VARIoT IoT vulnerabilities database
| VAR-202407-2539 | CVE-2020-11921 | Lush 2 Missing Encryption |
CVSS V2: - CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in Lush 2 through 2020-02-25. Due to the lack of Bluetooth traffic encryption, it is possible to hijack an ongoing Bluetooth connection between the Lush 2 and a mobile phone. This allows an attacker to gain full control over the device. The attack hijacks the connection even when someone else was actively using the device. Note that the user of the device remains capable of simply shutting it down. In order to exploit this vulnerability, the attacker must be within a certain radius in which the Bluetooth connection can be intercepted. This attack vector also requires specific hardware, such as the Micro:bit.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Lovense
------------------------------------------
[Affected Product Code Base]
Lush 2 - Cannot be determined.
------------------------------------------
[Affected Component]
Lush 2, Bluetooth interface
------------------------------------------
[Attack Type]
Local
------------------------------------------
[CVE Impact Other]
Take over normal device functionality from the original owner.
------------------------------------------
[Reference]
N/A
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Roan Engelbert, Ilona de Bruin from Qbit cyber security in assignment of the Consumentenbond.
Use CVE-2020-11921
| VAR-202407-2513 | CVE-2019-20457 | Brother MFC-J491DW C1806180757 Password Hash Disclosure |
CVSS V2: - CVSS V3: 9.1 Severity: CRITICAL |
An issue was discovered on Brother MFC-J491DW C1806180757 devices. The printer's web-interface password hash can be retrieved without authentication, because the response header of any failed login attempt returns an incomplete authorization cookie. The value of the authorization cookie is the MD5 hash of the password in hexadecimal. An attacker can easily derive the true MD5 hash from this, and use offline cracking attacks to obtain administrative access to the device.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Brother
------------------------------------------
[Affected Product Code Base]
MFC-J491DW - C1806180757
------------------------------------------
[Affected Component]
Web admin panel
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker needs to have access to the web interface running on TCP/80 on the device.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Konrad Leszczynski, intern at Qbit in cooperation with the Dutch Consumer Organisation
------------------------------------------
[Reference]
https://global.brother
Use CVE-2019-20457
| VAR-202407-2554 | CVE-2019-20458 | Epson Expression Home XP255 20.08.FM10I8 Missing Authentication |
CVSS V2: - CVSS V3: 8.8 Severity: HIGH |
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. By default, the device comes (and functions) without a password. The user is at no point prompted to set up a password on the device (leaving a number of devices without a password). In this case, anyone connecting to the web admin panel is capable of becoming admin without using any credentials.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Epson
------------------------------------------
[Affected Product Code Base]
Expression Home XP255 - 20.08.FM10I8
------------------------------------------
[Affected Component]
Web admin panel
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Attack Vectors]
The attacker needs to have access to port 80/TCP (the webserver) of the device.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation.
------------------------------------------
[Reference]
https://epson.com/Support/sl/s
Use CVE-2019-20458
| VAR-202407-2571 | CVE-2019-20462 | Alecto IVM-100 2019-11-12 Information Disclosure |
CVSS V2: - CVSS V3: 5.3 Severity: MEDIUM |
An issue was discovered on Alecto IVM-100 2019-11-12 devices. The device comes with a serial interface at the board level. By attaching to this serial interface and rebooting the device, a large amount of information is disclosed. This includes the view password and the password of the Wi-Fi access point that the device used.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Alecto
------------------------------------------
[Affected Product Code Base]
Alecto IVM-100 - unknown.
------------------------------------------
[Attack Type]
Physical
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker needs to open up the device and physically attach wires as well as reboot the device.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with The Dutch consumer organisation
------------------------------------------
[Reference]
https://www.alecto.nl
Use CVE-2019-20462
| VAR-202407-2626 | CVE-2019-20459 | Epson Expression Home XP255 20.08.FM10I8 SNMPv1 Public Community |
CVSS V2: - CVSS V3: 8.4 Severity: HIGH |
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. With the SNMPv1 public community, all values can be read, and with the epson community, all the changeable values can be written/updated, as demonstrated by permanently disabling the network card or changing the DNS servers.
------------------------------------------
[Vulnerability Type]
Insecure Permissions
------------------------------------------
[Vendor of Product]
Epson
------------------------------------------
[Affected Product Code Base]
Expression Home XP255 - 20.08.FM10I8
------------------------------------------
[Affected Component]
SNMP agent
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
The attacker must be able to connect to the devices on port 515/UDP.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation.
