VARIoT IoT vulnerabilities database

Buffer overflow on Hikvision NVR DS-76xxNI-E1/2 and DS-77xxxNI-E4 devices before 3.4.0 allows remote authenticated users to cause a denial of service (service interruption) via a crafted HTTP request, aka the ISAPI issue. Hikvision NVR DS-76xxNI-E1/2 and DS-77xxxNI-E4 The device contains a buffer overflow vulnerability. Hikvision NVRDS-76xxNI-E1/2 and DS-77xxxNI-E4 are HDKvision's hard disk recorders. Hikvision NVR DS-77xxxNI-E4 etc. The following products and versions are affected: Hikvision NVR DS-77xxxNI-E4 prior to 3.4.0; DS-76xxNI-E1 prior to 3.4.0; DS-76xxNI-E2 prior to 3.4.0

Buffer overflow on Hikvision NVR DS-76xxNI-E1/2 and DS-77xxxNI-E4 devices before 3.4.0 allows remote authenticated users to cause a denial of service (service interruption) via a crafted HTTP request, aka the SDK issue. Hikvision NVR DS-76xxNI-E1/2 and DS-77xxxNI-E4 The device contains a buffer overflow vulnerability. Hikvision NVRDS-76xxNI-E1/2 and DS-77xxxNI-E4 are HDKvision's hard disk recorders. Hikvision NVR DS-77xxxNI-E4 etc. The following products and versions are affected: Hikvision NVR DS-77xxxNI-E4 prior to 3.4.0; DS-76xxNI-E1 prior to 3.4.0; DS-76xxNI-E2 prior to 3.4.0

A vulnerability in a custom-built GoAhead web server used on Foscam, Vstarcam, and multiple white-label IP camera models allows an attacker to craft a malformed HTTP ("GET system.ini HTTP/1.1\n\n" - note the lack of "/" in the path field of the request) request that will disclose the configuration file with the login password. Foscam is an intelligent network camera that can monitor mobile, voice and temperature, and can push messages to mobile phones. It also has functions such as mobile phone viewing and one-click sharing. Both Foscam and Vstarcam IP camera are network camera products. Goahead webserver is one of the cross-platform embedded webserver. Foscam, Vstarcam and white label IP camera are all IP camera products. Goahead webserver is one of the cross-platform embedded WebServer. There is a security vulnerability in the GoAhead web server used in the Foscam and Vstarcam IP cameras. An attacker can exploit this vulnerability to leak configuration files by sending malicious HTTP requests

A command-injection vulnerability exists in a web application on a custom-built GoAhead web server used on Foscam, Vstarcam, and multiple white-label IP camera models. The mail-sending form in the mail.htm page allows an attacker to inject a command into the receiver1 field in the form; it will be executed with root privileges. Foscam is a webcam that can push messages to mobile phones and directly implement video Baidu cloud storage via WIFI. Both Foscam and Vstarcam IP camera are network camera products. Goahead webserver is one of the cross-platform embedded webserver

Keekoon KK002 devices 1.8.12 HD have a Cross Site Request Forgery Vulnerability affecting goform/formChnUserPwd and goform/formUserMng (and the entire set of other pages). Keekoon KK002 device HD Contains a cross-site request forgery vulnerability.Cross-site request forgery may be executed. Kaiguang KK002 is a wireless camera from Keekoon Corporation of China. An attacker could exploit the vulnerability to perform unauthorized operations

A Remote Arbitrary Code Execution vulnerability in HPE Intelligent Management Center (IMC) PLAT version 7.2 E0403P06 was found. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within CommonUtils. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute arbitrary code under the context of SYSTEM. The solution provides network-wide visibility for comprehensive management of resources, services and users

A Remote Arbitrary File Download vulnerability in HPE Intelligent Management Center (IMC) PLAT version 7.2 E0403P06 was found. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within FileUploadServlet. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute arbitrary code under the context of SYSTEM. The solution provides network-wide visibility for comprehensive management of resources, services and users

SamsungSmartCam is a security surveillance camera based on cloud services. There is a command injection vulnerability in SmartCamSNH-1011, which is caused by iWatch (a webcam monitoring service) about PHP scripts that allow users to update iWatch by uploading files and failing to effectively check the uploaded file names. An attacker can exploit the vulnerability to inject shell commands and gain root privileges to execute remote code.

