VARIoT IoT vulnerabilities database

Memory leak in Cisco IOS 12.2, 12.4, 15.0, 15.2, and 15.3 allows remote attackers to cause a denial of service (memory consumption) via crafted Common Industrial Protocol (CIP) TCP packets, aka Bug ID CSCun49658. Cisco IOS is a popular Internet operating system. Cisco IOS Software is prone to multiple denial-of-service vulnerabilities. Successful exploits may allow an attacker to cause memory leak or reload of an affected device, resulting in denial-of-service conditions. These issues are being tracked by Cisco Bug IDs CSCum98371, CSCun49658 and CSCun63514. The following releases are affected: Cisco IOS Release 12.2, Release 12.4, Release 15.0, Release 15.2, Release 15.3

Cisco IOS 12.2, 12.4, 15.0, 15.2, and 15.3 allows remote attackers to cause a denial of service (device reload) via malformed Common Industrial Protocol (CIP) TCP packets, aka Bug ID CSCun63514. Cisco IOS There is a service disruption ( Device reload ) There are vulnerabilities that are put into a state. Cisco IOS is a popular Internet operating system. Successful exploits may allow an attacker to cause memory leak or reload of an affected device, resulting in denial-of-service conditions. These issues are being tracked by Cisco Bug IDs CSCum98371, CSCun49658 and CSCun63514. The following releases are affected: Cisco IOS Release 12.2, Release 12.4, Release 15.0, Release 15.2, Release 15.3

AppNav in Cisco IOS XE 3.8 through 3.10 before 3.10.3S, 3.11 before 3.11.3S, 3.12 before 3.12.1S, 3.13 before 3.13.0S, 3.14 before 3.14.0S, and 3.15 before 3.15.0S allows remote attackers to execute arbitrary code or cause a denial of service (device reload) via a crafted TCP packet, aka Bug ID CSCuo53622. Cisco IOS is a popular Internet operating system. Cisco IOS XE Software is prone to a remote code-execution vulnerability. This issue being tracked by Cisco Bug ID CSCuo53622. The following versions are affected: Cisco IOS XE versions 3.8 through 3.10, 3.11 prior to 3.11.3S, 3.12 prior to 3.12.1S, 3.13 prior to 3.13.0S, 3.14 prior to 3.14.0S, and 3.15 prior to 3.15.0S

The Service Discovery Gateway (aka mDNS Gateway) in Cisco IOS 12.2, 12.4, 15.0, 15.1, 15.2, 15.3, and 15.4 and IOS XE 3.9.xS and 3.10.xS before 3.10.4S, 3.11.xS before 3.11.3S, 3.12.xS before 3.12.2S, and 3.13.xS before 3.13.1S allows remote attackers to cause a denial of service (device reload) by sending malformed mDNS UDP packets over (1) IPv4 or (2) IPv6, aka Bug ID CSCup70579. Cisco IOS is a popular Internet operating system. Cisco IOS and IOS XE Software are prone to a remote denial-of-service vulnerability. Successful exploits may allow attackers to cause the device to reload, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCup70579. Service Discovery Gateway (also known as mDNS Gateway, multicast DNS) is a gateway used to provide how to use common DNS programming interfaces (package format and operation semantics) in a small network without DNS services. The following products and versions are affected: Cisco IOS Releases 12.2, 12.4, 15.0, 15.2, 15.3, 15.4 and IOS XE 3.9.xS, 3.10.xS prior to 3.10.4S, 3.11.xS prior to 3.11.3S Version, 3.12.xS version before 3.12.2S, 3.13.xS version before 3.13.1S

The browsing feature in the server in CUPS does not filter ANSI escape sequences from shared printer names, which might allow remote attackers to execute arbitrary code via a crafted printer name. CUPS Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. AppleCUPS (CommonUnix Printing System) is an open source printing system for OSX and Unix-like systems from Apple. The system is based on the Internet Printing Protocol (IPP) and provides most PostScript and raster printer services. There is an arbitrary code execution vulnerability in AppleCUPS. An attacker could exploit the vulnerability to execute arbitrary code in the context of an affected application or to cause a denial of service. Failed attempts will likely cause a denial-of-service condition

