VARIoT IoT vulnerabilities database

The SIP backup feature in Huawei DP300 V500R002C00, IPS Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, NGFW Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R002C00, V500R002C10, NIP6300 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6600 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6800 V500R001C50, RP200 V500R002C00, V600R006C00, SVN5600 V200R003C00, V200R003C10, SVN5800 V200R003C00, V200R003C10, SVN5800-C V200R003C00, V200R003C10, SeMG9811 V300R001C01, Secospace USG6300 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6500 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6600 V100R001C00, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, TE30 V100R001C02, V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C01, V100R001C10, V500R002C00, V600R006C00, USG9500 V500R001C00, V500R001C20, V500R001C30, USG9520 V300R001C01, V300R001C20, USG9560 V300R001C01, V300R001C20, USG9580 V300R001C01, V300R001C20, VP9660 V200R001C02, V200R001C30, V500R002C00, V500R002C10, ViewPoint 8660 V100R008C03, ViewPoint 9030 V100R011C02, V100R011C03, eSpace U1981 V100R001C20, V200R003C00, V200R003C20, V200R003C30 has a buffer overflow vulnerability. An attacker may send specially crafted messages to the affected products. Due to the insufficient validation of some values for SIP messages, successful exploit may cause services abnormal. plural Huawei The product contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300 and other products are all products of China Huawei. HuaweiDP300 is a video conferencing terminal device. IPSModule is an intrusion prevention module. SIPbackup is one of the SIP backup modules. The following products and versions are affected: Huawei DP300 Version; IPS Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NGFW Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R002C00 Version, V500R002C10 Version; NIP6300 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6600 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6800 V500R001C50 Version; RP200 V500R002C00 Version, V600R006C00 Version; SVN5600 wait

The SIP module in Huawei DP300 V500R002C00, IPS Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, NGFW Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R002C00, V500R002C10, NIP6300 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6600 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6800 V500R001C50, RP200 V500R002C00, V600R006C00, SVN5600 V200R003C00, V200R003C10, SVN5800 V200R003C00, V200R003C10, SVN5800-C V200R003C00, V200R003C10, SeMG9811 V300R001C01, Secospace USG6300 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6500 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6600 V100R001C00, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, TE30 V100R001C02, V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C01, V100R001C10, V500R002C00, V600R006C00, USG9500 V500R001C00, V500R001C20, V500R001C30, USG9520 V300R001C01, V300R001C20, USG9560 V300R001C01, V300R001C20, USG9580 V300R001C01, V300R001C20, VP9660 V200R001C02, V200R001C30, V500R002C00, V500R002C10, ViewPoint 8660 V100R008C03, ViewPoint 9030 V100R011C02, V100R011C03, eSpace U1981 V100R001C20, V200R003C00, V200R003C20, V200R003C30 has a buffer overflow vulnerability. An attacker would have to find a way to craft specific messages to the affected products. Due to the insufficient validation for SIP messages, successful exploit may cause services abnormal. plural Huawei The product contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300 and other products are all products of China Huawei. HuaweiDP300 is a video conferencing terminal device. IPSModule is an intrusion prevention module. SIPbackup is one of the SIP backup modules. The vulnerability is caused by the program failing to fully verify some of the values in the SIP message. An attacker could exploit the vulnerability by tampering with a message sent to the device to cause a service exception. The vulnerability is caused by the program's insufficient verification of some packets. The following products and versions are affected: Huawei DP300 Version; IPS Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NGFW Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R002C00 Version, V500R002C10 Version; NIP6300 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6600 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6800 V500R001C50 Version; RP200 V500R002C00 Version, V600R006C00 Version; SVN5600 wait

