VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-201406-0393 CVE-2014-2151 Cisco Adaptive Security Appliance Software WebVPN Vulnerability in which important information is obtained in the portal CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
The WebVPN portal in Cisco Adaptive Security Appliance (ASA) Software 8.4(.7.15) and earlier allows remote authenticated users to obtain sensitive information via a crafted JavaScript file, aka Bug ID CSCui04520. An attacker can leverage this issue to obtain sensitive information that may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCui04520
VAR-201408-0027 CVE-2013-5759 Yealink VoIP Phone SIP-T38G Privilege Escalation Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201406-0216, VAR-E-201406-0217
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2013-5758. Reason: This candidate is not an independent vulnerability; it is resultant from CVE-2013-5758. Notes: All CVE users should reference CVE-2013-5758 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Yealink VoIP Phone SIP-T38G is an enterprise HD IP phone. Yealink VoIP Phone SIP-T38G has a privilege escalation vulnerability that can be exploited by remote attackers to gain elevated privileges
VAR-201406-0182 CVE-2014-1652 Symantec Web Gateway contains SQL injection and cross-site scripting vulnerabilities CVSS V2: 2.3
CVSS V3: -
Severity: LOW
Multiple cross-site scripting (XSS) vulnerabilities in the management console in Symantec Web Gateway (SWG) before 5.2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified report parameters. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more
VAR-201406-0099 CVE-2014-2004 SEIL Series routers vulnerable to denial-of-service (DoS) CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The PPP Access Concentrator (PPPAC) on SEIL SEIL/x86 routers 1.00 through 3.10, SEIL/X1 routers 1.00 through 4.50, SEIL/X2 routers 1.00 through 4.50, SEIL/B1 routers 1.00 through 4.50, SEIL/Turbo routers 1.80 through 2.17, and SEIL/neu 2FE Plus routers 1.80 through 2.17 allows remote attackers to cause a denial of service (session termination or concentrator outage) via a crafted TCP packet. The PPP Access Concentrator (PPPAC) in SEIL Series routers provided by Internet Initiative Japan Inc. contain a denial-of-service (DoS) vulnerability due to an issue in processing certain packets. (CWE-119)By receiving a specially crafted TCP packet, a session established using PPPAC may be disconnected or stop accepting connections. SEIL is a series of router devices. SEIL Series Routers are prone to a remote denial-of-service vulnerability. An attacker can leverage this issue to cause denial-of-service conditions; denying service to legitimate users. The following are vulnerable: SEIL/x86 1.00 to 3.10 SEIL/X1 1.00 to 4.50 SEIL/X2 1.00 to 4.50 SEIL/B1 1.00 to 4.50 SEIL/Turbo 1.80 to 2.17 SEIL/neu 2FE Plus 1.80 to 2.17. The following router products are affected: SEIL SEIL/x86 Routers Versions 1.00 to 3.10, SEIL/X1 Routers Versions 1.00 to 4.50, SEIL/X2 Routers Versions 1.00 to 4.50, SEIL/B1 Routers Versions 1.00 to 4.50, SEIL/Turbo Routers 1.80 to 2.17 Version, SEIL/neu 2FE Plus router version 1.80 to 2.17
VAR-201406-0373 CVE-2014-3812 Juniper Junos Pulse Secure Access Service Device IVE OS and Junos Pulse Access Control Service Vulnerability in which important information is obtained CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Juniper Junos Pulse Secure Access Service (SSL VPN) devices with IVE OS before 7.4r5 and 8.x before 8.0r1 and Junos Pulse Access Control Service (UAC) before 4.4r5 and 5.x before 5.0r1 enable cipher suites with weak encryption algorithms, which make it easier for remote attackers to obtain sensitive information by sniffing the network. Successfully exploiting this issue in conjunction with other latent vulnerabilities may allow attackers to gain access to sensitive information that may aid in further attacks. The former is a client that supports remote and mobile users to access corporate resources with various Web devices. The latter is a standards-based, scalable network access control solution. A remote attacker could exploit this vulnerability to obtain sensitive information by sniffing the network
VAR-201408-0025 CVE-2013-5757 Yealink VoIP Phone SIP-T38G Vulnerable to absolute path traversal

Related entries in the VARIoT exploits database: VAR-E-201406-0112
CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx. Yealink VoIP Phone SIP-T38G is an enterprise HD IP phone. Yealink VoIP Phone SIP-T38G 'cgiServer.exx' has a file containing vulnerability. Since the Yealink VoIP Phone SIP-T38G 'cgiServer.exx' failed to properly filter the user-submitted input, the remote attacker was allowed to exploit the vulnerability to submit a special request to view the system file contents with WEB permissions. Yealink VoIP Phone SIP-T38G is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these issues using directory-traversal strings to view files and execute local script code in the context of the web server process. This may allow the attacker to compromise the application; other attacks are also possible
