VARIoT IoT vulnerabilities database


VAR-201702-0942 CVE-2016-9244 BIG-IP Virtual server memory leak vulnerability

Related entries in the VARIoT exploits database: VAR-E-201702-0115, VAR-E-201702-0114
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well. Multiple F5 BIG-IP products are prone to an information-disclosure vulnerability. Successfully exploiting this issue may allow attackers to obtain sensitive information. This may lead to other attacks. F5 BIG-IP Analytics and the other products listed below are products of F5 Corporation of the United States. F5 BIG-IP Analytics is a suite of web application performance analysis software. APM is a set of solutions that provide secure and unified access to business-critical applications and networks. LTM is a local traffic manager. The virtual server is one of the common configuration components. The following products and versions are affected: F5 BIG-IP LTM versions 12.0.0 through 12.1.2 and 11.4.0 through 11.6.1; BIG-IP AAM 12.0.0 through 12.1.2 and 11.4.0 through 11.6.1; BIG-IP AFM 12.0.0 through 12.1.2 and 11.4.0 through 11.6.1; BIG-IP Analytics 12.0.0 through 12.1.2 and 11.4.0 through 11.6.1; BIG-IP APM 12.0.0 through 12.1.2 and 11.4.0 through 11.6.1; BIG-IP ASM; BIG-IP Link Controller 12.0.0 through 12.1.2 and 11.4.0 through 11.6.1; BIG-IP PEM 12.0.0 through 12.1.2 and 11.4.0 through 11.6.1; BIG-IP PSM 11.4.0 through 11.4.1
VAR-201705-3163 CVE-2017-3126 Fortinet FortiAnalyzer and FortiManager Open redirect vulnerability
CVSS V2: 5.8
CVSS V3: 6.1
Severity: MEDIUM
An Open Redirect vulnerability in Fortinet FortiAnalyzer 5.4.0 through 5.4.2 and FortiManager 5.4.0 through 5.4.2 allows an attacker to execute unauthorized code or commands via the next parameter. FortiAnalyzer and FortiManager are prone to an open-redirect vulnerability. An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible. An open redirection vulnerability exists in Fortinet FortiAnalyzer versions 5.4.0 through 5.4.2 and FortiManager versions 5.4.0 through 5.4.2
VAR-201711-0262 CVE-2017-2696 Huawei Smartphone buffer error vulnerability
CVSS V2: 9.3
CVSS V3: 7.8
Severity: HIGH
The emerg_data driver in CAM-L21C10B130 and earlier versions and CAM-L21C185B141 and earlier versions has a buffer overflow vulnerability. An attacker with root privilege on the Android system can trick a user into installing a malicious application on the smartphone and send a given parameter to the smartphone to crash the system or escalate privilege. Huawei smartphones contain a buffer error vulnerability that may lead to information disclosure, information tampering, and disruption of service operation (DoS). Huawei Glory 5A is a smartphone product from China's Huawei company. emerg_data is an emergency-data driver that runs on it
VAR-201711-0213 CVE-2017-2697 Multiple Huawei Smartphones buffer error vulnerability
CVSS V2: 9.3
CVSS V3: 7.8
Severity: HIGH
The goldeneye driver in NMO-L31C432B120 and earlier versions, NEM-L21C432B100 and earlier versions, NEM-L51C432B120 and earlier versions, KNT-AL10C746B160 and earlier versions, VNS-L21C185B142 and earlier versions, CAM-L21C10B130 and earlier versions, and CAM-L21C185B141 and earlier versions has a buffer overflow vulnerability. An attacker with root privilege on the Android system can trick a user into installing a malicious application on the smartphone and send a given parameter to the smartphone to crash the system or escalate privilege. Multiple Huawei smartphones contain a buffer error vulnerability that may lead to information disclosure, information tampering, and disruption of service operation (DoS). Huawei GT3, Honor 5C, Honor V8, P9 Lite, and Y6 II are smartphone products of the Chinese company Huawei. goldeneye is a driver that runs on them. The following products and versions are affected: Huawei GT3 NMO-L31C432B120 and earlier; Honor 5C NEM-L21C432B100 and earlier, NEM-L21C432B120 and earlier; Honor V8 KNT-AL10C746B160 and earlier; P9 Lite VNS-L21C185B142 and earlier; Y6 II CAM-L21C10B130 and earlier, CAM-L21C185B141 and earlier
VAR-201702-0118 CVE-2016-8494 Fortinet Connect arbitrary code execution vulnerability
CVSS V2: 6.5
CVSS V3: 7.2
Severity: HIGH
