VARIoT IoT vulnerabilities database

VAR-201709-0686 CVE-2017-12223 Cisco IR800 Integrated Services Router Software input validation vulnerability CVSS V2: 6.9
CVSS V3: 6.4
Severity: MEDIUM
A vulnerability in the ROM Monitor (ROMMON) code of Cisco IR800 Integrated Services Router Software could allow an unauthenticated, local attacker to boot an unsigned Hypervisor on an affected device and compromise the integrity of the system. The vulnerability is due to insufficient sanitization of user input. An attacker who can access an affected router via the console could exploit this vulnerability by entering ROMMON mode and modifying ROMMON variables. A successful exploit could allow the attacker to execute arbitrary code and install a malicious version of Hypervisor firmware on an affected device. Cisco Bug IDs: CSCvb44027. Cisco IR800 Integrated Services Router Software contains an input validation vulnerability. The vendor has confirmed this vulnerability and published it as Bug ID CSCvb44027. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Failed attempts may lead to denial-of-service conditions. ROM Monitor is one of the device's resource monitors.
VAR-201709-0687 CVE-2017-12224 Cisco Meeting Server information disclosure vulnerability CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
A vulnerability in the ability for guest users to join meetings via a hyperlink with Cisco Meeting Server could allow an authenticated, remote attacker to enter a meeting with a hyperlink URL, even though access should be denied. The vulnerability is due to the incorrect implementation of the configuration setting Guest access via hyperlinks, which should allow the administrative user to prevent guest users from using hyperlinks to connect to meetings. An attacker could exploit this vulnerability by using a crafted hyperlink to connect to a meeting. An exploit could allow the attacker to connect directly to the meeting with a hyperlink, even though access should be denied. The attacker would still require a valid hyperlink and encoded secret identifier to be connected. Cisco Bug IDs: CSCve20873. Cisco Meeting Server contains an information disclosure vulnerability. The vendor has confirmed this vulnerability and published it as Bug ID CSCve20873. Information may be obtained. An attacker can exploit this issue to obtain sensitive information that may aid in further attacks.
VAR-201709-0688 CVE-2017-12225 Cisco Prime LAN Management Solution Session fixation vulnerability CVSS V2: 4.3
CVSS V3: 6.5
Severity: MEDIUM
A vulnerability in the web functionality of the Cisco Prime LAN Management Solution could allow an authenticated, remote attacker to hijack another user's administrative session, aka a Session Fixation Vulnerability. The vulnerability is due to the reuse of a preauthentication session token as part of the postauthentication session. An attacker could exploit this vulnerability by obtaining the presession token ID. An exploit could allow an attacker to hijack an existing user's session. Known Affected Releases 4.2(5). Cisco Bug IDs: CSCvf58392. The vendor has confirmed this vulnerability and published it as Bug ID CSCvf58392. Information may be tampered with. The solution configures, manages, monitors and maintains the network.
VAR-201709-0690 CVE-2017-12227 Cisco Emergency Responder SQL injection vulnerability CVSS V2: 5.5
CVSS V3: 5.4
Severity: MEDIUM
A vulnerability in the SQL database interface for Cisco Emergency Responder could allow an authenticated, remote attacker to conduct a blind SQL injection attack. The vulnerability is due to a failure to validate user-supplied input used in SQL queries that bypass protection filters. An attacker could exploit this vulnerability by sending crafted URLs that include SQL statements. An exploit could allow the attacker to view or modify entries in some database tables, affecting the integrity of the data. Cisco Bug IDs: CSCvb58973. The vendor has confirmed this vulnerability and published it as Bug ID CSCvb58973. Information may be obtained and information may be altered. The software provides features such as a real-time location tracking database and caller location.
