VARIoT IoT vulnerabilities database
| VAR-201702-0075 | CVE-2016-8368 | Multiple vulnerabilities in Mitsubishi Electric MELSEC-Q Series Ethernet interface module |
CVSS V2: 5.0 CVSS V3: 8.6 Severity: HIGH |
An issue was discovered in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules QJ71E71-100, all versions, QJ71E71-B5, all versions, and QJ71E71-B2, all versions. The affected Ethernet interface module is connected to a MELSEC-Q PLC, which may allow a remote attacker to connect to the PLC via Port 5002/TCP and cause a denial of service, requiring the PLC to be reset to resume operation. This is caused by an Unrestricted Externally Accessible Lock. Using incomplete or dangerous encryption algorithms (CWE-327) - CVE-2016-8370: The password included in the communication data is encrypted with a weak encryption algorithm. Inappropriate restrictions on external operations (CWE-412) - CVE-2016-8368: A remote third party may cause a service disruption (DoS) of the PLC via port 5002/TCP. A password may be obtained by a remote party, or service operation may be interrupted (DoS). Mitsubishi Electric is a Japanese company. An attacker exploiting a vulnerability can cause a denial of service condition.
Attackers can exploit these issues to perform unauthorized actions or cause denial-of-service conditions.
| VAR-201702-0077 | CVE-2016-8370 | Multiple vulnerabilities in Mitsubishi Electric MELSEC-Q Series Ethernet interface module |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An issue was discovered in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules QJ71E71-100, all versions, QJ71E71-B5, all versions, and QJ71E71-B2, all versions. Weakly encrypted passwords are transmitted to a MELSEC-Q PLC. Using incomplete or dangerous encryption algorithms (CWE-327) - CVE-2016-8370: The password included in the communication data is encrypted with a weak encryption algorithm. Inappropriate restrictions on external operations (CWE-412) - CVE-2016-8368: A remote third party may cause a service disruption (DoS) of the PLC via port 5002/TCP. A password may be obtained by a remote party, or service operation may be interrupted (DoS). Mitsubishi Electric is a Japanese company. An attacker can exploit a vulnerability to perform an unauthorized operation.
| VAR-201704-1020 | CVE-2016-8780 | Resource exhaustion vulnerability in multiple Huawei CloudEngine products |
CVSS V2: 6.8 CVSS V3: 6.5 Severity: MEDIUM |
Huawei CloudEngine 6800 V100R006C00, CloudEngine 7800 V100R006C00, CloudEngine 8800 V100R006C00, and CloudEngine 12800 V100R006C00 allow remote attackers with specific permission to store massive files to exhaust the shared storage space, leading to a DoS condition. Multiple Huawei CloudEngine products are vulnerable to resource exhaustion. A service operation interruption (DoS) attack may be carried out. Huawei CloudEngine 12800, CloudEngine 6800, CloudEngine 7800, and CloudEngine 8800 are Huawei switch devices. A number of Huawei switches have a denial of service vulnerability. Multiple Huawei CloudEngine products are prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause a denial-of-service condition. Huawei CloudEngine 8800 and others are data center switches from China's Huawei. The following products are affected: Huawei CloudEngine 8800 V100R006C00, Huawei CloudEngine 7800 V100R006C00, Huawei CloudEngine 6800 V100R006C00, and Huawei CloudEngine 12800 V100R006C00.
| VAR-201704-1022 | CVE-2016-8789 | Huawei eSpace Integrated Access Device Software cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Huawei eSpace Integrated Access Device (IAD) with software V300R001C03, V300R001C04, V300R001C06, V300R001C20, and V300R001C07 allows an attacker to trick a user into clicking a URL containing malicious scripts to obtain user information or hijack the session, aka XSS. Huawei eSpace IAD is a comprehensive access device for Huawei's IP voice and unified communications solutions. A reflective cross-site scripting vulnerability exists in Huawei eSpace IAD products.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may help the attacker steal cookie-based authentication credentials and launch other attacks. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML. The following versions are affected: Huawei eSpace IAD V300R001C20, Huawei eSpace IAD V300R001C07, Huawei eSpace IAD V300R001C06, Huawei eSpace IAD V300R001C04, Huawei eSpace IAD V300R001C03.
