VARIoT IoT vulnerabilities database

Intelbras WRN 150 devices allow remote attackers to read the configuration file, and consequently bypass authentication, via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg containing an admin:language=pt cookie. Intelbras WRN 150 The device contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. IntelbrasWRN150devices is a wireless router from Brazil's Intelbras. A security hole exists in the IntelbrasWRN150 device

Red Lion HMI panels allow remote attackers to cause a denial of service (software exception) via an HTTP POST request to a long URI that does not exist, as demonstrated by version HMI 2.41 PLC 2.42. Red Lion HMI The panel contains an error handling vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Red Lion HMI panels HMI is the United States Red Lion Controls One of the company's human-machine interface products for industrial control. PLC It is a programmable logic controller. Red Lion HMI panels HMI 2.41 in version PLC 2.42 version has a security vulnerability

A vulnerability has been identified in RUGGEDCOM ROS for RSL910 devices (All versions < ROS V5.0.1), RUGGEDCOM ROS for all other devices (All versions < ROS V4.3.4), SCALANCE XB-200/XC-200/XP-200/XR300-WG (All versions between V3.0 (including) and V3.0.2 (excluding)), SCALANCE XR-500/XM-400 (All versions between V6.1 (including) and V6.1.1 (excluding)). After initial configuration, the Ruggedcom Discovery Protocol (RCDP) is still able to writeto the device under certain conditions, potentially allowing users located in the adjacentnetwork of the targeted device to perform unauthorized administrative actions. plural Siemens The product contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Siemens RuggedCom ROS is a ROX-based device for connecting devices in harsh environments, such as substations, traffic management chassis, etc. The SCALANCE XB-200 is an industrial Ethernet switch. Siemens Ruggedcom ROS and SCALANCE are not authorized to exploit the vulnerability. Multiple Siemens Products are prone to a remote security bypass vulnerability. Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions. RUGGEDCOM ROS prior to 4.3.4 for all other devices. SCALANCE XB-200/XC-200/XP-200/XR300-WG 3.0 and later. SCALANCE XR-500/XM-400 6.1 and later

An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. tvOS before 10.2.2 is affected. The issue involves the "Wi-Fi" component. It allows attackers to cause a denial of service (memory corruption on the Wi-Fi chip) by leveraging proximity for 802.11. in the United States. Apple iOS is an operating system developed for mobile devices. tvOS is a smart TV operating system. Wi-Fi is one of the wireless Internet access components. A security vulnerability exists in the Wi-Fi component in Apple iOS versions prior to 10.3.3 and tvOS versions prior to 10.2.2. Broadcom: Denial of service and OOB read in TCP KeepAlive Offloading CVE-2017-7066 Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. In order to reduce overhead on the host, some Broadcom Wi-Fi chips support TCP ACK Offloading. When this feature is enabled, the firmware keeps a list of active TCP connections, including the 4-tuple, the SEQ/ACK numbers, etc. Before performing the offloading operation, incoming TCP packets are verified to ensure they are valid. During this verification process, the incoming packets' checksums are calculated. For IPv4 packets, the IPv4 header checksum and TCP/IPv4 checksum are calculated and compared to the checksums in the incoming packet. On the BCM4355C0 SoC with firmware version 9.44.78.27.0.1.56, the offloading verification is performed in RAM function 0x1800C8. Here is a snippet of the approximate high-level logic for this function: int function_1800C8(void* ctx, void* packet) { char* packet_data = *((char**)(packet + 8)); unsigned short packet_length = *((unsigned short*)(packet + 12)); char* packet_end = packet_data + packet_length; //Getting the ethertype. If there's a SNAP header, get the ethertype from SNAP. //Is this IPv4? if (ethertype == 0x800) { unsigned ip_header_length = (ip_header[0] & 0xF) * 4; //IHL * 4 char* tcp_header = ip_header + ip_header_length; if (tcp_header > packet_end) return 0; //Make sure this is TCP if (ip_header[9] != 6) //IPv4->Protocol == TCP return 0; //Making sure the IP total length is valid unsigned short ip_total_length = (ip_header[2] << 8) | ip_header[3]; unsigned tcp_length = ip_total_length - ip_header_length; if (tcp_header + tcp_length > packet_end) return 0; //Verify IPv4 checksum unsigned short ipv4_checksum = *((unsigned short*)(ip_header+10)); if (ipv4_checksum != do_ipv4_checksum(ip_header, ip_header_length)) return 0; //Verify TCP/IPv4 checksum unsigned short tcp_checksum = *((unsigned short*)(tcp_header+16)); if (tcp_checksum != do_tcp_ipv4_checksum(ip_header, tcp_header, tcp_length)) return 0; ... } ... } unsigned short do_ipv4_checksum(char* ip, unsigned len) { ... return internal_calculate_ipv4_checksum(..., ip + 12, len - 12); } unsigned short do_tcp_ipv4_checksum(char* ip, char* tcp, unsigned len) { ... return internal_calculate_tcp_ipv4_checksum(..., ip + 18, len - 18); } As can be seen above, there are a few missing length verifications in the snippet above: 1. The IHL field in the IPv4 header is not verified against in minimal allowed value (5). This means an attacker can provide an intentionally small value, such as zero. Doing so will cause the following accesses to be performed OOB (such as checking the IP header's protocol field, calculating the IPv4 checksum, etc). 2. The IP total length field is also not verified. An attacker can choose the total length field such that ip_total_length == ip_header_length. By doing so, tcp_length will contain the value zero. However, as the unsigned value (tcp_length - 12) is used as the length field in the internal TCP/IPv4 checksum calculation, this will cause the internal checksum calculation loop (RAM function 0x16DBF6) to receive a very large length field - causing an data abort due to an illegal access which will therefore crash the firmware. The bug can be addressed by validating that the IHL is not smaller than the minimal allowed value (5), and by ensuring that the IP total length field is large enough to contain the IPv4 and TCP headers. This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: laginimaineb

