VARIoT IoT vulnerabilities database


VAR-201708-1329 CVE-2017-6773 Cisco ASR 5000 Series Aggregated Services Routers input validation vulnerability
CVSS V2: 4.6
CVSS V3: 6.7
Severity: MEDIUM
A vulnerability in the CLI of Cisco ASR 5000 Series Aggregated Services Routers running the Cisco StarOS operating system could allow an authenticated, local attacker to bypass the CLI restrictions and execute commands on the underlying operating system. The vulnerability is due to insufficient input sanitization of user-supplied input at the CLI. An attacker could exploit this vulnerability by crafting a script on the device that will allow them to bypass built-in restrictions. An exploit could allow the unauthorized user to launch the CLI directly from a command shell. Cisco Bug IDs: CSCvd47722. Known Affected Releases: 21.0.v0.65839. The vendor has confirmed this vulnerability and released it as Bug ID CSCvd47722. Information may be obtained, information may be altered, or service operation may be disrupted (DoS). Cisco ASR 5000 Series Aggregated Services Routers are the ASR 5000 series of integrated services router products from Cisco. StarOS is the operating system running on them, and the CLI is its command line program.
VAR-201708-1330 CVE-2017-6774 Cisco ASR 5000 Series Aggregated Services Routers authorization, permissions and access control vulnerability
CVSS V2: 4.0
CVSS V3: 5.0
Severity: MEDIUM
A vulnerability in Cisco ASR 5000 Series Aggregated Services Routers running the Cisco StarOS operating system could allow an authenticated, remote attacker to overwrite or modify sensitive system files. The vulnerability is due to the inclusion of sensitive system files within specific FTP subdirectories. An attacker could exploit this vulnerability by overwriting sensitive configuration files through FTP. An exploit could allow the attacker to overwrite configuration files on an affected system. Cisco Bug IDs: CSCvd47739. Known Affected Releases: 21.0.v0.65839. The vendor has confirmed this vulnerability and released it as Bug ID CSCvd47739. Information may be tampered with. Cisco ASR 5000 Series Aggregated Services Routers are the ASR 5000 series of integrated services router products from Cisco. StarOS is the operating system running on them. This may aid in further attacks.
VAR-201708-1331 CVE-2017-6775 Cisco ASR 5000 Series Aggregated Services Routers authorization, permissions and access control vulnerability
CVSS V2: 4.6
CVSS V3: 5.7
Severity: MEDIUM
A vulnerability in the CLI of Cisco ASR 5000 Series Aggregated Services Routers running the Cisco StarOS operating system could allow an authenticated, local attacker to elevate their privileges to admin-level privileges. The vulnerability is due to incorrect permissions that are given to a set of users. An attacker could exploit this vulnerability by logging in to the shell of an affected device and elevating their privileges by modifying environment variables. An exploit could allow the attacker to gain admin-level privileges and take control of the affected device. Cisco Bug IDs: CSCvd47741. Known Affected Releases: 21.0.v0.65839. The vendor has confirmed this vulnerability and released it as Bug ID CSCvd47741. Information may be obtained, information may be altered, or service operation may be disrupted (DoS). Cisco ASR 5000 Series Aggregated Services Routers are the ASR 5000 series of integrated services router products from Cisco. StarOS is the operating system running on them, and the CLI is its command line program. The StarOS CLI in Cisco ASR 5000 Series Aggregated Services Routers 21.0.v0.65839 has a privilege elevation vulnerability that stems from the program failing to assign the correct permissions to the user.
VAR-201708-1341 CVE-2017-6788 Cisco AnyConnect Secure Mobility Client Software cross-site scripting vulnerability
CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
The WebLaunch functionality of Cisco AnyConnect Secure Mobility Client Software contains a vulnerability that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the affected software. The vulnerability is due to insufficient input validation of some parameters that are passed to the WebLaunch function of the affected software. An attacker could exploit this vulnerability by convincing a user to access a malicious link or by intercepting a user request and injecting malicious code into the request. Cisco Bug IDs: CSCvf12055. Known Affected Releases: 98.89(40). The vendor has confirmed this vulnerability and released it as Bug ID CSCvf12055. Information may be obtained and information may be altered. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
VAR-201708-1342 CVE-2017-6790 Cisco TelePresence Video Communication Server resource management vulnerability
CVSS V2: 7.1
CVSS V3: 6.8
Severity: MEDIUM
A vulnerability in the Session Initiation Protocol (SIP) on the Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the targeted appliance. The vulnerability is due to excessive SIP traffic sent to the device. An attacker could exploit this vulnerability by transmitting large volumes of SIP traffic to the VCS. An exploit could allow the attacker to cause a complete DoS condition on the targeted system. Cisco Bug IDs: CSCve32897. The vendor has confirmed this vulnerability and released it as Bug ID CSCve32897. Service operation may be disrupted (DoS). The Session Initiation Protocol (SIP) is a signalling protocol for setting up and tearing down communication sessions.
VAR-201708-1101 CVE-2017-12857 Polycom UCS information disclosure vulnerability
CVSS V2: 4.0
CVSS V3: 8.8
Severity: HIGH
