VARIoT IoT vulnerabilities database

A vulnerability in the web management GUI of the Cisco D9800 Network Transport Receiver could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to insufficient input validation of GUI command arguments. An attacker could exploit this vulnerability by injecting crafted arguments into a vulnerable GUI command. An exploit could allow the attacker to execute commands on the underlying BusyBox operating system. These commands are run at the privilege level of the authenticated user. The attacker needs valid device credentials for this attack. Cisco Bug IDs: CSCvg74691. Vendors have confirmed this vulnerability Bug ID CSCvg74691 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. WebmanagementGUI is one of the web management interfaces

A vulnerability in the Profile Editor of the Cisco AnyConnect Secure Mobility Client could allow an unauthenticated, local attacker to have read and write access to information stored in the affected system. The vulnerability is due to improper handling of the XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by injecting a crafted XML file with malicious entries, which could allow the attacker to read and write files. Cisco Bug IDs: CSCvg19341. Vendors have confirmed this vulnerability Bug ID CSCvg19341 It is released as.Information may be obtained and information may be altered. ProfileEditor is one of the Profile document editors. Attackers can exploit this issue to obtain potentially sensitive information or perform unauthorized actions. This may lead to further attacks

A vulnerability in the Pong tool of Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability exists because the affected software attempts to free the same area of memory twice. An attacker could exploit this vulnerability by sending a pong request to an affected device from a location on the network that causes the pong reply packet to egress both a FabricPath port and a non-FabricPath port. An exploit could allow the attacker to cause a dual or quad supervisor virtual port-channel (vPC) to reload. This vulnerability affects the following products when running Cisco NX-OS Software Release 7.2(1)D(1), 7.2(2)D1(1), or 7.2(2)D1(2) with both the Pong and FabricPath features enabled and the FabricPath port is actively monitored via a SPAN session: Cisco Nexus 7000 Series Switches and Cisco Nexus 7700 Series Switches. Cisco Bug IDs: CSCuv98660. Cisco NX-OS Contains a resource management vulnerability. Vendors have confirmed this vulnerability Bug ID CSCuv98660 It is released as.Service operation interruption (DoS) There is a possibility of being put into a state. NX-OS Software is a data center operating system that runs on it

A vulnerability in the web framework of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to view sensitive data. The vulnerability is due to insufficient protection of database tables. An attacker could exploit this vulnerability by browsing to a specific URL. An exploit could allow the attacker to view data library information. Cisco Bug IDs: CSCvf20269. Vendors have confirmed this vulnerability Bug ID CSCvf20269 It is released as.Information may be obtained. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution

A vulnerability in the ConfD server of the Cisco Elastic Services Controller (ESC) could allow an unauthenticated, local attacker to access sensitive information on a targeted system. The vulnerability is due to insufficient security restrictions. An attacker could exploit this vulnerability by accessing unauthorized information within the ConfD directory and file structure. Successful exploitation could allow the attacker to view sensitive information. Cisco Bug IDs: CSCvg00221. Vendors have confirmed this vulnerability Bug ID CSCvg00221 It is released as.Information may be obtained. This may result in further attacks. ConfD server is one of the configuration management servers

A vulnerability in the web framework of Cisco Prime Service Catalog could allow an unauthenticated, remote attacker to execute unwanted actions on an affected device. The vulnerability is due to a lack of cross-site request forgery (CSRF) protection. An attacker could exploit this vulnerability by tricking the user of a web application into executing an adverse action. Cisco Bug IDs: CSCvg30313. Vendors have confirmed this vulnerability Bug ID CSCvg30313 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Other attacks are also possible. The solution supports automated ordering of a unified service catalog of computing, networking, storage, and other data center resources

A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to collect customer files via an out-of-band XML External Entity (XXE) injection. An attacker could exploit this vulnerability to gain information to conduct additional reconnaissance attacks. The vulnerability is due to the ability of an attacker to perform an out-of-band XXE injection on the system, which could allow an attacker to capture customer files and redirect them to another destination address. An exploit could allow the attacker to discover sensitive customer data. Cisco Bug IDs: CSCvg36996. Vendors have confirmed this vulnerability Bug ID CSCvg36996 It is released as.Information may be obtained. Cisco WebEx Meetings Server (CWMS) is a set of multi-functional conference solutions including audio, video and Web conference in Cisco's WebEx conference solution. An information disclosure vulnerability exists in CWMS

A vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to access sensitive data about the application. An attacker could exploit this vulnerability to obtain information to conduct additional reconnaissance attacks. The vulnerability is due to a design flaw in Cisco WebEx Meetings Server that could allow an attacker who is authenticated as root to gain shared secrets. An attacker could exploit the vulnerability by accessing the root account and viewing sensitive information. Successful exploitation could allow the attacker to discover sensitive information about the application. Cisco Bug IDs: CSCvg42664. Vendors have confirmed this vulnerability Bug ID CSCvg42664 It is released as.Information may be obtained. Cisco WebEx Meetings Server (CWMS) is a set of multi-functional conference solutions including audio, video and Web conference in Cisco's WebEx conference solution

A vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to access the remote support account even after it has been disabled via the web application. The vulnerability is due to a design flaw in Cisco WebEx Meetings Server, which would not disable access to specifically configured user accounts, even after access had been disabled in the web application. An attacker could exploit this vulnerability by connecting to the remote support account, even after it had been disabled at the web application level. An exploit could allow the attacker to modify server configuration and gain access to customer data. Cisco Bug IDs: CSCvg46741. Cisco WebEx Meetings Server Contains vulnerabilities related to security features. Vendors have confirmed this vulnerability Bug ID CSCvg46741 It is released as.Information may be obtained and information may be altered. This may aid in further attacks. Cisco WebEx Meetings Server (CWMS) is a set of multi-functional conference solutions including audio, video and Web conference in Cisco's WebEx conference solution

A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to access sensitive data about the application. An attacker could exploit this vulnerability to gain information to conduct additional reconnaissance attacks. The vulnerability is due to a design flaw in Cisco WebEx Meetings Server, which could include internal network information that should be restricted. An attacker could exploit the vulnerability by utilizing available resources to study the customer network. An exploit could allow the attacker to discover sensitive data about the application. Cisco Bug IDs: CSCvg46806. Vendors have confirmed this vulnerability Bug ID CSCvg46806 It is released as.Information may be obtained. Cisco WebEx Meetings Server (CWMS) is a set of multi-functional conference solutions including audio, video and Web conference in Cisco's WebEx conference solution

D-LinkDIR615/645/815 is a wireless router product from D-Link. A remote command execution vulnerability exists in D-Link DIR615/645/815 Router 1.03 and previous firmware versions. The vulnerability is caused by the splicing of the data in the HTTP POST request in service.cgi, causing the background commands to be spliced, resulting in arbitrary commands.

A vulnerability in the IPv6 stack on Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) versions before 7.4.2b, 8.1.2 and 8.2.0 could allow an attacker to cause a denial of service (CPU consumption and device hang) condition by sending crafted Router Advertisement (RA) messages to a targeted system. Brocade Fabric OS (FOS) Contains a resource management vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. BrocadeFibreChannelSANproducts are Brocade switches and BrocadeFabricOS (FOS) is an embedded system running on them. Security vulnerabilities exist in BrocadeFibreChannelSAN products prior to BrocadeFOS7.4.2b, pre-8.1.2, and pre-8.0.6 IPv6 stacks. Broadcom Fabric OS is prone to a remote denial-of-service vulnerability. Exploiting this issue allows remote attackers to cause a denial-of-service condition due to excessive CPU consumption. Versions prior to Broadcom Fabric OS 7.4.2b, 8.1.2 and 8.2.0 are vulnerable

Stack-based buffer overflow in the ej_update_variables function in router/httpd/web.c on ASUS routers (when using software from https://github.com/RMerl/asuswrt-merlin) allows web authenticated attackers to execute code via a request that updates a setting. In ej_update_variables, the length of the variable action_script is not checked, as long as it includes a "_wan_if" substring. ASUS The router contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ASUSrouters is a wireless router product from ASUS. A buffer overflow vulnerability exists in the \342\200\230ej_update_variables\342\200\231 function of the router/httpd/web.c file in the ASUS router. An attacker could exploit the vulnerability to execute code by sending a request to update settings

A vulnerability in IPv6 ingress packet processing for Cisco UCS Central Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to high CPU utilization on the targeted device. The vulnerability is due to insufficient rate limiting protection for IPv6 ingress traffic. An attacker could exploit this vulnerability by sending the affected device a high rate of IPv6 packets. Successful exploitation could allow the attacker to cause a DoS condition due to CPU and resource constraints. Cisco Bug IDs: CSCuv34544. Cisco UCS Central The software is vulnerable to resource exhaustion. Vendors have confirmed this vulnerability Bug ID CSCuv34544 It is released as.Service operation interruption (DoS) There is a possibility of being put into a state. Attackers can exploit this issue to cause the affected device to consume excessive CPU resources, denying service to legitimate users