The Bastet Driver of Nova 2 Plus,Nova 2 Huawei smart phones with software of Versions earlier than BAC-AL00C00B173,Versions earlier than PIC-AL00C00B173 has a use after free (UAF) vulnerability. An attacker can convince a user to install a malicious application which has a high privilege to exploit this vulnerability, Successful exploitation may cause arbitrary code execution. Huawei Nova 2 Plus and Nova 2 Smartphone software contains a vulnerability related to the use of freed memory.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both Nova2 and Nova2Plus are smartphone devices from China's Huawei company. The UseAfterFree (UAF) security vulnerability exists in the Bastet driver of HuaweiNova2 and Nova2Plus. Huawei Smart Phones are prone to a remote code-execution vulnerability. Failed exploit attempts will likely cause a denial-of-service condition

A vulnerability in the Virtual Private LAN Service (VPLS) code of Cisco IOS 15.0 through 15.4 for Cisco Catalyst 6800 Series Switches could allow an unauthenticated, adjacent attacker to cause a C6800-16P10G or C6800-16P10G-XL type line card to crash, resulting in a denial of service (DoS) condition. The vulnerability is due to a memory management issue in the affected software. An attacker could exploit this vulnerability by creating a large number of VPLS-generated MAC entries in the MAC address table of an affected device. A successful exploit could allow the attacker to cause a C6800-16P10G or C6800-16P10G-XL type line card to crash, resulting in a DoS condition. This vulnerability affects Cisco Catalyst 6800 Series Switches that are running a vulnerable release of Cisco IOS Software and have a Cisco C6800-16P10G or C6800-16P10G-XL line card in use with Supervisor Engine 6T. To be vulnerable, the device must also be configured with VPLS and the C6800-16P10G or C6800-16P10G-XL line card needs to be the core-facing MPLS interfaces. Cisco Bug IDs: CSCva61927. Cisco IOS Contains a resource management vulnerability. Vendors have confirmed this vulnerability Bug ID CSCva61927 It is released as.Service operation interruption (DoS) There is a possibility of being put into a state. IOS is one of the operating systems for network devices

