VARIoT IoT vulnerabilities database

.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack against a .NET Core web application by improperly handling web requests, aka ".NET CORE Denial Of Service Vulnerability". Microsoft ASP.NET Core is a cross-platform open source framework of Microsoft Corporation of the United States. The framework is used to build cloud-based applications such as web applications, IoT applications, and mobile backends. The vulnerability stems from programs that do not properly handle web requests. ASP.NET Core 1.0, 1.1 and 2.0 are vulnerable

ASP.NET Core 2.0 allows an attacker to steal log-in session information such as cookies or authentication tokens via a specially crafted URL aka "ASP.NET Core Elevation Of Privilege Vulnerability". Microsoft ASP.NET Core is a cross-platform open source framework of Microsoft Corporation of the United States. The framework is used to build cloud-based applications such as web applications, IoT applications, and mobile backends. An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible

SAP NetWeaver is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.

.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack against a .NET Core web application by improperly parsing certificate data. A denial of service vulnerability exists when .NET Core improperly handles parsing certificate data, aka ".NET CORE Denial Of Service Vulnerability". ASP.NET Core 1.0, 1.1 and 2.0 are vulnerable. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Low: .NET Core security update Advisory ID: RHSA-2017:3248-01 Product: dotNET on RHEL Advisory URL: https://access.redhat.com/errata/RHSA-2017:3248 Issue date: 2017-11-20 CVE Names: CVE-2017-8585 CVE-2017-11770 ===================================================================== 1. Summary: A security update for .NET Core on RHEL is now available. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: dotNET on RHEL for Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 dotNET on RHEL for Red Hat Enterprise Linux Server (v. 7) - x86_64 dotNET on RHEL for Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: New versions of .NET Core that address several security vulnerabilities are now available. The updated versions are .NET Core 1.0.8, 1.1.5 and 2.0.3. (CVE-2017-11770) 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1512982 - CVE-2017-8585 dotNet: DDoS via invalid culture 1512992 - CVE-2017-11770 dotNET: DDos via bad certificate 6. Package List: dotNET on RHEL for Red Hat Enterprise Linux ComputeNode (v. 7): Source: rh-dotnetcore10-dotnetcore-1.0.8-1.el7.src.rpm x86_64: rh-dotnetcore10-dotnetcore-1.0.8-1.el7.x86_64.rpm rh-dotnetcore10-dotnetcore-debuginfo-1.0.8-1.el7.x86_64.rpm dotNET on RHEL for Red Hat Enterprise Linux ComputeNode (v. 7): Source: rh-dotnetcore11-dotnetcore-1.1.5-1.el7.src.rpm x86_64: rh-dotnetcore11-dotnetcore-1.1.5-1.el7.x86_64.rpm rh-dotnetcore11-dotnetcore-debuginfo-1.1.5-1.el7.x86_64.rpm dotNET on RHEL for Red Hat Enterprise Linux ComputeNode (v. 7): Source: rh-dotnet20-dotnet-2.0.3-4.el7.src.rpm x86_64: rh-dotnet20-dotnet-2.0.3-4.el7.x86_64.rpm rh-dotnet20-dotnet-debuginfo-2.0.3-4.el7.x86_64.rpm rh-dotnet20-dotnet-host-2.0.3-4.el7.x86_64.rpm rh-dotnet20-dotnet-runtime-2.0-2.0.3-4.el7.x86_64.rpm rh-dotnet20-dotnet-sdk-2.0-2.0.3-4.el7.x86_64.rpm dotNET on RHEL for Red Hat Enterprise Linux Server (v. 7): Source: rh-dotnetcore10-dotnetcore-1.0.8-1.el7.src.rpm x86_64: rh-dotnetcore10-dotnetcore-1.0.8-1.el7.x86_64.rpm rh-dotnetcore10-dotnetcore-debuginfo-1.0.8-1.el7.x86_64.rpm dotNET on RHEL for Red Hat Enterprise Linux Server (v. 7): Source: rh-dotnetcore11-dotnetcore-1.1.5-1.el7.src.rpm x86_64: rh-dotnetcore11-dotnetcore-1.1.5-1.el7.x86_64.rpm rh-dotnetcore11-dotnetcore-debuginfo-1.1.5-1.el7.x86_64.rpm dotNET on RHEL for Red Hat Enterprise Linux Server (v. 7): Source: rh-dotnet20-dotnet-2.0.3-4.el7.src.rpm x86_64: rh-dotnet20-dotnet-2.0.3-4.el7.x86_64.rpm rh-dotnet20-dotnet-debuginfo-2.0.3-4.el7.x86_64.rpm rh-dotnet20-dotnet-host-2.0.3-4.el7.x86_64.rpm rh-dotnet20-dotnet-runtime-2.0-2.0.3-4.el7.x86_64.rpm rh-dotnet20-dotnet-sdk-2.0-2.0.3-4.el7.x86_64.rpm dotNET on RHEL for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-dotnetcore10-dotnetcore-1.0.8-1.el7.src.rpm x86_64: rh-dotnetcore10-dotnetcore-1.0.8-1.el7.x86_64.rpm rh-dotnetcore10-dotnetcore-debuginfo-1.0.8-1.el7.x86_64.rpm dotNET on RHEL for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-dotnetcore11-dotnetcore-1.1.5-1.el7.src.rpm x86_64: rh-dotnetcore11-dotnetcore-1.1.5-1.el7.x86_64.rpm rh-dotnetcore11-dotnetcore-debuginfo-1.1.5-1.el7.x86_64.rpm dotNET on RHEL for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-dotnet20-dotnet-2.0.3-4.el7.src.rpm x86_64: rh-dotnet20-dotnet-2.0.3-4.el7.x86_64.rpm rh-dotnet20-dotnet-debuginfo-2.0.3-4.el7.x86_64.rpm rh-dotnet20-dotnet-host-2.0.3-4.el7.x86_64.rpm rh-dotnet20-dotnet-runtime-2.0-2.0.3-4.el7.x86_64.rpm rh-dotnet20-dotnet-sdk-2.0-2.0.3-4.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2017-8585 https://access.redhat.com/security/cve/CVE-2017-11770 https://access.redhat.com/security/updates/classification/#low https://github.com/dotnet/announcements/issues/34 https://github.com/dotnet/announcements/issues/44 https://github.com/dotnet/core/blob/master/release-notes/2.0/2.0.3.md https://github.com/dotnet/core/blob/master/release-notes/1.1/1.1.5.md https://github.com/dotnet/core/blob/master/release-notes/1.0/1.0.8.md 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFaEsB8XlSAg2UNWIIRAmOjAJ9wjYtfCUbtPpsnb6lS24iFpnlohwCfW3q7 qK6A1l+OTjiiqdhM/cGc8ZU= =DZ68 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. DDNSclient is one of the dynamic domain name service clients

