VARIoT IoT vulnerabilities database
| VAR-201509-0285 | CVE-2015-6277 | Cisco NX-OS and MDS SAN-OS on multiple Cisco Nexus and MDS devices: denial of service (DoS) vulnerability in the ARP implementation |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
The ARP implementation in Cisco NX-OS on Nexus 1000V devices for VMware vSphere 5.2(1)SV3(1.4), Nexus 3000 devices 7.3(0)ZD(0.47), Nexus 4000 devices 4.1(2)E1, Nexus 9000 devices 7.3(0)ZD(0.61), and MDS 9000 devices 7.0(0)HSK(0.353) and SAN-OS NX-OS on MDS 9000 devices 7.0(0)HSK(0.353) allows remote attackers to cause a denial of service (ARP process restart) via crafted packet-header fields, aka Bug ID CSCut25292. The vendor has confirmed this vulnerability and published it as Bug ID CSCut25292. A remote third party may be able to cause a denial of service (ARP process restart) by sending packets with crafted header fields. Cisco NX-OS software is a data-center-class operating system built around modular design, resiliency, and serviceability. A security vulnerability exists in Cisco NX-OS: an attacker can send a specially crafted ARP packet that restarts the target's ARP process.
This issue is being tracked by Cisco Bug IDs CSCut25292, CSCuw02034, CSCuw02035, CSCuw02037, and CSCuw02038. The affected devices are all Cisco products: the Cisco Nexus 1000V Switch is a virtual switch that runs on the VMware vSphere virtualization platform, and the Nexus 3000, 4000, 7000 and 9000 are series of data-center switches. Cisco MDS SAN-OS Software is the operating system of Cisco's MDS Fibre Channel storage-network switches. The following products and versions are affected: Cisco MDS 9000 NX-OS and SAN-OS Software running Cisco NX-OS 7.0(0)HSK(0.353); Cisco Nexus 1000V Switches for VMware vSphere running Cisco NX-OS 5.2(1)SV3(1.4); Cisco Nexus 3000 Series Switches running Cisco NX-OS Release 7.3(0)ZD(0.47); Cisco Nexus 9000 Series Switches running Cisco NX-OS Release 7.3(0)ZD(0.61); and Cisco Nexus 4000 Series Switches running Cisco NX-OS Release 4.1(2)E1.
| VAR-201512-0526 | CVE-2015-2876 | Seagate and LaCie wireless storage products contain multiple vulnerabilities |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
Unrestricted file upload vulnerability on Seagate GoFlex Satellite, Seagate Wireless Mobile Storage, Seagate Wireless Plus Mobile Storage, and LaCie FUEL devices with firmware before 3.4.1.105 allows remote attackers to execute arbitrary code by uploading a file to /media/sda2 during a Wi-Fi session. The wireless storage products offered by Seagate contain multiple vulnerabilities:
Use of hard-coded credentials (CWE-798) - CVE-2015-2874: An undocumented telnet service is running on the device and can be accessed with the username "root" and a default password. CWE-798: Use of Hard-coded Credentials, https://cwe.mitre.org/data/definitions/798.html (NVD classifies this issue as CWE-255).
Direct request / forced browsing (CWE-425) - CVE-2015-2875: By default, anyone connected to the device wirelessly can download files, and any file on the file system can be downloaded directly. CWE-425: Direct Request ('Forced Browsing'), https://cwe.mitre.org/data/definitions/425.html (NVD classifies this issue as CWE-22).
Unrestricted upload of a file with dangerous type (CWE-434) - CVE-2015-2876: When the device is accessed wirelessly with default settings, files can be uploaded to the /media/sda2 file system, which is the area prepared for file sharing. CWE-434: Unrestricted Upload of File with Dangerous Type, https://cwe.mitre.org/data/definitions/434.html
A remote attacker may be able to read arbitrary files on the product and operate it with root privileges.
Seagate 36C running firmware versions 2.2.0.005 and 2.3.0.014 are vulnerable
| VAR-201512-0525 | CVE-2015-2875 | Seagate and LaCie wireless storage products contain multiple vulnerabilities |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Absolute path traversal vulnerability on Seagate GoFlex Satellite, Seagate Wireless Mobile Storage, Seagate Wireless Plus Mobile Storage, and LaCie FUEL devices with firmware before 3.4.1.105 allows remote attackers to read arbitrary files via a full pathname in a download request during a Wi-Fi session. The wireless storage products offered by Seagate contain multiple vulnerabilities:
Use of hard-coded credentials (CWE-798) - CVE-2015-2874: An undocumented telnet service is running on the device and can be accessed with the username "root" and a default password. CWE-798: Use of Hard-coded Credentials, https://cwe.mitre.org/data/definitions/798.html (NVD classifies this issue as CWE-255).
Direct request / forced browsing (CWE-425) - CVE-2015-2875: By default, anyone connected to the device wirelessly can download files, and any file on the file system can be downloaded directly. CWE-425: Direct Request ('Forced Browsing'), https://cwe.mitre.org/data/definitions/425.html (NVD classifies this issue as CWE-22).
Unrestricted upload of a file with dangerous type (CWE-434) - CVE-2015-2876: When the device is accessed wirelessly with default settings, files can be uploaded to the /media/sda2 file system, which is the area prepared for file sharing. CWE-434: Unrestricted Upload of File with Dangerous Type, https://cwe.mitre.org/data/definitions/434.html
A remote attacker may be able to read arbitrary files on the product and operate it with root privileges.
Seagate 36C running firmware versions 2.2.0.005 and 2.3.0.014 are vulnerable
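The two web-interface flaws in the CVE-2015-2875 and CVE-2015-2876 entries above are both path-confinement failures: a download request that carries a full pathname is served from outside the share, and an upload is written under whatever name the client supplies. The following is an added example, not Seagate or LaCie firmware code, that puts the unconfined handling beside a confined version. The share root /media/sda2 comes from the entries; the uploads subdirectory and the allow-listed suffixes are the editor's assumptions, and the path handling is purely lexical so it runs on any OS without touching the file system.

```python
"""Added example (not Seagate/LaCie firmware): unconfined vs confined path
handling for the download (CVE-2015-2875) and upload (CVE-2015-2876) cases."""
from posixpath import join, normpath
from pathlib import PurePosixPath
from typing import Optional

SHARE_ROOT = "/media/sda2"                            # file-sharing area named in the entries
UPLOAD_DIR = PurePosixPath(SHARE_ROOT) / "uploads"    # assumption: uploads land in one subdirectory
ALLOWED_UPLOAD_SUFFIXES = {".jpg", ".jpeg", ".png", ".mp3", ".mp4", ".pdf", ".txt"}  # assumption


def vulnerable_download_path(requested: str) -> str:
    """Reproduces the flaw: the request is joined to the share root, but an
    absolute pathname makes join() discard the root entirely (CWE-36), and
    '..' segments climb out of it (CWE-22)."""
    return normpath(join(SHARE_ROOT, requested))


def safe_download_path(requested: str) -> Optional[str]:
    """Treat the request as a relative name inside the share: refuse absolute
    paths, empty names and '..' segments, then re-check the resolved prefix."""
    p = PurePosixPath(requested)
    if not p.parts or p.is_absolute() or ".." in p.parts:
        return None
    resolved = PurePosixPath(normpath(join(SHARE_ROOT, requested)))
    if PurePosixPath(SHARE_ROOT) not in resolved.parents:
        return None
    return str(resolved)


def vulnerable_upload_path(filename: str) -> str:
    """Reproduces the flaw: client-chosen name, any type, stored as given."""
    return normpath(join(SHARE_ROOT, filename))


def safe_upload_path(filename: str) -> Optional[str]:
    """Keep only the final path component, drop dotfiles, allow-list the
    suffix, and store under a fixed uploads directory."""
    name = PurePosixPath(filename).name
    if not name or name.startswith("."):
        return None
    if PurePosixPath(name).suffix.lower() not in ALLOWED_UPLOAD_SUFFIXES:
        return None
    return str(UPLOAD_DIR / name)


if __name__ == "__main__":
    # Constructed requests: one legitimate and two hostile per operation.
    for req in ("photos/cat.jpg", "/etc/passwd", "photos/../../etc/passwd"):
        print(f"download {req!r}: unconfined -> {vulnerable_download_path(req)}, "
              f"confined -> {safe_download_path(req)}")
    for name in ("holiday.JPG", "shell.php", "../../etc/cron.d/job"):
        print(f"upload {name!r}: unconfined -> {vulnerable_upload_path(name)}, "
              f"confined -> {safe_upload_path(name)}")
```

The confined versions reject rather than repair: silently stripping a leading slash or '..' would still let an attacker probe the layout, and a rejected request is also the event worth logging. On a real device the resolved path should additionally be checked after symlink resolution (os.path.realpath) because a symlink inside the share can point outside it.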
| VAR-201509-0441 | CVE-2015-4077 | Fortinet FortiClient: arbitrary kernel memory read vulnerability in multiple drivers |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call. Fortinet FortiClient is prone to multiple local information-disclosure vulnerabilities.
Local attackers can exploit these issues to cause a kernel memory leak to obtain sensitive information that may lead to further attacks.
Fortinet FortiClient 5.2.3.633 is vulnerable; other versions may also be affected. Fortinet FortiClient is an endpoint security solution developed by Fortinet. The solution provides IPsec and SSL VPN, WAN optimization, endpoint compliance, and two-factor authentication when connected to FortiGate firewall appliances. The Core Security advisory CORE-2015-0013, which covers CVE-2015-4077, CVE-2015-5735, CVE-2015-5736 and CVE-2015-5737, is reproduced below.
1. Advisory Information
Title: FortiClient Antivirus Multiple Vulnerabilities
Advisory ID: CORE-2015-0013
Advisory URL: http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities
Date published: 2015-09-01
Date of last update: 2015-09-01
Vendors contacted: Fortinet
Release mode: Coordinated release
2. Vulnerability Information
Class: Information Exposure [CWE-200], Write-what-where Condition [CWE-123], Exposed Dangerous Method or Function [CWE-749], Exposed IOCTL with Insufficient Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2015-4077, CVE-2015-5735, CVE-2015-5736, CVE-2015-5737
3. Vulnerability Description
Fortinet FortiClient [1] extends the power of FortiGate's Unified threat management to endpoints on your network. Desktops, laptops, tablets and smartphones, FortiClient enables every device - local or remote, stationary or mobile - to integrate with your FortiGate. With no per-seat license fees, FortiClient takes the headaches out of managing multiple endpoints so your users and guests can work efficiently anywhere, without compromising your security.
FortiClient drivers are prone to multiple attacks and expose a wide surface that allows users to easily get SYSTEM privileges.
4. Vulnerable packages
FortiClient 5.2.3.633
Other versions may probably be affected too, but they were not checked.
5. Vendor Information, Solutions and Workarounds
Fortinet released an updated version of FortiClient 5.2.4.0650 [2] that fixes the reported issues.
6. Credits
These vulnerabilities were discovered and researched by Enrique Nissim from Core Security's Consulting Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security's Advisories Team.
7. Technical Description / Proof of Concept Code
[CVE-2015-4077] The vulnerability lies in the drivers "mdare64_48.sys", "mdare32_48.sys", "mdare32_52.sys" and "mdare64_52.sys". By using the IOCTL 0x22608C with the proper parameters, an attacker is able to read arbitrary memory content from kernelspace.
[CVE-2015-5735] The vulnerability lies in the drivers "mdare64_48.sys", "mdare32_48.sys", "mdare32_52.sys" and "mdare64_52.sys". By using the IOCTL 0x226108, the attacker is able to call ZwEnumerateValueKey and write its output to an arbitrary memory location.
[CVE-2015-5736] The vulnerability lies in "Fortishield.sys", which is a minifilter filesystem driver that hooks filesystem operations. IOCTL 0x220024 and 0x220028 both allow establishing callbacks that will be called during any IRP_MJ_WRITE and IRP_MJ_SET_INFORMATION, respectively. Consequently, any user in the system can set an arbitrary function as a callback and execute code with kernel privileges.
[CVE-2015-5737] The vulnerability lies in the drivers "mdare64_48.sys", "mdare32_48.sys", "mdare32_52.sys", "mdare64_52.sys" and "Fortishield.sys". All of these drivers expose an API to manage processes and the Windows registry. For instance, the IOCTL 0x2220c8 of the "mdareXX_XX.sys" driver returns a full privileged handle to a given process PID. This same function is replicated inside "Fortishield.sys".
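Each IOCTL code quoted in section 7 packs four fields in the Windows CTL_CODE layout: the device type, the handle access the I/O manager demands before it passes the request to the driver, the driver-private function number, and the buffering method. Unpacking them shows what the I/O manager does and does not check on the attacker's behalf. The following added example (editor's code, not Core Security's or Fortinet's) decodes the five codes named in the advisory; the field layout and constant values are the documented Windows ones, the driver names and codes come from the advisory, and the interpretation in the comments is the editor's.

```c
/* Added example, not FortiClient or Core Security code: unpack the IOCTL
 * codes from CORE-2015-0013 into the fields of the Windows CTL_CODE layout.
 * Layout and constant values are the documented Windows ones (WDK). */
#include <stdint.h>
#include <stdio.h>

#define FILE_DEVICE_UNKNOWN 0x22u   /* device type used by most third-party drivers */

#define METHOD_BUFFERED     0u      /* I/O manager copies the buffer; pointers inside it are not validated */
#define METHOD_IN_DIRECT    1u
#define METHOD_OUT_DIRECT   2u
#define METHOD_NEITHER      3u      /* raw user pointers; the driver must probe everything itself */

#define FILE_ANY_ACCESS     0u      /* any open handle to the device may issue the code */
#define FILE_READ_ACCESS    1u
#define FILE_WRITE_ACCESS   2u

struct ioctl_fields {
    unsigned device_type;   /* bits 31..16 */
    unsigned access;        /* bits 15..14: FILE_*_ACCESS required on the handle */
    unsigned function;      /* bits 13..2:  driver-private function number */
    unsigned method;        /* bits 1..0:   METHOD_* buffering method */
};

/* Inverse of CTL_CODE(DeviceType, Function, Method, Access). */
struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2) & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* CTL_CODE as defined in the WDK, so decode_ioctl can be checked against it. */
uint32_t ctl_code(unsigned device_type, unsigned function, unsigned method, unsigned access)
{
    return ((uint32_t)device_type << 16) | ((uint32_t)access << 14) |
           ((uint32_t)function << 2) | (uint32_t)method;
}

/* 1 when the I/O manager requires nothing beyond an open handle, so every
 * principal the device object's DACL lets open the device can issue the code. */
int callable_with_any_handle(uint32_t code)
{
    return decode_ioctl(code).access == FILE_ANY_ACCESS;
}

static const char *method_name(unsigned m)
{
    static const char *names[] = {"METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                  "METHOD_OUT_DIRECT", "METHOD_NEITHER"};
    return names[m & 3u];
}

static const char *access_name(unsigned a)
{
    switch (a) {
    case FILE_ANY_ACCESS:   return "FILE_ANY_ACCESS";
    case FILE_READ_ACCESS:  return "FILE_READ_ACCESS";
    case FILE_WRITE_ACCESS: return "FILE_WRITE_ACCESS";
    default:                return "FILE_READ_ACCESS|FILE_WRITE_ACCESS";
    }
}

int main(void)
{
    /* Driver names and codes as given in section 7 of the advisory. */
    struct { const char *driver; const char *cve; uint32_t code; } advisory[] = {
        {"mdareXX_XX.sys",  "CVE-2015-4077", 0x22608Cu},
        {"mdareXX_XX.sys",  "CVE-2015-5735", 0x226108u},
        {"Fortishield.sys", "CVE-2015-5736", 0x220024u},
        {"Fortishield.sys", "CVE-2015-5736", 0x220028u},
        {"mdareXX_XX.sys",  "CVE-2015-5737", 0x2220C8u},
    };
    for (size_t i = 0; i < sizeof advisory / sizeof advisory[0]; i++) {
        struct ioctl_fields f = decode_ioctl(advisory[i].code);
        printf("%-16s %-14s 0x%06X: type 0x%02X func 0x%03X %-17s %s\n",
               advisory[i].driver, advisory[i].cve, (unsigned)advisory[i].code,
               f.device_type, f.function, method_name(f.method), access_name(f.access));
    }
    return 0;
}
```

All five codes are METHOD_BUFFERED with device type FILE_DEVICE_UNKNOWN. The two Fortishield.sys callback IOCTLs and the process-handle IOCTL carry FILE_ANY_ACCESS, so any handle to the device suffices; the two mdare IOCTLs require FILE_READ_ACCESS, which a handle opened with GENERIC_READ already satisfies. In neither case does the access field say anything about who the caller is: that is decided only by the device object's DACL, and the advisory records that an unprivileged user could reach these codes. Under METHOD_BUFFERED the I/O manager copies the request buffer but does not validate addresses stored inside it, so a driver that uses such a field as a destination pointer must probe it itself.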
8. Report Timeline
2015-06-25: Core Security notified Fortinet of the vulnerabilities. Publication date set for July 27th, 2015.
2015-06-30: Fortinet replied that they received Core Security's email and that they would like to receive the draft version of the advisory.
2015-07-01: Core Security sent Fortinet the draft version of the advisory and requested a tentative schedule for releasing the updates.
2015-07-01: Fortinet replied that they received the draft version of the advisory and that they would review it.
2015-07-15: Core Security requested an update from Fortinet regarding the reported vulnerabilities and a tentative schedule.
2015-07-19: Fortinet replied and confirmed the reported bugs, but stated that they were only able to trigger them with administrative privileges. They requested a PoC from Core Security.
2015-07-20: Core Security replied, explaining to Fortinet that they were able to trigger the vulnerabilities as a non-privileged user. They sent Fortinet a PoC code that opens a handle with read/write permissions to LSASS process and then uses it to allocate memory in its virtual address space.
2015-07-20: Fortinet replied that they would review the PoC.
2015-07-20: Fortinet asked if Core Security researchers could review an interim build when available.
2015-07-21: Core Security confirmed that they would be willing to review an interim build when available.
2015-08-03: Core Security requested an update from Fortinet regarding the availability of the interim build, and asked if there was a specific date Fortinet was planning to release the fix.
2015-08-04: Fortinet replied that their current release date was August 17.
2015-08-05: Fortinet updated the schedule, explaining that the interim build wouldn't include the MDARE fixes therefore delaying the release until the end of August.
2015-08-07: Core Security asked Fortinet if the interim build was going to be published by Fortinet, because if so, that would force Core Security to publish their findings as well. If that wasn't the case, Core Security recommended publishing everything together later that month.
2015-08-07: Fortinet replied that the interim build was private and therefore there wasn't a need to publish ahead of schedule.
2015-08-10: Fortinet sent Core Security a link to download the interim build and requested feedback.
2015-08-10: Core Security replied that they received and downloaded the interim build and would send feedback. Additionally, Core Security requested an updated ETA.
2015-08-18: Core Security requested the specific date Fortinet would release the patched version of their product so they could schedule their security advisory publication accordingly.
2015-08-20: Core Security again requested a specific date for the publication of the updates and informed Fortinet that if they did not receive an answer in the following days they would be forced to schedule the advisory publication.
2015-08-20: Fortinet replied that the scheduled release date for the updated version of FortiClient was August 31. They asked if Core Security had had an opportunity to review the interim build and if they had any feedback.
2015-08-24: Core Security replied that they had reviewed the interim build and could confirm that those bugs were no longer exploitable. Core Security requested an updated ETA of the updated version.
2015-08-24: Fortinet replied that the scheduled release seemed to be confirmed and that the estimated time of availability would be roughly 5 p.m. Pacific Time.
9. References
[1] http://www.forticlient.com/.
[2] http://docs.fortinet.com/d/forticlient-5.2.4-windows-release-notes.pdf.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security
Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-201509-0288 | CVE-2015-5737 | Fortinet FortiClient: privileged process handle obtainable by PID through multiple drivers |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, (4) mdare64_52.sys, and (5) Fortishield.sys drivers in Fortinet FortiClient before 5.2.4 do not properly restrict access to the API for management of processes and the Windows registry, which allows local users to obtain a privileged handle to a PID and possibly have unspecified other impact, as demonstrated by a 0x2220c8 ioctl call. FortiClient is prone to multiple local information-disclosure vulnerabilities.
Local attackers can exploit these issues to obtain sensitive information and perform unauthorized actions. Other attacks may be possible. Fortinet FortiClient is an endpoint security solution developed by Fortinet. The solution provides IPsec and SSL VPN, WAN optimization, endpoint compliance, and two-factor authentication when connected to FortiGate firewall appliances. A local attacker could exploit this vulnerability to obtain a fully privileged handle to a process selected by PID. The Core Security advisory CORE-2015-0013 covering this issue is reproduced under VAR-201509-0441 above.
| VAR-201509-0287 | CVE-2015-5736 | Fortinet FortiClient: arbitrary code execution vulnerability in the Fortishield.sys driver |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The Fortishield.sys driver in Fortinet FortiClient before 5.2.4 allows local users to execute arbitrary code with kernel privileges by setting the callback function in a (1) 0x220024 or (2) 0x220028 ioctl call. FortiClient is prone to a local privilege-escalation vulnerability. Fortinet FortiClient is an endpoint security solution developed by Fortinet. The solution provides IPsec and SSL VPN, WAN optimization, endpoint compliance, and two-factor authentication when connected to FortiGate firewall appliances. The Core Security advisory CORE-2015-0013 covering this issue is reproduced under VAR-201509-0441 above.
| VAR-201509-0286 | CVE-2015-5735 | Fortinet FortiClient multiple driver vulnerabilities allowing writes to arbitrary memory locations |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to write to arbitrary memory locations via a 0x226108 ioctl call. Fortinet FortiClient is prone to multiple local security-bypass vulnerabilities.
Attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions in the affected application, which may aid in further attacks.
Fortinet FortiClient 5.2.3.633 is vulnerable; other versions may also be affected. Fortinet FortiClient is a mobile terminal security solution developed by Fortinet. The solution provides IPsec and SSL encryption, WAN optimization, endpoint compliance, and two-factor authentication when connected to FortiGate firewall appliances.
1. Advisory Information
Title: FortiClient Antivirus Multiple Vulnerabilities
Advisory ID: CORE-2015-0013
Advisory URL: http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities
Date published: 2015-09-01
Date of last update: 2015-09-01
Vendors contacted: Fortinet
Release mode: Coordinated release
2. Vulnerability Information
Class: Information Exposure [CWE-200], Write-what-where Condition [CWE-123], Exposed Dangerous Method or Function [CWE-749], Exposed IOCTL with Insufficient Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2015-4077, CVE-2015-5735, CVE-2015-5736, CVE-2015-5737
3. Vulnerability Description
Fortinet FortiClient [1] extends the power of FortiGate's Unified threat management to endpoints on your network. Desktops, laptops, tablets and smartphones, FortiClient enables every device - local or remote, stationary or mobile - to integrate with your FortiGate. With no per-seat license fees, FortiClient takes the headaches out of managing multiple endpoints so your users and guests can work efficiently anywhere, without compromising your security.
FortiClient drivers are prone to multiple attacks and expose a wide surface that allows users to easily get SYSTEM privileges.
4.
5. Vendor Information, Solutions and Workarounds
Fortinet released an updated version of FortiClient 5.2.4.0650 [2] that fixes the reported issues.
6. Credits
These vulnerabilities were discovered and researched by Enrique Nissim from Core Security's Consulting Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security's Advisories Team.
7. Technical Description / Proof of Concept Code
[CVE-2015-4077] The vulnerability lies in the drivers "mdare64_48.sys", "mdare32_48.sys", "mdare32_52.sys" and "mdare64_52.sys".
[CVE-2015-5735] The vulnerability lies in the drivers "mdare64_48.sys", "mdare32_48.sys", "mdare32_52.sys" and "mdare64_52.sys".
[CVE-2015-5736] The vulnerability lies in "Fortishield.sys", which is a minifilter filesystem driver that hooks filesystem operations. IOCTLs 0x220024 and 0x220028 allow establishing callbacks that will be invoked on every IRP_MJ_WRITE and IRP_MJ_SET_INFORMATION operation, respectively. Consequently, any user on the system can set an arbitrary function as a callback and execute code with kernel privileges.
[CVE-2015-5737] The vulnerability lies in the drivers "mdare64_48.sys", "mdare32_48.sys", "mdare32_52.sys", "mdare64_52.sys" and "Fortishield.sys". All of these drivers expose an API to manage processes and the Windows registry. For instance, the IOCTL 0x2220c8 of the "mdareXX_XX.sys" driver returns a full privileged handle to a given process PID. This same function is replicated inside "Fortishield.sys".
8. Report Timeline
2015-06-25: Core Security notified Fortinet of the vulnerabilities. Publication date set for July 27th, 2015.
2015-06-30: Fortinet replied that they received Core Security's email and that they would like to receive the draft version of the advisory.
2015-07-01: Core Security sent Fortinet the draft version of the advisory and requested a tentative schedule for releasing the updates.
2015-07-01: Fortinet replied that they received the draft version of the advisory and that they would review it.
2015-07-15: Core Security requested an update from Fortinet regarding the reported vulnerabilities and a tentative schedule.
2015-07-19: Fortinet replied and confirmed the reported bugs, but stated that they were only able to trigger them with administrative privileges. They requested a PoC from Core Security.
2015-07-20: Core Security replied, explaining to Fortinet that they were able to trigger the vulnerabilities as a non-privileged user. They sent Fortinet PoC code that opens a handle with read/write permissions to the LSASS process and then uses it to allocate memory in its virtual address space.
2015-07-20: Fortinet replied that they would review the PoC.
2015-07-20: Fortinet asked if Core Security researchers could review an interim build when available.
2015-07-21: Core Security confirmed that they would be willing to review an interim build when available.
2015-08-03: Core Security requested an update from Fortinet regarding the availability of the interim build, and asked if there was a specific date Fortinet was planning to release the fix.
2015-08-04: Fortinet replied that their current release date was August 17.
2015-08-05: Fortinet updated the schedule, explaining that the interim build wouldn't include the MDARE fixes, therefore delaying the release until the end of August.
2015-08-07: Core Security asked Fortinet if the interim build was going to be published by Fortinet, because if so, that would force Core Security to publish their findings as well. If that wasn't the case, Core Security recommended publishing everything together later that month.
2015-08-07: Fortinet replied that the interim build was private and therefore there wasn't a need to publish ahead of schedule.
2015-08-10: Fortinet sent Core Security a link to download the interim build and requested feedback.
2015-08-10: Core Security replied that they received and downloaded the interim build and would send feedback. Additionally, Core Security requested an updated ETA.
2015-08-18: Core Security requested the specific date Fortinet would release the patched version of their product so they could schedule their security advisory publication accordingly.
2015-08-20: Core Security again requested a specific date for the publication of the updates and informed Fortinet that if they didn't receive an answer in the following days they would be forced to schedule the advisory publication.
2015-08-20: Fortinet replied that the scheduled release date for the updated version of FortiClient was August 31. They asked whether Core Security had had an opportunity to review the interim build and if they had any feedback.
2015-08-24: Core Security replied that they were able to review the interim build and could confirm that those bugs were no longer exploitable. Core Security requested an updated ETA for the updated version.
2015-08-24: Fortinet replied that the scheduled release seemed to be confirmed and that the estimated time of availability would be roughly 5 p.m. Pacific Time.
9. References
[1] http://www.forticlient.com/.
[2] http://docs.fortinet.com/d/forticlient-5.2.4-windows-release-notes.pdf.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security
Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-201508-0023 | CVE-2015-5717 | Siemens COMPAS Mobile Application Input Validation Vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
The Siemens COMPAS Mobile application before 1.6 for Android does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. The Siemens COMPAS Mobile application for Android is a Siemens application for quickly searching and viewing existing quotations and orders and for generating reports and drawings. A security vulnerability exists in the Siemens COMPAS Mobile application 1.5 and earlier for the Android platform. The vulnerability stems from the fact that the program does not correctly verify the X.509 certificate presented by the SSL server.
| VAR-201512-0073 | CVE-2015-5987 | Belkin N600 DB Wireless Dual Band N+ router contains multiple vulnerabilities |
CVSS V2: 5.0 CVSS V3: 8.6 Severity: HIGH |
Belkin F9K1102 2 devices with firmware 2.10.17 use an improper algorithm for selecting the ID value in the header of a DNS query, which makes it easier for remote attackers to spoof responses by predicting this value. Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17 and possibly earlier, contains multiple vulnerabilities. The Belkin N600 is a wireless dual-band router product. A remote attacker can exploit this weakness to spoof DNS responses by predicting the query ID. Belkin N600 DB Wi-Fi Dual-Band N+ Router is prone to the following security vulnerabilities:
1. A Predictable Random Number Generator Weakness
2. An information-disclosure vulnerability
3. A security-bypass vulnerability
4. An authentication-bypass vulnerability
5. A cross-site request-forgery vulnerability
An attacker can exploit these issues to bypass security restrictions and perform certain unauthorized actions, carry out brute-force attacks, bypass authentication mechanisms, or gain access to potentially sensitive information. This may lead to further attacks.
| VAR-201509-0283 | CVE-2015-6274 | Cisco ASR 1000 device software IPv4 implementation denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The IPv4 implementation on Cisco ASR 1000 devices with software 15.5(3)S allows remote attackers to cause a denial of service (ESP QFP CPU consumption) by triggering packet fragmentation and reassembly, aka Bug ID CSCuv71273. The Cisco ASR1000 Series Aggregation Services Router provides a WAN edge solution that combines information, communications, collaboration and business. The Cisco ASR 1000 Series Router has a security vulnerability in the processing of 100,000 fragmented IPv4 packets. A remote attacker can exploit this vulnerability by sending crafted packets that drive QFP CPU utilization on the target device too high, causing a denial of service.
An attacker can exploit this issue to consume CPU resources and cause a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCuv71273.
| VAR-201508-0096 | CVE-2015-6269 | Cisco IOS XE on Cisco ASR 1000 devices denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS XE before 2.2.3 on ASR 1000 devices allows remote attackers to cause a denial of service (Embedded Services Processor crash) via a crafted (1) IPv4 or (2) IPv6 packet, aka Bug ID CSCsw69990. The Cisco ASR1000 Series Aggregation Services Router provides a WAN edge solution that combines information, communications, collaboration and business. The Cisco ASR 1000 Series Router has a security vulnerability in its handling of IPv4 and IPv6 packets, which allows remote attackers to crash the target ESP and overload the device by sending crafted packets. Cisco IOS XE on ASR 1000 is an operating system developed by Cisco for the ASR 1000 series routers.
| VAR-201508-0097 | CVE-2015-6270 | Cisco IOS XE on Cisco ASR 1000 devices denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS XE before 2.2.3 on ASR 1000 devices allows remote attackers to cause a denial of service (Embedded Services Processor crash) via a crafted IPv6 packet, aka Bug ID CSCsv98555. The Cisco ASR1000 Series Aggregation Services Router provides a WAN edge solution that combines information, communications, collaboration and business. The Cisco ASR 1000 Series Router has a security vulnerability in its handling of IPv6 packets, which allows remote attackers to crash the target ESP and overload the device by sending crafted packets. Cisco IOS XE on ASR 1000 is an operating system developed by Cisco for the ASR 1000 series routers.
| VAR-201508-0098 | CVE-2015-6271 | Cisco IOS XE on Cisco ASR 1000 devices denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS XE 2.1.0 through 2.4.3 and 2.5.0 on ASR 1000 devices, when NAT Application Layer Gateway is used, allows remote attackers to cause a denial of service (Embedded Services Processor crash) via a crafted SIP packet, aka Bug IDs CSCta74749 and CSCta77008. The vendor has confirmed this vulnerability and published it as Bug IDs CSCta74749 and CSCta77008. A third party may cause a denial of service (Embedded Services Processor crash) via crafted SIP packets. The Cisco ASR1000 Series Aggregation Services Router provides a WAN edge solution that combines information, communications, collaboration and business. The Cisco ASR 1000 Series Router has a security vulnerability in its handling of SIP packets, which allows remote attackers to crash the target ESP and overload the device by sending crafted packets. Cisco IOS XE on ASR 1000 is an operating system developed by Cisco for the ASR 1000 series routers. A security vulnerability exists in Cisco IOS XE Releases 2.1.0 through 2.4.3 and 2.5.0 on Cisco ASR 1000 devices.
| VAR-201508-0099 | CVE-2015-6272 | Cisco IOS XE on Cisco ASR 1000 devices denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS XE 2.1.0 through 2.2.3 and 2.3.0 on ASR 1000 devices, when NAT Application Layer Gateway is used, allows remote attackers to cause a denial of service (Embedded Services Processor crash) via a crafted H.323 packet, aka Bug ID CSCsx35393, CSCsx07094, and CSCsw93064. The vendor has confirmed this vulnerability and published it as Bug IDs CSCsx35393, CSCsx07094, and CSCsw93064. A third party may cause a denial of service (Embedded Services Processor crash) via crafted H.323 packets. The Cisco ASR1000 Series Aggregation Services Router provides a WAN edge solution that combines information, communications, collaboration and business. The Cisco ASR 1000 Series Router has a security vulnerability in its handling of H.323 messages, which allows remote attackers to crash the target ESP and overload the device by sending crafted messages. A system configured with a NAT ALG or firewall is affected by this vulnerability. Cisco IOS XE on ASR 1000 is an operating system developed by Cisco for the ASR 1000 series routers. A security vulnerability exists in Cisco IOS XE Releases 2.1.0 through 2.2.3 and 2.3.0 on Cisco ASR 1000 devices.
| VAR-201512-0076 | CVE-2015-5990 | Belkin N600 DB Wireless Dual Band N+ Cross-Site Request Forgery Vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
Cross-site request forgery (CSRF) vulnerability on Belkin F9K1102 2 devices with firmware 2.10.17 allows remote attackers to hijack the authentication of arbitrary users. Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17 and possibly earlier, contains multiple vulnerabilities.
1. A Predictable Random Number Generator Weakness
2. An information-disclosure vulnerability
3. A security-bypass vulnerability
4. An authentication-bypass vulnerability
5. A cross-site request-forgery vulnerability
An attacker can exploit these issues to bypass security restrictions and perform certain unauthorized actions, carry out brute-force attacks, bypass authentication mechanisms, or gain access to potentially sensitive information. This may lead to further attacks.
| VAR-201512-0075 | CVE-2015-5989 | Belkin N600 DB Wireless Dual Band N+ router contains multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Belkin F9K1102 2 devices with firmware 2.10.17 rely on client-side JavaScript code for authorization, which allows remote attackers to obtain administrative privileges via certain changes to LockStatus and Login_Success values. Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17 and possibly earlier, contains multiple vulnerabilities. Belkin N600 DB Wireless Dual Band N+ has a security vulnerability: an attacker who intercepts responses from the embedded server containing the strings 'LockStatus:1' and 'Login_Success:0' and changes the values to '2' and '1' can bypass authentication and gain unauthorized access.
1. A Predictable Random Number Generator Weakness
2. An information-disclosure vulnerability
3. A security-bypass vulnerability
4. An authentication-bypass vulnerability
5. A cross-site request-forgery vulnerability
An attacker can exploit these issues to bypass security restrictions and perform certain unauthorized actions, carry out brute-force attacks, bypass authentication mechanisms, or gain access to potentially sensitive information. This may lead to further attacks. A remote attacker could exploit this vulnerability to gain administrator privileges.
| VAR-201512-0074 | CVE-2015-5988 | Belkin N600 DB Wireless Dual Band N+ router contains multiple vulnerabilities |
CVSS V2: 9.3 CVSS V3: 9.8 Severity: CRITICAL |
The web management interface on Belkin F9K1102 2 devices with firmware 2.10.17 has a blank password, which allows remote attackers to obtain administrative privileges by leveraging a LAN session. Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17 and possibly earlier, contains multiple vulnerabilities. Belkin N600 DB Wireless Dual Band N+ does not set a default password for the web management interface, allowing an attacker to gain access to the web management interface or to carry out cross-site request forgery attacks.
1. A Predictable Random Number Generator Weakness
2. An information-disclosure vulnerability
3. A security-bypass vulnerability
4. An authentication-bypass vulnerability
5. A cross-site request-forgery vulnerability
An attacker can exploit these issues to bypass security restrictions and perform certain unauthorized actions, carry out brute-force attacks, bypass authentication mechanisms, or gain access to potentially sensitive information. This may lead to further attacks.
| VAR-201509-0226 | CVE-2015-5993 | Philippine Long Distance Telephone SpeedSurf 504AN and Kasda KW58293 contain multiple vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Buffer overflow in form2ping.cgi on Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN devices with firmware GAN9.8U26-4-TX-R6B018-PH.EN and Kasda KW58293 devices allows remote attackers to cause a denial of service (device outage) via a long ipaddr parameter. The Philippine Long Distance Telephone (PLDT) company provides internet access in the Philippines. The SpeedSurf 504AN and Kasda KW58293 modems distributed by PLDT contain multiple vulnerabilities. The BaudTec ADSL2+ Router may also be affected. The form2ping.cgi page used by PLDT SpeedSurf 504AN and Kasda KW58293 devices to send ping requests does not properly handle the 'ipaddr' parameter, allowing remote attackers to cause a denial of service by submitting an overly long value.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. The former is a product of the Philippine PLDT company. The latter is a product of China Hongcheng (Kasda) Digital Technology Co., Ltd. There is a buffer overflow vulnerability in the form2ping.cgi file of PLDT SpeedSurf 504AN devices and Kasda KW58293 devices using GAN9.8U26-4-TX-R6B018-PH.EN firmware.
| VAR-201509-0225 | CVE-2015-5992 | Philippine Long Distance Telephone SpeedSurf 504AN and Kasda KW58293 Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in form2WlanSetup.cgi on Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN devices with firmware GAN9.8U26-4-TX-R6B018-PH.EN and Kasda KW58293 devices allows remote attackers to inject arbitrary web script or HTML via the ssid parameter. The Philippine Long Distance Telephone (PLDT) company provides internet access in the Philippines. The SpeedSurf 504AN and Kasda KW58293 modems distributed by PLDT contain multiple vulnerabilities. The BaudTec ADSL2+ Router may also be affected. The form2WlanSetup.cgi page on PLDT SpeedSurf 504AN and Kasda KW58293 devices fails to adequately filter the 'ssid' parameter, allowing remote attackers to inject malicious script or HTML code that is executed when the malicious data is viewed, in order to obtain sensitive information or hijack user sessions.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The former is a product of the Philippine PLDT company. The latter is a product of China Hongcheng (Kasda) Digital Technology Co., Ltd. There is a cross-site scripting vulnerability in the form2WlanSetup.cgi file of PLDT SpeedSurf 504AN devices and Kasda KW58293 devices using GAN9.8U26-4-TX-R6B018-PH.EN firmware.
| VAR-201509-0224 | CVE-2015-5991 | Philippine Long Distance Telephone SpeedSurf 504AN and Kasda KW58293 Cross-Site Request Forgery Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in form2WlanSetup.cgi on Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN devices with firmware GAN9.8U26-4-TX-R6B018-PH.EN and Kasda KW58293 devices allows remote attackers to hijack the authentication of administrators for requests that perform setup operations, as demonstrated by modifying network settings. The Philippine Long Distance Telephone (PLDT) company provides internet access in the Philippines. The SpeedSurf 504AN and Kasda KW58293 modems distributed by PLDT contain multiple vulnerabilities. The BaudTec ADSL2+ Router may also be affected. The form2WlanSetup.cgi page on PLDT SpeedSurf 504AN and Kasda KW58293 devices fails to verify that requests were intentionally issued by the authenticated user, allowing remote attackers to craft malicious URIs which, when followed by an authenticated user, perform actions in that user's context. This may aid in other attacks. The former is a product of the Philippine PLDT company. The latter is a product of China Hongcheng (Kasda) Digital Technology Co., Ltd.