VARIoT IoT vulnerabilities database

A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the affected software. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code in the context of the affected system. Cisco Bug IDs: CSCvc38983. Vendors have confirmed this vulnerability Bug ID CSCvc38983 It is released as.Information may be obtained and information may be altered. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks

A vulnerability in the Trust Verification Service (TVS) of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper handling of Transport Layer Security (TLS) traffic by the affected software. An attacker could exploit this vulnerability by generating incomplete traffic streams. A successful exploit could allow the attacker to deny access to the TVS for an affected device, resulting in a DoS condition, until an administrator restarts the service. Known Affected Releases 10.0(1.10000.24) 10.5(2.10000.5) 11.0(1.10000.10) 9.1(2.10000.28). Cisco Bug IDs: CSCux21905. Cisco Unified Communications Manager Contains a data processing vulnerability. Vendors have confirmed this vulnerability Bug ID CSCux21905 It is released as.Service operation interruption (DoS) There is a possibility of being put into a state. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution

D-Link DGS-1500 Ax devices before 2.51B021 have a hardcoded password, which allows remote attackers to obtain shell access. D-Link DGS-1500 Ax Device firmware contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. D-LinkDGS-1500Axdevices is a switch device from D-Link. D-Link DGS-1500 Ax Products are prone to a security-bypass vulnerability. Attackers can exploit this issue to bypass the authentication mechanism and gain access to the vulnerable device. Versions prior to D-Link DGS-1500 Ax 2.51B021 are vulnerable

Intel Active Management Technology, Intel Standard Manageability, and Intel Small Business Technology firmware versions 11.0.25.3001 and 11.0.26.3000 anti-rollback will not prevent upgrading to firmware version 11.6.x.1xxx which is vulnerable to CVE-2017-5689 and can be performed by a local user with administrative privileges. Multiple Intel products are prone to an unspecified local privilege-escalation vulnerability. Local attackers can exploit this issue to gain administrative privileges. Intel Management Engine (ME) is a management engine of Intel Corporation, which can remotely manage computers. A security vulnerability exists in Intel AMT, ISM, and SBT using firmware versions 11.0.25.3001 and 11.0.26.3000

GoAhead 3.4.0 through 3.6.5 has a NULL Pointer Dereference in the websDecodeUrl function in http.c, leading to a crash for a "POST / HTTP/1.1" request. GoAhead is a small and exquisite embedded Web server of American Embedthis Company, which supports embedding in various devices and applications. There is a security vulnerability in the 'websDecodeUrl' function of the http.c file in GoAhead versions 3.4.0 to 3.6.5

An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. macOS before 10.12.6 is affected. tvOS before 10.2.2 is affected. The issue involves the "Wi-Fi" component. It allows remote attackers to execute arbitrary code (on the Wi-Fi chip) or cause a denial of service (memory corruption) by leveraging proximity for 802.11. Google Android is prone to multiple security vulnerabilities. An attacker can leverage these issues to execute arbitrary code, gain sensitive information or gain elevated privileges. Failed exploit attempts may result in a denial of service condition. Broadcom: Heap overflow when handling 802.11v WNM Sleep Mode Response CVE-2017-7065 Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. In order to allow clients to configure themselves within a wireless network and exchange information about the network topology, peers support an additional set of standards called "Wireless Network Management" (WNM) 802.11v. Much of the information related to WNM is transferred by means of Wi-Fi Action Frames, using the WNM category (10). One such frame which is handled by Broadcom's firmware is the "WNM Sleep Mode Response" frame, which has following general structure: --------------------------------------------------------------------------- | Category (10) | Action (17) | Dialog Token | Key Data Length | Key Data | --------------------------------------------------------------------------- 0 1 2 3 5 5 + Key Data Length (See 802.11-2016, 9.6.14.20 for more information). On the BCM4355C0 SoC with firmware version 9.44.78.27.0.1.56 the WNM Sleep Mode Response frame is handled by ROM function 0xC8380. This function verifies the dialog token (although that is a single byte field, so it can be easily brute-forced by an attacker if they do not know it in advance). Then, the function verifies that the "Key Data Length" field does not exceed the total frame's length. After performing these verifications, it calls an internal function (ROM 0xC8480) to install the GTK/IGTK. This function has the following approximate high-level logic: int function_C8480(..., uint8_t* body, int len) { //Validations uint8_t ie_len = body[1]; if (!len) return 0; if (ie_len + 1 >= len) return -1; ... //Handle IGTK if (body[0] == 1) { ... } //Handle GTK else if (body[0] == 0) { uint8_t gtk_len = body[4]; if ( ie_len != gtk_len + 11 ) return -1; function_BC804(..., gtk_len, body + 13, ...); } ... } As shown in the snippet above, the function validates that the length of the GTK in the embedded IE does not exceed the length of the IE itself (plus the metadata). However, the real restriction on the length of the GTK should be much shorter (in fact, I believe the maximal key size in 802.11 is restricted to 32 bytes). This possibly large GTK is then passed to an additional function which copies the GTK into a context structure, before passing it to an addition function in order to actually install the key: int function_BC804(..., int gtk_len, char* gtk, ...) { ... context_struct->gtk_len = gtk_len; ... memcpy(context_struct->gtk, gtk, gtk_len); return function_C9C14(..., context_struct->gtk, context_struct->gtk_len, ...); } int function_C9C14(..., char* gtk, int gtk_len, ...) { ... char* key_buffer = malloc(164); ... memcpy(key_buffer + 8, gtk, gtk_len); ... } As we can see above, the GTK is eventually copied into a heap buffer of size 164. Due to the validations performed above, the following restrictions apply: (1) Key Data Length + 5 < Frame Length (2) IE Length + 11 == GTK Length Therefore an attacker can set the "Key Data Length" field correctly, set "IE Length" to 255, and set the "GTK Length" to 244. By doing so, the GTK will be copied out of bounds into the heap buffer allocated in function_C9C14, thereby overflowing the heap chunk with attacker controlled data. I've been able to verify that this code path exists on various different firmware versions, including those present on the iPhone 7, Galaxy S7 Edge and the Nexus 6P. This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Found by: laginimaineb

