VARIoT IoT vulnerabilities database

VAR-201308-0215 CVE-2013-3468 Cisco Unified IP Phone 8945 Service disruption in other software (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The Cisco Unified IP Phone 8945 with software 9.3(2) allows remote attackers to cause a denial of service (device hang) via a malformed PNG file, aka Bug ID CSCud04270. A remote attacker may exploit this issue to cause denial-of-service conditions. This issue is tracked by Cisco Bug ID CSCud04270. The device provides functions such as voice and video
VAR-201308-0217 CVE-2013-3471 Cisco ISE Captive Portal Application Plaintext Credentials Information Disclosure Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The captive portal application in Cisco Identity Services Engine (ISE) allows remote attackers to discover cleartext usernames and passwords by leveraging unspecified use of hidden form fields in an HTML document, aka Bug ID CSCug02515. An attacker can exploit this issue to obtain sensitive information that may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCug02515. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies
VAR-201308-0218 CVE-2013-3472 Cisco Unified Communications Manager of Enterprise License Manager Vulnerable to cross-site request forgery CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in the Enterprise License Manager (ELM) in Cisco Unified Communications Manager (CM) allows remote attackers to hijack the authentication of arbitrary users for requests that make ELM modifications, aka Bug ID CSCui58210. The vendor has confirmed this vulnerability and released it as Bug ID CSCui58210. A third party may hijack the authentication of any user and make ELM changes. Attackers can exploit this issue to perform certain administrative actions and to gain unauthorized access to the affected application. This issue is being tracked by Cisco bug IDs CSCui58210 and CSCul33890. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution
VAR-201308-0473 No CVE Belkin F5D7234-4 G Wireless Router Input Verification Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The Belkin F5D7234-4 G is a wireless router product. Belkin F5D7234-4 G Wireless Router, firmware version 5.00.12, has an authentication bypass vulnerability and a remote code execution vulnerability. An attacker could exploit these vulnerabilities to obtain a device administrator login password, cause a denial of service, and perform unauthorized operations. The authentication bypass vulnerability stems from a problem with the handler for http://$ip/login.stm that can result in a leaked administrator login password hash. The remote code execution vulnerability stems from a problem with the handler for http://$ip/cgi-bin/wireless_WPS_Enroll.exe, which can cause a buffer overflow. Failed exploit attempts may result in a denial-of-service condition
VAR-201911-1466 CVE-2013-3312 Loftek Nexus 543 Cross-Site Request Forgery Vulnerability CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
Multiple cross-site request forgery (CSRF) vulnerabilities in the Loftek Nexus 543 IP Camera allow remote attackers to hijack the authentication of unspecified victims for requests that change (1) passwords or (2) firewall configuration, as demonstrated by a request to set_users.cgi. The Loftek Nexus 543 IP Camera is a webcam product. An attacker can perform actions such as changing the password
VAR-201308-0399 No CVE Schneider Electric OFS XML External Entity Injection Vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
Schneider Electric provides total solutions for the energy and infrastructure, industrial, data center and network, building and residential markets in more than 100 countries. Schneider Electric OFS software has errors in parsing XML external entities, allowing attackers to exploit the specially crafted XML data to obtain local resource information or consume a large amount of server resources. Schneider Electric OFS (OPC Factory Server) is a set of client applications that access data in real time from Schneider Electric (France). The application has features such as easy integration and custom interfaces. An XML external entity injection vulnerability exists in Schneider Electric OFS 3.40 and earlier. A local attacker could use this vulnerability to gain sensitive information or cause a denial of service
VAR-201911-1465 CVE-2013-3311 Loftek Nexus 543 IP Camera Path traversal vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Directory traversal vulnerability in the Loftek Nexus 543 IP Camera allows remote attackers to read arbitrary files via a .. (dot dot) in the URL of an HTTP GET request. The Loftek Nexus 543 is an outdoor waterproof webcam. Loftek Nexus 543 is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input
VAR-201911-1467 CVE-2013-3313 Loftek Nexus 543 Information Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
