VARIoT IoT vulnerabilities database


VAR-201511-0406 No CVE Cambium Networks ePMP 1000 Authentication Bypass Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cambium Networks ePMP 1000 is a wireless network access platform from Cambium Networks that supports applications such as video surveillance, Wi-Fi hotspots and sensor connectivity. The platform has a command injection vulnerability and an authentication bypass vulnerability. An attacker can use these vulnerabilities to execute arbitrary commands, bypass security restrictions, perform unauthorized operations, gain full control of affected devices, or cause a denial of service. Failed exploit attempts will likely result in denial-of-service conditions.
VAR-201601-0420 CVE-2015-8303 Huawei Document Security Management software information disclosure vulnerability CVSS V2: 2.1
CVSS V3: 4.0
Severity: MEDIUM
Huawei Document Security Management (DSM) with software before V100R002C05SPC661 does not clear the clipboard when closing a secure file, which allows local users to obtain sensitive information by pasting the contents into another file. Huawei DSM is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information, which may aid in further attacks. Huawei Document Security Management (DSM) is a set of document rights management software from Huawei, China. The software is characterized by high stability, reliability and scalability. The vulnerability is caused by the clipboard not being cleared correctly when the program closes a secure file.
VAR-201511-0044 CVE-2015-7036 Arbitrary code execution vulnerability in the SQLite fts3_tokenizer function as used in Apple iOS and OS X CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The fts3_tokenizer function in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a SQL command that triggers an API call with a crafted pointer value in the second argument. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SQLite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the fts3_tokenizer function. The issue lies in the optional second argument, which is expected to be a pointer into a structure. An attacker can leverage this vulnerability to achieve code execution in the context of the current process. Both Apple iOS and OS X are operating systems of Apple Inc. in the United States; iOS was developed for mobile devices and OS X for Mac computers. SQLite is an open source embedded relational database management system written in C and developed by American software developer D. Richard Hipp. The vulnerability exists in the fts3_tokenizer function of SQLite as used in Apple iOS versions prior to 8.4 and OS X versions prior to 10.10.4.

Gentoo Linux Security Advisory GLSA 201612-21
https://security.gentoo.org/

Severity: Normal
Title: SQLite: Multiple vulnerabilities
Date: December 08, 2016
Bugs: #549258, #574420
ID: 201612-21

Synopsis
========
Multiple vulnerabilities were found in SQLite, the worst of which may allow execution of arbitrary code.

Background
==========
SQLite is a C library that implements an SQL database engine.

Affected packages
=================
Package: dev-db/sqlite
Vulnerable: < 3.11.1
Unaffected: >= 3.11.1

Description
===========
Multiple vulnerabilities have been discovered in SQLite. Please review the CVE identifiers referenced below for details.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All sqlite users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/sqlite-3.11.1"

References
==========
[ 1 ] CVE-2015-7036 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7036
[ 2 ] Two invalid read errors / heap overflows in SQLite (TFPA 006/2015) http://blog.fuzzing-project.org/10-Two-invalid-read-errors-heap-overflows-in-SQLite-TFPA-0062015.html

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201612-21

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
VAR-201511-0017 CVE-2015-7910 Exemys Telemetry Web Server Authentication Bypass Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Exemys Telemetry Web Server relies on an HTTP Location header to indicate that a client is unauthorized, which allows remote attackers to bypass intended access restrictions by disregarding this header and processing the response body. Supplementary information: CWE vulnerability type CWE-284 (Improper Access Control) has been identified. Exemys Telemetry Web Server is a web-based SCADA system from Exemys, Argentina. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may aid in further attacks.
VAR-201511-0224 CVE-2015-6372 Cross-site scripting vulnerability in Cisco Firepower Extensible Operating System running on Firepower 9000 devices CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the web-based management interface in Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 9000 devices allows remote attackers to inject arbitrary web script or HTML via a crafted value, aka Bug ID CSCux10614. An HTML injection vulnerability exists in Cisco Firepower 9000 Series Switches. A remote attacker can exploit this vulnerability to execute arbitrary HTML or script code in the context of an affected browser and steal cookie-based authentication credentials. Other attacks are also possible. This issue is being tracked by Cisco Bug ID CSCux10614.
VAR-201511-0225 CVE-2015-6373 Cross-site request forgery vulnerability in Cisco Firepower Extensible Operating System running on Firepower 9000 devices CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 9000 devices allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCux10611. The vendor has confirmed this vulnerability and released it as Bug ID CSCux10611. A third party may be able to hijack the authentication of any user. The Cisco Firepower 9000 is a set of operating systems running on the 9000 Series firewall appliances from Cisco. A remote attacker can exploit this vulnerability to perform unauthorized operations or to access affected applications. Other attacks are also possible. This issue is being tracked by Cisco Bug ID CSCux10611.
VAR-201511-0308 CVE-2015-5255 Vulnerability in Adobe BlazeDS, as used in Adobe ColdFusion and LiveCycle Data Services, allowing HTTP traffic to be sent to intranet servers CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Adobe BlazeDS, as used in ColdFusion 10 before Update 18 and 11 before Update 7 and LiveCycle Data Services 3.0.x before 3.0.0.354175, 3.1.x before 3.1.0.354180, 4.5.x before 4.5.1.354177, 4.6.2.x before 4.6.2.354178, and 4.7.x before 4.7.0.354178, allows remote attackers to send HTTP traffic to intranet servers via a crafted XML document, related to a Server-Side Request Forgery (SSRF) issue. Multiple Adobe products are prone to a security-bypass vulnerability. Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks.

