VARIoT IoT vulnerabilities database

NETWAVEIPCamera is a webcam product. NETWAVEIPCamera has a password leak vulnerability. The attacker can obtain the user name and password of the device through the POC code, which may result in password leakage.

The RG4332 is a wireless router. The TMRG4332 wireless router's web page has an arbitrary file disclosure vulnerability that can be exploited by an attacker to obtain sensitive information because the program does not adequately verify the user-supplied input.

An improper certificate validation vulnerability in Fortinet FortiManager 5.0.6 through 5.2.7 and 5.4.0 through 5.4.1 allows remote attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack via the Fortisandbox devices probing feature. FortiManager is prone to an information-disclosure vulnerability. An attacker can exploit this issue to obtain potentially sensitive information. Information obtained may aid in further attacks. FortiManager 5.0.6 through 5.2.7 and 5.4.0 through 5.4.1 are vulnerable. Fortinet FortiManager is a centralized network security management platform developed by Fortinet. The platform supports centralized management of any number of Fortinet devices, and can group devices into different management domains (ADOMs) to further simplify multi-device security deployment and management. A security vulnerability exists in Fortinet FortiManager due to the program not properly validating TLS certificates

A vulnerability in Common Internet Filesystem (CIFS) code in the Clientless SSL VPN functionality of Cisco ASA Software, Major Releases 9.0-9.6, could allow an authenticated, remote attacker to cause a heap overflow. The vulnerability is due to insufficient validation of user supplied input. An attacker could exploit this vulnerability by sending a crafted URL to the affected system. An exploit could allow the remote attacker to cause a reload of the affected system or potentially execute code. Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 or IPv6 traffic. A valid TCP connection is needed to perform the attack. The attacker needs to have valid credentials to log in to the Clientless SSL VPN portal. Vulnerable Cisco ASA Software running on the following products may be affected by this vulnerability: Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA 5500-X Series Next-Generation Firewalls, Cisco Adaptive Security Virtual Appliance (ASAv), Cisco ASA for Firepower 9300 Series, Cisco ASA for Firepower 4100 Series. Cisco Bug IDs: CSCvc23838. Failed exploit attempts will likely cause a denial-of-service condition. Cisco ASA: Buffer overflows in WebVPN cifs handling CVE-2017-3807 The WebVPN http server exposes a way of accessing files from CIFS with a url hook of the form: <a href="https://portal/+webvpn+/CIFS_R/share_server/share_name/file" title="" class="" rel="nofollow">https://portal/+webvpn+/CIFS_R/share_server/share_name/file</a>. When someone logged into the portal navigates to such an address, the http_cifs_process_path function parses the request URI and creates 2 C strings in a http_cifs_context struct: http_cifs_context: +0x160 char* file_dir +0x168 char* file_name These strings are copied in various places, but is done incorrectly. For example, in ewaURLHookCifs, there is the following pseudocode: filename_copy_buf = calloc(1LL, 336LL); net_handle[10] = filename_copy_buf; if ( filename_copy_buf ) { src_len = _wrap_strlen(filename_from_request); if ( filename_from_request[src_len - 1] == ('|') ) { // wrong length (src length) strncpy((char *)filename_copy_buf, filename_from_request, src_len - 1); } In this case, a fixed size buf (|filename_copy_buf|) is allocated. Later, strncpy is called to copy to it, but the length passed is the length of the src string, which can be larger than 366 bytes. This leads to heap overflow. There appear to be various other places where the copying is done in an unsafe way: http_cifs_context_to_name, which is called from ewaFile{Read,Write,Get}Cifs, and ewaFilePost, uses strcat to copy the file path and file name to a fixed size (stack) buffer. http_cifs_pre_fopen, which has a similar issue with passing the length of the src buffer to strncpy. Possibly http_add_query_str_from_context. There are probably others that I missed. Note that triggering this bug requires logging in to the WebVPN portal first, but the cifs share does not need to exist. Repro: Login to WebVPN portal, navigate to: <a href="https://portal/+webvpn+/CIFS_R/server/name/" title="" class="" rel="nofollow">https://portal/+webvpn+/CIFS_R/server/name/</a> followed by 500 'A's. ("server" and "name" may be passed verbatim) *** Error in `lina': malloc(): memory corruption: 0x00007fa40c53f570 *** ======= Backtrace: ========= /lib64/libc.so.6(+0x3f0486e74f)[0x7fa4139fc74f] /lib64/libc.so.6(+0x3f048783ee)[0x7fa413a063ee] /lib64/libc.so.6(+0x3f0487be99)[0x7fa413a09e99] /lib64/libc.so.6(__libc_malloc+0x60)[0x7fa413a0b5a0] lina(+0x321976a)[0x7fa41a2b276a] lina(mem_mh_calloc+0x123)[0x7fa41a2b4c83] lina(resMgrCalloc+0x100)[0x7fa419659410] lina(calloc+0x94)[0x7fa419589a34] lina(ewsFileSetupFilesystemDoc+0x28)[0x7fa41826a608] lina(ewsServeFindDocument+0x142)[0x7fa418278192] lina(ewsServeStart+0x114)[0x7fa4182784a4] lina(ewsParse+0x19a0)[0x7fa418272cc0] lina(ewsRun+0x9c)[0x7fa41826955c] lina(emweb_th+0x6ab)[0x7fa418286aeb] lina(+0xde58ab)[0x7fa417e7e8ab] This was tested on 9.6(2) This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Found by: ochang