| VAR-201702-0854 | CVE-2016-9353 | Advantech SUSIAccess Server Vulnerabilities in administrator account passwords |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
An issue was discovered in Advantech SUSIAccess Server Version 3.0 and prior. The admin password is stored in the system and is encrypted with a static key hard-coded in the program. Attackers could reverse the admin account password for use. This vulnerability allows attackers to escalate privileges on vulnerable installations of Advantech SUSIAccess Server. Authentication is not required to exploit this vulnerability. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of SYSTEM. SUSIAccess is an easy-to-use remote device management software solution.
Advantech SUSIAccess Server has a local privilege elevation vulnerability. Advantech SUSIAccess Server is a set of Advantech's Platform as a Service (PaaS) products for cloud and Internet of Things (IoT) devices.
| VAR-201611-0394 | No CVE | Buffer overflow vulnerability exists in Scada-os configuration software project file |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Scada-OS is a SCADA system developed by multiple SCADA configuration software engineers.
Scada-os configuration software version 6.1.0.0 has a buffer overflow vulnerability in its handling of project files. Because the software fails to check the length of the name tag content in the project file, an attacker could use this vulnerability to execute arbitrary code or cause a denial of service.
| VAR-201706-0094 | CVE-2016-7819 | Multiple I-O DATA network camera products vulnerable to OS command injection |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
I-O DATA DEVICE TS-WRLP firmware version 1.01.02 and earlier and TS-WRLA firmware version 1.01.02 and earlier allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors. Multiple network camera products provided by I-O DATA DEVICE, INC. contain an OS command injection vulnerability. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. An arbitrary OS command may be executed.
Attackers may leverage these issues to execute arbitrary code and commands in the context of the affected device. Failed exploits may result in denial-of-service conditions.
The following products are affected:
TS-WRLP firmware version 1.01.02 and prior.
TS-WRLA firmware version 1.01.02 and prior.
| VAR-201706-0095 | CVE-2016-7820 | Multiple I-O DATA network camera products vulnerable to buffer overflow |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
Buffer overflow in I-O DATA DEVICE TS-WRLP firmware version 1.01.02 and earlier and TS-WRLA firmware version 1.01.02 and earlier allows an attacker with administrator rights to cause a denial-of-service (DoS) or execute arbitrary code via unspecified vectors. Multiple network camera products provided by I-O DATA DEVICE, INC. contain a buffer overflow vulnerability. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Arbitrary code may be executed or a denial-of-service (DoS) condition may be caused.
Attackers may leverage these issues to execute arbitrary code and commands in the context of the affected device. Failed exploits may result in denial-of-service conditions.
The following products are affected:
TS-WRLP firmware version 1.01.02 and prior.
TS-WRLA firmware version 1.01.02 and prior.
| VAR-201611-0266 | CVE-2016-5765 | Arbitrary file read vulnerability in the management server of multiple Micro Focus products |
CVSS V2: 4.3 CVSS V3: 6.5 Severity: MEDIUM |
Administrative Server in Micro Focus Host Access Management and Security Server (MSS) and Reflection for the Web (RWeb) and Reflection Security Gateway (RSG) and Reflection ZFE (ZFE) allows remote unauthenticated attackers to read arbitrary files via a specially crafted URL that allows limited directory traversal. Applies to MSS 12.3 before 12.3.326 and MSS 12.2 before 12.2.342 and RSG 12.1 before 12.1.362 and RWeb 12.3 before 12.3.312 and RWeb 12.2 before 12.2.342 and RWeb 12.1 before 12.1.362 and ZFE 2.0.1 before 2.0.1.18 and ZFE 2.0.0 before 2.0.0.52 and ZFE 1.4.0 before 1.4.0.14. Authentication is not required to exploit this vulnerability. The specific flaw exists within the PassThru resource. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose sensitive information under the context of the current process. Multiple Micro Focus products are prone to a directory-traversal vulnerability.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to read arbitrary files in the context of the application. This may aid in further attacks. The following versions are affected: MSS 12.3 before 12.3.326, MSS 12.2 before 12.2.342; RSG 12.1 before 12.1.362; RWeb 12.3 before 12.3.312, RWeb 12.2 before 12.2.342, RWeb 12.1 before 12.1.362; ZFE 2.0.1 before 2.0.1.18, ZFE 2.0.0 before 2.0.0.52, ZFE 1.4.0 before 1.4.0.14.
