VARIoT IoT vulnerabilities database
| VAR-201310-0217 | CVE-2013-3610 | ASUS RT-N10E Wireless Router 'QIS_finish.htm' Password Information Disclosure Vulnerability |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
qis/QIS_finish.htm on the ASUS RT-N10E router with firmware before 2.0.0.25 does not require authentication, which allows remote attackers to discover the administrator password via a direct request. The ASUS Wireless-N150 Router RT-N10E contains an authentication bypass (CWE-592) vulnerability. CWE-592: Authentication Bypass Issues http://cwe.mitre.org/data/definitions/592.html Administrator authentication information may be obtained by a third party who can access the product. As a result, arbitrary operations may be executed with administrator privileges for the product.
Successful exploits will allow unauthenticated attackers to obtain sensitive information of the device such as administrative password, which may aid in further attacks.
ASUS RT-N10E firmware version 2.0.0.24 is vulnerable
| VAR-201310-0014 | CVE-2012-4141 | Cisco NX-OS 'file name' parameter arbitrary file write vulnerability |
CVSS V2: 6.2 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in the CLI parser in Cisco NX-OS allows local users to create arbitrary script files via a relative pathname in the "file name" parameter, aka Bug IDs CSCua71557 and CSCua71551. The CLI parser of Cisco NX-OS contains a directory traversal vulnerability. The Cisco Nexus Series switches are data center switches that run the Cisco Nexus OS operating system. Cisco NX-OS is prone to an arbitrary file-write vulnerability. This may aid in further attacks.
This issue is being tracked by Cisco bug IDs CSCua71557 and CSCua71551
| VAR-201310-0005 | CVE-2012-4076 | Cisco NX-OS vulnerability that allows gaining privileges |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cisco NX-OS allows local users to gain privileges and execute arbitrary commands via shell metacharacters in a command that calls the system library function, aka Bug IDs CSCtf23559 and CSCtf27780. The Cisco Nexus Series switches are data center switches that run the Cisco Nexus OS operating system.
This issue is being tracked by Cisco bug IDs CSCtf23559 and CSCtf27780. The vulnerability is caused by the program not properly filtering parameters containing special characters
| VAR-201310-0006 | CVE-2012-4077 | Cisco NX-OS vulnerability that allows gaining privileges |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cisco NX-OS allows local users to gain privileges and execute arbitrary commands via the sed e option, aka Bug IDs CSCtf25457 and CSCtf27651. The Cisco Nexus Series switches are data center switches that run the Cisco Nexus OS operating system.
This issue is being tracked by Cisco bug IDs CSCtf25457 and CSCtf27651. An input validation vulnerability exists in Cisco NX-OS Software
| VAR-201310-0012 | CVE-2012-4097 | Cisco NX-OS BGP implementation denial-of-service (DoS) vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The BGP implementation in Cisco NX-OS does not properly filter segment types in AS paths, which allows remote attackers to cause a denial of service (BGP service reset) via a malformed UPDATE message, aka Bug ID CSCtn13043. The Cisco Nexus Series switches are data center switches that run the Cisco Nexus OS operating system. Cisco NX-OS is prone to a denial-of-service vulnerability.
This issue is being tracked by Cisco bug ID CSCtn13043. The vulnerability is caused by the program not properly filtering invalid AS path segment types
| VAR-201310-0016 | CVE-2012-4099 | Cisco NX-OS BGP implementation denial-of-service (DoS) vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The BGP implementation in Cisco NX-OS does not properly filter AS paths, which allows remote attackers to cause a denial of service (BGP service reset and resync) via a malformed UPDATE message, aka Bug ID CSCtn13065. The Cisco Nexus Series switches are data center switches that run the Cisco Nexus OS operating system. Cisco NX-OS is prone to a denial-of-service vulnerability.
This issue is being tracked by Cisco bug ID CSCtn13065. The vulnerability is caused by the program not properly filtering invalid AS path values
| VAR-201310-0033 | CVE-2012-4121 | Cisco NX-OS vulnerability that allows gaining privileges |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cisco NX-OS allows local users to gain privileges, and read or modify arbitrary files, via the sed (1) r and (2) w commands, aka Bug IDs CSCts56559, CSCts56565, CSCts56570, and CSCts56574. The Cisco Nexus Series switches are data center switches that run the Cisco Nexus OS operating system. Cisco NX-OS is prone to a local arbitrary file-access vulnerability. This may lead to further attacks.