VAR-201709-1071 CVE-2017-6627 Cisco IOS and IOS XE improper shutdown and release of resources vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A vulnerability in the UDP processing code of Cisco IOS 15.1, 15.2, and 15.4 and IOS XE 3.14 through 3.18 could allow an unauthenticated, remote attacker to cause the input queue of an affected system to hold UDP packets, causing an interface queue wedge and a denial of service (DoS) condition. The vulnerability is due to Cisco IOS Software application changes that create UDP sockets and leave the sockets idle without closing them. An attacker could exploit this vulnerability by sending UDP packets with a destination port of 0 to an affected device. A successful exploit could allow the attacker to cause UDP packets to be held in the input interface queue, resulting in a DoS condition. The input interface queue will stop holding UDP packets when it receives 250 packets. Cisco Bug IDs: CSCup10024, CSCva55744, CSCva95506. Cisco IOS and IOS XE contain a vulnerability related to improper shutdown and release of resources. The vendor has confirmed this vulnerability and published it as Bug IDs CSCup10024, CSCva55744, and CSCva95506. Service operation may be interrupted (DoS). Both Cisco IOS and IOS XE are operating systems developed by Cisco for its network devices. UDP processing is the handler for the UDP (User Datagram Protocol) protocol. Attackers can exploit this issue to crash the affected application, denying service to legitimate users.
VAR-201709-1072 CVE-2017-6631 Multiple Cisco Yes STB devices resource management vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
A vulnerability in the HTTP remote procedure call (RPC) service of set-top box (STB) receivers manufactured by Cisco for Yes could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability exists because the firmware of an affected device fails to handle certain XML values that are passed to the HTTP RPC service listening on the local subnet of the device. An attacker could exploit this vulnerability by submitting a malformed request to an affected device. A successful attack could cause the affected device to restart, resulting in a DoS condition. Yes has updated the affected devices with firmware that addresses this vulnerability. Customers are not required to take action. Vulnerable Products: This vulnerability affects YesMaxTotal, YesMax HD, and YesQuattro STB devices. Cisco Bug IDs: CSCvd08812. The vendor has confirmed this vulnerability and published it as Bug ID CSCvd08812. Service operation may be interrupted (DoS). Cisco YesMaxTotal, YesMax HD, and YesQuattro STB are all video signal converter devices from Cisco. The HTTP remote procedure call (RPC) service is one of the device's remote procedure call services. A denial of service vulnerability exists in the HTTP RPC service of Cisco YesMaxTotal, YesMax HD, and YesQuattro STB devices. Multiple Cisco products are prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition.
VAR-201709-1081 CVE-2017-6780 Cisco IoT Field Network Director Resource management vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
A vulnerability in the TCP throttling process for Cisco IoT Field Network Director (IoT-FND) could allow an unauthenticated, remote attacker to cause the system to consume additional memory, eventually forcing the device to restart, aka Memory Exhaustion. The vulnerability is due to insufficient rate-limiting protection. An attacker could exploit this vulnerability by sending a high rate of TCP packets to a specific group of open listening ports on a targeted device. An exploit could allow the attacker to cause the system to consume additional memory. If enough available memory is consumed, the system will restart, creating a temporary denial of service (DoS) condition. The DoS condition will end after the device has finished the restart process. This vulnerability affects the following Cisco products: Connected Grid Network Management System, if running a software release prior to IoT-FND Release 4.0; IoT Field Network Director, if running a software release prior to IoT-FND Release 4.0. Cisco Bug IDs: CSCvc77164. The vendor has confirmed this vulnerability and published it as Bug ID CSCvc77164. Service operation may be interrupted (DoS). The system provides functions such as equipment management, asset tracking and smart metering. Prior to Cisco IoT-FND 4.0, the TCP throttling process had a denial of service vulnerability, which stems from insufficient rate-limiting protection in the program. Successful exploitation of the issue causes excessive memory consumption and restarts the affected application, resulting in a denial-of-service condition.
VAR-201709-1082 CVE-2017-6789 Cisco Unified Intelligence Center Web Interface cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
