VARIoT IoT vulnerabilities database
| VAR-201802-0428 | CVE-2017-14910 | Input validation vulnerability in multiple Qualcomm Snapdragon products |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
In Snapdragon Automobile, Snapdragon IoT and Snapdragon Mobile MDM9206, MDM9607, MDM9650, S820A, S820Am, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 820, SD 835, and SD 845, a buffer overread is possible if there are no newlines in an input file. Multiple Qualcomm Snapdragon products contain an input validation vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Google Android is prone to multiple unspecified security vulnerabilities.
Little is known about these issues or their effects at this time. We will update this BID as more information emerges. Qualcomm MDM9650 and the others are products of Qualcomm. MDM9650, SD 425, SD 430, SD 625 and so on are central processing unit (CPU) products. A buffer error vulnerability exists in several Qualcomm products. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause a buffer overflow, heap overflow, etc.
| VAR-201803-1015 | CVE-2017-14911 | Authentication vulnerability in Android running on multiple Qualcomm products |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mobile, Snapdragon Automobile APQ8096AU, MDM9206, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 625, SD 650/52, SD 820, SD 835, it is possible for the XBL loader to skip the authentication of device config. Android running on multiple Qualcomm products contains an authentication vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Google Android is prone to multiple unspecified security vulnerabilities.
Little is known about these issues or their effects at this time. We will update this BID as more information emerges.
These issues are being tracked by Android Bug IDs A-62212946, A-32584150, A-62212739, A-62212298, A-62212632, A-65944893 and A-66913721. Android is a Linux-based open source operating system jointly developed by Google and the Open Handheld Alliance (OHA). Qualcomm closed-source components are closed-source components developed by Qualcomm. A security vulnerability exists in Qualcomm closed-source components in Android versions prior to 2018-01-05. There is currently no further information about this vulnerability; watch CNNVD or vendor announcements.
| VAR-201803-1017 | CVE-2017-14913 | Input validation vulnerability in Android running on multiple Qualcomm products |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mobile MDM9206, SD 625, SD 650/52, SD 835, SD 845, DDR address input validation is being improperly truncated. Android running on multiple Qualcomm products contains an input validation vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Google Android is prone to multiple unspecified security vulnerabilities.
Little is known about these issues or their effects at this time. We will update this BID as more information emerges.
These issues are being tracked by Android Bug IDs A-62212946, A-32584150, A-62212739, A-62212298, A-62212632, A-65944893 and A-66913721. Android is a Linux-based open source operating system developed by Google and the Open Handheld Alliance (OHA). An input validation error vulnerability exists in Android versions prior to 2018-01-05. The vulnerability stems from the failure of the network system or product to properly validate the input data. The following products and versions are affected: Qualcomm MDM9206; SD 625; SD 650/52; SD 835; SD 845.
| VAR-201803-1016 | CVE-2017-14912 | Buffer error vulnerability in Android running on multiple Qualcomm products |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mobile [VERSION]: MDM9206, MDM9607, MDM9650, MSM8909W, SD 200, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 835, the attributes of buffers in Secure Display were not marked properly. Android running on multiple Qualcomm products contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Google Android is prone to multiple unspecified security vulnerabilities.
Little is known about these issues or their effects at this time. We will update this BID as more information emerges.
These issues are being tracked by Android Bug IDs A-62212946, A-32584150, A-62212739, A-62212298, A-62212632, A-65944893 and A-66913721. Android is a Linux-based open source operating system developed by Google and the Open Handheld Alliance (OHA). There is a buffer error vulnerability in Android versions before 2018-01-05. The vulnerability stems from the fact that the program does not correctly mark the buffer attribute in Secure Display. There is currently no further information about this vulnerability; watch CNNVD or vendor announcements.
| VAR-201803-1018 | CVE-2017-14915 | Use-after-free vulnerability in Android running on multiple Qualcomm products |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
In Android before 2018-01-05 on Qualcomm Snapdragon Mobile SD 625, SD 650/52, SD 835, accessing SPCOM functions with a compromised client structure can result in a Use After Free condition. Android running on multiple Qualcomm products contains a use-after-free vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Google Android is prone to multiple unspecified security vulnerabilities.
Little is known about these issues or their effects at this time. We will update this BID as more information emerges.
These issues are being tracked by Android Bug IDs A-62212946, A-32584150, A-62212739, A-62212298, A-62212632, A-65944893 and A-66913721. Android is a Linux-based open source operating system developed by Google and the Open Handheld Alliance (OHA). A resource management error vulnerability exists in Android versions prior to 2018-01-05. This vulnerability stems from improper management of system resources (such as memory, disk space, files, etc.) by network systems or products. The following products and versions are affected: Qualcomm SD 625; SD 650/52; SD 835.
| VAR-201709-0895 | CVE-2017-14942 | Intelbras WRN 150 device access control vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Intelbras WRN 150 devices allow remote attackers to read the configuration file, and consequently bypass authentication, via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg containing an admin:language=pt cookie. The Intelbras WRN 150 device contains an access control vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). The Intelbras WRN 150 is a wireless router from Brazil's Intelbras. A security vulnerability exists in the Intelbras WRN 150 device.
| VAR-201712-0369 | CVE-2017-14855 | Red Lion HMI Panel error handling vulnerability |
CVSS V2: 7.8 CVSS V3: 8.6 Severity: HIGH |
Red Lion HMI panels allow remote attackers to cause a denial of service (software exception) via an HTTP POST request to a long URI that does not exist, as demonstrated by version HMI 2.41 PLC 2.42. Red Lion HMI panels contain an error handling vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Red Lion HMI panels are human-machine interface products for industrial control from Red Lion Controls of the United States. A PLC is a programmable logic controller. Red Lion HMI panels at version HMI 2.41 PLC 2.42 have a security vulnerability.
| VAR-201712-0701 | CVE-2017-12736 | Vulnerabilities related to authorization, permissions, and access control in multiple Siemens products |
CVSS V2: 5.8 CVSS V3: 8.8 Severity: HIGH |
After initial configuration, the Ruggedcom Discovery Protocol (RCDP) is still able to write to the device under certain conditions.
This could allow an attacker located in the adjacent network of the targeted device to perform unauthorized administrative actions. Multiple Siemens products contain vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). Siemens RuggedCom ROS is a ROX-based device for connecting devices in harsh environments, such as substations, traffic management chassis, etc. The SCALANCE XB-200 is an industrial Ethernet switch. An unauthorized-operation vulnerability exists in Siemens Ruggedcom ROS and SCALANCE. Multiple Siemens Products are prone to a remote security bypass vulnerability.
The following products and versions are vulnerable:
RUGGEDCOM ROS prior to 5.0.1 for RSL910 devices.
RUGGEDCOM ROS prior to 4.3.4 for all other devices.
SCALANCE XB-200/XC-200/XP-200/XR300-WG 3.0 and later.
SCALANCE XR-500/XM-400 6.1 and later.
| VAR-201804-1057 | CVE-2017-7066 | Denial-of-service (DoS) vulnerability in the Wi-Fi component of Apple iOS and tvOS |
CVSS V2: 3.3 CVSS V3: 6.5 Severity: MEDIUM |
An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. tvOS before 10.2.2 is affected. The issue involves the "Wi-Fi" component. It allows attackers to cause a denial of service (memory corruption on the Wi-Fi chip) by leveraging proximity for 802.11. Apple iOS and tvOS are products of Apple in the United States. Apple iOS is an operating system developed for mobile devices. tvOS is a smart TV operating system. Wi-Fi is one of the wireless Internet access components. A security vulnerability exists in the Wi-Fi component in Apple iOS versions prior to 10.3.3 and tvOS versions prior to 10.2.2.
Broadcom: Denial of service and OOB read in TCP KeepAlive Offloading
CVE-2017-7066
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS.
In order to reduce overhead on the host, some Broadcom Wi-Fi chips support TCP ACK Offloading. When this feature is enabled, the firmware keeps a list of active TCP connections, including the 4-tuple, the SEQ/ACK numbers, etc.
Before performing the offloading operation, incoming TCP packets are verified to ensure they are valid. During this verification process, the incoming packets' checksums are calculated. For IPv4 packets, the IPv4 header checksum and TCP/IPv4 checksum are calculated and compared to the checksums in the incoming packet.
On the BCM4355C0 SoC with firmware version 9.44.78.27.0.1.56, the offloading verification is performed in RAM function 0x1800C8. Here is a snippet of the approximate high-level logic for this function:
    int function_1800C8(void* ctx, void* packet) {
        char* packet_data = *((char**)(packet + 8));
        unsigned short packet_length = *((unsigned short*)(packet + 12));
        char* packet_end = packet_data + packet_length;

        //Getting the ethertype. If there's a SNAP header, get the ethertype from SNAP.

        //Is this IPv4?
        if (ethertype == 0x800) {
            unsigned ip_header_length = (ip_header[0] & 0xF) * 4; //IHL * 4
            char* tcp_header = ip_header + ip_header_length;
            if (tcp_header > packet_end)
                return 0;

            //Make sure this is TCP
            if (ip_header[9] != 6) //IPv4->Protocol == TCP
                return 0;

            //Making sure the IP total length is valid
            unsigned short ip_total_length = (ip_header[2] << 8) | ip_header[3];
            unsigned tcp_length = ip_total_length - ip_header_length;
            if (tcp_header + tcp_length > packet_end)
                return 0;

            //Verify IPv4 checksum
            unsigned short ipv4_checksum = *((unsigned short*)(ip_header+10));
            if (ipv4_checksum != do_ipv4_checksum(ip_header, ip_header_length))
                return 0;

            //Verify TCP/IPv4 checksum
            unsigned short tcp_checksum = *((unsigned short*)(tcp_header+16));
            if (tcp_checksum != do_tcp_ipv4_checksum(ip_header, tcp_header, tcp_length))
                return 0;
            ...
        }
        ...
    }

    unsigned short do_ipv4_checksum(char* ip, unsigned len) {
        ...
        return internal_calculate_ipv4_checksum(..., ip + 12, len - 12);
    }

    unsigned short do_tcp_ipv4_checksum(char* ip, char* tcp, unsigned len) {
        ...
        return internal_calculate_tcp_ipv4_checksum(..., ip + 18, len - 18);
    }
As can be seen, there are a few missing length verifications in the snippet above:
1. The IHL field in the IPv4 header is not verified against its minimal allowed value (5). This means an attacker can provide an intentionally small value, such as zero. Doing so will cause the following accesses to be performed OOB (such as checking the IP header's protocol field, calculating the IPv4 checksum, etc).
2. The IP total length field is also not verified. An attacker can choose the total length field such that ip_total_length == ip_header_length. By doing so, tcp_length will contain the value zero. However, as the unsigned value (tcp_length - 12) is used as the length field in the internal TCP/IPv4 checksum calculation, this will cause the internal checksum calculation loop (RAM function 0x16DBF6) to receive a very large length field, causing a data abort due to an illegal access which will therefore crash the firmware.
The bug can be addressed by validating that the IHL is not smaller than the minimal allowed value (5), and by ensuring that the IP total length field is large enough to contain the IPv4 and TCP headers.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: laginimaineb
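The two length checks the report recommends, written out as an added example (not code from the report or from any vendor firmware). The names `validate_tcp4`, `build_sample` and the verdict values are hypothetical; `ip` is assumed to point at the IPv4 header with `avail` bytes left in the frame, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical verdict names for this example. */
enum verdict { PKT_OK, PKT_TRUNCATED, PKT_BAD_VERSION, PKT_BAD_IHL, PKT_NOT_TCP,
               PKT_BAD_TOTAL_LEN, PKT_BAD_CHECKSUM, PKT_BAD_DATA_OFFSET };

struct tcp4_view {        /* filled only when PKT_OK is returned */
    const uint8_t *tcp;   /* start of the TCP header */
    size_t ip_hdr_len;    /* IHL * 4, always in [20, 60] */
    size_t tcp_len;       /* TCP header plus payload, always >= 20 */
};

/* RFC 1071 one's-complement sum; callers pass only validated lengths. */
static uint16_t inet_sum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)sum;
}

/* Every length is bounded before it is subtracted from or used as an index. */
enum verdict validate_tcp4(const uint8_t *ip, size_t avail, struct tcp4_view *out)
{
    if (avail < 20)                       /* fixed IPv4 header must be present */
        return PKT_TRUNCATED;
    if ((ip[0] >> 4) != 4)
        return PKT_BAD_VERSION;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20)                         /* check 1: IHL >= 5 words */
        return PKT_BAD_IHL;
    if (ihl > avail)
        return PKT_TRUNCATED;
    if (ip[9] != 6)                       /* protocol must be TCP */
        return PKT_NOT_TCP;
    size_t total = ((size_t)ip[2] << 8) | ip[3];
    if (total < ihl + 20)                 /* check 2: room for IPv4 + TCP headers */
        return PKT_BAD_TOTAL_LEN;
    if (total > avail)                    /* claimed length exceeds the frame */
        return PKT_TRUNCATED;
    if (inet_sum(ip, ihl) != 0xFFFF)      /* sum includes the checksum field */
        return PKT_BAD_CHECKSUM;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > total - ihl)  /* total - ihl >= 20, cannot wrap */
        return PKT_BAD_DATA_OFFSET;
    out->tcp = tcp;
    out->ip_hdr_len = ihl;
    out->tcp_len = total - ihl;
    return PKT_OK;
}

/* Constructed sample: 20-byte IPv4 header + 20-byte TCP header in buf[0..39],
 * with the IHL nibble and total-length field set as requested. */
size_t build_sample(uint8_t *buf, unsigned ihl_words, unsigned total_len)
{
    memset(buf, 0, 40);
    buf[0] = (uint8_t)(0x40 | (ihl_words & 0x0F));
    buf[2] = (uint8_t)(total_len >> 8);
    buf[3] = (uint8_t)total_len;
    buf[8] = 64;                                      /* TTL */
    buf[9] = 6;                                       /* TCP */
    buf[12] = 192; buf[14] = 2; buf[15] = 1;          /* 192.0.2.1 (documentation range) */
    buf[16] = 192; buf[18] = 2; buf[19] = 2;          /* 192.0.2.2 */
    uint16_t c = (uint16_t)~inet_sum(buf, 20);
    buf[10] = (uint8_t)(c >> 8);
    buf[11] = (uint8_t)c;
    buf[32] = 5 << 4;                                 /* TCP data offset: 5 words */
    return 40;
}

int main(void)
{
    uint8_t pkt[40];
    struct tcp4_view v;
    size_t n = build_sample(pkt, 5, 40);
    printf("well-formed packet: %d\n", validate_tcp4(pkt, n, &v));
    n = build_sample(pkt, 0, 40);                     /* IHL = 0 */
    printf("IHL of zero: %d\n", validate_tcp4(pkt, n, &v));
    n = build_sample(pkt, 5, 20);                     /* total length == IHL * 4 */
    printf("total length equals header length: %d\n", validate_tcp4(pkt, n, &v));
    return 0;
}
```
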
| VAR-201711-1018 | CVE-2017-8203 | Use-after-free vulnerability in Huawei Nova 2 Plus and Nova 2 smartphone software |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
The Bastet Driver of Nova 2 Plus, Nova 2 Huawei smart phones with software of versions earlier than BAC-AL00C00B173, versions earlier than PIC-AL00C00B173 has a use after free (UAF) vulnerability. An attacker can convince a user to install a malicious application which has a high privilege to exploit this vulnerability. Successful exploitation may cause arbitrary code execution. Huawei Nova 2 Plus and Nova 2 smartphone software contains a use-after-free vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Both Nova 2 and Nova 2 Plus are smartphone devices from China's Huawei company. The use-after-free (UAF) security vulnerability exists in the Bastet driver of Huawei Nova 2 and Nova 2 Plus. Huawei Smart Phones are prone to a remote code-execution vulnerability. Failed exploit attempts will likely cause a denial-of-service condition.
| VAR-201709-0695 | CVE-2017-12238 | Cisco IOS Software for Cisco Catalyst 6800 Series Switches Denial of Service Vulnerability |
CVSS V2: 3.3 CVSS V3: 6.5 Severity: MEDIUM |
A vulnerability in the Virtual Private LAN Service (VPLS) code of Cisco IOS 15.0 through 15.4 for Cisco Catalyst 6800 Series Switches could allow an unauthenticated, adjacent attacker to cause a C6800-16P10G or C6800-16P10G-XL type line card to crash, resulting in a denial of service (DoS) condition. The vulnerability is due to a memory management issue in the affected software. An attacker could exploit this vulnerability by creating a large number of VPLS-generated MAC entries in the MAC address table of an affected device. A successful exploit could allow the attacker to cause a C6800-16P10G or C6800-16P10G-XL type line card to crash, resulting in a DoS condition. This vulnerability affects Cisco Catalyst 6800 Series Switches that are running a vulnerable release of Cisco IOS Software and have a Cisco C6800-16P10G or C6800-16P10G-XL line card in use with Supervisor Engine 6T. To be vulnerable, the device must also be configured with VPLS and the C6800-16P10G or C6800-16P10G-XL line card needs to be the core-facing MPLS interfaces. Cisco Bug IDs: CSCva61927. Cisco IOS contains a resource management vulnerability. The vendor has published this vulnerability as Bug ID CSCva61927. Service operation may be disrupted (DoS). IOS is one of the operating systems for network devices.
| VAR-201709-0696 | CVE-2017-12239 | Cisco IOS XE Vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 7.2 CVSS V3: 6.8 Severity: MEDIUM |
A vulnerability in motherboard console ports of line cards for Cisco ASR 1000 Series Aggregation Services Routers and Cisco cBR-8 Converged Broadband Routers could allow an unauthenticated, physical attacker to access an affected device's operating system. The vulnerability exists because an engineering console port is available on the motherboard of the affected line cards. An attacker could exploit this vulnerability by physically connecting to the console port on the line card. A successful exploit could allow the attacker to gain full access to the affected device's operating system. This vulnerability affects only Cisco ASR 1000 Series Routers that have removable line cards and Cisco cBR-8 Converged Broadband Routers, if they are running certain Cisco IOS XE 3.16 through 16.5 releases. Cisco Bug IDs: CSCvc65866, CSCve77132. Cisco IOS XE contains vulnerabilities related to authorization, permissions, and access control. The vendor has published this vulnerability as Bug IDs CSCvc65866 and CSCve77132. Information may be obtained or altered, and service operation may be disrupted (DoS). The Cisco ASR 1000 is a system router provided by Cisco. Multiple Cisco Products are prone to a local unauthorized-access vulnerability. This may aid in further attacks. IOS XE is a dedicated operating system used on a set of network devices.
| VAR-201709-0786 | CVE-2017-14842 | SQL injection vulnerability in Mojoomla SMSmaster Multipurpose SMS Gateway for WordPress |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
Mojoomla SMSmaster Multipurpose SMS Gateway for WordPress allows SQL Injection via the id parameter. WordPress is a blogging platform developed by the WordPress Software Foundation in PHP, which supports setting up personal blogging websites on PHP and MySQL servers. Mojoomla SMSmaster Multipurpose SMS Gateway is one of the multipurpose SMS gateways. A remote attacker can exploit this vulnerability to inject arbitrary SQL commands by using the 'id' parameter.
| VAR-201709-0094 | CVE-2015-3138 | tcpdump Input validation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
print-wb.c in tcpdump before 4.7.4 allows remote attackers to cause a denial of service (segmentation fault and process crash). tcpdump contains an input validation vulnerability. Service operation may be disrupted (DoS). tcpdump can completely intercept the data packets transmitted in the network for analysis. It supports filtering by network layer, protocol, host, network or port, and provides logical operators such as and, or, not to help you remove useless information.
| VAR-201709-0655 | CVE-2017-12240 | Cisco IOS and IOS XE Software Buffer error vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
The DHCP relay subsystem of Cisco IOS 12.2 through 15.6 and Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code and gain full control of an affected system. The attacker could also cause an affected system to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to a buffer overflow condition in the DHCP relay subsystem of the affected software. An attacker could exploit this vulnerability by sending a crafted DHCP Version 4 (DHCPv4) packet to an affected system. A successful exploit could allow the attacker to execute arbitrary code and gain full control of the affected system or cause the affected system to reload, resulting in a DoS condition. Cisco Bug IDs: CSCsm45390, CSCuw77959. The vendor has published this vulnerability as Bug IDs CSCsm45390 and CSCuw77959. Information may be obtained or altered, and service operation may be disrupted (DoS). Both Cisco IOS and IOS XE are operating systems developed by Cisco for its network devices. Failed attempts will likely result in denial-of-service conditions. DHCP relay is one of the components used to implement the function of processing and forwarding DHCP information between different subnets and physical network segments.
| VAR-201709-0698 | CVE-2017-12229 | Cisco IOS XE Authentication vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
A vulnerability in the REST API of the web-based user interface (web UI) of Cisco IOS XE 3.1 through 16.5 could allow an unauthenticated, remote attacker to bypass authentication to the REST API of the web UI of the affected software. The vulnerability is due to insufficient input validation for the REST API of the affected software. An attacker could exploit this vulnerability by sending a malicious API request to an affected device. A successful exploit could allow the attacker to bypass authentication and gain access to the web UI of the affected software. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software, if the HTTP Server feature is enabled for the device. The newly redesigned, web-based administration UI was introduced in the Denali 16.2 Release of Cisco IOS XE Software. This vulnerability does not affect the web-based administration UI in earlier releases of Cisco IOS XE Software. Cisco Bug IDs: CSCuz46036. The vendor has published this vulnerability as Bug ID CSCuz46036. Information may be obtained or altered, and service operation may be disrupted (DoS). This may lead to further attacks.
| VAR-201711-1014 | CVE-2017-8199 | Out-of-bounds vulnerability in multiple Huawei products |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
MAX PRESENCE V100R001C00, TP3106 V100R002C00, TP3206 V100R002C00 have an out-of-bounds read vulnerability in H323 protocol. An attacker logs in to the system as a user and sends crafted packets to the affected products. Due to insufficient verification of the packets, successful exploit will cause process reboot. Huawei MAX PRESENCE, TP3106, and TP3206 contain an out-of-bounds vulnerability. Service operation may be disrupted (DoS). Multiple Huawei products are prone to a remote denial-of-service vulnerability. Huawei MAX PRESENCE, TP3106 and TP3206 are all panoramic video conferencing solutions of China's Huawei. H323 protocol is one of the video and audio communication protocols. The vulnerability is caused by the fact that the program does not fully verify data packets. An attacker who successfully logs in could exploit the vulnerability by sending a specially crafted packet to cause a process restart (out-of-bounds read).
| VAR-201711-1015 | CVE-2017-8200 | Out-of-bounds vulnerability in multiple Huawei products |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
MAX PRESENCE V100R001C00, TP3106 V100R002C00, TP3206 V100R002C00 have an out-of-bounds read vulnerability in H323 protocol. An attacker logs in to the system as a user and sends crafted packets to the affected products. Due to insufficient verification of the packets, successful exploit will cause process reboot. Huawei MAX PRESENCE, TP3106, and TP3206 contain an out-of-bounds vulnerability. Service operation may be disrupted (DoS). Multiple Huawei products are prone to a remote denial-of-service vulnerability. Huawei MAX PRESENCE, TP3106 and TP3206 are all panoramic video conferencing solutions of China's Huawei. H323 protocol is one of the video and audio communication protocols. The vulnerability is caused by the fact that the program does not fully verify data packets. An attacker who successfully logs in could exploit the vulnerability by sending a specially crafted packet to cause a process restart (out-of-bounds read).
| VAR-201711-1016 | CVE-2017-8201 | Vulnerability related to insufficient verification of data reliability in multiple Huawei products |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
MAX PRESENCE V100R001C00, TP3106 V100R002C00, TP3206 V100R002C00 have a memory leak vulnerability in H323 protocol. An attacker logs in to the system as a user and sends crafted packets to the affected products. Due to insufficient verification of the packets, successful exploit could cause a memory leak and eventual denial of service (DoS) condition. Huawei MAX PRESENCE, TP3106, and TP3206 contain vulnerabilities related to insufficient validation of data reliability. Service operation may be disrupted (DoS). Multiple Huawei products are prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause denial-of-service conditions. Huawei MAX PRESENCE, TP3106 and TP3206 are all panoramic video conferencing solutions of China's Huawei. H323 protocol is one of the video and audio communication protocols.
| VAR-201709-0685 | CVE-2017-12222 | Cisco IOS XE Input validation vulnerability |
CVSS V2: 6.1 CVSS V3: 6.5 Severity: MEDIUM |
A vulnerability in the wireless controller manager of Cisco IOS XE could allow an unauthenticated, adjacent attacker to cause a restart of the switch and result in a denial of service (DoS) condition. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting a crafted association request. An exploit could allow the attacker to cause the switch to restart. This vulnerability affects Cisco Catalyst 3650 and 3850 switches running IOS XE Software versions 16.1 through 16.3.3, and acting as wireless LAN controllers (WLC). Cisco Bug IDs: CSCvd45069. The vendor has published this vulnerability as Bug ID CSCvd45069. A denial of service (DoS) may result. The Cisco Catalyst 3650 and 3850 are Cisco switches. IOS XE Software is one of the operating systems for network devices. Wireless controller manager is one of the wireless controller management programs. A denial of service vulnerability exists in the wireless controller manager in IOS XE Software on the Cisco Catalyst 3650 and 3850 switches, which stems from a program failing to validate the input.