This issue is being tracked by Cisco bug IDs CSCts56559, CSCts56565, CSCts56570, and CSCts56574
| VAR-201310-0008 | CVE-2012-4090 | Vulnerability in Cisco NX-OS running on Nexus 7000 devices that allows obtaining sensitive configuration-file information |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The management interface in Cisco NX-OS on Nexus 7000 devices allows remote authenticated users to obtain sensitive configuration-file information by leveraging the network-operator role, aka Bug ID CSCti09089. The Cisco Nexus Series switches are data center switches that run the Cisco Nexus OS operating system. Users who have the network-operator role can view the configuration file and get sensitive information because the configuration file is not properly filtered. This may result in further attacks.
This issue is being tracked by Cisco Bug ID CSCti09089
| VAR-201310-0009 | CVE-2012-4091 | Cisco NX-OS RIP service engine denial-of-service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The RIP service engine in Cisco NX-OS allows remote attackers to cause a denial of service (engine restart) via a malformed (1) RIPv4 or (2) RIPv6 message, aka Bug ID CSCtj73415. The Cisco Nexus Series switches are data center switches that run the Cisco Nexus OS operating system. Cisco NX-OS is prone to a remote denial-of-service vulnerability.
Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCtj73415. The vulnerability is caused by the program not filtering RIP packets correctly
| VAR-201310-0034 | CVE-2012-4122 | Cisco NX-OS CLI parser access-restriction bypass vulnerability |
CVSS V2: 6.2 CVSS V3: - Severity: MEDIUM |
The CLI parser in Cisco NX-OS allows local users to bypass intended access restrictions, and overwrite or create arbitrary files, via shell output redirection, aka Bug IDs CSCts56672 and CSCts56669. The Cisco Nexus Series switches are data center switches that run the Cisco Nexus OS operating system.
An attacker can exploit this issue to create or overwrite arbitrary files on the affected device. This may aid in further attacks.
This issue is being tracked by Cisco bug IDs CSCts56672 and CSCts56669
| VAR-201310-0198 | CVE-2013-2808 | Heap-based buffer overflow vulnerability in Xper Connect in multiple Philips products |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Xper in Philips Xper Information Management Physiomonitoring 5 components, Xper Information Management Vascular Monitoring 5 components, and Xper Information Management servers and workstations for Flex Cardio products before XperConnect 1.5.4.053 SP2 allows remote attackers to execute arbitrary code via a crafted HTTP request to the Connect broker on TCP port 6000. Xper is a physiological testing system that is mostly deployed in the medical and public health sectors. Xper Connect is prone to a heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
Versions prior to Xper Connect 1.5.4.053 SP2 are vulnerable. Philips Xper Information Management Physiomonitoring, etc. are all components in the healthcare information system (Xper Cardiovascular Workflow Solution) of Philips, the Netherlands. The solution provides workflow charting, registry management, real-time hemodynamic monitoring and reporting, and more. A heap-based buffer overflow vulnerability exists in the Philips Xper application
| VAR-201310-0298 | CVE-2013-4828 | Vulnerability in multiple HP FutureSmart products that allows obtaining sensitive information from devices |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
HP LaserJet M4555, M525, and M725; LaserJet flow MFP M525c; LaserJet Enterprise color flow MFP M575c; Color LaserJet CM4540, M575, and M775; and ScanJet Enterprise 8500fn1 FutureSmart devices do not properly encrypt PDF documents, which allows remote attackers to obtain sensitive information via unspecified vectors. HP FutureSmart LaserJet Printers are laser printer devices from Hewlett Packard.
An attacker may exploit this issue to obtain sensitive information; this may lead to further attacks.
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03888014
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03888014
Version: 1
HPSBPI02892 rev.1 - Certain HP FutureSmart MFP, Weak PDF Encryption, Local
Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible. The vulnerabilities might lead to weak
encryption of PDF documents or local disclosure of scanned information.