Polycom SoundStation IP, VVX, and RealPresence Trio that are running software older than UCS 4.0.12, 5.4.5 rev AG, 5.4.7, 5.5.2, or 5.6.0 are affected by a vulnerability in their UCS web application. This vulnerability could allow an authenticated remote attacker to read a segment of the phone's memory which could contain an administrator's password or other sensitive information. Polycom UCS contains an information disclosure vulnerability. Information may be obtained, information may be altered, or service operation may be disrupted (DoS). Polycom SoundStation IP, VVX and RealPresence Trio are products of Polycom Corporation of the United States. Polycom SoundStation IP is an IP phone; VVX is a video conferencing phone; RealPresence Trio is a smart multimedia device. An information disclosure vulnerability exists in UCS in Polycom SoundStation IP, VVX, and RealPresence Trio.
VAR-201708-1640 No CVE Schneider Electric Pelco VideoXpert directory traversal vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
VideoXpert is a video management solution designed for scalability, suitable for any size monitoring operation. Schneider Electric Pelco VideoXpert has a directory traversal vulnerability that could allow an attacker to view arbitrary files in the context of a Web server.
VAR-201708-1589 No CVE Schneider Electric Pro-Face WinGP arbitrary code execution vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Pro-Face GP Pro-Server EX is the preferred HMI development software for both dedicated and open HMI (PC-based) solutions. Schneider Electric Pro-Face WinGP has an arbitrary code execution vulnerability that an attacker can use to force the process to load arbitrary DLLs and execute arbitrary code in the context of the process.
VAR-201708-1645 No CVE Schneider Electric Pelco VideoXpert privilege escalation vulnerability
CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
VideoXpert is a video management solution designed for scalability, suitable for any size monitoring operation. A privilege escalation vulnerability exists in Schneider Electric Pelco VideoXpert, allowing local attackers to elevate privileges to execute arbitrary code.
VAR-201708-1338 CVE-2017-6784 Cisco RV340, RV345, and RV345P Dual WAN Gigabit VPN Routers information disclosure vulnerability
CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
A vulnerability in the web interface of the Cisco RV340, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to access sensitive data. The attacker could use this information to conduct additional reconnaissance attacks. The vulnerability is due to Cisco WebEx Meetings not sufficiently protecting sensitive data when responding to an HTTP request to the web interface. An attacker could exploit the vulnerability by attempting to use the HTTP protocol and looking at the data in the HTTP responses from the Cisco WebEx Meetings Server. An exploit could allow the attacker to find sensitive information about the application. Cisco Bug IDs: CSCve37988. Known Affected Releases: firmware 1.0.0.30, 1.0.0.33, 1.0.1.9, 1.0.1.16. The vendor has confirmed this vulnerability and released it as Bug ID CSCve37988. Information may be obtained. The Cisco RV340, RV345, and RV345P Dual WAN Gigabit VPN Routers are all VPN firewall router products from Cisco. The vulnerability stems from the failure of the program to adequately protect sensitive data. This may lead to other attacks. The following firmware versions are affected: 1.0.0.30, 1.0.0.33, 1.0.1.9 and 1.0.1.16.
VAR-201708-1357 CVE-2017-6767 Cisco Application Policy Infrastructure Controller authorization, permissions and access control vulnerability
CVSS V2: 4.6
CVSS V3: 7.1
Severity: HIGH
A vulnerability in Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to gain higher privileges than the account is assigned. The attacker will be granted the privileges of the last user to log in, regardless of whether those privileges are higher or lower than what should have been granted. The attacker cannot gain root-level privileges. The vulnerability is due to a limitation with how Role-Based Access Control (RBAC) grants privileges to remotely authenticated users when login occurs via SSH directly to the local management interface of the APIC. An attacker could exploit this vulnerability by authenticating to the targeted device. The attacker's privilege level will be modified to match that of the last user to log in via SSH. An exploit could allow the attacker to gain elevated privileges and perform CLI commands that should be restricted by the attacker's configured role. Cisco Bug IDs: CSCvc34335. Known Affected Releases: 1.0(1e), 1.0(1h), 1.0(1k), 1.0(1n), 1.0(2j), 1.0(2m), 1.0(3f), 1.0(3i), 1.0(3k), 1.0(3n), 1.0(4h), 1.0(4o); 1.1(0.920a), 1.1(1j), 1.1(3f); 1.2 Base, 1.2(2), 1.2(3), 1.2.2; 1.3(1), 1.3(2), 1.3(2f); 2.0 Base, 2.0(1). The vendor has confirmed this vulnerability and released it as Bug ID CSCvc34335. Information may be obtained, information may be altered, or service operation may be disrupted (DoS). An elevation of privilege vulnerability exists in Cisco APIC.
VAR-201708-1104 CVE-2017-12865 ConnMan buffer error vulnerability
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
Stack-based buffer overflow in "dnsproxy.c" in connman 1.34 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted response query string passed to the "name" variable. ConnMan contains a buffer error vulnerability. Information may be obtained, information may be altered, or service operation may be disrupted (DoS). connman is prone to a stack-based buffer overflow vulnerability. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely cause a denial-of-service condition. connman 1.34 and prior are vulnerable. ConnMan is a tool for network management on Tizen systems.

