VARIoT IoT vulnerabilities database

The Serial Peripheral Interface driver in Android before 2016-08-05 on Nexus 5X and 6P devices allows attackers to gain privileges via a crafted application, aka internal bug 28817378. Vendors have confirmed this vulnerability Bug 28817378 It is released as.An attacker could gain privileges through a crafted application. GoogleNexus is a high-end mobile phone series powered by Google\342\200\231s original Android system. GoogleNexus has a privilege elevation vulnerability that could allow an attacker to execute arbitrary code using elevated kernel-wide permissions. Google Nexus is prone to a privilege-escalation vulnerability. Google Nexus versions Nexus 5X and Nexus 6P are vulnerable. This issue is being tracked by Android Bug ID A-28817378

drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices allows attackers to gain privileges via an application that provides a crafted mask value, aka Android internal bug 28749721 and Qualcomm internal bug CR511976. Nexus 5 and 7 (2013) Run on device Android of Qualcomm Component drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c Contains a privileged vulnerability. AndroidonNexus is a high-end mobile phone series powered by Google's original Android system. Androidbefore2016-08-05onNexus5, 7devices has a privilege escalation vulnerability that allows an attacker to provide a well-defined mask value for access through the application. Google Nexus is prone to multiple privilege escalation vulnerabilities. Attackers can exploit these issues to execute arbitrary code with elevated privileges within the context of the kernel. These issues are being tracked by Android Bug IDs A-28768146, A-28747998, A-28748271, A-28747684, A-28749629, A-28749721, A-28749728, A-28749743, A-28749803, A-28750155, A-28750726, A-28751152, A-28767589, A-28767796, A-28768281, A-28769208, A-28769221, A-28769352, A-28769368, A-28769546, A-28769912, A-28769920, A-28769959, A-28815575, A-28804057, A-28803642, A-28803645, A-28803962, A-28804030, A-28398884, A-28813987, A-28814502, A-28814652, A-28815158, A-28749283, and A-28770207

The LG Electronics bootloader Android before 2016-08-05 on Nexus 5X devices allows attackers to gain privileges by leveraging access to a privileged process, aka internal bug 29189941. GoogleNexus is a high-end mobile phone series powered by Google\342\200\231s original Android system. GoogleNexus has a privilege elevation vulnerability that could allow an attacker to execute arbitrary code using elevated kernel-wide permissions. Google Nexus is prone to a privilege-escalation vulnerability. This issue is being tracked by Android Bug ID A-29189941

The video driver in the kernel in Android before 2016-08-05 on Nexus 5 devices allows attackers to gain privileges via a crafted application, aka internal bug 28399876. GoogleNexus is a high-end mobile phone series powered by Google\342\200\231s original Android system. GoogleNexus has a privilege elevation vulnerability that could allow an attacker to execute arbitrary code using elevated kernel-wide permissions. Google Nexus is prone to a privilege-escalation vulnerability. This issue is being tracked by Android Bug ID A-A-28399876

Directory traversal vulnerability in cgi-bin/rftest.cgi on Crestron AirMedia AM-100 devices with firmware before 1.4.0.13 allows remote attackers to execute arbitrary commands via a .. (dot dot) in the ATE_COMMAND parameter. The Crestron AirMedia AM-100 with firmware prior to version 1.4.0.13 is vulnerable to path traversal and command injection. Supplementary information : CWE Vulnerability type by CWE-77: Improper Neutralization of Special Elements used in a Command ( Command injection ) Has been identified. http://cwe.mitre.org/data/definitions/77.htmlBy a third party .. Crestron AirMedia AM-100 is prone to a directory-traversal vulnerability and a command-injection vulnerability because it fails to sufficiently sanitize user-supplied input. Crestron AirMedia AM-100 running firmware versions 1.1.1.11 through 1.2.1 are vulnerable. Crestron AirMedia AM-100 is a smart home gateway product produced by Crestron Electronics in the United States

Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.3039.00040 allow remote attackers to bypass authentication via a direct request to a page other than index.html. Crestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and earlier, has a web management interface which contains multiple vulnerabilities, including authentication bypass, failure to restrict access to authorized users, use of hard-coded certificate, default credentials, and cross-site request forgery (CSRF). These vulnerabilities may be leveraged to gain complete control of affected devices. Crestron Electronics DM-TXRX-100-STR The device firmware contains a vulnerability that prevents authentication. Supplementary information : CWE Vulnerability type by CWE-425: Direct Request ( Force viewing ) Has been identified. Crestron Electronics DM-TXRX-100-STR is prone to the following multiple security vulnerabilities: 1. Multiple authentication-bypass vulnerabilities 2. Multiple security-bypass vulnerabilities 3. A cross-site request-forgery vulnerability An attacker can exploit these issues to bypass certain security restrictions, perform certain unauthorized actions , bypass the authentication mechanism and compromise the application; This may aid in further attacks. Crestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and prior versions are vulnerable. Crestron Electronics DM-TXRX-100-STR is a stream encoder/decoder product from Crestron Electronics, USA

Cross-site scripting (XSS) vulnerability in Fortinet FortiAnalyzer 5.x before 5.0.12 and 5.2.x before 5.2.6 and FortiManager 5.x before 5.0.12 and 5.2.x before 5.2.6 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an image uploaded in the report section. Multiple Fortinet Products are prone to a security-bypass vulnerability. Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks. Both Fortinet FortiAnalyzer and FortiManager are products of Fortinet. The former is a centralized network security reporting solution, and the latter is a centralized network security management solution. A cross-site scripting vulnerability exists in Fortinet FortiAnalyzer 5.x prior to 5.2.6 and FortiManager 5.x prior to 5.2.6

Multiple cross-site request forgery (CSRF) vulnerabilities on Crestron Electronics DM-TXRX-100-STR devices with firmware through 1.3039.00040 allow remote attackers to hijack the authentication of arbitrary users. These vulnerabilities may be leveraged to gain complete control of affected devices. Crestron Electronics DM-TXRX-100-STR is prone to the following multiple security vulnerabilities: 1. Multiple authentication-bypass vulnerabilities 2. Multiple security-bypass vulnerabilities 3. A cross-site request-forgery vulnerability An attacker can exploit these issues to bypass certain security restrictions, perform certain unauthorized actions , bypass the authentication mechanism and compromise the application; This may aid in further attacks. Crestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and prior versions are vulnerable. Crestron Electronics DM-TXRX-100-STR is a stream encoder/decoder product from Crestron Electronics, USA. A remote attacker could exploit this vulnerability to perform unauthorized operations

Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.3039.00040 have a hardcoded password of admin for the admin account, which makes it easier for remote attackers to obtain access via the web management interface. Crestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and earlier, has a web management interface which contains multiple vulnerabilities, including authentication bypass, failure to restrict access to authorized users, use of hard-coded certificate, default credentials, and cross-site request forgery (CSRF). These vulnerabilities may be leveraged to gain complete control of affected devices. Crestron Electronics DM-TXRX-100-STR is prone to the following multiple security vulnerabilities: 1. Multiple authentication-bypass vulnerabilities 2. Multiple security-bypass vulnerabilities 3. A cross-site request-forgery vulnerability An attacker can exploit these issues to bypass certain security restrictions, perform certain unauthorized actions , bypass the authentication mechanism and compromise the application; This may aid in further attacks. Crestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and prior versions are vulnerable. Crestron Electronics DM-TXRX-100-STR is a stream encoder/decoder product from Crestron Electronics, USA. A remote attacker can exploit this vulnerability to gain privileges through the web management interface

Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.3039.00040 use a hardcoded 0xb9eed4d955a59eb3 X.509 certificate from an OpenSSL Test Certification Authority, which makes it easier for remote attackers to conduct man-in-the-middle attacks against HTTPS sessions by leveraging the certificate's trust relationship. Crestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and earlier, has a web management interface which contains multiple vulnerabilities, including authentication bypass, failure to restrict access to authorized users, use of hard-coded certificate, default credentials, and cross-site request forgery (CSRF). These vulnerabilities may be leveraged to gain complete control of affected devices. Supplementary information : CWE Vulnerability type by CWE-321: Use of Hard-coded Cryptographic Key ( Using hard-coded encryption keys ) Has been identified. Crestron Electronics DM-TXRX-100-STR is prone to the following multiple security vulnerabilities: 1. Multiple authentication-bypass vulnerabilities 2. Multiple security-bypass vulnerabilities 3. A cross-site request-forgery vulnerability An attacker can exploit these issues to bypass certain security restrictions, perform certain unauthorized actions , bypass the authentication mechanism and compromise the application; This may aid in further attacks. Crestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and prior versions are vulnerable. Crestron Electronics DM-TXRX-100-STR is a stream encoder/decoder product from Crestron Electronics, USA

Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.3039.00040 allow remote attackers to bypass authentication and change settings via a JSON API call. Crestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and earlier, has a web management interface which contains multiple vulnerabilities, including authentication bypass, failure to restrict access to authorized users, use of hard-coded certificate, default credentials, and cross-site request forgery (CSRF). These vulnerabilities may be leveraged to gain complete control of affected devices. Supplementary information : CWE Vulnerability type by CWE-306: Missing Authentication for Critical Function ( Lack of authentication for critical functions ) Has been identified. Crestron Electronics DM-TXRX-100-STR is prone to the following multiple security vulnerabilities: 1. Multiple authentication-bypass vulnerabilities 2. Multiple security-bypass vulnerabilities 3. A cross-site request-forgery vulnerability An attacker can exploit these issues to bypass certain security restrictions, perform certain unauthorized actions , bypass the authentication mechanism and compromise the application; This may aid in further attacks. Crestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and prior versions are vulnerable. Crestron Electronics DM-TXRX-100-STR is a stream encoder/decoder product from Crestron Electronics, USA

Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.3039.00040 rely on the client to perform authentication, which allows remote attackers to obtain access by setting the value of objresp.authenabled to 1. Crestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and earlier, has a web management interface which contains multiple vulnerabilities, including authentication bypass, failure to restrict access to authorized users, use of hard-coded certificate, default credentials, and cross-site request forgery (CSRF). These vulnerabilities may be leveraged to gain complete control of affected devices. Supplementary information : CWE Vulnerability type by CWE-603: Use of Client-Side Authentication ( Using client-side authentication ) Has been identified. http://cwe.mitre.org/data/definitions/603.htmlBy a third party objresp.authenabled The value 1 If set to, access rights may be obtained. Crestron Electronics DM-TXRX-100-STR is prone to the following multiple security vulnerabilities: 1. Multiple authentication-bypass vulnerabilities 2. Multiple security-bypass vulnerabilities 3. A cross-site request-forgery vulnerability An attacker can exploit these issues to bypass certain security restrictions, perform certain unauthorized actions , bypass the authentication mechanism and compromise the application; This may aid in further attacks. Crestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and prior versions are vulnerable. Crestron Electronics DM-TXRX-100-STR is a stream encoder/decoder product from Crestron Electronics, USA

