VARIoT IoT vulnerabilities database
| VAR-201406-0393 | CVE-2014-2151 | Cisco Adaptive Security Appliance Software WebVPN Vulnerability in which important information is obtained in the portal |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The WebVPN portal in Cisco Adaptive Security Appliance (ASA) Software 8.4(.7.15) and earlier allows remote authenticated users to obtain sensitive information via a crafted JavaScript file, aka Bug ID CSCui04520.
An attacker can leverage this issue to obtain sensitive information that may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCui04520
| VAR-201408-0027 | CVE-2013-5759 |
Yealink VoIP Phone SIP-T38G Privilege Escalation Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201406-0216, VAR-E-201406-0217 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2013-5758. Reason: This candidate is not an independent vulnerability; it is resultant from CVE-2013-5758. Notes: All CVE users should reference CVE-2013-5758 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Yealink VoIP Phone SIP-T38G is an enterprise HD IP phone. Yealink VoIP Phone SIP-T38G has a privilege escalation vulnerability that can be exploited by remote attackers to gain elevated privileges
| VAR-201406-0182 | CVE-2014-1652 | Symantec Web Gateway contains SQL injection and cross-site scripting vulnerabilities |
CVSS V2: 2.3 CVSS V3: - Severity: LOW |
Multiple cross-site scripting (XSS) vulnerabilities in the management console in Symantec Web Gateway (SWG) before 5.2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified report parameters.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more
| VAR-201406-0099 | CVE-2014-2004 | SEIL Series routers vulnerable to denial-of-service (DoS) |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The PPP Access Concentrator (PPPAC) on SEIL SEIL/x86 routers 1.00 through 3.10, SEIL/X1 routers 1.00 through 4.50, SEIL/X2 routers 1.00 through 4.50, SEIL/B1 routers 1.00 through 4.50, SEIL/Turbo routers 1.80 through 2.17, and SEIL/neu 2FE Plus routers 1.80 through 2.17 allows remote attackers to cause a denial of service (session termination or concentrator outage) via a crafted TCP packet. The PPP Access Concentrator (PPPAC) in SEIL Series routers provided by Internet Initiative Japan Inc. contain a denial-of-service (DoS) vulnerability due to an issue in processing certain packets. (CWE-119)By receiving a specially crafted TCP packet, a session established using PPPAC may be disconnected or stop accepting connections. SEIL is a series of router devices. SEIL Series Routers are prone to a remote denial-of-service vulnerability.
An attacker can leverage this issue to cause denial-of-service conditions; denying service to legitimate users.
The following are vulnerable:
SEIL/x86 1.00 to 3.10
SEIL/X1 1.00 to 4.50
SEIL/X2 1.00 to 4.50
SEIL/B1 1.00 to 4.50
SEIL/Turbo 1.80 to 2.17
SEIL/neu 2FE Plus 1.80 to 2.17. The following router products are affected: SEIL SEIL/x86 Routers Versions 1.00 to 3.10, SEIL/X1 Routers Versions 1.00 to 4.50, SEIL/X2 Routers Versions 1.00 to 4.50, SEIL/B1 Routers Versions 1.00 to 4.50, SEIL/Turbo Routers 1.80 to 2.17 Version, SEIL/neu 2FE Plus router version 1.80 to 2.17
| VAR-201406-0373 | CVE-2014-3812 | Juniper Junos Pulse Secure Access Service Device IVE OS and Junos Pulse Access Control Service Vulnerability in which important information is obtained |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Juniper Junos Pulse Secure Access Service (SSL VPN) devices with IVE OS before 7.4r5 and 8.x before 8.0r1 and Junos Pulse Access Control Service (UAC) before 4.4r5 and 5.x before 5.0r1 enable cipher suites with weak encryption algorithms, which make it easier for remote attackers to obtain sensitive information by sniffing the network.