Lenovo ThinkServer RD350, RD450, RD550, RD650, and TD350 servers before 1.26.0 use weak encryption to store (1) user and (2) administrator BIOS passwords, which allows attackers to decrypt the passwords via unspecified vectors. The Lenovo ThinkServer RD350, RD450, RD550, RD650 and TD350 are all rack-mounted server products from Lenovo. An attacker could exploit the vulnerability to crack a password. Multiple Lenovo products are prone to a BIOS password encryption weakness. A security vulnerability exists in several Lenovo ThinkServer product servers. The following products are affected: Lenovo ThinkServer RD350 prior to 1.26.0, RD450 prior to 1.26.0, RD550 prior to 1.26.0, RD650 prior to 1.26.0, TD350 prior to 1.26.0

The ThinkServer System Manager (TSM) Baseboard Management Controller before firmware 1.27.73476 for ThinkServer RD350, RD450, RD550, RD650, and TD350 allows remote attackers to cause a denial of service (web interface crash) via a malformed HTTP request during authentication. Lenovo ThinkServer System Manager is prone to a denial-of-service vulnerability. Attackers can exploit this issue to cause the web-interface to crash, resulting in a denial-of-service condition. Lenovo ThinkServer System Manager (TSM) Baseboard Management Controller (BMC) for ThinkServer RD350, etc. is a controller embedded in the hardware devices of ThinkServer RD350 and other servers from China Lenovo to manage and monitor server status. There are security vulnerabilities in the TSM BMC of several ThinkServer products using firmware versions earlier than 1.27.73476. The following products are affected: ThinkServer RD350, RD450, RD550, RD650, TD350

The ThinkServer System Manager (TSM) Baseboard Management Controller before firmware 1.27.73476 for ThinkServer RD350, RD450, RD550, RD650, and TD350 does not validate server certificates during an "encrypted remote KVM session," which allows man-in-the-middle attackers to spoof servers. Lenovo ThinkServer System Manager is prone to a security-bypass vulnerability. Attackers can exploit this issue through man-in-the-middle attacks to gain access to sensitive information, which may lead to further attacks. Lenovo ThinkServer System Manager (TSM) Baseboard Management Controller (BMC) for ThinkServer RD350, etc. is a controller embedded in the hardware devices of ThinkServer RD350 and other servers from China Lenovo to manage and monitor server status. There is a security vulnerability in the TSM BMC of several Lenovo ThinkServer products using firmware versions earlier than 1.27.73476. An attacker can use this vulnerability to implement a man-in-the-middle attack to deceive the server. The following products are affected: ThinkServer RD350, RD450, RD550, RD650, TD350

Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmware 2 before 2.27 and 4 before 2.03 and iLO Chassis Management (CM) firmware before 1.30 allows remote attackers to gain privileges, execute arbitrary code, or cause a denial of service via unknown vectors. Multiple HP Products are prone to an unspecified code-execution vulnerability. A remote attacker may be able to execute arbitrary code with elevated privileges. Failed exploit attempts will result in denial-of-service conditions. iLO 2 and iLO 4 are embedded server management technologies that monitor and maintain server health, remotely manage servers, and more through an integrated remote management port. iLO CM is a set of automated chassis management tools. A security vulnerability exists in HP iLO and iLO CM. The vulnerabilities could be exploited remotely resulting in Denial of Service (DoS) remote execution of code, and elevation of privilege References: CVE-2014-7876 (SSRT101745) SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Please visit the following location to obtain the firmware updates: www.hp.com/go/ilo HISTORY Version:1 (rev.1) - 17 March 2015 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iEYEARECAAYFAlUIbIkACgkQ4B86/C0qfVmFmACgrfeGsb1X7V95mAv1Bc7ApmFQ 8msAnAo40GwKlZoehDGfXQzL+4gBq72U =dGZX -----END PGP SIGNATURE-----

The DHCPv4 server in Cisco IOS XR 5.2.2 on ASR 9000 devices allows remote attackers to cause a denial of service (service outage) via a flood of crafted DHCP packets, aka Bug ID CSCup67822. Vendors have confirmed this vulnerability Bug ID CSCup67822 It is released as.A great deal of crafting by a third party DHCP Service disruption via packets ( Service stop ) There is a possibility of being in the state of. Cisco IOS XR is a member of the Cisco IOS Software family that uses a microkernel-based operating system architecture. Cisco ASR 9000 Series Aggregation Services Routers are prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause the affected device to crash, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCup67822