A vulnerability in motherboard console ports of line cards for Cisco ASR 1000 Series Aggregation Services Routers and Cisco cBR-8 Converged Broadband Routers could allow an unauthenticated, physical attacker to access an affected device's operating system. The vulnerability exists because an engineering console port is available on the motherboard of the affected line cards. An attacker could exploit this vulnerability by physically connecting to the console port on the line card. A successful exploit could allow the attacker to gain full access to the affected device's operating system. This vulnerability affects only Cisco ASR 1000 Series Routers that have removable line cards and Cisco cBR-8 Converged Broadband Routers, if they are running certain Cisco IOS XE 3.16 through 16.5 releases. Cisco Bug IDs: CSCvc65866, CSCve77132. Cisco IOS XE Contains vulnerabilities related to authorization, permissions, and access control. Vendors have confirmed this vulnerability Bug ID CSCvc65866 and CSCve77132 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Cisco ASR1000 is a system router provided by Cisco. Multiple Cisco Products are prone to an local unauthorized-access vulnerability. This may aid in further attacks. IOS XE is a dedicated operating system for a set of network devices used in it

Mojoomla SMSmaster Multipurpose SMS Gateway for WordPress allows SQL Injection via the id parameter. WordPress is a set of blogging platform developed by WordPress Software Foundation using PHP language, which supports setting up personal blogging websites on PHP and MySQL servers. Mojoomla SMSmaster Multipurpose SMS Gateway is one of the multipurpose SMS gateways. A remote attacker can exploit this vulnerability to inject arbitrary SQL commands by using the 'id' parameter

print-wb.c in tcpdump before 4.7.4 allows remote attackers to cause a denial of service (segmentation fault and process crash). tcpdump Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. TcpDump can completely intercept the data packets transmitted in the network for analysis. It supports filtering for the network layer, protocol, host, network or port, and provides logical statements such as and, or, not to help you remove useless information

The DHCP relay subsystem of Cisco IOS 12.2 through 15.6 and Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code and gain full control of an affected system. The attacker could also cause an affected system to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to a buffer overflow condition in the DHCP relay subsystem of the affected software. An attacker could exploit this vulnerability by sending a crafted DHCP Version 4 (DHCPv4) packet to an affected system. A successful exploit could allow the attacker to execute arbitrary code and gain full control of the affected system or cause the affected system to reload, resulting in a DoS condition. Cisco Bug IDs: CSCsm45390, CSCuw77959. Vendors have confirmed this vulnerability Bug ID CSCsm45390 and CSCuw77959 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both Cisco IOS and IOSXE are operating systems developed by Cisco for its network devices. Failed attempts will likely result in denial-of-service conditions. DHCP relay is one of the components used to implement the function of processing and forwarding DHCP information between different subnets and physical network segments

A vulnerability in the REST API of the web-based user interface (web UI) of Cisco IOS XE 3.1 through 16.5 could allow an unauthenticated, remote attacker to bypass authentication to the REST API of the web UI of the affected software. The vulnerability is due to insufficient input validation for the REST API of the affected software. An attacker could exploit this vulnerability by sending a malicious API request to an affected device. A successful exploit could allow the attacker to bypass authentication and gain access to the web UI of the affected software. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software, if the HTTP Server feature is enabled for the device. The newly redesigned, web-based administration UI was introduced in the Denali 16.2 Release of Cisco IOS XE Software. This vulnerability does not affect the web-based administration UI in earlier releases of Cisco IOS XE Software. Cisco Bug IDs: CSCuz46036. Vendors have confirmed this vulnerability Bug ID CSCuz46036 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This may lead to further attacks

MAX PRESENCE V100R001C00, TP3106 V100R002C00, TP3206 V100R002C00 have an out-of-bounds read vulnerability in H323 protocol. An attacker logs in to the system as a user and send crafted packets to the affected products. Due to insufficient verification of the packets, successful exploit will cause process reboot. Huawei MAX PRESENCE , TP3106 ,and TP3206 Contains an out-of-bounds vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Multiple Huawei products are prone to a remote denial-of-service vulnerability. Huawei MAX PRESENCE, TP3106 and TP3206 are all panoramic video conferencing solutions of China's Huawei (Huawei). H323 protocol is one of the video and audio communication protocols. The vulnerability is caused by the fact that the program does not fully verify data packets. An attacker who successfully logs in could exploit the vulnerability by sending a specially crafted packet to cause a process restart (out-of-bounds read)