Successfully exploiting this issue in conjunction with other latent vulnerabilities may allow attackers to gain access to sensitive information that may aid in further attacks. The former is a client that supports remote and mobile users to access corporate resources with various Web devices. The latter is a standards-based, scalable network access control solution. A remote attacker could exploit this vulnerability to obtain sensitive information by sniffing the network
| VAR-201408-0025 | CVE-2013-5757 |
Yealink VoIP Phone SIP-T38G Vulnerable to absolute path traversal
Related entries in the VARIoT exploits database: VAR-E-201406-0112 |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx. Yealink VoIP Phone SIP-T38G is an enterprise HD IP phone. Yealink VoIP Phone SIP-T38G 'cgiServer.exx' has a file containing vulnerability. Since the Yealink VoIP Phone SIP-T38G 'cgiServer.exx' failed to properly filter the user-submitted input, the remote attacker was allowed to exploit the vulnerability to submit a special request to view the system file contents with WEB permissions. Yealink VoIP Phone SIP-T38G is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues using directory-traversal strings to view files and execute local script code in the context of the web server process. This may allow the attacker to compromise the application; other attacks are also possible
| VAR-201408-0024 | CVE-2013-5756 |
Yealink VoIP Phone SIP-T38G Vulnerable to directory traversal
Related entries in the VARIoT exploits database: VAR-E-201406-0112 |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a .. (dot dot) in the page parameter to cgi-bin/cgiServer.exx. Yealink VoIP Phone SIP-T38G is an enterprise HD IP phone. Yealink VoIP Phone SIP-T38G 'cgiServer.exx' has a file containing vulnerability. Since the Yealink VoIP Phone SIP-T38G 'cgiServer.exx' failed to properly filter the user-submitted input, the remote attacker was allowed to exploit the vulnerability to submit a special request to view the system file contents with WEB permissions. Yealink VoIP Phone SIP-T38G is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues using directory-traversal strings to view files and execute local script code in the context of the web server process. This may allow the attacker to compromise the application; other attacks are also possible
| VAR-201408-0026 | CVE-2013-5758 |
Yealink VoIP Phone SIP-T38G of cgi-bin/cgiServer.exx Vulnerable to arbitrary command execution
Related entries in the VARIoT exploits database: VAR-E-201406-0216, VAR-E-201406-0217 |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
cgi-bin/cgiServer.exx in Yealink VoIP Phone SIP-T38G allows remote authenticated users to execute arbitrary commands by calling the system method in the body of a request, as demonstrated by running unauthorized services, changing directory permissions, and modifying files. Yealink VoIP Phone SIP-T38G is an enterprise HD IP phone. The remote attacker is allowed to exploit the vulnerability to submit a special request and execute arbitrary commands with WEB privileges because the user-submitted input is not properly filtered.
An attacker may leverage this issue to execute arbitrary commands in the context of the affected application
| VAR-201406-0490 | No CVE | Parallels Plesk Panel XML External entity injection vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Parallels Plesk Panel is a host control panel solution from Parallels, USA. The solution supports web tools, built-in virtualization, customer experience, and more.
An XML external entity injection vulnerability exists in Parallels Plesk Panel. An attacker could use this vulnerability to obtain sensitive information. Vulnerabilities exist in Parallels Plesk Panel 10.4.4 and 11.0.9. Other versions may also be affected.
Attackers can exploit these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks
| VAR-201407-0011 | CVE-2013-5755 |
Yealink IP Phone SIP-T38G of config/.htpasswd Vulnerabilities that gain access
Related entries in the VARIoT exploits database: VAR-E-201406-0133 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
config/.htpasswd in Yealink IP Phone SIP-T38G has a hardcoded password of (1) user (s7C9Cx.rLsWFA) for the user account, (2) admin (uoCbM.VEiKQto) for the admin account, and (3) var (jhl3iZAe./qXM) for the var account, which makes it easier for remote attackers to obtain access via unspecified vectors. Yealink VoIP Phone SIP-T38G is an enterprise HD IP phone. Yealink VoIP Phone SIP-T38G has a security credential security bypass vulnerability. The Yealink VoIP Phone SIP-T38G WEB interface uses authentication credentials in /config/.htpasswd, such as: user:user, admin:admin, var:var, to allow attacks. These credentials are used for unauthorized access.
Successful attacks can allow a remote attacker to gain access to the vulnerable device
| VAR-201406-0374 | CVE-2014-3813 | Juniper Networks NetScreen Firewall Product ScreenOS Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Juniper Networks NetScreen Firewall products with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via vectors related to a DNS lookup. Multiple Juniper NetScreen Firewall products are prone to a denial-of-service vulnerability.