References: CVE-2013-4828 (SSRT101249)
CVE-2013-4829 (SSRT101327)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Please refer to the RESOLUTION
below for the list of impacted HP FutureSmart products.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2013-4828 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-4829 (AV:L/AC:M/Au:S/C:P/I:N/A:N) 1.5
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided updated printer firmware to resolve this issue, as referenced
in the following table. Browse to www.hp.com/go/support and
then:
Select "Drivers & Software"
Enter the HP product name listed in the table above into the search field
Click on "Search"
If the search returns a list of products click on the appropriate product
Under "Select operating system select your operating system, click "Next"
Under Select a Download Select "Firmware"
Click "Download" to obtain the Firmware
HISTORY
Version:1 (rev.1) - 3 October 2013 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
| VAR-201310-0383 | CVE-2013-6011 | Citrix NetScaler Application Delivery Controller Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Citrix NetScaler Application Delivery Controller (ADC) 10.0 before 10.0-76.7 allows remote attackers to cause a denial of service (nsconfigd crash and appliance reboot) via a crafted request. This solution is mainly used to optimize, protect and control the delivery of various enterprise services and cloud services.
A denial of service vulnerability exists in versions prior to Citrix NetScaler 10.0-76.7, which is due to an error in the ADC. An attacker could use this vulnerability to cause a denial of service
| VAR-201310-0807 | No CVE | Arbitrary Commands Execution Vulnerability in JP1/Automatic Job Management System 3 and JP1/Automatic Job Management System 2 |
CVSS V2: 8.3 CVSS V3: - Severity: High |
The JP1/Automatic Job Management System 3 and JP1/Automatic Job Management System 2 contain a vulnerability where arbitrary commands may be executed when they receive request messages from unexpected hosts in the network. Malicious users can exploit this vulnerability to execute arbitrary commands by sending request messages from an unexpected host.
| VAR-201310-0806 | No CVE | Arbitrary Commands Execution Vulnerability in JP1/Base |
CVSS V2: 8.3 CVSS V3: - Severity: High |
JP1/Base contains a vulnerability where arbitrary commands may be executed when it receives request messages from unexpected hosts in the network. Malicious users can exploit this vulnerability to execute arbitrary commands by sending request messages from an unexpected host.
| VAR-201310-0299 | CVE-2013-4829 | Vulnerability in multiple HP FutureSmart products that allows reading images of arbitrary scanned documents on devices |
CVSS V2: 1.5 CVSS V3: - Severity: LOW |
HP LaserJet M4555, M525, and M725; LaserJet flow MFP M525c; LaserJet Enterprise color flow MFP M575c; Color LaserJet CM4540, M575, and M775; and ScanJet Enterprise 8500fn1 FutureSmart devices allow local users to read images of arbitrary scanned documents via unspecified vectors. HP FutureSmart LaserJet Printers are laser printer devices from Hewlett Packard. HP FutureSmart LaserJet Printers have an unspecified flaw that allows local attackers to obtain sensitive information.
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03888014
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03888014
Version: 1
HPSBPI02892 rev.1 - Certain HP FutureSmart MFP, Weak PDF Encryption, Local
Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2013-10-03
Last Updated: 2013-10-03
Potential Security Impact: Weak PDF encryption and local disclosure of
information
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with certain HP
FutureSmart LaserJet printers. The vulnerabilities might lead to weak
encryption of PDF documents or local disclosure of scanned information.
References: CVE-2013-4828 (SSRT101249)
CVE-2013-4829 (SSRT101327)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Please refer to the RESOLUTION
below for the list of impacted HP FutureSmart products.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2013-4828 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-4829 (AV:L/AC:M/Au:S/C:P/I:N/A:N) 1.5
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided updated printer firmware to resolve this issue, as referenced
in the following table. Browse to www.hp.com/go/support and
then:
Select "Drivers & Software"
Enter the HP product name listed in the table above into the search field
Click on "Search"
If the search returns a list of products click on the appropriate product
Under "Select operating system select your operating system, click "Next"
Under Select a Download Select "Firmware"
Click "Download" to obtain the Firmware
HISTORY
Version:1 (rev.1) - 3 October 2013 Initial release
| VAR-201310-0475 | CVE-2013-5163 | Apple Mac OS X Directory Services vulnerability that allows bypassing password-based authentication |
CVSS V2: 6.6 CVSS V3: - Severity: MEDIUM |
Directory Services in Apple Mac OS X before 10.8.5 Supplemental Update allows local users to bypass password-based authentication and modify arbitrary Directory Services records via unspecified vectors. Apple Mac OS X is prone to a local security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions.
