VARIoT IoT vulnerabilities database
| VAR-201808-0157 | CVE-2017-16348 | Insteon Hub Firmware authentication vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
An exploitable denial of service vulnerability exists in Insteon Hub running firmware version 1012. Leftover demo functionality allows for arbitrarily rebooting the device without authentication. An attacker can send a UDP packet to trigger this vulnerability. The Insteon Hub firmware contains an authentication vulnerability that may lead to service interruption (DoS). Insteon Hub is a central controller product from Insteon, USA. It can remotely control light bulbs, wall switches, air conditioners, etc. in the home.
| VAR-201808-0888 | CVE-2018-3832 | Insteon Hub firmware unrestricted upload of dangerous file type vulnerability |
CVSS V2: 8.5 CVSS V3: 9.0 Severity: CRITICAL |
An exploitable firmware update vulnerability exists in Insteon Hub running firmware version 1013. The HTTP server allows for uploading arbitrary MPFS binaries that could be modified to enable access to hidden resources which allow for uploading unsigned firmware images to the device. To trigger this vulnerability, an attacker can upload an MPFS binary via the '/mpfsupload' HTTP form and later on upload the firmware via a POST request to 'firmware.htm'. The Insteon Hub firmware contains a vulnerability related to unrestricted upload of dangerous file types. Information may be obtained or altered, and service operation may be disrupted (DoS). Insteon Hub is a central controller product from Insteon, USA. It can remotely control light bulbs, wall switches, air conditioners, etc. in the home.
| VAR-201808-1086 | No CVE | ZyXEL VMG3312-B10B Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The VMG3312-B10B is a router product from ZyXEL. A cross-site scripting vulnerability exists in the ZyXEL VMG3312-B10B that could allow an attacker to perform a cross-site scripting attack.
| VAR-201808-0146 | CVE-2017-16337 | Insteon Hub 2245-222 Device firmware buffer error vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
On Insteon Hub 2245-222 devices with firmware version 1012, specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. At 0x9d01ef24 the value for the s_offset key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large; sending anything longer will cause a buffer overflow. Insteon Hub 2245-222 is a central controller device from Insteon, USA. It can remotely control light bulbs, wall switches, air conditioners, etc. in the home.
| VAR-201905-0761 | CVE-2018-13365 | Fortinet FortiOS information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
An Information Exposure vulnerability in Fortinet FortiOS 6.0.1, 5.6.5 and below allows attackers to learn the private IP as well as the hostname of FortiGate via the Application Control Block page. Information may be obtained.
Attackers can exploit this issue to obtain sensitive information that may aid in further attacks.
Versions prior to FortiOS 5.6.6 and 6.0.2 are vulnerable. Fortinet FortiOS is a security operating system dedicated to the FortiGate network security platform developed by Fortinet. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, web content filtering and anti-spam. This vulnerability stems from configuration errors in network systems or products during operation.
| VAR-201808-0376 | CVE-2018-14787 | Philips IntelliSpace Cardiovascular and Xcelera vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
In Philips' IntelliSpace Cardiovascular (ISCV) products (ISCV Version 2.x or prior and Xcelera Version 4.1 or prior), an attacker with escalated privileges could access folders which contain executables where authenticated users have write permissions, and could then execute arbitrary code with local administrative permissions. Information may be obtained or altered, and service operation may be disrupted (DoS). Philips IntelliSpace Cardiovascular (ISCV) and Xcelera are both products of Philips in the Netherlands. Philips ISCV is a cardiac imaging information management system. Xcelera is its predecessor.