-------------------------------------------------------------------------
Debian Security Advisory DSA-3956-1                   security@debian.org
https://www.debian.org/security/                           Luciano Bello
August 27, 2017                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : connman
CVE ID         : CVE-2017-12865
Debian Bug     : 872844

Security consultants in NRI Secure Technologies discovered a stack overflow vulnerability in ConnMan, a network manager for embedded devices.

For the oldstable distribution (jessie), this problem has been fixed in version 1.21-1.2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 1.33-3+deb9u1.

For the testing distribution (buster), this problem has been fixed in version 1.33-3+deb9u1.

For the unstable distribution (sid), this problem has been fixed in version 1.35-1.

We recommend that you upgrade your connman packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201812-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: ConnMan: Multiple vulnerabilities
Date: December 02, 2018
Bugs: #628566, #630028
ID: 201812-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in ConnMan, the worst of which could result in the remote execution of code.

Background
==========

ConnMan provides a daemon for managing Internet connections.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/connman            < 1.35-r1                  >= 1.35-r1

Description
===========

Multiple vulnerabilities have been discovered in ConnMan. Please review the CVE identifiers referenced below for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ConnMan users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/connman-1.35-r1"

References
==========

[ 1 ] CVE-2017-12865
      https://nvd.nist.gov/vuln/detail/CVE-2017-12865
[ 2 ] CVE-2017-5716
      https://nvd.nist.gov/vuln/detail/CVE-2017-5716