A missing error check exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10001 could allow an attacker to reset the user accounts to factory defaults, without authentication. Foscam C1 Indoor HD Camera Application firmware contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. There is a factory reset vulnerability in the Multi-Camera interface in FoscamC1IndoorHDCamera that caused the program to fail to implement error detection

An exploitable buffer overflow vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10000 can cause a buffer overflow resulting in overwriting arbitrary data. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. ### Tested Versions * Foscam Indoor IP Camera C1 Series * System Firmware Version: 1.9.3.18 * Application Firmware Version: 2.52.2.43 * Plug-In Version: 3.3.0.26 ### Product URLs http://www.foscam.com/downloads/index.html ### CVSSv3 Score 8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H ### CWE CWE-121: Stack-based Buffer Overflow ### Details Foscam produces a series of IP-capable surveillance devices, network video recorders, and baby monitors for the end-user. Foscam produces a range of cameras for both indoor and outdoor use and with wireless capability. One of these models is the C1 series which contains a web-based user interface for management and is based on the arm architecture. Foscam is..

Insufficient security checks exist in the recovery procedure used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A HTTP request can allow for a user to perform a firmware upgrade using a crafted image. Before any firmware upgrades in this image are flashed to the device, binaries as well as arguments to shell commands contained in the image are executed with elevated privileges. Foscam C1 Indoor HD Camera Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. A remote code execution vulnerability exists in recoveryprocedure in FoscamC1IndoorHDCamera that caused the program to fail to perform adequate security monitoring

An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. DDNSclient is one of the dynamic domain name service clients

An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. DDNSclient is one of the dynamic domain name service clients

An exploitable buffer overflow vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10000 can cause a buffer overflow resulting in overwriting arbitrary data. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. ### Tested Versions * Foscam Indoor IP Camera C1 Series * System Firmware Version: 1.9.3.18 * Application Firmware Version: 2.52.2.43 * Plug-In Version: 3.3.0.26 ### Product URLs http://www.foscam.com/downloads/index.html ### CVSSv3 Score 8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H ### CWE CWE-121: Stack-based Buffer Overflow ### Details Foscam produces a series of IP-capable surveillance devices, network video recorders, and baby monitors for the end-user. Foscam produces a range of cameras for both indoor and outdoor use and with wireless capability. One of these models is the C1 series which contains a web-based user interface for management and is based on the arm architecture. Foscam is..

An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during the SoftAP configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam

The workstation logging function in Philips IntelliSpace Cardiovascular (ISCV) 2.3.0 and earlier and Xcelera R4.1L1 and earlier records domain authentication credentials, which if accessed allows an attacker to use credentials to access the application, or other user entitlements. Philips IntelliSpace Cardiovascular (ISCV) and Xcelera Contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Philips IntelliSpace Cardiovascular and Xcelera systems (the predecessor to IntelliSpace Cardiovascular) are comprehensive cardiac imaging and information management software. A plaintext storage vulnerability exists in the Philips IntelliSpace Cardiovascular System and Xcelera System. Credentials are stored in clear file in system files, resulting in highly privileged attackers gaining unauthorized access to data, including patient health information, system resources, and misuse connections. assets. this may lead to further attacks. Xcelera is its predecessor. The vulnerability is caused by the program storing certificates in clear text in system files

An exploitable buffer overflow vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted HTTP request can cause a buffer overflow resulting in overwriting arbitrary data. An attacker can simply send an HTTP request to the device to trigger this vulnerability. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam

An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. DDNSclient is one of the dynamic domain name service clients

An exploitable buffer overflow vulnerability exists in the UPnP implementation used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted UPnP discovery response can cause a buffer overflow resulting in overwriting arbitrary data. An attacker needs to be in the same subnetwork and reply to a discovery message to trigger this vulnerability. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam

An issue was discovered on Siemens SICAM RTUs SM-2556 COM Modules with the firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00, and DNPi00. The integrated web server (port 80/tcp) of the affected devices could allow unauthenticated remote attackers to execute arbitrary code on the affected device. Siemens SICAM RTUs SM-2556 COM Module firmware contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The SM-2556 communication module is a protocol component for LAN/WAN communication with a Fast Ethernet interface that can be connected to the SICAM1703 and SICAMRTU substation controllers. Multiple Siemens SICAM RTU Products are prone to multiple security vulnerabilities. This can allow the attacker to steal cookie-based authentication credentials and aid in further attacks. Siemens SICAM RTUs is a substation controller of Siemens (Siemens) in Germany. SM-2556 COM Modules is used in one of the communication modules for LAN/WAN. Products using the following firmware are affected: ENOS00; ERAC00; ETA2; ETLS00; MODi00; DNPi00. SEC Consult Vulnerability Lab Security Advisory < 20171114-0 > ======================================================================= title: Authentication bypass, cross-site scripting & code execution product: Siemens SICAM RTUs SM-2556 COM Modules (firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00 vulnerable version: FW 1549 Revision 07 fixed version: none, see Workaround section below CVE number: CVE-2017-12737 (authentication bypass) CVE-2017-12738 (XSS) CVE-2017-12739 (web server) impact: critical homepage: www.siemens.com found: 2017-08-17 by: SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Siemens is a global powerhouse focusing on the areas of electrification, automation and digitalization. One of the world's largest producers of energy-efficient, resource-saving technologies, Siemens is a leading supplier of systems for power generation and transmission as well as medical diagnosis." Source: https://www.siemens.com/global/en/home/company/about.html Business recommendation: ------------------------ SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all identified issues have been resolved. The device must not be accessible from untrusted networks. Vulnerability overview/description: ----------------------------------- 1) Authentication Bypass (client-side "authentication" enforcement) The web interface (TCP port 80) suffers from an authentication bypass vulnerability that allows unauthenticated attackers to access arbitray functionality and information (i.e. password lists) available through the webserver. 2) Reflected Cross-Site Scripting The web interface provides a "ping" functionality. This form is vulnerable to reflected cross-site-scripting because of missing input handling and output encoding. 3) Outdated Webserver (GoAhead) The used webserver version contains known weaknesses. Proof of concept: ----------------- 1) Authentication Bypass Use a browser which has JavaScript disabled ("Authentication" checks are performed client-side) and open legitimate URLs directly. Examples: http://<hostname>/start.asp http://<hostname>/pwliste.asp http://<hostname>/goform/webforms_readmem?start_addr=0&length=100 2) Reflected Cross-Site Scripting All parameters in "webforms_ping" are vulnerable to reflected XSS: http://<hostname>/goform/webforms_ping?ip_address=1.1.1.com%3Cscript%3Ealert(%27XSS%20proof-of-concept%27)%3C/script%3E1&length_data=32&count_pings=4&timeout=1 3) Outdated Webserver The used version of "GoAhead" webserver is 2.1.7 (released in Oct. 2003) This version has known vulnerabilities: http://aluigi.altervista.org/adv/goahead-adv3.txt https://web.archive.org/web/20080314153252/http:/data.goahead.com:80/Software/Webserver/2.1.8/release.htm#bug-with-urls-like-asp Vulnerable / tested versions: ----------------------------- SM-2556 COM Modules with the firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00 (FW 1549 Revision 07) Vendor contact timeline: ------------------------ 2017-09-25: Encrypted advisory sent to Siemens ProductCERT 2017-10-02: Requesting status update. 2017-10-09: Vendor states that the "affected device is out of service" and provides workaround (disable webserver). They are "still assessing the next steps". 2017-11-02: Requesting status update. 2017-11-06: Siemens ProductCERT will reach out to development team and keep us posted. 2017-11-08: Siemens ProductCERT prepares advisory. 2017-11-08: Asking about planned release date. 2017-11-13: Siemens ProductCERT provides planned release date (2017-11-14) 2017-11-14: Coordinated public release. Solution: --------- No firmware update is available as the device is no longer supported by the vendor. Workaround: ----------- According to the vendor the webserver can be disabled to mitigate all the vulnerabilities documented in this advisory. The webserver is optional and only used for commissioning and debugging purposes. The vendor published the following document for further information: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-164516.pdf Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Twitter: https://twitter.com/sec_consult EOF SEC Consult Vulnerability Lab / @2017

IBM WebSphere MQ 8.0 and 9.0 could allow an authenticated user to cause a shared memory leak by MQ applications using dynamic queues, which can lead to lack of resources for other MQ applications. IBM X-Force ID: 125144. IBM WebSphere MQ Contains a resource management vulnerability. Vendors have confirmed this vulnerability IBM X-Force ID: 125144 It is released as.Service operation interruption (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to cause the excessive resource consumption thereby denying service to other legitimate users