The SIP backup feature in Huawei DP300 V500R002C00, IPS Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, NGFW Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R002C00, V500R002C10, NIP6300 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6600 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6800 V500R001C50, RP200 V500R002C00, V600R006C00, SVN5600 V200R003C00, V200R003C10, SVN5800 V200R003C00, V200R003C10, SVN5800-C V200R003C00, V200R003C10, SeMG9811 V300R001C01, Secospace USG6300 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6500 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6600 V100R001C00, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, TE30 V100R001C02, V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C01, V100R001C10, V500R002C00, V600R006C00, USG9500 V500R001C00, V500R001C20, V500R001C30, USG9520 V300R001C01, V300R001C20, USG9560 V300R001C01, V300R001C20, USG9580 V300R001C01, V300R001C20, VP9660 V200R001C02, V200R001C30, V500R002C00, V500R002C10, ViewPoint 8660 V100R008C03, ViewPoint 9030 V100R011C02, V100R011C03, eSpace U1981 V100R001C20, V200R003C00, V200R003C20, V200R003C30 has a buffer overflow vulnerability. An attacker may send specially crafted messages to the affected products. Due to the insufficient validation of some values for SIP messages, successful exploit may cause services abnormal. plural Huawei The product contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300 and other products are all products of China Huawei. HuaweiDP300 is a video conferencing terminal device. IPSModule is an intrusion prevention module. SIPbackup is one of the SIP backup modules. The following products and versions are affected: Huawei DP300 Version; IPS Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NGFW Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R002C00 Version, V500R002C10 Version; NIP6300 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6600 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6800 V500R001C50 Version; RP200 V500R002C00 Version, V600R006C00 Version; SVN5600 wait

The SIP backup feature in Huawei DP300 V500R002C00, IPS Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, NGFW Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R002C00, V500R002C10, NIP6300 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6600 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6800 V500R001C50, RP200 V500R002C00, V600R006C00, SVN5600 V200R003C00, V200R003C10, SVN5800 V200R003C00, V200R003C10, SVN5800-C V200R003C00, V200R003C10, SeMG9811 V300R001C01, Secospace USG6300 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6500 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6600 V100R001C00, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, TE30 V100R001C02, V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C01, V100R001C10, V500R002C00, V600R006C00, USG9500 V500R001C00, V500R001C20, V500R001C30, USG9520 V300R001C01, V300R001C20, USG9560 V300R001C01, V300R001C20, USG9580 V300R001C01, V300R001C20, VP9660 V200R001C02, V200R001C30, V500R002C00, V500R002C10, ViewPoint 8660 V100R008C03, ViewPoint 9030 V100R011C02, V100R011C03, eSpace U1981 V100R001C20, V200R003C00, V200R003C20, V200R003C30 has a buffer overflow vulnerability. An attacker may send specially crafted messages to the affected products. Due to the insufficient validation of some values for SIP messages, successful exploit may cause services abnormal. plural Huawei The product contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300 and other products are all products of China Huawei. HuaweiDP300 is a video conferencing terminal device. IPSModule is an intrusion prevention module. SIPbackup is one of the SIP backup modules. The following products and versions are affected: Huawei DP300 Version; IPS Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NGFW Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R002C00 Version, V500R002C10 Version; NIP6300 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6600 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6800 V500R001C50 Version; RP200 V500R002C00 Version, V600R006C00 Version; SVN5600 wait

XML parser in Huawei S12700 V200R005C00,S1700 V200R009C00, V200R010C00,S3700 V100R006C03, V100R006C05,S5700 V200R001C00, V200R002C00, V200R003C00, V200R003C02, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00,S6700 V200R001C00, V200R002C00, V200R003C00, V200R005C00, V200R005C02, V200R008C00, V200R009C00, V200R010C00,S7700 V200R001C00, V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00,S9700 V200R001C00, V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00,eCNS210_TD V100R004C10, V100R004C10SPC003, V100R004C10SPC100, V100R004C10SPC101, V100R004C10SPC102, V100R004C10SPC200, V100R004C10SPC221, V100R004C10SPC400 has a DOS vulnerability. An attacker may craft specific XML files to the affected products. Due to not check the specially XML file and to parse this file, successful exploit will result in DOS attacks. plural Huawei The product contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. HuaweiS12700 is an enterprise-class switch product from China's Huawei company. XMLparser is one of the XML parsers. The vulnerability stems from the failure of the network system or product to properly validate the input data. The following products and versions are affected: Huawei S12700 V200R005C00 Version; S1700 V200R009C00 Version, V200R010C00 Version; S2300 V100R006C03 Version, V100R006C05 Version, V200R003C00 Version, V200R005C00 Version, V200R006C00 Version, V200R007C00 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S3300 V100R006C03 Version , V100R006C05 version; S3700 V100R006C03 version, V100R006C05 version; S5300, etc

