VARIoT IoT vulnerabilities database

The kernel in Juniper Junos 10.4 before 10.4R14, 11.4 before 11.4R8, 11.4X27 before 11.4X27.43, 12.1 before 12.1R6, 12.1X44 before 12.1X44-D20, 12.2 before 12.2R4, and 12.3 before 12.3R2, in certain VLAN configurations with unrestricted arp-resp and proxy-arp settings, allows remote attackers to cause a denial of service (device crash) via a crafted ARP request, aka PR 842091. Juniper Networks Junos is prone to multiple denial-of-service vulnerabilities. Attackers can exploit these issues to cause the host system to crash, resulting in a denial-of-service condition. Junos 10.4, 11.4, 11.4X27, 12.1X44, 12.1, 12.2 and 12.3 are vulnerable. The operating system provides a secure programming interface and Junos SDK. Juniper Junos 10.4 before 10.4R14, 11.4 before 11.4R8, 11.4X27 before 11.4X27.43, 12.1 before 12.1R6, 12.1X44 before 12.1X44-D20, 12.2 before 12.2R4, There is a denial of service vulnerability in the 12.3 kernel before 12.3R2. The vulnerability stems from the lack of restrictions on the settings of arp-resp and proxy-arp in the VLAN configuration of the program

Buffer overflow in flowd in Juniper Junos 10.4 before 10.4S14, 11.4 before 11.4R7, 12.1 before 12.1R6, and 12.1X44 before 12.1X44-D15 on SRX devices, when Captive Portal is enabled with the UAC enforcer role, allows remote attackers to execute arbitrary code via crafted HTTP requests, aka PR 849100. Vendors have confirmed this vulnerability PR 849100 It is released as.Skillfully crafted by a third party HTTP Arbitrary code may be executed via a request. Juniper Networks Junos is prone to a remote buffer-overflow vulnerability. Attackers may leverage this issue to execute arbitrary code in the context of the affected device. Failed exploit attempts may result in a denial-of-service condition. The operating system provides a secure programming interface and Junos SDK. Buffering exists in flowd (Flow Daemon) in Juniper Junos 10.4 releases prior to 10.4S14, 11.4 releases prior to 11.4R7, 12.1 releases prior to 12.1R6, and 12.1X44 releases prior to 12.1X44-D15 on SRX Series Server Gateway devices area overflow vulnerability

flowd in Juniper Junos 10.4 before 10.4S14, 11.4 before 11.4R8, 12.1 before 12.1R7, and 12.1X44 before 12.1X44-D15 on SRX devices, when PIM and NAT are enabled, allows remote attackers to cause a denial of service (daemon crash) via crafted PIM packets, aka PR 842253. Juniper Networks Junos is prone to a remote denial-of-service vulnerability. Successfully exploiting this issue will result in denial-of-service conditions. The operating system provides a secure programming interface and Junos SDK. Denial of service exists in flowd (Flow Daemon) in Juniper Junos 10.4 releases prior to 10.4S14, 11.4 releases prior to 11.4R8, 12.1 releases prior to 12.1R7, and 12.1X44 releases prior to 12.1X44-D15 on SRX Series Server Gateway devices loophole

Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unified Communications Domain Manager allow remote attackers to inject arbitrary web script or HTML via vectors involving the (1) IptAccountMgmt, (2) IptFeatureConfigTemplateMgmt, (3) IptFeatureDisplayPolicyMgmt, or (4) IptProviderMgmt page, aka Bug IDs CSCud69972, CSCud70193, and CSCud70261. Vendors report this vulnerability CSCud69972 , CSCud70193 ,and CSCud70261 Published as.By a third party, due to issues with the pages below, Web Script or HTML May be inserted. (1) IptAccountMgmt page (2) IptFeatureConfigTemplateMgmt page (3) IptFeatureDisplayPolicyMgmt page (4) IptProviderMgmt page. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. These issues are being tracked by Cisco Bug IDs CSCud69972, CSCud70193, and CSCud70261. This component features scalable, distributed, and highly available enterprise Voice over IP call processing

Cross-site scripting (XSS) vulnerability in the web framework in the unified-communications management implementation in Cisco Unified Operations Manager and Unified Service Monitor allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug IDs CSCuh47574 and CSCuh95997. Vendors have confirmed this vulnerability Bug ID CSCuh47574 and CSCuh95997 It is released as.By any third party through unspecified parameters Web Script or HTML May be inserted. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco bug IDs CSCuh47574 and CSCuh95997

