VARIoT IoT vulnerabilities database

GIGABYTE BRIX UEFI firmware for the GB-BSi7H-6500 (version F6) and GB-BXi7-5775 (version F2) platforms does not securely implement BIOSWE, BLE, SMM_BWP, and PRx features. As a result, the BIOS is not protected from arbitrary write access and may permit modifications to the SPI flash. It also is not cryptographically signed. These issues can be used to run rootkits at the firmware level or permanently disrupt service to the system. (DoS) It is possible to execute an attack. Failure of protection mechanism (CWE-693) - CVE-2017-3197 GIGABYTE BRIX Platform to protect firmware writing BIOSWE , BLE , SMM_BWP , PRx There is a problem where the bits are not set properly. as a result, SPI flash May be tampered with. Inadequate verification of data reliability (CWE-345) - CVE-2017-3198 GIGABYTE BRIX of UEFI Firmware update is not signed. Also, from the support page without checksum HTTP Is provided via. As a result, even if the firmware is tampered with, it cannot be detected. For more information, Cylance Advisory for CLVA-2017-01-001 and CLVA-2017-01-002 Please refer to. CLVA-2017-01-001 https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-001.md CLVA-2017-01-002 https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-002.mdAn attacker could run a rootkit at the firmware level or permanently disrupt service to the system (DoS) An attack may be executed. Multiple GIGABYTE Products are prone to multiple security-bypass vulnerabilities. A local attacker may exploit these issues to bypass certain security restrictions and perform unauthorized actions

fastping.c in MRLG (aka Multi-Router Looking Glass) before 5.5.0 allows remote attackers to cause an arbitrary memory write and memory corruption. MRLG (also known as Multi-Router Looking Glass) is a set of tools for network operators to query network elements. The fastping.c file in versions prior to MRLG 5.5.0 has a security vulnerability

GIGABYTE BRIX UEFI firmware does not cryptographically validate images prior to updating the system firmware. Additionally, the firmware updates are served over HTTP. An attacker can make arbitrary modifications to firmware images without being detected. It also is not cryptographically signed. These issues can be used to run rootkits at the firmware level or permanently disrupt service to the system. (DoS) It is possible to execute an attack. Failure of protection mechanism (CWE-693) - CVE-2017-3197 GIGABYTE BRIX Platform to protect firmware writing BIOSWE , BLE , SMM_BWP , PRx There is a problem where the bits are not set properly. as a result, SPI flash May be tampered with. Also, from the support page without checksum HTTP Is provided via. For more information, Cylance Advisory for CLVA-2017-01-001 and CLVA-2017-01-002 Please refer to. CLVA-2017-01-001 https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-001.md CLVA-2017-01-002 https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-002.mdAn attacker could run a rootkit at the firmware level or permanently disrupt service to the system (DoS) An attack may be executed. Multiple GIGABYTE Products are prone to multiple security-bypass vulnerabilities. A local attacker may exploit these issues to bypass certain security restrictions and perform unauthorized actions

A weak password recovery process vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to execute unauthorized code or commands via a hidden Close button. Fortinet FortiPortal Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. FortiPortal is prone to the following multiple security vulnerabilities. An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, bypass security restriction and perform unauthorized actions, redirect users to an attacker-controlled site or obtain sensitive information. Versions prior to FortiPortal 4.0.1 are vulnerable

A Cross-Site Scripting vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to execute unauthorized code or commands via the applicationSearch parameter in the FortiView functionality. Fortinet FortiPortal Contains a cross-site scripting vulnerability.The information may be obtained and the information may be falsified. FortiPortal is prone to the following multiple security vulnerabilities. An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, bypass security restriction and perform unauthorized actions, redirect users to an attacker-controlled site or obtain sensitive information. Versions prior to FortiPortal 4.0.1 are vulnerable