XML parser in Huawei DP300 V500R002C00; RP200 V500R002C00SPC200; V600R006C00; TE30 V100R001C10; V500R002C00; V600R006C00; TE40 V500R002C00; V600R006C00; TE50 V500R002C00; V600R006C00; TE60 V100R001C10; V500R002C00; V600R006C00 has a DoS vulnerability. Due to not check the specially XML file enough an authenticated local attacker may craft specific XML files to the affected products and parse this file which cause to null pointer accessing and result in DoS attacks. plural Huawei The product contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300 and RP200 are Huawei's integrated desktop telepresence products for high-end customers. The TE series is a high-definition video conferencing terminal that supports 1080p60. A number of Huawei product XML parsers have a denial of service vulnerability due to insufficient validation of the XML file by the affected product. The Huawei DP300 and others are all products of China's Huawei (Huawei). RP200 is a video conferencing all-in-one device. The following products and versions are affected: Huawei DP300 V500R002C00 Version; RP200 V500R002C00SPC200 Version, V600R006C00 Version; TE30 V100R001C10 Version, V500R002C00 Version, V600R006C00 Version; TE40 V500R002C00 Version, V600R006C00 Version; TE50 V500R002C00 Version, V600R006C00 Version; TE60 V100R001C10 Version, V500R002C00 Version, Version V600R006C00

Huawei VP9660 V500R002C10 has a null pointer reference vulnerability in license module due to insufficient verification. An authenticated local attacker could place a malicious license file into system which cause memory null pointer accessing and related processing crash. The attacker can exploit this vulnerability to cause a denial of service. HuaweiVP9660 is a new generation of multimedia switching platform with Huawei 1080p60 full-coded and super-processing capabilities, which is based on customer demand and combined with network equipment manufacturing advantages. Huawei VP9660 is a new-generation video conferencing terminal product of China Huawei (Huawei). The license module is one of the license management modules

Huawei VP9660 V500R002C10 has a uncontrolled format string vulnerability when the license module output the log information. An authenticated local attacker could exploit this vulnerability to cause a denial of service. Huawei VP9660 Contains a format string vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. HuaweiVP9660 is a new generation of multimedia switching platform with Huawei 1080p60 full-coded and super-processing capabilities, which is based on customer demand and combined with network equipment manufacturing advantages. Huawei VP9660 is a new-generation video conferencing terminal product of China Huawei (Huawei). The license module is one of the license management modules. The vulnerability is caused by insufficient verification of the program

Huawei CloudEngine 12800 V100R003C00, V100R005C00, V100R005C10, V100R006C00,CloudEngine 5800 V100R003C00, V100R005C00, V100R005C10, V100R006C00,CloudEngine 6800 V100R003C00, V100R005C00, V100R005C10, V100R006C00,CloudEngine 7800 V100R003C00, V100R005C00, V100R005C10, V100R006C00 have a memory leak vulnerability. An unauthenticated attacker may send specific Resource ReServation Protocol (RSVP) packets to the affected products. Due to not release the memory to handle the packets, successful exploit will result in memory leak of the affected products and lead to a DoS condition. Huawei CloudEngine Contains a resource management vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei CloudEngine12800 and other Huawei Huayun (Cloud) series of switch products. The vulnerability stems from the fact that the program does not release the memory for processing the message. The following products and versions are affected: Huawei CloudEngine 12800 V100R003C00 Version, V100R005C00 Version, V100R005C10 Version, V100R006C00 Version; CloudEngine 5800 V100R003C00 Version, V100R005C00 Version, V100R005C10 Version, V100R006C00 Version; CloudEngine 6800 V100R003C00 Version, V100R005C00 Version, V100R005C10 Version, V100R006C00 Version; CloudEngine 7800 V100R003C00, V100R005C00, V100R005C10, and V100R006C00

