VARIoT IoT vulnerabilities database

VAR-201710-0197 | CVE-2017-10624 | Juniper Networks Junos Space Vulnerabilities related to insufficient validation of data reliability |
CVSS V2: 5.1 CVSS V3: 7.5 Severity: HIGH |
Insufficient verification of node certificates in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to make unauthorized modifications to the Space database or add nodes. Affected releases are Juniper Networks Junos Space all versions prior to 17.1R1. Juniper Networks Junos Space contains a vulnerability related to insufficient validation of data reliability. Information may be obtained or altered, and service operation may be disrupted (DoS). Juniper Junos Space is prone to a security-bypass vulnerability.
Successfully exploiting this issue may allow attackers to bypass security restrictions and perform unauthorized actions by conducting a man-in-the-middle attack. This may lead to other attacks. Junos Space supports automated configuration, monitoring, and troubleshooting of devices and services throughout their lifecycle.
VAR-201710-0195 | CVE-2017-10622 | Juniper Networks Junos Space Vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote unauthenticated network based attacker to login as any privileged user. This issue only affects Junos Space Network Management Platform 17.1R1 without Patch v1 and 16.1 releases prior to 16.1R3. This issue was found by an external security researcher. Juniper Networks Junos Space contains a vulnerability related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). Juniper Junos Space is prone to an authentication-bypass vulnerability.
An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may lead to further attacks. The platform enables automated configuration, monitoring and troubleshooting of devices and services throughout their lifecycle. A remote attacker could exploit this vulnerability to log in as a user with arbitrary privileges.
VAR-201710-1465 | No CVE | SAP NetWeaver System Landscape Directory Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
SAP NetWeaver is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.
VAR-201710-1476 | No CVE | SAP Netweaver Web Dynpro ABAP Denial of Service Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
SAP Netweaver is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause denial-of-service conditions.
VAR-201710-1447 | No CVE | Vacron NVR Device Remote Command Execution Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Vacron is mainly engaged in the production of various types of mobile monitoring, CCTV monitoring systems, IP remote image monitoring systems and other related products, and also accepts customized ODM and OEM orders. Its main products are driving recorders, CCTV analog monitoring systems, CMS, and IP cameras. A remote command execution vulnerability exists in the Vacron NVR device. An attacker can exploit the vulnerability to execute arbitrary commands.
VAR-201710-1462 | No CVE | SAP NetWeaver Instance Agent Service Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
SAP NetWeaver is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.
VAR-201710-1460 | No CVE | SAP NetWeaver Instance Agent Service Memory Corruption Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
SAP NetWeaver is prone to an unspecified memory-corruption vulnerability.
Attackers can leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
VAR-201710-0074 | CVE-2016-5791 | JanTek JTC-200 Unauthorized Access Vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
An Improper Authentication issue was discovered in JanTek JTC-200, all versions. The improper authentication could provide an undocumented BusyBox Linux shell accessible over the TELNET service without any authentication. JanTek JTC-200 contains an authentication vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). The JanTek JTC-200 is a TCP/IP converter (serial server) from JanTek Technology. An unauthorized access vulnerability exists in the JanTek JTC-200. JanTek JTC-200 is prone to a cross-site request-forgery vulnerability and an authentication-bypass vulnerability.
An attacker can exploit these issues to bypass the authentication mechanism and perform unauthorized actions. This may aid in further attacks. An attacker could exploit this vulnerability to gain access to the BusyBox Linux shell.
Vendor: JanTek
Equipment: JTC-200
Vulnerabilities: Cross-site Request Forgery, Improper Authentication
Advisory URL:
https://ipositivesecurity.com/2017/10/28/ics-jantek-jtc-200-rs232-net-converter-advisory-published/
ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-283-02
CVE-ID
CVE-2016-5789
CVE-2016-5791
Detailed Proof of Concept:
https://ipositivesecurity.com/2016/07/05/rs232-net-converter-model-jtc-200-multiple-vulnerabilities/
------------------------
AFFECTED PRODUCTS
------------------------
The following versions of JTC-200, a TCP/IP converter, are affected:
JTC-200 all versions.
