VARIoT IoT vulnerabilities database

A vulnerability in the file system of Cisco Elastic Services Controllers could allow an authenticated, local attacker to gain access to sensitive user credentials that are stored in an affected system. More Information: CSCvd73677. Known Affected Releases: 2.3(2). An attacker can exploit this issue to obtain sensitive information that may aid in further attacks. This issue is being tracked by Cisco bug ID CSCvd73677

A vulnerability in the web interface of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to access sensitive system credentials that are stored in an affected system. More Information: CSCvd76339. Known Affected Releases: 2.2(9.76). Successful exploits will allow attackers to obtain sensitive information. This may result in further attacks. This issue is tracked by Cisco Bug ID CSCvd76339

A vulnerability in the Fibre Channel over Ethernet (FCoE) protocol implementation in Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition when an FCoE-related process unexpectedly reloads. This vulnerability affects Cisco NX-OS Software on the following Cisco devices when they are configured for FCoE: Multilayer Director Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches. More Information: CSCvc91729. Known Affected Releases: 8.3(0)CV(0.833). Known Fixed Releases: 8.3(0)ISH(0.62) 8.3(0)CV(0.944) 8.1(1) 8.1(0.8)S0 7.3(2)D1(0.47). Vendors have confirmed this vulnerability CSCvc91729 It is released as.Service operation interruption (DoS) There is a possibility of being put into a state. Cisco NX-OS Software is a data center-oriented operating system from Cisco. An attacker could exploit the vulnerability by sending a specially crafted FCoE frame to the target device. This issue is being tracked by Cisco bug ID CSCvc91729. The vulnerability stems from the fact that the program does not perform sufficient inspection on FCoE frames

A vulnerability in Session Initiation Protocol (SIP) call handling of Cisco IP Phone 8800 Series devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to the SIP process unexpectedly restarting. All active phone calls are dropped as the SIP process restarts. More Information: CSCvc29353. Known Affected Releases: 11.0(0.1). Known Fixed Releases: 11.0(0)MP2.153 11.0(0)MP2.62. Vendors have confirmed this vulnerability CSCvc29353 It is released as.Remote attacker could disrupt service operation (DoS) There is a possibility of being put into a state. The Cisco IP Phone 8800 Series is a telephone product that provides video and VoIP communication capabilities at Cisco. This issue is tracked by Cisco Bug ID CSCvc29353

A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. More Information: CSCvc91800. Known Affected Releases: 11.5(0) 11.6. Other attacks are also possible. This issue is being tracked by Cisco Bug ID CSCvc91800. This solution supports simplified unified communication and video collaboration network management through a unified management console, and rapid deployment of communication sites. A remote attacker could exploit this vulnerability by convincing a UI user to open a specially crafted link

A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA) and Cisco Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device, aka Message Tracking XSS. More Information: CSCvd30805 CSCvd34861. Known Affected Releases: 10.0.0-203 10.1.0-049. Vendors have confirmed this vulnerability Bug ID CSCvd30805 and CSCvd34861 It is released as.A remote attacker could conduct a cross-site scripting attack. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issues are being tracked by Cisco Bug ID's CSCvd30805 and CSCvd34861. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML

A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administrative console of a DCNM server by using an account that has a default, static password. The account could be granted root- or system-level privileges. The vulnerability exists because the affected software has a default user account that has a default, static password. The user account is created automatically when the software is installed. An attacker could exploit this vulnerability by connecting remotely to an affected system and logging in to the affected software by using the credentials for this default user account. A successful exploit could allow the attacker to use this default user account to log in to the affected software and gain access to the administrative console of a DCNM server. This vulnerability affects Cisco Prime Data Center Network Manager (DCNM) Software releases prior to Release 10.2(1) for Microsoft Windows, Linux, and Virtual Appliance platforms. Cisco Bug IDs: CSCvd95346. The manager provides multi-protocol management of the network and provides troubleshooting capabilities for switch health and performance

