VARIoT IoT vulnerabilities database

Huawei APP HiWallet earlier than 5.0.3.100 versions do not support signature verification for APK file. An attacker could exploit this vulnerability to hijack the APK and upload modified APK file. Successful exploit could lead to the APP is hijacking. Huawei application HiWallet Contains a vulnerability in the verification of digital signatures.Information may be tampered with. Huawei's partial APP lacks a signature authentication vulnerability. Huawei HiWallet is a money management (Huawei Wallet) app for mobile phones from the Chinese company Huawei (Huawei). There is a security vulnerability in Huawei HiWallet versions earlier than 5.0.3.100

HikVision Wi-Fi IP cameras, when used in a wired configuration, allow physically proximate attackers to trigger association with an arbitrary access point by leveraging a default SSID with no WiFi encryption or authentication. NOTE: Vendor states that this is not a vulnerability, but more an increase to the attack surface of the product. HikVision Wi-Fi IP Cameras have vulnerabilities related to authorization, permissions, and access control.Information may be tampered with. An attacker who is physically close can use this vulnerability to associate with any access point

Certain D-Link products are affected by: Buffer Overflow. This affects DIR-880L 1.08B04 and DIR-895 L/R 1.13b03. The impact is: execute arbitrary code (remote). The component is: htdocs/fileaccess.cgi. The attack vector is: A crafted HTTP request handled by fileacces.cgi could allow an attacker to mount a ROP attack: if the HTTP header field CONTENT_TYPE starts with ''boundary=' followed by more than 256 characters, a buffer overflow would be triggered, potentially causing code execution. plural D-Link The product contains a classic buffer overflow vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. D-Link DIR-880L is a wireless AC1900 dual-band Gigabit cloud router. D-Link DIR-895 L / R is an AC5300 Wi-Fi tri-band router. A buffer overflow vulnerability exists in the htdocs / fileaccess.cgi component in D-Link DIR-880L 1.08B04 and DIR-895 L / R 1.13b03. An attacker could use this vulnerability to execute arbitrary code through a specially crafted HTTP request

honor 8 Pro with software Duke-L09C10B120 and earlier versions,Duke-L09C432B120 and earlier versions,Duke-L09C636B120 and earlier versions has an integer overflow vulnerability. The attacker sends a response message to the device, which contains an illegal length field, it could produce an integer overflow and restart the modem system. Huaweihonor8Pro is a smartphone from China's Huawei company. There is an integer overflow vulnerability in Huaweihonor8Pro

The boot loaders of P10 and P10 Plus Huawei mobile phones with software the versions before Victoria-L09AC605B162, the versions before Victoria-L29AC605B162, the versions before Vicky-L29AC605B162 have an arbitrary memory write vulnerability due to the lack of parameter validation. An attacker with the root privilege of an Android system may trick a user into installing a malicious APP. The APP can modify specific data to cause arbitrary memory writing in the next system reboot, causing continuous system reboot or arbitrary code execution. Huawei P10 and P10 Plus Smartphone software contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. HuaweiP10 and P10Plus are both Huawei's smartphone products. The HuaweiP10 and P10Plus bootloaders have written arbitrary memory leaks due to lack of parameter checking. The Huawei P10 and P10 Plus are both smartphones from the Chinese company Huawei. Bootloader is one of the system startup programs. The bootloader in Huawei P10 and P10 Plus has a security vulnerability, which is caused by the program not checking parameters adequately. The following products and versions are affected: Huawei P10 Victoria-L09AC605B162 earlier, Victoria-L29AC605B162 earlier; P10 Plus Vicky-L29AC605B162 earlier

Lack of Transport Encryption in the public API in Philips Hue Bridge BSB002 SW 1707040932 allows remote attackers to read API keys (and consequently bypass the pushlink protection mechanism, and obtain complete control of the connected accessories) by leveraging the ability to sniff HTTP traffic on the local intranet network. Philips Hue Bridge BSB002 The switch contains a cryptographic strength vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Philips Hue Bridge BSB002 is a smart home lighting system from Philips, Netherlands. The public API is one of the public interfaces. The public API in the Philips Hue Bridge BSB002 using the 1707040932 firmware has a security vulnerability. The vulnerable program failed to encrypt the transmission