Insufficient verification of uploaded files allows attackers with webui administrator privileges to perform arbitrary code execution by uploading a new webui theme. Fortinet Connect is prone to a remote code-execution vulnerability. Failed attempts may lead to denial-of-service conditions. Fortinet Connect 14.2, 14.10, 15.10 and 16.7 are vulnerable. Fortinet Connect is a network security access device developed by Fortinet that is based on device and user policy deployment. A security vulnerability exists in Fortinet Connect because the program does not sufficiently validate uploaded files. The following versions are affected: Fortinet Connect versions 14.2, 14.10, 15.10, 16.7
VAR-201702-1101 No CVE HP Printers Wi-Fi Unauthorized Access Vulnerability
CVSS V2: 9.4
CVSS V3: -
Severity: HIGH
HP Printers Wi-Fi refers to the Wi-Fi Direct printers from Hewlett Packard (HP). An unauthorized access vulnerability exists in HP Wi-Fi Direct printers; printers of the same model reachable via a public IP address are also affected. An attacker can exploit the vulnerability to obtain printer network information, modify the firewall configuration, and so on.
VAR-201702-1104 No CVE Web Based TimeSheet Script Authentication Bypass Vulnerability
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
A web-based timesheet is a program that monitors the work of employees. The Web Based TimeSheet script has an authentication bypass vulnerability: entering the string 'or' '=' in the password field is enough to trigger it. Attackers can use the vulnerability to bypass authentication.
VAR-201702-1095 No CVE NETWAVE IP Camera Password Disclosure Vulnerability
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The NETWAVE IP Camera is a webcam product. The NETWAVE IP Camera has a password leak vulnerability. An attacker can obtain the user name and password of the device using the published proof-of-concept (PoC) code, which may result in password leakage.
VAR-201702-1103 No CVE TM RG4332 Wireless Router Arbitrary File Disclosure Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The TM RG4332 is a wireless router. The web interface of the TM RG4332 wireless router has an arbitrary file disclosure vulnerability: because the program does not adequately verify user-supplied input, an attacker can exploit it to obtain sensitive information.
VAR-201702-0119 CVE-2016-8495 Fortinet FortiManager improper certificate validation vulnerability
CVSS V2: 5.8
CVSS V3: 7.4
Severity: HIGH
An improper certificate validation vulnerability in Fortinet FortiManager 5.0.6 through 5.2.7 and 5.4.0 through 5.4.1 allows a remote attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack via the FortiSandbox device probing feature. FortiManager is prone to an information-disclosure vulnerability. An attacker can exploit this issue to obtain potentially sensitive information. Information obtained may aid in further attacks. FortiManager 5.0.6 through 5.2.7 and 5.4.0 through 5.4.1 are vulnerable. Fortinet FortiManager is a centralized network security management platform developed by Fortinet. The platform supports centralized management of any number of Fortinet devices and can group devices into different administrative domains (ADOMs) to further simplify multi-device security deployment and management. A security vulnerability exists in Fortinet FortiManager because the program does not properly validate TLS certificates
VAR-201702-0797 CVE-2017-3807 Cisco ASA Software Clientless SSL VPN CIFS code heap overflow vulnerability
CVSS V2: 8.0
CVSS V3: 8.8
Severity: HIGH
A vulnerability in Common Internet Filesystem (CIFS) code in the Clientless SSL VPN functionality of Cisco ASA Software, Major Releases 9.0-9.6, could allow an authenticated, remote attacker to cause a heap overflow. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted URL to the affected system. An exploit could allow the remote attacker to cause a reload of the affected system or potentially execute code. Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 or IPv6 traffic. A valid TCP connection is needed to perform the attack. The attacker needs to have valid credentials to log in to the Clientless SSL VPN portal. Vulnerable Cisco ASA Software running on the following products may be affected by this vulnerability: Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA 5500-X Series Next-Generation Firewalls, Cisco Adaptive Security Virtual Appliance (ASAv), Cisco ASA for Firepower 9300 Series, Cisco ASA for Firepower 4100 Series. Cisco Bug IDs: CSCvc23838. Failed exploit attempts will likely cause a denial-of-service condition.