A vulnerability in the Start Before Logon (SBL) module of Cisco AnyConnect Secure Mobility Client Software for Windows could allow an unauthenticated, local attacker to open Internet Explorer with the privileges of the SYSTEM user. The vulnerability is due to insufficient implementation of the access controls. An attacker could exploit this vulnerability by opening the Internet Explorer browser. An exploit could allow the attacker to use Internet Explorer with the privileges of the SYSTEM user. This may allow the attacker to execute privileged commands on the targeted system. This vulnerability affects versions prior to released versions 4.4.00243 and later and 4.3.05017 and later. Cisco Bug IDs: CSCvc43976. Cisco AnyConnect Secure Mobility Client is prone to a local privilege-escalation vulnerability. Start Before Logon (SBL) is one of the login dialog modules

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402310. References: QC-CR#1092497. GoogleNexus/Pixel is a Google smartphone from the United States. Google Nexus/ Pixel products are prone to multiple privilege-escalation vulnerabilities. These issues are being tracked by Android Bug IDs A-32402310, A-32402604, A-32450647, A-32454494, A-32451171, A-32451104, A-33252788, A-32872662, A-32871330, A-32877494 and A-32879283

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402604. References: QC-CR#1092497. GoogleNexus/Pixel is a Google smartphone from the United States. Google Nexus/ Pixel products are prone to multiple privilege-escalation vulnerabilities. These issues are being tracked by Android Bug IDs A-32402310, A-32402604, A-32450647, A-32454494, A-32451171, A-32451104, A-33252788, A-32872662, A-32871330, A-32877494 and A-32879283

An issue was discovered in Sielco Sistemi Winlog Lite SCADA Software, versions prior to Version 3.02.01, and Winlog Pro SCADA Software, versions prior to Version 3.02.01. An uncontrolled search path element (DLL Hijacking) vulnerability has been identified. Exploitation of this vulnerability could give an attacker access to the system with the same level of privilege as the application that utilizes the malicious DLL. SIELCO SISTEMI Winlog is an application for data acquisition and remote control of SCADA HMI monitoring software. A native code execution vulnerability exists in Sielco Sistemi Winlog Pro and Winlog Lite. An attacker exploited the vulnerability to execute arbitrary code or crash an application in an affected application, causing a denial of service

An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device's flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device's removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker's convenience. The Alaris 8015 PC unit is the heart of the Alaris System, a US company's BD that provides a user-common interface for programming intravenous infusions. An information disclosure vulnerability exists in the Alaris 8015 PC unit. Attackers can exploit vulnerabilities to obtain sensitive information and launch further attacks

MyCloudMirror is the MyCloud personal cloud storage device from Western Digital. WDMyCloudMirror has authentication bypass and remote code execution vulnerabilities that allow an attacker to exploit a vulnerability to bypass an restriction, perform an unauthorized operation, or execute arbitrary code.