A information disclosure vulnerability in the Broadcom wi-fi driver. Product: Android. Versions: Android kernel. Android ID: A-37305578. References: B-V2017052301. This vulnerability Android ID: A-37305578 and Broadcom B-V2017052301 It is published asInformation may be obtained. Google Android is prone to multiple security vulnerabilities. An attacker can leverage these issues to execute arbitrary code, gain sensitive information or gain elevated privileges. Failed exploit attempts may result in a denial of service condition

Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Any user can upload files with any extensions. By uploading a PHP file to the server, an attacker can cause it to execute in the server context, as demonstrated by /itplus/FileStorage/302/shell.jsp. Zoho ManageEngine Firewall Analyzer Contains a vulnerability related to unlimited uploads of dangerous types of files.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ManageEngine Firewall Analyzer is prone to an arbitrary file-upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application or privilege escalation. ManageEngine Firewall Analyzer 12200 is vulnerable; other versions may also be affected. Zoho ManageEngine Firewall Analyzer is a set of web-based firewall log analysis tools from Zoho, USA. It can collect, correlate analysis and report logs on firewalls, proxy servers and Radius servers throughout the enterprise. Group Chat is one of the team communication tools

A vulnerability to denial-of-service attacks was found in JP1 and Hitachi IT Operations Director.An attacker may conduct denial-of-service attacks.

Command Injection in the Ping Module in the Web Interface on Technicolor TD5336 OI_Fw_v7 devices allows remote attackers to execute arbitrary OS commands as root via shell metacharacters in the pingAddr parameter to mnt_ping.cgi. Technicolor TD5336 Is OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. TechnicolorTD5336OI_Fw_v7devices is a modem from Technicolor, France. A command injection vulnerability exists in the WebModface's PingModule on the TechnicolorTD5336OI_Fw_v7 device

The modern agricultural park meteorological information comprehensive management system is a weather system suitable for agriculture. Chongqing Lanyu Tianchen Technology Co., Ltd.'s modern agricultural park meteorological information integrated management system has unauthorized access and weak password loopholes. An attacker could use the vulnerability to obtain sensitive information or perform unauthorized operations.