A vulnerability in the Cisco Unified Intelligence Center web interface could allow an unauthenticated, remote attacker to impact the integrity of the system by executing a Document Object Model (DOM)-based, environment or client-side cross-site scripting (XSS) attack. The vulnerability occurs because user-supplied data in the DOM input is not validated. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious DOM statements to the affected system. A successful exploit could allow the attacker to affect the integrity of the system by manipulating the database. Known Affected Releases 11.0(1)ES10. Cisco Bug IDs: CSCvf18325. The vendor has confirmed this vulnerability and published it as Bug ID CSCvf18325. Information may be obtained and information may be altered. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. The platform provides functions such as report-related business data and comprehensive display of call center data.
VAR-201709-1084 CVE-2017-6792 Cisco Prime Collaboration Provisioning Tool Input validation vulnerability CVSS V2: 8.5
CVSS V3: 6.5
Severity: MEDIUM
A vulnerability in the batch provisioning feature in Cisco Prime Collaboration Provisioning Tool could allow an authenticated, remote attacker to overwrite system files as root. The vulnerability is due to a lack of input validation of the BatchFileName and Directory parameters. An attacker could exploit this vulnerability by manipulating the parameters of the batch action file function. Cisco Bug IDs: CSCvd61766. The vendor has confirmed this vulnerability and published it as Bug ID CSCvd61766. Information may be tampered with. Attackers can overwrite arbitrary files on an unsuspecting user's computer in the context of the vulnerable application. The tool provides IP communications services capabilities for IP telephony, voice mail, and unified communications environments.
VAR-201709-1085 CVE-2017-6793 Cisco Prime Collaboration Provisioning Tool information disclosure vulnerability CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
A vulnerability in the Inventory Management feature of Cisco Prime Collaboration Provisioning Tool could allow an authenticated, remote attacker to view sensitive information on the system. The vulnerability is due to insufficient protection of restricted information. An attacker could exploit this vulnerability by accessing unauthorized information via the user interface. Cisco Bug IDs: CSCvd61932. The vendor has confirmed this vulnerability and published it as Bug ID CSCvd61932. Information may be obtained. Successful exploits will allow attackers to obtain sensitive information. This may result in further attacks. The tool provides IP communications services capabilities for IP telephony, voice mail, and unified communications environments.
VAR-201709-0319 CVE-2017-14147 FiberHome User End Routers Bearing Model Number AN1020-25 security function vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered on FiberHome User End Routers Bearing Model Number AN1020-25 which could allow an attacker to easily restore a router to its factory settings by simply browsing to the link http://[Default-Router-IP]/restoreinfo.cgi and executing it. Due to improper authentication on this page, the software accepts the request, allowing the attacker to reset the router to its default configuration, which could later allow the attacker to log in to the router using the default username/password. The FiberHome User End Router AN1020-25 is a router from China's FiberHome. A security vulnerability exists in the FiberHome AN1020-25 router that causes the program to fail to perform authentication correctly. An attacker could use this vulnerability to restore the router to factory settings and log in to the router.
VAR-201709-1238 No CVE Multiple Huawei Products OSPF MaxAge LSA Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The AC6005 is a wireless access controller (AC) from Huawei Technologies Co., Ltd. The AR1200 and AR3200 are router products. The AR207 is the basic model of the Huawei AR200 series of enterprise routers. A denial of service vulnerability exists in the MaxAge LSA handling of the OSPF protocol in various Huawei products. When the device receives a specific LSA packet, the LS (Link Status) aging time is set to MaxAge, which is 3600 seconds. An attacker can exploit this vulnerability to poison the routing table and initiate a denial of service attack.
VAR-201709-1250 No CVE Principal Century NSAE Application Security Gateway arbitrary file download vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
NSAE Application Security Gateway is a hardware device independently developed by Principal Century to provide security proxy services for application systems. An arbitrary file download vulnerability exists in the Principal Century NSAE Application Security Gateway. An attacker could use this vulnerability to obtain sensitive information.
VAR-201709-1254 CVE-2017-7057 Dell laptop Waves MaxxAudio Command Execution Vulnerability CVSS V2: 6.9
