VARIoT IoT vulnerabilities database

XML parser in Huawei S12700 V200R005C00,S1700 V200R009C00, V200R010C00,S3700 V100R006C03, V100R006C05,S5700 V200R001C00, V200R002C00, V200R003C00, V200R003C02, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00,S6700 V200R001C00, V200R002C00, V200R003C00, V200R005C00, V200R005C02, V200R008C00, V200R009C00, V200R010C00,S7700 V200R001C00, V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00,S9700 V200R001C00, V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00,eCNS210_TD V100R004C10, V100R004C10SPC003, V100R004C10SPC100, V100R004C10SPC101, V100R004C10SPC102, V100R004C10SPC200, V100R004C10SPC221, V100R004C10SPC400 has a DOS vulnerability. An attacker may craft specific XML files to the affected products. Due to not check the specially XML file and to parse this file, successful exploit will result in DOS attacks. plural Huawei The product contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. HuaweiS12700 is an enterprise-class switch product from China's Huawei company. XMLparser is one of the XML parsers. The vulnerability stems from the failure of the network system or product to properly validate the input data

Credentials for Zivif PR115-204-P-RS V2.3.4.2103 Webcams can be obtained by an unauthenticated remote attacker using a standard web /cgi-bin/hi3510/param.cgi?cmd=getuser HTTP request. This vulnerability exists because of a lack of authentication checks in requests to CGI pages. Zivif Web The camera contains a vulnerability related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The ZivifPR115-204-P-RS is a network camera device. Attack vector: Remote Authentication: None Researcher: Silas Cutler `p1nk` <silas.cutler@blacklistthisdomain.com> Release date: December 10, 2017 Full Disclosure: 90 days CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 Vulnerable Device: Zivif PR115-204-P-RS Version: V2.3.4.2103 Timeline: 1 September 2017: Initial alerting to Zivif 1 September 2017: Zivif contact established. 3 September 2017: Details provided. 7 September 2017: Confirmation of vulnerabilities from Zivif 5 December 2017: Public note on Social Media CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 would be included in HackerStrip comic. 10 December 2017: This email -[Overview]- Implementation of access controls is Zivif cameras is severely lacking. This was first identified with the following request (CVE-2017-17106) http://<Camera Address>/web/cgi-bin/hi3510/param.cgi?cmd=getuser Cameras respond to this with: var name0="admin"; var password0="admin"; var authLevel0="255"; var name1="guest"; var password1="guest"; var authLevel1="3"; var name2="admin2"; var password2="admin"; var authLevel2="3"; var name3=""; var password3=""; var authLevel3="3"; var name4=""; var password4=""; var authLevel4="3"; var name5=""; var password5=""; var authLevel5="3"; var name6=""; var password6=""; var authLevel6="3"; var name7=""; var password7=""; var authLevel7="3"; var name8=""; var password8=""; var authLevel8="0"; var name9=""; var password9=""; var authLevel9="0 Credentials are returned in cleartext to the requester. In exploring, unauthenticated remote command injection is possible using (CVE-2017-17105) http://<Camera IP>/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time="1504225666237"&-url=$(reboot) Command results are not returned, however are executed by the system. One last findings was the /etc/passwd file contains the following hard-coded entry (CVE-2017-17107): root:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh The encrypted password is cat1029. (none) login: root Password: Login incorrect (none) login: root Password: Welcome to SONIX. \u@\h:\W$ Because of the way the file system is structured, changing this password requires more work then running passwd. -[Note]- The hi3510 is shared with a couple other cameras I'm exploring. The motd saying /Welcome to SONIX/ has lead me to speculate parts of this firmware may be shared with other cameras. -Silas

An issue was discovered in Apexis APM-H803-MPC software, as used with many different models of IP Camera. An unprotected CGI method inside the web application permits an unauthenticated user to bypass the login screen and access the webcam contents including: live video stream, configuration files with all the passwords, system information, and much more. With this vulnerability, anyone can access to a vulnerable webcam with 'super admin' privilege. Apexis APM-H803-MPC The software contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Apexis APM-H803-MPC is an infrared network camera product of China Fuhong (Apexis) Electronics Company. Apexis APM-H803-MPC with firmware version 1.1.2.69 has a privilege escalation vulnerability