Note: the current version of the following document is available here: https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05073670

SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05073670
Version: 1
HPSBST03568 rev.1 - HP XP7 Command View Advanced Edition Suite including Device Manager and Hitachi Automation Director (HAD), Remote Server-Side Request Forgery (SSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2016-04-06
Last Updated: 2016-04-06
Potential Security Impact: Remote Server-Side Request Forgery (SSRF)
Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP XP7 Command View Advanced Edition Suite and HP XP P9000 Command View Advanced Edition Software including Device Manager and Hitachi Automation Director (HAD). The vulnerability could be remotely exploited resulting in Server-Side Request Forgery (SSRF).
References: CVE-2015-5255

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP XP P9000 Command View Advanced Edition Software and HP XP7 Command View Advanced Edition Suite:
- HP Device Manager Software v7.0.0-00 to earlier than v8.4.0-00
- Hitachi Automation Director (HAD) for Windows and Linux v8.1.1-00 to earlier than 8.4.0-00

BACKGROUND
CVSS 2.0 Base Metrics
Reference: CVE-2015-5255
Base Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Base Score: 4.3
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HPE has released the following software updates to resolve the vulnerability in HP XP7 Command View Advanced Edition Suite and HP XP P9000 Command View Advanced Edition:
- HP Device Manager Software v8.4.0-00
- Hitachi Automation Director (HAD) for Windows and Linux v8.4.0-00