A hard-coded cryptographic key vulnerability was identified in Red Lion Controls Sixnet-Managed Industrial Switches running firmware Version 5.0.196 and Stride-Managed Ethernet Switches running firmware Version 5.0.190. Vulnerable versions of Stride-Managed Ethernet switches and Sixnet-Managed Industrial switches use hard-coded HTTP SSL/SSH keys for secure communication. Because these keys cannot be regenerated by users, all products use the same key. The attacker could disrupt communication or compromise the system. CVSS v3 base score: 10, CVSS vector string: (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Red Lion Controls recommends updating to SLX firmware Version 5.3.174

On Cambium Networks cnPilot R200/201 devices before 4.3, there is a vulnerability involving the certificate of the device and its RSA keys, aka RBN-183. Vendors have confirmed this vulnerability RBN-183 It is released as.It may be affected unspecified. CambiumNetworkscnPilotR200/201 is a 2.4G802.11n single-frequency router supporting cloud management in Cambium Networks, USA. A security vulnerability exists in versions prior to CambiumNetworkscnPilotR200/2014.3. There are currently no detailed details of the vulnerability provided

On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the Guest user, which contains the lowest privileges, can post to the idSourceFileName parameter found within the /download directory. This ability allows for an attacker to download sensitive system files from the host machine such as databases which contain information that can aid in further attacks. The system is used to monitor fuel storage and provides an intuitive and easy-to-read interface for alarm functions

On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the roleDiag user, which can be obtained by exploiting CVE-2013-7247, has the ability to upload files to the server hosting the web service. As no sanitization checks are in place, an attacker can upload a malicious payload. Franklin Fueling Systems TS-550 evo is a fuel management system from Franklin Fueling Systems in the United States. The system is used to monitor fuel storage and provides an intuitive and easy-to-read interface for alarm functions. A security vulnerability exists in Franklin Fueling Systems TS-550 evo version 2.3.0.7332

HPE LoadRunner before 12.53 Patch 4 and HPE Performance Center before 12.53 Patch 4 allow remote attackers to execute arbitrary code via unspecified vectors. At least in LoadRunner, this is a libxdrutil.dll mxdr_string heap-based buffer overflow. HPE LoadRunner and Performance Center Contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Authentication is not required to exploit this vulnerability. The specific flaw exists within the libxdrutil.dll mxdr_string method. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code under the context of the current process. HP Intelligent Management Center (iMC) is a network intelligent management center solution from Hewlett Packard (HP). A remote heap buffer overflow vulnerability exists in HP LoadRunner/Performance Center that was caused by insufficient boundary checking before copying user data to a memory buffer of insufficient size. A failed attack can result in a denial of service. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03712en_us SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: hpesbgn03712en_us Version: 1 HPESBGN03712 rev.1 - HPE LoadRunner and Performance Center, Remote Code Execution NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2017-03-07 Last Updated: 2017-03-07 Potential Security Impact: Remote: Code Execution Source: Hewlett Packard Enterprise, Product Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified in HPE LoadRunner and Performance Center. References: - CVE-2017-5789 - Remote Code Execution SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. - HPE LoadRunner - v12.53.0 and earlier - HPE Performance Center - v12.53.0 and earlier BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2017-5789 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499 Hewlett Packard Enterprise thanks Tenable Network Security working with Trend Micro's Zero Day Initiative (ZDI) for reporting this issue to security-alert@hpe.com RESOLUTION HPE has provided the following software updates to resolve the vulnerability in the impacted versions of HPE LoadRunner and Performance Center. **LoadRunner** - Please download and install v12.53 Patch 4 using following links: * LoadRunner Full: <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets arch/document/LID/LR_03639> * Load Generator SA: <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets arch/document/LID/LRLG_00131> * VuGen SA: <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets arch/document/LID/LRVUG_00214> * Analysis SA: <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets arch/document/LID/LRANLSYS_00110> * TruClient SA: <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets arch/document/LID/LRTC_00005> Release notes for the LoadRunner patch is available at: <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets arch/document/KM02688589> **Performance Center** - Please download and install v12.53 Patch 4 using following link: * Performance Center Server and Host: <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets arch/document/LID/PC_00312> Release notes for the Performance Center patch is available at: <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets arch/document/KM02690789> HISTORY Version:1 (rev.1) - 7 March 2017 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX Copyright 2016 Hewlett Packard Enterprise Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJYvySUAAoJELXhAxt7SZai2r4H+wSohWbdWZfY+1GVhhXcJhoI 9PrgkcoW6Bo2tJI8JCveAKrpJWqzXhx77zPb94Bf8ER3KyUiFTOhx/z5Kv2cW2a3 MswkriLaMzi1G8cihlmtqmTRFfrNn5AJZSOPKR12iuRgpUEnkxTf3727SKrp25uv 1ZD8xXigrEiF3i5KnXR4UJGzv8LZjcwv5ClO13SysR8oTBa0UTKIrvN9s6wkyIEX cMV9BWFknvuC4Nh2lo6uXWqT5mc8Ur5Z1XMMbP9AdVsqd4O1RC70BXBDJ7fvg6qb 0TsnnxyUi40ZqC3DxpFgOdxe0veWZ41wIpVypgyoD78QVi2AbGRDAV6l0R75zgg= =VjbZ -----END PGP SIGNATURE-----