Huawei DP300 V500R002C00, NIP6600 V500R001C00, V500R001C20, V500R001C30, Secospace USG6500 V500R001C00, V500R001C20, V500R001C30, TE60 V100R001C01, V100R001C10, V100R003C00, V500R002C00, V600R006C00, TP3106 V100R001C06, V100R002C00, VP9660 V200R001C02, V200R001C30, V500R002C00, V500R002C10, ViewPoint 8660 V100R008C03, ViewPoint 9030 V100R011C02, V100R011C03, eCNS210_TD V100R004C10, eSpace U1981 V200R003C30 have a DoS vulnerability caused by memory exhaustion in some Huawei products. For lacking of adequate input validation, attackers can craft and send some malformed messages to the target device to exhaust the memory of the device and cause a Denial of Service (DoS). plural Huawei The product is vulnerable to resource exhaustion.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300 and other products are products of China Huawei (Huawei). The DP300 is a video conferencing terminal. The eSpace7950 is a smart IP video phone product from China's Huawei company. A denial of service vulnerability exists in several Huawei products due to insufficient program validation of the input. An attacker could exploit the vulnerability to cause a denial of service (out of memory). The following products and versions are affected: Huawei NIP6600 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version; DP300 V500R002C00 Version; Secospace USG6500 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version; TE60 V100R001C01 Version, V100R001C10 Version, V100R003C00 Version, V500R002C00 Version, V600R006C00 Version; TP3106 V100R001C06 Version, V100R002C00 Version; VP9660 V200R001C02 Version, V200R001C30 Version, V500R002C00 Version, V500R002C10 Version; ViewPoint 8660 V100R008C03 Version; ViewPoint 9030 V100R011C02 Version, V100R011C03 Version; eCNS210_TD V100R004C10 Version; eSpace U1981 V200R003C30 Version

The SIP module in Huawei DP300 V500R002C00, IPS Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, NGFW Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R002C00, V500R002C10, NIP6300 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6600 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6800 V500R001C50, RP200 V500R002C00, V600R006C00, SVN5600 V200R003C00, V200R003C10, SVN5800 V200R003C00, V200R003C10, SVN5800-C V200R003C00, V200R003C10, SeMG9811 V300R001C01, Secospace USG6300 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6500 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6600 V100R001C00, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, TE30 V100R001C02, V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C01, V100R001C10, V500R002C00, V600R006C00, USG9500 V500R001C00, V500R001C20, V500R001C30, USG9520 V300R001C01, V300R001C20, USG9560 V300R001C01, V300R001C20, USG9580 V300R001C01, V300R001C20, VP9660 V200R001C02, V200R001C30, V500R002C00, V500R002C10, ViewPoint 8660 V100R008C03, ViewPoint 9030 V100R011C02, V100R011C03, eSpace U1981 V100R001C20, V200R003C00, V200R003C20, V200R003C30 has a buffer overflow vulnerability. An attacker would have to find a way to craft specific messages to the affected products. Due to the insufficient validation for SIP messages, successful exploit may cause services abnormal. plural Huawei The product contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300 and other products are all products of China Huawei. HuaweiDP300 is a video conferencing terminal device. IPSModule is an intrusion prevention module. SIPbackup is one of the SIP backup modules. The vulnerability is caused by the program failing to fully verify some of the values in the SIP message. An attacker could exploit the vulnerability by tampering with a message sent to the device to cause a service exception. The vulnerability is caused by the program's insufficient verification of some packets. The following products and versions are affected: Huawei DP300 Version; IPS Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NGFW Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R002C00 Version, V500R002C10 Version; NIP6300 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6600 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6800 V500R001C50 Version; RP200 V500R002C00 Version, V600R006C00 Version; SVN5600 wait