PEM module of Huawei DP300 V500R002C00; IPS Module V500R001C00; V500R001C30; NGFW Module V500R001C00; V500R002C00; NIP6300 V500R001C00; V500R001C30; NIP6600 V500R001C00; V500R001C30; RP200 V500R002C00; V600R006C00; S12700 V200R007C00; V200R007C01; V200R008C00; V200R009C00; V200R010C00; S1700 V200R006C10; V200R009C00; V200R010C00; S2700 V200R006C10; V200R007C00; V200R008C00; V200R009C00; V200R010C00; S5700 V200R006C00; V200R007C00; V200R008C00; V200R009C00; V200R010C00; S6700 V200R008C00; V200R009C00; V200R010C00; S7700 V200R007C00; V200R008C00; V200R009C00; V200R010C00; S9700 V200R007C00; V200R007C01; V200R008C00; V200R009C00; V200R010C00; Secospace USG6300 V500R001C00; V500R001C30; Secospace USG6500 V500R001C00; V500R001C30; Secospace USG6600 V500R001C00; V500R001C30S; TE30 V100R001C02; V100R001C10; V500R002C00; V600R006C00; TE40 V500R002C00; V600R006C00; TE50 V500R002C00; V600R006C00; TE60 V100R001C01; V100R001C10; V500R002C00; V600R006C00; TP3106 V100R002C00; TP3206 V100R002C00; V100R002C10; USG9500 V500R001C00; V500R001C30; ViewPoint 9030 V100R011C02; V100R011C03 has a heap overflow vulnerability due to insufficient verification. An authenticated local attacker can make processing crash by a malicious certificate. The attacker can exploit this vulnerability to cause a denial of service. plural Huawei The product contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300, IPSModule, and NGFWModule are all products of China Huawei. DP300 is a video conferencing terminal. RP200 is a video conferencing all-in-one device. The following products and versions are affected: Huawei DP300 V500R002C00 Version; IPS Module V500R001C00 Version, V500R001C30 Version; NGFW Module V500R001C00 Version, V500R002C00 Version; NIP6300 V500R001C00 Version, V500R001C30 Version; NIP6600 V500R001C00 Version, V500R001C30 Version; RP200 V500R002C00 Version, V600R006C00 Version; S12700 V200R007C00 Version, V200R007C01 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S1700 V200R006C10 Version, V200R009C00 Version, V200R010C00 Version; S2700 V200R006C10 Version, V200R007C00 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S5700 V200R006C00 Version, V200R007C00 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S6700 V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S7700 V200R007C00 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S9700 V200R007C00 Version, V200R007C01 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; Secospace

Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C00; TE30 V100R001C10; V600R006C00; TE50 V600R006C00; TE60 V100R001C10; V500R002C00; V600R006C00; VP9660 V500R002C10 have an DoS vulnerability due to insufficient validation of the parameter when a putty comment key is loaded. An authenticated remote attacker can place a malformed putty key file in system when a system manager load the key an infinite loop happens which lead to reboot the system. plural Huawei The product contains an input validation vulnerability.Denial of service (DoS) May be in a state. Huawei DP300, RP200, and TE30/40/50/60 are Huawei's integrated desktop telepresence products and high-definition video conferencing terminal products for high-end customers. The Huawei DP300 and others are all products of China's Huawei (Huawei). DP300 is a video conferencing terminal. RP200 is a video conferencing all-in-one device. The following products and versions are affected: Huawei DP300 V500R002C00 Version; RP200 V500R002C00 Version, V600R006C00 Version; TE30 V100R001C10 Version, V600R006C00 Version; TE50 V600R006C00 Version; TE60 V100R001C10 Version, V500R002C00 Version, V600R006C00 Version; VP9660 V500R002C10 Version

