerability by sending a user an email attachment or link to a malicious ARF file and persuading the user to open the file or follow the link. A successful exploit could allow the attacker to execute arbitrary code on the user's system. This vulnerability affects Cisco WebEx Business Suite meeting sites, Cisco WebEx Meetings sites, Cisco WebEx Meetings Server, and Cisco WebEx ARF players. Cisco Bug IDs: CSCvh70213, CSCvh70222, CSCvh70228. The vendor has confirmed this vulnerability and published it as Bug IDs CSCvh70213, CSCvh70222, and CSCvh70228. Information may be obtained or altered, and service operation may be disrupted (DoS).

VAR-201805-0206 CVE-2017-17020 Command injection vulnerability in the firmware of multiple D-Link products CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
On D-Link DCS-5009 devices with firmware 1.08.11 and earlier, DCS-5010 devices with firmware 1.14.09 and earlier, and DCS-5020L devices with firmware before 1.15.01, command injection in alphapd (the binary responsible for running the camera's web server) allows remote authenticated attackers to execute code through sanitized /setSystemAdmin user input in the AdminID field being passed directly to a call to system. The firmware of the D-Link DCS-5009, DCS-5010, and DCS-5020L devices contains a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). The D-Link DCS-5009, DCS-5010 and DCS-5020L are different models of network camera from D-Link; alphapd is their web server. A remote code execution vulnerability exists in alphapd on the D-Link DCS-5009 with firmware 1.08.11 and earlier, the DCS-5010 with firmware 1.14.09 and earlier, and the DCS-5020L with firmware prior to 1.15.01.

VAR-201805-0894 CVE-2018-6242 NVIDIA Tegra BootROM Recovery Mode buffer error vulnerability CVSS V2: 7.2
CVSS V3: 6.8
Severity: MEDIUM
Some NVIDIA Tegra mobile processors released prior to 2016 contain a buffer overflow vulnerability in BootROM Recovery Mode (RCM). An attacker with physical access to the device's USB and the ability to force the device to reboot into RCM could exploit the vulnerability to execute unverified code. BootROM Recovery Mode (RCM) contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). NVIDIA Tegra mobile processors are central processing units from NVIDIA. BootROM Recovery Mode (RCM) is one of the engineering-mode components and can modify data on the device.

VAR-201805-0926 CVE-2018-5519 Access control vulnerability in multiple F5 BIG-IP products CVSS V2: 5.5
CVSS V3: 4.9
Severity: MEDIUM
On F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.3, or 11.2.1-11.6.3.1, administrative users by way of undisclosed methods can exploit the ssldump utility to write to arbitrary file paths. For users who do not have Advanced Shell access (for example, any user when licensed for Appliance Mode), this allows more permissive file access than intended. Multiple F5 BIG-IP products contain an access control vulnerability; information may be tampered with. F5 BIG-IP LTM and related products are made by the American company F5. F5 BIG-IP LTM is a local traffic manager; BIG-IP AAM is an application acceleration manager. Several F5 products are affected. An attacker could exploit this vulnerability to write to any file path, and so to access, modify or delete arbitrary files or gain escalated privileges, which may aid in further attacks. The following products and versions are affected, each in versions 13.0.0 to 13.1.0.5, 12.1.0 to 12.1.3, and 11.2.1 to 11.6.3: F5 BIG-IP LTM, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM, BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP GTM, and BIG-IP Link Controller; BIG-IP PEM 13.0.0 to 13.1.0.5, 12

VAR-201805-0925 CVE-2018-5518 Access control vulnerability in multiple F5 BIG-IP products CVSS V2: 2.3
CVSS V3: 5.4
Severity: MEDIUM
On F5 BIG-IP 13.0.0-13.1.0.5 or 12.0.0-12.1.3.3, malicious root users with access to a VCMP guest can cause a disruption of service on adjacent VCMP guests running on the same host. Exploiting this vulnerability causes the vCMPd process on the adjacent VCMP guest to restart and produce a core file. This issue is only exploitable on a VCMP guest which is operating in "host-only" or "bridged" mode. VCMP guests which are "isolated" are not impacted by this issue and do not provide a mechanism to exploit the vulnerability. Guests which are deployed in "Appliance Mode" may be impacted; however, the exploit is not possible from an Appliance Mode guest. To exploit this vulnerability, root access on a guest system deployed in "host-only" or "bridged" mode is required. Multiple F5 BIG-IP products contain an access control vulnerability; service operation may be disrupted (DoS). F5 BIG-IP LTM and related products are made by the American company F5. F5 BIG-IP LTM is a local traffic manager; BIG-IP AAM is an application acceleration manager. Several F5 products are affected. An attacker can exploit this issue to cause a denial-of-service condition.
The following products are affected, each in versions 13.0.0 to 13.1.0.5 and 12.1.0 to 12.1.3: F5 BIG-IP LTM, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM, BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP GTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebAccelerator, and BIG-IP WebSafe.

