VARIoT IoT vulnerabilities database

An exploitable authentication bypass vulnerability exists in the API daemon of Circle with Disney running firmware 2.0.1. A specially crafted token can bypass the authentication routine of the Apid binary, causing the device to grant unintended administrative access. An attacker needs network connectivity to the device to trigger this vulnerability. Circle with Disney Authentication firmware contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. CirclewithDisney is a network monitoring and management device used by CircleMedia of the United States to monitor children's online behavior

An exploitable vulnerability exists in the WiFi configuration functionality of Circle with Disney running firmware 2.0.1. A specially crafted SSID can cause the device to execute arbitrary shell commands. An attacker needs to send a couple of HTTP requests and setup an access point reachable by the device to trigger this vulnerability. Circle with Disney Has a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. CirclewithDisney is a network monitoring and management device used by CircleMedia of the United States to monitor children's online behavior

An exploitable vulnerability exists in the /api/CONFIG/restore functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause an arbitrary file to be overwritten. An attacker can send an HTTP request to trigger this vulnerability. Circle with Disney Contains a link interpretation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. CirclewithDisney is a network monitoring and management device used by CircleMedia of the United States to monitor children's online behavior. A post-linking vulnerability exists in the /api/CONFIG/restore feature in CirclewithDisney version 2.0.1

An exploitable vulnerability exists in the notifications functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request to trigger this vulnerability. Circle with Disney The firmware of OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. CirclewithDisney is a network monitoring and management device used by CircleMedia of the United States to monitor children's online behavior. A command injection vulnerability exists in the notification feature in the CirclewithDisney 2.0.1 release

Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the "cc" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_sx, at 0x9d014ebc, the value for the `cmd2` key is copied using `strcpy` to the buffer at `$sp+0x2d0`.This buffer is 100 bytes large, sending anything longer will cause a buffer overflow. Insteon Hub Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the "cc" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. In cmd sn_sx, at 0x9d014f28, the value for the `cmd3` key is copied using `strcpy` to the buffer at `$sp+0x2b0`.This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. Insteon Hub Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

An issue was discovered in certain Apple products. iOS before 11.1 is affected. tvOS before 11.1 is affected. watchOS before 4.1 is affected. The issue involves the "CoreText" component. It allows remote attackers to cause a denial of service (application crash) via a crafted text file. Apple iOS is a set of operating systems developed for mobile devices; tvOS is a set of smart TV operating systems; watchOS is a set of smart watch operating systems. The CoreText component is one of the text engines that can control text formatting and text layout. Apple iOS/WatchOS/tvOS is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition, denying service to legitimate users. in the United States. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2017-10-31-1 iOS 11.1 iOS 11.1 is now available and addresses the following: CoreText Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing a maliciously crafted text file may lead to an unexpected application termination Description: A denial of service issue was addressed through improved memory handling. CVE-2017-13849: Ro of SavSec Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-13799: an anonymous researcher Messages Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A person with physical access to an iOS device may be able to access photos from the lock screen Description: A lock screen issue allowed access to photos via Reply With Message on a locked device. This issue was addressed with improved state management. CVE-2017-13844: Miguel Alvarado of iDeviceHelp INC Siri Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A person with physical access to an iOS device may be able to use Siri to read notifications of content that is set not to be displayed at the lock screen Description: An issue existed with Siri permissions. This was addressed with improved permission checking. CVE-2017-13805: Yiğit Can YILMAZ (@yilmazcanyigit) StreamingZip Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious zip file may be able modify restricted areas of the file system Description: A path handling issue was addressed with improved validation. CVE-2017-13804: @qwertyoruiopz at KJC Research Intl. S.R.L. UIKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Characters in a secure text field might be revealed Description: The characters in a secure text field were revealed during focus change events. This issue was addressed through improved state management. CVE-2017-7113: an anonymous researcher, Duraiamuthan Harikrishnan of Tech Mahindra, Ricardo Sampayo of Bemo Ltd WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-13785: Ivan Fratric of Google Project Zero CVE-2017-13784: Ivan Fratric of Google Project Zero CVE-2017-13783: Ivan Fratric of Google Project Zero CVE-2017-13788: xisigr of Tencent's Xuanwu Lab (tencent.com) CVE-2017-13798: Ivan Fratric of Google Project Zero CVE-2017-13795: Ivan Fratric of Google Project Zero CVE-2017-13802: Ivan Fratric of Google Project Zero CVE-2017-13792: Ivan Fratric of Google Project Zero CVE-2017-13794: Ivan Fratric of Google Project Zero CVE-2017-13791: Ivan Fratric of Google Project Zero CVE-2017-13796: Ivan Fratric of Google Project Zero CVE-2017-13793: Hanul Choi working with Trend Micro's Zero Day Initiative CVE-2017-13803: chenqin (陈钦) of Ant-financial Light-Year Security Wi-Fi Available for: iPhone 7 and later, and iPad Pro 9.7-inch (early 2016) and later Impact: An attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK) Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management. CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "11.1". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQJdBAEBCgBHFiEEcuX4rtoRe4X62yWlg6PvjDRstEYFAln4u7opHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQg6PvjDRstEbQiw// bEkSQWlXTfpJ/9F2VKbMv+++td8sXozC3ICj9Ho+zhctxNY3MvIqXY8B4MrWB5+e wgz1X/EQSCMItE2u20uISfApls/8/pBde6kKnca9rPGr7I2BKsuHTfCT3taSkhoj EWMHEb64Se0hSiWKj99HJ80It9bDGSHz1cofpYDCNSMFBCiGWF2EbMgxUa55T5Vx BtWZ91y2oU6gTsu4ZSR5NXG+Hi/vFYDnAFSr2/5Dgud4fl0tYk1KZ725g2YvXT7S E3qV6shwcQtpf5ixm4G2cYalfiAmkYYjA/q2sgLClHDVXaPzahTS9ScMygKo4BsZ RDboCM0q0ywPl+xnNJFuq2ZpZAfMefuXpcjTSxBDoNXliphzH2YOjk5YtHV47S+x E8+b/bGDvBiKXJFo+yotJ07er0XtFPxfJKwgaYAi8VAfEXZrIv0uDQfYIZieMIRz VznZvlaKXpA1Ms3R3rY2ukI9gdyPD0wk7r8zAGD0eTdl8E0bMI89UaSMWqDGf1Jm 9AWKOB7na2ElWNHeEMUAhReOL4jHqu/FLkRuoYVAiYKYUDWJGDlD79Yz8bTqnwtu AWHqstzzcUVg1HXcwR5ngUDGFFOU2vVkqZRK6uwzCRzd/a7QQ/Lu+86GkfxPUB+p 9rtwIDGcTg0795ylrx8NLY/3BD8xcBMhfcZbpX5TF8s= =qJV/ -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/. Wi-Fi Available for: Apple Watch Series 1 and Apple Watch Series 2 Impact: An attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK) Description: A logic issue existed in the handling of state transitions. Alternatively, on your watch, select "My Watch > General > About"