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

 https://security.gentoo.org/glsa/201812-02

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
VAR-201804-0518 CVE-2017-12701 BMC Medical Luna CPAP machine input validation vulnerability
CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
BMC Medical Luna CPAP Machines released prior to July 1, 2017, contain an improper input validation vulnerability which may allow an authenticated attacker to crash the CPAP's Wi-Fi module resulting in a denial-of-service condition. BMC Medical Luna CPAP machine contains an input validation vulnerability. Service operation may be disrupted (DoS). The BMC Medical Luna CPAP Machine is a ventilator from BMC Medical of China. The 3B Medical Luna CPAP Machine is a ventilator from 3B Medical of the United States. A denial of service vulnerability exists in the BMC Medical Luna CPAP Machine and the 3B Medical Luna CPAP Machine. A remote attacker could exploit the vulnerability to cause a denial of service. BMC Medical and 3B Medical Luna CPAP Machines are prone to a denial-of-service vulnerability. Attackers may leverage this issue to cause a denial-of-service condition, denying service to legitimate users.
VAR-201709-0015 CVE-2016-10405 D-Link DIR-600L router firmware session fixation vulnerability
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) with firmware before FW1.17.B01 allows remote attackers to hijack web sessions via unspecified vectors. The D-Link DIR-600L router firmware contains a session fixation vulnerability. Information may be obtained, information may be altered, or service operation may be disrupted (DoS). The D-Link DIR-600L is a cloud router product from D-Link.
VAR-201708-1098 CVE-2017-12853 RealTime RWR-3G-100 Router cross-site request forgery vulnerability
CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
The RealTime RWR-3G-100 Router, firmware version Ver1.0.56, is affected by CSRF, an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. RealTime RWR-3G-100 Router firmware contains a cross-site request forgery vulnerability. Information may be obtained, information may be altered, or service operation may be disrupted (DoS). The RealTime RWR-3G-100 Router is a router from RealTime System of India. A cross-site request forgery vulnerability exists in the RealTime RWR-3G-100 Router running firmware version 1.0.56. This vulnerability can be exploited by remote attackers to force end users to perform unintended operations.
VAR-201708-1639 No CVE NETGEAR FS726Tv2 management backend XSS vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The FS726T is a classic smart switch from Netgear. An XSS vulnerability exists in the management backend of the NETGEAR FS726Tv2. An attacker can exploit this vulnerability to trigger a pop-up message in the login box by modifying its input.
VAR-201710-1106 CVE-2017-12822 Multiple Gemalto products Sentinel LDK RTE firmware access control vulnerability
CVSS V2: 7.5
CVSS V3: 9.9
Severity: CRITICAL
Remote enabling and disabling admin interface in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 leads to new attack vectors. Gemalto Sentinel License Manager is prone to the following security vulnerabilities: 1. Multiple stack-based buffer-overflow vulnerabilities. 2. Multiple heap-based buffer-overflow vulnerabilities. 3. A security bypass vulnerability. 4. A denial-of-service vulnerability. Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application or perform unauthorized actions. Failed exploit attempts will likely cause a denial-of-service condition. Sentinel LDK is a license management tool. A remote attacker could exploit this vulnerability to execute code.
VAR-201710-1104 CVE-2017-12820 Multiple Gemalto products Sentinel LDK RTE firmware buffer error vulnerability
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Arbitrary memory read from controlled memory pointer in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 leads to remote denial of service. Gemalto Sentinel License Manager is prone to the following security vulnerabilities: 1. Multiple stack-based buffer-overflow vulnerabilities. 2. Multiple heap-based buffer-overflow vulnerabilities. 3. A security bypass vulnerability. 4. A denial-of-service vulnerability. Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application or perform unauthorized actions. Failed exploit attempts will likely cause a denial-of-service condition. Sentinel LDK is a license management tool.
VAR-201710-1105 CVE-2017-12821 Multiple Gemalto products Sentinel LDK RTE firmware buffer error vulnerability
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
Memory corruption in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 might cause remote code execution. Gemalto Sentinel License Manager is prone to the following security vulnerabilities: 1. Multiple stack-based buffer-overflow vulnerabilities. 2. Multiple heap-based buffer-overflow vulnerabilities. 3. A security bypass vulnerability. 4. A denial-of-service vulnerability. Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application or perform unauthorized actions. Failed exploit attempts will likely cause a denial-of-service condition. Sentinel LDK is a license management tool.
VAR-201708-1146 CVE-2017-12786 NoviWare buffer error vulnerability
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Network interfaces of the cliengine and noviengine services, included in the NoviWare software distribution through NW400.2.6 and deployed on NoviSwitch devices, can be inadvertently exposed if an operator attempts to modify ACLs, because of a bug when ACL modifications are applied. This could be leveraged by remote, unauthenticated attackers to gain resultant privileged (root) code execution on the switch, because there is a stack-based buffer overflow during unserialization of packet data. NoviWare contains a buffer error vulnerability. Information may be obtained, information may be altered, or service operation may be disrupted (DoS). NoviFlow NoviWare and NoviSwitch devices are products of NoviFlow of Canada. NoviSwitch devices are a series of switch devices, and NoviWare is the switch software used on them. A stack buffer overflow vulnerability exists in the network interfaces of the cliengine and noviengine services in NoviFlow NoviWare NW400.2.6 and earlier versions and in NoviSwitch devices. A remote attacker could exploit the vulnerability to execute code with root privileges.