------------------------
BACKGROUND
------------------------
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Europe and Asia
Company Headquarters Location: Taiwan
------------------------
IMPACT
------------------------
Successful exploitation of these vulnerabilities allows for remote code
execution on the device with elevated privileges.
------------------------
VULNERABILITY OVERVIEW
------------------------
CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
An attacker could perform actions with the same permissions as a victim
user, provided the victim has an active session and is induced to trigger
the malicious request. A CVSS v3 base score
of 8.0 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
IMPROPER AUTHENTICATION CWE-287
The improper authentication could provide an undocumented BusyBox Linux shell
accessible over the Telnet service without any authentication. A CVSS v3 base score
of 9.8 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
---------
Trying IP...
Connected to IP.
Escape character is '^]'.
BusyBox v0.60.4 (2008.02.21-16:59+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
#
BusyBox v0.60.4 (2008.02.21-16:59+0000) multi-call binary
Usage: busybox [function] [arguments]...
or: [function] [arguments]...
BusyBox is a multi-call binary that combines many common Unix utilities into a single executable. Most people will create a link to busybox for each function they wish to use, and BusyBox will act like whatever it was invoked as.
Currently defined functions:
[, busybox, cat, cp, df, hostname, ifconfig, init, kill, killall, ls, mkdir, mknod, mount, msh, mv, ping, ps, pwd, rm, sh, test, touch, vi
#
# ls
bin dev etc nfs proc swap usb var
# cd etc
# ls
ConfigPage WRConfig.ini config inetd.conf inittab ppp protocols rc resolv.conf services
# cat inetd.conf
telnet stream tcpnowait root /bin/telnetd
#
---------
------------------------
Technical Details
------------------------
https://ipositivesecurity.com/2016/07/05/rs232-net-converter-model-jtc-200-multiple-vulnerabilities/
+++++
Best Regards,
Karn Ganeshen
VAR-201710-0073 | CVE-2016-5789 | JanTek JTC-200 Cross-Site Request Forgery Vulnerability |
CVSS V2: 6.0 CVSS V3: 8.0 Severity: HIGH |
A Cross-site Request Forgery issue was discovered in JanTek JTC-200, all versions. An attacker could perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. JanTek JTC-200 contains a cross-site request forgery vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). The JanTek JTC-200 is a TCP/IP converter (serial server) from JanTek Technology. A remote attacker could exploit the vulnerability to perform unauthorized operations as a user. This may aid in further attacks. The full advisory (vendor, affected products, CVSS scoring and the captured Telnet session) is reproduced under the companion record VAR-201710-0074 (CVE-2016-5791) above.
VAR-201710-0798 | CVE-2017-14003 | LAVA Computer MFG Ether-Serial Link Authentication Bypass Vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
An Authentication Bypass by Spoofing issue was discovered in LAVA Ether-Serial Link (ESL) running firmware versions 6.01.00/29.03.2007 and prior versions. An improper authentication vulnerability has been identified, which, if exploited, would allow an attacker with the same IP address to bypass authentication by accessing a specific uniform resource locator. LAVA Ether-Serial Link (ESL) contains an authentication vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Ether-Serial Link is an Ethernet-to-serial device from LAVA Computer MFG. An authentication bypass vulnerability exists in LAVA Computer MFG Ether-Serial Link 6.01.00/29.03.2007 and earlier. LAVA Computer MFG Inc. Ether-Serial Link is prone to an authentication-bypass vulnerability.
Attackers may exploit this issue to gain unauthorized access or bypass intended security restrictions.