Livebox 3 Sagemcom SG30_sip-fr-5.15.8.1 devices have an insufficiently large default value for the maximum IPv6 routing table size: it can be filled within minutes. An attacker can exploit this issue to render the affected system unresponsive, resulting in a denial-of-service condition for telephone, Internet, and TV services. Livebox3Sagemcom is a modem router. A denial of service vulnerability exists in Livebox3Sagemcom that could be exploited by an attacker to prevent a system from responding to normal requests and causing a denial of service. Livebox 3 Sagemcom is prone to a local denial-of-service vulnerability. Livebox 3 Sagemcom version SG30_sip-fr-5.15.8.1 is vulnerable; other versions may also be affected. A security vulnerability exists in Livebox 3 Sagemcom SG30_sip-fr-5.15.8.1 version

A Remote Cross Site Request Forgery (CSRF) vulnerability in HPE 2620 Series Network Switches version RA.15.05.0006 was found. The HP2620 Series NetworkSwitches is a 2620 series switch from Hewlett Packard (HP). This series of switches supports IPV4/IPv6 static and RIP routing. A cross-site request forgery vulnerability exists in HP2620SeriesNetworkSwitches due to a program failing to properly validate HTTP requests. A remote attacker could exploit this vulnerability to perform unauthorized operations. Other attacks are also possible. References: - CVE-2017-5796 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. - HP MSR2000 Router Series RA.15.05.0006 BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2017-5796 9.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499 RESOLUTION HPE has made the following software updates and mitigation information to resolve the vulnerability in HPE 2620 Series Network Switches: * Install RA.15.15.0014 or a subsequent version. **Note:** Please contact HPE Technical Support if any assistance is needed acquiring the software updates HISTORY Version:1 (rev.1) - 10 March 2017 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX Copyright 2016 Hewlett Packard Enterprise Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJYwvKVAAoJELXhAxt7SZaiEN4H/jo7Yam0hzb8p5LC8Ug88Tl/ aq+9WnL/ABCM8MWZG22fel7EPJaaudseVTCnBOshBcBhSX79xbTnzWUguOAPstaY VIZ8w+rNNm0d8Z6gNF/prLahHGbkLLczvBiOm0YHk7Z7PdmvV7CUpY3go3FKcdbu kgvZGDDvoztyoVeuvbTn7YONALQevJSvu4SvCjHFWyVTJNs6cwBBHwVp4uY/vPfZ PqwE1+scT10Y3NeQyv1H+LyyV5px4HK37PTwJ8NoAx0jPHDCqfuST6HXfWhJvVeb AejMcDPWDxvhwn7H6mkG4Q7EJNMdE8ZawAUcoVFCzGl70AxTyWr8cZaykA8vS2s= =nJ3A -----END PGP SIGNATURE-----

Televes COAXDATA GATEWAY 1Gbps devices doc-wifi-hgw_v1.02.0014 4.20 do not check password.shtml authorization, leading to Arbitrary password change. Televes COAXDATA GATEWAY 1Gbps The device password.shtml There is a vulnerability related to certificate / password management because authentication is not checked.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. TelevesCOAXDATAGATEWAY1Gbpsdevices is a wireless router device from Televes, Spain. A security vulnerability exists in the TelevesCOAXDATAGATEWAY 1Gbps device due to lack of access control and detection on the client side. An attacker could use this vulnerability to change the password of an administrator user