The Loftek Nexus 543 IP Camera stores passwords in cleartext, which allows remote attackers to obtain sensitive information via an HTTP GET request to check_users.cgi. NOTE: cleartext passwords can also be obtained from proc/kcore when leveraging the directory traversal vulnerability in CVE-2013-3311. The Loftek Nexus 543 IP Camera contains a vulnerability related to information disclosure from the cache. This vulnerability is associated with CVE-2013-3311. Information may be obtained. The Loftek Nexus 543 is an outdoor waterproof webcam. Attackers can exploit this vulnerability to obtain sensitive information
VAR-201308-0209 CVE-2013-3586 Samsung Web Viewer for Samsung DVR allows authentication bypass and password disclosure

Related entries in the VARIoT exploits database: VAR-E-201308-0457
CVSS V2: 7.6
CVSS V3: -
Severity: HIGH
Samsung Web Viewer for Samsung DVR devices allows remote attackers to bypass authentication via an arbitrary SessionID value in a cookie. Samsung DVR is prone to an authentication-bypass vulnerability. Attackers can exploit this vulnerability to gain access to internal pages, including camera controls and account settings, which may aid in further attacks
VAR-201308-0084 CVE-2013-3387 Cisco Prime Central for Hosted Collaboration Solution Assurance Service disruption in (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724. The vendor has confirmed this vulnerability and released it as Bug ID CSCua42724. A third party may send a large number of TCP packets to port 5400, generating large error-log files and causing a denial of service (disk consumption). Attackers can exploit this issue to trigger a disk exhaustion that results in a denial of service condition. This issue is being tracked by Cisco Bug ID CSCua42724. The platform provides functions such as secure access authentication and real-time fault analysis
VAR-201308-0086 CVE-2013-3389 Cisco Prime Central for Hosted Collaboration Solution Assurance Service disruption in (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (memory consumption) via a flood of TCP packets to port (1) 61615 or (2) 61616, aka Bug ID CSCtz90114. Successfully exploiting this issue allows remote attackers to consume excessive memory resources, potentially denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCtz90114. The platform provides functions such as secure access authentication and real-time fault analysis
VAR-201308-0087 CVE-2013-3390 Cisco Prime Central for Hosted Collaboration Solution Assurance Service disruption in (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Memory leak in Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (memory consumption) via a flood of TCP packets, aka Bug ID CSCub59158. The Cisco Prime Central for HCS Assurance is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause a denial of service condition. This issue is being tracked by Cisco Bug ID CSCub59158. Cisco Prime Central for HCS Assurance 9.1 and prior are vulnerable. The platform provides functions such as secure access authentication and real-time fault analysis
VAR-201308-0224 CVE-2013-3459 Cisco Unified Communications Manager Service disruption in (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco Unified Communications Manager (Unified CM) 7.1(x) before 7.1(5b)su6a does not properly handle errors, which allows remote attackers to cause a denial of service (service disruption) via malformed registration messages, aka Bug ID CSCuf93466. The vendor has confirmed this vulnerability and released it as Bug ID CSCuf93466. A third party may cause a denial of service (service interruption) via a malformed registration message. Attackers can exploit this issue to cause a denial of service condition. This issue is being tracked by Cisco Bug ID CSCuf93466. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. The vulnerability is caused by the program's improper handling of exception conditions
VAR-201308-0226 CVE-2013-3461 Cisco Unified Communications Manager Service disruption in (DoS) Vulnerabilities CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Cisco Unified Communications Manager (Unified CM) 8.5(x) and 8.6(x) before 8.6(2a)su3 and 9.x before 9.1(1) does not properly restrict the rate of SIP packets, which allows remote attackers to cause a denial of service (memory and CPU consumption, and service disruption) via a flood of UDP packets to port 5060, aka Bug ID CSCub35869. Cisco Unified Communications Manager is prone to a denial-of-service vulnerability. Attackers can exploit this issue to cause a denial of service condition. This issue is being tracked by Cisco Bug ID CSCub35869. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. The following versions are affected: Cisco Unified CM 8.5(x) and 8.6(x) prior to 8.6(2a)su3, and 9.x prior to 9.1(1)
VAR-201308-0210 CVE-2013-3462 Cisco Unified Communications Manager Vulnerable to buffer overflow CVSS V2: 8.5
CVSS V3: -
Severity: HIGH