A vulnerability in the Session Initiation Protocol (SIP) of the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, remote attacker to cause a TelePresence endpoint to reload unexpectedly, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of flow-control mechanisms within the software. An attacker could exploit this vulnerability by sending a flood of SIP INVITE packets to the affected device. An exploit could allow the attacker to impact the availability of services and data of the device, including a complete DoS condition. This vulnerability affects the following Cisco TC and CE platforms when running software versions prior to TC 7.3.8 and CE 8.3.0. Cisco Bug IDs: CSCux94002. Cisco TelePresence Endpoint is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition, denying service to legitimate users. Cisco TelePresence is a set of video conferencing solutions called "TelePresence" system of Cisco (Cisco)

An XSS vulnerability allows remote attackers to execute arbitrary client side script on vulnerable installations of Sophos Cyberoam firewall devices with firmware through 10.6.4. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of a request to the "LiveConnectionDetail.jsp" application. GET parameters "applicationname" and "username" are improperly sanitized allowing an attacker to inject arbitrary JavaScript into the page. This can be abused by an attacker to perform a cross-site scripting attack on the user. A vulnerable URI is /corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp. Sophos Cyberoam A firmware firewall device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Sophos Cyberoam firewall devices is a set of firewall devices of British Sophos Company, which provides online application detection and control, web filtering, HTTPS inspection, intrusion prevention and other functions. The vulnerability stems from the fact that the program does not filter the 'applicationname' and 'username' GET parameters correctly

A vulnerability in how DLL files are loaded with Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to install and run an executable file with privileges equivalent to the Microsoft Windows SYSTEM account. The vulnerability is due to incomplete input validation of path and file names of a DLL file before it is loaded. An attacker could exploit this vulnerability by creating a malicious DLL file and installing it in a specific system directory. A successful exploit could allow the attacker to execute commands on the underlying Microsoft Windows host with privileges equivalent to the SYSTEM account. The attacker would need valid user credentials to exploit this vulnerability. This vulnerability affects all Cisco AnyConnect Secure Mobility Client for Windows software versions prior to 4.4.02034. Cisco Bug IDs: CSCvc97928. Vendors report this vulnerability Bug ID CSCvc97928 Published as.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Cisco AnyConnectSecureMobilityClient is the Cisco Next Generation VPN Client. Remote attackers can use system privileges to install and run executable files

A vulnerability in the esc_listener.py script of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to execute arbitrary commands as the tomcat user on an affected system, aka an Authentication Request Processing Arbitrary Command Execution Vulnerability. More Information: CSCvc76642. Known Affected Releases: 2.2(9.76). Cisco Elastic Services Controller of esc_listener.py Is OS A command injection vulnerability exists. Vendors have confirmed this vulnerability Bug ID CSCvc76642 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to execute arbitrary command on the affected system. This may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCvc76642

WiMAX routers based on the MediaTek SDK (libmtk) that use a custom httpd plugin are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to gain administrator access to the device by performing an administrator password change on the device via a crafted POST request. libmtk For httpd Multiple using plug-ins WiMAX The router contains an authentication bypass vulnerability. In particular commit2.cgi Against ADMIN_PASSWD A parameter was set POST You can change the administrator password by sending a request. According to the reporter, some of the surveyed products are initially enabled for remote management. In this case, there is a possibility of being attacked from the Internet side. MediaTek According to the company, the vulnerable file MediaTek SDK It is not included in itself, SDK It is speculated that it was provided by the developer who developed the firmware using. Details of the reporter blog See article. As a result, you may gain administrative privileges on the device. WiMAX (Worldwide Interoperability for Microwave Access) is a communication technology based on the IEEE-802.16 standard and can be used as an alternative to wired broadband services. The following products and versions are affected: ZyXEL MAX338M; ZyXEL MAX318M; ZyXEL MAX308M Version 2.00(UUA.3)D0; ZyXEL MAX218MW Version 2.00(UXD.2)D0; ZyXEL MAX218M1W Version 2.00(UXE.3)D0; ZyXEL MAX218M Version 2.00( UXG.0)D0 version; ZTE OX-330P; Mada Soho Wireless Router 2.10.13; Huawei HES-339M; Huawei HES-319M2W; Huawei HES-319M; Huawei HES-309M; Huawei BM2022 version 2.10.14; Green Packet OX-350