VAR-201408-0024 CVE-2013-5756 Yealink VoIP Phone SIP-T38G Vulnerable to directory traversal

Related entries in the VARIoT exploits database: VAR-E-201406-0112
CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a .. (dot dot) in the page parameter to cgi-bin/cgiServer.exx. Yealink VoIP Phone SIP-T38G is an enterprise HD IP phone. Yealink VoIP Phone SIP-T38G 'cgiServer.exx' has a file containing vulnerability. Since the Yealink VoIP Phone SIP-T38G 'cgiServer.exx' failed to properly filter the user-submitted input, the remote attacker was allowed to exploit the vulnerability to submit a special request to view the system file contents with WEB permissions. Yealink VoIP Phone SIP-T38G is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these issues using directory-traversal strings to view files and execute local script code in the context of the web server process. This may allow the attacker to compromise the application; other attacks are also possible
VAR-201408-0026 CVE-2013-5758 Yealink VoIP Phone SIP-T38G of cgi-bin/cgiServer.exx Vulnerable to arbitrary command execution

Related entries in the VARIoT exploits database: VAR-E-201406-0216, VAR-E-201406-0217
CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
cgi-bin/cgiServer.exx in Yealink VoIP Phone SIP-T38G allows remote authenticated users to execute arbitrary commands by calling the system method in the body of a request, as demonstrated by running unauthorized services, changing directory permissions, and modifying files. Yealink VoIP Phone SIP-T38G is an enterprise HD IP phone. The remote attacker is allowed to exploit the vulnerability to submit a special request and execute arbitrary commands with WEB privileges because the user-submitted input is not properly filtered. An attacker may leverage this issue to execute arbitrary commands in the context of the affected application
VAR-201406-0490 No CVE Parallels Plesk Panel XML External entity injection vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Parallels Plesk Panel is a host control panel solution from Parallels, USA. The solution supports web tools, built-in virtualization, customer experience, and more. An XML external entity injection vulnerability exists in Parallels Plesk Panel. An attacker could use this vulnerability to obtain sensitive information. Vulnerabilities exist in Parallels Plesk Panel 10.4.4 and 11.0.9. Other versions may also be affected. Attackers can exploit these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks
VAR-201407-0011 CVE-2013-5755 Yealink IP Phone SIP-T38G of config/.htpasswd Vulnerabilities that gain access

Related entries in the VARIoT exploits database: VAR-E-201406-0133
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
config/.htpasswd in Yealink IP Phone SIP-T38G has a hardcoded password of (1) user (s7C9Cx.rLsWFA) for the user account, (2) admin (uoCbM.VEiKQto) for the admin account, and (3) var (jhl3iZAe./qXM) for the var account, which makes it easier for remote attackers to obtain access via unspecified vectors. Yealink VoIP Phone SIP-T38G is an enterprise HD IP phone. Yealink VoIP Phone SIP-T38G has a security credential security bypass vulnerability. The Yealink VoIP Phone SIP-T38G WEB interface uses authentication credentials in /config/.htpasswd, such as: user:user, admin:admin, var:var, to allow attacks. These credentials are used for unauthorized access. Successful attacks can allow a remote attacker to gain access to the vulnerable device
VAR-201406-0374 CVE-2014-3813 Juniper Networks NetScreen Firewall Product ScreenOS Service disruption in (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the Juniper Networks NetScreen Firewall products with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via vectors related to a DNS lookup. Multiple Juniper NetScreen Firewall products are prone to a denial-of-service vulnerability. Successfully exploiting this issue may allow an attacker to cause denial-of-service conditions
VAR-201407-0034 CVE-2014-3427 Yealink VoIP Phone In the firmware CRLF Injection vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