MAX PRESENCE V100R001C00, TP3106 V100R002C00, TP3206 V100R002C00 have an out-of-bounds read vulnerability in H323 protocol. An attacker logs in to the system as a user and send crafted packets to the affected products. Due to insufficient verification of the packets, successful exploit will cause process reboot. Huawei MAX PRESENCE , TP3106 ,and TP3206 Contains an out-of-bounds vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Multiple Huawei products are prone to a remote denial-of-service vulnerability. Huawei MAX PRESENCE, TP3106 and TP3206 are all panoramic video conferencing solutions of China's Huawei (Huawei). H323 protocol is one of the video and audio communication protocols. The vulnerability is caused by the fact that the program does not fully verify data packets. An attacker who successfully logs in could exploit the vulnerability by sending a specially crafted packet to cause a process restart (out-of-bounds read)

MAX PRESENCE V100R001C00, TP3106 V100R002C00, TP3206 V100R002C00 have an a memory leak vulnerability in H323 protocol. An attacker logs in to the system as a user and send crafted packets to the affected products. Due to insufficient verification of the packets, successful exploit could cause a memory leak and eventual denial of service (DoS) condition. Huawei MAX PRESENCE , TP3106 ,and TP3206 Contains vulnerabilities related to insufficient validation of data reliability.Service operation interruption (DoS) There is a possibility of being put into a state. Multiple Huawei products are prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause denial-of-service conditions. Huawei MAX PRESENCE, TP3106 and TP3206 are all panoramic video conferencing solutions of China's Huawei (Huawei). H323 protocol is one of the video and audio communication protocols

A vulnerability in the wireless controller manager of Cisco IOS XE could allow an unauthenticated, adjacent attacker to cause a restart of the switch and result in a denial of service (DoS) condition. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting a crafted association request. An exploit could allow the attacker to cause the switch to restart. This vulnerability affects Cisco Catalyst 3650 and 3850 switches running IOS XE Software versions 16.1 through 16.3.3, and acting as wireless LAN controllers (WLC). Cisco Bug IDs: CSCvd45069. Vendors report this vulnerability Bug IDs: CSCvd45069 Published as.Denial of service (DoS) May be in a state. The Cisco Catalyst 3650 and 3850 switches are Cisco switches. IOSXESoftware is one of the operating systems for network devices. Wirelesscontrollermanager is one of the wireless controller management programs. A denial of service vulnerability exists in the wirelesscontrollermanager in IOSXESoftware on the Cisco Catalyst 3650 and 3850 switches, which stems from a program failing to validate the input

A vulnerability in the web-based Wireless Controller GUI of Cisco IOS XE Software for Cisco 5760 Wireless LAN Controllers, Cisco Catalyst 4500E Supervisor Engine 8-E (Wireless) Switches, and Cisco New Generation Wireless Controllers (NGWC) 3850 could allow an authenticated, remote attacker to elevate their privileges on an affected device. The vulnerability is due to incomplete input validation of HTTP requests by the affected GUI, if the GUI connection state or protocol changes. An attacker could exploit this vulnerability by authenticating to the Wireless Controller GUI as a Lobby Administrator user of an affected device and subsequently changing the state or protocol for their connection to the GUI. A successful exploit could allow the attacker to elevate their privilege level to administrator and gain full control of the affected device. This vulnerability affects the following Cisco products if they are running Cisco IOS XE Software Release 3.7.0E, 3.7.1E, 3.7.2E, 3.7.3E, 3.7.4E, or 3.7.5E: Cisco 5760 Wireless LAN Controllers, Cisco Catalyst 4500E Supervisor Engine 8-E (Wireless) Switches, Cisco New Generation Wireless Controllers (NGWC) 3850. Cisco Bug IDs: CSCvd73746. Cisco IOS XE Contains vulnerabilities related to authorization, permissions, and access control. Vendors have confirmed this vulnerability Bug ID CSCvd73746 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Catalyst 4500E SupervisorEngine8-E (Wireless) Switches is a switch device. IOSXESoftware is a set of operating systems used in it. The WirelessControllerGUI is the graphical user interface of one of the wireless controllers. There are privilege escalation vulnerabilities in IOSXESoftware's Web-based WirelessControllerGUI in several Cisco products. IOS XE Software is an operating system used in it. 2E version, 3.7.3E version, 3.7.4E version, 3.7.5E version