The vulnerabilities are caused by the failure of the program to perform proper rights management.
| VAR-201808-0377 | CVE-2018-14789 | Philips IntelliSpace Cardiovascular and Xcelera unquoted search path or element vulnerability |
CVSS V2: 4.6 CVSS V3: 6.7 Severity: MEDIUM |
In Philips' IntelliSpace Cardiovascular (ISCV) products (ISCV Version 3.1 or prior and Xcelera Version 4.1 or prior), an unquoted search path or element vulnerability has been identified, which may allow an attacker to execute arbitrary code and escalate their level of privileges. Information may be obtained or altered, and service operation may be disrupted (DoS).
| VAR-201808-0461 | CVE-2018-15481 | UCOPIA Wireless Appliance device firmware vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
Improper input sanitization within the restricted administration shell on UCOPIA Wireless Appliance devices using firmware version 5.1.x before 5.1.13 allows authenticated remote attackers to escape the shell and escalate their privileges by adding a LocalCommand to the SSH configuration file in the user home folder. The device firmware contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS).
| VAR-201808-1010 | CVE-2018-6692 | Belkin Wemo Insight Smart Plug Buffer error vulnerability |
CVSS V2: 10.0 CVSS V3: 10.0 Severity: CRITICAL |
Stack-based Buffer Overflow vulnerability in libUPnPHndlr.so in Belkin Wemo Insight Smart Plug allows remote attackers to bypass local security protection via a crafted HTTP post packet. Information may be obtained or altered, and service operation may be disrupted (DoS). Belkin Wemo Insight Smart Plug is a smart plug device from Belkin, USA.
| VAR-201808-0677 | CVE-2018-10932 | lldptool Buffer error vulnerability |
CVSS V2: 3.3 CVSS V3: 4.3 Severity: MEDIUM |
lldptool version 1.0.1 and older can print a raw, unsanitized attacker controlled buffer when mngAddr information is displayed. This may allow an attacker to inject shell control characters into the buffer and impact the behavior of the terminal. Information may be tampered with. lldptool is an implementation of the Link Layer Discovery Protocol.
=====================================================================
Red Hat Security Advisory
Synopsis: Low: lldpad security and bug fix update
Advisory ID: RHSA-2019:3673-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3673
Issue date: 2019-11-05
CVE Names: CVE-2018-10932
=====================================================================
1. Summary:
An update for lldpad is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64
3. Description:
The lldpad packages provide the Linux user space daemon and configuration
tool for Intel's Link Layer Discovery Protocol (LLDP) Agent with Enhanced
Ethernet support.
Security Fix(es):
* lldptool: improper sanitization of shell-escape codes (CVE-2018-10932)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1614896 - CVE-2018-10932 lldptool: improper sanitization of shell-escape codes
1727326 - lldpad memory usage increases over time
6. Package List:
Red Hat Enterprise Linux BaseOS (v. 8):
Source:
lldpad-1.0.1-13.git036e314.el8.src.rpm
aarch64:
lldpad-1.0.1-13.git036e314.el8.aarch64.rpm
lldpad-debuginfo-1.0.1-13.git036e314.el8.aarch64.rpm
lldpad-debugsource-1.0.1-13.git036e314.el8.aarch64.rpm
ppc64le:
lldpad-1.0.1-13.git036e314.el8.ppc64le.rpm
lldpad-debuginfo-1.0.1-13.git036e314.el8.ppc64le.rpm
lldpad-debugsource-1.0.1-13.git036e314.el8.ppc64le.rpm
s390x:
lldpad-1.0.1-13.git036e314.el8.s390x.rpm
lldpad-debuginfo-1.0.1-13.git036e314.el8.s390x.rpm
lldpad-debugsource-1.0.1-13.git036e314.el8.s390x.rpm
x86_64:
lldpad-1.0.1-13.git036e314.el8.i686.rpm
lldpad-1.0.1-13.git036e314.el8.x86_64.rpm
lldpad-debuginfo-1.0.1-13.git036e314.el8.i686.rpm
lldpad-debuginfo-1.0.1-13.git036e314.el8.x86_64.rpm
lldpad-debugsource-1.0.1-13.git036e314.el8.i686.rpm
lldpad-debugsource-1.0.1-13.git036e314.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2018-10932
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
| VAR-201808-0480 | CVE-2018-15553 | Telus Actiontec T2200H OS command injection vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
fileshare.cmd on Telus Actiontec T2200H T2200H-31.128L.03 devices allows OS Command Injection via shell metacharacters in the smbdUserid or smbdPasswd field. Information may be obtained or altered, and service operation may be disrupted (DoS). The Telus Actiontec T2200H is a modem device from Telus, USA.