The web portal in TC software on Cisco TelePresence endpoints does not require an exact password match during a login attempt by a user who has not configured a password, which allows remote attackers to bypass authentication by sending an arbitrary password, aka Bug ID CSCud96071. Vendors have confirmed this vulnerability Bug ID CSCud96071 It is released as.Authentication may be bypassed by sending arbitrary passwords by a third party. Cisco TelePresence TC Software is prone to a remote authentication-bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and gain access to vulnerable devices. This may lead to further attacks. This issue is tracked by Cisco Bug ID CSCud96071. Cisco TelePresence is a set of video conferencing solutions called "TelePresence" system of Cisco (Cisco). The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect

RSLinx Enterprise is a standard OPC server software that bridges the communication between RSView Server and PLC. There is an out-of-bounds read error in the RSLinx Enterprise LogReceiver service. When the record size field in the received packet is larger than the actual number of received data, the service program will crash, causing a denial of service attack

RSLinx Enterprise is a standard OPC server software that bridges the communication between RSView Server and PLC. The RSLinx Enterprise LogReceiver service does not properly check the record data size field when parsing received packets. The remote attacker can use this vulnerability to submit a specially crafted request to trigger an integer overflow, which can crash the service and cause a denial of service attack

Cisco WebEx is a set of Web conferencing tools from Cisco in the United States. This tool can assist remote office staff to coordinate and cooperate. WebEx services include Web conferencing, telepresence video conferencing, and enterprise instant messaging (IM). An information disclosure vulnerability exists in the Cisco WebEx One-Click Client. An attacker could use this vulnerability to gain sensitive information, such as stored passwords, which can help launch further attacks

The GetComputerSystem method in the HostControl service in SAP Netweaver 7.03 allows remote attackers to obtain sensitive information via a crafted SOAP request to TCP port 1128. SAP Netweaver is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may lead to further attacks. SAP Netweaver 7.03 and prior are vulnerable

The license-installation module in Cisco NX-OS on Nexus 1000V devices allows local users to execute arbitrary commands via crafted "install license" arguments, aka Bug ID CSCuh30824. The Cisco Nexus Series switches are data center switches. Adopt the Cisco Nexus OS operating system. Successful exploits may compromise the affected computer. This issue being tracked by Cisco Bug ID CSCuh30824