A vulnerability in the Cisco Network Plug and Play application of Cisco IOS 12.4 through 15.6 and Cisco IOS XE 3.3 through 16.4 could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data by using an invalid certificate. The vulnerability is due to insufficient certificate validation by the affected software. An attacker could exploit this vulnerability by supplying a crafted certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on user connections to the affected software. Cisco Bug IDs: CSCvc33171. Cisco IOS and IOS XE Contains an input validation vulnerability and an information disclosure vulnerability. Vendors have confirmed this vulnerability Bug ID CSCvc33171 It is released as.Information may be obtained. An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. The title have been changed to better reflect the vulnerability information. Network Plug and Play application is one of the network hot plug applications

A vulnerability in the web-based user interface (web UI) of Cisco IOS XE 16.2 could allow an authenticated, remote attacker to elevate their privileges on an affected device. The vulnerability is due to incorrect default permission settings for new users who are created by using the web UI of the affected software. An attacker could exploit this vulnerability by using the web UI of the affected software to create a new user and then logging into the web UI as the newly created user. A successful exploit could allow the attacker to elevate their privileges on the affected device. This vulnerability affects Cisco devices that are running a vulnerable release Cisco IOS XE Software, if the HTTP Server feature is enabled for the device. The newly redesigned, web-based administration UI was introduced in the Denali 16.2 Release of Cisco IOS XE Software. This vulnerability does not affect the web-based administration UI in earlier releases of Cisco IOS XE Software. Cisco Bug IDs: CSCuy83062. Vendors have confirmed this vulnerability Bug ID CSCuy83062 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state

A vulnerability in the implementation of Network Address Translation (NAT) functionality in Cisco IOS 12.4 through 15.6 could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to the improper translation of H.323 messages that use the Registration, Admission, and Status (RAS) protocol and are sent to an affected device via IPv4 packets. An attacker could exploit this vulnerability by sending a crafted H.323 RAS packet through an affected device. A successful exploit could allow the attacker to cause the affected device to crash and reload, resulting in a DoS condition. This vulnerability affects Cisco devices that are configured to use an application layer gateway with NAT (NAT ALG) for H.323 RAS messages. By default, a NAT ALG is enabled for H.323 RAS messages. Cisco Bug IDs: CSCvc57217. Cisco IOS Contains a resource management vulnerability. Vendors have confirmed this vulnerability Bug ID CSCvc57217 It is released as.Service operation interruption (DoS) There is a possibility of being put into a state. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment

A vulnerability in the implementation of a protocol in Cisco Integrated Services Routers Generation 2 (ISR G2) Routers running Cisco IOS 15.0 through 15.6 could allow an unauthenticated, adjacent attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to a misclassification of Ethernet frames. An attacker could exploit this vulnerability by sending a crafted Ethernet frame to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. Cisco Bug IDs: CSCvc03809. Cisco IOS Contains a resource management vulnerability. Vendors have confirmed this vulnerability Bug ID CSCvc03809 It is released as.Service operation interruption (DoS) There is a possibility of being put into a state. CiscoIntegratedServicesRoutersGeneration2(ISRG2)Routers is a router device from Cisco. IOS is one of the operating systems for network devices. A denial of service vulnerability exists in the protocol implementation of IOS15.0 to 15.6 in CiscoIntegratedServicesRoutersGeneration2(ISRG2)Routers, which stems from the failure of the program to properly classify Ethernet frames