Zivif PR115-204-P-RS V2.3.4.2103 and V4.7.4.2121 (and possibly in-between versions) web cameras are vulnerable to unauthenticated, blind remote command injection via CGI scripts used as part of the web interface, as demonstrated by a cgi-bin/iptest.cgi?cmd=iptest.cgi&-time="1504225666237"&-url=$(reboot) request. Zivif Web The camera contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The ZivifPR115-204-P-RS is a network camera device. A remote command injection vulnerability exists in the ZivifPR115-204-P-RS2.3.4.2103 release. A remote attacker can exploit this vulnerability to inject arbitrary commands. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. Attack vector: Remote Authentication: None Researcher: Silas Cutler `p1nk` <silas.cutler@blacklistthisdomain.com> Release date: December 10, 2017 Full Disclosure: 90 days CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 Vulnerable Device: Zivif PR115-204-P-RS Version: V2.3.4.2103 Timeline: 1 September 2017: Initial alerting to Zivif 1 September 2017: Zivif contact established. 3 September 2017: Details provided. 7 September 2017: Confirmation of vulnerabilities from Zivif 5 December 2017: Public note on Social Media CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 would be included in HackerStrip comic. 10 December 2017: This email -[Overview]- Implementation of access controls is Zivif cameras is severely lacking. As a result, CGI functions can be called directly, bypassing authentication checks. This was first identified with the following request (CVE-2017-17106) http://<Camera Address>/web/cgi-bin/hi3510/param.cgi?cmd=getuser Cameras respond to this with: var name0="admin"; var password0="admin"; var authLevel0="255"; var name1="guest"; var password1="guest"; var authLevel1="3"; var name2="admin2"; var password2="admin"; var authLevel2="3"; var name3=""; var password3=""; var authLevel3="3"; var name4=""; var password4=""; var authLevel4="3"; var name5=""; var password5=""; var authLevel5="3"; var name6=""; var password6=""; var authLevel6="3"; var name7=""; var password7=""; var authLevel7="3"; var name8=""; var password8=""; var authLevel8="0"; var name9=""; var password9=""; var authLevel9="0 Credentials are returned in cleartext to the requester. One last findings was the /etc/passwd file contains the following hard-coded entry (CVE-2017-17107): root:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh The encrypted password is cat1029. (none) login: root Password: Login incorrect (none) login: root Password: Welcome to SONIX. \u@\h:\W$ Because of the way the file system is structured, changing this password requires more work then running passwd. -[Note]- The hi3510 is shared with a couple other cameras I'm exploring. The motd saying /Welcome to SONIX/ has lead me to speculate parts of this firmware may be shared with other cameras. -Silas

Zivif PR115-204-P-RS V2.3.4.2103 web cameras contain a hard-coded cat1029 password for the root user. The SONIX operating system's setup renders this password unchangeable and it can be used to access the device via a TELNET session. Zivif Web The camera contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The ZivifPR115-204-P-RS is a network camera device. Attack vector: Remote Authentication: None Researcher: Silas Cutler `p1nk` <silas.cutler@blacklistthisdomain.com> Release date: December 10, 2017 Full Disclosure: 90 days CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 Vulnerable Device: Zivif PR115-204-P-RS Version: V2.3.4.2103 Timeline: 1 September 2017: Initial alerting to Zivif 1 September 2017: Zivif contact established. 3 September 2017: Details provided. 7 September 2017: Confirmation of vulnerabilities from Zivif 5 December 2017: Public note on Social Media CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 would be included in HackerStrip comic. 10 December 2017: This email -[Overview]- Implementation of access controls is Zivif cameras is severely lacking. As a result, CGI functions can be called directly, bypassing authentication checks. This was first identified with the following request (CVE-2017-17106) http://<Camera Address>/web/cgi-bin/hi3510/param.cgi?cmd=getuser Cameras respond to this with: var name0="admin"; var password0="admin"; var authLevel0="255"; var name1="guest"; var password1="guest"; var authLevel1="3"; var name2="admin2"; var password2="admin"; var authLevel2="3"; var name3=""; var password3=""; var authLevel3="3"; var name4=""; var password4=""; var authLevel4="3"; var name5=""; var password5=""; var authLevel5="3"; var name6=""; var password6=""; var authLevel6="3"; var name7=""; var password7=""; var authLevel7="3"; var name8=""; var password8=""; var authLevel8="0"; var name9=""; var password9=""; var authLevel9="0 Credentials are returned in cleartext to the requester. In exploring, unauthenticated remote command injection is possible using (CVE-2017-17105) http://<Camera IP>/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time="1504225666237"&-url=$(reboot) Command results are not returned, however are executed by the system. One last findings was the /etc/passwd file contains the following hard-coded entry (CVE-2017-17107): root:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh The encrypted password is cat1029. (none) login: root Password: Login incorrect (none) login: root Password: Welcome to SONIX. \u@\h:\W$ Because of the way the file system is structured, changing this password requires more work then running passwd. -[Note]- The hi3510 is shared with a couple other cameras I'm exploring. The motd saying /Welcome to SONIX/ has lead me to speculate parts of this firmware may be shared with other cameras. -Silas