A privilege escalation in Fortinet FortiClient Windows 5.4.3 and earlier as well as 5.6.0 allows attacker to gain privilege via exploiting the Windows "security alert" dialog thereby popping up when the "VPN before logon" feature is enabled and an untrusted certificate chain. Fortinet FortiClient Windows Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Fortinet FortiClient is prone to a privilege-escalation vulnerability. An attacker can exploit this issue to execute arbitrary code with elevated privileges. The following products are vulnerable: FortiClient Windows 5.6.0 FortiClient Windows 5.4.3 and prior. Fortinet FortiClient WindowsFortinet FortiClient for Windows is a set of mobile terminal security solutions based on the Windows platform from Fortinet. The solution provides IPsec and SSL encryption, WAN optimization, endpoint compliance, and two-factor authentication when connected to FortiGate firewall appliances. An escalation of privilege vulnerability exists in Fortinet FortiClient Windows 5.4.3 and earlier versions and 5.6.0

A hard-coded account named 'upgrade' in Fortinet FortiWLM 8.3.0 and lower versions allows a remote attacker to log-in and execute commands with 'upgrade' account privileges. FortiWLM is prone to a security-bypass vulnerability. Attackers can exploit this issue to bypass the authentication mechanism and gain unauthorized access to the device. FortiWLM versions 8.3.0 and prior are vulnerable. Fortinet FortiWLM is a wireless network device management platform developed by Fortinet

An open redirect vulnerability in Fortinet FortiPortal 4.0.0 and below allows attacker to execute unauthorized code or commands via the url parameter. Fortinet FortiPortal Contains an open redirect vulnerability.Information may be obtained and information may be altered. FortiPortal is prone to the following multiple security vulnerabilities. An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, bypass security restriction and perform unauthorized actions, redirect users to an attacker-controlled site or obtain sensitive information. Versions prior to FortiPortal 4.0.1 are vulnerable. Fortinet FortiPortal is a product developed by Fortinet to help Managed Security Service Provider (MSSP) operate cloud-based security management and log retention services

A Cross-Site Scripting vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to execute unauthorized code or commands via the 'Name' and 'Description' inputs in the 'Add Revision Backup' functionality. Fortinet FortiPortal Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. FortiPortal is prone to the following multiple security vulnerabilities. An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, bypass security restriction and perform unauthorized actions, redirect users to an attacker-controlled site or obtain sensitive information. Versions prior to FortiPortal 4.0.1 are vulnerable. Fortinet FortiPortal is a product developed by Fortinet to help Managed Security Service Provider (MSSP) operate cloud-based security management and log retention services

A password management vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to carry out information disclosure via the FortiAnalyzer Management View. Fortinet FortiPortal Contains an information disclosure vulnerability.Information may be obtained. FortiPortal is prone to the following multiple security vulnerabilities. An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, bypass security restriction and perform unauthorized actions, redirect users to an attacker-controlled site or obtain sensitive information. Versions prior to FortiPortal 4.0.1 are vulnerable. Fortinet FortiPortal is a product developed by Fortinet to help Managed Security Service Provider (MSSP) operate cloud-based security management and log retention services

An improper Access Control vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to interact with unauthorized VDOMs or enumerate other ADOMs via another user's stolen session and CSRF tokens or the adomName parameter in the /fpc/sec/customer/policy/getAdomVersion request. Fortinet FortiPortal Contains an access control vulnerability.Information may be obtained and information may be altered. FortiPortal is prone to the following multiple security vulnerabilities. An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, bypass security restriction and perform unauthorized actions, redirect users to an attacker-controlled site or obtain sensitive information. Versions prior to FortiPortal 4.0.1 are vulnerable. Fortinet FortiPortal is a product developed by Fortinet to help Managed Security Service Provider (MSSP) operate cloud-based security management and log retention services. An access control error vulnerability exists in Fortinet FortiPortal 4.0.0 and earlier versions