yzt is a simple file server. yzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. yzt Contains a path traversal vulnerability.Information may be obtained. Yzt has a directory traversal vulnerability

lessindex is a static file server. lessindex is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. lessindex Contains a path traversal vulnerability.Information may be obtained. A directory traversal vulnerability exists in lessindex

sgqserve is a simple file server. sgqserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. sgqserve Contains a path traversal vulnerability.Information may be obtained. A directory traversal vulnerability exists in sgqserve

nodeaaaaa is a static file server. nodeaaaaa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. nodeaaaaa Contains a path traversal vulnerability.Information may be obtained. A directory traversal vulnerability exists in nodeaaaaa

An issue was discovered in Barco ClickShare CSM-1 firmware before v1.7.0.3 and CSC-1 firmware before v1.10.0.10. An authenticated user can manage the wallpaper collection in the webUI to be shown as background on the ClickShare product. By uploading a wallpaper with a specially crafted name, an HTML injection can be triggered as special characters are not neutralized before output. Barco ClickShare CSM-1 and CSC-1 The firmware contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. BarcoClickShareCSM-1 and ClickShareCSC-1 are both host devices for Barco's wireless presentation system. BarcoClickShareCSM-1 with firmware prior to 1.7.0.3 and BarcoClickShareCSC-1 with firmware prior to 1.10.0.10 have security vulnerabilities. There are currently no detailed details of the vulnerability provided

mfrserver is a simple file server. mfrserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. mfrserver Contains a path traversal vulnerability.Information may be obtained. A directory traversal vulnerability exists in mfrserver

jn_jj_server is a static file server. jn_jj_server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. jn_jj_server Contains a path traversal vulnerability.Information may be obtained. Jn_jj_server has a directory traversal vulnerability

ltt is a static file server. ltt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. ltt Contains a path traversal vulnerability.Information may be obtained. Ltt has a directory traversal vulnerability

peiserver is a static file server. peiserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. peiserver Contains a path traversal vulnerability.Information may be obtained. A directory traversal vulnerability exists in peiserver

MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ES_113WJY0b16 devices have a zyad1234 password for the zyad1234 account, which is equivalent to root and undocumented. MitraStar GPT-2541GNAC (HGU) and DSL-100HN-T1 The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MitraStarGPT-2541GNAC (HGU) and DSL-100HN-T1 are both MitraStar router products. A privilege escalation vulnerability exists in the MitraStarGPT-2541GNAC (HGU) 1.00 (VNJ0) b1 version and the DSL-100HN-T1ES_113WJY0b16 version. The vulnerability of the account originating from zyad1234 is zyad1234. An attacker could exploit this vulnerability to gain root privileges. Multiple MitraStar routers are prone to a local privilege-escalation vulnerability. MitraStar DSL-100HN-T1 and GPT-2541GNAC (HGU) Routers are vulnerable