Successfully exploiting this issue may allow an attacker to cause denial-of-service conditions
| VAR-201407-0034 | CVE-2014-3427 | Yealink VoIP Phone In the firmware CRLF Injection vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
CRLF injection vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the model parameter to servlet. Yealink VoIP Phone The firmware of CRLF An injection vulnerability exists. Supplementary information : CWE Vulnerability type by CWE-93: Improper Neutralization of CRLF Sequences (CRLF injection ) Has been identified. Yealink VoIP Phones are prone to an HTTP-response-splitting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust. Yealink VoIP Phones are IP phone products of China YeaLink Company. The product supports caller avatar display, call recording and anonymous calling, etc.
I. BACKGROUND
Yealink is a manufacturer of VoIP and Video products. To
minimize noise read more at:
http://www.yealink.com/Companyprofile.aspx
III. Validated on
Firmware Version 28.72.0.2
Hardware Version 28.2.0.128.0.0.0
CRLF Injection (Header Splitting) proof of concept:
Request
GET /servlet?linepage=1&model=%0d%0a%20 ANYTHING I WANT GOES HERE &p=dsskey&q=load HTTP/1.1
In the above request, attackers can shove in code, webpages,
etc. In my tests, I have used javascript, redirects, and even
an entire web page shoved into the CRLF vulnerable inputs.
-----
The XSS vulnerability
GET /servlet?jumpto=dsskey&model=%22%20onmouseover%3dprompt%28 1337 %29%20badpuppy%3d%22&p=login&q=loginForm HTTP/1.1
Typical Cross Site Scripting.
IV. SOLUTION
Minimize accessibility to the phone's interface.
V. VENDOR CONTACT AND RESPONSE
05/08/2014 E-mailed security@yealink.com (bounced)
05/08/2014 Created an account on Yealink's forum and
sent message (no response for weeks)
05/26/2014 Response via e-mail from Yealink
05/26/2014 Replied to vendor I would disclose in June
06/01/2014 Reached back out to vendor for update
06/08/2014 Reached back out to vendor for update
06/11/2014 Rouched out one last time... Crickets
06/12/2014 Advisory
VI. TOOLS USED
Burpsuite, WVS, Firefox
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
| VAR-201406-0123 | CVE-2014-3428 | Yealink VoIP Phone Firmware cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Yealink VoIP Phones firmware 28.72.0.2 and hardware 28.2.0.128.0.0.0 are vulnerable; other versions may also be affected. Yealink VoIP P are IP phone products of China YeaLink Company. The product supports caller avatar display, call recording and anonymous calling, etc.
I. ADVISORY
CVE-2014-3427 CRLF Injection in Yealink VoIP Phones
CVE-2014-3428 XSS vulnerabilities in Yealink VoIP Phones
Date published: 06/12/2014
Vendor Contacted: 05/08/2014
II. BACKGROUND
Yealink is a manufacturer of VoIP and Video products. To
minimize noise read more at:
http://www.yealink.com/Companyprofile.aspx
III. DESCRIPTION
There are CRLF Injection and XSS vulnerabilities in Yealink
VoIP telephones. Validated on
Firmware Version 28.72.0.2
Hardware Version 28.2.0.128.0.0.0
CRLF Injection (Header Splitting) proof of concept:
Request
GET /servlet?linepage=1&model=%0d%0a%20 ANYTHING I WANT GOES HERE &p=dsskey&q=load HTTP/1.1
In the above request, attackers can shove in code, webpages,
etc. In my tests, I have used javascript, redirects, and even
an entire web page shoved into the CRLF vulnerable inputs.
-----
The XSS vulnerability
GET /servlet?jumpto=dsskey&model=%22%20onmouseover%3dprompt%28 1337 %29%20badpuppy%3d%22&p=login&q=loginForm HTTP/1.1
Typical Cross Site Scripting.
IV. SOLUTION
Minimize accessibility to the phone's interface.
V. VENDOR CONTACT AND RESPONSE
05/08/2014 E-mailed security@yealink.com (bounced)
05/08/2014 Created an account on Yealink's forum and
sent message (no response for weeks)
05/26/2014 Response via e-mail from Yealink
05/26/2014 Replied to vendor I would disclose in June
06/01/2014 Reached back out to vendor for update
06/08/2014 Reached back out to vendor for update
06/11/2014 Rouched out one last time... Crickets
06/12/2014 Advisory
VI. TOOLS USED
Burpsuite, WVS, Firefox
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
| VAR-201406-0307 | CVE-2014-3290 | Cisco IOS XE of mDNS Vulnerability in obtaining important network service information in the implementation of |
CVSS V2: 4.8 CVSS V3: - Severity: MEDIUM |
The mDNS implementation in Cisco IOS XE 3.12S does not properly interact with autonomic networking, which allows remote attackers to obtain sensitive networking-services information by sniffing the network or overwrite networking-services data via a crafted mDNS response, aka Bug ID CSCun64867. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Cisco Autonomic Networking infrastructure is prone to a security-bypass vulnerability.