------------------------------------------
[Reference]
https://epson.com/Support/sl/s
Use CVE-2019-20459
| VAR-202407-2600 | CVE-2019-20460 | Epson Expression Home XP255 20.08.FM10I8 Cross Site Request Forgery |
CVSS V2: - CVSS V3: 8.8 Severity: HIGH |
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. POST requests don't require (anti-)CSRF tokens or other mechanisms for validating that the request is from a legitimate source. In addition, CSRF attacks can be used to send text directly to the RAW printer interface. For example, an attack could deliver a worrisome printout to an end user.
------------------------------------------
[Vulnerability Type]
Cross Site Request Forgery (CSRF)
------------------------------------------
[Vendor of Product]
Epson
------------------------------------------
[Affected Product Code Base]
Expression Home XP255 - 20.08.FM10I8
------------------------------------------
[Affected Component]
Web admin panel, RAW printing protocol
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Attack Vectors]
The web admin panel is attacked via a CSRF request issued from the victim's browser.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation.
------------------------------------------
[Reference]
https://epson.com/Support/sl/s
Use CVE-2019-20460
| VAR-202407-2625 | CVE-2019-20469 | One2Track 2019-12-08 Information Disclosure |
CVSS V2: - CVSS V3: 4.6 Severity: MEDIUM |
An issue was discovered on One2Track 2019-12-08 devices. Confidential information is needlessly stored on the smartwatch. Audio files are stored in .amr format, in the audior directory. An attacker who has physical access can retrieve all audio files by connecting via a USB cable.
------------------------------------------
[VulnerabilityType Other]
Voice conversations leaked to physical attackers.
------------------------------------------
[Vendor of Product]
One2Track
------------------------------------------
[Affected Product Code Base]
one2track - up-to-date version as of 12-8-2019 (no exact version number)
------------------------------------------
[Affected Component]
Local smartwatch storage
------------------------------------------
[Attack Type]
Physical
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker must have physical access to the One2track device. Once this access has been obtained, audio messages sent to the smartwatch can be retrieved from the local storage.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Dennis van Warmerdam, Jasper Nota, Jim Blankendaal
------------------------------------------
[Reference]
https://www.one2track.nl
Use CVE-2019-20469
| VAR-202407-2660 | CVE-2020-11926 | Luvion Grand Elite 3 Connect Credential Disclosure |
CVSS V2: - CVSS V3: 7.5 Severity: HIGH |
An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Clients can authenticate themselves to the device using a username and password. These credentials can be obtained through an unauthenticated web request, e.g., for a JavaScript file. Also, the disclosed information includes the SSID and WPA2 key for the Wi-Fi network the device is connected to.
------------------------------------------
[Additional Information]
The disclosed information can be used by an attacker to remotely gain access to normal camera functionality (e.g., watching someone's room over the internet).
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Luvion
------------------------------------------
[Affected Product Code Base]
Luvion Grand elite 3 connect - Cannot be determined
------------------------------------------
[Affected Component]
Webserver running on the device.
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[CVE Impact Other]
Authentication bypass
------------------------------------------
[Attack Vectors]
An attacker can simply browse to the device and retrieve the passwords.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Jim Blankendaal, Martijn Baalman from Qbit in assignment of the Consumentenbond
------------------------------------------
[Reference]
N/A
Use CVE-2020-11926
| VAR-202407-2627 | CVE-2020-11919 | Svakom Siime Eye Cross-Site Request Forgery Vulnerability in Firmware |
CVSS V2: - CVSS V3: 8.0 Severity: HIGH |
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. There is no CSRF protection. The Svakom Siime Eye firmware contains a cross-site request forgery vulnerability. Information may be obtained, information may be tampered with, and a denial of service (DoS) condition may result.
------------------------------------------
[Additional Information]
The default settings make this attack theoretical rather than practical. A lot of interaction takes place between the application and the end user. For correct functioning, it is important to verify that requests coming from the user actually represent the user's intention. The application must therefore be able to distinguish forged requests from legitimate ones. Currently no measures against Cross-Site Request Forgery have been implemented and therefore users can be tricked into submitting requests without their knowledge or consent. From the application's point of view, these requests are legitimate requests from the user and they will be processed as such. This can result in the creation of additional (administrative) user accounts, without the user's knowledge or consent.
In order to execute a CSRF attack, a user must be tricked into visiting an attacker controlled page, using the same browser that is authenticated to the Siime Eye. As mostly the Hotspot from Siime Eye will be used, users are unlikely to (be able to) access such pages simultaneously.