The SIP module in Huawei DP300 V500R002C00, IPS Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, NGFW Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R002C00, V500R002C10, NIP6300 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6600 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6800 V500R001C50, RP200 V500R002C00, V600R006C00, SVN5600 V200R003C00, V200R003C10, SVN5800 V200R003C00, V200R003C10, SVN5800-C V200R003C00, V200R003C10, SeMG9811 V300R001C01, Secospace USG6300 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6500 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6600 V100R001C00, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, TE30 V100R001C02, V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C01, V100R001C10, V500R002C00, V600R006C00, USG9500 V500R001C00, V500R001C20, V500R001C30, USG9520 V300R001C01, V300R001C20, USG9560 V300R001C01, V300R001C20, USG9580 V300R001C01, V300R001C20, VP9660 V200R001C02, V200R001C30, V500R002C00, V500R002C10, ViewPoint 8660 V100R008C03, ViewPoint 9030 V100R011C02, V100R011C03, eSpace U1981 V100R001C20, V200R003C00, V200R003C20, V200R003C30 has a buffer overflow vulnerability. An attacker would have to find a way to craft specific messages to the affected products. Due to the insufficient validation for SIP messages, successful exploit may cause services abnormal. plural Huawei The product contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300 and other products are all products of China Huawei. HuaweiDP300 is a video conferencing terminal device. IPSModule is an intrusion prevention module. SIPbackup is one of the SIP backup modules. The vulnerability is caused by the program failing to fully verify some of the values in the SIP message. An attacker could exploit the vulnerability by tampering with a message sent to the device to cause a service exception. The vulnerability is caused by the program's insufficient verification of some packets. The following products and versions are affected: Huawei DP300 Version; IPS Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NGFW Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R002C00 Version, V500R002C10 Version; NIP6300 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6600 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6800 V500R001C50 Version; RP200 V500R002C00 Version, V600R006C00 Version; SVN5600 wait

The SIP backup feature in Huawei DP300 V500R002C00, IPS Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, NGFW Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R002C00, V500R002C10, NIP6300 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6600 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6800 V500R001C50, RP200 V500R002C00, V600R006C00, SVN5600 V200R003C00, V200R003C10, SVN5800 V200R003C00, V200R003C10, SVN5800-C V200R003C00, V200R003C10, SeMG9811 V300R001C01, Secospace USG6300 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6500 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6600 V100R001C00, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, TE30 V100R001C02, V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C01, V100R001C10, V500R002C00, V600R006C00, USG9500 V500R001C00, V500R001C20, V500R001C30, USG9520 V300R001C01, V300R001C20, USG9560 V300R001C01, V300R001C20, USG9580 V300R001C01, V300R001C20, VP9660 V200R001C02, V200R001C30, V500R002C00, V500R002C10, ViewPoint 8660 V100R008C03, ViewPoint 9030 V100R011C02, V100R011C03, eSpace U1981 V100R001C20, V200R003C00, V200R003C20, V200R003C30 has a buffer overflow vulnerability. An attacker may send specially crafted messages to the affected products. Due to the insufficient validation of some values for SIP messages, successful exploit may cause services abnormal. plural Huawei The product contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300 and other products are all products of China Huawei. HuaweiDP300 is a video conferencing terminal device. IPSModule is an intrusion prevention module. SIPbackup is one of the SIP backup modules. The following products and versions are affected: Huawei DP300 Version; IPS Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NGFW Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R002C00 Version, V500R002C10 Version; NIP6300 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6600 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6800 V500R001C50 Version; RP200 V500R002C00 Version, V600R006C00 Version; SVN5600 wait

The SIP module in Huawei DP300 V500R002C00, IPS Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, NGFW Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R002C00, V500R002C10, NIP6300 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6600 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6800 V500R001C50, RP200 V500R002C00, V600R006C00, SVN5600 V200R003C00, V200R003C10, SVN5800 V200R003C00, V200R003C10, SVN5800-C V200R003C00, V200R003C10, SeMG9811 V300R001C01, Secospace USG6300 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6500 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6600 V100R001C00, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, TE30 V100R001C02, V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C01, V100R001C10, V500R002C00, V600R006C00, USG9500 V500R001C00, V500R001C20, V500R001C30, USG9520 V300R001C01, V300R001C20, USG9560 V300R001C01, V300R001C20, USG9580 V300R001C01, V300R001C20, VP9660 V200R001C02, V200R001C30, V500R002C00, V500R002C10, ViewPoint 8660 V100R008C03, ViewPoint 9030 V100R011C02, V100R011C03, eSpace U1981 V100R001C20, V200R003C00, V200R003C20, V200R003C30 has a buffer overflow vulnerability. An attacker would have to find a way to craft specific messages to the affected products. Due to the insufficient validation for SIP messages, successful exploit may cause services abnormal. plural Huawei The product contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300 and other products are all products of China Huawei. HuaweiDP300 is a video conferencing terminal device. IPSModule is an intrusion prevention module. SIPbackup is one of the SIP backup modules. The vulnerability is caused by the program failing to fully verify some of the values in the SIP message. An attacker could exploit the vulnerability by tampering with a message sent to the device to cause a service exception. The vulnerability is caused by the program's insufficient verification of some packets. The following products and versions are affected: Huawei DP300 Version; IPS Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NGFW Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R002C00 Version, V500R002C10 Version; NIP6300 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6600 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6800 V500R001C50 Version; RP200 V500R002C00 Version, V600R006C00 Version; SVN5600 wait