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: A public posting on 20130831 referenced this ID for a specific issue, but that issue had not been assigned this ID by any CNA. Notes: The posting will later have IDs assigned in accordance with CVE content decisions. Zoom X4 and X5 are ADSL router devices. Multiple Zoom Telephonics devices have information leaks, verification bypasses and SQL injection vulnerabilities that allow remote attackers to exploit these vulnerabilities to gain unauthorized access, obtain sensitive information, and modify and access device data. Multiple Zoom Telephonics devices are prone to an information-disclosure vulnerability, multiple authentication bypass vulnerabilities and an SQL-injection vulnerability. They were first reported on June 28th, 2013 and partial disclosure was made on July 9, 2013. ---------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------- Directory Traversal/Unauthenticated access to administrative panels CVSS Base Score 9.7 Impact Subscore 9.5 Temporal Score: 8.3 (AV:N/AC:L/Au:N/C:P/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-22: Improper Limitation of a Pathname to a Restricted Directory CVE-2013-5622 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5627 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5624 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X By simply placing the following two URLs into a web browser, a vulnerability will all models and firmware versions allow for bypass of administrative credential challenge. All models and firmware versions can access these pages with no authentication. An un-authenticated user can preform almost all administrative tasks once the authentication is bypassed. http://<IP>/hag/pages/toc.htm (--Menu Banner) http://<IP>/hag/pages/toolbox.htm (-Advanced Options Menu) ---------------------------------------------------------------------------------------------------------------- Improper handling of unexpected characters/data CVSS Base Score 8.3 Impact Subscore 8.5 Temporal Score: 6.7 (AV:N/AC:M/Au:N/C:P/I:P/A:C/E:POC/RL:W/RC:UR) CWE-241: Improper Handling of Unexpected Data Type CVE-2013-5623 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5628 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5631 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X CVE-2013-5632 - Zoom ADSL Bridge Modem Model 5715; all firmware versions CVE-2013-5633 - Zoom USB ADSL Modem Model 5510B; all firmware versions When an unexpected/illegal character is added to the end of any URL which calls a value, such as http://<IP>/MainPage?id=25' the browser will immediately redirect the browser to the "System Status" page without authentication, where links to each interface (i.e. eth-0,usb-0,etc) is both selectable whose properties can be edited. ---------------------------------------------------------------------------------------------------------------- Plain text storage of ISP/PPPoe usernames/passwords CVSS Base Score 6.8 Impact Subscore 6.4 Temporal Score: 8.6 (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR) CWE-311: Missing Encryption of Sensitive Data CVE-2013-5620 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5626 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5629 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X The following command will display the ISP usernames and passwords. (The print value may vary slightly based on firmware.) Proof of Concept curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanPasswd'|awk '{ print $8 }' value="wanpasswd1" ('or similar') curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanUsrName'|awk '{ print $21 }' value="user@usersisp.net" ('or similar') ---------------------------------------------------------------------------------------------------------------- Unauthenticated direct execution of administrative tasks CVSS Base Score 10.0 Impact Subscore 10.0 Temporal Score: 8.6 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-285: Improper Authorization CVE-2013-5621 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X CVE-2013-5625 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X CVE-2013-5630 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X Administrative authentication can be bypassed and commands directly executed with specially crafted commands. Proofs of Concept - Create New Acct Admin or Intermediate - (all PW and admin names are 'or similar') http://<IP>/hag/emweb/PopOutUserAdd.htm?id=70&user_id="newintermediateaccount"&priv=v2&pass1="123456"&pass2="123456"&cmdSubmit=Save+Changes Clear Logs http://<IP>/Action?id=76&cmdClear+Log=Clear+Log ---------------------------------------------------------------------------------------------------------------- Fixes/Patches: There are no known patches or fixes for these vulnerabilities at this time. Workaround: It is advised to turn off all remote administrative access to the router. This workaround however, will not prevent local attacks. ---------------------------------------------------------------------------------------------------------------- External Links http://www.osvdb.org/show/osvdb/95071 http://xforce.iss.net/xforce/xfdb/85612 http://www.idappcom.com/db/?7819 Vendor Links http://www.zoomtel.com/products/5715.html http://www.zoomtel.com/graphics/datasheets/adsl/USB_3104_5510B.pdf http://www.zoomtel.com/products/adsl_overview.html http://www.zoomtel.com/products/5760.html http://www.zoomtel.com/products/5751.html http://www.zoomtel.com/products/5754.html Discovered - 06-28-2013 Updated - 09/01/2013 Research Contact - K Lovett Affiliation - QuattroSG