Cisco Mobility Services Engine (MSE) 8.0(110.0) allows remote authenticated users to discover the passwords of arbitrary users by (1) reading log files or (2) using an unspecified GUI feature, aka Bug ID CSCut24792. An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks. This issue being tracked by Cisco Bug ID CSCut24792. The platform collects, stores and manages data from wireless clients, Cisco access points and controllers. A security vulnerability exists in Cisco MSE 8.0(110.0)

Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmware 2 before 2.27, 3 before 1.82, and 4 before 2.10 allows remote attackers to bypass intended access restrictions or cause a denial of service via unknown vectors. HP Integrated Lights-Out is prone to an unspecified vulnerability. An attacker can exploit this issue to gain unauthorized access or cause denial-of-service conditions. operating status, remote management and control of servers, etc. A security vulnerability exists in HP iLO. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04582368 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04582368 Version: 1 HPSBHF03276 rev.1 - HP Integrated Lights-Out 2, 3, and 4 (iLO 2, iLO 3, iLO 4), Remote Unauthorized Access, Denial of Service (Dos) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. The vulnerability could be exploited remotely resulting in unauthorized access or Denial of Service. References: CVE-2015-2106 (SSRT101886) SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Please visit the following location to obtain the firmware updates: www.hp.com/go/ilo HISTORY Version:1 (rev.1) - 17 March 2015 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iEYEARECAAYFAlUIZ2gACgkQ4B86/C0qfVnZBQCfZ4FHB7RWVvIk1yY4iYsjUffC 92oAoJDXSUi7TyKBzxviF9SrtfBtlj1t =MT4c -----END PGP SIGNATURE-----

Directory traversal vulnerability in the FTP server on Honeywell Excel Web XL1000C50 52 I/O, XL1000C100 104 I/O, XL1000C500 300 I/O, XL1000C1000 600 I/O, XL1000C50U 52 I/O UUKL, XL1000C100U 104 I/O UUKL, XL1000C500U 300 I/O UUKL, and XL1000C1000U 600 I/O UUKL controllers before 2.04.01 allows remote attackers to read files under the web root, and consequently obtain administrative login access, via a crafted pathname. Honeywell XL Web Controller is a web-based SCADA system

Untrusted search path vulnerability in the Clean Utility application in Rockwell Automation FactoryTalk Services Platform before 2.71.00 and FactoryTalk View Studio 8.00.00 and earlier allows local users to gain privileges via a Trojan horse DLL in an unspecified directory. Supplementary information : CWE Vulnerability type by CWE-426: Untrusted Search Path ( Unreliable search path ) Has been identified. http://cwe.mitre.org/data/definitions/426.htmlLocal users can detect Trojans in unspecified directories DLL You may get permission through. The FactoryTalk Services Platform provides routine services (such as diagnostics, health monitoring services, and real-time data access) for products and applications in the FactoryTalk system. FactoryTalk View Studio is a configuration software for developing or testing machine-level or monitoring management-level Human Machine Interface (HMI) applications. Multiple native code execution vulnerabilities exist in multiple Rockwell Automation product DLL loads. An attacker can exploit arbitrary exploits and system privileges to execute arbitrary code. Failed attempts may lead to denial-of-service conditions. The following products are affected: FactoryTalk Services Platform prior to 2.71.00 FactoryTalk View Studio versions 8.00.00 and prior. A local attacker can use the Trojan horse DLL file to exploit this vulnerability to gain permissions

hosttracker in OpenDaylight l2switch allows remote attackers to change the host location information by spoofing the MAC address, aka "topology spoofing.". OpenDaylight l2switch of hosttracker Contains a vulnerability that changes the location of the host. OpenDaylight l2switch is prone to a security-bypass vulnerability. Successfully exploiting this issue will allow attackers to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks. OpenDaylight is a project of the Linux Foundation in the United States. It is a community-led open source software-defined network framework. It includes a set of modules that can perform network tasks that need to be completed quickly. l2switch is one of the projects that provides layer 2 switch functionality