The SIP backup feature in Huawei DP300 V500R002C00, IPS Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, NGFW Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R002C00, V500R002C10, NIP6300 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6600 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6800 V500R001C50, RP200 V500R002C00, V600R006C00, SVN5600 V200R003C00, V200R003C10, SVN5800 V200R003C00, V200R003C10, SVN5800-C V200R003C00, V200R003C10, SeMG9811 V300R001C01, Secospace USG6300 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6500 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6600 V100R001C00, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, TE30 V100R001C02, V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C01, V100R001C10, V500R002C00, V600R006C00, USG9500 V500R001C00, V500R001C20, V500R001C30, USG9520 V300R001C01, V300R001C20, USG9560 V300R001C01, V300R001C20, USG9580 V300R001C01, V300R001C20, VP9660 V200R001C02, V200R001C30, V500R002C00, V500R002C10, ViewPoint 8660 V100R008C03, ViewPoint 9030 V100R011C02, V100R011C03, eSpace U1981 V100R001C20, V200R003C00, V200R003C20, V200R003C30 has a buffer overflow vulnerability. An attacker may send specially crafted messages to the affected products. Due to the insufficient validation of some values for SIP messages, successful exploit may cause services abnormal. plural Huawei The product contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300 and other products are all products of China Huawei. HuaweiDP300 is a video conferencing terminal device. IPSModule is an intrusion prevention module. SIPbackup is one of the SIP backup modules. The following products and versions are affected: Huawei DP300 Version; IPS Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NGFW Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R002C00 Version, V500R002C10 Version; NIP6300 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6600 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6800 V500R001C50 Version; RP200 V500R002C00 Version, V600R006C00 Version; SVN5600 wait

The SIP backup feature in Huawei DP300 V500R002C00, IPS Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, NGFW Module V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R002C00, V500R002C10, NIP6300 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6600 V500R001C00, V500R001C20, V500R001C30, V500R001C50, NIP6800 V500R001C50, RP200 V500R002C00, V600R006C00, SVN5600 V200R003C00, V200R003C10, SVN5800 V200R003C00, V200R003C10, SVN5800-C V200R003C00, V200R003C10, SeMG9811 V300R001C01, Secospace USG6300 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6500 V100R001C10, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, Secospace USG6600 V100R001C00, V100R001C20, V100R001C30, V500R001C00, V500R001C20, V500R001C30, V500R001C50, TE30 V100R001C02, V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C01, V100R001C10, V500R002C00, V600R006C00, USG9500 V500R001C00, V500R001C20, V500R001C30, USG9520 V300R001C01, V300R001C20, USG9560 V300R001C01, V300R001C20, USG9580 V300R001C01, V300R001C20, VP9660 V200R001C02, V200R001C30, V500R002C00, V500R002C10, ViewPoint 8660 V100R008C03, ViewPoint 9030 V100R011C02, V100R011C03, eSpace U1981 V100R001C20, V200R003C00, V200R003C20, V200R003C30 has a buffer overflow vulnerability. An attacker may send specially crafted messages to the affected products. Due to the insufficient validation of some values for SIP messages, successful exploit may cause services abnormal. plural Huawei The product contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300 and other products are all products of China Huawei. HuaweiDP300 is a video conferencing terminal device. IPSModule is an intrusion prevention module. SIPbackup is one of the SIP backup modules. The following products and versions are affected: Huawei DP300 Version; IPS Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NGFW Module V100R001C10 Version, V100R001C20 Version, V100R001C30 Version, V500R001C00 Version, V500R001C20 Version, V500R002C00 Version, V500R002C10 Version; NIP6300 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6600 V500R001C00 Version, V500R001C20 Version, V500R001C30 Version, V500R001C50 Version; NIP6800 V500R001C50 Version; RP200 V500R002C00 Version, V600R006C00 Version; SVN5600 wait