VAR-201805-0924 CVE-2018-5517 Input validation vulnerability in multiple F5 BIG-IP products CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
On F5 BIG-IP 13.1.0-13.1.0.5, malformed TCP packets sent to a self IP address or a FastL4 virtual server may cause an interruption of service. The control plane is not exposed to this issue. This issue impacts the data plane virtual servers and self IPs. Multiple F5 BIG-IP products contain an input validation vulnerability; service operation may be disrupted (DoS). F5 BIG-IP LTM and related products are made by the American company F5. F5 BIG-IP LTM is a local traffic manager; BIG-IP AAM is an application acceleration manager. Several F5 products are affected. The following products are affected, each in version 13.1.0: F5 BIG-IP LTM, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM, BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP GTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebAccelerator, and BIG-IP WebSafe.

VAR-201805-1019 CVE-2018-9232 Authentication vulnerability in T&W WIFI Repeater BE126 devices CVSS V2: 9.3
CVSS V3: 7.8
Severity: HIGH
Due to the lack of firmware authentication in the upgrade process of T&W WIFI Repeater BE126 devices, an attacker can craft a malicious firmware and use it as an update. The T&W WIFI Repeater BE126 device contains an authentication vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). The Gongjin Electronics T&W WIFI Repeater BE126 is a wireless Internet repeater from China's Gongjin Electronics. The vulnerability is caused by the upgrade process failing to authenticate the firmware; an attacker could exploit it by presenting maliciously crafted firmware as a newer firmware image.

VAR-201805-0958 CVE-2018-8938 Ipswitch WhatsUp Gold code injection vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
A Code Injection issue was discovered in DlgSelectMibFile.asp in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can inject a specially crafted SNMP MIB file that could allow them to execute arbitrary commands and code on the WhatsUp Gold server. Ipswitch WhatsUp Gold contains a code injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Ipswitch WhatsUp Gold is a suite of unified infrastructure and application monitoring software from Ipswitch in the United States. The software supports performance management of networks, servers, virtual environments and applications.

VAR-201805-0959 CVE-2018-8939 Ipswitch WhatsUp Gold server-side request forgery vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An SSRF issue was discovered in NmAPI.exe in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can submit specially crafted requests via the NmAPI executable to (1) gain unauthorized access to the WhatsUp Gold system, (2) obtain information about the WhatsUp Gold system, or (3) execute remote commands. Ipswitch WhatsUp Gold contains a server-side request forgery vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Ipswitch WhatsUp Gold is a suite of unified infrastructure and application monitoring software from Ipswitch in the United States. The software supports performance management of networks, servers, virtual environments and applications.

VAR-201805-0922 CVE-2018-5515 Input validation vulnerability in multiple F5 BIG-IP products CVSS V2: 6.3
CVSS V3: 4.4
Severity: MEDIUM
On F5 BIG-IP 13.0.0-13.1.0.5, using RADIUS authentication responses from a RADIUS server with IPv6 addresses may cause TMM to crash, leading to a failover event. Multiple F5 BIG-IP products contain an input validation vulnerability; service operation may be disrupted (DoS). F5 BIG-IP LTM and related products are made by the American company F5. F5 BIG-IP LTM is a local traffic manager; BIG-IP AAM is an application acceleration manager. Several F5 products are affected. When Large Receive Offload and SYN cookies are enabled, an attacker can exploit the vulnerability to cause a denial of service (restart). F5 BIG-IP is prone to a remote denial-of-service vulnerability: an attacker can exploit this issue to crash the affected application, resulting in denial-of-service conditions. The following products are affected, each in versions 13.0.0 to 13.1.0: F5 BIG-IP LTM, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM, BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP GTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebAccelerator, and BIG-IP WebSafe.

VAR-201805-0921 CVE-2018-5514 Input validation vulnerability in multiple F5 BIG-IP products CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
On F5 BIG-IP 13.1.0-13.1.0.5, maliciously crafted HTTP/2 request frames can lead to denial of service. There is data plane exposure for virtual servers when the HTTP2 profile is enabled. There is no control plane exposure to this issue. Multiple F5 BIG-IP products contain an input validation vulnerability; service operation may be disrupted (DoS). F5 BIG-IP LTM and related products are made by the American company F5. F5 BIG-IP LTM is a local traffic manager; BIG-IP AAM is an application acceleration manager. Several F5 products are affected. An attacker could exploit the vulnerability to cause a denial of service or potentially expose the data plane. F5 BIG-IP is prone to a remote denial-of-service vulnerability: an attacker can exploit this issue to crash the affected application, resulting in denial-of-service conditions. The following products are affected, each in version 13.1.0: F5 BIG-IP LTM, BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebAccelerator, and BIG-IP WebSafe.

