VARIoT IoT vulnerabilities database

Blipcare Wifi blood pressure monitor BP700 10.1 devices allow memory corruption that results in Denial of Service. When connected to the "Blip" open wireless connection provided by the device, if a large string is sent as a part of the HTTP request in any part of the HTTP headers, the device could become completely unresponsive. Presumably this happens as the memory footprint provided to this device is very small. According to the specs from Rezolt, the Wi-Fi module only has 256k of memory. As a result, an incorrect string copy operation using either memcpy, strcpy, or any of their other variants could result in filling up the memory space allocated to the function executing and this would result in memory corruption. To test the theory, one can modify the demo application provided by the Cypress WICED SDK and introduce an incorrect "memcpy" operation and use the compiled application on the evaluation board provided by Cypress semiconductors with exactly the same Wi-Fi SOC. The results were identical where the device would completely stop responding to any of the ping or web requests. An attacker could exploit this vulnerability to cause a denial of service

D-Link EyeOn Baby Monitor (DCS-825L) 1.08.1 has a remote code execution vulnerability. A UDP "Discover" service, which provides multiple functions such as changing the passwords and getting basic information, was installed on the device. A remote attacker can send a crafted UDP request to finderd to perform stack overflow and execute arbitrary code with root privilege on the device. D-Link EyeOn Baby Monitor (DCS-825L) Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The EyeOnBabyMonitorDCS-825L is a baby monitor from D-Link. # Vulnerability Type Buffer Overflow # Affected Product Code Base DCS-825L EyeOn Baby Monitor - 1.08.1 # Affected Component finderd daemon (Device Discovery) # Attack Type Remote # Attack Vectors Send crafted UDP packets to overflow buffer and lead to remote code execution # Discoverer Dove Chiu (Trend Micro) and Kenney Lu (Trend Micro) # Vulnerability Details A UDP aDiscovera service, which provides multiple functions such as changing the passwords and getting basic information, was installed on the device. Reference: https://documents.trendmicro.com/assets/tech_brief_Device_Vulnerabilities_in_the_Connected_Home2.pdf # Status Fixed in the latest beta firmware <table class="TM_EMAIL_NOTICE"><tr><td><pre> TREND MICRO EMAIL NOTICE The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system. </pre></td></tr></table>

An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors. Synology DiskStation Manager (DSM) Contains an information disclosure vulnerability.Information may be obtained. Synology DiskStation Manager (DSM) is an operating system developed by Synology for network storage servers (NAS). The operating system can manage data, documents, photos, music and other information

A design flaw in SYNO.API.Encryption in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to bypass the encryption protection mechanism via the crafted version parameter. Synology DiskStation Manager (DSM) Contains a cryptographic vulnerability.Information may be obtained. Synology DiskStation Manager (DSM) is an operating system developed by Synology for network storage servers (NAS). The operating system can manage data, documents, photos, music and other information. There is a security vulnerability in SYNO.API.Encryption in versions earlier than Synology DSM 6.1.3-15152

On Cisco DDR2200 ADSL2+ Residential Gateway DDR2200B-NA-AnnexA-FCC-V00.00.03.45.4E and DDR2201v1 ADSL2+ Residential Gateway DDR2201v1-NA-AnnexA-FCC-V00.00.03.28.3 devices, there is remote command execution via shell metacharacters in the pingAddr parameter to the waitPingqry.cgi URI. The command output is visible at /PingMsg.cmd. Cisco DDR2200 ADSL2+ Residential Gateway and DDR2201v1 ADSL2+ Residential Gateway Devices have vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Cisco DDR2200ADSL2+ResidentialGateway and DDR2201v1ADSL2+ResidentialGateway are home wireless gateway devices from Cisco. A remote code execution vulnerability exists in the device for the Cisco DDR2200ADSL2+ResidentGatewayDDR2200B-NA-AnnexA-FCC-V00.00.03.45.4E and DDR2201v1ADSL2+ResidentialGatewayDDR2201v1-NA-AnnexA-FCC-V00.00.03.28.3 devices. A remote attacker can exploit this vulnerability to execute arbitrary code by sending a 'pingAddr' parameter with a shell metacharacter to waitPingqry.cgiURL. This may aid in further attacks

Stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center), all versions ranging from HASP SRM 2.10 to Sentinel LDK 7.50, allows remote attackers to execute arbitrary code via language packs containing filenames longer than 1024 characters. Sentinel LDK Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SIMATIC WinCC is an automated data acquisition and monitoring control (SCADA) system. Gemalto Sentinel LDK RTE is a software protection and licensing solution. Gemalto Sentinel License Manager is prone to the following security vulnerabilities: 1. Multiple stack-based buffer-overflow vulnerabilities. 2. Multiple heap-based buffer-overflow vulnerabilities. 3. A security bypass vulnerability. 4. A denial-of-service vulnerability. Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application or perform unauthorized actions. Failed exploit attempts will likely cause a denial-of-service condition. The following Sentinel License Manger services are affected: Gemalto HASP SRM Gemalto Sentinel HASP Gemalto Sentinel LDK products prior to Sentinel LDK RTE 7.55

Buffer overflow in hasplms in Gemalto ACC (Admin Control Center), all versions ranging from HASP SRM 2.10 to Sentinel LDK 7.50, allows remote attackers to shut down the remote process (a denial of service) via a language pack (ZIP file) with invalid HTML files. Sentinel LDK Contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. SIMATIC WinCC is an automated data acquisition and monitoring control (SCADA) system. Gemalto Sentinel LDK RTE is a software protection and licensing solution. A denial of service vulnerability exists in the SIEMENS SIMATIC WinCC Add-On Gemalto Sentinel LDK RTE component. Gemalto Sentinel License Manager is prone to the following security vulnerabilities: 1. Multiple stack-based buffer-overflow vulnerabilities. 2. Multiple heap-based buffer-overflow vulnerabilities. 3. A security bypass vulnerability. 4. A denial-of-service vulnerability. Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application or perform unauthorized actions. Failed exploit attempts will likely cause a denial-of-service condition. The following Sentinel License Manger services are affected: Gemalto HASP SRM Gemalto Sentinel HASP Gemalto Sentinel LDK products prior to Sentinel LDK RTE 7.55

The NETGEARDGN2200 is an ADSL router device. There is a command injection vulnerability in NetgearDGN2200dnslookup.cgi. The module allows an attacker to exploit a vulnerability to inject arbitrary commands by sending a specially crafted publish request with valid login details.

Stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center), all versions ranging from HASP SRM 2.10 to Sentinel LDK 7.50, allows remote attackers to execute arbitrary code via malformed ASN.1 streams in V2C and similar input files. Sentinel LDK Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SIMATIC WinCC is an automated data acquisition and monitoring control (SCADA) system. Gemalto Sentinel LDK RTE is a software protection and licensing solution. Gemalto Sentinel License Manager is prone to the following security vulnerabilities: 1. Multiple stack-based buffer-overflow vulnerabilities. 2. Multiple heap-based buffer-overflow vulnerabilities. 3. A security bypass vulnerability. 4. A denial-of-service vulnerability. Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application or perform unauthorized actions. Failed exploit attempts will likely cause a denial-of-service condition. The following Sentinel License Manger services are affected: Gemalto HASP SRM Gemalto Sentinel HASP Gemalto Sentinel LDK products prior to Sentinel LDK RTE 7.55

passwd_recovery.lua on the TP-Link Archer C9(UN)_V2_160517 allows an attacker to reset the admin password by leveraging a predictable random number generator seed. This is fixed in C9(UN)_V2_170511. TP-LinkArcherC9 (UN) is a wireless router product of China TP-LINK. A security vulnerability exists in the passwd_recovery.lua file in the TP-LinkArcherC9(UN) V2_160517 release. TP-Link Archer C9 Router is prone to a security-bypass vulnerability. Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions. TP-Link Archer C9(UN)_V2_160517 is vulnerable; other versions may also be affected

Cross-Site Request Forgery (CSRF) exists in Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb, as demonstrated by a request to ajax.cgi that enables UPnP. The GreenPacketDX-350 is a network access point device from GreenPacket, USA. A remote attacker can exploit the vulnerability to perform unauthorized operations by sending a request to the ajax.cgi file

