VARIoT IoT vulnerabilities database
| VAR-201312-0075 | CVE-2013-3622 | Supermicro X9 generation motherboard IPMI firmware arbitrary code execution vulnerability |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Buffer overflow in logout.cgi in the Intelligent Platform Management Interface (IPMI) with firmware before 3.15 (SMT_X9_315) on Supermicro X9 generation motherboards allows remote authenticated users to execute arbitrary code via the SID parameter. Supermicro IPMI is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers may be able to execute arbitrary code with root privileges in the context of the affected firmware. Failed exploit attempts will likely result in denial-of-service conditions.
Supermicro IPMI firmware versions prior to SMT_X9_315 are vulnerable. Supermicro's Intelligent Platform Management Interface (IPMI) is an IPMI card that allows the system to be controlled remotely, for example to boot it or enter the BIOS.
| VAR-201311-0294 | CVE-2013-5553 | Cisco IOS denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Multiple memory leaks in Cisco IOS 15.1 before 15.1(4)M7 allow remote attackers to cause a denial of service (memory consumption or device reload) by sending a crafted SIP message over (1) IPv4 or (2) IPv6, aka Bug IDs CSCuc42558 and CSCug25383. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. The vulnerability is due to improper handling of specially crafted SIP messages. Cisco IOS is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected system to reload, resulting in a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCuc42558. The following releases are affected: Cisco IOS 15.1(4)GC, 15.1(4)GC1, 15.1(4)M4, 15.1(4)M5, 15.1(4)M6.
| VAR-201311-0298 | CVE-2013-5558 | Cisco TelePresence VX Clinical Assistant WIL-A module access vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The WIL-A module in Cisco TelePresence VX Clinical Assistant 1.2 before 1.21 changes the admin password to an empty password upon a reboot, which makes it easier for remote attackers to obtain access via the administrative interface, aka Bug ID CSCuj17238. The vendor has confirmed this vulnerability and published it as Bug ID CSCuj17238. A third party may gain access through the administrative interface.
Exploiting this issue could allow an attacker to bypass certain security restrictions and perform unauthorized actions on the device running the vulnerable application.
This issue is being tracked by Cisco Bug ID CSCuj17238. The system provides remote diagnosis, virtual nursing, medical education and other functions through high-definition video. The vulnerability is caused by an error in the program's handling of administrative passwords: when the system is restarted, the software resets the admin password to an empty password. An attacker could exploit this vulnerability to gain administrative privileges by logging into the management interface.
| VAR-201311-0305 | CVE-2013-5565 | Cisco IOS XR OSPFv3 denial of service (DoS) vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The OSPFv3 functionality in Cisco IOS XR 5.1 allows remote attackers to cause a denial of service (process crash) via a malformed LSA Type-1 packet, aka Bug ID CSCuj82176. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches.
An attacker can exploit this issue to cause the OSPFv3 process to crash on an affected device, resulting in a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCuj82176. The vulnerability is caused by the program not correctly parsing LSA Type-1 packets.
| VAR-201311-0306 | CVE-2013-5566 | Cisco NX-OS on Cisco MDS 9000 devices denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco NX-OS 5.0 and earlier on MDS 9000 devices allows remote attackers to cause a denial of service (supervisor CPU consumption) via Authentication Header (AH) authentication in a Virtual Router Redundancy Protocol (VRRP) frame, aka Bug ID CSCte27874. Cisco NX-OS running on Cisco MDS 9000 devices contains a vulnerability that can cause a denial of service (supervisor CPU resource consumption). Cisco MDS 9000 NX-OS Software is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause the device to consume excessive CPU resources, resulting in denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCte27874. Cisco NX-OS is a data center-oriented operating system developed by Cisco. The vulnerability is caused by the program not correctly handling Virtual Router Redundancy Protocol (VRRP) packets.
| VAR-201312-0076 | CVE-2013-3623 | Supermicro X9 generation motherboard IPMI firmware stack-based buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in cgi/close_window.cgi in the web interface in the Intelligent Platform Management Interface (IPMI) with firmware before 3.15 (SMT_X9_315) on Supermicro X9 generation motherboards allow remote attackers to execute arbitrary code via the (1) sess_sid or (2) ACT parameter. Supermicro IPMI is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data.
Attackers may be able to execute arbitrary code in the context of the affected firmware. Failed exploit attempts will likely result in denial-of-service conditions.
Supermicro IPMI running firmware version SMT_X9_226 is vulnerable. Supermicro's Intelligent Platform Management Interface (IPMI) is an IPMI card that allows the system to be controlled remotely, for example to boot it or enter the BIOS.