HISTORY
Version:1 (rev.1) - 6 April 2016 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
VAR-201511-0222 CVE-2015-6370 Vulnerability in Cisco Firepower Extensible Operating System running on Firepower 9000 devices allowing arbitrary OS commands to be run as root CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
The Management I/O (MIO) component in Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 9000 devices allows local users to execute arbitrary OS commands as root via crafted CLI input, aka Bug ID CSCux10578. The Cisco Firepower 9000 is a set of operating systems running on the 9000 Series firewall appliances from Cisco. A local command injection vulnerability exists in the Cisco Firepower 9000 Series. A local attacker can exploit this vulnerability to execute arbitrary commands with root privileges. This issue is being tracked by Cisco Bug IDs CSCux10576 and CSCux10578.
VAR-201511-0223 CVE-2015-6371 Arbitrary file read vulnerability in Cisco Firepower Extensible Operating System running on Firepower 9000 devices CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 9000 devices allows remote authenticated users to read arbitrary files via crafted parameters to unspecified scripts, aka Bug ID CSCux10621. The Cisco Firepower 9000 is a set of operating systems running on the 9000 Series firewall appliances from Cisco. An authenticated attacker can exploit this issue to read arbitrary files, which may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCux10621.
VAR-201511-0221 CVE-2015-6369 Denial of service (DoS) vulnerability in the USB driver of Cisco Firepower Extensible Operating System running on Firepower 9000 devices CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
The USB driver in Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 9000 devices allows physically proximate attackers to cause a denial of service via a crafted USB device that triggers invalid USB commands, aka Bug ID CSCux10531. The Cisco Firepower 9000 is a set of operating systems running on the 9000 Series firewall appliances from Cisco. A local denial of service vulnerability exists in the Cisco Firepower 9000 Series. A local attacker can exploit this vulnerability to cause a denial of service. This issue is being tracked by Cisco Bug ID CSCux10531.
VAR-201511-0226 CVE-2015-6374 Clickjacking vulnerability in Cisco Firepower Extensible Operating System running on Firepower 9000 devices CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The web interface in Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 9000 devices does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, aka Bug ID CSCux10604. A clickjacking vulnerability exists in Cisco Firepower 9000 Series Switches. A remote attacker can exploit this vulnerability to compromise affected devices and obtain sensitive information. Other attacks are also possible. This issue is being tracked by Cisco Bug ID CSCux10604.
VAR-201511-0005 CVE-2015-6330 Cross-site request forgery vulnerability in Cisco Prime Collaboration Assurance CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in Cisco Prime Collaboration Assurance 10.5(1) and 10.6 allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCus62712. The vendor has confirmed this vulnerability and released it as Bug ID CSCus62712. A third party may be able to hijack the authentication of any user. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. This issue is being tracked by Cisco Bug ID CSCus62712. Cisco Prime Collaboration Assurance supports simplified unified communication and video collaboration network management through a unified management console, and rapid deployment of communication sites.
VAR-201511-0012 CVE-2015-6357 Server impersonation vulnerability in the SSL rule-update feature of Cisco FireSIGHT Management Center CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
The rule-update feature in Cisco FireSIGHT Management Center (MC) 5.2 through 5.4.0.1 does not verify the X.509 certificate of the support.sourcefire.com SSL server, which allows man-in-the-middle attackers to spoof this server and provide an invalid package, and consequently execute arbitrary code, via a crafted certificate, aka Bug ID CSCuw06444. The Cisco FireSIGHT Management Center centrally manages the network security and operational features of Cisco ASA with FirePOWER Services and Cisco FirePOWER appliances. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks. This issue is being tracked by Cisco Bug ID CSCuw06444. The vulnerability is caused by the program not verifying the X.509 certificate of the support.sourcefire.com SSL server.
VAR-201511-0219 CVE-2015-6368 File read vulnerability in Cisco Firepower Extensible Operating System running on Firepower 9000 devices CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 9000 devices allows remote attackers to read files via a crafted HTTP request, aka Bug ID CSCux10608. An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks. This issue is being tracked by Cisco Bug ID CSCux10608.
VAR-201511-0335 CVE-2015-3977 Schneider Electric IMT25 Magnetic Flow DTM for the HART Protocol Buffer Overflow Vulnerability CVSS V2: 7.7
CVSS V3: -
Severity: HIGH
Buffer overflow in Schneider Electric IMT25 Magnetic Flow DTM before 1.500.004 for the HART Protocol allows remote authenticated users to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HART reply. Schneider Electric IMT25 Magnetic Flow DTM (Device Type Manager) is a device type management software library from Schneider Electric, France.
VAR-201708-0146 CVE-2015-7259 ZTE ADSL ZXV10 W300 modem credential and password management vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid username and password pairs, which allows remote authenticated users to log in to a target account via any of its username and password pairs. ZTE ADSL ZXV10 W300 modems contain vulnerabilities related to credential and password management. Information may be obtained or altered, and service operation may be disrupted (DoS). ZTE ADSL ZXV10 W300 is an ADSL modem product from China's ZTE Corporation (ZTE). A security vulnerability exists in the W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 versions.

Other functions may be vulnerable as well.
*Expected behavior:* Only administrative 'admin' user should be able to change password for all the device users. 'support' is a diagnostic user with restricted privileges. It can change only its own password.
*Vulnerability:* Any non-admin user can change 'admin' password.
*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Intercept and Tamper the parameter - username - change from 'support' to 'admin'
e. Enter the new password -> old password is not requested -> Submit -> Login as admin -> Pwn!

2 *Sensitive information disclosure - clear-text passwords*
Displaying user information over Telnet connection, shows all valid users and their passwords in clear-text.
*CVE-ID*: CVE-2015-7258
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.

It is possible to log in to device with either of the username/password combination.
*CVE-ID*: CVE-2015-7259
It is considered as a (redundant) login support *feature*.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password:          <--- admin/password3
$sh
ADSL#login show
Username   Password    Priority
admin      password1   2
support    password2   0
admin      password3   1

Best Regards,
Karn Ganeshen
VAR-201708-0144 CVE-2015-7257 ZTE ADSL ZXV10 W300 Modem password management vulnerability CVSS V2: 8.5
CVSS V3: 7.5
Severity: HIGH
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrator users to change the admin password by intercepting an outgoing password change request, and changing the username parameter from "support" to "admin". ZTE ADSL ZXV10 W300 modems contain a vulnerability in their password management functions. Information may be obtained or altered, and service operation may be disrupted (DoS). ZTE ADSL ZXV10 W300 is an ADSL modem product from China's ZTE Corporation (ZTE). A security vulnerability exists in the W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 versions.