An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the "Intel Graphics Driver" component. It allows attackers to obtain sensitive information from kernel memory via a crafted app. Apple macOS is prone to an information-disclosure vulnerability. Apple macOS Sierra is a dedicated operating system developed by Apple for Mac computers

In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's configuration utilities for adding (and detecting) Active Directory servers was vulnerable to remote command injection, aka NSWA-1314. Vendors have confirmed this vulnerability NSWA-1314 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. The product supports real-time network threat protection, custom web filtering and dynamic control applications. A remote attacker can exploit this vulnerability to inject commands. Exploiting these issues could allow an attacker to execute arbitrary commands in context of the affected application or hijack an arbitrary session and gain unauthorized access to the affected application

In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304. Vendors have confirmed this vulnerability NSWA-1304 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. The product supports real-time network threat protection, custom web filtering and dynamic control applications. A remote attacker can exploit this vulnerability to inject commands. Exploiting these issues could allow an attacker to execute arbitrary commands in context of the affected application or hijack an arbitrary session and gain unauthorized access to the affected application

Secure Download Links is an application that provides secure downloads. The 'dc' parameter of Secure Download Links has a SQL injection vulnerability that allows remote unauthenticated attackers to obtain sensitive information through this vulnerability.

An issue was discovered on Humax Digital HG100 2.0.6 devices. The attacker can find the root credentials in the backup file, aka GatewaySettings.bin. Humax Digital HG100 Contains an information disclosure vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The HumaxDigitalHG100R is a router from Humax Digital, Korea. A security vulnerability exists in the HumaxDigitalHG100R version 2.0.6

An issue was discovered on Humax Digital HG100R 2.0.6 devices. There is XSS on the 404 page. Humax Digital HG100R Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. The HumaxDigitalHG100R is a router from Humax Digital, Korea. A cross-site scripting vulnerability exists in the 404 page in the HumaxDigitalHG100R version 2.0.6. A remote attacker can exploit this vulnerability to inject arbitrary web scripts or HTML. Humax Digital HG100R multiple vulnerabilities Device: Humax HG100R Software Version: VER 2.0.6 - Backup file download (CVE-2017-7315) An issue was discovered on Humax Digital HG100R 2.0.6 devices, a modem commonly used by ISPs to provide ADSL internet service to household and small business users. (CHECA ESSA INFO) To download the backup file it's not required the use of credentials or any authentication, and the router credentials are stored in plaintext inside the backup. PoC wget http://192.168.0.1/view/basic/GatewaySettings.bin strings GatewaySettings.bin | grep -A 1 admin -------------------------------------------------------------------------------- - XSS Reflected(CVE-2017-7316) An issue was discovered on Humax Digital HG100R 2.0.6 devices. DESCREVE BREVEMENTE O QUE A XSS REFLECTED E FALA O QUE PODE FAZER COM O USUARIO USANDO ISSO. PoC http://192.168.0.1<script>alert('XSS')</script> -------------------------------------------------------------------------------- - Default credentials to router's web application not declared in the manual(CVE-2017-7317) NAO ENTENDI ESSA FRASE. The attacker can find the root credentials in the backup file. PoC wget http://192.168.0.1/view/basic/GatewaySettings.bin strings GatewaySettings.bin | grep -A 1 root Timeline 2017-03-15 - First contact. Ignored by the vendor. 2017-03-21 - Second contact. 2017-03-22 - The vendor answered asking about the vulnerability. 2017-03-27 - Asked the vendor about his security team contact informarion to report the vulnerability. 2017-03-28 - The vendor answered saying that it is an old product, and they will check this vulnerabilities in the news products. 2017-03-28 - Ask the vendor about a patch. 2017-03-30 - Ask the vendor again about the patch. 2017-04-03 - Notified the vendor about the disclousure after 90 days, even without a patch. 2017-04-19 - Ask the vendor about a patch. 2017-05-08 - Ask the vendor about a patch. 2017-06-29 - Disclosure

