VARIoT IoT vulnerabilities database

A Missing Encryption of Sensitive Data issue was discovered in PDQ Manufacturing LaserWash G5 and G5 S Series all versions, LaserWash M5, all versions, LaserWash 360 and 360 Plus, all versions, LaserWash AutoXpress and AutoExpress Plus, all versions, LaserJet, all versions, ProTouch Tandem, all versions, ProTouch ICON, all versions, and ProTouch AutoGloss, all versions. The username and password are transmitted insecurely. plural PDQ Manufacturing The product contains cryptographic vulnerabilities.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. PDQ Manufacturing LaserWash G5 and others are all automotive automatic cleaning equipment from PDQ Manufacturing. There are security vulnerabilities in several PDQ products due to the failure of the program to pass the username and password in a secure manner. An attacker can use this vulnerability to gain access to the system and issue commands that affect the normal operation of the system. An authentication bypass vulnerability 2

A vulnerability has been identified in some Lenovo products that use UEFI (BIOS) code developed by American Megatrends, Inc. (AMI). With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V. American Megatrends, Inc. LenovoIdeaCentre300-20ISH and so on are all products of China Lenovo. The LenovoIdeaCentre300-20ISH is a desktop computer; the ThinkServerRD540 is a server device. BIOSSMIHandler is one of the management information structure handlers. A security vulnerability exists in BIOSSMIHandler in several Lenovo products due to a program failing to perform input validation. A local attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Lenovo IdeaCentre 300-20ISH, etc. There is a security vulnerability in the BIOS SMI Handler in several Lenovo products. The following versions are affected: Lenovo IdeaCentre 300-20ISH; Lenovo M4550 ID; ThinkCentre E73s; ThinkCentre M4500k; ThinkServer RD540; ThinkServer TS140; Thinkstation P510; Thinkstation P910, etc

NetComm Wireless 4GT101W routers with Hardware: 0.01 / Software: V1.1.8.8 / Bootloader: 1.1.3 are vulnerable to stored cross-site scripting attacks. Creating an SSID with an XSS payload results in successful exploitation. NetComm Wireless 4GT101W Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. NetCommWireless4GT101Wrouters is a wireless router product from NetCommWireless, Australia. A remote attacker can exploit this vulnerability to inject arbitrary web scripts or HTML

NetComm Wireless 4GT101W routers with Hardware: 0.01 / Software: V1.1.8.8 / Bootloader: 1.1.3 are vulnerable to CSRF attacks, as demonstrated by using administration.html to disable the firewall. They does not contain any token that can mitigate CSRF vulnerabilities within the device. NetComm Wireless 4GT101W Contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NetCommWireless4GT101Wrouters is a wireless router product from NetCommWireless, Australia. A cross-site request forgery vulnerability exists in the NetCommWireless4GT101W router running hardware version 0.01/software version 1.1.8.8/bootloader version 1.1.3. A remote attacker could exploit this vulnerability to perform unauthorized operations

Cross-site request forgery (CSRF) vulnerability in DrayTek Vigor AP910C devices with firmware 1.2.0_RC3 build r6594 allows remote attackers to hijack the authentication of unspecified users for requests that enable SNMP on the remote device via vectors involving goform/setSnmp. DrayTek Vigor AP910C The device firmware contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. DrayTekVigorAP910Cdevices is a firewall-enabled wireless router product from DrayTek. A remote attacker could exploit this vulnerability to open SNMP on a remote device

Cross-site scripting (XSS) vulnerability in DrayTek Vigor AP910C devices with firmware 1.2.0_RC3 build r6594 allows remote attackers to inject arbitrary web script or HTML via vectors involving home.asp. DrayTek Vigor AP910C The device firmware contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. DrayTekVigorAP910Cdevices is a firewall-enabled wireless router product from DrayTek

WN-AX1167GR firmware version 3.00 and earlier uses hardcoded credentials which may allow an attacker that can access the device to execute arbitrary code on the device. WN-AX1167GR provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-AX1167GR contains multiple vulnerabilities listed below. * Hard-coded credentials (CWE-798) - CVE-2017-2280 * OS command injection (CWE-78) - CVE-2017-2281 * Buffer overflow (CWE-119) - CVE-2017-2282 Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. A buffer overflow vulnerability exists in WN-AX1167GR using firmware version 3.00 and earlier. An attacker could exploit this vulnerability to execute arbitrary commands