CVSS V3: -
Severity: MEDIUM
Dell laptop is a portable computer from Dell Corporation of the United States. Waves MaxxAudio is an audio enhancement developed by Israel's Waves Audio. A security hole exists in Waves MaxxAudio on Dell laptops. A local attacker can exploit this vulnerability to execute arbitrary code.
VAR-201709-0684 CVE-2017-12221 Cisco Firepower Management Center cross-site scripting vulnerability CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the affected software. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code in the context of the affected system. Cisco Bug IDs: CSCvc38983. The vendor has confirmed this vulnerability and published it as Bug ID CSCvc38983. Information may be obtained and information may be altered. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
VAR-201709-1083 CVE-2017-6791 Cisco Unified Communications Manager Data processing vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A vulnerability in the Trust Verification Service (TVS) of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper handling of Transport Layer Security (TLS) traffic by the affected software. An attacker could exploit this vulnerability by generating incomplete traffic streams. A successful exploit could allow the attacker to deny access to the TVS for an affected device, resulting in a DoS condition, until an administrator restarts the service. Known Affected Releases 10.0(1.10000.24) 10.5(2.10000.5) 11.0(1.10000.10) 9.1(2.10000.28). Cisco Bug IDs: CSCux21905. Cisco Unified Communications Manager contains a data processing vulnerability. The vendor has confirmed this vulnerability and published it as Bug ID CSCux21905. Service operation may be interrupted (DoS). This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.
VAR-201710-0546 CVE-2017-15909 D-Link DGS-1500 Ax device firmware hard-coded credentials vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
D-Link DGS-1500 Ax devices before 2.51B021 have a hardcoded password, which allows remote attackers to obtain shell access. D-Link DGS-1500 Ax device firmware contains a vulnerability related to the use of hard-coded credentials. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). D-Link DGS-1500 Ax devices are switch devices from D-Link. D-Link DGS-1500 Ax products are prone to a security-bypass vulnerability. Attackers can exploit this issue to bypass the authentication mechanism and gain access to the vulnerable device. Versions prior to D-Link DGS-1500 Ax 2.51B021 are vulnerable.
VAR-201709-0872 CVE-2017-5698 Multiple Intel product firmware authorization, permissions, and access control vulnerability CVSS V2: 4.9
CVSS V3: 4.4
Severity: MEDIUM
Intel Active Management Technology, Intel Standard Manageability, and Intel Small Business Technology firmware versions 11.0.25.3001 and 11.0.26.3000 anti-rollback will not prevent upgrading to firmware version 11.6.x.1xxx, which is vulnerable to CVE-2017-5689; the upgrade can be performed by a local user with administrative privileges. Multiple Intel products are prone to an unspecified local privilege-escalation vulnerability. Local attackers can exploit this issue to gain administrative privileges. Intel Management Engine (ME) is Intel's management engine, which can remotely manage computers. A security vulnerability exists in Intel AMT, ISM, and SBT using firmware versions 11.0.25.3001 and 11.0.26.3000.
VAR-201709-0320 CVE-2017-14149 GoAhead NULL pointer dereference vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
GoAhead 3.4.0 through 3.6.5 has a NULL Pointer Dereference in the websDecodeUrl function in http.c, leading to a crash for a "POST / HTTP/1.1" request. GoAhead is a small, lightweight embedded web server from the American company Embedthis, which supports embedding in various devices and applications. A security vulnerability exists in the 'websDecodeUrl' function of the http.c file in GoAhead versions 3.4.0 to 3.6.5.
VAR-201804-1056 CVE-2017-7065 Multiple Apple products Wi-Fi component arbitrary code execution vulnerability CVSS V2: 5.8
CVSS V3: 8.8
Severity: HIGH
An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. macOS before 10.12.6 is affected. tvOS before 10.2.2 is affected. The issue involves the "Wi-Fi" component. It allows remote attackers to execute arbitrary code (on the Wi-Fi chip) or cause a denial of service (memory corruption) by leveraging proximity for 802.11. Google Android is prone to multiple security vulnerabilities. An attacker can leverage these issues to execute arbitrary code, gain sensitive information or gain elevated privileges. Failed exploit attempts may result in a denial of service condition.