Buffer overflow in Cisco Unified Communications Manager (Unified CM) 7.1(x) before 7.1(5b)su6, 8.5(x) before 8.5(1)su6, 8.6(x) before 8.6(2a)su3, and 9.x before 9.1(2) allows remote authenticated users to execute arbitrary code via unspecified vectors, aka Bug ID CSCud54358. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCud54358. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. The following releases are affected: Cisco Unified CM 7.1(x) prior to 7.1(5b)su6, 8.5(x) prior to 8.5(1)su6, 8.6(x) prior to 8.6(2a)su3, and 9.x prior to 9.1(2)
VAR-201308-0220 CVE-2013-3453 Cisco Unified Communications Manager and Cisco Unified Presence Service disruption in (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Memory leak in Cisco Unified Communications Manager IM and Presence Service before 8.6(5)SU1 and 9.x before 9.1(2), and Cisco Unified Presence, allows remote attackers to cause a denial of service (memory and CPU consumption) by making many TCP connections to port (1) 5060 or (2) 5061, aka Bug ID CSCud84959. Attackers can exploit this issue to cause a denial of service condition. This issue is being tracked by Cisco Bug ID CSCud84959. CUCM is a call processing component in a unified communication system
VAR-201312-0126 CVE-2013-4775 plural NETGEAR ProSafe Vulnerability to read encrypted administrator authentication information in switch product firmware

Related entries in the VARIoT exploits database: VAR-E-201308-0138, VAR-E-201308-0137
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier; GS748Tv4 with firmware 5.4.1.14; GS510TP with firmware 5.4.0.6; GS752TPS, GS728TPS, GS728TS, and GS725TS with firmware 5.3.0.17; and GS752TXS and GS728TXS with firmware 6.1.0.12 allows remote attackers to read encrypted administrator credentials and other startup configurations via a direct request to filesystem/startup-config. NetGear ProSafe is a smart switch product that monitors and configures the network. An information disclosure vulnerability exists in multiple NetGear ProSafe switches. An attacker can exploit a vulnerability to download a configuration file and reveal sensitive information. The information obtained may be helpful for further attacks. 1. BACKGROUND According to the vendor, Netgear ProSafe is a cost-effective line of smart switches for Small and Medium Businesses (SMBs). The products cover an essential set of network features and easy-to-use web-based management. Power over Ethernet (PoE) and Stacking versions are also available. 2. CVE-2013-4776: Denial of Service vulnerability. 3. AFFECTED PRODUCTS AND SOFTWARE CVE-2013-4775 GS724Tv3 and GS716Tv2 - firmware 5.4.1.13 GS724Tv3 and GS716Tv2 - firmware 5.4.1.10 GS748Tv4 - firmware 5.4.1.14 GS510TP - firmware 5.4.0.6 GS752TPS and GS728TPS - firmware 5.3.0.17 GS728TS and GS725TS - firmware 5.3.0.17 GS752TXS and GS728TXS - firmware 6.1.0.12 CVE-2013-4776 GS724Tv3 and GS716Tv2 - firmware 5.4.1.13 GS724Tv3 and GS716Tv2 - firmware 5.4.1.10 GS748Tv4 - firmware 5.4.1.14 GS510TP - firmware 5.0.4.4 4. VULNERABILITIES The list below describes the vulnerabilities discovered in the affected software. 4.1 CVE-2013-4775: Unauthenticated startup-config disclosure The web management application fails to restrict URL access to different application areas. [Proof of Concept] The vulnerability can be exploited with a simple HTTP (GET) request. 
Open a browser and visit http://Target-IP/filesystem/startup-config 4.2 CVE-2013-4776: Denial of Service vulnerability The affected products are prone to a Denial of Service vulnerability. Remote, unauthenticated attackers could exploit this issue to cause a switch reboot or crash, resulting in a loss of network connectivity for all devices connected to the switch. [Proof of Concept] The vulnerability can be exploited with a simple HTTP (GET) request. Open a browser and visit http://Target-IP/filesystem/ Implementation of a Proof of Concept for both vulnerabilities can be found here: http://www.encripto.no/tools/netgear-prosafe-PoC.tar.gz 5. REMEDIATION No firmware updates or fixes have been released yet. As a mitigation, the vendor recommends configuring a separate management VLAN and configuring access control via “Security::Access::Access Control” or “Security::ACL::Advanced::IP Extended Rules”. 6. CREDIT The vulnerabilities were originally discovered in a GS724Tv3 device, by Juan J. Güelfo at Encripto AS. E-mail: post [at] encripto [dot] no Web: http://www.encripto.no Special thanks to Maarten Hoogcarspel and the Netgear Support Team for verifying other switch models, and considering possible fixes. For more information about Encripto’s research policy, please visit http://www.encripto.no/forskning/ 7. REFERENCES http://www.encripto.no/forskning/whitepapers/Netgear_prosafe_advisory_aug_2013.pdf http://www.encripto.no/tools/netgear-prosafe-PoC.tar.gz DISCLAIMER The material presented in this document is for educational purposes only. Encripto AS cannot be responsible for any loss or damage carried out by any technique presented in this material. The reader is the only one responsible for applying this knowledge, which is at his / her own risk. Any of the trademarks, service marks, collective marks, design rights, personality rights or similar rights that are mentioned, used or cited in this document is property of their respective owners