The following Metasploit auxiliary module checks for these CGI buffer overflows:

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'uri'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Supermicro Onboard IPMI CGI Vulnerability Scanner',
      'Description' => %q{
        This module checks for known vulnerabilities in the CGI applications of
        Supermicro Onboard IPMI controllers. These issues currently include
        several unauthenticated buffer overflows in the login.cgi and close_window.cgi
        components.
      },
      'Author' =>
        [
          'hdm',         # Discovery and analysis
          'juan vazquez' # Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2013-3621' ],
          [ 'CVE', '2013-3623' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2013/11/06/supermicro-ipmi-firmware-vulnerabilities/' ]
        ],
      'DisclosureDate' => '2013-11-06'))
  end

  # Fingerprint the target: the Supermicro IPMI web interface is built by ATEN
  # and its landing page carries the ATEN copyright string.
  def is_supermicro?
    res = send_request_cgi(
      {
        'uri' => '/',
        'method' => 'GET'
      })
    !!(res && res.code == 200 && res.body.to_s =~ /ATEN International Co Ltd\./)
  end

  # POST a session id value to close_window.cgi (CVE-2013-3623, sess_sid parameter).
  def send_close_window_request(sess)
    send_request_cgi({
      'method' => 'POST',
      'uri' => '/cgi/close_window.cgi',
      'encode_params' => false,
      'vars_post' => {
        'sess_sid' => sess
      }
    })
  end

  # A short value must be handled normally (HTTP 200 with the expected error text);
  # an over-long value that makes the CGI fail (HTTP 500) indicates a vulnerable build.
  def check_close_window
    safe_check = Rex::Text.rand_text_alpha(20)
    trigger_check = Rex::Text.rand_text_alpha(132)

    res = send_close_window_request(safe_check)
    unless res && res.code == 200 && res.body.to_s =~ /Can't find action/
      return false
    end

    res = send_close_window_request(trigger_check)
    unless res && res.code == 500
      return false
    end

    true
  end

  # POST a user name to login.cgi (CVE-2013-3621, name parameter) with a random password.
  def send_login_request(name)
    send_request_cgi({
      'method' => 'POST',
      'uri' => '/cgi/login.cgi',
      'encode_params' => false,
      'vars_post' => {
        'name' => name,
        'pwd' => Rex::Text.rand_text_alpha(4)
      }
    })
  end

  # Same two-step check as for close_window.cgi: a short name yields the normal
  # login page (HTTP 200), an over-long name makes the CGI fail (HTTP 500) on
  # vulnerable firmware.
  def check_login
    safe_check = Rex::Text.rand_text_alpha(20)
    trigger_check = Rex::Text.rand_text_alpha(300)

    res = send_login_request(safe_check)
    unless res && res.code == 200 && res.body.to_s =~ /ATEN International Co Ltd\./ && res.body.to_s =~ /top\.location\.href = location\.href/
      return false
    end

    res = send_login_request(trigger_check)
    unless res && res.code == 500
      return false
    end

    true
  end

  def run_host(ip)
    vprint_status("Checking if it's a Supermicro IPMI web interface...")
    if is_supermicro?
      vprint_good("Supermicro IPMI web interface found")
    else
      vprint_error("Supermicro IPMI web interface not found")
      return
    end

    vprint_status("Checking CVE-2013-3621 (login.cgi Buffer Overflow) ...")
    if check_login
      print_good("Vulnerable to CVE-2013-3621 (login.cgi Buffer Overflow)")
      report_vuln({
        :host => rhost,
        :port => rport,
        :proto => 'tcp',
        :name => "Supermicro Onboard IPMI login.cgi Buffer Overflow",
        :refs => self.references.select { |ref| ref.ctx_val == "2013-3621" }
      })
    end