XML parser in Huawei S12700 V200R005C00,S1700 V200R009C00, V200R010C00,S3700 V100R006C03, V100R006C05,S5700 V200R001C00, V200R002C00, V200R003C00, V200R003C02, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00,S6700 V200R001C00, V200R002C00, V200R003C00, V200R005C00, V200R005C02, V200R008C00, V200R009C00, V200R010C00,S7700 V200R001C00, V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00,S9700 V200R001C00, V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00,eCNS210_TD V100R004C10, V100R004C10SPC003, V100R004C10SPC100, V100R004C10SPC101, V100R004C10SPC102, V100R004C10SPC200, V100R004C10SPC221, V100R004C10SPC400 has a DOS vulnerability. An attacker may craft specific XML files to the affected products. Due to not check the specially XML file and to parse this file, successful exploit will result in DOS attacks. plural Huawei The product contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. HuaweiS12700 is an enterprise-class switch product from China's Huawei company. XMLparser is one of the XML parsers. The vulnerability stems from the failure of the network system or product to properly validate the input data. The following products and versions are affected: Huawei S12700 V200R005C00 Version; S1700 V200R009C00 Version, V200R010C00 Version; S2300 V100R006C03 Version, V100R006C05 Version, V200R003C00 Version, V200R005C00 Version, V200R006C00 Version, V200R007C00 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S3300 V100R006C03 Version , V100R006C05 version; S3700 V100R006C03 version, V100R006C05 version; S5300, etc

XML parser in Huawei DP300 V500R002C00; RP200 V500R002C00SPC200; V600R006C00; TE30 V100R001C10; V500R002C00; V600R006C00; TE40 V500R002C00; V600R006C00; TE50 V500R002C00; V600R006C00; TE60 V100R001C10; V500R002C00; V600R006C00 has a DoS vulnerability. Due to not check the specially XML file enough an authenticated local attacker may craft specific XML files to the affected products and parse this file which cause to null pointer accessing and result in DoS attacks. plural Huawei The product contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300 and RP200 are Huawei's integrated desktop telepresence products for high-end customers. The TE series is a high-definition video conferencing terminal that supports 1080p60. A number of Huawei product XML parsers have a denial of service vulnerability due to insufficient validation of the XML file by the affected product. The Huawei DP300 and others are all products of China's Huawei (Huawei). RP200 is a video conferencing all-in-one device. The following products and versions are affected: Huawei DP300 V500R002C00 Version; RP200 V500R002C00SPC200 Version, V600R006C00 Version; TE30 V100R001C10 Version, V500R002C00 Version, V600R006C00 Version; TE40 V500R002C00 Version, V600R006C00 Version; TE50 V500R002C00 Version, V600R006C00 Version; TE60 V100R001C10 Version, V500R002C00 Version, Version V600R006C00

Huawei VP9660 V500R002C10 has a null pointer reference vulnerability in license module due to insufficient verification. An authenticated local attacker could place a malicious license file into system which cause memory null pointer accessing and related processing crash. The attacker can exploit this vulnerability to cause a denial of service. HuaweiVP9660 is a new generation of multimedia switching platform with Huawei 1080p60 full-coded and super-processing capabilities, which is based on customer demand and combined with network equipment manufacturing advantages. Huawei VP9660 is a new-generation video conferencing terminal product of China Huawei (Huawei). The license module is one of the license management modules

Huawei VP9660 V500R002C10 has a uncontrolled format string vulnerability when the license module output the log information. An authenticated local attacker could exploit this vulnerability to cause a denial of service. Huawei VP9660 Contains a format string vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. HuaweiVP9660 is a new generation of multimedia switching platform with Huawei 1080p60 full-coded and super-processing capabilities, which is based on customer demand and combined with network equipment manufacturing advantages. Huawei VP9660 is a new-generation video conferencing terminal product of China Huawei (Huawei). The license module is one of the license management modules. The vulnerability is caused by insufficient verification of the program