CRLF injection vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the model parameter to servlet. Yealink VoIP Phone The firmware of CRLF An injection vulnerability exists. Supplementary information : CWE Vulnerability type by CWE-93: Improper Neutralization of CRLF Sequences (CRLF injection ) Has been identified. Yealink VoIP Phones are prone to an HTTP-response-splitting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust. Yealink VoIP Phones are IP phone products of China YeaLink Company. The product supports caller avatar display, call recording and anonymous calling, etc. I. BACKGROUND Yealink is a manufacturer of VoIP and Video products. To minimize noise read more at: http://www.yealink.com/Companyprofile.aspx III. Validated on Firmware Version 28.72.0.2 Hardware Version 28.2.0.128.0.0.0 CRLF Injection (Header Splitting) proof of concept: Request GET /servlet?linepage=1&model=%0d%0a%20 ANYTHING I WANT GOES HERE &p=dsskey&q=load HTTP/1.1 In the above request, attackers can shove in code, webpages, etc. In my tests, I have used javascript, redirects, and even an entire web page shoved into the CRLF vulnerable inputs. ----- The XSS vulnerability GET /servlet?jumpto=dsskey&model=%22%20onmouseover%3dprompt%28 1337 %29%20badpuppy%3d%22&p=login&q=loginForm HTTP/1.1 Typical Cross Site Scripting. IV. SOLUTION Minimize accessibility to the phone's interface. V. VENDOR CONTACT AND RESPONSE 05/08/2014 E-mailed security@yealink.com (bounced) 05/08/2014 Created an account on Yealink's forum and sent message (no response for weeks) 05/26/2014 Response via e-mail from Yealink 05/26/2014 Replied to vendor I would disclose in June 06/01/2014 Reached back out to vendor for update 06/08/2014 Reached back out to vendor for update 06/11/2014 Rouched out one last time... Crickets 06/12/2014 Advisory VI. TOOLS USED Burpsuite, WVS, Firefox -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
VAR-201406-0123 CVE-2014-3428 Yealink VoIP Phone Firmware cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Yealink VoIP Phones firmware 28.72.0.2 and hardware 28.2.0.128.0.0.0 are vulnerable; other versions may also be affected. Yealink VoIP P are IP phone products of China YeaLink Company. The product supports caller avatar display, call recording and anonymous calling, etc. I. ADVISORY CVE-2014-3427 CRLF Injection in Yealink VoIP Phones CVE-2014-3428 XSS vulnerabilities in Yealink VoIP Phones Date published: 06/12/2014 Vendor Contacted: 05/08/2014 II. BACKGROUND Yealink is a manufacturer of VoIP and Video products. To minimize noise read more at: http://www.yealink.com/Companyprofile.aspx III. DESCRIPTION There are CRLF Injection and XSS vulnerabilities in Yealink VoIP telephones. Validated on Firmware Version 28.72.0.2 Hardware Version 28.2.0.128.0.0.0 CRLF Injection (Header Splitting) proof of concept: Request GET /servlet?linepage=1&model=%0d%0a%20 ANYTHING I WANT GOES HERE &p=dsskey&q=load HTTP/1.1 In the above request, attackers can shove in code, webpages, etc. In my tests, I have used javascript, redirects, and even an entire web page shoved into the CRLF vulnerable inputs. ----- The XSS vulnerability GET /servlet?jumpto=dsskey&model=%22%20onmouseover%3dprompt%28 1337 %29%20badpuppy%3d%22&p=login&q=loginForm HTTP/1.1 Typical Cross Site Scripting. IV. SOLUTION Minimize accessibility to the phone's interface. V. VENDOR CONTACT AND RESPONSE 05/08/2014 E-mailed security@yealink.com (bounced) 05/08/2014 Created an account on Yealink's forum and sent message (no response for weeks) 05/26/2014 Response via e-mail from Yealink 05/26/2014 Replied to vendor I would disclose in June 06/01/2014 Reached back out to vendor for update 06/08/2014 Reached back out to vendor for update 06/11/2014 Rouched out one last time... Crickets 06/12/2014 Advisory VI. TOOLS USED Burpsuite, WVS, Firefox -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
VAR-201406-0307 CVE-2014-3290 Cisco IOS XE of mDNS Vulnerability in obtaining important network service information in the implementation of CVSS V2: 4.8
CVSS V3: -
Severity: MEDIUM
The mDNS implementation in Cisco IOS XE 3.12S does not properly interact with autonomic networking, which allows remote attackers to obtain sensitive networking-services information by sniffing the network or overwrite networking-services data via a crafted mDNS response, aka Bug ID CSCun64867. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Cisco Autonomic Networking infrastructure is prone to a security-bypass vulnerability. An attacker can leverage this issue to perform unauthorized actions and obtain sensitive information that may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCun64867. The vulnerability stems from the fact that the program does not properly restrict mDNS from handling autonomous networks
VAR-201406-0507 No CVE Xml eXternal Entity Vulnerability in XML link function of Hitachi COBOL2002 CVSS V2: 4.0
CVSS V3: -
Severity: Medium
XML link function of Hitachi COBOL2002 contains vulnerabilities to conduct information leakage or cause a denial of service (DoS) condition.A remote attacker could conduct information leakage or cause a denial of service (DoS) condition via untrusted XML document loading unexpected external entities.