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: A public posting on 20130831 referenced this ID for a specific issue, but that issue had not been assigned this ID by any CNA. Notes: The posting will later have IDs assigned in accordance with CVE content decisions. Zoom X4 and X5 are ADSL router devices. Multiple Zoom Telephonics devices have information leaks, verification bypasses and SQL injection vulnerabilities that allow remote attackers to exploit these vulnerabilities to gain unauthorized access, obtain sensitive information, and modify and access device data. Multiple Zoom Telephonics devices are prone to an information-disclosure vulnerability, multiple authentication bypass vulnerabilities and an SQL-injection vulnerability. They were first reported on June 28th, 2013 and partial disclosure was made on July 9, 2013. ---------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------- Directory Traversal/Unauthenticated access to administrative panels CVSS Base Score 9.7 Impact Subscore 9.5 Temporal Score: 8.3 (AV:N/AC:L/Au:N/C:P/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-22: Improper Limitation of a Pathname to a Restricted Directory CVE-2013-5622 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5627 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5624 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X By simply placing the following two URLs into a web browser, a vulnerability will all models and firmware versions allow for bypass of administrative credential challenge. All models and firmware versions can access these pages with no authentication. An un-authenticated user can preform almost all administrative tasks once the authentication is bypassed. http://<IP>/hag/pages/toc.htm (--Menu Banner) http://<IP>/hag/pages/toolbox.htm (-Advanced Options Menu) ---------------------------------------------------------------------------------------------------------------- Improper handling of unexpected characters/data CVSS Base Score 8.3 Impact Subscore 8.5 Temporal Score: 6.7 (AV:N/AC:M/Au:N/C:P/I:P/A:C/E:POC/RL:W/RC:UR) CWE-241: Improper Handling of Unexpected Data Type CVE-2013-5623 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5628 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5631 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X CVE-2013-5632 - Zoom ADSL Bridge Modem Model 5715; all firmware versions CVE-2013-5633 - Zoom USB ADSL Modem Model 5510B; all firmware versions When an unexpected/illegal character is added to the end of any URL which calls a value, such as http://<IP>/MainPage?id=25' the browser will immediately redirect the browser to the "System Status" page without authentication, where links to each interface (i.e. eth-0,usb-0,etc) is both selectable whose properties can be edited. ---------------------------------------------------------------------------------------------------------------- Plain text storage of ISP/PPPoe usernames/passwords CVSS Base Score 6.8 Impact Subscore 6.4 Temporal Score: 8.6 (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR) CWE-311: Missing Encryption of Sensitive Data CVE-2013-5620 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5626 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5629 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X The following command will display the ISP usernames and passwords. (The print value may vary slightly based on firmware.) Proof of Concept curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanPasswd'|awk '{ print $8 }' value="wanpasswd1" ('or similar') curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanUsrName'|awk '{ print $21 }' value="user@usersisp.net" ('or similar') ---------------------------------------------------------------------------------------------------------------- Unauthenticated direct execution of administrative tasks CVSS Base Score 10.0 Impact Subscore 10.0 Temporal Score: 8.6 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-285: Improper Authorization CVE-2013-5621 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X CVE-2013-5625 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X CVE-2013-5630 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X Administrative authentication can be bypassed and commands directly executed with specially crafted commands. Proofs of Concept - Create New Acct Admin or Intermediate - (all PW and admin names are 'or similar') http://<IP>/hag/emweb/PopOutUserAdd.htm?id=70&user_id="newintermediateaccount"&priv=v2&pass1="123456"&pass2="123456"&cmdSubmit=Save+Changes Clear Logs http://<IP>/Action?id=76&cmdClear+Log=Clear+Log ---------------------------------------------------------------------------------------------------------------- Fixes/Patches: There are no known patches or fixes for these vulnerabilities at this time. Workaround: It is advised to turn off all remote administrative access to the router. This workaround however, will not prevent local attacks. ---------------------------------------------------------------------------------------------------------------- External Links http://www.osvdb.org/show/osvdb/95071 http://xforce.iss.net/xforce/xfdb/85612 http://www.idappcom.com/db/?7819 Vendor Links http://www.zoomtel.com/products/5715.html http://www.zoomtel.com/graphics/datasheets/adsl/USB_3104_5510B.pdf http://www.zoomtel.com/products/adsl_overview.html http://www.zoomtel.com/products/5760.html http://www.zoomtel.com/products/5751.html http://www.zoomtel.com/products/5754.html Discovered - 06-28-2013 Updated - 09/01/2013 Research Contact - K Lovett Affiliation - QuattroSG