Directory traversal vulnerability in cgi-bin/login.cgi on Crestron AirMedia AM-100 devices with firmware before 1.4.0.13 allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter. The Crestron AirMedia AM-100 with firmware prior to version 1.4.0.13 is vulnerable to path traversal and command injection. CrestronAirMediaAM-100 is a gateway product from Crestron Electronics of the United States. Crestron AirMedia AM-100 is prone to a directory-traversal vulnerability and a command-injection vulnerability because it fails to sufficiently sanitize user-supplied input. Crestron AirMedia AM-100 running firmware versions 1.1.1.11 through 1.2.1 are vulnerable. ================================================================= # Crestron AM-100 (Multiple Vulnerabilities) ================================================================= # Date: 2016-08-01 # Exploit Author: Zach Lanier # Vendor Homepage: https://www.crestron.com/products/model/am-100 # Version: v1.1.1.11 - v1.2.1 # CVE: CVE-2016-5639 # References: # https://medium.com/@benichmt1/an-unwanted-wireless-guest-9433383b1673#.78tu9divi # https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001.md Description: The Crestron AirMedia AM-100 with firmware versions v1.1.1.11 - v1.2.1 is vulnerable to multiple issues. 1) Path Traversal GET request: http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=../../../../../../../../../../../../../../../../../../../../etc/shadow 2) Hidden Management Console http://[AM-100-ADDRESS]/cgi-bin/login_rdtool.cgi The AM-100 has a hardcoded default credential of rdtool::mistral5885 This interface contains the ability to upload arbitrary files (RD upload) and can enable a telnet server that runs on port 5885 (RD Debug mode). 3) Hardcoded credentials The default root password for these devices is root::awind5885 Valid login sessions for the default (non-debugging) management interface are stored on the filesystem as session01, session02.. etc. Cleartext credentials can be read directly from these files

Intel Crosswalk before 19.49.514.5, 20.x before 20.50.533.11, 21.x before 21.51.546.0, and 22.x before 22.51.549.0 interprets a user's acceptance of one invalid X.509 certificate to mean that all invalid X.509 certificates should be accepted without prompting, which makes it easier for man-in-the-middle attackers to spoof SSL servers and obtain sensitive information via a crafted certificate. Intel Crosswalk Project Is Android and iOS A framework for developing hybrid apps Crosswalk Project Is illegal SSL There is a problem in the processing when the user accepts the server certificate, and the application SSL Validation of all server certificates may be hindered. Issue that does not warn the user that the operation is unsafe (CWE-356) - CVE-2016-5672 Fraudulent SSL If a server certificate is detected, Crosswalk Project Apps created using show an error message. The user gets this error message "OK" If you select, the app SSL Server certificate verification will not be performed. The error message indicates that the app is permanently SSL It is not clearly stated that the server certificate will no longer be verified, and the same message will not be displayed again. CWE-356: Product UI does not Warn User of Unsafe Actions http://cwe.mitre.org/data/definitions/356.html Researchers are releasing more detailed information as security advisories. Also, Intel Corporation Has also created a blog post about this issue. Security advisory https://wwws.nightwatchcybersecurity.com/2016/07/29/advisory-intel-crosswalk-ssl-prompt-issue/ Blog post http://blogs.intel.com/evangelists/2016/07/28/crosswalk-security-vulnerability/Once you set to allow unauthorized server certificates, SSL Man-in-the-middle attacks where all server certificates are no longer verified (man-in-the-middle attack) May be done. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks. The issue is fixed in following versions: Intel Crosswalk 19.49.514.5, 20.50.533.11, 21.51.546.0, and 22.51.549.0. Intel Crosswalk is a set of Web engines developed by Intel Corporation of the United States. [Original at: https://wwws.nightwatchcybersecurity.com/2016/07/29/advisory-intel-crosswalk-ssl-prompt-issue/] Summary The Intel Crosswalk Project library for cross-platform mobile development did not properly handle SSL errors. This behaviour could subject applications developed using this library to SSL MITM attacks. Vulnerability Details The Crosswalk Project, created by Intels Open Source Technology Center, allows mobile developers to use HTML, CSS and Javascript to develop and deploy mobile apps across multiple platforms from the same codebase. The library packages the HTML assets provided by the developer and runs them inside a WebView on the device. The library also bridges some of the common APIs and services from the Javascript code in the WebView to the underlying platform. It is implemented in multiple apps, some of which can be found here. This applies even to connections over different WiFi hotspots and different certificates. This may allow a network-level attacker to mount MITM attack using invalid SSL certificate and capture sensitive data. This issue has been fixed in the following versions of Crosswalk and all users of the library are encouraged to upgrade: - 19.49.514.5 (stable) - 20.50.533.11 (beta) - 21.51.546.0 (beta) - 22.51.549.0 (canary) This issue was originally discovered while testing a third-party Android app using this library. References CERT/CC vulnerability note: https://www.kb.cert.org/vuls/id/217871 Crosswalk security advisory: https://lists.crosswalk-project.org/pipermail/crosswalk-help/2016-July/002167.html CVE - CVE-2016-5672: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5672 Intel blog post: https://blogs.intel.com/evangelists/2016/07/28/crosswalk-security-vulnerability/ Credits Thank you to CERT/CC for coordination on this issue, and to the Intel Open Source Technology Center for the fix. Timeline 2016-05-25: Reported issue to the Intel PSIRT, got an automated reply 2016-05-30: Reached out to CERT/CC for help reaching Intel 2016-06-01: Request from CERT/CC for more details, provided details via secure form 2016-06-15: Response from CERT/CC that Intel is planning a fix within 45 days 2016-06-23: Direct contact from Intel 2016-07-01: Asking CERT/CC to reserve a CVE, CERT/CC assigns a CVE 2016-07-22: Intel fix is finished and ready for testing 2016-07-25: We confirm the fix and coordinate disclosure dates 2016-07-29: Coordinated public disclosure