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and Websafe software version 13.0.0, 12.0.0 to 12.1.2 and 11.5.1 to 11.6.1, under limited circumstances connections handled by a Virtual Server with an associated SOCKS profile may not be properly cleaned up, potentially leading to resource starvation. Connections may be left in the connection table which then can only be removed by restarting TMM. Over time this may lead to the BIG-IP being unable to process further connections. plural F5 BIG-IP The product contains a resource management vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Multiple F5 BIG-IP products are prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause resource starvation, resulting in denial-of-service condition. F5 BIG-IP APM, etc. are all products of F5 Company in the United States. F5 BIG-IP APM is an access and security solution. F5 BIG-IP is an application delivery platform that integrates functions such as network traffic management, application security management, and load balancing. F5 BIG-IP PEM is a policy enforcer used in BIG-IP. This vulnerability stems from improper management of system resources (such as memory, disk space, files, etc.) by network systems or products. The following products and versions are affected: F5 BIG-IP LTM Release 13.0.0, Release 12.0.0 to Release 12.1.2, Release 11.6.0 to Release 11.6.1, Release 11.5.1 to Release 11.5.4; BIG-IP AAM 13.0.0, 12.0.0 to 12.1.2, 11.6.0 to 11.6.1, 11.5.1 to 11.5.4; BIG-IP AFM 13.0.0, 12.0.0 to Version 12.1.2, Version 11.6.0 to Version 11.6.1, Version 11.5.1 to Version 11.5.4; BIG-IP Analytics Version 13.0.0, Version 12.0.0 to Version 12.1.2, Version 11.6.0 to Version 11.6 .1 version, 11.5.1 to 11.5.4 version; BIG-IP APM 13.0.0 version, 12.0.0 to 12.1.2 version, 11.6.0 to 11.6.1 version, 11.5.1 to 11.5 version. 4 releases; BIG-IP ASM releases 13.0.0, 12.0.0 to 12.1.2, 11.6.0 to 11.6.1, 11.5.1 to 11.5.4; BIG-IP Link Controller 13.0.0 Versions, 12.0.0 to 12.1.2, 11.6.0 to 11.6.1, 11.5.1 to 11.5.4; BIG-IP PEM 13.0.0, 12.0.0 to 12.1.2 , 11.6.0 to 11.6.1, 11.5.1 to 11.5.4; BIG-IP DNS; 13.0.0, 12.0.0 to 12.1

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and Websafe software version 12.0.0 to 12.1.1, 11.6.0 to 11.6.1, 11.5.0 - 11.5.4, virtual servers with a configuration using the HTTP Explicit Proxy functionality and/or SOCKS profile are vulnerable to an unauthenticated, remote attack that allows modification of BIG-IP system configuration, extraction of sensitive system files, and/or possible remote command execution on the BIG-IP system. plural F5 BIG-IP The product contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Multiple F5 BIG-IP Products are prone to a remote command-execution vulnerability. An attacker can execute arbitrary system commands within the context of the affected application. F5 BIG-IP LTM, etc. are all products of F5 Company in the United States. F5 BIG-IP LTM is a local traffic manager; BIG-IP AAM is an application acceleration manager. Virtual server is one of the virtual servers. A remote attacker could exploit this vulnerability to change the BIG-IP system configuration, extract sensitive system files or possibly execute code. The following products and versions are affected: BIG-IP LTM version 12.0.0 to 12.1.1, 11.6.0 to 11.6.1, 11.5.0 to 11.5.4; BIG-IP AAM version 12.0.0 to 12.1.1, 11.6.0 to 11.6.1, 11.5.0 to 11.5.4; BIG-IP AFM 12.0.0 to 12.1.1, 11.6.0 to 11.6.1, 11.5 .0 to 11.5.4; BIG-IP APM 12.0.0 to 12.1.1, 11.6.0 to 11.6.1, 11.5.0 to 11.5.4; BIG-IP ASM 12.0.0 Versions to 12.1.1, 11.6.0 to 11.6.1, 11.5.0 to 11.5.4; BIG-IP Link Controller 12.0.0 to 12.1.1, 11.6.0 to 11.6.1 Versions, 11.5.0 to 11.5.4; BIG-IP PEM 12.0.0 to 12.1.1, 11.6.0 to 11.6.1, 11.5.0 to 11.5.4; BIG-IP WebSafe 11.6.0 to 11.6.1, 11.5.0 to 11.5.4

Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology DiskStation Manager (DSM) 6.0.x before 6.0.3-8754-3 and before 5.2-5967-6 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter. Synology DiskStation Manager (DSM) Contains a path traversal vulnerability.Information may be tampered with. Synology DiskStation Manager (DSM) is an operating system developed by Synology for network storage servers (NAS). The operating system can manage data, documents, photos, music and other information. A directory traversal vulnerability exists in Synology DSM 6.0.x versions prior to 6.0.3-8754-3 and SYNO.FileStation.Extract in versions prior to 5.2-5967-6