VAR-201312-0127 CVE-2013-4776 plural NETGEAR ProSafe Service operation interruption in switch product firmware (DoS) Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-201308-0138, VAR-E-201308-0137
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem/. NetGear ProSafe is a smart switch product that monitors and configures the network. Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions. The following ProSafe products are vulnerable: GS724Tv3 firmware version 5.4.1.13 GS716Tv2 firmware version 5.4.1.13 GS724Tv3 firmware version 5.4.1.10 GS716Tv2 firmware version 5.4.1.10 GS748Tv4 firmware version 5.4.1.14 GS510TP firmware version 5.0.4.4. 1. BACKGROUND According to the vendor, Netgear ProSafe is a cost-effective line of smart switches for Small and Medium Businesses (SMBs). The products cover an essential set of network features and easy-to-use web-based management. Power over Ethernet (PoE) and Stacking versions are also available. 2. SUMMARY A range of ProSafe switches are affected by two different vulnerabilities: CVE-2013-4775: Unauthenticated startup-config disclosure. CVE-2013-4776: Denial of Service vulnerability. 3. VULNERABILITIES The list below describes the vulnerabilities discovered in the affected software. 4.1 CVE-2013-4775: Unauthenticated startup-config disclosure The web management application fails to restrict URL access to different application areas. [Proof of Concept] The vulnerability can be exploited with a simple HTTP (GET) request. Open a browser and visit http://Target-IP/filesystem/startup-config 4.2 CVE-2013-4776: Denial of Service vulnerability The affected products are prone to a Denial of Service vulnerability. [Proof of Concept] The vulnerability can be exploited with a simple HTTP (GET) request. Open a browser and visit http://Target-IP/filesystem/ Implementation of a Proof of Concept for both vulnerabilities can be found here: http://www.encripto.no/tools/netgear-prosafe-PoC.tar.gz 5. 
REMEDIATION No firmware updates or fixes have been released yet. As a mitigation, the vendor recommends configuring a separate management VLAN and configuring access control via “Security::Access::Access Control” or “Security::ACL::Advanced::IP Extended Rules”. 6. CREDIT The vulnerabilities were originally discovered in a GS724Tv3 device, by Juan J. Güelfo at Encripto AS. E-mail: post [at] encripto [dot] no Web: http://www.encripto.no Special thanks to Maarten Hoogcarspel and the Netgear Support Team for verifying other switch models, and considering possible fixes. For more information about Encripto’s research policy, please visit http://www.encripto.no/forskning/ 7. REFERENCES http://www.encripto.no/forskning/whitepapers/Netgear_prosafe_advisory_aug_2013.pdf http://www.encripto.no/tools/netgear-prosafe-PoC.tar.gz DISCLAIMER The material presented in this document is for educational purposes only. Encripto AS cannot be responsible for any loss or damage carried out by any technique presented in this material. The reader is the only one responsible for applying this knowledge, which is at his / her own risk. Any of the trademarks, service marks, collective marks, design rights, personality rights or similar rights that are mentioned, used or cited in this document is property of their respective owners
VAR-201308-0085 CVE-2013-3388 Cisco Prime Central for Hosted Collaboration Solution Assurance Service disruption in (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (memory consumption) via a flood of TCP packets to port 44444, aka Bug ID CSCtz92776. Attackers can exploit this issue to cause excessive memory consumption, resulting in denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCtz92776. The platform provides functions such as secure access authentication and real-time fault analysis
VAR-201308-0225 CVE-2013-3460 Cisco Unified Communications Manager Service disruption in (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Memory leak in Cisco Unified Communications Manager (Unified CM) 8.5(x) before 8.5(1)su6, 8.6(x) before 8.6(2a)su3, and 9.x before 9.1(1) allows remote attackers to cause a denial of service (service disruption) via a high rate of UDP packets, aka Bug ID CSCub85597. The vendor has confirmed this vulnerability and released it as Bug ID CSCub85597. A third party may cause a denial of service (service stop) via a high rate of UDP packets. A remote attacker may exploit this issue to cause denial-of-service conditions. This issue is tracked by Cisco Bug ID CSCub85597. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. The following releases are affected: Cisco Unified CM 8.5(x) prior to 8.5(1)su6, 8.6(x) prior to 8.6(2a)su3, 9.x prior to 9.1(1)