VAR-201805-0920 CVE-2018-5512 Resource management vulnerability in multiple F5 BIG-IP products CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
On F5 BIG-IP 13.1.0-13.1.0.5, when Large Receive Offload (LRO) and SYN cookies are enabled (default settings), undisclosed traffic patterns may cause TMM to restart. Multiple F5 BIG-IP products contain a resource management vulnerability; service operation may be disrupted (DoS). F5 BIG-IP LTM and related products are made by the American company F5. F5 BIG-IP LTM is a local traffic manager; BIG-IP AAM is an application acceleration manager. Several F5 products are affected. When Large Receive Offload and SYN cookies are enabled, an attacker can exploit the vulnerability to cause a denial of service (restart). F5 BIG-IP is prone to a remote denial-of-service vulnerability. The following products are affected, each in versions 13.1.0 to 13.1.0.5: F5 BIG-IP LTM, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM, BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP GTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebAccelerator, and BIG-IP WebSafe.

VAR-201804-0675 CVE-2018-10576 Authentication vulnerability in the software of multiple WatchGuard devices CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Improper authentication handling by the native Access Point web UI allows authentication using a local system account (instead of the dedicated web-only user). The software of the WatchGuard AP100, AP102, and AP200 devices contains an authentication vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). WatchGuard AP100, AP102 and AP200 are different series of indoor wireless access point devices from WatchGuard. The vulnerability in firmware prior to 1.2.9.15 stems from the native Access Point web UI failing to handle authentication properly; an attacker can use it to gain access to an AP device with a local system account. The ZX Security advisory covering this issue and the related WatchGuard AP issues follows.

Introduction
============

Multiple vulnerabilities can be chained together in a number of WatchGuard AP products which result in pre-authenticated remote code execution. The vendor has produced a knowledge-base article[1] and announcement[2] regarding these issues. ZX Security would like to commend the prompt response and resolution of these reported issues by the vendor.

Product
=======

Several WatchGuard Access Points running firmware before v1.2.9.15 are affected, including:

* AP100
* AP102
* AP200

The AP300 is also affected by issues 2, 3 and 4 when running firmware before 2.0.0.10. The latest firmware update resolves these issues.

Technical Details
=================

1) Hard-coded credentials
-------------------------

CVE-2018-10575

A hard-coded user exists in /etc/passwd. The vendor has requested the specific password and hash be withheld until users can apply the patch. There is no way for a user of the access point to change this password. An attacker who is aware of this password is able to access the device over SSH and pivot network requests through the device, though they may not run commands as the shell is set to /bin/false.

2) Hidden authentication method in web interface allows for authentication bypass
---------------------------------------------------------------------------------

CVE-2018-10576

The standard authentication method for accessing the webserver involves submitting an HTML form. This uses a username and password separate from the standard Linux based /etc/passwd authentication. An alternative authentication method was identified from reviewing the source code whereby, when the HTTP headers AUTH_USER and AUTH_PASS are set, credentials are instead tested against the standard Linux /etc/passwd file. This allows an attacker to use the hardcoded credentials found previously (see 1. Hard-coded credentials) to gain web access to the device. An example command that demonstrates this issue is:

    curl https://watchguard-ap200/cgi-bin/luci -H "AUTH_USER: admin" -H "AUTH_PASS: [REDACTED]" -k -v

This session allows for complete access to the web interface as an administrator.

3) Hidden "wgupload" functionality allows for file uploads as root and remote code execution
--------------------------------------------------------------------------------------------

CVE-2018-10577

Reviewing the code reveals file upload functionality that is not shown to the user via the web interface. An attacker needs only a serial number (which is displayed to the user when they login to the device through the standard web interface and can be retrieved programmatically) and a valid session. An example request to demonstrate this issue is:

    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "/cgi-bin/luci/;#{stok}/wgupload",
      'headers' => {
        'AUTH_USER' => 'admin',
        'AUTH_PASS' => '[REDACTED]',
      },
      'cookie'  => "#{sysauth}; serial=#{serial}; filename=/www/cgi-bin/payload.luci; md5sum=fail",
      'data'    => "#!/usr/bin/lua\nos.execute('touch /code-execution');"
    })

An attacker can then visit the URL http://watchguard-ap200/cgi-bin/payload.luci to execute this command (or any other command).