Broadcom: Heap overflow when handling 802.11v WNM Sleep Mode Response (CVE-2017-7065)

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. In order to allow clients to configure themselves within a wireless network and exchange information about the network topology, peers support an additional set of standards called "Wireless Network Management" (WNM) 802.11v. Much of the information related to WNM is transferred by means of Wi-Fi Action Frames, using the WNM category (10). One such frame which is handled by Broadcom's firmware is the "WNM Sleep Mode Response" frame, which has the following general structure:

    ---------------------------------------------------------------------------
    | Category (10) | Action (17) | Dialog Token | Key Data Length | Key Data |
    ---------------------------------------------------------------------------
    offset 0        offset 1      offset 2       offset 3          offset 5 .. 5 + Key Data Length

(See 802.11-2016, 9.6.14.20 for more information.)

On the BCM4355C0 SoC with firmware version 9.44.78.27.0.1.56 the WNM Sleep Mode Response frame is handled by ROM function 0xC8380. This function verifies the dialog token (although that is a single byte field, so it can be easily brute-forced by an attacker if they do not know it in advance). Then, the function verifies that the "Key Data Length" field does not exceed the total frame's length. After performing these verifications, it calls an internal function (ROM 0xC8480) to install the GTK/IGTK. This function has the following approximate high-level logic:

    int function_C8480(..., uint8_t* body, int len) {
        // Validations
        uint8_t ie_len = body[1];
        if (!len)
            return 0;
        if (ie_len + 1 >= len)
            return -1;
        ...
        // Handle IGTK
        if (body[0] == 1) {
            ...
        }
        // Handle GTK
        else if (body[0] == 0) {
            uint8_t gtk_len = body[4];
            if (ie_len != gtk_len + 11)
                return -1;
            function_BC804(..., gtk_len, body + 13, ...);
        }
        ...
    }

As shown in the snippet above, the function validates that the length of the GTK in the embedded IE does not exceed the length of the IE itself (plus the metadata). However, the real restriction on the length of the GTK should be much shorter (in fact, I believe the maximal key size in 802.11 is restricted to 32 bytes). This possibly large GTK is then passed to an additional function which copies the GTK into a context structure, before passing it to a further function in order to actually install the key:

    int function_BC804(..., int gtk_len, char* gtk, ...) {
        ...
        context_struct->gtk_len = gtk_len;
        ...
        memcpy(context_struct->gtk, gtk, gtk_len);
        return function_C9C14(..., context_struct->gtk, context_struct->gtk_len, ...);
    }

    int function_C9C14(..., char* gtk, int gtk_len, ...) {
        ...
        char* key_buffer = malloc(164);
        ...
        memcpy(key_buffer + 8, gtk, gtk_len);
        ...
    }

As we can see above, the GTK is eventually copied into a heap buffer of size 164. Due to the validations performed above, the following restrictions apply:

    (1) Key Data Length + 5 < Frame Length
    (2) IE Length == GTK Length + 11

Therefore an attacker can set the "Key Data Length" field correctly, set "IE Length" to 255, and set the "GTK Length" to 244. By doing so, the GTK will be copied out of bounds into the heap buffer allocated in function_C9C14, thereby overflowing the heap chunk with attacker controlled data. I've been able to verify that this code path exists on various different firmware versions, including those present on the iPhone 7, Galaxy S7 Edge and the Nexus 6P. This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Found by: laginimaineb