VARIoT IoT vulnerabilities database

VAR-201412-0599 CVE-2014-7256 SEIL Series routers vulnerable to denial-of-service (DoS)

Related entries in the VARIoT exploits database: VAR-E-201412-0380
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The (1) PPP Access Concentrator (PPPAC) and (2) Dial-Up Networking components of Internet Initiative Japan Inc. SEIL series routers SEIL/x86 Fuji 1.00 through 3.22; SEIL/X1, SEIL/X2, and SEIL/B1 1.00 through 4.62; SEIL/Turbo 1.82 through 2.18; and SEIL/neu 2FE Plus 1.82 through 2.18 allow remote attackers to cause a denial of service (restart) via crafted (a) GRE or (b) MPPE packets. These SEIL series routers contain a denial-of-service (DoS) vulnerability due to an issue in processing certain packets (CWE-119). Note that this vulnerability is different from JVN#21907573. By receiving a specially crafted packet, the device may be rebooted. SEIL is a series of router devices. SEIL Series Routers are prone to multiple remote denial-of-service vulnerabilities. Affected SEIL routers: SEIL/x86 Fuji Version 1.00 to Version 3.22; SEIL/X1, SEIL/X2, SEIL/B1 Version 1.00 to Version 4.62; SEIL/Turbo Version 1.82 to Version 2.18; SEIL/X1 neu 2FE Plus version 1.82 to version 2.18.
VAR-201412-0588 CVE-2014-7251 Yokogawa FAST/TOOLS XML External entity injection vulnerability

Related entries in the VARIoT exploits database: VAR-E-201411-0147
CVSS V2: 3.2
CVSS V3: -
Severity: LOW
XML external entity (XXE) vulnerability in the WebHMI server in Yokogawa Electric Corporation FAST/TOOLS before R9.05-SP2 allows local users to cause a denial of service (CPU or network traffic consumption) or read arbitrary files via unspecified vectors. FAST/TOOLS provided by Yokogawa Electric Corporation contains a vulnerability where XML external entity (XXE) references are not properly restricted (CWE-611). Timur Yunusov, Alexey Osipov and Ilya Karpov of Positive Technologies reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. When opening a project with a specially crafted XML file, information managed by the product may be disclosed or may become a victim of a denial-of-service (DoS). The FAST/TOOLS software package is a distributed data acquisition and monitoring (SCADA) system. Yokogawa FAST/TOOLS has an XML external entity injection vulnerability that an attacker can exploit to obtain sensitive information or initiate a denial of service attack. This may lead to further attacks. Yokogawa FAST/TOOLS R9.01 through R9.05 are vulnerable. The system provides functions such as real-time event manager, data alarm management, data report and trend graph.
VAR-201501-0592 CVE-2014-10028 D-Link DAP-1360 Router firmware cross-site scripting vulnerability

CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in D-Link DAP-1360 router with firmware 2.5.4 and later allows remote attackers to inject arbitrary web script or HTML via the res_buf parameter to index.cgi when res_config_id is set to 41. D-Link DAP-1360 'index.cgi' has multiple cross-site request forgery vulnerabilities. An attacker can exploit a vulnerability to perform certain unauthorized actions. The D-Link DAP-1360 is a wireless router. D-Link DAP-1360 'index.cgi' has an HTML injection vulnerability. An attacker can exploit a vulnerability to execute arbitrary scripts or HTML code in the context of a browser, stealing cookie-based authentication credentials. Other attacks are also possible. D-Link DAP-1360 firmware version 1.0.0 is vulnerable; other versions may also be affected. D-Link DAP-1360 is a wireless access point (AP) product of D-Link.
VAR-201411-0459 CVE-2014-8551 Siemens SIMATIC WinCC/PCS 7 Arbitrary code execution vulnerability

CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to execute arbitrary code via crafted packets. Siemens SIMATIC WinCC is a SCADA (supervisory control and data acquisition) and HMI (human-machine interface) system. Siemens SIMATIC WinCC, SIMATIC PCS 7 and TIA Portal (Botu) are all industrial automation products of the German company Siemens. SIMATIC WinCC is an automated data acquisition and monitoring (SCADA) system; SIMATIC PCS 7 is a distributed process control system using WinCC; TIA Portal is a software platform for rapidly developing and debugging automation systems. The WinCC server is an option for WinCC that can operate multiple operator and monitoring stations in the network connected to the automation system. There are security vulnerabilities in the WinCC server of several Siemens products.
VAR-201411-0460 CVE-2014-8552 Siemens SIMATIC WinCC/PCS 7 Directory Traversal Vulnerability

CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to read arbitrary files via crafted packets. Siemens SIMATIC WinCC is a SCADA (supervisory control and data acquisition) and HMI (human-machine interface) system. Siemens SIMATIC WinCC, SIMATIC PCS 7 and TIA Portal (Botu) are all industrial automation products of the German company Siemens. SIMATIC WinCC is an automated data acquisition and monitoring (SCADA) system; SIMATIC PCS 7 is a distributed process control system using WinCC; TIA Portal is a software platform for rapidly developing and debugging automation systems. The WinCC server is an option for WinCC that can operate multiple operator and monitoring stations in the network connected to the automation system. There are security vulnerabilities in the WinCC server of several Siemens products.
VAR-201411-0044 CVE-2014-3407 Cisco Adaptive Security Appliance Software SSL VPN implementation denial-of-service (DoS) vulnerability

CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 9.3(.2) and earlier does not properly allocate memory blocks during HTTP packet handling, which allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCuq68888. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCuq68888. A third party may cause a denial of service (memory consumption) via a crafted packet. Cisco Adaptive Security Appliance (ASA) Software is prone to a denial-of-service vulnerability. An attacker can exploit this issue to exhaust available memory, denying service to legitimate users. This issue is tracked by Cisco Bug ID CSCuq68888. The vulnerability originates from the incorrect allocation of memory blocks when the program processes HTTP packets.
VAR-201411-0386 CVE-2014-8425 Arris VAP2500 Remote Information Disclosure Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201411-0043
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to obtain credentials by reading the configuration files. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of access to the management portal. The issue lies in the failure to restrict access to configuration files. An attacker can leverage this vulnerability to leak credentials which can then be chained to execute code with root privileges. The Arris VAP2500 is a wireless access device from Arris, USA. An information disclosure vulnerability exists in Arris VAP2500. There is a security vulnerability in the management portal in the ARRIS VAP2500 with firmware 08.41 and earlier.
VAR-201411-0385 CVE-2014-8424 ARRIS VAP2500 authentication bypass vulnerability

Related entries in the VARIoT exploits database: VAR-E-201411-0043
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of user authentication. The issue lies in the failure to compare the password when authenticating. An attacker can leverage this vulnerability to bypass authentication checks which can then be chained to execute code with root privileges. The Arris VAP2500 is a wireless access device from Arris, USA. Arris VAP2500 is prone to an authentication-bypass vulnerability.
VAR-201411-0384 CVE-2014-8423 ARRIS VAP2500 management portal arbitrary command execution vulnerability

Related entries in the VARIoT exploits database: VAR-E-201411-0043
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors. Supplementary information: the vulnerability type has been identified as CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), http://cwe.mitre.org/data/definitions/74.html. An arbitrary command may be executed by a third party. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of access to the management portal. The issue lies in the ability to execute arbitrary commands without any sanitization. An attacker can leverage this vulnerability to execute code with root privileges. The Arris VAP2500 is a wireless access device from Arris, USA.
VAR-201501-0575 CVE-2014-10011 TRENDnet TV-IP422WN 'UltraCamX.ocx' Multiple Stack Buffer Overflow Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-201411-0424
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Stack-based buffer overflow in UltraCamLib in the UltraCam ActiveX Control (UltraCamX.ocx) for the TRENDnet SecurView camera TV-IP422WN allows remote attackers to execute arbitrary code via a long string to the (1) CGI_ParamSet, (2) OpenFileDlg, (3) SnapFileName, (4) Password, (5) SetCGIAPNAME, (6) AccountCode, or (7) RemoteHost function. TRENDnet TEW-818DRU is a routing device. TRENDnet TV-IP422WN 'UltraCamX.ocx' has multiple stack buffer overflow vulnerabilities because it does not properly check user-supplied data before copying it into an insufficiently sized memory buffer. An attacker could exploit these vulnerabilities to execute arbitrary code in the context of an affected application. Failed exploit attempts will result in denial-of-service conditions. SecurView Wireless N Day/Night Pan/Tilt Internet Camera is a powerful dual-codec wireless network camera with a 2-way audio function that provides high-quality image and on-the-spot audio via the Internet connection. The UltraCam ActiveX Control 'UltraCamX.ocx' suffers from a stack buffer overflow vulnerability when parsing a large amount of bytes passed to several functions in UltraCamLib, resulting in memory corruption overwriting several registers including the SEH.
An attacker can gain access to the system of the affected node and execute arbitrary code.