An issue was discovered on Siemens SICAM RTUs SM-2556 COM Modules with the firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00, and DNPi00. The integrated web server (port 80/tcp) of the affected devices could allow unauthenticated remote attackers to obtain sensitive device information over the network. The SM-2556 communication module is a protocol component for LAN/WAN communication with a Fast Ethernet interface that can be connected to the SICAM1703 and SICAMRTU substation controllers. Multiple Siemens SICAM RTU Products are prone to multiple security vulnerabilities. Attackers can exploit these issues to obtain sensitive information, to execute arbitrary code or arbitrary HTML or script code in the browser of an unsuspecting user within the context of the affected application. This can allow the attacker to steal cookie-based authentication credentials and aid in further attacks. Siemens SICAM RTUs is a substation controller of Siemens (Siemens) in Germany. SM-2556 COM Modules is used in one of the communication modules for LAN/WAN. Products using the following firmware are affected: ENOS00; ERAC00; ETA2; ETLS00; MODi00; DNPi00. SEC Consult Vulnerability Lab Security Advisory < 20171114-0 > ======================================================================= title: Authentication bypass, cross-site scripting & code execution product: Siemens SICAM RTUs SM-2556 COM Modules (firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00 vulnerable version: FW 1549 Revision 07 fixed version: none, see Workaround section below CVE number: CVE-2017-12737 (authentication bypass) CVE-2017-12738 (XSS) CVE-2017-12739 (web server) impact: critical homepage: www.siemens.com found: 2017-08-17 by: SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Siemens is a global powerhouse focusing on the areas of electrification, automation and digitalization. One of the world's largest producers of energy-efficient, resource-saving technologies, Siemens is a leading supplier of systems for power generation and transmission as well as medical diagnosis." Source: https://www.siemens.com/global/en/home/company/about.html Business recommendation: ------------------------ SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all identified issues have been resolved. The device must not be accessible from untrusted networks. Vulnerability overview/description: ----------------------------------- 1) Authentication Bypass (client-side "authentication" enforcement) The web interface (TCP port 80) suffers from an authentication bypass vulnerability that allows unauthenticated attackers to access arbitray functionality and information (i.e. password lists) available through the webserver. 2) Reflected Cross-Site Scripting The web interface provides a "ping" functionality. This form is vulnerable to reflected cross-site-scripting because of missing input handling and output encoding. 3) Outdated Webserver (GoAhead) The used webserver version contains known weaknesses. Proof of concept: ----------------- 1) Authentication Bypass Use a browser which has JavaScript disabled ("Authentication" checks are performed client-side) and open legitimate URLs directly. Examples: http://<hostname>/start.asp http://<hostname>/pwliste.asp http://<hostname>/goform/webforms_readmem?start_addr=0&length=100 2) Reflected Cross-Site Scripting All parameters in "webforms_ping" are vulnerable to reflected XSS: http://<hostname>/goform/webforms_ping?ip_address=1.1.1.com%3Cscript%3Ealert(%27XSS%20proof-of-concept%27)%3C/script%3E1&length_data=32&count_pings=4&timeout=1 3) Outdated Webserver The used version of "GoAhead" webserver is 2.1.7 (released in Oct. 2003) This version has known vulnerabilities: http://aluigi.altervista.org/adv/goahead-adv3.txt https://web.archive.org/web/20080314153252/http:/data.goahead.com:80/Software/Webserver/2.1.8/release.htm#bug-with-urls-like-asp Vulnerable / tested versions: ----------------------------- SM-2556 COM Modules with the firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00 (FW 1549 Revision 07) Vendor contact timeline: ------------------------ 2017-09-25: Encrypted advisory sent to Siemens ProductCERT 2017-10-02: Requesting status update. 2017-10-09: Vendor states that the "affected device is out of service" and provides workaround (disable webserver). They are "still assessing the next steps". 2017-11-02: Requesting status update. 2017-11-06: Siemens ProductCERT will reach out to development team and keep us posted. 2017-11-08: Siemens ProductCERT prepares advisory. 2017-11-08: Asking about planned release date. 2017-11-13: Siemens ProductCERT provides planned release date (2017-11-14) 2017-11-14: Coordinated public release. Solution: --------- No firmware update is available as the device is no longer supported by the vendor. Workaround: ----------- According to the vendor the webserver can be disabled to mitigate all the vulnerabilities documented in this advisory. The webserver is optional and only used for commissioning and debugging purposes. The vendor published the following document for further information: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-164516.pdf Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Twitter: https://twitter.com/sec_consult EOF SEC Consult Vulnerability Lab / @2017