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32450647. References: QC-CR#1092059. GoogleNexus/Pixel is a Google smartphone from the United States. Google Nexus/ Pixel products are prone to multiple privilege-escalation vulnerabilities. These issues are being tracked by Android Bug IDs A-32402310, A-32402604, A-32450647, A-32454494, A-32451171, A-32451104, A-33252788, A-32872662, A-32871330, A-32877494 and A-32879283

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32877494. References: QC-CR#1092497. GoogleNexus/Pixel is a Google smartphone from the United States. Google Nexus/ Pixel products are prone to multiple privilege-escalation vulnerabilities. These issues are being tracked by Android Bug IDs A-32402310, A-32402604, A-32450647, A-32454494, A-32451171, A-32451104, A-33252788, A-32872662, A-32871330, A-32877494 and A-32879283

An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device's flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection. The Alaris 8000 and 8015 PC units are at the heart of the BD Alaris system in the United States, providing a common user interface for programming intravenous fluids. An information disclosure vulnerability exists in Alaris 8000 and 8015 PC units. Attackers can exploit vulnerabilities to obtain sensitive information, leading to further attacks

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32879283. References: QC-CR#1091940. GoogleNexus/Pixel is a Google smartphone from the United States. Google Nexus/ Pixel products are prone to multiple privilege-escalation vulnerabilities. These issues are being tracked by Android Bug IDs A-32402310, A-32402604, A-32450647, A-32454494, A-32451171, A-32451104, A-33252788, A-32872662, A-32871330, A-32877494 and A-32879283

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32871330. References: QC-CR#1092497. Android is a Linux-based open source operating system jointly developed by Google Inc. and the Open Handheld Alliance. QualcommWi-Fidriver in Android on several Google devices has security vulnerabilities that allow remote attackers to exploit vulnerabilities to escalate permissions through special malicious applications. Google Nexus/ Pixel products are prone to multiple privilege-escalation vulnerabilities. These issues are being tracked by Android Bug IDs A-32402310, A-32402604, A-32450647, A-32454494, A-32451171, A-32451104, A-33252788, A-32872662, A-32871330, A-32877494 and A-32879283

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32454494. References: QC-CR#1087209. Qualcomm Wi-Fi The driver contains a privilege escalation vulnerability. GoogleNexus/Pixel is a Google smartphone from the United States. Google Nexus/ Pixel products are prone to multiple privilege-escalation vulnerabilities. These issues are being tracked by Android Bug IDs A-32402310, A-32402604, A-32450647, A-32454494, A-32451171, A-32451104, A-33252788, A-32872662, A-32871330, A-32877494 and A-32879283

The IBM Security Access Manager appliance includes configuration files that contain obfuscated plaintext-passwords which authenticated users can access. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. The product enables access management control through integrated appliances for web, mobile and cloud computing

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33252788. References: QC-CR#1095770. Google Nexus/ Pixel products are prone to multiple privilege-escalation vulnerabilities. These issues are being tracked by Android Bug IDs A-32402310, A-32402604, A-32450647, A-32454494, A-32451171, A-32451104, A-33252788, A-32872662, A-32871330, A-32877494 and A-32879283

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32872662. References: QC-CR#1095009. Google Nexus/ Pixel products are prone to multiple privilege-escalation vulnerabilities. These issues are being tracked by Android Bug IDs A-32402310, A-32402604, A-32450647, A-32454494, A-32451171, A-32451104, A-33252788, A-32872662, A-32871330, A-32877494 and A-32879283

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32636619. References: N-CVE-2017-0429. GoogleNexus9 is a tablet from Google Inc. in the United States. NVIDIA GPUDrivers is a graphics processor driver. Google Nexus is prone to multiple privilege-escalation vulnerabilities. These issues are being tracked by Android Bug IDs A-32401526 and A-32636619