| VAR-201702-0848 | CVE-2016-9345 | Privilege escalation vulnerability in Emerson DeltaV Easy Security Management |
CVSS V2: 4.9 CVSS V3: 6.8 Severity: MEDIUM |
An issue was discovered in Emerson DeltaV Easy Security Management DeltaV V12.3, DeltaV V12.3.1, and DeltaV V13.3. Critical vulnerabilities may allow a local attacker to elevate privileges within the DeltaV control system. Emerson DeltaV is a digital automation system from Emerson, USA. The system provides I/O on-demand configuration, embedded intelligent control and alarm panel functions. There is an elevation of privilege vulnerability in Emerson DeltaV
| VAR-201702-0297 | CVE-2016-8348 | Emerson Liebert SiteScan Information Disclosure Vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
An XML External Entity (XXE) issue was discovered in Emerson Liebert SiteScan Web Version 6.5, and prior. An attacker may enter malicious input to Liebert SiteScan through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network. Emerson Liebert SiteScan Web is a web-based data center monitoring application.
Emerson Liebert SiteScan Web has an information disclosure vulnerability that can be used by remote attackers to submit special requests to obtain sensitive information. Emerson Liebert SiteScan is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks.
SiteScan Web 6.5 and prior versions are vulnerable
| VAR-201611-0079 | CVE-2016-5685 | Vulnerability in Dell iDRAC7 and iDRAC8 device firmware that allows gaining Bash shell access |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
Dell iDRAC7 and iDRAC8 devices with firmware before 2.40.40.40 allow authenticated users to gain Bash shell access through a string injection. Supplementary information: the vulnerability type has been identified as CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). Dell iDRAC7 and iDRAC8 devices are prone to a code-injection vulnerability.
An attacker can exploit this issue to inject arbitrary code in the context of the affected device. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
Dell iDRAC7 and iDRAC8 devices running firmware versions prior to 2.40.40.4 are vulnerable. Dell Integrated Remote Access Controller (iDRAC) 7 and 8 are remote access control cards from Dell. Attackers can exploit this vulnerability to gain Bash shell privileges.
| VAR-201611-0150 | CVE-2016-8224 | Denial of service (DoS) vulnerability in Lenovo Notebook and ThinkServer systems |
CVSS V2: 4.6 CVSS V3: 4.4 Severity: MEDIUM |
A vulnerability has been identified in some Lenovo Notebook and ThinkServer systems where an attacker with administrative privileges on a system could install a program that circumvents Intel Management Engine (ME) protections. This could result in a denial of service or privilege escalation attack on the system. Lenovo Notebook and ThinkServer are products of China's Lenovo. The former is the notebook series, the latter is the server series. A local elevation of privilege vulnerability exists in the Lenovo Notebook and ThinkServer systems.
A local attacker can leverage this issue to gain elevated privileges. There are security vulnerabilities in Lenovo Notebook and ThinkServer systems.
| VAR-201702-0850 | CVE-2016-9347 | Vulnerability in Emerson SE4801T0X Redundant and SE4801T1X Simplex Wireless I/O Card firmware in which SSH functionality is unnecessarily enabled |
CVSS V2: 5.4 CVSS V3: 5.0 Severity: MEDIUM |
An issue was discovered in Emerson SE4801T0X Redundant Wireless I/O Card V13.3, and SE4801T1X Simplex Wireless I/O Card V13.3. DeltaV Wireless I/O Cards (WIOC) running the firmware available in the DeltaV system, release v13.3, have the SSH (Secure Shell) functionality enabled unnecessarily. Emerson SE4801T0X Redundant Wireless I/O Card and SE4801T1X Simplex Wireless I/O Card are wireless I/O cards from Emerson Electric, Inc., which are used to connect workstations and servers in DeltaV (software for process control) networks. A security vulnerability exists in Emerson SE4801T0X Redundant Wireless I/O Card V13.3 and SE4801T1X Simplex Wireless I/O Card V13.3. A remote attacker could exploit the vulnerability to access the device's file system by using an open port. Multiple Emerson products are prone to a security-bypass vulnerability.
