VARIoT IoT vulnerabilities database
| VAR-201906-0779 | CVE-2017-8252 | Multiple Snapdragon products: authorization vulnerability (fault injection into TrustZone) |
CVSS V2: 4.9 CVSS V3: 5.5 Severity: MEDIUM |
Kernel can inject faults in computations during the execution of TrustZone leading to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in IPQ4019, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCA8081, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SM7150, Snapdragon_High_Med_2016, SXR1130. Multiple Snapdragon products therefore contain an authorization weakness whose exploitation may disclose information. Because the faults are injected by the kernel, the attacker is assumed to already control code in the non-secure (normal-world) kernel; the payoff is leakage of data that should have stayed inside the secure world. Qualcomm MDM9206, MDM9607, MDM9640 and the other listed parts are Qualcomm SoC and modem (CPU) products. An alternative database description characterises the flaw as a race condition arising from improper handling of concurrent access to shared resources that must be used under mutual exclusion; the affected products are those listed above.
| VAR-201711-0261 | CVE-2017-2695 | Huawei smartphones: path traversal vulnerability |
CVSS V2: 4.3 CVSS V3: 5.5 Severity: MEDIUM |
TIT-AL00C583B211 has a directory traversal vulnerability which allows an attacker to obtain the files in email application. Huawei smartphones therefore contain a path traversal vulnerability; information may be obtained. The Huawei Enjoy 5 (TIT-AL00) is a Huawei smartphone. To exploit the flaw, the attacker lures the user into installing a malicious app, which then modifies a particular URI so that its path escapes the intended directory and reads files belonging to the email application.
| VAR-201708-1365 | CVE-2017-8248 | Qualcomm Telephony as used in Apple iPhone and other devices: buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
A buffer overflow may occur in the processing of a downlink NAS message in Qualcomm Telephony as used in Apple iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation. A downlink NAS message travels from the network to the device, so the flaw is reachable from the cellular network side without any user interaction, which matches the network-vector CVSS scores above. The accompanying description of Qualcomm closed-source components lists multiple unspecified vulnerabilities which an attacker can exploit to perform unauthorized actions that may aid further attacks.
These issues are being tracked by Android Bug IDs A-78135902, A-66913713, A-67712316, A-79419833, A-109678200, A-78283451, A-78285196, A-78284194, A-78284753, A-78284517, A-78240177, A-78239686, A-78284545, A-109660689, A-78240324, A-68141338, A-78286046, A-73539037, A-73539235, A-71501115, A-33757308, A-74236942, A-77485184, A-77484529, A-33385206, A-79419639, A-79420511, A-109678338, and A-112279564.
Successful exploits will allow attackers to perform unauthorized actions, execute arbitrary code in the context of the affected device or cause denial-of-service conditions; other attacks may also be possible. The Apple iPhone is a smartphone, the Apple iPad a tablet computer and the Apple iPod touch a portable media player, all running iOS; the Telephony component provides the cellular telephony functions.
| VAR-201804-0752 | CVE-2017-8274 | Android on multiple Qualcomm products: access control vulnerability (Core) |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, an access control vulnerability exists in Core. Android on these Qualcomm products therefore contains an access control vulnerability; information may be obtained or altered, and a denial of service (DoS) may result. Beyond the bulletin text, no further technical detail about the issue or its effects has been published. Android is a Linux-based open source operating system developed by Google and the Open Handset Alliance (OHA); Qualcomm MDM9206 and the other listed parts are Qualcomm SoC and modem (CPU) products used in phones and watches.
| VAR-201901-0467 | CVE-2017-8276 | Multiple Snapdragon products: authorization vulnerability (TrustZone fuse) |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Improper authorization involving a fuse in TrustZone in snapdragon automobile, snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016. Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear therefore contain an authorization vulnerability; information may be obtained or altered, and a denial of service (DoS) may result. The accompanying description of Qualcomm closed-source components lists multiple unspecified vulnerabilities which an attacker can exploit to perform unauthorized actions that may aid further attacks; they are tracked by the same Android Bug IDs listed under CVE-2017-8248 above. Qualcomm MDM9206 and the other listed parts are Qualcomm SoC and modem (CPU) products, and TrustZone is the system security component in which the flaw lies. Beyond the bulletin text, no further technical detail has been published.
| VAR-201804-0753 | CVE-2017-8275 | Android on multiple Qualcomm products: integer overflow vulnerability (video library) |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile SD 210/SD 212/SD 205, SD 400, SD 430, SD 450, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 820, SD 835, an integer overflow vulnerability exists in a video library. Android on these Qualcomm products therefore contains an integer overflow vulnerability; information may be obtained or altered, and a denial of service (DoS) may result. Beyond the bulletin text, no further technical detail about the issue or its effects has been published. Android is a Linux-based open source operating system developed by Google and the Open Handset Alliance (OHA); the listed SD parts are Qualcomm SoC (CPU) products.
| VAR-201704-0651 | CVE-2017-5625 | OxygenOS on OnePlus 3 and 3T devices: NULL pointer dereference vulnerability (fastboot oem dump) |
CVSS V2: 2.1 CVSS V3: 4.6 Severity: MEDIUM |
In OxygenOS before 4.0.3 on OnePlus 3 and 3T devices, an unauthorized attacker can cause a locked bootloader to partially dump the ciphertext content of an arbitrary partition (except 'keystore') by issuing the 'fastboot oem dump <partition>' fastboot command. The database classifies the issue as a NULL pointer dereference, but its practical effect is information disclosure: an attacker with USB access to a device in fastboot mode can read partition contents without unlocking the bootloader. OnePlus 3 and 3T are OnePlus smartphones, and OxygenOS is the vendor's own Android-based operating system; versions of OxygenOS before 4.0.3 on these devices are affected.
| VAR-201704-1322 | CVE-2017-8225 | Wireless IP Camera (P2P) WIFICAM devices: authentication bypass (authorization and access control) |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
On Wireless IP Camera (P2P) WIFICAM devices, access to .ini files (containing credentials) is not correctly checked. An attacker can bypass authentication by providing an empty loginuse parameter and an empty loginpas parameter in the URI. Wireless IP Camera (P2P) WIFICAM is a remote network camera. Because the check accepts empty credentials instead of treating them as missing, the .ini files, and with them the device credentials, are exposed to any unauthenticated client that can reach the web interface.
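The empty-parameter pattern is easy to hunt for in web-server logs. The following is an added example, not code from the VARIoT entry or from the camera's vendor: it parses constructed access-log lines in the common "combined" format (an assumption, since the entry does not say what the camera itself logs) and flags requests that carry both loginuse and loginpas with empty values, or that fetch a .ini file. The paths, addresses and timestamps in the sample lines are made up.

```python
"""Hunt for CVE-2017-8225-style requests in web-server access logs.

Added example, not code from the VARIoT entry or from the camera vendor. The
log layout (Apache/nginx "combined" format) and every sample line below are
constructed assumptions; the indicator itself comes from the advisory text:
a request carrying both loginuse and loginpas with empty values, or any
request for a .ini file, which on these devices holds credentials.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one combined-format log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(uri):
    """Return the indicator names that apply to a request URI (empty list if none)."""
    parts = urlsplit(uri)
    # keep_blank_values=True matters: the bypass uses *empty* parameters, and
    # parse_qs silently drops those by default, which would hide the pattern.
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    if "loginuse" in query and "loginpas" in query:
        if all(v == "" for v in query["loginuse"] + query["loginpas"]):
            hits.append("empty-credentials")
    if parts.path.lower().endswith(".ini"):
        hits.append("ini-access")
    return hits


def scan(lines):
    """Return one finding per matching line: source IP, URI, status and indicators."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["uri"])
        if hits:
            findings.append({"ip": rec["ip"], "uri": rec["uri"],
                             "status": rec["status"], "hits": hits})
    return findings


# Constructed sample traffic: two bypass attempts from one host, one normal
# login and one unrelated request. Paths are placeholders, not the camera's real ones.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Mar/2017:10:01:02 +0000] "GET /config.ini?loginuse&loginpas HTTP/1.1" 200 1848',
    '203.0.113.7 - - [20/Mar/2017:10:01:05 +0000] "GET /login.cgi?loginuse=&loginpas= HTTP/1.1" 200 91',
    '192.0.2.20 - - [20/Mar/2017:10:02:00 +0000] "GET /login.cgi?loginuse=admin&loginpas=secret HTTP/1.1" 200 91',
    '192.0.2.21 - - [20/Mar/2017:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1203',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on an "empty-credentials" hit is the interesting case: it means the device served the resource rather than rejecting the request, which is exactly the behaviour the entry describes.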
| VAR-201704-1319 | CVE-2017-8222 | Wireless IP Camera (P2P) WIFICAM devices: key management error (private key embedded in firmware) |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Wireless IP Camera (P2P) WIFICAM devices have an "Apple Production IOS Push Services" private RSA key and certificate stored in /system/www/pem/ck.pem inside the firmware, which allows attackers to obtain sensitive information. The device therefore contains a key management error; information may be obtained. Wireless IP Camera (P2P) WIFICAM is a remote network camera. The flaw stems from the firmware file /system/www/pem/ck.pem storing the "Apple Production IOS Push Services" RSA private key and certificate. Because the key ships inside the firmware image, it is identical on every device running that firmware, and extracting it from a single unit or from a copy of the firmware is enough to obtain it.
| VAR-201704-1318 | CVE-2017-8221 | Wireless IP Camera (P2P) WIFICAM devices: information disclosure (cleartext UDP tunnel) |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Wireless IP Camera (P2P) WIFICAM devices rely on a cleartext UDP tunnel protocol (aka the Cloud feature) for communication between an Android application and a camera device, which allows remote attackers to obtain sensitive information by sniffing the network. Wireless IP Camera (P2P) WIFICAM is a remote network camera. A remote attacker positioned on the network path between the app and the camera can read the tunnel traffic passively, since nothing in the protocol encrypts it.
| VAR-201910-1479 | CVE-2017-8087 | AVM Fritz!Box 7490: information disclosure (PPPoE packet padding) |
CVSS V2: 2.1 CVSS V3: 2.4 Severity: LOW |
Information Leakage in PPPoE Packet Padding in AVM Fritz!Box 7490 with Firmware versions Fritz!OS 6.80 and 6.83 allows physically proximate attackers to view slices of previously transmitted packets or portions of memory via unspecified vectors. AVM Fritz!Box 7490 therefore contains an information disclosure vulnerability; information may be obtained. The advisory below gives the details.
Deutsche Telekom CERT Advisory [DTC-A-20170323-001]
Summary:
Information leakage found in FRITZ!OS 6.83 & 6.80 (AVM DSL Router Fritz!Box 7490)
Recommendation:
Update to the newest Version of FRITZ!OS
Details:
a) application
b) problem
c) CVSS
d) detailed description
e) credits
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
a) FRITZ!OS 6.83 & 6.80 (AVM DSL Router Fritz!Box 7490)
b) Memory leakage within the PPPoE/PPP padding
c) 4.7 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/RL:U
d)
Multiple DSL access routers (aka home gateways / CPE) handle PPPoE frame padding incorrectly.
This seems to be similar to http://www.securiteam.com/securitynews/5BP01208UO.html.
AVM DSL Router Fritz!Box 7490 (tested with FRITZ!OS 6.83 & 6.80) sends portions of memory within PPPoE Discovery protocol PADT frames because arbitrary memory is used as padding to reach the minimum Ethernet frame length.
Further research shows that "short" PPP LCP frames are also padded with random memory.
e) Christian Kagerhuber
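The check the advisory implies can be run over a capture of the WAN-side Ethernet link. The code below is an added example, not code from the DT CERT advisory or from AVM: it parses PPPoE discovery and session frames (EtherType 0x8863/0x8864, then the six-byte PPPoE header with version/type, code, session ID and payload length) and reports any bytes after the declared payload that are not zero, since correct Ethernet padding is all zeros. The frames it runs on are constructed inside the block, including the "leaked" bytes; the Fritz!Box's actual leaked contents are not reproduced here. It assumes frames without the trailing FCS, as most capture tools deliver them.

```python
"""Check PPPoE frames for non-zero Ethernet padding (CVE-2017-8087 style leak).

Added example; not code from the advisory or from AVM. A PPPoE frame whose
payload is shorter than the Ethernet minimum must be padded to 60 bytes (64
with the FCS), and that padding should be zero. Anything else is whatever the
sender's driver found in memory. Frames below are constructed, not captured,
and are assumed to carry no FCS.
"""
import struct

ETH_HDR_LEN = 14
ETH_MIN_LEN = 60            # minimum Ethernet frame length without the 4-byte FCS
ETHERTYPE_PPPOE_DISC = 0x8863
ETHERTYPE_PPPOE_SESS = 0x8864
PPPOE_HDR_LEN = 6
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT", 0x00: "SESSION"}


def inspect_pppoe_frame(frame):
    """Parse one Ethernet frame and report its trailing padding.

    Returns None for non-PPPoE frames. Otherwise returns the discovery code,
    session ID, declared payload length, the bytes following the declared
    payload, and 'clean' (True when every one of those bytes is zero).
    """
    if len(frame) < ETH_HDR_LEN + PPPOE_HDR_LEN:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETHERTYPE_PPPOE_DISC, ETHERTYPE_PPPOE_SESS):
        return None
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:    # PPPoE version 1, type 1 is the only defined encoding
        return None
    payload_end = ETH_HDR_LEN + PPPOE_HDR_LEN + length
    padding = frame[payload_end:] if payload_end <= len(frame) else b""
    return {
        "code": PPPOE_CODES.get(code, "0x%02x" % code),
        "session_id": session_id,
        "declared_len": length,
        "padding": padding,
        "clean": not any(padding),
    }


def find_padding_leaks(frames):
    """Return (index, report) for every PPPoE frame whose padding is not all zero."""
    leaks = []
    for i, frame in enumerate(frames):
        rep = inspect_pppoe_frame(frame)
        if rep and not rep["clean"]:
            leaks.append((i, rep))
    return leaks


def build_pppoe_frame(ethertype, code, session_id, payload, pad_source=b""):
    """Assemble a PPPoE frame padded to ETH_MIN_LEN.

    Padding is taken from pad_source, simulating a driver that pads with stale
    buffer contents, and topped up with zeros. Addresses are constructed.
    """
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    hdr = dst + src + struct.pack("!H", ethertype) + struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    frame = hdr + payload
    need = max(0, ETH_MIN_LEN - len(frame))
    padding = (pad_source + b"\x00" * need)[:need]
    return frame + padding


# Constructed frames: a correctly padded PADT, a PADT padded with stale buffer
# contents, and a short PPP LCP Echo-Request padded the same way.
LEAKED_MEMORY = b"GET /index.html HTTP/1.1\r\nCookie: sid=0123456789abcdef\r\n"
CLEAN_PADT = build_pppoe_frame(ETHERTYPE_PPPOE_DISC, 0xA7, 0x0001, b"")
LEAKY_PADT = build_pppoe_frame(ETHERTYPE_PPPOE_DISC, 0xA7, 0x0001, b"", LEAKED_MEMORY)
LCP_ECHO_REQ = struct.pack("!HBBH", 0xC021, 0x09, 0x01, 8) + bytes.fromhex("deadbeef")
LEAKY_LCP = build_pppoe_frame(ETHERTYPE_PPPOE_SESS, 0x00, 0x0001, LCP_ECHO_REQ, LEAKED_MEMORY)

if __name__ == "__main__":
    for idx, rep in find_padding_leaks([CLEAN_PADT, LEAKY_PADT, LEAKY_LCP]):
        print(idx, rep["code"], rep["declared_len"], rep["padding"])
```

On a real link the interesting frames are exactly the short ones the advisory names, PADT (empty payload, 40 bytes of padding) and small LCP packets, because they leave the most room for padding; a single leaked frame only exposes a few dozen bytes, but repeated session teardowns accumulate slices of whatever the router last handled.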
| VAR-201704-1010 | CVE-2017-6052 | Hyundai Motor America Blue Link Security Bypass Vulnerability |
CVSS V2: 4.3 CVSS V3: 3.7 Severity: LOW |
A Man-in-the-Middle issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. Communication channel endpoints are not verified, which may allow a remote attacker to access or influence communications between the identified endpoints. Blue Link therefore contains a vulnerability related to authorization, permissions and access control; information may be obtained and altered. Blue Link is Hyundai Motor America's connected-car (telematics) application. Versions 3.9.5 and 3.9.4 are affected by two issues:
1. An information disclosure vulnerability
2. A security-bypass vulnerability
An attacker may leverage these issues to gain sensitive information, bypass certain security restrictions and perform unauthorized actions. Since the application never verifies who is at the other end of the channel, an attacker who can interpose on the network path can impersonate the legitimate endpoint and read or modify the traffic.
| VAR-201704-1011 | CVE-2017-6054 | Hyundai Motor America Blue Link Sensitive Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A Use of Hard-Coded Cryptographic Key issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. The application uses a hard-coded decryption password to protect sensitive user information. Blue Link is Hyundai Motor America's connected-car application, used to control vehicle functions remotely. Because the password is fixed in the application itself, anyone who extracts it from a copy of the app can decrypt the protected user information; an attacker could exploit this to obtain sensitive information.
| VAR-201705-3543 | CVE-2017-6051 | BLF-Tech LLC VisualView HMI: uncontrolled search path element (DLL hijacking) |
CVSS V2: 5.1 CVSS V3: 7.0 Severity: HIGH |
An Uncontrolled Search Path Element issue was discovered in BLF-Tech LLC VisualView HMI Version 9.9.14.0 and prior. The uncontrolled search path element vulnerability has been identified, which may allow an attacker to run a malicious DLL file within the search path resulting in execution of arbitrary code. BLF-Tech LLC VisualView HMI therefore contains a vulnerability related to uncontrolled search path elements; information may be obtained or altered, and a denial of service (DoS) may result. VisualView HMI is a human-machine interface application from BLF-Tech LLC. A local attacker who can write a DLL into a directory on the application's search path can have it loaded in place of the intended library, executing arbitrary code with the application's privileges and potentially escalating privileges. VisualView HMI 9.9.14.0 and prior versions are vulnerable.
| VAR-201706-0468 | CVE-2017-6044 | Sierra Wireless AirLink Raven XE and XT: missing authentication for critical functions |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
An Improper Authorization issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Several files and directories can be accessed without authentication, which may allow a remote attacker to perform sensitive functions including arbitrary file upload, file download, and device reboot. Sierra Wireless AirLink Raven XE and XT are wireless gateway products from Sierra Wireless, Canada. A successful exploit may allow an attacker to obtain sensitive information, perform unauthorized actions and gain access to the affected application; other attacks are also possible.
| VAR-201706-0466 | CVE-2017-6042 | Sierra Wireless AirLink Raven XE and XT Cross-Site Request Forgery Vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
A Cross-Site Request Forgery issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Affected devices do not verify if a request was intentionally sent by the logged-in user, which may allow an attacker to trick a client into making an unintentional request to the web server that will be treated as an authentic request. Sierra Wireless AirLink Raven XE and XT are wireless gateway products from Sierra Wireless, Canada. The CSRF vulnerability exists because the web server does not verify that a request was deliberately issued by the logged-in user, so a remote attacker who can get an authenticated administrator's browser to load attacker-controlled content can perform unauthorized operations on the device; other attacks are also possible.
| VAR-201706-0470 | CVE-2017-6046 | Sierra Wireless AirLink Raven XE and XT: information disclosure (insufficiently protected credentials) |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An Insufficiently Protected Credentials issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Sensitive information is insufficiently protected during transmission and vulnerable to sniffing, which could lead to information disclosure. Sierra Wireless AirLink Raven XE and XT are wireless gateway products from Sierra Wireless, Canada. An attacker able to sniff traffic to or from the device could exploit this to obtain sensitive information, including credentials; other attacks are also possible.
| VAR-201706-0589 | CVE-2017-8083 | CompuLab Intense PC and MintBox 2 with BIOS before 2017-05-21: firmware rootkit installation (flash write protection not enabled) |
CVSS V2: 7.2 CVSS V3: 6.7 Severity: MEDIUM |
CompuLab Intense PC and MintBox 2 devices with BIOS before 2017-05-21 do not use the CloseMnf protection mechanism for write protection of flash memory regions, which allows local users to install a firmware rootkit by leveraging administrative privileges. CompuLab Intense PC and MintBox 2 are mini PC devices from CompuLab, Israel. The BIOS is the system firmware stored in the board's SPI flash chip. A BIOS permission vulnerability exists in CompuLab Intense PC and MintBox 2 with BIOS versions prior to 2017-05-21: the vendor never applied the CloseMnf protection mechanism, so the flash regions remain writable from the host and a process running with administrative privileges can rewrite the firmware with code that persists below the operating system.
Credits: Hal Martin
Website: watchmysys.com
Source: https://watchmysys.com/blog/2017/06/cve-2017-8083-compulab-intensepc-lacks-bios-wp/
Vendor:
====================
CompuLab (compulab.com)
Product:
====================
Intense PC / MintBox 2
Vulnerability type:
====================
Write-protection not enabled on system firmware
CVE Reference:
====================
CVE-2017-8083
Summary:
====================
Since 2013 CompuLab has manufactured and sold the IntensePC/MintBox 2, a small Intel-based fanless PC sold to end users and industrial customers. It was discovered that in the default configuration write-protection is not enabled for the BIOS/ME/GbE regions of flash.
CompuLab have created a patch to resolve the issue, however they have not yet released the patch publicly. This vulnerability is being published as the 90 day disclosure deadline has been reached.
Affected versions:
====================
All firmware versions since product release (latest public firmware is 21 June 2016)
Attack Vector:
====================
An attacker tricks the user into running a malicious executable with local administrator privileges, which updates the system firmware to include the attacker's code.
Proof of concept:
====================
I have created a modified firmware update which replaces the stock UEFI shell with the UEFI shell from EDK2. The update can be flashed from within Windows without any user interaction or notification. Firmware updates are not signed by CompuLab or verified by the existing firmware before upgrade.
The modified update can be downloaded here: https://watchmysys.com/blog/wp-content/uploads/2017/06/update-IPC-20160621-edk2.zip
Details of the full proof of concept can be found at the Source link above.
Disclosure timeline:
====================
1 March 2017: Vulnerability is reported to CompuLab via their support email address
2 March 2017: CompuLab replies they will create a beta BIOS to address the vulnerability
6 March 2017: I request a timeline to fix the issue
7 March 2017: CompuLab replies they will create a beta BIOS for testing and they "will provide an official public release in the future"
8 March 2017: CompuLab replies with instructions to run closemnf via the Intel FPT tool
8 March 2017: I inform CompuLab I am waiting for the official BIOS update to resolve the issue
8 March 2017: CompuLab replies with copy of Intel FPT tool and requests "not to publish or disclose this information"
8 March 2017: CompuLab is informed that details of the vulnerability will be published on 4 June 2017
23 April 2017: Issue is reported to MITRE
24 April 2017: Vulnerability is assigned CVE-2017-8083
3 May 2017: CompuLab communicates that they will delay fixing this vulnerability until Intel provides an updated ME firmware to address CVE-2017-5689
4 May 2017: I inform CompuLab that details of this vulnerability will be published on 4 June 2017 as previously discussed
11 May 2017: CompuLab sends a proposed fix for testing, the update script fails due to invalid command syntax for flashrom
14 May 2017: I inform CompuLab of the invalid syntax and provide the correct usage, and confirm that the fix enables write-protection on the ME/BIOS/GbE regions of flash
15 May 2017: CompuLab replies with a revised update script
15 May 2017: I inform CompuLab that the syntax of the revised script is correct, however my unit has already been updated so I cannot re-test
4 June 2017: Details of the vulnerability are published
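CloseMnf locks the descriptor's master access permissions, which is what decides whether the host can write the ME, GbE and descriptor regions at all. The block below is an added example, not part of Hal Martin's advisory or of CompuLab's fix: it decodes the host (CPU/BIOS) master permissions from an Intel flash descriptor so the state can be checked on a dump of the flash. It assumes the pre-Skylake descriptor layout of the PCH generation used in these 2013-era boards (signature 0x0FF0A55A at offset 0x10, FLMAP1 at 0x18 with the master section base in its low byte in 16-byte units, FLMSTR1 at that base with region read bits 20:16 and write bits 28:24 in the order Descriptor, BIOS, ME, GbE, Platform Data). The two descriptors it checks are constructed, not dumped from an Intense PC, and 0x0A0B0000 is a commonly seen locked profile rather than CompuLab's own.

```python
"""Decode host CPU/BIOS access to SPI flash regions from an Intel flash descriptor.

Added example for the CloseMnf discussion above; not code from the advisory or
from CompuLab. Layout assumptions (pre-Skylake PCH descriptor):
  offset 0x10: FLVALSIG = 0x0FF0A55A
  offset 0x18: FLMAP1, bits 7:0 = FMBA, master section base in 16-byte units
  FMBA + 0:    FLMSTR1 (host CPU/BIOS master), bits 20:16 region read access,
               bits 28:24 region write access, one bit per region in the order
               Descriptor, BIOS, ME, GbE, Platform Data
"""
import struct
import sys

FLVALSIG = 0x0FF0A55A
FLMAP1_OFFSET = 0x18
REGIONS = ("Descriptor", "BIOS", "ME", "GbE", "PDR")


def _u32(blob, offset):
    return struct.unpack_from("<I", blob, offset)[0]


def parse_flmstr1(blob):
    """Return {'read': {region: bool}, 'write': {region: bool}} for the host master."""
    if len(blob) < 0x20 or _u32(blob, 0x10) != FLVALSIG:
        raise ValueError("no valid flash descriptor signature at offset 0x10")
    fmba = (_u32(blob, FLMAP1_OFFSET) & 0xFF) << 4
    if fmba + 4 > len(blob):
        raise ValueError("master section lies outside the supplied data")
    flmstr1 = _u32(blob, fmba)
    read_bits = (flmstr1 >> 16) & 0x1F
    write_bits = (flmstr1 >> 24) & 0x1F
    return {
        "read": {r: bool((read_bits >> i) & 1) for i, r in enumerate(REGIONS)},
        "write": {r: bool((write_bits >> i) & 1) for i, r in enumerate(REGIONS)},
    }


def host_writable_regions(blob):
    """Regions the host CPU/BIOS master is allowed to write."""
    write = parse_flmstr1(blob)["write"]
    return [r for r in REGIONS if write[r]]


def descriptor_unlocked(blob):
    """True when the host may still write the Descriptor or ME region.

    That is the open (manufacturing) state: with Descriptor write access the
    host can rewrite these very permissions, and with ME write access it can
    replace the ME firmware. CloseMnf is what removes both.
    """
    write = parse_flmstr1(blob)["write"]
    return write["Descriptor"] or write["ME"]


def make_descriptor(flmstr1, fmba=0x60):
    """Build a minimal descriptor blob (constructed test data) with the given FLMSTR1."""
    blob = bytearray(0x100)
    struct.pack_into("<I", blob, 0x10, FLVALSIG)
    struct.pack_into("<I", blob, FLMAP1_OFFSET, fmba >> 4)  # FMBA in the low byte
    struct.pack_into("<I", blob, fmba, flmstr1)
    return bytes(blob)


# Constructed descriptors: a commonly seen locked profile (host reads
# Descriptor/BIOS/GbE, writes BIOS/GbE) and a fully open one.
LOCKED_DESCRIPTOR = make_descriptor(0x0A0B0000)
OPEN_DESCRIPTOR = make_descriptor(0xFFFF0000)

if __name__ == "__main__":
    # Usage: python flmstr1.py image.bin   (the first 4 KiB of a flash dump suffice)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(0x1000)
    else:
        data = OPEN_DESCRIPTOR
    print("host-writable regions:", host_writable_regions(data))
    print("descriptor unlocked:", descriptor_unlocked(data))
```

Feed it the start of a full chip image read with flashrom (`flashrom -p internal -r image.bin`); the descriptor is region 0 at the beginning of the chip. A locked descriptor is necessary but not sufficient: the BIOS region normally stays host-writable so that the firmware can update its own variables, and its protection depends on the separate BIOS control and protected-range registers, which this check does not cover.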
| VAR-201704-1320 | CVE-2017-8223 | Wireless IP Camera (P2P) WIFICAM devices: missing authentication on the RTSP stream |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
On Wireless IP Camera (P2P) WIFICAM devices, an attacker can use the RTSP server on port 10554/tcp to watch the streaming without authentication via tcp/av0_1 or tcp/av0_0. Wireless IP Camera (P2P) WIFICAM is a remote network camera. Because the RTSP server performs no authentication, anyone who can reach port 10554/tcp can view the live video through the tcp/av0_0 or tcp/av0_1 stream paths.
| VAR-201704-1321 | CVE-2017-8224 | Wireless IP Camera (P2P) WIFICAM devices: use of hard-coded credentials (Telnet root backdoor) |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Wireless IP Camera (P2P) WIFICAM devices have a backdoor root account that can be accessed with TELNET. The device therefore contains a vulnerability related to the use of hard-coded credentials; information may be obtained or altered, and a denial of service (DoS) may result. Wireless IP Camera (P2P) WIFICAM is a remote network camera. An attacker who can reach the Telnet service can log in to the root account with the built-in credentials and take full control of the device.