*ZTE ADSL modems - Multiple vulnerabilities*
Confirmed on 2 (of multiple) software versions - *W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57*

1 *Insufficient authorization controls*
*CVE-ID*: CVE-2015-7257
Observed in Password Change functionality. Other functions may be vulnerable as well. 'support' is a diagnostic user with restricted privileges.
*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Enter the new password -> old password is not requested -> Submit -> Login as admin -> Pwn!

2 *Sensitive information disclosure - clear-text passwords*
Displaying user information over Telnet connection, shows all valid users and their passwords in clear-text.
*CVE-ID*: CVE-2015-7258
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password:          <--- admin/XXX1
$sh
ADSL#login show    <--- shows user information
Username   Password    Priority
admin      password1   2
support    password2   0
admin      password3   1

3 *(Potential) Backdoor account feature - insecure account management*
Same login account can exist on the device, multiple times, each with different priority#. It is possible to log in to device with either of the username/password combination.
*CVE-ID*: CVE-2015-7259
It is considered as a (redundant) login support *feature*.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'
VAR-201708-0145 CVE-2015-7258 ZTE ADSL ZXV10 W300 modem credential and password management vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated users to obtain user passwords by displaying user information in a Telnet connection. ZTE ADSL ZXV10 W300 modems contain vulnerabilities related to credential and password management. Information may be obtained or altered, and service operation may be disrupted (DoS). ZTE ADSL ZXV10 W300 is an ADSL modem product from China's ZTE Corporation (ZTE). A security vulnerability exists in the W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 versions.

Other functions may be vulnerable as well.
*Expected behavior:* Only administrative 'admin' user should be able to change password for all the device users. 'support' is a diagnostic user with restricted privileges. It can change only its own password.
*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Intercept and Tamper the parameter - username - change from 'support' to 'admin'
e.

*CVE-ID*: CVE-2015-7258
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password:          <--- admin/XXX1
$sh
ADSL#login show    <--- shows user information
Username   Password    Priority
admin      password1   2
support    password2   0
admin      password3   1

3 *(Potential) Backdoor account feature - insecure account management*
Same login account can exist on the device, multiple times, each with different priority#. It is possible to log in to device with either of the username/password combination.
*CVE-ID*: CVE-2015-7259
It is considered as a (redundant) login support *feature*.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password:          <--- admin/password3
$sh
ADSL#login show
Username   Password    Priority
admin      password1   2
support    password2   0
admin      password3   1

Best Regards,
Karn Ganeshen
VAR-201511-0048 CVE-2015-5999 D-Link DIR-816L wireless router firmware cross-site request forgery vulnerability

Related entries in the VARIoT exploits database: VAR-E-201511-0153
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DIR-816L Wireless Router with firmware before 2.06.B09_BETA allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin password, (2) change the network policy, or (3) possibly have other unspecified impact via crafted requests to hedwig.cgi and pigwidgeon.cgi. The D-Link DIR-816L is a wireless router product from D-Link. It is prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions, which may lead to further attacks. D-Link DIR-816L devices running firmware 2.06.B01 and prior are vulnerable.
VAR-201511-0082 CVE-2015-7427 IBM DataPower Gateway appliance firmware vulnerability allowing unspecified cookies to be captured CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
IBM DataPower Gateway appliances with firmware 6.x before 6.0.0.17, 6.0.1.x before 6.0.1.17, 7.x before 7.0.0.10, 7.1.0.x before 7.1.0.7, and 7.2.x before 7.2.0.1 do not set the secure flag for unspecified cookies in an https session, which makes it easier for remote attackers to capture these cookies by intercepting their transmission within an http session. IBM DataPower Gateway is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may lead to further attacks. IBM DataPower Gateway is a security and integration platform from IBM Corporation in the United States, designed for mobile, cloud, application programming interface (API), network, service-oriented architecture (SOA), B2B and cloud workloads; the dedicated gateway platform secures, integrates and optimizes access across channels. The following versions are affected: IBM DataPower Gateway 6.0.0.16 and earlier, 6.0.1.12, 7.0.0.9, 7.1.0.6, 7.2.0.0.