------------------------------------------
[Vulnerability Type]
Cross Site Request Forgery (CSRF)
------------------------------------------
[Vendor of Product]
Svakom
------------------------------------------
[Affected Product Code Base]
Siime Eye - 14.1.00000001.3.330.0.0.3.14
------------------------------------------
[Affected Component]
Siime Eye, web interface
------------------------------------------
[Attack Type]
Context-dependent
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[CVE Impact Other]
Full device compromise.
------------------------------------------
[Reference]
N/A
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond.
Use CVE-2020-11919
| VAR-202407-2682 | CVE-2019-20472 | One2Track 2019-12-08 Missing PIN |
CVSS V2: - CVSS V3: 6.2 Severity: MEDIUM |
An issue was discovered on One2Track 2019-12-08 devices. Any SIM card used with the device cannot have a PIN configured. If a PIN is configured, the device simply produces a "Remove PIN and restart!" message, and cannot be used. This makes it easier for an attacker to use the SIM card by stealing the device.
------------------------------------------
[VulnerabilityType Other]
recommendation to disable common security measures
------------------------------------------
[Vendor of Product]
One2Track
------------------------------------------
[Affected Product Code Base]
One2Track - up-to-date version as of 12-8-2019 (no exact version number)
------------------------------------------
[Affected Component]
SIM card security PIN
------------------------------------------
[Attack Type]
Physical
------------------------------------------
[CVE Impact Other]
recommendation to disable common security measures
------------------------------------------
[Attack Vectors]
Local
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Dennis van Warmerdam, Jim Blankendaal, Jasper Nota
------------------------------------------
[Reference]
https://www.one2track.nl
Use CVE-2019-20472
| VAR-202407-2661 | CVE-2020-11916 | Svakom Siime Eye Vulnerability Related to the Use of a Cryptographic Algorithm in Firmware |
CVSS V2: - CVSS V3: 6.3 Severity: MEDIUM |
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. The password for the root user is hashed using an old and deprecated hashing technique. Because of this deprecated hashing, the success probability of an attacker in an offline cracking attack is greatly increased. The Svakom Siime Eye firmware contains a vulnerability related to the use of a cryptographic algorithm. Information may be obtained, information may be tampered with, and a denial of service (DoS) condition may result.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Svakom
------------------------------------------
[Affected Product Code Base]
Siime Eye - 14.1.00000001.3.330.0.0.3.14
------------------------------------------
[Affected Component]
Siime Eye linux password hashes
------------------------------------------
[Attack Type]
Context-dependent
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
The hash can be obtained using various techniques (e.g., through command injection).
------------------------------------------
[Reference]
N/A
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond.
Use CVE-2020-11916
| VAR-202407-2555 | CVE-2020-11918 | Svakom Siime Eye Plaintext Storage of Sensitive Information in Firmware |
CVSS V2: - CVSS V3: 5.4 Severity: MEDIUM |
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. When a backup file is created through the web interface, information on all users, including passwords, can be found in cleartext in the backup file. An attacker capable of accessing the web interface can create the backup file. The Svakom Siime Eye firmware contains a vulnerability related to plaintext storage of sensitive information. Information may be obtained and information may be tampered with.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Svakom
------------------------------------------
[Affected Product Code Base]
Siime Eye - 14.1.00000001.3.330.0.0.3.14
------------------------------------------
[Affected Component]
Siime Eye
------------------------------------------
[Attack Type]
Context-dependent
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
A backup file must be found or created by an attacker in order to exploit this vulnerability.
------------------------------------------
[Reference]
N/A
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond
Use CVE-2020-11918
| VAR-202407-2574 | CVE-2024-41691 | SyroTech SY-GPON-1110-WDONT Plaintext Storage of Sensitive Information in Firmware |
CVSS V2: 8.3 CVSS V3: 4.6 Severity: MEDIUM |
This vulnerability exists in the SyroTech SY-GPON-1110-WDONT Router due to the storing of FTP credentials in plaintext within the SquashFS root filesystem associated with the router's firmware. An attacker with physical access could exploit this by extracting the firmware and reverse engineering the binary data to access the plaintext FTP credentials from the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the FTP server associated with the targeted system. SyroTech SY-GPON-1110-WDONT is a wireless router from SyroTech.
| VAR-202407-2683 | CVE-2024-41690 | SyroTech SY-GPON-1110-WDONT Plaintext Storage of Sensitive Information in Firmware |
CVSS V2: 6.1 CVSS V3: 4.6 Severity: MEDIUM |
This vulnerability exists in the SyroTech SY-GPON-1110-WDONT Router due to the storing of default username and password credentials in plaintext within the router's firmware/database. An attacker with physical access could exploit this by extracting the firmware and reverse engineering the binary data to access the plaintext default credentials on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system. The SyroTech SY-GPON-1110-WDONT firmware contains a vulnerability related to plaintext storage of sensitive information. Information may be obtained. SyroTech SY-GPON-1110-WDONT is a wireless router from SyroTech.