Huawei CloudEngine 12800 V100R003C00, V100R005C00, V100R005C10, V100R006C00,CloudEngine 5800 V100R003C00, V100R005C00, V100R005C10, V100R006C00,CloudEngine 6800 V100R003C00, V100R005C00, V100R005C10, V100R006C00,CloudEngine 7800 V100R003C00, V100R005C00, V100R005C10, V100R006C00 have a memory leak vulnerability. An unauthenticated attacker may send specific Resource ReServation Protocol (RSVP) packets to the affected products. Due to not release the memory to handle the packets, successful exploit will result in memory leak of the affected products and lead to a DoS condition. Huawei CloudEngine Contains a resource management vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei CloudEngine12800 and other Huawei Huayun (Cloud) series of switch products. The vulnerability stems from the fact that the program does not release the memory for processing the message. The following products and versions are affected: Huawei CloudEngine 12800 V100R003C00 Version, V100R005C00 Version, V100R005C10 Version, V100R006C00 Version; CloudEngine 5800 V100R003C00 Version, V100R005C00 Version, V100R005C10 Version, V100R006C00 Version; CloudEngine 6800 V100R003C00 Version, V100R005C00 Version, V100R005C10 Version, V100R006C00 Version; CloudEngine 7800 V100R003C00, V100R005C00, V100R005C10, and V100R006C00

PEM module of Huawei DP300 V500R002C00; IPS Module V500R001C00; V500R001C30; NGFW Module V500R001C00; V500R002C00; NIP6300 V500R001C00; V500R001C30; NIP6600 V500R001C00; V500R001C30; RP200 V500R002C00; V600R006C00; S12700 V200R007C00; V200R007C01; V200R008C00; V200R009C00; V200R010C00; S1700 V200R006C10; V200R009C00; V200R010C00; S2700 V200R006C10; V200R007C00; V200R008C00; V200R009C00; V200R010C00; S5700 V200R006C00; V200R007C00; V200R008C00; V200R009C00; V200R010C00; S6700 V200R008C00; V200R009C00; V200R010C00; S7700 V200R007C00; V200R008C00; V200R009C00; V200R010C00; S9700 V200R007C00; V200R007C01; V200R008C00; V200R009C00; V200R010C00; Secospace USG6300 V500R001C00; V500R001C30; Secospace USG6500 V500R001C00; V500R001C30; Secospace USG6600 V500R001C00; V500R001C30S; TE30 V100R001C02; V100R001C10; V500R002C00; V600R006C00; TE40 V500R002C00; V600R006C00; TE50 V500R002C00; V600R006C00; TE60 V100R001C01; V100R001C10; V500R002C00; V600R006C00; TP3106 V100R002C00; TP3206 V100R002C00; V100R002C10; USG9500 V500R001C00; V500R001C30; ViewPoint 9030 V100R011C02; V100R011C03 has a heap overflow vulnerability due to insufficient verification. An authenticated local attacker can make processing crash by a malicious certificate. The attacker can exploit this vulnerability to cause a denial of service. plural Huawei The product contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300, IPSModule, and NGFWModule are all products of China Huawei. DP300 is a video conferencing terminal. RP200 is a video conferencing all-in-one device. The following products and versions are affected: Huawei DP300 V500R002C00 Version; IPS Module V500R001C00 Version, V500R001C30 Version; NGFW Module V500R001C00 Version, V500R002C00 Version; NIP6300 V500R001C00 Version, V500R001C30 Version; NIP6600 V500R001C00 Version, V500R001C30 Version; RP200 V500R002C00 Version, V600R006C00 Version; S12700 V200R007C00 Version, V200R007C01 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S1700 V200R006C10 Version, V200R009C00 Version, V200R010C00 Version; S2700 V200R006C10 Version, V200R007C00 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S5700 V200R006C00 Version, V200R007C00 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S6700 V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S7700 V200R007C00 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S9700 V200R007C00 Version, V200R007C01 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; Secospace

Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C00; TE30 V100R001C10; V600R006C00; TE50 V600R006C00; TE60 V100R001C10; V500R002C00; V600R006C00; VP9660 V500R002C10 have an DoS vulnerability due to insufficient validation of the parameter when a putty comment key is loaded. An authenticated remote attacker can place a malformed putty key file in system when a system manager load the key an infinite loop happens which lead to reboot the system. plural Huawei The product contains an input validation vulnerability.Denial of service (DoS) May be in a state. Huawei DP300, RP200, and TE30/40/50/60 are Huawei's integrated desktop telepresence products and high-definition video conferencing terminal products for high-end customers. The Huawei DP300 and others are all products of China's Huawei (Huawei). DP300 is a video conferencing terminal. RP200 is a video conferencing all-in-one device. The following products and versions are affected: Huawei DP300 V500R002C00 Version; RP200 V500R002C00 Version, V600R006C00 Version; TE30 V100R001C10 Version, V600R006C00 Version; TE50 V600R006C00 Version; TE60 V100R001C10 Version, V500R002C00 Version, V600R006C00 Version; VP9660 V500R002C10 Version

Zivif PR115-204-P-RS V2.3.4.2103 and V4.7.4.2121 (and possibly in-between versions) web cameras are vulnerable to unauthenticated, blind remote command injection via CGI scripts used as part of the web interface, as demonstrated by a cgi-bin/iptest.cgi?cmd=iptest.cgi&-time="1504225666237"&-url=$(reboot) request. Zivif Web The camera contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The ZivifPR115-204-P-RS is a network camera device. A remote command injection vulnerability exists in the ZivifPR115-204-P-RS2.3.4.2103 release. A remote attacker can exploit this vulnerability to inject arbitrary commands. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. Attack vector: Remote Authentication: None Researcher: Silas Cutler `p1nk` <silas.cutler@blacklistthisdomain.com> Release date: December 10, 2017 Full Disclosure: 90 days CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 Vulnerable Device: Zivif PR115-204-P-RS Version: V2.3.4.2103 Timeline: 1 September 2017: Initial alerting to Zivif 1 September 2017: Zivif contact established. 3 September 2017: Details provided. 7 September 2017: Confirmation of vulnerabilities from Zivif 5 December 2017: Public note on Social Media CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 would be included in HackerStrip comic. 10 December 2017: This email -[Overview]- Implementation of access controls is Zivif cameras is severely lacking. As a result, CGI functions can be called directly, bypassing authentication checks. This was first identified with the following request (CVE-2017-17106) http://<Camera Address>/web/cgi-bin/hi3510/param.cgi?cmd=getuser Cameras respond to this with: var name0="admin"; var password0="admin"; var authLevel0="255"; var name1="guest"; var password1="guest"; var authLevel1="3"; var name2="admin2"; var password2="admin"; var authLevel2="3"; var name3=""; var password3=""; var authLevel3="3"; var name4=""; var password4=""; var authLevel4="3"; var name5=""; var password5=""; var authLevel5="3"; var name6=""; var password6=""; var authLevel6="3"; var name7=""; var password7=""; var authLevel7="3"; var name8=""; var password8=""; var authLevel8="0"; var name9=""; var password9=""; var authLevel9="0 Credentials are returned in cleartext to the requester. One last findings was the /etc/passwd file contains the following hard-coded entry (CVE-2017-17107): root:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh The encrypted password is cat1029. (none) login: root Password: Login incorrect (none) login: root Password: Welcome to SONIX. \u@\h:\W$ Because of the way the file system is structured, changing this password requires more work then running passwd. -[Note]- The hi3510 is shared with a couple other cameras I'm exploring. The motd saying /Welcome to SONIX/ has lead me to speculate parts of this firmware may be shared with other cameras. -Silas