An issue was discovered on Humax Digital HG100R 2.0.6 devices. To download the backup file it's not necessary to use credentials, and the router credentials are stored in plaintext inside the backup, aka GatewaySettings.bin. Humax Digital HG100R Contains an information disclosure vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The HumaxDigitalHG100R is a router from Humax Digital, Korea. A security vulnerability exists in the HumaxDigitalHG100R version 2.0.6. Humax Digital HG100R multiple vulnerabilities Device: Humax HG100R Software Version: VER 2.0.6 - Backup file download (CVE-2017-7315) An issue was discovered on Humax Digital HG100R 2.0.6 devices, a modem commonly used by ISPs to provide ADSL internet service to household and small business users. PoC wget http://192.168.0.1/view/basic/GatewaySettings.bin strings GatewaySettings.bin | grep -A 1 admin -------------------------------------------------------------------------------- - XSS Reflected(CVE-2017-7316) An issue was discovered on Humax Digital HG100R 2.0.6 devices. DESCREVE BREVEMENTE O QUE A XSS REFLECTED E FALA O QUE PODE FAZER COM O USUARIO USANDO ISSO. There is XSS reflected on the 404 page. PoC http://192.168.0.1<script>alert('XSS')</script> -------------------------------------------------------------------------------- - Default credentials to router's web application not declared in the manual(CVE-2017-7317) NAO ENTENDI ESSA FRASE. PoC wget http://192.168.0.1/view/basic/GatewaySettings.bin strings GatewaySettings.bin | grep -A 1 root Timeline 2017-03-15 - First contact. Ignored by the vendor. 2017-03-21 - Second contact. 2017-03-22 - The vendor answered asking about the vulnerability. 2017-03-27 - Asked the vendor about his security team contact informarion to report the vulnerability. 2017-03-28 - The vendor answered saying that it is an old product, and they will check this vulnerabilities in the news products. 2017-03-28 - Ask the vendor about a patch. 2017-03-30 - Ask the vendor again about the patch. 2017-04-03 - Notified the vendor about the disclousure after 90 days, even without a patch. 2017-04-19 - Ask the vendor about a patch. 2017-05-08 - Ask the vendor about a patch. 2017-06-29 - Disclosure

Privilege escalation vulnerability in CentreCOM AR260S V2 remote authenticated attackers to gain privileges via the guest account. CentreCOM AR260S V2 provided by Allied Telesis K.K. is a wired LAN router. Ziv Chang of Trend Micro Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.Unintended operations may be performed with administrative privileges by a user who can log into the produt with "guest" account

Trango Apex <= 2.1.1, ApexLynx < 2.0, ApexOrion < 2.0, ApexPlus <= 3.2.0, Giga <= 2.6.1, GigaLynx < 2.0, GigaOrion < 2.0, GigaPlus <= 3.2.3, GigaPro <= 1.4.1, StrataLink < 3.0, and StrataPro devices have a built-in, hidden root account, with a default password that was once stored in cleartext within a software update package on a Trango FTP server. This account is accessible via SSH and/or TELNET, and grants access to the underlying embedded UNIX OS on the device, allowing full control over it. plural Trango The product contains a vulnerability involving the use of hard-coded credentials.Information is acquired, information is falsified, and denial of service (DoS) An attack could be made. Prologix Trango Apex Lynx, etc. are all products of UAE Prologix company. Apex Lynx is an outdoor microwave backhaul system. Apex Orion is a full-duplex point-to-point radio link for use in Apex Lynx. A security vulnerability exists in several Prologix Trango products. The following products and versions are affected: Prologix Trango Apex 2.1.1 and prior; Apex Lynx 2.0 and prior; Apex Orion 2.0 and prior; ApexPlus 3.2.0 and prior; Giga 2.6.1 and prior; Giga Lynx 2.0 and earlier; Giga Orion 2.0 and earlier; GigaPlus 3.2.3 and earlier; GigaPro 1.4.1 and earlier; StrataLink 3.0 and earlier; StrataPro