| VAR-202407-2517 | CVE-2024-41689 | SyroTech SY-GPON-1110-WDONT Plaintext Storage of Sensitive Information in Firmware |
CVSS V2: 6.8 CVSS V3: 4.6 Severity: MEDIUM |
This vulnerability exists in the SyroTech SY-GPON-1110-WDONT Router due to the unencrypted storing of WPA/WPS credentials within the router's firmware/database. An attacker with physical access could exploit this by extracting the firmware and reverse engineering the binary data to access the plaintext WPA/WPS credentials on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to bypass WPA/WPS and gain access to the Wi-Fi network of the targeted system. The SyroTech SY-GPON-1110-WDONT firmware contains a vulnerability related to plaintext storage of sensitive information. Information may be obtained. SyroTech SY-GPON-1110-WDONT is a wireless router from SyroTech. Attackers can exploit this vulnerability to obtain WPA/WPS credential information and use this information to launch further attacks on the affected system.
| VAR-202407-2516 | CVE-2024-41688 | SyroTech SY-GPON-1110-WDONT Plaintext Storage of Sensitive Information in Firmware |
CVSS V2: 8.3 CVSS V3: 4.6 Severity: MEDIUM |
This vulnerability exists in the SyroTech SY-GPON-1110-WDONT Router due to a lack of encryption in the storing of usernames and passwords within the router's firmware/database. An attacker with physical access could exploit this by extracting the firmware and reverse engineering the binary data to access the plaintext credentials on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system. The SyroTech SY-GPON-1110-WDONT firmware contains a vulnerability related to plaintext storage of sensitive information. Information may be obtained. SyroTech SY-GPON-1110-WDONT is a wireless router from SyroTech.
| VAR-202407-2649 | CVE-2024-41687 | SyroTech SY-GPON-1110-WDONT Cleartext Transmission of Sensitive Information in Firmware |
CVSS V2: 10.0 CVSS V3: 7.5 Severity: HIGH |
This vulnerability exists in the SyroTech SY-GPON-1110-WDONT Router due to transmission of the password in plain text. A remote attacker could exploit this vulnerability by intercepting the transmission within an HTTP session on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system. SyroTech SY-GPON-1110-WDONT is a wireless router from SyroTech. An attacker can exploit this vulnerability to obtain password information and use this information to launch further attacks on the affected system.
| VAR-202407-2630 | CVE-2024-41686 | SyroTech SY-GPON-1110-WDONT Firmware Vulnerability |
CVSS V2: 7.2 CVSS V3: 3.3 Severity: LOW |
This vulnerability exists in the SyroTech SY-GPON-1110-WDONT Router due to improper implementation of password policies. A local attacker could exploit this by creating passwords that do not adhere to the defined security standards/policy on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats. The SyroTech SY-GPON-1110-WDONT firmware contains an unspecified vulnerability. Information may be tampered with. SyroTech SY-GPON-1110-WDONT is a wireless router from SyroTech. Attackers can exploit this vulnerability to launch further attacks on the system.
| VAR-202407-2573 | CVE-2024-41685 | SyroTech SY-GPON-1110-WDONT Improper Permission Assignment for Critical Resource in Firmware |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
This vulnerability exists in the SyroTech SY-GPON-1110-WDONT Router due to a missing HttpOnly flag on the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting the transmission within an HTTP session on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system. The SyroTech SY-GPON-1110-WDONT firmware contains a vulnerability related to improper permission assignment for a critical resource. Information may be obtained. SyroTech SY-GPON-1110-WDONT is a wireless router from SyroTech.
| VAR-202407-2515 | CVE-2024-41684 | SyroTech SY-GPON-1110-WDONT Firmware Vulnerability |
CVSS V2: 7.8 CVSS V3: 5.3 Severity: MEDIUM |
This vulnerability exists in the SyroTech SY-GPON-1110-WDONT Router due to a missing Secure flag on the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting the transmission within an HTTP session on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to capture cookies and compromise the targeted system. The SyroTech SY-GPON-1110-WDONT firmware contains an unspecified vulnerability. Information may be obtained. SyroTech SY-GPON-1110-WDONT is a wireless router from SyroTech. An attacker could exploit this vulnerability to obtain sensitive cookie information and use this information to launch further attacks on the affected system.