Zivif PR115-204-P-RS V2.3.4.2103 web cameras contain a hard-coded cat1029 password for the root user. The SONIX operating system's setup renders this password unchangeable and it can be used to access the device via a TELNET session. Zivif Web The camera contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The ZivifPR115-204-P-RS is a network camera device. Attack vector: Remote Authentication: None Researcher: Silas Cutler `p1nk` <silas.cutler@blacklistthisdomain.com> Release date: December 10, 2017 Full Disclosure: 90 days CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 Vulnerable Device: Zivif PR115-204-P-RS Version: V2.3.4.2103 Timeline: 1 September 2017: Initial alerting to Zivif 1 September 2017: Zivif contact established. 3 September 2017: Details provided. 7 September 2017: Confirmation of vulnerabilities from Zivif 5 December 2017: Public note on Social Media CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 would be included in HackerStrip comic. 10 December 2017: This email -[Overview]- Implementation of access controls is Zivif cameras is severely lacking. As a result, CGI functions can be called directly, bypassing authentication checks. This was first identified with the following request (CVE-2017-17106) http://<Camera Address>/web/cgi-bin/hi3510/param.cgi?cmd=getuser Cameras respond to this with: var name0="admin"; var password0="admin"; var authLevel0="255"; var name1="guest"; var password1="guest"; var authLevel1="3"; var name2="admin2"; var password2="admin"; var authLevel2="3"; var name3=""; var password3=""; var authLevel3="3"; var name4=""; var password4=""; var authLevel4="3"; var name5=""; var password5=""; var authLevel5="3"; var name6=""; var password6=""; var authLevel6="3"; var name7=""; var password7=""; var authLevel7="3"; var name8=""; var password8=""; var authLevel8="0"; var name9=""; var password9=""; var authLevel9="0 Credentials are returned in cleartext to the requester. In exploring, unauthenticated remote command injection is possible using (CVE-2017-17105) http://<Camera IP>/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time="1504225666237"&-url=$(reboot) Command results are not returned, however are executed by the system. One last findings was the /etc/passwd file contains the following hard-coded entry (CVE-2017-17107): root:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh The encrypted password is cat1029. (none) login: root Password: Login incorrect (none) login: root Password: Welcome to SONIX. \u@\h:\W$ Because of the way the file system is structured, changing this password requires more work then running passwd. -[Note]- The hi3510 is shared with a couple other cameras I'm exploring. The motd saying /Welcome to SONIX/ has lead me to speculate parts of this firmware may be shared with other cameras. -Silas

PEM module of Huawei DP300 V500R002C00; IPS Module V500R001C00; V500R001C30; NGFW Module V500R001C00; V500R002C00; NIP6300 V500R001C00; V500R001C30; NIP6600 V500R001C00; V500R001C30; RP200 V500R002C00; V600R006C00; S12700 V200R007C00; V200R007C01; V200R008C00; V200R009C00; V200R010C00; S1700 V200R006C10; V200R009C00; V200R010C00; S2700 V200R006C10; V200R007C00; V200R008C00; V200R009C00; V200R010C00; S5700 V200R006C00; V200R007C00; V200R008C00; V200R009C00; V200R010C00; S6700 V200R008C00; V200R009C00; V200R010C00; S7700 V200R007C00; V200R008C00; V200R009C00; V200R010C00; S9700 V200R007C00; V200R007C01; V200R008C00; V200R009C00; V200R010C00; Secospace USG6300 V500R001C00; V500R001C30; Secospace USG6500 V500R001C00; V500R001C30; Secospace USG6600 V500R001C00; V500R001C30S; TE30 V100R001C02; V100R001C10; V500R002C00; V600R006C00; TE40 V500R002C00; V600R006C00; TE50 V500R002C00; V600R006C00; TE60 V100R001C01; V100R001C10; V500R002C00; V600R006C00; TP3106 V100R002C00; TP3206 V100R002C00; V100R002C10; USG9500 V500R001C00; V500R001C30; ViewPoint 9030 V100R011C02; V100R011C03 has a null pointer reference vulnerability due to insufficient verification. An authenticated local attacker calls PEM decoder with special parameter which could cause a denial of service. plural Huawei The product includes NULL A vulnerability related to pointer dereference exists.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei DP300, IPSModule, and NGFWModule are all products of China Huawei. DP300 is a video conferencing terminal. RP200 is a video conferencing all-in-one device. PEM module is one of the security modules. The following products and versions are affected: Huawei DP300 V500R002C00 Version; IPS Module V500R001C00 Version, V500R001C30 Version; NGFW Module V500R001C00 Version, V500R002C00 Version; NIP6300 V500R001C00 Version, V500R001C30 Version; NIP6600 V500R001C00 Version, V500R001C30 Version; RP200 V500R002C00 Version, V600R006C00 Version; S12700 V200R007C00 Version, V200R007C01 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S1700 V200R006C10 Version, V200R009C00 Version, V200R010C00 Version; S2700 V200R006C10 Version, V200R007C00 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S5700 V200R006C00 Version, V200R007C00 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S6700 V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S7700 V200R007C00 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; S9700 V200R007C00 Version, V200R007C01 Version, V200R008C00 Version, V200R009C00 Version, V200R010C00 Version; Secospace