A vulnerability in the CLI of the Cisco StarOS operating system for Cisco ASR 5000 Series routers could allow an authenticated, local attacker to execute arbitrary commands with root privileges on an affected host operating system. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by injecting malicious command arguments into a vulnerable CLI command. A successful exploit could allow the attacker to execute arbitrary commands with root privileges. To exploit this vulnerability, the attacker would need to authenticate to the affected system by using valid administrator credentials. Cisco Bug IDs: CSCvf93332. Cisco StarOS The operating system includes OS A command injection vulnerability exists. Vendors have confirmed this vulnerability Bug ID CSCvf93332 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Cisco ASR5000 Seriesrouters is a 5000 series secure router device from Cisco. The Cisco StarOS operating system is a set of virtualized operating systems running on it

MASTER IPCAMERA01 3.3.4.2103 devices allow Unauthenticated Configuration Change, as demonstrated by the port number of the web server. MASTER IPCAMERA01 The device contains an access control vulnerability.Information may be tampered with. MASTERIPCAMERA01 is an IP network camera product. A configuration error vulnerability exists in the MASTERIPCAMERA013.3.4.2103 release. An attacker could exploit this vulnerability to change the configuration. # Exploit Title: Master IP CAM 01 Multiple Vulnerabilities # Date: 17-01-2018 # Remote: Yes # Exploit Authors: Daniele Linguaglossa, Raffaele Sabato # Contact: https://twitter.com/dzonerzy, https://twitter.com/syrion89 # Vendor: Master IP CAM # Version: 3.3.4.2103 # CVE: CVE-2018-5723, CVE-2018-5724, CVE-2018-5725, CVE-2018-5726 I DESCRIPTION ======================================================================== The Master IP CAM 01 suffers of multiple vulnerabilities: # [CVE-2018-5723] Hardcoded Password for Root Account # [CVE-2018-5724] Unauthenticated Configuration Download and Upload # [CVE-2018-5725] Unauthenticated Configuration Change # [CVE-2018-5726] Unauthenticated Sensitive Information Disclousure II PROOF OF CONCEPT ======================================================================== ## [CVE-2018-5723] Hardcoded Password for Root Account Is possible to access telnet with the hardcoded credential root:cat1029 ## [CVE-2018-5724] Unauthenticated Configuration Download and Upload Download: http://192.168.1.15/web/cgi-bin/hi3510/backup.cgi Upload Form: ### Unauthenticated Configuration Upload <form name="form6" method="post" enctype="multipart/form-data" action="cgi-bin/hi3510/restore.cgi" > <input type="file" name="setting_file" > <input type="submit" value="restore" > </form> ## [CVE-2018-5725] Unauthenticated Configuration Change Change configuration: http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=sethttpport&-httport=8080 List of available commands here: http://www.themadhermit.net/wp-content/uploads/2013/03/FI9821W-CGI-Commands.pdf ## [CVE-2018-5726] Unauthenticated Sensitive Information Disclousure Retrieve sensitive information: http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=getuser III REFERENCES ======================================================================== http://syrion.me/blog/master-ipcam/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5723 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5724 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5725 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5726 http://www.themadhermit.net/wp-content/uploads/2013/03/FI9821W-CGI-Commands.pdf

MASTER IPCAMERA01 3.3.4.2103 devices have a hardcoded password of cat1029 for the root account. MASTER IPCAMERA01 The device contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MASTERIPCAMERA01 is an IP network camera product. An attacker could exploit this vulnerability to gain root privileges. # Exploit Title: Master IP CAM 01 Multiple Vulnerabilities # Date: 17-01-2018 # Remote: Yes # Exploit Authors: Daniele Linguaglossa, Raffaele Sabato # Contact: https://twitter.com/dzonerzy, https://twitter.com/syrion89 # Vendor: Master IP CAM # Version: 3.3.4.2103 # CVE: CVE-2018-5723, CVE-2018-5724, CVE-2018-5725, CVE-2018-5726 I DESCRIPTION ======================================================================== The Master IP CAM 01 suffers of multiple vulnerabilities: # [CVE-2018-5723] Hardcoded Password for Root Account # [CVE-2018-5724] Unauthenticated Configuration Download and Upload # [CVE-2018-5725] Unauthenticated Configuration Change # [CVE-2018-5726] Unauthenticated Sensitive Information Disclousure II PROOF OF CONCEPT ======================================================================== ## [CVE-2018-5723] Hardcoded Password for Root Account Is possible to access telnet with the hardcoded credential root:cat1029 ## [CVE-2018-5724] Unauthenticated Configuration Download and Upload Download: http://192.168.1.15/web/cgi-bin/hi3510/backup.cgi Upload Form: ### Unauthenticated Configuration Upload <form name="form6" method="post" enctype="multipart/form-data" action="cgi-bin/hi3510/restore.cgi" > <input type="file" name="setting_file" > <input type="submit" value="restore" > </form> ## [CVE-2018-5725] Unauthenticated Configuration Change Change configuration: http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=sethttpport&-httport=8080 List of available commands here: http://www.themadhermit.net/wp-content/uploads/2013/03/FI9821W-CGI-Commands.pdf ## [CVE-2018-5726] Unauthenticated Sensitive Information Disclousure Retrieve sensitive information: http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=getuser III REFERENCES ======================================================================== http://syrion.me/blog/master-ipcam/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5723 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5724 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5725 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5726 http://www.themadhermit.net/wp-content/uploads/2013/03/FI9821W-CGI-Commands.pdf