Vicon V920D and SN663V are all V9XX and SN6XX series network camera products from American Vicon Industries. Multiple Vicon Network Cameras products have an authentication bypass vulnerability. An attacker could use this vulnerability to bypass the authentication mechanism and perform unauthorized operations. The following products are affected: V-CELL-IP, V660V-P (Europe), V920D, V921D and other products. This may lead to further attacks

The agricultural internet of things perception platform system is an industrial control system. There is a SQL injection vulnerability in the agricultural Internet of Things Awareness Platform system, and an attacker can exploit the vulnerability to obtain database sensitive information

An information disclosure vulnerability exists in several Lenovo product SSD firmware. An attacker can exploit the vulnerability to gain sensitive information, which could lead to further attacks. Multiple Lenovo products are prone to a local information-disclosure vulnerability

The firmware in Lenovo Ultraslim dongles, as used with Lenovo Liteon SK-8861, Ultraslim Wireless, and Silver Silk keyboards and Liteon ZTM600 and Ultraslim Wireless mice, does not enforce incrementing AES counters, which allows remote attackers to inject encrypted keyboard input into the system by leveraging proximity to the dongle, aka a "KeyJack injection attack.". This vulnerability "KeyJack Injection attack " It is called.By using a dongle operation, a third party could insert encrypted keyboard input into the system. LenovoWirelessMouseBlack and others are products of Lenovo's wireless desktop package with mouse and keyboard. Remote security vulnerabilities exist in several Lenovo products, which can be exploited by an attacker using LenovoUltraslim Wireless's electronic dog to inject keyboard input. Multiple Lenovo Products are prone to a remote security vulnerability. Lenovo Liteon SK-8861, etc. are all products of China Lenovo. Lenovo Ultraslim dongles are a dongle

The devtools.sh script in AXIS network cameras allows remote authenticated users to execute arbitrary commands via shell metacharacters in the app parameter to (1) app_license.shtml, (2) app_license_custom.shtml, (3) app_index.shtml, or (4) app_params.shtml. (1) app_license.shtml (2) app_license_custom.shtml (3) app_index.shtml (4) app_params.shtml. Axis Communications V5915 and others are network camera products of Axis, Sweden. Multiple AXIS Products are prone to multiple remote command-execution vulnerabilities

Cisco AsyncOS on Email Security Appliance (ESA) devices through 9.7.0-125 allows remote attackers to bypass malware detection via a crafted attachment in an e-mail message, aka Bug ID CSCuz14932. An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCuz14932