PEM module of Huawei DP300 V500R002C00; IPS Module V500R001C00; V500R001C30; NGFW Module V500R001C00; V500R002C00; NIP6300 V500R001C00; V500R001C30; NIP6600 V500R001C00; V500R001C30; RP200 V500R002C00; V600R006C00; S12700 V200R007C00; V200R007C01; V200R008C00; V200R009C00; V200R010C00; S1700 V200R006C10; V200R009C00; V200R010C00; S2700 V200R006C10; V200R007C00; V200R008C00; V200R009C00; V200R010C00; S5700 V200R006C00; V200R007C00; V200R008C00; V200R009C00; V200R010C00; S6700 V200R008C00; V200R009C00; V200R010C00; S7700 V200R007C00; V200R008C00; V200R009C00; V200R010C00; S9700 V200R007C00; V200R007C01; V200R008C00; V200R009C00; V200R010C00; Secospace USG6300 V500R001C00; V500R001C30; Secospace USG6500 V500R001C00; V500R001C30; Secospace USG6600 V500R001C00; V500R001C30S; TE30 V100R001C02; V100R001C10; V500R002C00; V600R006C00; TE40 V500R002C00; V600R006C00; TE50 V500R002C00; V600R006C00; TE60 V100R001C01; V100R001C10; V500R002C00; V600R006C00; TP3106 V100R002C00; TP3206 V100R002C00; V100R002C10; USG9500 V500R001C00; V500R001C30; ViewPoint 9030 V100R011C02; V100R011C03 has a null pointer reference vulnerability due to insufficient verification. An authenticated local attacker calls PEM decoder with special parameter which could cause a denial of service. plural Huawei The product includes NULL A vulnerability related to pointer dereference exists.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300, IPSModule, and NGFWModule are all products of China Huawei. DP300 is a video conferencing terminal. RP200 is a video conferencing all-in-one device. PEM module is one of the security modules. The following products and versions are affected: Huawei DP300 V500R002C00 Version; IPS Module V500R001C00 Version, V500R001C30 Version; NGFW Module V500R001C00 Version, V500R002C00 Version; NIP6300 V500R001C00 Version, V500R001C30 Version; NIP6600 V500R001C00 Version, V500R001C30 Version; RP200 V500R002C00 Version, V600R006C00 Version; S12700 V200R007C00 Version, V200R007C01 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S1700 V200R006C10 Version, V200R009C00 Version, V200R010C00 Version; S2700 V200R006C10 Version, V200R007C00 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S5700 V200R006C00 Version, V200R007C00 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S6700 V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S7700 V200R007C00 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S9700 V200R007C00 Version, V200R007C01 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; Secospace

The remote management interface on the Claymore Dual GPU miner 10.1 allows an unauthenticated remote attacker to execute arbitrary code due to a stack-based buffer overflow in the request handler. This can be exploited via a long API request that is mishandled during logging. Claymore Dual GPU Miner Contains a buffer error vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. ClaymoreDualGPUminer is a GPU monitoring software for mining (virtual currency computing)