--------------------------------------------------------------------------------

0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0 mov ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141

--------------------------------------------------------------------------------

Tested on: Microsoft Windows 7 Professional SP1 (EN). TRENDnet SecurView camera TV-IP422WN is a wireless IP camera product from TRENDnet. UltraCam ActiveX Control (UltraCamX.ocx) is one of the digital aerial camera controls.
VAR-201411-0255 CVE-2014-8005 Cisco IOS XR lighttpd module on Network Convergence System 6000 devices denial-of-service (DoS) vulnerability

CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Race condition in the lighttpd module in Cisco IOS XR 5.1 and earlier on Network Convergence System 6000 devices allows remote attackers to cause a denial of service (process reload) by establishing many TCP sessions, aka Bug ID CSCuq45239. Cisco IOS XR is a fully modular, distributed network operating system from Cisco's IOS software family. This issue is being tracked by Cisco Bug ID CSCuq45239. Lighttpd is one of the web server modules.
VAR-201411-0252 CVE-2014-8001 Cisco OpenH264 decode.cpp buffer overflow vulnerability

CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in decode.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file. The specific flaw exists within the decoder logic. By providing malformed H.264 data to the decoder, an attacker can overwrite a heap buffer. This could result in the execution of arbitrary code in the context of the application. Cisco OpenH264 is prone to multiple buffer-overflow vulnerabilities because it fails to properly bounds-check user-supplied input. Cisco OpenH264 1.0.0, 1.1.1, and 1.2.2 are vulnerable. Cisco OpenH264 is an open source H.264 (video codec technology) encoder and decoder from Cisco.
VAR-201411-0253 CVE-2014-8002 Cisco OpenH264 decode_slice.cpp arbitrary code execution vulnerability

CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Use-after-free vulnerability in decode_slice.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file. By providing malformed H.264 data to the decoder, an attacker can force a dangling pointer to be referenced after it has been freed. Cisco OpenH264 is prone to a memory corruption vulnerability. Cisco OpenH264 1.0.0, 1.1.1, and 1.2.2 are vulnerable. Cisco OpenH264 is an open source H.264 (video codec technology) encoder and decoder from Cisco.
VAR-201412-0174 CVE-2014-4880 Hikvision DVR DS-7204 Firmware buffer overflow vulnerability

CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in Hikvision DVR DS-7204 Firmware 2.2.10 build 131009, and other models and versions, allows remote attackers to execute arbitrary code via an RTSP PLAY request with a long Authorization header. The Hikvision DVR is a hard disk recorder. Hikvision DVR DS-7204 has a remote buffer overflow vulnerability because it fails to adequately check the boundaries of user-supplied data. An attacker could exploit this vulnerability to execute arbitrary code in the context of an affected device. Failed exploit attempts may result in a denial-of-service condition. Hikvision DVR DS-7204 running firmware 2.2.10 is vulnerable; other devices may also be affected.
VAR-201411-0254 CVE-2014-8004 Cisco IOS XR Software LISP TCP Session Denial of Service Vulnerability

CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco IOS XR allows remote attackers to cause a denial of service (LISP process reload) by establishing many LISP TCP sessions, aka Bug ID CSCuq90378. Cisco IOS XR is a fully modular, distributed network operating system from Cisco's IOS software family. This issue is being tracked by Cisco Bug ID CSCuq90378.
VAR-201411-0382 CVE-2014-8419 Wibu-Systems CodeMeter Local Privilege Escalation Vulnerability

CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Wibu-Systems CodeMeter Runtime before 5.20 uses weak permissions (read and write access for all users) for codemeter.exe, which allows local users to gain privileges via a Trojan horse file. Wibu-Systems CodeMeter is a hardware-based software, file, access and media protection solution. CodeMeter has a local privilege escalation vulnerability that local attackers can exploit to execute arbitrary code with system privileges. CodeMeter is prone to a local privilege-escalation vulnerability.

CodeMeter Weak Service Permissions
Vendor Website : http://www.codemeter.com

INDEX
---------------------------------------
1. Background
2. Description
3. Affected Products
4. Solution
6. Credit
7. Disclosure Timeline
8. CVE

1. BACKGROUND
---------------------------------------
CodeMeter from Wibu-Systems provides maximum protection against software piracy and is bundled with multiple open-source products.

2. DESCRIPTION
---------------------------------------
When the CodeMeter runtime is installed on a Microsoft Windows operating system, it creates a service named "codemeter.exe". When installed with the default settings, this service allows Read/Write access to any user, meaning any user can modify the location of the binary executed by the service with SYSTEM privileges. It should be noted that this vulnerability is not present in the most recent version of Codemeter runtime (currently 5.20).

3. AFFECTED PRODUCTS
---------------------------------------
Only the following versions have been confirmed vulnerable:
CodeMeter Runtime 4.50b
CodeMeter Runtime 4.40
CodeMeter Runtime 4.20b

4. VULNERABILITIES
---------------------------------------
4.1 codemeter.exe

5. SOLUTION
---------------------------------------
Vendor contacted and approved for disclosure as most recent version is not vulnerable.

6. CREDIT
---------------------------------------
This vulnerability was discovered by Andrew Smith and Matt Smith of Sword & Shield Enterprise Security.