The boot loaders of P10 and P10 Plus Huawei mobile phones with software the versions before Victoria-L09AC605B162, the versions before Victoria-L29AC605B162, the versions before Vicky-L29AC605B162 have an out-of-bounds memory access vulnerability due to the lack of parameter validation. An attacker with the root privilege of an Android system may trick a user into installing a malicious APP. the APP can modify specific data to cause buffer overflow in the next system reboot, causing out-of-bounds memory read which can continuous system reboot. Huawei P10 and P10 Plus Smartphone software contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. HuaweiP10 and P10Plus are both Huawei's smartphone products. There are memory access violations in the Bootloader of HuaweiP10 and P10Plus due to lack of parameter checking

In Snapdragon Automobile, Snapdragon IoT and Snapdragon Mobile MDM9206 MDM9607, MDM9650, S820A, S820Am, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 820, SD 835, and SD 845, a buffer overread is possible if there are no newlines in an input file. plural Qualcomm Snapdragon The product contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Google Android is prone to multiple unspecified security vulnerabilities. Little is known about these issues or its effects at this time. We will update this BID as more information emerges. Qualcomm MDM9650 and others are products of Qualcomm (Qualcomm). MDM9650 is a central processing unit (CPU) product. SD 425 is a central processing unit (CPU) product. SD 430 is a central processing unit (CPU) product. SD 625 is a central processing unit (CPU) product. And so on are the best products. A buffer error vulnerability exists in several Qualcomm products. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc

In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mobile, Snapdragon Automobile APQ8096AU, MDM9206, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 625, SD 650/52, SD 820, SD 835, it is possible for the XBL loader to skip the authentication of device config. plural Qualcomm Run on product Android Contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Google Android is prone to multiple unspecified security vulnerabilities. Little is known about these issues or its effects at this time. We will update this BID as more information emerges. These issues are being tracked by Android Bug IDs A-62212946, A-32584150, A-62212739, A-62212298, A-62212632, A-65944893 and A-66913721. Android is a Linux-based open source operating system jointly developed by Google and the Open Handheld Alliance (OHA). Qualcomm closed-source components is one of the closed-source components developed by Qualcomm (Qualcomm). A security vulnerability exists in Qualcomm closed-source components in Android versions prior to 2018-01-05. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements

In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mobile MDM9206, SD 625, SD 650/52, SD 835, SD 845, DDR address input validation is being improperly truncated. plural Qualcomm Run on product Android Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Google Android is prone to multiple unspecified security vulnerabilities. Little is known about these issues or its effects at this time. We will update this BID as more information emerges. These issues are being tracked by Android Bug IDs A-62212946, A-32584150, A-62212739, A-62212298, A-62212632, A-65944893 and A-66913721. Android is a Linux-based open source operating system developed by Google and the Open Handheld Alliance (OHA). An input validation error vulnerability exists in Android versions prior to 2018-01-05. The vulnerability stems from the failure of the network system or product to properly validate the input data. The following products and versions are affected: Qualcomm MDM9206; SD 625; SD 650/52; SD 835; SD 845

In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mobile [VERSION]: MDM9206, MDM9607, MDM9650, MSM8909W, SD 200, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 835, the attributes of buffers in Secure Display were not marked properly. plural Qualcomm Run on product Android Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Google Android is prone to multiple unspecified security vulnerabilities. Little is known about these issues or its effects at this time. We will update this BID as more information emerges. These issues are being tracked by Android Bug IDs A-62212946, A-32584150, A-62212739, A-62212298, A-62212632, A-65944893 and A-66913721. Android is a Linux-based open source operating system developed by Google and the Open Handheld Alliance (OHA). There is a buffer error vulnerability in Android versions before 2018-01-05. The vulnerability stems from the fact that the program does not correctly mark the buffer attribute in Secure Display. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements

In Android before 2018-01-05 on Qualcomm Snapdragon Mobile SD 625, SD 650/52, SD 835, accessing SPCOM functions with a compromised client structure can result in a Use After Free condition. plural Qualcomm Run on product Android Contains a vulnerability in the use of freed memory.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Google Android is prone to multiple unspecified security vulnerabilities. Little is known about these issues or its effects at this time. We will update this BID as more information emerges. These issues are being tracked by Android Bug IDs A-62212946, A-32584150, A-62212739, A-62212298, A-62212632, A-65944893 and A-66913721. Android is a Linux-based open source operating system developed by Google and the Open Handheld Alliance (OHA). A resource management error vulnerability exists in Android versions prior to 2018-01-05. This vulnerability stems from improper management of system resources (such as memory, disk space, files, etc.) by network systems or products. The following products and versions are affected: Qualcomm SD 625; SD 650/52; SD 835