NoviFlow NoviWare <= NW400.2.6 multiple vulnerabilities

Introduction
============
NoviWare is a high-performance OpenFlow 1.3, 1.4 and 1.5 compliant switch software developed by NoviFlow and available for license to network equipment manufacturers. Multiple vulnerabilities were identified in the NoviWare software deployed on NoviSwitch devices.

CVEs
====
* CVE-2017-12784: remote code execution in novi_process_manager_daemon
  Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
* CVE-2017-12785: cli breakout in novish
  Indicative CVSS v2 base score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
* CVE-2017-12786: remote code execution in noviengine and cliengine
  Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

Affected versions
=================
NoviWare <= NW400.2.6 and devices where a vulnerable NoviWare version is deployed

Author
======
François Goichon - Google Security Team

CVE-2017-12784
==============
Remote code execution in novi_process_manager_daemon

Summary
-------
The NoviWare switching software distribution is prone to two distinct bugs which could potentially allow a remote, unauthenticated attacker to gain privileged (root) code execution on the switch device.
- A flaw when applying ACL changes requested from the CLI could expose the novi_process_manager_daemon network service
- This network service is prone to command injection and a stack-based buffer overflow

Reproduction
------------
If TCP port 2020 is accepting connections from the network, the following python script can be used to ping yourself on vulnerable versions:
---
from struct import pack
import socket
s = socket.socket()
s.connect((<switch host>, 2020))
payload = pack("<I", 0xffffffff).ljust(0x24) + "ping <your ip>; echo\x00"
s.sendall(pack("<II", 1, len(payload)+8))
s.sendall(payload)
s.close()
---
On vulnerable versions, the appliance will perform an ICMP request to the specified IP, which can be observed in network logs.

Remediation
-----------
- Upgrade to NoviWare400 3.0 or later.
- NoviFlow customers should have received instructions on how to get the latest release along with release notes. For more information, contact support@noviflow.com.

CVE-2017-12785
==============
Cli breakout in novish

Summary
-------
The NoviWare switching software distribution is prone to a buffer overflow and a command injection, allowing authenticated, low-privileged users to break out of the CLI and execute commands as root.

Reproduction
------------
Log in to the appliance via SSH and run the following command from the CLI:
--
noviswitch# show log cli username AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--
If the appliance is vulnerable, the cli crashes and the session ends.

Remediation
-----------
- Upgrade to NoviWare400 3.0 or later.
- NoviFlow customers should have received instructions on how to get the latest release along with release notes. For more information, contact support@noviflow.com.

CVE-2017-12786
==============
Remote code execution in noviengine and cliengine

Summary
-------
- A flaw when applying ACL changes requested from the CLI could expose noviengine and cliengine network services
- These network services are prone to a stack-based buffer overflow when unpacking serialized values.

Reproduction
------------
If TCP ports 9090 or 12345 are accepting connections from the network, the following python script can be used to cause a crash on vulnerable versions:
---
from struct import pack
import socket
s = socket.socket()
s.connect((<switch host>, <9090 or 12345>))
payload = "".join([pack("<I", 4) + "AAAA" for i in xrange(408)])
payload = pack("<IIQ", 0, len(payload) + 16, 0) + payload
s.sendall(payload)
s.read(1)
s.close()
---
A watchdog should restart the service if it has crashed.

Remediation
-----------
- Upgrade to NoviWare400 3.0 or later.
- NoviFlow customers should have received instructions on how to get the latest release along with release notes. For more information, contact support@noviflow.com.

Disclosure timeline
===================
2017/05/11 - Report sent to NoviFlow
2017/05/26 - Bugs acknowledged and remediation timeline confirmed
2017/07/27 - NoviWare400 3.0 release fixes all the above vulnerabilities
2017/08/09 - CVE requests
2017/08/16 - Public disclosure