VAR-201406-0392 CVE-2014-2176 ASR 9000 Runs on the device Cisco IOS XR Service disruption in (DoS) Vulnerabilities CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Cisco IOS XR 4.1.2 through 5.1.1 on ASR 9000 devices, when a Trident-based line card is used, allows remote attackers to cause a denial of service (NP chip and line card reload) via malformed IPv6 packets, aka Bug ID CSCun71928. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Cisco IOS XR Software for ASR 9000 Series Aggregation Services Routers have security vulnerabilities in resolving malformed IPv6 packets. Cisco IOS XR is prone to a remote denial-of-service vulnerability. This issue is being tracked by Cisco Bug ID CSCun71928
VAR-201406-0375 CVE-2014-3814 Juniper Networks NetScreen Firewall Product ScreenOS Service disruption in (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP. Juniper NetScreen Firewall is prone to a denial-of-service vulnerability. Successful exploits may allow the attacker to cause denial-of-service conditions. Juniper NetScreen Firewall 3.0 is vulnerable; other versions may also be affected
VAR-201406-0311 CVE-2014-3295 Cisco NX-OS Software HSRP Packet Parsing Denial of Service Vulnerability CVSS V2: 4.8
CVSS V3: -
Severity: MEDIUM
The HSRP implementation in Cisco NX-OS 6.2(2a) and earlier allows remote attackers to bypass authentication and cause a denial of service (group-member state modification and traffic blackholing) via malformed HSRP packets, aka Bug ID CSCup11309. Vendors have confirmed this vulnerability Bug ID CSCup11309 It is released as.Malformed by a third party HSRP Authentication is avoided and service operation is interrupted via packets. ( Group member state changes and traffic black holes ) There is a possibility of being put into a state. Cisco NX-OS is a data center-level operating system. An attacker could exploit this vulnerability to bypass authentication and convert the status of a group member to SPEAK, causing a denial of service. An attacker can leverage this issue to cause a denial-of-service condition; denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCup11309
VAR-201406-0305 CVE-2014-3287 Cisco Unified Communications Domain Manager of Java In the interface SQL Injection vulnerability CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
SQL injection vulnerability in BulkViewFileContentsAction.java in the Java interface in Cisco Unified Communications Manager (Unified CM) allows remote authenticated users to execute arbitrary SQL commands via crafted filename parameters in a URL, aka Bug ID CSCuo17337. An authenticated attacker can leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. This issue is tracked by Cisco Bug ID CSCuo17337. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution
VAR-201406-0310 CVE-2014-3294 Cisco WebEx Meeting Server Vulnerability in which important information is obtained CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Cisco WebEx Meeting Server does not properly restrict the content of URLs, which allows remote authenticated users to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history, aka Bug ID CSCuj81691. Cisco WebEx Meeting Server Is URL There is a vulnerability that can retrieve important information because it does not properly limit the content of. Cisco WebEx Meetings Server is a Cisco Conference Center implementation from Cisco. An attacker can leverage this issue to obtain sensitive information that may aid in further attacks. This issue is being tracked by Cisco bug ID CSCuj81691. Cisco WebEx Meeting Server is a set of multi-functional conference solutions including audio, video and Web conference in Cisco's WebEx conference solution