    vprint_status("Checking CVE-2013-3623 (close_window.cgi Buffer Overflow) ...")
    if check_close_window
      print_good("Vulnerable to CVE-2013-3623 (close_window.cgi Buffer Overflow)")
      report_vuln({
        :host => rhost,
        :port => rport,
        :proto => 'tcp',
        :name => "Supermicro Onboard IPMI close_window.cgi Buffer Overflow",
        :refs => self.references.select { |ref| ref.ctx_val == "2013-3623" }
      })
    end
  end
end
| VAR-201912-1601 | CVE-2013-4985 | Vivotek IP Camera improper authentication vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Multiple Vivotek IP cameras contain a remote authentication bypass that could allow access to the video stream. Vivotek IP cameras contain an improper authentication vulnerability; information may be obtained. Vivotek IP cameras are webcam devices.
An attacker can exploit this issue to bypass the authentication mechanism and gain unauthorized access to the restricted functionality of the device.
| VAR-201311-0515 | No CVE | Netgear WNDR3700 Security Restriction Bypass Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The Netgear WNDR3700 is a wireless router product. The Netgear WNDR3700 has an error in the web interface when processing the BRS_02_genieHelp.html request. Successful exploitation can bypass certain security restrictions.
| VAR-201311-0302 | CVE-2013-5562 | Cisco Prime Central for HCS ITM web server denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The ITM web server in Cisco Prime Central for Hosted Collaboration Solution (HCS) allows remote attackers to cause a denial of service (temporary HTTP service outage) via a flood of TCP packets, aka Bug ID CSCuh36313.
Attackers can exploit this issue to crash the affected application, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCuh36313. The platform provides functions such as secure access authentication and real-time fault analysis.
| VAR-201311-0303 | CVE-2013-5563 | Cisco Security Monitoring, Analysis and Response System Query/NewQueryResult.jsp cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Query/NewQueryResult.jsp in Cisco Security Monitoring, Analysis and Response System (CS-MARS) allows remote attackers to inject arbitrary web script or HTML via the isnowLatency parameter, aka Bug ID CSCul16173.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCul16173. The system combines security event monitoring with correlation rules, factor analysis, abnormal traffic detection and other functions to help accurately identify and eliminate network attacks.
| VAR-201311-0299 | CVE-2013-5559 | Cisco AnyConnect Secure Mobility Client VPNAPI COM module buffer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139. The vendor has confirmed this vulnerability and published it as Bug ID CSCuj58139. Arbitrary code may be executed via a crafted HTML document.
Attackers can exploit this issue to execute arbitrary commands with elevated privileges. Failed exploit attempts will result in denial-of-service conditions. Due to the nature of this issue, arbitrary code execution may be possible; however, this has not been confirmed.
This issue is being tracked by Cisco Bug ID CSCuj58139. Cisco AnyConnect Secure Mobility Client is a Cisco secure mobile client that provides secure access to networks and applications from any device.
| VAR-201311-0301 | CVE-2013-5561 | Cisco ASA CX Remote Safe Search Policy Security Bypass Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622. The vendor has confirmed this vulnerability and published it as Bug ID CSCui94622. Third parties may be able to bypass policy restrictions. Cisco ASA CX is prone to a remote security-bypass vulnerability.
Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions. The vulnerability is caused by the program not performing filtering operations correctly.
| VAR-201311-0304 | CVE-2013-5564 | Cisco Prime Central for Hosted Collaboration Solution Impact server denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Java process in the Impact server in Cisco Prime Central for Hosted Collaboration Solution (HCS) allows remote attackers to cause a denial of service (process crash) via a flood of TCP packets, aka Bug ID CSCug57345.
Attackers can exploit this issue to crash the Java process, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCug57345. The platform provides functions such as secure access authentication and real-time fault analysis.