WN-AX1167GR firmware version 3.00 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors. WN-AX1167GR provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-AX1167GR contains multiple vulnerabilities listed below. * Hard-coded credentials (CWE-798) - CVE-2017-2280 * OS command injection (CWE-78) - CVE-2017-2281 * Buffer overflow (CWE-119) - CVE-2017-2282 Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.The possible impact of each vulnerability is as follows: * A user with access to the network that is connected to the affected device may execute arbitrary code on the device - CVE-2017-2280 * A user with access to the affected device may execute an arbitrary command - CVE-2017-2281 * If a user views a specially crafted page while logged into the affected device, an arbitrary command may be executed - CVE-2017-2282

Buffer overflow in WN-AX1167GR firmware version 3.00 and earlier allows an attacker to execute arbitrary commands via unspecified vectors. WN-AX1167GR provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-AX1167GR contains multiple vulnerabilities listed below. * Hard-coded credentials (CWE-798) - CVE-2017-2280 * OS command injection (CWE-78) - CVE-2017-2281 * Buffer overflow (CWE-119) - CVE-2017-2282 Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.The possible impact of each vulnerability is as follows: * A user with access to the network that is connected to the affected device may execute arbitrary code on the device - CVE-2017-2280 * A user with access to the affected device may execute an arbitrary command - CVE-2017-2281 * If a user views a specially crafted page while logged into the affected device, an arbitrary command may be executed - CVE-2017-2282

WN-G300R3 firmware version 1.0.2 and earlier uses hardcoded credentials which may allow an attacker that can access the device to execute arbitrary code on the device. WN-G300R31 provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-G300R3 uses hard-coded credentials (CWE-798). Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. A hard-coded credential vulnerability exists in I-ODATADEVICEWN-G300R3 with firmware version 1.0.2 and earlier. The vulnerability stems from the fact that the program uses a hard-coded certificate

Untrusted search path vulnerability in NFC Port Software Version 5.5.0.6 and earlier (for RC-S310, RC-S320, RC-S330, RC-S370, RC-S380, RC-S380/S), NFC Port Software Version 5.3.6.7 and earlier (for RC-S320, RC-S310/J1C, RC-S310/ED4C), PC/SC Activator for Type B Ver.1.2.1.0 and earlier, SFCard Viewer 2 Ver.2.5.0.0 and earlier, NFC Net Installer Ver.1.1.0.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. PaSoRi provided by Sony Corporation is contactless IC card reader/writer. Installers of PaSoRi driver and other related software for Windows contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.Arbitrary code may be executed with the privilege of the user invoking the installer. Sony NFC Port Software, etc. are all products of Sony Corporation of Japan. Sony NFC Port Software is a set of NFC interface software. PC/SC Activator for Type B is a Type B interface support software. An untrusted search path vulnerability exists in several Sony products. A remote attacker can exploit this vulnerability to obtain permissions with the help of malicious DLLs in the directory

Techroutes TR 1803-3G Wireless Cellular Router/Modem 2.4.25 devices do not possess any protection against a CSRF vulnerability, as demonstrated by a goform/BasicSettings request to disable port filtering. Techroutes TR 1803-3G Wireless Cellular Router/Modem Contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. TechroutesTR1803-3GWirelessCellularRouter/Modem is a wireless router from India TechroutesNework. A security vulnerability exists in the TechroutesTR1803-3GWirelessCellularRouter/Modem2.4.25 release that caused the program to fail to enforce cross-site request forgery. A remote attacker could exploit this vulnerability to perform unauthorized operations

Cisco IOS 12.0 through 15.6, Adaptive Security Appliance (ASA) Software 7.0.1 through 9.7.1.2, NX-OS 4.0 through 12.0, and IOS XE 3.6 through 3.18 are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated, remote attacker to take full control of the OSPF Autonomous System (AS) domain routing table, allowing the attacker to intercept or black-hole traffic. The attacker could exploit this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause the targeted router to flush its routing table and propagate the crafted OSPF LSA type 1 update throughout the OSPF AS domain. To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast OSPF LSA type 1 packets. No other LSA type packets can trigger this vulnerability. OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability. Cisco Bug IDs: CSCva74756, CSCve47393, CSCve47401. Vendors have confirmed this vulnerability Bug ID CSCva74756 , CSCve47393 ,and CSCve47401 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco Nexus 7000 Series Switches, etc. are products of Cisco. OSPFLSAManipulation is one of the OSPF control components. A security vulnerability exists in OSPFLSAManipulation in several Cisco products. This may aid in further attacks