Intelbras WRN 150 devices allow remote attackers to read the configuration file, and consequently bypass authentication, via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg containing an admin:language=pt cookie. Intelbras WRN 150 The device contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. IntelbrasWRN150devices is a wireless router from Brazil's Intelbras. A security hole exists in the IntelbrasWRN150 device

Red Lion HMI panels allow remote attackers to cause a denial of service (software exception) via an HTTP POST request to a long URI that does not exist, as demonstrated by version HMI 2.41 PLC 2.42. Red Lion HMI The panel contains an error handling vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Red Lion HMI panels HMI is the United States Red Lion Controls One of the company's human-machine interface products for industrial control. PLC It is a programmable logic controller. Red Lion HMI panels HMI 2.41 in version PLC 2.42 version has a security vulnerability

After initial configuration, the Ruggedcom Discovery Protocol (RCDP) is still able to write to the device under certain conditions. This could allow an attacker located in the adjacent network of the targeted device to perform unauthorized administrative actions. plural Siemens The product contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Siemens RuggedCom ROS is a ROX-based device for connecting devices in harsh environments, such as substations, traffic management chassis, etc. The SCALANCE XB-200 is an industrial Ethernet switch. Siemens Ruggedcom ROS and SCALANCE are not authorized to exploit the vulnerability. Multiple Siemens Products are prone to a remote security bypass vulnerability. Following products and versions are vulnerable: RUGGEDCOM ROS prior to 5.0.1 for RSL910 devices. RUGGEDCOM ROS prior to 4.3.4 for all other devices. SCALANCE XB-200/XC-200/XP-200/XR300-WG 3.0 and later. SCALANCE XR-500/XM-400 6.1 and later

An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. tvOS before 10.2.2 is affected. The issue involves the "Wi-Fi" component. It allows attackers to cause a denial of service (memory corruption on the Wi-Fi chip) by leveraging proximity for 802.11. in the United States. Apple iOS is an operating system developed for mobile devices. tvOS is a smart TV operating system. Wi-Fi is one of the wireless Internet access components. A security vulnerability exists in the Wi-Fi component in Apple iOS versions prior to 10.3.3 and tvOS versions prior to 10.2.2. Broadcom: Denial of service and OOB read in TCP KeepAlive Offloading CVE-2017-7066 Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. In order to reduce overhead on the host, some Broadcom Wi-Fi chips support TCP ACK Offloading. When this feature is enabled, the firmware keeps a list of active TCP connections, including the 4-tuple, the SEQ/ACK numbers, etc. Before performing the offloading operation, incoming TCP packets are verified to ensure they are valid. During this verification process, the incoming packets' checksums are calculated. For IPv4 packets, the IPv4 header checksum and TCP/IPv4 checksum are calculated and compared to the checksums in the incoming packet. On the BCM4355C0 SoC with firmware version 9.44.78.27.0.1.56, the offloading verification is performed in RAM function 0x1800C8. Here is a snippet of the approximate high-level logic for this function: int function_1800C8(void* ctx, void* packet) { char* packet_data = *((char**)(packet + 8)); unsigned short packet_length = *((unsigned short*)(packet + 12)); char* packet_end = packet_data + packet_length; //Getting the ethertype. If there's a SNAP header, get the ethertype from SNAP. //Is this IPv4? if (ethertype == 0x800) { unsigned ip_header_length = (ip_header[0] & 0xF) * 4; //IHL * 4 char* tcp_header = ip_header + ip_header_length; if (tcp_header > packet_end) return 0; //Make sure this is TCP if (ip_header[9] != 6) //IPv4->Protocol == TCP return 0; //Making sure the IP total length is valid unsigned short ip_total_length = (ip_header[2] << 8) | ip_header[3]; unsigned tcp_length = ip_total_length - ip_header_length; if (tcp_header + tcp_length > packet_end) return 0; //Verify IPv4 checksum unsigned short ipv4_checksum = *((unsigned short*)(ip_header+10)); if (ipv4_checksum != do_ipv4_checksum(ip_header, ip_header_length)) return 0; //Verify TCP/IPv4 checksum unsigned short tcp_checksum = *((unsigned short*)(tcp_header+16)); if (tcp_checksum != do_tcp_ipv4_checksum(ip_header, tcp_header, tcp_length)) return 0; ... } ... } unsigned short do_ipv4_checksum(char* ip, unsigned len) { ... return internal_calculate_ipv4_checksum(..., ip + 12, len - 12); } unsigned short do_tcp_ipv4_checksum(char* ip, char* tcp, unsigned len) { ... return internal_calculate_tcp_ipv4_checksum(..., ip + 18, len - 18); } As can be seen above, there are a few missing length verifications in the snippet above: 1. The IHL field in the IPv4 header is not verified against in minimal allowed value (5). This means an attacker can provide an intentionally small value, such as zero. Doing so will cause the following accesses to be performed OOB (such as checking the IP header's protocol field, calculating the IPv4 checksum, etc). 2. The IP total length field is also not verified. An attacker can choose the total length field such that ip_total_length == ip_header_length. By doing so, tcp_length will contain the value zero. However, as the unsigned value (tcp_length - 12) is used as the length field in the internal TCP/IPv4 checksum calculation, this will cause the internal checksum calculation loop (RAM function 0x16DBF6) to receive a very large length field - causing an data abort due to an illegal access which will therefore crash the firmware. The bug can be addressed by validating that the IHL is not smaller than the minimal allowed value (5), and by ensuring that the IP total length field is large enough to contain the IPv4 and TCP headers. This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: laginimaineb