An attacker can leverage this issue to perform unauthorized actions and obtain sensitive information that may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCun64867. The vulnerability stems from the fact that the program does not properly restrict mDNS from handling autonomous networks
| VAR-201406-0507 | No CVE | Xml eXternal Entity Vulnerability in XML link function of Hitachi COBOL2002 |
CVSS V2: 4.0 CVSS V3: - Severity: Medium |
XML link function of Hitachi COBOL2002 contains vulnerabilities to conduct information leakage or cause a denial of service (DoS) condition.A remote attacker could conduct information leakage or cause a denial of service (DoS) condition via untrusted XML document loading unexpected external entities.
| VAR-201406-0392 | CVE-2014-2176 | ASR 9000 Runs on the device Cisco IOS XR Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Cisco IOS XR 4.1.2 through 5.1.1 on ASR 9000 devices, when a Trident-based line card is used, allows remote attackers to cause a denial of service (NP chip and line card reload) via malformed IPv6 packets, aka Bug ID CSCun71928. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Cisco IOS XR Software for ASR 9000 Series Aggregation Services Routers have security vulnerabilities in resolving malformed IPv6 packets. Cisco IOS XR is prone to a remote denial-of-service vulnerability.
This issue is being tracked by Cisco Bug ID CSCun71928
| VAR-201406-0375 | CVE-2014-3814 | Juniper Networks NetScreen Firewall Product ScreenOS Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP. Juniper NetScreen Firewall is prone to a denial-of-service vulnerability.
Successful exploits may allow the attacker to cause denial-of-service conditions.
Juniper NetScreen Firewall 3.0 is vulnerable; other versions may also be affected
| VAR-201406-0311 | CVE-2014-3295 | Cisco NX-OS Software HSRP Packet Parsing Denial of Service Vulnerability |
CVSS V2: 4.8 CVSS V3: - Severity: MEDIUM |
The HSRP implementation in Cisco NX-OS 6.2(2a) and earlier allows remote attackers to bypass authentication and cause a denial of service (group-member state modification and traffic blackholing) via malformed HSRP packets, aka Bug ID CSCup11309. Vendors have confirmed this vulnerability Bug ID CSCup11309 It is released as.Malformed by a third party HSRP Authentication is avoided and service operation is interrupted via packets. ( Group member state changes and traffic black holes ) There is a possibility of being put into a state. Cisco NX-OS is a data center-level operating system. An attacker could exploit this vulnerability to bypass authentication and convert the status of a group member to SPEAK, causing a denial of service.
An attacker can leverage this issue to cause a denial-of-service condition; denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCup11309
| VAR-201406-0305 | CVE-2014-3287 | Cisco Unified Communications Domain Manager of Java In the interface SQL Injection vulnerability |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
SQL injection vulnerability in BulkViewFileContentsAction.java in the Java interface in Cisco Unified Communications Manager (Unified CM) allows remote authenticated users to execute arbitrary SQL commands via crafted filename parameters in a URL, aka Bug ID CSCuo17337.
An authenticated attacker can leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue is tracked by Cisco Bug ID CSCuo17337. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution
| VAR-201406-0310 | CVE-2014-3294 | Cisco WebEx Meeting Server Vulnerability in which important information is obtained |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Cisco WebEx Meeting Server does not properly restrict the content of URLs, which allows remote authenticated users to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history, aka Bug ID CSCuj81691. Cisco WebEx Meeting Server Is URL There is a vulnerability that can retrieve important information because it does not properly limit the content of. Cisco WebEx Meetings Server is a Cisco Conference Center implementation from Cisco.
An attacker can leverage this issue to obtain sensitive information that may aid in further attacks.
This issue is being tracked by Cisco bug ID CSCuj81691. Cisco WebEx Meeting Server is a set of multi-functional conference solutions including audio, video and Web conference in Cisco's WebEx conference solution