An industry-wide vulnerability has been identified in the implementation of the Open Shortest Path First (OSPF) routing protocol used on some Lenovo switches. Exploitation of these implementation flaws may result in attackers being able to erase or alter the routing tables of one or many routers, switches, or other devices that support OSPF within a routing domain. Part of Lenovo and IBM Switch Open Shortest Path First (OSPF) Routing protocol implementations have input validation vulnerabilities and data integrity validation vulnerabilities.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. LenovoFlexSystemFabricCN409310GbConvergedScalableSwitch, etc. are all switch devices of China Lenovo. IBM1GL2-7SLBswitchforBladecenter and so on are all IBM IBM switch devices. A number of security vulnerabilities exist in OpenShortestPathFirst (OSPF) routingprotocol implementations in Lenovo and IBM NetworkingSwitches. An attacker could use this vulnerability to delete and change routing tables. Lenovo and IBM Networking Switches are prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks

Incorrect check in Intel processors from 6th and 7th Generation Intel Core Processor Families, Intel Xeon E3-1500M v5 and v6 Product Families, and Intel Xeon E3-1200 v5 and v6 Product Families allows compromised system firmware to impact SGX security via incorrect early system state. Intel The processor contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Multiple Lenovo Products are prone to a local privilege escalation vulnerability. A local attacker can leverage this issue to gain elevated privileges. Intel NUC7i3BNK (KBL) and so on are mini desktops of Intel Corporation of the United States. Several Intel products have security vulnerabilities. Attackers can exploit this vulnerability to control the system firmware and affect the security of SGX. The following products are affected: Intel NUC7i3BNK (KBL); NUC7i5BNK; NUC7i7BNH; STK2MV64CC (SKL); STK2M3W64CC (SKL); NUC6i7KYK (SKL); NUC6i3SYK (SKL); R1208SPOSHORR; Intel Server System LR1304SPCFG1R; Intel Server System R1208SPOSHOR; Intel Server Board S1200SPSR; Intel Server Board S1200SPOR; S1200SPLR; Intel Server System R1304SPOSHBNR. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesb3p03767en_us SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: hpesb3p03767en_us Version: 1 HPESB3P03767 rev.1 - HPE Proliant ML10 Gen9 servers using Intel Xeon E3-1200M v5 and 6th Generation Intel Core Processors, Unauthorized Write to Filesystem NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2017-08-03 Last Updated: 2017-08-03 Potential Security Impact: Local: Unauthorized Write Access to the File System; Remote: Unauthorized Write Access to the File System Source: Hewlett Packard Enterprise, Product Security Response Team VULNERABILITY SUMMARY A potential security problem has been identified in HPE Proliant ML10 Gen9 server using Intel Xeon E3-1200M v5 and 6th Generation Intel Core Processors. The vulnerability could allow a remote unauthorized attacker to write to file systems. References: - CVE-2017-5691 - Intel SGX Update and Attestation Key Recovery SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. - HPE ProLiant ML10 Gen9 E3-1225 v5 3.3GHz 4-core 8GB-R 1TB Non-hot Plug 4LFF SATA 300W AP Svr/Promo SP - HPE ProLiant ML10 Gen9 E3-1225 v5 4GB-R 1TB Non-hot Plug 4LFF SATA 300W Svr/S-Buy SP - HPE ProLiant ML10 Gen9 E3-1225 v5 8GB-R 1TB Non-hot Plug 4LFF SATA 300W Perf Svr SP - HPE ProLiant ML10 Gen9 E3-1225 v5 8GB-R 2TB Non-hot Plug 4LFF SATA 300W Svr/GO SP - HPE ProLiant ML10 Gen9 E3-1225 v5 8GB-R 2TB Non-hot Plug 4LFF SATA 300W Svr/TV SP - HPE ProLiant ML10 Gen9 G4400 4GB-R Non-hot Plug 4LFF SATA 300W Entry Svr SP BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2017-5691 8.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499 RESOLUTION HPE has provided the following update: * Update to ML10 Gen 9 BIOS 1.07, which contains the 0xBA microcode update, will patch the SGX security issue. Available for download at this link: - <https://www.hpe.com/global/swpublishing/MTX-df1494b3e9df455caf95a63c42> **Note:** Please contact HPE Technical Support if any assistance is needed with this information. HISTORY Version:1 (rev.1) - 4 August 2017 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX Copyright 2016 Hewlett Packard Enterprise Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJZg4xWAAoJELXhAxt7SZaijWIH/1bWATsLRK3sL2+urTNKGBnG gvVj0Oej02UmL1NY2sOeRJGV5ZO7NOvHlw7/+xgVEWaAOnlMgU22FEFOz7pMaSst MSgLWpraxYkh6uyncQjlaXQKgm+icOT6R/zDOYgw3Wm+GdyTO1eFXVpKGgCiTb24 /Bs12WZdvTDXefjHHbgR1T29EIzLtswFWNezsBQSLoy+CJ64tdtUAoyMi5hZjG7k 09dFJQ2PDIU8zRaa1+eiHzX1Qg5avT+L37aFdWQrd6+yXzsmh3xWqHUdnwUrqwZe DcC6XLY9TBbv1znuzSHhSY2cSwWZdIMb776C/90GDfXD78YDv05LFmxFBonTVKQ= =igsr -----END PGP SIGNATURE-----