Multiple cross-site scripting (XSS) vulnerabilities in the Investigative Reports in Websense TRITON AP-WEB before 8.0.0 and Web Security and Filter, Web Security Gateway, and Web Security Gateway Anywhere 7.8.3 before Hotfix 02 and 7.8.4 before Hotfix 01 allow remote attackers to inject arbitrary web script or HTML via the (1) ReportName (Job Name) parameter to the Explorer report scheduler (cgi-bin/WsCgiExplorerSchedule.exe) in the Job Queue or the col parameter to the (2) Names or (3) Anonymous (explorer_wse/explorer_anon.exe) summary report page. TRITON AP-WEB provides real-time protection against advanced threats and data theft for local and remote users; Web Security and Filter (Web security and filtering) prevents network attacks and reduces malware infections. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML. ------------------------------------------------------------------------ Multiple Cross-Site Scripting vulnerabilities in Websense Reporting ------------------------------------------------------------------------ Han Sahin, September 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It has been found that Websense Reporting is affected by multiple Cross-Site Scripting issues. Cross-Site Scripting allows an attacker to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Websense released hotfix 02 for Websense Triton v7.8.4 in which this issue is fixed. More information about this hotfix can be found at the following location: http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions This issue is resolved in TRITON APX Version 8.0. More information about the fixed can be found at the following location: http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140914/multiple_cross_site_scripting_vulnerabilities_in_websense_reporting.html One example of a vulnerable request parameter is the col. Its value is copied into the value of an HTML tag attribute; encapsulated in double quotation marks. The value echoed unmodified (without output encoding) in the application's response. This vulnerability can be reproduced using the following steps: - login into Admin GUI; - open the proof of concept below; - hover over 'Risk Class' in left corner. https://<target>:9443/explorer_wse/explorer_anon.exe?col=a86de%27onmouseover%3d%27alert%28document.cookie%29%27de90f&delAdmin=0&startDate=2014-07-31&endDate=2014-08-01 An attacker must trick victims into opening the attacker's specially crafted link. This is for example possible by sending a victim a link in an email or instant message. Once a victim opens the specially crafted link, arbitrary client-side scripting code will be executed in the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes

The Autonomic Networking Infrastructure (ANI) implementation in Cisco IOS 15.4S and 15.4(3)S allows remote attackers to modify configuration settings or cause a denial of service (partial service outage) by sending crafted Autonomic Networking (AN) messages on an intranet network, aka Bug ID CSCup62167. Cisco IOS is an operating system developed by Cisco Systems for its network devices. An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. This issue is tracked by Cisco Bug ID CSCup62167

The default configuration of Cisco Small Business IP phones SPA 300 7.5.5 and SPA 500 7.5.5 does not properly support authentication, which allows remote attackers to read audio-stream data or originate telephone calls via a crafted XML request, aka Bug ID CSCuo52482. Vendors have confirmed this vulnerability Bug ID CSCuo52482 It is released as.Skillfully crafted by a third party XML Depending on the request, the audio stream data may be read or an outgoing call may be initiated. Cisco Small Business IP phones SPA 300 and SPA 500 are Cisco 300 and SPA 500 series IP telephony products from Cisco. The program failed to set the authentication correctly. An attacker can exploit this issue to gain unauthorized access to the affected devices. This may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCuo52482

Cross-site scripting (XSS) vulnerability in the administration portal in Cisco WebEx Meetings Server 2.5 and 2.5.99.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCuq66737. Vendors have confirmed this vulnerability Bug ID CSCuq66737 It is released as.By any third party Web Script or HTML May be inserted. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCuq66737. Cisco WebEx Meetings Server (CWMS) is a set of multi-functional conference solutions including audio, video and Web conference in Cisco's WebEx conference solution. The administration portal page of CWMS version 2.5 and version 2.5.99.2 has a cross-site scripting vulnerability, which is caused by the program not adequately filtering the input submitted by the user

The DNS implementation in Cisco Videoscape Distribution Suite for Internet Streaming (VDS-IS) 3.2(1) allows remote attackers to cause a denial of service (CPU consumption and network-resource consumption) via crafted packets, aka Bug ID CSCun15911. Cisco Internet Streamer for VideoScape Delivery System is prone to a remote denial-of-service vulnerability. A remote attacker may exploit this issue to trigger denial-of-service condition due to excessive CPU and network resource utilization. This issue is being tracked by Cisco Bug ID CSCun15911 . The solution supports streaming media live broadcast, dynamic acquisition of content library and content caching, etc. A security vulnerability exists in the DNS implementation of Cisco VDS-IS version 3.2(1)