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: A public posting on 20130831 referenced this ID for a specific issue, but that issue had not been assigned this ID by any CNA. Notes: The posting will later have IDs assigned in accordance with CVE content decisions. Zoom X4 and X5 are ADSL router devices. Multiple Zoom Telephonics devices have information leaks, verification bypasses and SQL injection vulnerabilities that allow remote attackers to exploit these vulnerabilities to gain unauthorized access, obtain sensitive information, and modify and access device data. Multiple Zoom Telephonics devices are prone to an information-disclosure vulnerability, multiple authentication bypass vulnerabilities and an SQL-injection vulnerability. They were first reported on June 28th, 2013 and partial disclosure was made on July 9, 2013. ---------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------- Directory Traversal/Unauthenticated access to administrative panels CVSS Base Score 9.7 Impact Subscore 9.5 Temporal Score: 8.3 (AV:N/AC:L/Au:N/C:P/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-22: Improper Limitation of a Pathname to a Restricted Directory CVE-2013-5622 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5627 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5624 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X By simply placing the following two URLs into a web browser, a vulnerability will all models and firmware versions allow for bypass of administrative credential challenge. All models and firmware versions can access these pages with no authentication. An un-authenticated user can preform almost all administrative tasks once the authentication is bypassed. http://<IP>/hag/pages/toc.htm (--Menu Banner) http://<IP>/hag/pages/toolbox.htm (-Advanced Options Menu) ---------------------------------------------------------------------------------------------------------------- Improper handling of unexpected characters/data CVSS Base Score 8.3 Impact Subscore 8.5 Temporal Score: 6.7 (AV:N/AC:M/Au:N/C:P/I:P/A:C/E:POC/RL:W/RC:UR) CWE-241: Improper Handling of Unexpected Data Type CVE-2013-5623 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5628 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5631 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X CVE-2013-5632 - Zoom ADSL Bridge Modem Model 5715; all firmware versions CVE-2013-5633 - Zoom USB ADSL Modem Model 5510B; all firmware versions When an unexpected/illegal character is added to the end of any URL which calls a value, such as http://<IP>/MainPage?id=25' the browser will immediately redirect the browser to the "System Status" page without authentication, where links to each interface (i.e. eth-0,usb-0,etc) is both selectable whose properties can be edited. ---------------------------------------------------------------------------------------------------------------- Plain text storage of ISP/PPPoe usernames/passwords CVSS Base Score 6.8 Impact Subscore 6.4 Temporal Score: 8.6 (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR) CWE-311: Missing Encryption of Sensitive Data CVE-2013-5620 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5626 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5629 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X The following command will display the ISP usernames and passwords. (The print value may vary slightly based on firmware.) Proof of Concept curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanPasswd'|awk '{ print $8 }' value="wanpasswd1" ('or similar') curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanUsrName'|awk '{ print $21 }' value="user@usersisp.net" ('or similar') ---------------------------------------------------------------------------------------------------------------- Unauthenticated direct execution of administrative tasks CVSS Base Score 10.0 Impact Subscore 10.0 Temporal Score: 8.6 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-285: Improper Authorization CVE-2013-5621 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X CVE-2013-5625 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X CVE-2013-5630 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X Administrative authentication can be bypassed and commands directly executed with specially crafted commands. Proofs of Concept - Create New Acct Admin or Intermediate - (all PW and admin names are 'or similar') http://<IP>/hag/emweb/PopOutUserAdd.htm?id=70&user_id="newintermediateaccount"&priv=v2&pass1="123456"&pass2="123456"&cmdSubmit=Save+Changes Clear Logs http://<IP>/Action?id=76&cmdClear+Log=Clear+Log ---------------------------------------------------------------------------------------------------------------- Fixes/Patches: There are no known patches or fixes for these vulnerabilities at this time. Workaround: It is advised to turn off all remote administrative access to the router. This workaround however, will not prevent local attacks. ---------------------------------------------------------------------------------------------------------------- External Links http://www.osvdb.org/show/osvdb/95071 http://xforce.iss.net/xforce/xfdb/85612 http://www.idappcom.com/db/?7819 Vendor Links http://www.zoomtel.com/products/5715.html http://www.zoomtel.com/graphics/datasheets/adsl/USB_3104_5510B.pdf http://www.zoomtel.com/products/adsl_overview.html http://www.zoomtel.com/products/5760.html http://www.zoomtel.com/products/5751.html http://www.zoomtel.com/products/5754.html Discovered - 06-28-2013 Updated - 09/01/2013 Research Contact - K Lovett Affiliation - QuattroSG