An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks.
| VAR-201704-0098 | CVE-2016-7834 | Multiple SONY network cameras vulnerable to sensitive information disclosure |
CVSS V2: 3.3 CVSS V3: 8.8 Severity: HIGH |
SONY SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551, SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585, SNC-ER585H, SNC-ZP550, SNC-ZR550, SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, SNC-ER521C network cameras with firmware before Ver.1.86.00 and SONY SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC-EB602R, SNC-EB630, SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC, SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B, SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635, SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R, SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600, SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631, SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L, SNC-WR602CL network cameras with firmware before Ver.2.7.2 are prone to sensitive information disclosure. This may allow an attacker on the same local network segment to login to the device with administrative privileges and perform operations on the device. SEC Consult reported this vulnerability to Sony, and Sony reported this vulnerability to JPCERT/CC to notify the solution to users through JVN. JPCERT/CC and Sony coordinated for the publication of this case. Authentication information may be obtained by an unauthenticated user who can access the device. As a result, the user can log in as an administrator and conduct any administrative operations. SONY SNC-CH115 and so on are Sony's network camera products.
An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks. SONY SNC-CH115, etc. The following devices are affected: SONY SNC-CH115; SNC-CH120; SNC-CH160; SNC-CH220; SNC-CH260; SNC-DH120; SNC-EB520; SNC-EM520; SNC-EM521; SNC-ZB550; SNC-ZM550; SNC-ZM551; SNC-EP550; SNC-EP580; SNC-ER550; ER585H; SNC-ZP550; SNC-ZR550; SNC-EP520; SNC-EP521; SNC-ER520; SNC-ER521;
| VAR-201702-0353 | CVE-2016-4780 | Apple OS X Thunderbolt component vulnerable to arbitrary code execution in privileged context |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue involves the "Thunderbolt" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via a crafted app. Apple macOS is prone to an arbitrary code-execution vulnerability.
An attacker can leverage this issue to execute arbitrary code with kernel privileges. Failed exploit attempts will likely result in denial-of-service conditions.
Versions prior to macOS 10.12.1 are vulnerable. Apple macOS Sierra is a dedicated operating system developed by Apple for Mac computers. Thunderbolt is one of the general-purpose IO interfaces
| VAR-201611-0149 | CVE-2016-8223 | Local privilege escalation vulnerability in Lenovo System Interface Foundation software installed on Windows 10 PCs |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
During an internal security review, Lenovo identified a local privilege escalation vulnerability in Lenovo System Interface Foundation software installed on some Windows 10 PCs where a user with local privileges could run arbitrary code with administrator level privileges.
A local attacker can leverage this issue to gain administrative privileges. Lenovo System Interface Foundation is a set of computer system interaction programs developed by China's Lenovo.
| VAR-201802-0036 | CVE-2016-8511 | HP Network Automation Remote code execution vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A Remote Code Execution vulnerability in HPE Network Automation using RPCServlet and Java Deserialization version v9.1x, v9.2x, v10.00, v10.00.01, v10.00.02, v10.10, v10.11, v10.11.01, v10.20 was found. HPE Network Automation contains a vulnerability in the deserialization of untrusted data. Information may be obtained or altered, and service operation may be disrupted (DoS). Authentication is not required to exploit this vulnerability. The specific flaw exists within the exposed RPCServlet. By sending a crafted request, the application can be made to deserialize untrusted data. An attacker can leverage this vulnerability to execute arbitrary code under the context of the process. HP Network Automation is an automated network configuration management tool from Hewlett Packard (HP). The tool automates configuration changes, software updates, compliance audits, and tracking and control across a wide range of multi-vendor network devices.