4) Change password functionality incorrectly verifies old password
------------------------------------------------------------------

CVE-2018-10578

The change password functionality within the web interface attempts to verify the old password before setting a new one; however, this is done through AJAX. An attacker is able to simply modify the JavaScript to avoid this check or perform the POST request manually.

Metasploit Module
=================

ZX Security will be releasing a Metasploit module which automates exploitation of this chain of vulnerabilities. This has been delayed till 30 days after the initial patch was made available to ensure users are able to patch their devices. The module and the hard-coded password will be released on May the 14th 2018.

Disclosure Timeline
===================

Vendor notification: April 04, 2018
Vendor response: April 06, 2018
Firmware update released to public: April 13, 2018
Metasploit module release: May 14, 2018

References
==========

[1] https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy
[2] https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes

VAR-201804-0674 CVE-2018-10575 Use of hard-coded credentials in the software of multiple WatchGuard devices CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false. The software of the WatchGuard AP100, AP102, and AP200 devices contains a vulnerability related to the use of hard-coded credentials. Information may be obtained or altered, and service operation may be disrupted (DoS). WatchGuard AP100, AP102 and AP200 are different series of indoor wireless access point devices from WatchGuard. The vulnerability in firmware prior to 1.2.9.15 is caused by the program using hard-coded credentials; an attacker could use it to gain access to an AP device. The ZX Security advisory describing this issue (its section 1, Hard-coded credentials) together with the related WatchGuard AP issues is reproduced in full under VAR-201804-0675 (CVE-2018-10576) above.

VAR-201804-1326 CVE-2018-7891 Deserialization of untrusted data vulnerability in Milestone XProtect Video Management Software CVSS V2: 6.8
CVSS V3: 8.1
Severity: HIGH
The Milestone XProtect Video Management Software (Corporate, Expert, Professional+, Express+, Essential+) 2016 R1 (10.0.a) to 2018 R1 (12.1a) contains .NET Remoting endpoints that are vulnerable to deserialization attacks resulting in remote code execution. Siemens Milestone XProtect Video Management Software is a suite of video management software for managing surveillance video and other content. A remote attacker could use this vulnerability to execute code. Siemens Siveillance VMS is prone to a remote privilege-escalation vulnerability because it fails to properly sanitize user-supplied input. Failed exploit attempts may result in a denial-of-service condition.

VAR-201804-1328 CVE-2018-7901 Authorization, privilege, and access control vulnerability in Huawei ALP-AL00B and BLA-AL00B smartphones CVSS V2: 5.8
CVSS V3: 4.4
Severity: MEDIUM
The RCS module in Huawei ALP-AL00B smartphones with software versions earlier than 8.0.0.129 and BLA-AL00B smartphones with software versions earlier than 8.0.0.129 has a remote control vulnerability. An attacker can trick a user into installing a malicious application. When the application connects with RCS for the first time, the user needs to manually click to agree. In addition, the attacker needs to obtain the key that RCS uses to authenticate the application. Successful exploitation may allow the attacker to control the keyboard remotely. Huawei ALP-AL00B and BLA-AL00B smartphones contain a vulnerability related to authorization, privileges, and access control. Information may be altered and service operation may be disrupted (DoS). The Huawei ALP-AL00B and BLA-AL00B are both Huawei smartphone products; the RCS module is one of their converged communication modules.

VAR-201804-0446 CVE-2017-17318 Input validation vulnerability in Huawei MBB E5771h-937 CVSS V2: 6.1
CVSS V3: 6.5
Severity: MEDIUM
Huawei MBB (Mobile Broadband) E5771h-937 products with versions before E5771h-937TCPU-V200R001B328D62SP00C1133 and versions before E5771h-937TCPU-V200R001B329D05SP00C1308 have a Denial of Service (DoS) vulnerability. When an attacker with access to the device sends a specially crafted HTTP request to it, the web server process tries to allocate too much memory, which can cause the device to become unable to respond. An attacker can launch a DoS attack by exploiting this vulnerability. The Huawei E5771h-937 is a portable wireless router from China's Huawei.

VAR-201804-1517 CVE-2018-5234 Symantec Norton Core router command injection vulnerability CVSS V2: 8.3
CVSS V3: 8.0
Severity: HIGH
The Norton Core router prior to v237 may be susceptible to a command injection exploit. This is a type of attack in which the goal is execution of arbitrary commands on the host system via vulnerable software. The Symantec Norton Core router is a home security router device from Symantec Corporation of the United States.