On Televes COAXDATA GATEWAY 1Gbps devices doc-wifi-hgw_v1.02.0014 4.20, the backup/restore feature lacks access control, related to ReadFile.cgi and LoadCfgFile. Televes COAXDATA GATEWAY 1Gbps Devices have vulnerabilities related to certificate and password management because the backup / restore function lacks access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. TelevesCOAXDATAGATEWAY1Gbpsdevices is a wireless router device from Televes, Spain. An attacker could exploit this vulnerability to modify the configuration

Televes COAXDATA GATEWAY 1Gbps devices doc-wifi-hgw_v1.02.0014 4.20 have cleartext credentials in /mib.db. Televes COAXDATA GATEWAY 1Gbps The device /mib.db Vulnerabilities related to certificate and password management exist because it has clear text credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. TelevesCOAXDATAGATEWAY1Gbpsdevices is a wireless router device from Televes, Spain. A security vulnerability exists in the TelevesCOAXDATAGATEWAY 1Gbps device. An attacker could use this vulnerability to access a backup file that contains a clear text certificate. An attacker could exploit this vulnerability to obtain sensitive information

Buffer overflows in networkmap on ASUS RT-N56U, RT-N66U, RT-AC66U, RT-N66R, RT-AC66R, RT-AC68U, RT-AC68R, RT-N66W, RT-AC66W, RT-AC87R, RT-AC87U, RT-AC51U, RT-AC68P, RT-N11P, RT-N12+, RT-N12E B1, RT-AC3200, RT-AC53U, RT-AC1750, RT-AC1900P, RT-N300, and RT-AC750 routers with firmware before 3.0.0.4.380.7378; RT-AC68W routers with firmware before 3.0.0.4.380.7266; and RT-N600, RT-N12+ B1, RT-N11P B1, RT-N12VP B1, RT-N12E C1, RT-N300 B1, and RT-N12+ Pro routers with firmware before 3.0.0.4.380.9488; and Asuswrt-Merlin firmware before 380.65_2 allow remote attackers to execute arbitrary code on the router via a long host or port in crafted multicast messages. ASUSWRT is the ASUS router firmware. A remote execution code vulnerability exists in ASUSWRTRT-AC53. An attacker could exploit the vulnerability to execute arbitrary code in the context of the user running the affected application. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Asus ASUSWRT is prone to the following multiple security vulnerabilities. 1. A buffer-overflow vulnerability 2. A cross-site-scripting vulnerability. 3. A session-hijacking vulnerability. Failed exploit attempts will likely cause denial-of-service conditions. There is a buffer overflow vulnerability in the networkmap of ASUS ASUSWRT in RT-AC53 with firmware version 3.0.0.4.380.6038

Cross-site scripting (XSS) vulnerability in httpd on ASUS RT-N56U, RT-N66U, RT-AC66U, RT-N66R, RT-AC66R, RT-AC68U, RT-AC68R, RT-N66W, RT-AC66W, RT-AC87R, RT-AC87U, RT-AC51U, RT-AC68P, RT-N11P, RT-N12+, RT-N12E B1, RT-AC3200, RT-AC53U, RT-AC1750, RT-AC1900P, RT-N300, and RT-AC750 routers with firmware before 3.0.0.4.380.7378; RT-AC68W routers with firmware before 3.0.0.4.380.7266; and RT-N600, RT-N12+ B1, RT-N11P B1, RT-N12VP B1, RT-N12E C1, RT-N300 B1, and RT-N12+ Pro routers with firmware before 3.0.0.4.380.9488 allows remote attackers to inject arbitrary JavaScript by requesting filenames longer than 50 characters. ASUS RT-AC53 Run on device ASUSWRT of httpd Contains a cross-site scripting vulnerability.By a remote attacker, 50 By requesting a file name longer than 1 character, JavaScript May be inserted. Asus ASUSWRT is prone to the following multiple security vulnerabilities. 1. A buffer-overflow vulnerability 2. A cross-site-scripting vulnerability. 3. A session-hijacking vulnerability. Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application or steal cookie-based authentication credentials and gain unauthorized access. Failed exploit attempts will likely cause denial-of-service conditions. ASUS RT-AC53 is a wireless router made by ASUS. ASUS ASUSWRT is one of the wireless connection firmware. The httpd of ASUS ASUSWRT in RT-AC53 with firmware version 3.0.0.4.380.6038 has a cross-site scripting vulnerability