LAVA Computer MFG Inc
VAR-201710-0956 | CVE-2017-5722 | Multiple Intel NUC Kit products: vulnerabilities related to authorization, authority, and access control in product firmware |
CVSS V2: 4.4 CVSS V3: 7.5 Severity: HIGH |
Incorrect policy enforcement in system firmware for Intel NUC7i3BNK, NUC7i3BNH, NUC7i5BNK, NUC7i5BNH, NUC7i7BNH versions BN0049 and below allows attackers with local or physical access to bypass enforcement of integrity protections via manipulation of firmware storage. The firmware of Intel NUC7i3BNK, NUC7i3BNH, NUC7i5BNK, NUC7i5BNH, and NUC7i7BNH contains vulnerabilities related to authorization, permissions and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). Intel NUC7i3BNK and other products are CPU (Central Processing Unit) products of Intel Corporation of the United States. Intel Boot Guard has a local security bypass vulnerability that can be exploited by local attackers to bypass certain security restrictions. Intel Boot Guard is prone to a local security-bypass vulnerability. Other attacks are also possible. Security vulnerabilities exist in the system firmware of several Intel products. The following products and versions are affected: NUC7i3BNK BN0049 and earlier; NUC7i3BNH BN0049 and earlier; NUC7i5BNK BN0049 and earlier; NUC7i5BNH BN0049 and earlier; NUC7i7BNH BN0049 and earlier.
VAR-201710-1144 | CVE-2017-15226 | ZyXEL NBG6716 Command injection vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the ozkerz component because beginIndex and endIndex are used directly in a popen call. ZyXEL NBG6716 contains a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Zyxel NBG6716 is a wireless router product from ZyXEL Technology, and ozkerz is one of its components. The ozkerz component in Zyxel NBG6716 V1.00(AAKG.9)C0 has a security vulnerability: in the popen call, the program uses the beginIndex and endIndex values directly. An attacker can exploit this vulnerability to inject commands.
VAR-201710-0425 | CVE-2017-11793 | Automatic DNS registration and proxy autodiscovery allow spoofing of network services |
CVSS V2: 7.6 CVSS V3: 7.5 Severity: High |
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11792, CVE-2017-11796, CVE-2017-11798, CVE-2017-11799, CVE-2017-11800, CVE-2017-11801, CVE-2017-11802, CVE-2017-11804, CVE-2017-11805, CVE-2017-11806, CVE-2017-11807, CVE-2017-11808, CVE-2017-11809, CVE-2017-11810, CVE-2017-11811, CVE-2017-11812, and CVE-2017-11821. Automatic DNS registration and autodiscovery functionality provides an opportunity for the misconfiguration of networks, resulting in a loss of confidentiality and integrity of the network if an attacker on the network adds a specially configured proxy device. In a network where the router's DNS dynamic registration/update function is enabled and proxy auto-detection is enabled on the client PCs, adding a device with the host name "wpad" to the network may allow the contents of communication to be obtained or altered. Routers used in homes and offices (including general-purpose products such as Google WiFi and Ubiquiti UniFi) often use a DNS dynamic registration/update function, which automatically registers or updates A records using the host name sent by the client in its DHCP request as-is. An attacker with access to the network can register a device with the host name "wpad" or "isatap" in DNS, attract access to that device, and attack it. The discoverer has also confirmed that, even without a router, client PCs in the network can be reached via mDNS using "wpad" and "isatap" in combination with the auto-detection function.
Proxy auto-configuration via WPAD by a so-called rogue DHCP server or an upstream DNS server has been regarded as a problem (https://googleprojectzero.blogspot.fi/2017/12/apacolypse-now-exploiting-windows-10-in_18.html), but the auto-configuration function inside a LAN/WLAN had not been mentioned. This problem was discovered and verified by Ossi Salmi, Mika Seppanen, Marko Laakso and Kasper Kyllonen of Arctic Security, and coordinated by NCSC-FI. If an attacker adds a device with the host name "wpad" to an internal network, the device can be used as an attack proxy, and as a result the contents of communication may be obtained or altered. Internet Explorer contains a flaw in how the scripting engine handles objects in memory that could allow arbitrary code execution in the context of the current user. The vendor calls this the "Scripting Engine Memory Corruption Vulnerability". This vulnerability is distinct from CVE-2017-11792, CVE-2017-11796, CVE-2017-11798, CVE-2017-11799, CVE-2017-11800, CVE-2017-11801, CVE-2017-11802, CVE-2017-11804, CVE-2017-11805, CVE-2017-11806, CVE-2017-11807, CVE-2017-11808, CVE-2017-11809, CVE-2017-11810, CVE-2017-11811, CVE-2017-11812, and CVE-2017-11821. An attacker could execute arbitrary code in the context of the current user. Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability. Failed attacks will cause denial-of-service conditions.