MASTER IPCAMERA01 3.3.4.2103 devices allow remote attackers to obtain sensitive information via a crafted HTTP request, as demonstrated by the username, password, and configuration settings. MASTER IPCAMERA01 The device contains an information disclosure vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MASTERIPCAMERA01 is an IP network camera product. An information disclosure vulnerability exists in the MASTERIPCAMERA013.3.4.2103 release. # Exploit Title: Master IP CAM 01 Multiple Vulnerabilities # Date: 17-01-2018 # Remote: Yes # Exploit Authors: Daniele Linguaglossa, Raffaele Sabato # Contact: https://twitter.com/dzonerzy, https://twitter.com/syrion89 # Vendor: Master IP CAM # Version: 3.3.4.2103 # CVE: CVE-2018-5723, CVE-2018-5724, CVE-2018-5725, CVE-2018-5726 I DESCRIPTION ======================================================================== The Master IP CAM 01 suffers of multiple vulnerabilities: # [CVE-2018-5723] Hardcoded Password for Root Account # [CVE-2018-5724] Unauthenticated Configuration Download and Upload # [CVE-2018-5725] Unauthenticated Configuration Change # [CVE-2018-5726] Unauthenticated Sensitive Information Disclousure II PROOF OF CONCEPT ======================================================================== ## [CVE-2018-5723] Hardcoded Password for Root Account Is possible to access telnet with the hardcoded credential root:cat1029 ## [CVE-2018-5724] Unauthenticated Configuration Download and Upload Download: http://192.168.1.15/web/cgi-bin/hi3510/backup.cgi Upload Form: ### Unauthenticated Configuration Upload <form name="form6" method="post" enctype="multipart/form-data" action="cgi-bin/hi3510/restore.cgi" > <input type="file" name="setting_file" > <input type="submit" value="restore" > </form> ## [CVE-2018-5725] Unauthenticated Configuration Change Change configuration: http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=sethttpport&-httport=8080 List of available commands here: http://www.themadhermit.net/wp-content/uploads/2013/03/FI9821W-CGI-Commands.pdf ## [CVE-2018-5726] Unauthenticated Sensitive Information Disclousure Retrieve sensitive information: http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=getuser III REFERENCES ======================================================================== http://syrion.me/blog/master-ipcam/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5723 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5724 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5725 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5726 http://www.themadhermit.net/wp-content/uploads/2013/03/FI9821W-CGI-Commands.pdf

Vulnerability in the Integrated Lights Out Manager (ILOM) component of Oracle Sun Systems Products Suite (subcomponent: Remote Console Application). Supported versions that are affected are 3.x and 4.x. Difficult to exploit vulnerability allows low privileged attacker with network access via TLS to compromise Integrated Lights Out Manager (ILOM). Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Integrated Lights Out Manager (ILOM), attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Integrated Lights Out Manager (ILOM) accessible data as well as unauthorized access to critical data or complete access to all Integrated Lights Out Manager (ILOM) accessible data. CVSS 3.0 Base Score 7.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N). The vulnerability can be exploited over the 'TLS' protocol

Vulnerability in the Integrated Lights Out Manager (ILOM) component of Oracle Sun Systems Products Suite (subcomponent: Remote Console Application). Supported versions that are affected are 3.x and 4.x. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Integrated Lights Out Manager (ILOM). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Integrated Lights Out Manager (ILOM) accessible data as well as unauthorized read access to a subset of Integrated Lights Out Manager (ILOM) accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Integrated Lights Out Manager (ILOM). CVSS 3.0 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). The vulnerability can be exploited over the 'TLS' protocol. Attackers can take advantage of this vulnerability to read, update, insert or delete data without authorization, causing denial of service and affecting data confidentiality, availability and integrity