VARIoT IoT vulnerabilities database
| VAR-201512-0091 | CVE-2015-7281 | ReadyNet WRT300N-DD Wireless Router contains multiple vulnerabilities |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
Cross-site request forgery (CSRF) vulnerability on ReadyNet WRT300N-DD devices with firmware 1.0.26 allows remote attackers to hijack the authentication of arbitrary users. ReadyNet WRT300N-DD Wireless Router, firmware version 1.0.26, uses default credentials, is vulnerable to cross-site request forgery, and uses insufficiently random values for DNS queries. The ReadyNet WRT300N-DD is a wireless router product from ReadyNet, New Zealand.
An attacker can exploit these issues to bypass certain security restrictions and perform unauthorized actions, or can trick a victim into following a specially crafted HTTP request designed to perform some action on the attacker's behalf using the victim's currently active session. A remote attacker could exploit this vulnerability to perform unauthorized operations.
| VAR-201512-0089 | CVE-2015-7279 | Amped Wireless R10000 router contains multiple vulnerabilities |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
Amped Wireless R10000 devices with firmware 2.5.2.11 use an improper algorithm for selecting the ID value in the header of a DNS query, which makes it easier for remote attackers to spoof responses by predicting this value. Supplementary information: the CWE vulnerability type has been identified as CWE-331: Insufficient Entropy. The Amped Wireless R10000 is a router in the R10000 series from Amped Wireless.
An attacker can exploit these issues to bypass certain security restrictions and perform unauthorized actions, or can trick a victim into following a specially crafted HTTP request designed to perform some action on the attacker's behalf using the victim's currently active session. A remote attacker can exploit this vulnerability to forge response information.
| VAR-201512-0087 | CVE-2015-7277 | Amped Wireless R10000 router contains multiple vulnerabilities |
CVSS V2: 9.3 CVSS V3: 9.8 Severity: CRITICAL |
The web administration interface on Amped Wireless R10000 devices with firmware 2.5.2.11 has a default password of admin for the admin account, which allows remote attackers to obtain administrative privileges by leveraging a LAN session. Amped Wireless R10000 router, firmware version 2.5.2.11, uses default credentials, is vulnerable to cross-site request forgery, and uses insufficiently random values for DNS queries. The Amped Wireless R10000 is a router in the R10000 series from Amped Wireless. A credential management vulnerability exists in Amped Wireless R10000 devices with firmware 2.5.2.11.
An attacker can exploit these issues to bypass certain security restrictions and perform unauthorized actions, or can trick a victim into following a specially crafted HTTP request designed to perform some action on the attacker's behalf using the victim's currently active session. The vulnerability is due to the use of 'admin' as the password for the admin account.
| VAR-201601-0429 | CVE-2015-8337 | Huawei Mate7 and P8 HIFI Driver Denial of Service Vulnerability |
CVSS V2: 7.1 CVSS V3: 5.5 Severity: MEDIUM |
The HIFI driver in Huawei P8 phones with software GRA-TL00 before GRA-TL00C01B220SP01, GRA-CL00 before GRA-CL00C92B220, GRA-CL10 before GRA-CL10C92B220, GRA-UL00 before GRA-UL00C00B220, GRA-UL10 before GRA-UL10C00B220 and Mate7 phones with software MT7-UL00 before MT7-UL00C17B354, MT7-TL10 before MT7-TL10C00B354, MT7-TL00 before MT7-TL00C01B354, and MT7-CL00 before MT7-CL00C92B354 allows remote attackers to cause a denial of service (invalid memory access and reboot) via unspecified vectors related to "input null pointer as parameter". Supplementary information: the CWE vulnerability type has been identified as CWE-476: NULL Pointer Dereference. The Huawei Mate7 and P8 are both Huawei smartphone products. The HIFI driver is one of the HIFI sound drivers. Huawei smartphones are prone to multiple local denial-of-service vulnerabilities.
An attacker can exploit these issues to cause an affected system to reload, denying service to legitimate users. The Huawei Mate 7 and P8 are smartphones from the Chinese company Huawei. The following products and versions are affected: Huawei Mate7 with software versions prior to MT7-UL00C17B354, MT7-TL10C00B354, MT7-TL00C01B354 and MT7-CL00C92B354; and Huawei P8 with software versions prior to GRA-TL00C01B220SP01, GRA-CL00C92B220, GRA-CL10C92B220, GRA-UL00C00B220 and GRA-UL10C00B220.
| VAR-201512-0422 | CVE-2015-6389 | Cisco Prime Collaboration Assurance unauthorized access vulnerability |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Cisco Prime Collaboration Assurance before 11.0 has a hardcoded cmuser account, which allows remote attackers to obtain access by establishing an SSH session and leveraging knowledge of this account's password, aka Bug ID CSCus62707.
Remote attackers with knowledge of the default credentials may exploit this vulnerability to gain unauthorized access and perform unauthorized actions. This may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCus62707. Cisco Prime Collaboration Assurance supports simplified unified communication and video collaboration network management through a unified management console, and rapid deployment of communication sites.
| VAR-201512-0388 | CVE-2015-6413 | Cisco TelePresence Video Communication Server Expressway Unauthorized Access Vulnerability |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Cisco TelePresence Video Communication Server (VCS) Expressway X8.6 allows remote authenticated users to bypass intended read-only restrictions and upload Tandberg Linux Package (TLP) files by visiting an administrative page, aka Bug ID CSCuw55651. Cisco TelePresence Video Communication Server is a telepresence video communication server from Cisco Systems, USA.
Attackers can exploit this issue to gain unauthorized access to the affected application. This may help in further attacks.
This issue is being tracked by Cisco Bug ID CSCuw55651.
| VAR-201512-0384 | CVE-2015-6408 | Cisco Unity Connection Vulnerable to cross-site request forgery |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in Cisco Unity Connection 11.5(0.98) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCux24578. Cisco Unity Connection is a voice messaging platform that runs on the same Linux-based Cisco Unified Communications Operating System.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
This issue is being tracked by Cisco Bug ID CSCux24578. The platform can use voice commands to make calls or listen to messages "hands-free".
| VAR-201512-0410 | CVE-2015-6403 | Multiple Cisco Small Business SPA phones TFTP implementation Trojan horse image loading vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The TFTP implementation on Cisco Small Business SPA30x, SPA50x, SPA51x phones 7.5.7 improperly validates firmware-image file integrity, which allows local users to load a Trojan horse image by leveraging shell access, aka Bug ID CSCut67400. Multiple Cisco IP Phones are prone to a local arbitrary file-upload vulnerability.
A local attacker may leverage this issue to upload arbitrary files to the affected device. This may aid in further attacks.
This issue is tracked by Cisco Bug ID CSCut67400. Cisco Small Business SPA30x, SPA50x and SPA51x are S series IP telephone products of Cisco. The vulnerability is caused by the fact that the program does not correctly verify the integrity of the firmware-image file. The following products are affected: Cisco SPA30X Series IP Phones, SPA50X Series IP Phones and SPA51X Series IP Phones.
| VAR-201512-0387 | CVE-2015-6411 | Cisco FirePOWER Management Center Software Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco FirePOWER Management Center 5.4.1.3, 6.0.0, and 6.0.1 provides verbose responses to requests for help files, which allows remote attackers to obtain potentially sensitive version information by reading an unspecified field, aka Bug ID CSCux37061. The vendor has confirmed this vulnerability and released it as Bug ID CSCux37061. A third party reading an unspecified field may obtain sensitive version information. The Cisco FirePOWER Management Center is the next-generation firewall management center software from Cisco. An attacker could exploit the vulnerability to gain access to sensitive information.
This issue is being tracked by Cisco Bug ID CSCux37061.
| VAR-201512-0386 | CVE-2015-6410 | Cisco Unified Communications Manager Mobile and Remote Access services implementation call-reception and call-setup restriction bypass vulnerability |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The Mobile and Remote Access (MRA) services implementation in Cisco Unified Communications Manager mishandles edge-device identity validation, which allows remote attackers to bypass intended call-reception and call-setup restrictions by spoofing a user, aka Bug ID CSCuu97283. The vendor has confirmed this vulnerability and released it as Bug ID CSCuu97283. A third party impersonating a user may be able to circumvent restrictions on call reception and call setup. Cisco Unified Communications Manager is prone to a security-bypass vulnerability.
Successful exploits may allow an attacker to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks.
This issue is tracked by Cisco Bug ID CSCuu97283. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. The vulnerability stems from the fact that the program does not properly handle edge-device authentication. Remote attackers can exploit this vulnerability by forging user identities to bypass established call-reception and call-setup restrictions.
| VAR-201512-0512 | CVE-2015-7789 | WL-330NUL vulnerable to denial-of-service (DoS) |
CVSS V2: 3.3 CVSS V3: 4.3 Severity: MEDIUM |
ASUS Japan WL-330NUL devices with firmware before 3.0.0.42 allow remote attackers to cause a denial of service via unspecified vectors. WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains a denial-of-service (DoS) vulnerability. TAIZO TSUKAMOTO of GLOBAL SECURITY EXPERTS Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. An attacker who can access the product may be able to cause a denial of service (DoS). There is a denial of service vulnerability in WL-330NUL.
WL-330NUL firmware versions prior to 3.0.0.42 are vulnerable.
| VAR-201512-0513 | CVE-2015-7790 | ASUS Japan WL-330NUL Device Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability on ASUS Japan WL-330NUL devices with firmware before 3.0.0.42 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains a stored cross-site scripting vulnerability. TAIZO TSUKAMOTO of GLOBAL SECURITY EXPERTS Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. An arbitrary script may be executed in the user's web browser. The ASUS WL-330NUL router is prone to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
| VAR-201512-0510 | CVE-2015-7787 | WL-330NUL information management vulnerability |
CVSS V2: 3.3 CVSS V3: 4.3 Severity: MEDIUM |
ASUS Japan WL-330NUL devices with firmware before 3.0.0.42 allow remote attackers to discover the WPA2-PSK passphrase via unspecified vectors. WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains an issue in information management. TAIZO TSUKAMOTO of GLOBAL SECURITY EXPERTS Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. An attacker who can access the product may obtain the WPA2-PSK passphrase. WL-330NUL has an information disclosure vulnerability that allows an attacker to discover the WPA2-PSK passphrase via unspecified vectors. The ASUS WL-330NUL is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
WL-330NUL firmware versions prior to 3.0.0.42 are vulnerable.
| VAR-201512-0511 | CVE-2015-7788 | WL-330NUL vulnerable to remote command execution |
CVSS V2: 5.8 CVSS V3: 7.3 Severity: HIGH |
ASUS Japan WL-330NUL devices with firmware before 3.0.0.42 allow remote attackers to execute arbitrary commands via unspecified vectors. WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains a remote command execution vulnerability. TAIZO TSUKAMOTO of GLOBAL SECURITY EXPERTS Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. An attacker who can access the product may execute an arbitrary command with administrative privileges. The ASUS WL-330NUL is prone to an unspecified remote command-execution vulnerability because it fails to sufficiently validate user-supplied input.
| VAR-201512-0435 | CVE-2015-8457 | Adobe Flash Player and Adobe AIR Vulnerable to stack-based buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-8407. This is a different vulnerability from CVE-2015-8407. An attacker could execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of HTTP Live Streaming. The issue lies in the failure to validate the size of a user-supplied buffer prior to copying it to a stack buffer. Failed exploit attempts will likely result in denial-of-service conditions. The following products and versions are affected: Adobe Flash Player Desktop Runtime 19.0.0.245 and earlier on Windows and Macintosh, Adobe Flash Player Extended Support Release 18.0.0.261 and earlier, Adobe Flash Player for Google Chrome 19.0.0.245 and earlier on Windows, Macintosh, Linux and ChromeOS, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 19.0.0.245 and earlier on Windows 10, Adobe Flash Player for Internet Explorer 10 and 11 19.0.0.245 and earlier on Windows 8.0 and 8.1, Adobe Flash Player for Linux 11.2.202.548 and earlier on Linux, AIR Desktop Runtime 19.0.0.241 and earlier on Windows and Macintosh, AIR SDK 19.0.0.241 and earlier on Windows, Macintosh, Android and iOS, and AIR SDK & Compiler 19.0.0
| VAR-201512-0434 | CVE-2015-8456 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-8439. This is a different vulnerability from CVE-2015-8439. Supplementary information: the CWE vulnerability type has been identified as CWE-843: Access of Resource Using Incompatible Type ('Type Confusion'), http://cwe.mitre.org/data/definitions/843.html. An attacker may use an unspecified type confusion to execute arbitrary code. Failed exploit attempts will likely result in denial-of-service conditions. Security flaws exist in several Adobe products. The following products and versions are affected: Adobe Flash Player Desktop Runtime 19.0.0.245 and earlier on Windows and Macintosh, Adobe Flash Player Extended Support Release 18.0.0.261 and earlier, Adobe Flash Player for Google Chrome 19.0.0.245 and earlier on Windows, Macintosh, Linux and ChromeOS, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 19.0.0.245 and earlier on Windows 10, Adobe Flash Player for Internet Explorer 10 and 11 19.0.0.245 and earlier on Windows 8.0 and 8.1, Adobe Flash Player for Linux 11.2.202.548 and earlier on Linux, AIR Desktop Runtime 19.0.0.241 and earlier on Windows and Macintosh, AIR SDK 19.0.0.241 and earlier on Windows, Macintosh, Android and iOS, and AIR SDK & Compiler 19.0.0
| VAR-201512-0114 | CVE-2015-7080 | Apple iOS Siri client-side protection mechanism bypass vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Siri in Apple iOS before 9.2 allows physically proximate attackers to bypass an intended client-side protection mechanism and obtain sensitive content-notification information by listening to a device in the lock-screen state. Apple iOS is an operating system developed by Apple for mobile phones and the like. Apple iOS is prone to multiple security vulnerabilities.
Attackers can exploit these issues to bypass security restrictions, execute arbitrary code, spoof the source URI of a site presented to an unsuspecting user. Failed exploit attempts may cause a denial-of-service condition.
Versions prior to iOS 9.2 are vulnerable. Siri is one of the voice control components.
| VAR-201512-0541 | CVE-2014-3260 | Pacom 1000 CCU and RTU GMS devices controller-to-base data stream spoofing vulnerability |
CVSS V2: 6.8 CVSS V3: 7.5 Severity: HIGH |
Pacom 1000 CCU and RTU GMS devices allow remote attackers to spoof the controller-to-base data stream by leveraging improper use of cryptography. The Pacom 1000 CCU and RTU are products of Pacom, Sweden. The former is a network security panel for controlling, monitoring and maintaining remote sites, and the latter is a security panel that controls the access control alarm system. There are security vulnerabilities in the Pacom 1000 CCU and RTU encryption algorithms. The vulnerability can be exploited by an attacker to control communication between the program and the base station. Pacom RTU, EMCS and 1000 CCU are prone to multiple cryptography weaknesses.
XPD - XPD Advisory
https://xpd.se
Crypto implementation flaws in Pacom GMS System
Advisory ID: XPD-2015-001
CVE reference: CVE-2014-3260
Affected platforms: Pacom 1000 CCU ("Base Station") and Controllers
(RTU)
Version: All versions are affected
Date: 2013-October-10
Security risk: High
Vulnerability: Crypto implementation flaws in Pacom GMS System
Researcher: Joachim Strombergson, Fredrik Soderblom, Peter Norin
Vendor Status: Notified / Patch available
Vulnerability Disclosure Policy:
https://xpd.se/advisories/xpd-disclosure-policy-01.txt
Permanent URL:
https://xpd.se/advisories/XPD-2015-001.txt
=====================================================================
Summary:
The Pacom 1000 CCU and controllers (RTU) are used in security alarm
installations all over the world. The flaws we have found can bypass
the security of any unpatched installation. It is located at the site
itself and performs all alarm and door control functions."
- http://www.pacom.com/field-controllers.php
"Pacom security solutions are installed in over twenty countries on
seven continents." - http://www.pacom.com/our-customers.php
Detailed description:
The Pacom 1000 implementation has several serious implementation flaws.
These vulnerabilities could in a worst case scenario lead to a full
compromise of the protocol between the controller and the base station,
rendering an alarm system useless.
Potentially a large number of sites could be affected by the described
flaws.
PRNG:
The PRNG used is of a type known as a Linear Congruential Generator.
This type of generator is known to provide random numbers with less
than perfect uniform distribution. The PRNG is a 16-bit generator.
This means that the generator can only generate 2**16 numbers in a
sequence before it must be reseeded. There is no information about
how the generator is seeded from start nor how it is reseeded.
A simulation in Dieharder shows that the used algorithm fails every
test except for one, where it receives the result 'Weak'.
The Linear Congruential Generator can be broken by observing values
generated by consecutive iterations of the PRNG. The system creates
32-bit random numbers by extracting 8 bits from each of four consecutive
16-bit words generated by the PRNG. This means that by observing a
single 32-bit word, an attacker has in fact half the state information
(8 out of 16 bits) from four iterations of the generator.
MAC:
A Message Authentication Code (MAC) is generated and added to each
message sent between CCU and Controller. The MAC generator used is
not based on any well-known secure MAC functionality such as HMAC or
OMAC. Furthermore the generated MAC is only 32 bits.
Master Code:
There is a functionality for substitution detection. According to
Pacom the functionality is based on a proprietary Pacom encryption
method. Key to the functionality is a 24-bit randomly generated
value called Master Code. The Master Code is also used to generate
the 128-bit AES key used with the substitution detection algorithm.
Hence the effective strength of the key is not 128 bits, nor 104 bits
(128 - 24) but 24 bits. A very short key with low security.
Unfortunately it appears that the aforementioned (16-bit only),
less than optimal, PRNG is used to generate the Master Code, thus
reducing its effective strength to 16 bits.
The Master Code is distributed from CCU to CPU-cards and other CCUs
as well as GMS units (for logging purposes) in clear text. This means
that the code potentially is sent unprotected over private networks,
corporate networks, public networks etc.
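As an added illustration (not part of the XPD advisory or of Pacom's code), the following Python quantifies the two claims above: a value built from a 16-bit LCG cannot carry more than 16 bits of entropy, whether it is the 32-bit random word assembled from four consecutive outputs or the 24-bit Master Code. The multiplier, increment and the choice of the high byte of each output are constructed assumptions, since the advisory does not publish Pacom's values.

```python
"""
Added example: how much entropy can a value derived from a 16-bit
Linear Congruential Generator carry?

The advisory states that the PRNG is a 16-bit LCG, that 32-bit random
numbers are built from 8 bits of each of four consecutive outputs, and
that the 24-bit Master Code is also derived from this PRNG.  The real
multiplier, increment and byte selection are not public; the constants
below are CONSTRUCTED for illustration only.
"""
from __future__ import annotations

import math

MOD = 1 << 16   # 16-bit state, as described in the advisory
A = 25173       # constructed multiplier; A-1 is divisible by 4
C = 13849       # constructed increment; odd
# With MOD a power of two, an odd C and A-1 divisible by 4, the
# Hull-Dobell theorem guarantees the full period of 2**16 states.


def lcg_step(state: int) -> int:
    """One iteration of the constructed 16-bit LCG."""
    return (A * state + C) % MOD


def period(seed: int = 0) -> int:
    """Length of the state cycle starting at `seed` (at most 2**16)."""
    s = lcg_step(seed)
    n = 1
    while s != seed:
        s = lcg_step(s)
        n += 1
    return n


def derive_value(state: int, nbytes: int) -> tuple[int, int]:
    """Assemble an (nbytes * 8)-bit value from nbytes consecutive PRNG
    outputs, taking the high byte of each output (assumption: the
    advisory does not say which 8 bits are used).  Returns the value
    and the generator state after the last step."""
    value = 0
    for _ in range(nbytes):
        state = lcg_step(state)
        value = (value << 8) | (state >> 8)
    return value, state


def reachable_values(nbytes: int) -> set[int]:
    """Every distinct value derive_value() can produce, over all 2**16
    possible generator states.  Because the value is a function of the
    state alone, the set can never exceed 65536 entries."""
    return {derive_value(s, nbytes)[0] for s in range(MOD)}


def effective_entropy_bits(nbytes: int) -> float:
    """log2 of the number of distinct reachable values: the real entropy
    of a nominally (nbytes * 8)-bit 'random' number built this way."""
    return math.log2(len(reachable_values(nbytes)))


if __name__ == "__main__":
    print("state cycle length:", period())
    for label, nbytes in (("24-bit Master Code", 3), ("32-bit random word", 4)):
        bits = effective_entropy_bits(nbytes)
        print(f"{label}: nominal {nbytes * 8} bits, "
              f"at most {bits:.2f} bits of entropy")
```

The same measurement applied to a generator with a larger state, or to output drawn from the operating system's CSPRNG, would not show this ceiling; the cap comes from the 16-bit state, not from the width of the derived value.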
Substitution detection:
According to Pacom documentation the "substitution detection involves
appending a 128-bit check code to the controller heartbeat response
messages. The check code is calculated from a combination of a
hard-coded constant value, the controllers master code, and the
message data. In essence it is another type of MAC, but one that
employs the master code."
The implementation of the substitution detection uses a "check code"
which is said to be 128-bits long and is appended to response messages.
However, due to a design flaw, the code is only 64 bits.
In total the heartbeat response message is 5 bytes (40 bits) long:
Byte 1: The message type (e.g. heartbeat response)
Byte 2: A value based on random numbers sent in the heartbeat command
from the CCU
Byte 3: The controller summary status
Byte 4: The heartbeat sequence number (zero or one)
Byte 5: Always zero
Of the five bytes in the heartbeat response message, two bytes (4 and 5)
are either one or zero, or always zero. Byte 3 is a simple status. So,
of 40 bits, 32 bits are most likely predictable and the remaining 8 bits
are probably chosen based on the weak PRNG. This means that a big part
of the response message can be guessed.
The so called "128-bit check code" is then calculated over these 5 bytes
using the aforementioned flawed Master Code and a 2 byte address of the
controller, forming a 40 bit key, which is used with a hard coded constant
to form an AES-128 key.
The resulting "128-bit check code" from the AES encryption is XOR:ed with
its own cleartext. This means that there is a direct path from cleartext
to ciphertext bypassing the AES encryption. This leaks information about
the cleartext as well as opening up for chosen plaintext attacks.
Hard coded constants:
The security functionality uses several hard coded, secret constants for
random number generation, MAC calculation, the substitution detection
algorithm etc. Unfortunately, the way these constants are used,
information about them is leaked through the very messages, which
opens up for recovery of the constants. If the constants are recovered
and thus system security is lost, the units must be reprogrammed in
the field or even replaced.
=====================================================================
Conclusion:
We do not recommend relying on the security features in the system;
the system should be viewed as an unprotected system.
If the system is to be used, separate communication security mechanisms
should be added.
However, the usage of hard coded constants in the units and the associated
need for field service or replacement if a breach occurs, makes us
recommend that the system needs severe redesign before it is ready for
production use.
We question whether the system has been designed with any knowledge of
what has been known good security practice for at least 30 years, or
with good engineering practice.
=====================================================================
Versions affected:
All versions of Pacom 1000 (CCU & RTU) - According to Pacom, this
firmware will not be fixed. Customers are advised to switch to the EMCS
platform instead.
All versions of EMCS (Pacom .is) prior to 1.3
The vendor reports that the following versions are patched:
EMCS (Pacom .is) version 1.3 and above
=====================================================================
Credits
This vulnerability was discovered and researched by Joachim Strombergson
from Assured AB, Fredrik Soderblom and Peter Norin from XPD AB.
=====================================================================
References
https://en.wikipedia.org/wiki/Linear_congruential_generator
https://en.wikipedia.org/wiki/Diehard_tests
=====================================================================
History
2013-10-10 Initial Discovery
2013-10-22 Initial attempt to contact the vendor
2013-11-12 Reply from Niscayah, case is assigned to internal resource
2014-05-07 CVE-2014-3260 is assigned
2014-06-05 Draft of the advisory sent to the vendor
2014-09-01 Pacom notifies us that fixed firmware (EMCS only) is ready
2015-12-08 Public disclosure
=====================================================================
About Assured
Assured AB is a privately held company with headquarters in Gothenburg,
Sweden. Established in 2015, Assured is an independent security
consultancy firm that provides expert knowledge, advisory and
design of IT security solutions.
http://assured.se
About XPD
XPD AB is a privately held company with headquarters in Stockholm,
Sweden. Established in 2002, XPD AB is an independent security
consulting and research firm, with a focus on security and perimeter
security solutions.
https://xpd.se
=====================================================================
Disclaimer and Copyright
Copyright (c) 2015 XPD AB and Assured AB. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given.
The information provided in this advisory is provided "as is" without
warranty of any kind. XPD AB and Assured AB disclaim all warranties,
either express or implied, including the warranties of merchantability
and fitness for a particular purpose. In no event shall XPD AB or
Assured AB, or their suppliers, be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages, even if XPD AB or Assured AB, or their
suppliers, have been advised of the possibility of such damages.
| VAR-201603-0038 | CVE-2016-2287 | XZERES 442SR Wind Turbines Run on 442SR OS Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in XZERES 442SR OS on 442SR wind turbines allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
| VAR-201512-0010 | CVE-2015-7906 | Multiple LOYTEC devices password-hash backup file read vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
LOYTEC LIP-3ECTB 6.0.1, LINX-100, LVIS-3E100, and LIP-ME201 devices allow remote attackers to read a password-hash backup file via unspecified vectors. Multiple LOYTEC devices contain a vulnerability that allows password-hash backup files to be read. A third party may be able to read password-hash backup files. LOYTEC LIP devices are IP network router devices from LOYTEC, Germany. LOYTEC LIP-3ECTB 6.0.1, LINX-100, LVIS-3E100 and LIP-ME201 devices have information disclosure vulnerabilities. LOYTEC Router is prone to an arbitrary file-download vulnerability.
An attacker can exploit this issue to download backup files. Information obtained may aid in further attacks. The following products and versions are affected: LOYTEC LIP-3ECTB version 6.0.1, LINX-100, LVIS-3E100 and LIP-ME201.