Internet Explorer 9, 10 and 11 are vulnerable; other versions may also be affected.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks.
VAR-201710-1441 | No CVE | Tlink IoT Cloud Service Platform Android App Has Logical Design Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
TLINK IoT is an open platform for IoT products from Shenzhen Analog Technology Co., Ltd.
The password retrieval function of the Tlink IoT cloud service platform Android App has a logic design vulnerability. By capturing packets and modifying the mobile phone number, an attacker can send SMS messages to the modified number without restriction, consuming server resources.
VAR-201710-1443 | No CVE | Shanghai Feixun Data Communication Technology Co., Ltd. Feixun K2 Wireless Router Has Command Execution Vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The Feixun K2 wireless router is a wireless router for home use.
The Shanghai Feixun Data Communication Technology Co., Ltd. Feixun K2 wireless router has a command execution vulnerability. The vulnerability exists because the timeRebootEnablestatus and timeRebootrange parameters do not filter the data submitted by the user, allowing an attacker who logs in to the router as an administrator to execute arbitrary commands and obtain server privileges.
VAR-201710-1448 | No CVE | There are two arbitrary file upload vulnerabilities in the bunker fortress background |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
The bunker bastion machine is the industry's first software bastion machine, which provides single point functions of centralized identity authentication, centralized access authorization, centralized access management, centralized operation audit, and simplified operation and management required for remote operation and maintenance management.
There are two arbitrary file upload vulnerabilities in the background system settings "Workflow Settings" and "System Upgrade Function" of the Bunker Fortress Machine, allowing attackers to upload a webshell and gain server permissions.
VAR-201710-0984 | CVE-2017-14971 | Infocus Mondopad Information Disclosure Vulnerability |
CVSS V2: 4.3 CVSS V3: 5.5 Severity: MEDIUM |
Infocus Mondopad 2.2.08 is vulnerable to a Hashed Credential Disclosure vulnerability. The attacker provides a crafted Microsoft Office document containing a link that has a UNC pathname associated with an attacker-controlled server. In one specific scenario, the attacker provides an Excel spreadsheet, and the attacker-controlled server receives the victim's NetNTLMv2 hash. InFocus Mondopad is a full-featured touch-screen whiteboard from InFocus.
VAR-201710-0985 | CVE-2017-14972 | InFocus Mondopad Vulnerabilities in authentication |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
InFocus Mondopad 2.2.08 is vulnerable to authentication bypass when accessing uploaded files by entering Control-Alt-Delete, and then using Task Manager to reach a file. InFocus Mondopad contains an authentication vulnerability. Information may be obtained. InFocus Mondopad is a full-featured touch-screen whiteboard from InFocus. An authentication bypass vulnerability exists in InFocus Mondopad version 2.2.08. A remote attacker can exploit this vulnerability to obtain information.
VAR-201710-1051 | CVE-2017-15073 | Intel Puma Denial of Service Vulnerability (CNVD-2017-30927) |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue associated with the originally named downstream provider. Notes: none. Intel Puma is a system-on-chip (SoC) from Intel. Intel Puma has a denial of service vulnerability that allows remote attackers to cause denial of service (degraded performance) by sending the right amount of small packets to many TCP or UDP ports.
VAR-201710-1050 | CVE-2017-15072 | Intel Puma Denial of Service Vulnerability (CNVD-2017-30928) |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue associated with the originally named downstream provider. Notes: none. Intel Puma is a system-on-chip (SoC) from Intel. Intel Puma has a denial of service vulnerability that allows remote attackers to cause denial of service (degraded performance) by sending the right amount of small packets to many TCP or UDP ports.