| VAR-201311-0362 | CVE-2013-6816 | SAP NetWeaver JavaDumpService and DataCollector servlet cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the (1) JavaDumpService and (2) DataCollector servlets in SAP NetWeaver allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Because certain unspecified input handled by the JavaDumpService and DataCollector servlets is not properly filtered before being returned to the user, an attacker can exploit the vulnerability to execute arbitrary HTML and script code in the user's browser session in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
| VAR-201311-0360 | CVE-2013-6814 | SAP NetWeaver SAP Portal URI Redirection Vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
The J2EE Engine in SAP NetWeaver 6.40, 7.02, and earlier allows remote attackers to redirect users to arbitrary web sites, conduct phishing attacks, and obtain sensitive information (cookies and SAPPASSPORT) via unspecified vectors. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There is a URI redirection vulnerability in SAP NetWeaver. SAP is prone to an open-redirection weakness because the application fails to properly sanitize user-supplied input.
An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. Other attacks are possible.
SAP NetWeaver J2EE 6.40 and 7.02 are vulnerable.
| VAR-202002-0570 | CVE-2013-3591 | vTiger CRM unrestricted upload of dangerous file type vulnerability (related entry in the VARIoT exploits database: VAR-E-201310-0073) |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
vTiger CRM 5.3 and 5.4: 'files' upload folder arbitrary PHP code execution vulnerability. vTiger CRM contains a vulnerability related to unrestricted upload of dangerous file types. Information may be obtained or tampered with, and a denial of service (DoS) may result.
An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
vTiger CRM 5.3.0 and 5.4.0 are vulnerable; other versions may also be affected. Vtiger CRM is a customer relationship management (CRM) system based on SugarCRM, developed by the American company Vtiger. The system provides functions such as management, collection, and analysis of customer information.
| VAR-201310-0651 | No CVE | Multiple Cross-Site Request Forgery Vulnerabilities in UNICORN WB-3300NR Router |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
The UNICORN WB-3300NR Router management page has multiple cross-site request forgery vulnerabilities, allowing remote attackers to construct malicious URIs, entice users to open them, and perform arbitrary operations in the context of the target user, such as resetting to factory settings, changing DNS settings, and obtaining WPA passwords. The UNICORN WB-3300NR Router is a wireless router product from UNICORN in Korea.
A cross-site request forgery vulnerability exists in the UNICORN WB-3300NR Router because the program does not properly filter HTTP requests. A remote attacker could use this vulnerability to perform unauthorized operations and take control of an affected device. This may aid in other attacks.
| VAR-201311-0394 | CVE-2013-6869 | SAP NetWeaver SRTT_GET_COUNT_BEFORE_KEY_RFC function SQL injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in the SRTT_GET_COUNT_BEFORE_KEY_RFC function in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. SAP NetWeaver is a service-oriented integrated application platform from the German company SAP. The platform provides a development and runtime environment for SAP applications. The vulnerability stems from insufficient filtering of user-submitted input before the program constructs SQL query statements. Attackers can use this vulnerability to steal cookie-based authentication credentials, control applications, access or modify data, or exploit potential vulnerabilities in the underlying database.
SAP NetWeaver 7.30 is vulnerable; other versions may also be affected.
| VAR-201311-0361 | CVE-2013-6815 | SAP NetWeaver ABAP application server denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The SHSTI_UPLOAD_XML function in the Application Server for ABAP (AS ABAP) in SAP NetWeaver 7.31 and earlier allows remote attackers to cause a denial of service via unspecified vectors, related to an XML External Entity (XXE) issue. This vulnerability is related to an XML External Entity (XXE) problem. A third party may cause a denial of service (DoS).
Exploiting these issues may allow a remote attacker to bypass certain security restrictions and perform unauthorized actions or cause denial-of-service conditions. This may lead to further attacks.
| VAR-201310-0804 | No CVE | NETGEAR WNDR3700 'sprintf()' function special host string buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Netgear WNDR3700 is a router device. The Netgear WNDR3700 router's sprintf() function has a buffer overflow when processing a specially crafted host string, allowing a remote attacker who submits a specially crafted request to crash the application or possibly execute arbitrary code.