Cross-Site Scripting (XSS) exists in Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb, as demonstrated by the action parameter to ajax.cgi. The GreenPacketDX-350 is a network access point device from GreenPacket, USA. A remote attacker can exploit this vulnerability to inject arbitrary web scripts or HTML by sending an 'action' parameter to the ajax.cgi file

Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb has a default password of admin for the admin account. Green Packet DX-350 The firmware contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The GreenPacketDX-350 is a network access point device from GreenPacket, USA. There are currently no detailed details of the vulnerability provided

SQL injection vulnerability in SOL.Connect ISET-mpp meter 1.2.4.2 and earlier allows remote attackers to execute arbitrary SQL commands via the user parameter in a login action. SOL.Connect ISET-mpp meter Is SQL An injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SOL.Connect ISET-mpp meter is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. SOL.Connect ISET-mpp meter 1.2.4.2 is vulnerable; other versions may also be affected. Popendorf Software Engineering SOL.Connect ISET-mpp meter is a photovoltaic equipment data acquisition meter from Popendorf Software Engineering in Germany

Cross-site request forgery (CSRF) vulnerability in WMR-433 firmware Ver.1.02 and earlier, WMR-433W firmware Ver.1.40 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. WMR-433 and WMR-433W provided by BUFFALO INC. are wireless LAN routers. WMR-433 and WMR-433W contain multiple vulnerabilities listed below. * Cross-site Request Forgery (CWE-352) - CVE-2017-2273 * Reflected Cross-site Scripting (CWE-79) - CVE-2017-2274 Manabu Kobayashi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.The possible impact of each vulnerability is as follows: * If a logged-in user accesses a specially crafted page, configuration of the device may be changed or the device may be rebooted - CVE-2017-2273 * If a logged-in user accesses a specially crafted page, an arbitrary script may be executed on the user's web browser - CVE-2017-2274. Both the BUFFALOWAPM-1166D and the WAPM-APG600H are wireless LAN access point devices from Japan's BUFFALO Corporation. A remote attacker could exploit this vulnerability to perform unauthorized operations

Cross-site scripting vulnerability in WMR-433 firmware Ver.1.02 and earlier, WMR-433W firmware Ver.1.40 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. WMR-433 and WMR-433W provided by BUFFALO INC. are wireless LAN routers. WMR-433 and WMR-433W contain multiple vulnerabilities listed below. * Cross-site Request Forgery (CWE-352) - CVE-2017-2273 * Reflected Cross-site Scripting (CWE-79) - CVE-2017-2274 Manabu Kobayashi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.The possible impact of each vulnerability is as follows: * If a logged-in user accesses a specially crafted page, configuration of the device may be changed or the device may be rebooted - CVE-2017-2273 * If a logged-in user accesses a specially crafted page, an arbitrary script may be executed on the user's web browser - CVE-2017-2274. Both the BUFFALOWAPM-1166D and the WAPM-APG600H are wireless LAN access point devices from Japan's BUFFALO Corporation

The D-LinkDSL-2640U is a wireless router. The D-LinkDSL-2640U has an unauthenticated DNS change vulnerability. An attacker could exploit the vulnerability to access the sites and devices of a vulnerable system and redirect to a malicious site.

Beetel BCM96338 is a router. A DNS change vulnerability exists in the Beetel BCM96338 router. An attacker could exploit the vulnerability to access the sites and devices of a vulnerable system and redirect to a malicious site.

The D-LinkDSL-2640B is a router device. There is a security hole in D-LinkDSL-2640B. The vulnerability exists in the web interface that an attacker could use to access the sites and devices of a vulnerable system and redirect to a malicious site.

Technicolor DPC3928AD DOCSIS devices allow remote attackers to read arbitrary files via a request starting with "GET /../" on TCP port 4321. TechnicolorDPC3928ADDOCSIS is a wireless router from Technicolor, France. An information disclosure vulnerability exists in TechnicolorDPC3928ADDOCSIS