Intense PC Phoenix SecureCore UEFI firmware does not perform capsule signature validation before upgrading the system firmware. The absence of signature validation allows an attacker with administrator privileges to flash a modified UEFI BIOS. Intense PC Phoenix SecureCore UEFI The firmware contains a vulnerability related to input validation.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. CompuLabIntensePC is a mini PC device from CompuLab, Israel. An attacker could exploit this vulnerability to read and write to any system firmware. Credits: Hal Martin Website: watchmysys.com Source: https://watchmysys.com/blog/2017/07/cve-2017-9457-compulab-intense-pc-lacks-firmware-validation/ Vendor: ==================== CompuLab (compulab.com) Product: ==================== Intense PC / MintBox 2 Vulnerability type: ==================== Platform lacks signature verification and does not validate firmware update before flashing CVE Reference: ==================== CVE-2017-9457 Summary: ==================== Since 2013 CompuLab manufactures and sells the Intense PC (also sold under the name "MintBox 2"), which is a small Intel-based fanless PC sold to end-users and industrial customers. No timeline was provided to implement capsule signature verification. Affected versions: ==================== All firmware versions since product release (latest public firmware is 21 May 2017) Attack Vector: ==================== An attacker tricks the user into running a malicious executable with local administrator privileges, which updates the system firmware to include the attacker's code. The attacker may instead use a known OS exploit to perform the upgrade remotely (without user interaction or notification). Proof of concept: ==================== I have created a modified firmware update which replaces the stock UEFI shell with the UEFI shell from EDK2. The update can be flashed from within Windows without any user interaction or notification. Firmware updates are not signed by CompuLab or verified by the existing firmware before upgrade. The modified update, based on the 21 May 2017 firmware, can be downloaded here: https://watchmysys.com/blog/wp-content/uploads/2017/07/update-IPC-20170521-edk2.zip Details of the full proof of concept can be found at the Source link above. Mitigation: ==================== At this time there is no means for the end user to enable Capsule Signature verification or to prevent the Phoenix update utility from updating the system firmware. Therefore Intense PC owners should consider the following options: - Ensure your operating system is up to date with the latest security patches. Do not run software from untrusted sources. - Do not connect your Intense PC to any networks with internet access (i.e. air-gap the computer). Disclosure timeline: ==================== 6 June 2017: Issue reported to CompuLab 6 June 2017: CompuLab confirms that aDefault settings of this source tree [Phoenix SecureCore Tiano Enhanced Intel Ivy Bridge CPU Panther Point M] has disabled Capsule Signature option.a 6 June 2017: Issue is reported to MITRE 6 June 2017: Vulnerability is assigned CVE-2017-9457 7 June 2017: CompuLab are informed that the vulnerability has been assigned CVE-2017-9457 and details of the vulnerability will be published after 45 days 22 July 2017: Details of the vulnerability are published