Cisco ASA: Buffer overflows in WebVPN cifs handling (CVE-2017-3807)

The WebVPN http server exposes a way of accessing files from CIFS with a url hook of the form https://portal/+webvpn+/CIFS_R/share_server/share_name/file. When someone logged into the portal navigates to such an address, the http_cifs_process_path function parses the request URI and creates 2 C strings in a http_cifs_context struct:

    http_cifs_context:
        +0x160 char* file_dir
        +0x168 char* file_name

These strings are copied in various places, but this is done incorrectly. For example, in ewaURLHookCifs, there is the following pseudocode:

    /* fixed-size 336-byte heap buffer */
    filename_copy_buf = calloc(1LL, 336LL);
    net_handle[10] = filename_copy_buf;
    if ( filename_copy_buf )
    {
        /* length taken from the attacker-controlled source, not the destination */
        src_len = _wrap_strlen(filename_from_request);
        if ( filename_from_request[src_len - 1] == ('|') )
        {
            // wrong length (src length)
            strncpy((char *)filename_copy_buf, filename_from_request, src_len - 1);
        }
    }

In this case, a fixed size buf (filename_copy_buf) is allocated. Later, strncpy is called to copy to it, but the length passed is the length of the src string, which can be larger than 336 bytes. This leads to heap overflow.

There appear to be various other places where the copying is done in an unsafe way:
- http_cifs_context_to_name, which is called from ewaFile{Read,Write,Get}Cifs and ewaFilePost, uses strcat to copy the file path and file name to a fixed size (stack) buffer.
- http_cifs_pre_fopen, which has a similar issue with passing the length of the src buffer to strncpy.
- Possibly http_add_query_str_from_context.

There are probably others that I missed. Note that triggering this bug requires logging in to the WebVPN portal first, but the cifs share does not need to exist.

Repro: Login to WebVPN portal, navigate to https://portal/+webvpn+/CIFS_R/server/name/ followed by 500 'A's. ("server" and "name" may be passed verbatim)