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05344849
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05344849
Version: 1
HPSBGN03677 rev.1 - HPE Network Automation using RPCServlet and Java
Deserialization, Remote Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible. The vulnerabilities could be
remotely exploited to allow code execution.
References:
- CVE-2016-8511 - RPCServlet, Deserialization of Untrusted Data
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- HP Network Automation Software v9.1x, v9.2x, v10.00, v10.00.01,
v10.00.02, v10.10, v10.11, v10.11.01, v10.20
BACKGROUND
CVSS Base Metrics
=================
Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector
CVE-2016-8511
7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499
Hewlett Packard Enterprise thanks Jacob Baines of Tenable Network Security
for working with Trend Micro's Zero Day Initiative (ZDI) for reporting this
issue to security-alert@hpe.com
RESOLUTION
HPE has made the following software updates and mitigation information to
resolve the vulnerability in HPE Network Automation.
Customers using v9.1x or v9.2x, please upgrade to v10.0x, or v10.1x or v10.2x
as follows:
For v10.0x, first apply patch 10.00.02, and then apply the patch 10.00.021.
The patches are available at the following location:
*
<https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets
arch/document/LID/NA_00039>
After applying the above patches, please follow the steps provided in the
"Enable Secure Communication with Satellites" section of the Hardening Guide
published at this location:
* <https://softwaresupport.hpe.com/km/KM02615679>
For v10.10, customers should first install and upgrade to v10.11 using the
following link:
*
<https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets
arch/document/LID/NA_00030>
and then apply the 10.11 patch.
For v10.11, first install patch v10.11.01 and then download and apply patch
v10.11.011 using following location:
*
<https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets
arch/document/LID/NA_00038>
In addition follow the steps given in the "Enable Secure Communication
with Satellites" section of the Hardening Guide published at this location:
*
<https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets
arch/document/KM01964007>
For 10.20, apply the patch 10.20.001 available for download the following
location:
*
<https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets
arch/document/LID/NA_00037>
In addition follow the steps given in the "Enable Secure Communication
with Satellites" section of the Hardening Guide published at the following
location:
*
<https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets
arch/document/KM02501298>
**Note:**
* v10.00.021 would supersede already released patch 10.00.02.01
* v10.20.001 would supersede already released patch 10.20.00.01
HISTORY
Version:1 (rev.1) - 28 November 2016 Initial release
| VAR-201701-0491 | CVE-2016-10106 | Directory traversal vulnerability in scgi-bin/platform.cgi in firmware of multiple NETGEAR devices |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
Directory traversal vulnerability in scgi-bin/platform.cgi on NETGEAR FVS336Gv3, FVS318N, FVS318Gv2, and SRX5308 devices with firmware before 4.3.3-8 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the thispage parameter, as demonstrated by reading the /etc/shadow file. NETGEAR is a US manufacturer of computer network equipment and other computer hardware. Multiple NETGEAR products are prone to a directory-traversal vulnerability because they fail to sufficiently sanitize user-supplied input.
Remote attackers can use a specially crafted request with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application. Information obtained could aid in further attacks.
NETGEAR FVS336Gv3, FVS318N, FVS318Gv2, and SRX5308 devices running firmware versions prior to 4.3.3-8 are vulnerable. The following products are affected: NETGEAR FVS336Gv3; FVS318N; FVS318Gv2; SRX5308.
| VAR-201702-0465 | CVE-2016-7584 | Signed code spoofing vulnerability in the AppleMobileFileIntegrity component of multiple Apple products |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "AppleMobileFileIntegrity" component, which allows remote attackers to spoof signed code by using a matching team ID. Apple macOS is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. Apple macOS Sierra is a dedicated operating system developed by Apple for Mac computers. AppleMobileFileIntegrity (AMFI) is one of the kernel components used to check the integrity of Apple mobile phone files. The vulnerability stems from the program's failure to verify code signatures. An attacker could exploit this vulnerability to execute arbitrary code. The following products and versions are affected: Apple iOS prior to 10.1; macOS Sierra prior to 10.12.1; tvOS prior to 10.0.1; watchOS prior to 3.1