An issue was discovered on Siemens SICAM RTUs SM-2556 COM Modules with the firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00, and DNPi00. The integrated web server (port 80/tcp) of the affected devices could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into clicking on a malicious link. The SM-2556 communication module is a protocol component for LAN/WAN communication with a Fast Ethernet interface that can be connected to the SICAM1703 and SICAMRTU substation controllers. Multiple Siemens SICAM RTU Products are prone to multiple security vulnerabilities. Attackers can exploit these issues to obtain sensitive information, to execute arbitrary code or arbitrary HTML or script code in the browser of an unsuspecting user within the context of the affected application. This can allow the attacker to steal cookie-based authentication credentials and aid in further attacks. Siemens SICAM RTUs is a substation controller of Siemens (Siemens) in Germany. SM-2556 COM Modules is used in one of the communication modules for LAN/WAN. Products using the following firmware are affected: ENOS00; ERAC00; ETA2; ETLS00; MODi00; DNPi00. SEC Consult Vulnerability Lab Security Advisory < 20171114-0 > ======================================================================= title: Authentication bypass, cross-site scripting & code execution product: Siemens SICAM RTUs SM-2556 COM Modules (firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00 vulnerable version: FW 1549 Revision 07 fixed version: none, see Workaround section below CVE number: CVE-2017-12737 (authentication bypass) CVE-2017-12738 (XSS) CVE-2017-12739 (web server) impact: critical homepage: www.siemens.com found: 2017-08-17 by: SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Siemens is a global powerhouse focusing on the areas of electrification, automation and digitalization. One of the world's largest producers of energy-efficient, resource-saving technologies, Siemens is a leading supplier of systems for power generation and transmission as well as medical diagnosis." Source: https://www.siemens.com/global/en/home/company/about.html Business recommendation: ------------------------ SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all identified issues have been resolved. The device must not be accessible from untrusted networks. Vulnerability overview/description: ----------------------------------- 1) Authentication Bypass (client-side "authentication" enforcement) The web interface (TCP port 80) suffers from an authentication bypass vulnerability that allows unauthenticated attackers to access arbitray functionality and information (i.e. password lists) available through the webserver. 2) Reflected Cross-Site Scripting The web interface provides a "ping" functionality. This form is vulnerable to reflected cross-site-scripting because of missing input handling and output encoding. 3) Outdated Webserver (GoAhead) The used webserver version contains known weaknesses. Proof of concept: ----------------- 1) Authentication Bypass Use a browser which has JavaScript disabled ("Authentication" checks are performed client-side) and open legitimate URLs directly. Examples: http://<hostname>/start.asp http://<hostname>/pwliste.asp http://<hostname>/goform/webforms_readmem?start_addr=0&length=100 2) Reflected Cross-Site Scripting All parameters in "webforms_ping" are vulnerable to reflected XSS: http://<hostname>/goform/webforms_ping?ip_address=1.1.1.com%3Cscript%3Ealert(%27XSS%20proof-of-concept%27)%3C/script%3E1&length_data=32&count_pings=4&timeout=1 3) Outdated Webserver The used version of "GoAhead" webserver is 2.1.7 (released in Oct. 2003) This version has known vulnerabilities: http://aluigi.altervista.org/adv/goahead-adv3.txt https://web.archive.org/web/20080314153252/http:/data.goahead.com:80/Software/Webserver/2.1.8/release.htm#bug-with-urls-like-asp Vulnerable / tested versions: ----------------------------- SM-2556 COM Modules with the firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00 (FW 1549 Revision 07) Vendor contact timeline: ------------------------ 2017-09-25: Encrypted advisory sent to Siemens ProductCERT 2017-10-02: Requesting status update. 2017-10-09: Vendor states that the "affected device is out of service" and provides workaround (disable webserver). They are "still assessing the next steps". 2017-11-02: Requesting status update. 2017-11-06: Siemens ProductCERT will reach out to development team and keep us posted. 2017-11-08: Siemens ProductCERT prepares advisory. 2017-11-08: Asking about planned release date. 2017-11-13: Siemens ProductCERT provides planned release date (2017-11-14) 2017-11-14: Coordinated public release. Solution: --------- No firmware update is available as the device is no longer supported by the vendor. Workaround: ----------- According to the vendor the webserver can be disabled to mitigate all the vulnerabilities documented in this advisory. The webserver is optional and only used for commissioning and debugging purposes. The vendor published the following document for further information: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-164516.pdf Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Twitter: https://twitter.com/sec_consult EOF SEC Consult Vulnerability Lab / @2017