The Bastet Driver of Nova 2 Plus,Nova 2 Huawei smart phones with software of Versions earlier than BAC-AL00C00B173,Versions earlier than PIC-AL00C00B173 has a use after free (UAF) vulnerability. An attacker can convince a user to install a malicious application which has a high privilege to exploit this vulnerability, Successful exploitation may cause arbitrary code execution. Huawei Nova 2 Plus and Nova 2 Smartphone software contains a vulnerability related to the use of freed memory.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both Nova2 and Nova2Plus are smartphone devices from China's Huawei company. The UseAfterFree (UAF) security vulnerability exists in the Bastet driver of HuaweiNova2 and Nova2Plus. Huawei Smart Phones are prone to a remote code-execution vulnerability. Failed exploit attempts will likely cause a denial-of-service condition

A vulnerability in the Virtual Private LAN Service (VPLS) code of Cisco IOS 15.0 through 15.4 for Cisco Catalyst 6800 Series Switches could allow an unauthenticated, adjacent attacker to cause a C6800-16P10G or C6800-16P10G-XL type line card to crash, resulting in a denial of service (DoS) condition. The vulnerability is due to a memory management issue in the affected software. An attacker could exploit this vulnerability by creating a large number of VPLS-generated MAC entries in the MAC address table of an affected device. A successful exploit could allow the attacker to cause a C6800-16P10G or C6800-16P10G-XL type line card to crash, resulting in a DoS condition. This vulnerability affects Cisco Catalyst 6800 Series Switches that are running a vulnerable release of Cisco IOS Software and have a Cisco C6800-16P10G or C6800-16P10G-XL line card in use with Supervisor Engine 6T. To be vulnerable, the device must also be configured with VPLS and the C6800-16P10G or C6800-16P10G-XL line card needs to be the core-facing MPLS interfaces. Cisco Bug IDs: CSCva61927. Cisco IOS Contains a resource management vulnerability. Vendors have confirmed this vulnerability Bug ID CSCva61927 It is released as.Service operation interruption (DoS) There is a possibility of being put into a state. IOS is one of the operating systems for network devices

A vulnerability in motherboard console ports of line cards for Cisco ASR 1000 Series Aggregation Services Routers and Cisco cBR-8 Converged Broadband Routers could allow an unauthenticated, physical attacker to access an affected device's operating system. The vulnerability exists because an engineering console port is available on the motherboard of the affected line cards. An attacker could exploit this vulnerability by physically connecting to the console port on the line card. A successful exploit could allow the attacker to gain full access to the affected device's operating system. This vulnerability affects only Cisco ASR 1000 Series Routers that have removable line cards and Cisco cBR-8 Converged Broadband Routers, if they are running certain Cisco IOS XE 3.16 through 16.5 releases. Cisco Bug IDs: CSCvc65866, CSCve77132. Cisco IOS XE Contains vulnerabilities related to authorization, permissions, and access control. Vendors have confirmed this vulnerability Bug ID CSCvc65866 and CSCve77132 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Cisco ASR1000 is a system router provided by Cisco. Multiple Cisco Products are prone to an local unauthorized-access vulnerability. This may aid in further attacks. IOS XE is a dedicated operating system for a set of network devices used in it

Mojoomla SMSmaster Multipurpose SMS Gateway for WordPress allows SQL Injection via the id parameter. WordPress is a set of blogging platform developed by WordPress Software Foundation using PHP language, which supports setting up personal blogging websites on PHP and MySQL servers. Mojoomla SMSmaster Multipurpose SMS Gateway is one of the multipurpose SMS gateways. A remote attacker can exploit this vulnerability to inject arbitrary SQL commands by using the 'id' parameter