    *** Error in `lina': malloc(): memory corruption: 0x00007fa40c53f570 ***

This was tested on 9.6(2).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Found by: ochang
VAR-201702-0784 CVE-2017-3813 Cisco AnyConnect Secure Mobility Client Software for Windows SBL module Internet Explorer launch vulnerability
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
A vulnerability in the Start Before Logon (SBL) module of Cisco AnyConnect Secure Mobility Client Software for Windows could allow an unauthenticated, local attacker to open Internet Explorer with the privileges of the SYSTEM user. The vulnerability is due to insufficient implementation of the access controls. An attacker could exploit this vulnerability by opening the Internet Explorer browser. An exploit could allow the attacker to use Internet Explorer with the privileges of the SYSTEM user. This may allow the attacker to execute privileged commands on the targeted system. This vulnerability affects versions prior to the fixed releases 4.4.00243 and later and 4.3.05017 and later. Cisco Bug IDs: CSCvc43976. Cisco AnyConnect Secure Mobility Client is prone to a local privilege-escalation vulnerability. Start Before Logon (SBL) is one of the login dialog modules
VAR-201702-0752 CVE-2017-0437 Qualcomm Wi-Fi driver privilege escalation vulnerability
CVSS V2: 7.6
CVSS V3: 7.0
Severity: HIGH
An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402310. References: QC-CR#1092497. Google Nexus/Pixel are smartphones from Google of the United States. Google Nexus/Pixel products are prone to multiple privilege-escalation vulnerabilities. These issues are being tracked by Android Bug IDs A-32402310, A-32402604, A-32450647, A-32454494, A-32451171, A-32451104, A-33252788, A-32872662, A-32871330, A-32877494 and A-32879283
VAR-201702-0753 CVE-2017-0438 Qualcomm Wi-Fi driver privilege escalation vulnerability
CVSS V2: 7.6
CVSS V3: 7.0
Severity: HIGH
An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402604. References: QC-CR#1092497. Google Nexus/Pixel are smartphones from Google of the United States. Google Nexus/Pixel products are prone to multiple privilege-escalation vulnerabilities. These issues are being tracked by Android Bug IDs A-32402310, A-32402604, A-32450647, A-32454494, A-32451171, A-32451104, A-33252788, A-32872662, A-32871330, A-32877494 and A-32879283
VAR-201702-0679 CVE-2017-5161 Sielco Sistemi Winlog Pro/Winlog Lite DLL Load Local Code Execution Vulnerability
CVSS V2: 9.3
CVSS V3: 7.2
Severity: HIGH
An issue was discovered in Sielco Sistemi Winlog Lite SCADA Software, versions prior to Version 3.02.01, and Winlog Pro SCADA Software, versions prior to Version 3.02.01. An uncontrolled search path element (DLL Hijacking) vulnerability has been identified. Exploitation of this vulnerability could give an attacker access to the system with the same level of privilege as the application that utilizes the malicious DLL. Sielco Sistemi Winlog is SCADA/HMI monitoring software for data acquisition and remote control. A native code execution vulnerability exists in Sielco Sistemi Winlog Pro and Winlog Lite. An attacker could exploit the vulnerability to execute arbitrary code in the context of the affected application or crash it, causing a denial of service
VAR-201702-0856 CVE-2016-9355 Alaris 8015 PC unit Information Disclosure Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201702-0541
CVSS V2: 2.1
CVSS V3: 5.3
Severity: MEDIUM
An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device's flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device's removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker's convenience. The Alaris 8015 PC unit is the core of the Alaris System from the US company BD, providing a common user interface for programming intravenous infusions. An information disclosure vulnerability exists in the Alaris 8015 PC unit. Attackers can exploit the vulnerability to obtain sensitive information and launch further attacks
VAR-201702-1100 No CVE Multiple vulnerabilities in WD My Cloud Mirror
CVSS V2: 6.9
CVSS V3: -
Severity: MEDIUM
My Cloud Mirror is a My Cloud personal cloud storage device from Western Digital. WD My Cloud Mirror has authentication bypass and remote code execution vulnerabilities that allow an attacker to bypass a restriction, perform an unauthorized operation, or execute arbitrary code.
VAR-201702-0754 CVE-2017-0439 Qualcomm Wi-Fi driver privilege escalation vulnerability
CVSS V2: 7.6
CVSS V3: 7.0
Severity: HIGH
An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32450647. References: QC-CR#1092059. Google Nexus/Pixel are smartphones from Google of the United States. Google Nexus/Pixel products are prone to multiple privilege-escalation vulnerabilities. These issues are being tracked by Android Bug IDs A-32402310, A-32402604, A-32450647, A-32454494, A-32451171, A-32451104, A-33252788, A-32872662, A-32871330, A-32877494 and A-32879283
VAR-201702-0758 CVE-2017-0443 Qualcomm Wi-Fi driver privilege escalation vulnerability
CVSS V2: 7.6
CVSS V3: 7.0
Severity: HIGH
An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32877494. References: QC-CR#1092497. Google Nexus/Pixel are smartphones from Google of the United States. Google Nexus/Pixel products are prone to multiple privilege-escalation vulnerabilities. These issues are being tracked by Android Bug IDs A-32402310, A-32402604, A-32450647, A-32454494, A-32451171, A-32451104, A-33252788, A-32872662, A-32871330, A-32877494 and A-32879283
VAR-201702-0080 CVE-2016-8375 Alaris 8000/8015 PC units Information Disclosure Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201702-0541
CVSS V2: 1.9
CVSS V3: 4.9
Severity: MEDIUM
An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and the 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device's flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data, and carrying out this attack at a healthcare facility would increase the likelihood of detection. The Alaris 8000 and 8015 PC units are the core of the Alaris System from the US company BD, providing a common user interface for programming intravenous infusions. An information disclosure vulnerability exists in the Alaris 8000 and 8015 PC units. Attackers can exploit the vulnerability to obtain sensitive information, leading to further attacks