An issue was discovered in certain Apple products. iOS before 11.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "IOSurface" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. watchOS is a mobile operating system for the Apple Watch developed by Apple. It is based on the iOS operating system and has many similar features. A memory corruption vulnerability exists in the IOSurface component of Apple watchOS. Failed exploit attempts may result in a denial-of-service condition. The following versions fixes the issue: Versions prior to Apple iOS 11.2 Versions prior to Apple tvOS 11.2 Versions prior to Apple watchOS 4.2. in the United States. IOSurface is one of the programming framework components. Alternatively, on your watch, select "My Watch > General > About". -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2017-12-13-6 Additional information for APPLE-SA-2017-12-6-2 iOS 11.2 iOS 11.2 addresses the following: IOKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with system privileges Description: Multiple memory corruption issues were addressed through improved state management. CVE-2017-13847: Ian Beer of Google Project Zero IOMobileFrameBuffer Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with kernel privilege Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-13879: Apple IOSurface Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-13861: Ian Beer of Google Project Zero Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-13862: Apple CVE-2017-13876: Ian Beer of Google Project Zero CVE-2017-13867: Ian Beer of Google Project Zero Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2017-13833: Brandon Azad Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: A type confusion issue was addressed with improved memory handling. CVE-2017-13855: Jann Horn of Google Project Zero Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2017-13865: Ian Beer of Google Project Zero CVE-2017-13868: Brandon Azad CVE-2017-13869: Jann Horn of Google Project Zero Mail Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Incorrect certificate is used for encryption Description: A S/MIME issue existed in the handling of encrypted email. This issue was addressed through improved selection of the encryption certificate. CVE-2017-13874: an anonymous researcher Mail Drafts Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An attacker with a privileged network position may be able to intercept mail Description: An encryption issue existed with S/MIME credetials. The issue was addressed with additional checks and user control. CVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH Mail Message Framework Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2017-2433: an anonymous researcher, an anonymous researcher, an anonymous researcher WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7156: an anonymous researcher CVE-2017-7157: an anonymous researcher CVE-2017-13856: Jeonghoon Shin CVE-2017-13870: an anonymous researcher CVE-2017-13866: an anonymous researcher Entry added December 13, 2017 Wi-Fi Available for: iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, 12.9-inch iPad Pro 1st generation, iPad Air 2, iPad Air, iPad 5th generation, iPad mini 4, iPad mini 3, iPad mini 2, and iPod touch 6th generation Released for iPhone 7 and later and iPad Pro 9.7-inch (early 2016) and later in iOS 11.1. Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK) Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management. CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "11.2". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQJdBAEBCgBHFiEEcuX4rtoRe4X62yWlg6PvjDRstEYFAloxpFkpHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQg6PvjDRstEZl4BAA mIM4eryXVEmYPSwJFEm6vobzCLahEng05NHE5Vm8eD94T/ZS1HCnkkWwD9KVQEMT HvoZsEB+UZSQQ8VtR3zXDnRJTY1ajSC47CT5GPIZUFTpDb6QrprVEtsFqaqtO+G8 B2JpRL6OY4KRFiSQWPgjr0BaxC6oRc9LmgYByJLyQp5dNAlzhuUsGcK/Dd6NWQgH 0GOqHe/xLc4evNsJTfPKPzXTaH0BvBUOhtYJo9pof4xBxRQES4vNcJpR366eBP1z zSmQwvB9+Hkcol2Cclt+p6pPHLgqFXbd+xDVOEE1aGdlC29cIF46kKu3PGwwMUTA xSCrVGLWvwnoF5LhHKhhN3D1i35NmJcL1Fq7AF/na2POFrM3uyC8iRBKBwUeRyGG GZwPwFvRzPVXW8iVVte0qgJ4PYEwbXvh8Ju5F1U7s0g2Fvqw9XIasQeK4Uf/lvsl c9SsDQaePBbBDrskL77ZQviMW9H1p/o2KHbFNgnpJzqdTwj4eFMdp/3zmRPULFT4 jd8n0TRjI/oB7/5r89jQ+5rp3cX0Nupfq0Fvf5pl6A3t4YYUHHQGjJF6Rbgu2EPy Pn+9WOt6mHhp/e5D5Z4lLCe2q+WeeWGI425UaJC60VTXy4mwKWDQpwGpSnSDkawE Ja6XuvBRDwFQSQTbXG7vdIKPEtzHWpHY3YUHipa5XKU= =ptgx -----END PGP SIGNATURE-----

IBM WebSphere MQ 8.0 and 9.0 could allow, under special circumstances, an unauthorized user to access an object which they should have been denied access. IBM X-Force ID: 126456. Vendors have confirmed this vulnerability IBM X-Force ID: 126456 It is released as.Information may be tampered with. An attacker can exploit this issue to bypass the security mechanism and gain unauthorized access. This may lead to further attacks

IBM Sterling File Gateway 2.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 133178. Vendors have confirmed this vulnerability IBM X-Force ID: 133178 It is released as.Information may be obtained and information may be altered. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The software consolidates different centers of file transfer activity and facilitates the secure exchange of file-based data over the Internet

An information exposure vulnerability in default HTTP configuration file in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain sensitive system information via .htaccess file. Synology Photo Station Contains an information disclosure vulnerability.Information may be obtained. Synology Photo Station is a set of solutions from Synology for sharing pictures, videos and blogs on the Internet

Files or directories accessible to external parties vulnerability in picasa.php in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain arbitrary files via prog_id field. Synology Photo Station Contains an information disclosure vulnerability.Information may be obtained. Synology Photo Station is a set of solutions from Synology for sharing pictures, videos and blogs on the Internet. There is a security vulnerability in the picasa.php file in Synology Photo Station versions earlier than 6.8.1-3458 and versions earlier than 6.3-2970