7. DISCLOSURE TIMELINE
---------------------------------------
7-16-2014 - Vulnerability Discovered
8-11-2014 - Vendor Informed
11-20-2014 - Public Disclosure

8. CVE
---------------------------------------
CVE-2014-8419
VAR-201412-0139 CVE-2014-9350 TP-Link TL-WR740N 'PingIframeRpm.htm' Denial of Service Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201411-0073
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm. Supplementary information: the vulnerability type has been identified as CWE-19: Data Handling, http://cwe.mitre.org/data/definitions/19.html. A third party may cause a denial of service (httpd crash). The TP-LINK TL-WR740N is a wireless router device. TP-Link TL-WR740N is prone to a denial-of-service vulnerability. The TL-WR740N is a combined wired/wireless network connection device integrating an Internet-sharing router and a 4-port switch. The wireless N router is 802.11b&g compatible, based on 802.11n technology, and gives you 802.11n performance up to 150Mbps at an even more affordable price. Bordering on 11n and surpassing 11g speed enables high-bandwidth-consuming applications like video streaming to be more fluid. The TP-Link WR740N Wireless N Router network device is exposed to a denial of service vulnerability when processing an HTTP GET request. This issue occurs when the web server (httpd) fails to handle an HTTP GET request over the default TCP port 80. Resending the value 'new' in the 'isNew' parameter of the 'PingIframeRpm.htm' script to the router through a proxy will crash its httpd service, denying legitimate users access to the admin control panel management interface. To bring back the HTTP server and the admin UI, a user must physically reboot the router. Tested on: Router Webserver. A security vulnerability exists in the PingIframeRpm.htm script of TP-LINK TL-WR740N. The following versions are affected: TP-LINK TL-WR740N version 4 using firmware versions 3.17.0 Build 140520, 3.16.6 Build 130529 and 3.16.4 Build 130205.
VAR-201411-0508 No CVE Netgear WNR500 Router 'webproc' local file inclusion vulnerability

CVSS V2: -
CVSS V3: -
Severity: (3/5)
Netgear WNR500 is a wireless router product from NetGear. A local file inclusion vulnerability exists in the Netgear WNR500 router, caused by the program's insufficient filtering of user-submitted input. An attacker could use this vulnerability to obtain sensitive information and execute arbitrary local scripts to control applications and computers. The vulnerability affects Netgear WNR500 using firmware version 1.0.7.2; other versions may also be affected. This could allow the attacker to compromise the application and the computer; other attacks are also possible. It is a simple, secure way to share your Internet connection and allows you to easily surf the Internet, use email, and have online chats. The quick, CD-less setup can be done through a web browser. The small, efficient design fits perfectly into your home. The router suffers from an authenticated local file inclusion (LFI) vulnerability when input passed through the 'getpage' parameter to the 'webproc' script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks. Tested on: mini_httpd/1.19 19dec2003.
VAR-201411-0383 CVE-2014-8420 Multiple Dell SonicWALL products ViewPoint web application arbitrary code execution vulnerability

CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
The ViewPoint web application in Dell SonicWALL Global Management System (GMS) before 7.2 SP2, SonicWALL Analyzer before 7.2 SP2, and SonicWALL UMA before 7.2 SP2 allows remote authenticated users to execute arbitrary code via unspecified vectors. Authentication is required to exploit this vulnerability. The specific flaw exists within the GMS ViewPoint (GMSVP) web application. The issue lies in the handling of configuration input due to a failure to safely sanitize user data before executing a command. An attacker could leverage this vulnerability to execute code with root privileges on the underlying operating system. Multiple Dell SonicWALL Products are prone to multiple remote code-execution vulnerabilities. Successful exploitation can completely compromise the vulnerable device. GMS is a global management system for rapid deployment and centralized management of SonicWALL infrastructure. Analyzer is a set of network analyzer software for SonicWALL infrastructure. UMA is a set of universal management device software.
VAR-201412-0396 CVE-2014-9135 Huawei P7-L10 'PackageInstaller' Module Remote Security Bypass Vulnerability

CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The PackageInstaller module in Huawei P7-L10 smartphones before V100R001C00B136 allows remote attackers to spoof the origin website and bypass the website whitelist protection mechanism via a crafted package. Huawei P7-L10 is a mobile phone developed by Huawei. Huawei P7-L10 has a security bypass vulnerability that an attacker can use to bypass certain security restrictions and perform unauthorized operations. Huawei P7-L10 is prone to a remote security-bypass vulnerability. This may aid in further attacks. The Huawei P7 is a smartphone from the Chinese company Huawei. Security vulnerabilities exist in the PackageInstaller module of Huawei P7-L10 smartphones in versions earlier than V100R001C00B136.