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device allows a user to install applications written in the Lua programming language. Also the interface allows any user to write his/her application in the Lua language. However, this functionality is not protected by authentication and this allows an attacker to run arbitrary Lua code on the device. The POST request is forwarded to LuaUPNP daemon on the device. This binary handles the received Lua code in the function "LU::JobHandler_LuaUPnP::RunLua(LU::JobHandler_LuaUPnP *__hidden this, LU::UPnPActionWrapper *)". The value in the "code" parameter is then passed to the function "LU::LuaInterface::RunCode(char const*)" which actually loads the Lua engine and runs the code. Vera VeraEdge and Veralite The device contains an authentication vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device firmware file contains a file known as relay.sh which allows the device to create relay ports and connect the device to Vera servers. This is primarily used as a method of communication between the device and Vera servers so the devices can be communicated with even when the user is not at home. One of the parameters retrieved by this specific script is "remote_host". This parameter is not sanitized by the script correctly and is passed in a call to "eval" to execute another script where remote_host is concatenated to be passed a parameter to the second script. This allows an attacker to escape from the executed command and then execute any commands of his/her choice. Vera VeraEdge and Veralite The device contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device firmware file contains a file known as proxy.sh which allows the device to proxy a specific request to and from from another website. This is primarily used as a method of communication between the device and Vera website when the user is logged in to the https://home.getvera.com and allows the device to communicate between the device and website. One of the parameters retrieved by this specific script is "url". This parameter is not sanitized by the script correctly and is passed in a call to "eval" to execute "curl" functionality. This allows an attacker to escape from the executed command and then execute any commands of his/her choice. Vera VeraEdge and Veralite The device contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This number has been reserved for identifying a security breach

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a shell script called relay.sh which is used for creating new SSH relays for the device so that the device connects to Vera servers. All the parameters passed in this specific script are logged to a log file called log.relay in the /tmp folder. The user can also read all the log files from the device using a script called log.sh. However, when the script loads the log files it displays them with content-type text/html and passes all the logs through the ansi2html binary which converts all the character text including HTML meta-characters correctly to be displayed in the browser. This allows an attacker to use the log files as a storing mechanism for the XSS payload and thus whenever a user navigates to that log.sh script, it enables the XSS payload and allows an attacker to execute his malicious payload on the user's browser. Vera VeraEdge and Veralite The device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. This number has been reserved for identifying a security breach

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a shell script called connect.sh which is supposed to return a specific cookie for the user when the user is authenticated to https://home.getvera.com. One of the parameters retrieved by this script is "RedirectURL". However, the application lacks strict input validation of this parameter and this allows an attacker to execute the client-side code on this application. Vera VeraEdge and Veralite The device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "request_image" as one of the service actions for a normal user to retrieve an image from a camera that is controlled by the controller. It seems that the "URL" parameter passed in the query string is not sanitized and is stored on the stack which allows an attacker to overflow the buffer. The function "LU::Generic_IP_Camera_Manager::REQ_Image" is activated when the lu_request_image is passed as the "id" parameter in query string. This function then calls "LU::Generic_IP_Camera_Manager::GetUrlFromArguments" and passes a "pointer" to the function where it will be allowed to store the value from the URL parameter. This pointer is passed as the second parameter $a2 to the function "LU::Generic_IP_Camera_Manager::GetUrlFromArguments". However, neither the callee or the caller in this case performs a simple length check and as a result an attacker who is able to send more than 1336 characters can easily overflow the values stored on the stack including the $RA value and thus execute code on the device. Vera VeraEdge and Veralite The device contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. An attacker could exploit this vulnerability to execute code on the device

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "request_image" as one of the service actions for a normal user to retrieve an image from a camera that is controlled by the controller. It seems that the "res" (resolution) parameter passed in the query string is not sanitized and is stored on the stack which allows an attacker to overflow the buffer. The function "LU::Generic_IP_Camera_Manager::REQ_Image" is activated when the lu_request_image is passed as the "id" parameter in the query string. This function then calls "LU::Generic_IP_Camera_Manager::GetUrlFromArguments". This function retrieves all the parameters passed in the query string including "res" and then uses the value passed in it to fill up buffer using the sprintf function. However, the function in this case lacks a simple length check and as a result an attacker who is able to send more than 184 characters can easily overflow the values stored on the stack including the $RA value and thus execute code on the device. Vera VeraEdge and Veralite The device contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. An attacker could exploit this vulnerability to execute code on the device