A memory leak was found in the way SIPcrack 0.2 handled processing of SIP traffic, because a lines array was mismanaged. A remote attacker could potentially use this flaw to crash long-running sipdump network sniffing sessions. sipcrack Contains a buffer error vulnerability.Denial of service (DoS) May be in a state. SIPcrack is a VoIP scanning and detection tool for penetration testing. A memory leak vulnerability exists in the SIPcrack0.2 release. Debian SIPcrack Package is prone to a denial-of-service vulnerability. Debian SIPcrack Package 0.2 is vulnerable; other versions may also be affected

An out-of-bounds read and write flaw was found in the way SIPcrack 0.2 processed SIP traffic, because 0x00 termination of a payload array was mishandled. A remote attacker could potentially use this flaw to crash the sipdump process by generating specially crafted SIP traffic. sipcrack Contains an out-of-bounds vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Debian SIPcrack Package is prone to a denial-of-service vulnerability. An attacker may exploit this issue to crash the sipdump process, resulting in a denial-of-service condition. Debian SIPcrack Package 0.2 is vulnerable; other versions may also be affected

An information leak exists in Wanscam's HW0021 network camera that allows an unauthenticated remote attacker to recover the administrator username and password via an ONVIF GetSnapshotUri request. Wanscam HW0021 Network cameras contain vulnerabilities related to certificate and password management.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. WanscamHW0021 is a network camera product from China Wanscam. An information disclosure vulnerability exists in WanscamHW0021

A vulnerability in the Autonomic Networking feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause autonomic nodes of an affected system to reload, resulting in a denial of service (DoS) condition. More Information: CSCvd88936. Known Affected Releases: Denali-16.2.1 Denali-16.3.1. Cisco IOS software and Cisco IOS XE The software has unspecified vulnerabilities. Vendors may Bug ID CSCvd88936 It is published as.Service operation interruption (DoS) It may be in a state. Cisco IOS/IOSXESoftware's AutonomicNetworking feature has a security vulnerability that allows remote attackers to exploit a vulnerability to submit a special request for a denial of service attack. An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users. This issue is tracked by Cisco Bug ID CSCvd88936

A vulnerability in the Autonomic Networking feature of Cisco IOS XE Software could allow an unauthenticated, remote, autonomic node to access the Autonomic Networking infrastructure of an affected system, after the certificate for the autonomic node has been revoked. This vulnerability affected devices that are running Release 16.x of Cisco IOS XE Software and are configured to use Autonomic Networking. This vulnerability does not affect devices that are running an earlier release of Cisco IOS XE Software or devices that are not configured to use Autonomic Networking. More Information: CSCvd22328. Known Affected Releases: 15.5(1)S3.1 Denali-16.2.1. Vendors have confirmed this vulnerability Bug ID CSCvd22328 It is released as.Information may be tampered with. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Cisco IOSXESoftware's AutonomicNetworking feature has a security vulnerability that allows remote attackers to exploit a vulnerability to submit a special request revocation certificate for attack. An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. This issue is being tracked by Cisco Bug ID: CSCvd2232