Apple Mac OS X versions 10.8 through 10.8.5 are vulnerable. The issue was addressed through
improved credential validation.
CVE-ID
CVE-2013-5163 : the rookies of 42
OS X v10.8.5 Supplemental Update may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site: http://www.apple.com/support/downloads/
For OS X Mountain Lion v10.8.5
The download file is named: OSXUpd10.8.5Supp.dmg
Its SHA-1 digest is: 18636c06f0db5b326752628fb7a2dfa3ce077ae1
For OS X Mountain Lion v10.8.4
The download file is named: OSXUpd10.8.5.dmg
Its SHA-1 digest is: b115881f8541b2b80f89ff0e37563f2245be445b
For OS X Mountain Lion v10.8 and v10.8.3
The download file is named: OSXUpdCombo10.8.5.dmg
Its SHA-1 digest is: 5f574ec77678a965f4684d176ec13014d9ffac75
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201310-0394 | CVE-2013-5967 | SQL injection vulnerability in AlienVault Open Source Security Information Management |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple SQL injection vulnerabilities in AlienVault Open Source Security Information Management (OSSIM) 4.3 and earlier allow remote attackers to execute arbitrary SQL commands via the date_from parameter to (1) radar-iso27001-potential.php, (2) radar-iso27001-A12IS_acquisition-pot.php, (3) radar-iso27001-A11AccessControl-pot.php, (4) radar-iso27001-A10Com_OP_Mgnt-pot.php, or (5) radar-pci-potential.php in RadarReport/. The Triangle Research Nano-10 PLC is a controller for automated manufacturing. The Triangle Research Nano-10 PLC has a remote denial of service attack when processing specially crafted messages, allowing remote attackers to crash applications. This vulnerability can be triggered when the firmware is processing a special length (over 0x200) MODBUS TCP message on TCP port 502. Open Source SIEM (OSSIM) is prone to multiple SQL-injection vulnerabilities.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Open Source SIEM (OSSIM) 4.3.0 and prior are vulnerable
| VAR-201310-0532 | CVE-2013-5503 | Cisco IOS XR Software UDP Packet Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The UDP process in Cisco IOS XR 4.3.1 does not free packet memory upon detecting full packet queues, which allows remote attackers to cause a denial of service (memory consumption) via UDP packets to listening ports, aka Bug ID CSCue69413. A vulnerability exists that can be exploited to cause a denial of service (memory consumption). Cisco IOS XR is a member of the Cisco IOS Software family that uses a microkernel-based operating system architecture. The device cannot allocate memory for packets, causing a denial of service.
An attacker can exploit this issue to exhaust all available memory and cause a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCue69413
| VAR-201404-0194 | CVE-2014-1990 | TOSHIBA TEC e-Studio series vulnerable to cross-site request forgery |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in TopAccess (aka the web-based management utility) on TOSHIBA TEC e-Studio 232, 233, 282, and 283 devices allows remote attackers to hijack the authentication of administrators for requests that change passwords. e-Studio provided by TOSHIBA TEC CORPORATION is a multi-function peripheral (MFP). As a result, a remote attacker may obtain the document assets such as scan data. TOSHIBA e-Studio is prone to a cross-site request-forgery vulnerability.
Exploiting the issue will allow a remote attacker to use a victim's currently active session to change the victim's password. Successful exploits will compromise affected computers. TOSHIBA TEC e-Studio 232, 233, 282 and 283 are all printing and copying all-in-one products of Japan's Toshiba (TOSHIBA). TopAccess (also known as Web-based management tool) is the network management software used in these products