| VAR-201901-0718 | CVE-2018-0651 | Buffer overflow vulnerability in license management function of multiple Yokogawa products |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Buffer overflow in the license management function of YOKOGAWA products (iDefine for ProSafe-RS R1.16.3 and earlier, STARDOM VDS R7.50 and earlier, STARDOM FCN/FCJ Simulator R4.20 and earlier, ASTPLANNER R15.01 and earlier, TriFellows V5.04 and earlier) allows remote attackers to stop the license management function or execute an arbitrary program via unspecified vectors. Multiple Yokogawa products are prone to a stack-based buffer overflow vulnerability because they fail to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely cause a denial-of-service condition. Yokogawa ASTPLANNER and the other affected products are all products of Japan's Yokogawa Electric (Yokogawa) company. Yokogawa ASTPLANNER is a production planning system; iDefine for ProSafe-RS is a functional safety management tool in the system safety life cycle.
| VAR-201808-1087 | No CVE | File Inclusion Vulnerability in D-Link DIR-300 Router |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
D-Link DIR-300 is a D-Link wireless router product.
The D-Link DIR-300 router contains a file inclusion vulnerability. Attackers can use the vulnerability to obtain sensitive information.
| VAR-201808-0470 | CVE-2018-15504 | Embedthis GoAhead and Appweb NULL pointer dereference vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11. Service operation may be interrupted (DoS). Embedthis GoAhead and Appweb are both products of Embedthis Software in the United States. Embedthis GoAhead is an embedded web server. Appweb is a fast and small web server, which is mainly used for embedded applications, devices and web services, and supports security defense strategies, digest authentication, virtual hosts, etc.
| VAR-201808-0471 | CVE-2018-15505 | Embedthis GoAhead and Appweb NULL pointer dereference vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 address. Service operation may be interrupted (DoS). Embedthis GoAhead and Appweb are both products of Embedthis Software in the United States. Embedthis GoAhead is an embedded web server. Appweb is a fast and small web server, which is mainly used for embedded applications, devices and web services, and supports security defense strategies, digest authentication, virtual hosts, etc.
| VAR-201808-0462 | CVE-2018-15482 | Access control vulnerability in Android running on LG devices |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Certain LG devices based on Android 6.0 through 8.1 have incorrect access control for MLT application intents. The LG ID is LVE-SMP-180006. SystemUI application intents is one of the system applications. The vulnerability stems from the program's failure to perform correct access control. A remote attacker can use this vulnerability to bypass security restrictions by sending a specially crafted request and gain access to MLT applications
| VAR-201808-0362 | CVE-2018-14982 | Access control vulnerability in Android running on LG devices |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Certain LG devices based on Android 6.0 through 8.1 have incorrect access control in the GNSS application. The LG ID is LVE-SMP-180004. GNSS application is one of the global satellite navigation applications. The vulnerability stems from the program's failure to perform correct access control. Remote attackers can use this vulnerability to gain access to GNSS applications
| VAR-201808-0361 | CVE-2018-14981 | Access control vulnerability in Android running on LG devices |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Certain LG devices based on Android 6.0 through 8.1 have incorrect access control for SystemUI application intents. The LG ID is LVE-SMP-180005.
SystemUI application intents is one of the system applications. Remote attackers can use this vulnerability to bypass security restrictions and gain access to SystemUI applications
| VAR-201808-0501 | CVE-2018-15356 | Eltex ESP-200 Command Injection Vulnerability |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
An authenticated attacker can execute arbitrary code using command injection in Eltex ESP-200 firmware version 1.2.0. Information may be obtained or altered, and service operation may be disrupted (DoS). The Eltex ESP-200 is a wireless router product.
| VAR-201808-0504 | CVE-2018-15359 | Eltex ESP-200 firmware vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
An authenticated attacker with low privileges can use insecure sudo configuration to expand attack surface in Eltex ESP-200 firmware version 1.2.0. The firmware contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). Eltex ESP-200 is a wireless router product. A remote attacker could exploit this vulnerability to gain elevated privileges.