Maya-L02,VKY-L09,VTR-L29,Vicky-AL00A,Victoria-AL00A,Warsaw-AL00 smart phones with software of earlier than Maya-L02C636B126 versions,earlier than VKY-L29C10B151 versions,earlier than VTR-L29C10B151 versions,earlier than Vicky-AL00AC00B162 versions,earlier than Victoria-AL00AC00B167 versions,earlier than Warsaw-AL00C00B200 versions have a Factory Reset Protection (FRP) bypass security vulnerability. When re-configuring the mobile phone using the factory reset protection (FRP) function, an attacker can login the configuration flow by some secret code and can perform some operations to update the Google account. As a result, the FRP function is bypassed. Huawei Smartphone software contains vulnerabilities related to authorization, permissions, and access control.Information may be tampered with. Maya-L02, VKY-L09, Vicky-AL00A, and Warsaw-AL00 are all smartphones of Huawei. Huawei Maya-L02 and others are smartphone products of China Huawei (Huawei). There are security vulnerabilities in many Huawei products. The following products and versions are affected: Huawei Maya-L02 prior to Maya-L02C636B126; VKY-L09 prior to VKY-L29C10B151; VTR-L29 prior to VTR-L29C10B151; Vicky-AL00A prior to Vicky-AL00AC00B162; AL00A Victoria-AL00AC00B167 prior to Warsaw-AL00 Warsaw-AL00C00B200 prior

Huawei Honor 5S smart phones with software the versions before TAG-TL00C01B173 have a Factory Reset Protection (FRP) bypass security vulnerability due to the improper design. An attacker can access factory reset page without authorization by only dial with special code. The attacker can exploit this vulnerability to restore the phone to factory settings. Huawei Honor 5S Smartphone software has a security check vulnerability.Information may be tampered with. HuaweiHonor5S is a smartphone from China's Huawei company

Arris Modems are modems made by telecommunications equipment maker Arris. They are specially designed for AT & T home users. Arris Modems has a hard-coded backdoor vulnerability. An attacker can obtain the serial number of the device and use the account password "bdctest / bdctest" to access the device on port 61001, thereby obtaining information such as WiFi passwords and device MAC addresses.

Arris Modems is a modem produced by telecommunications equipment manufacturer Arris, a network access device customized for AT&T home users. Arris Modems has a hard-coded backdoor vulnerability. The Arris modem has a built-in web server. The attacker can access the background management panel by using the "tech/empty" account password through port 49955.

Arris Modems is a modem produced by telecommunications equipment manufacturer Arris, a network access device customized for AT&T home users. Arris Modems has a hard-coded backdoor vulnerability. The modem enables SSH by default and allows Internet connections. Attackers use the built-in default account password "remotessh/5SaP9I26" to access, and can directly obtain ROOT permissions and perform arbitrary operations.

In Ice Qube Thermal Management Center versions prior to version 4.13, the web application does not properly authenticate users which may allow an attacker to gain access to sensitive information. Ice Qube Thermal Management Center Contains an authentication vulnerability.Information may be obtained. The program includes email notifications, remote management, LCD display and temperature alarms. Attackers may exploit these issues to gain unauthorized access to the affected device or to obtain sensitive information that may aid in launching further attacks

An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network. ALC WebCTRL , i-Vu ,and SiteScan Web Is XML An external entity vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. AutomatedLogic provides a complete set of building electrical and mechanical control systems for the majority of users, including central air conditioning automatic control, power distribution monitoring, water supply and drainage monitoring, lighting monitoring and elevator monitoring. The system has been widely used in the United States, China and other regions. There are XML external entity vulnerabilities in multiple devices of AutomatedLogicCorporation. Attackers can exploit this issue to gain access to sensitive information or cause denial-of-service condition

MoxaSoftCMSLiveViewer is a video surveillance software designed for industrial automation systems. A SQL injection vulnerability exists in MoxaSoftCMSLiveViewer 1.6 and earlier. An attacker exploits a vulnerability to access SoftCMS without knowing the user's password. Moxa SoftCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Versions prior to Moxa SoftCMS 1.7 are vulnerable

An Improper Input Validation issue was discovered in Rockwell Automation FactoryTalk Alarms and Events, Version 2.90 and earlier. An unauthenticated attacker with remote access to a network with FactoryTalk Alarms and Events can send a specially crafted set of packets packet to Port 403/TCP (the history archiver service), causing the service to either stall or terminate. Rockwell Automation is a solution provider for industrial automation, control and information technology. An attacker can exploit this issue to cause denial-of-service condition. FactoryTalk Alarms and Events 2.90 and prior are vulnerable. Rockwell Automation Studio 5000 Logix Designer, FactoryTalk View SE and FactoryTalk Services are all products of Rockwell Automation, USA. Rockwell Automation Studio 5000 Logix Designer is an application program used to configure and maintain the controller; FactoryTalk View SE is a set of human-machine interface software; FactoryTalk Services is a set of production and performance management platform. The following products and versions are affected: Rockwell Automation Studio 5000 Logix Designer 24 and later, FactoryTalk View SE version 5.00, FactoryTalk Services