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: A public posting on 20130831 referenced this ID for a specific issue, but that issue had not been assigned this ID by any CNA. Notes: The posting will later have IDs assigned in accordance with CVE content decisions. Zoom X4 and X5 are ADSL router devices. Multiple Zoom Telephonics devices have information leaks, verification bypasses and SQL injection vulnerabilities that allow remote attackers to exploit these vulnerabilities to gain unauthorized access, obtain sensitive information, and modify and access device data. Multiple Zoom Telephonics devices are prone to an information-disclosure vulnerability, multiple authentication bypass vulnerabilities and an SQL-injection vulnerability. They were first reported on June 28th, 2013 and partial disclosure was made on July 9, 2013. ---------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------- Directory Traversal/Unauthenticated access to administrative panels CVSS Base Score 9.7 Impact Subscore 9.5 Temporal Score: 8.3 (AV:N/AC:L/Au:N/C:P/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-22: Improper Limitation of a Pathname to a Restricted Directory CVE-2013-5622 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5627 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5624 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X By simply placing the following two URLs into a web browser, a vulnerability will all models and firmware versions allow for bypass of administrative credential challenge. All models and firmware versions can access these pages with no authentication. An un-authenticated user can preform almost all administrative tasks once the authentication is bypassed. http://<IP>/hag/pages/toc.htm (--Menu Banner) http://<IP>/hag/pages/toolbox.htm (-Advanced Options Menu) ---------------------------------------------------------------------------------------------------------------- Improper handling of unexpected characters/data CVSS Base Score 8.3 Impact Subscore 8.5 Temporal Score: 6.7 (AV:N/AC:M/Au:N/C:P/I:P/A:C/E:POC/RL:W/RC:UR) CWE-241: Improper Handling of Unexpected Data Type CVE-2013-5623 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5628 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5631 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X CVE-2013-5632 - Zoom ADSL Bridge Modem Model 5715; all firmware versions CVE-2013-5633 - Zoom USB ADSL Modem Model 5510B; all firmware versions When an unexpected/illegal character is added to the end of any URL which calls a value, such as http://<IP>/MainPage?id=25' the browser will immediately redirect the browser to the "System Status" page without authentication, where links to each interface (i.e. eth-0,usb-0,etc) is both selectable whose properties can be edited. ---------------------------------------------------------------------------------------------------------------- Plain text storage of ISP/PPPoe usernames/passwords CVSS Base Score 6.8 Impact Subscore 6.4 Temporal Score: 8.6 (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR) CWE-311: Missing Encryption of Sensitive Data CVE-2013-5620 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5626 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5629 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X The following command will display the ISP usernames and passwords. (The print value may vary slightly based on firmware.) Proof of Concept curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanPasswd'|awk '{ print $8 }' value="wanpasswd1" ('or similar') curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanUsrName'|awk '{ print $21 }' value="user@usersisp.net" ('or similar') ---------------------------------------------------------------------------------------------------------------- Unauthenticated direct execution of administrative tasks CVSS Base Score 10.0 Impact Subscore 10.0 Temporal Score: 8.6 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-285: Improper Authorization CVE-2013-5621 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X CVE-2013-5625 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X CVE-2013-5630 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X Administrative authentication can be bypassed and commands directly executed with specially crafted commands. Proofs of Concept - Create New Acct Admin or Intermediate - (all PW and admin names are 'or similar') http://<IP>/hag/emweb/PopOutUserAdd.htm?id=70&user_id="newintermediateaccount"&priv=v2&pass1="123456"&pass2="123456"&cmdSubmit=Save+Changes Clear Logs http://<IP>/Action?id=76&cmdClear+Log=Clear+Log ---------------------------------------------------------------------------------------------------------------- Fixes/Patches: There are no known patches or fixes for these vulnerabilities at this time. Workaround: It is advised to turn off all remote administrative access to the router. This workaround however, will not prevent local attacks. ---------------------------------------------------------------------------------------------------------------- External Links http://www.osvdb.org/show/osvdb/95071 http://xforce.iss.net/xforce/xfdb/85612 http://www.idappcom.com/db/?7819 Vendor Links http://www.zoomtel.com/products/5715.html http://www.zoomtel.com/graphics/datasheets/adsl/USB_3104_5510B.pdf http://www.zoomtel.com/products/adsl_overview.html http://www.zoomtel.com/products/5760.html http://www.zoomtel.com/products/5751.html http://www.zoomtel.com/products/5754.html Discovered - 06-28-2013 Updated - 09/01/2013 Research Contact - K Lovett Affiliation - QuattroSG

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: A public posting on 20130831 referenced this ID for a specific issue, but that issue had not been assigned this ID by any CNA. Notes: The posting will later have IDs assigned in accordance with CVE content decisions. Zoom X4 and X5 are ADSL router devices. Multiple Zoom Telephonics devices have information leaks, verification bypasses and SQL injection vulnerabilities that allow remote attackers to exploit these vulnerabilities to gain unauthorized access, obtain sensitive information, and modify and access device data. Multiple Zoom Telephonics devices are prone to an information-disclosure vulnerability, multiple authentication bypass vulnerabilities and an SQL-injection vulnerability. They were first reported on June 28th, 2013 and partial disclosure was made on July 9, 2013. ---------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------- Directory Traversal/Unauthenticated access to administrative panels CVSS Base Score 9.7 Impact Subscore 9.5 Temporal Score: 8.3 (AV:N/AC:L/Au:N/C:P/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-22: Improper Limitation of a Pathname to a Restricted Directory CVE-2013-5622 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5627 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5624 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X By simply placing the following two URLs into a web browser, a vulnerability will all models and firmware versions allow for bypass of administrative credential challenge. All models and firmware versions can access these pages with no authentication. An un-authenticated user can preform almost all administrative tasks once the authentication is bypassed. http://<IP>/hag/pages/toc.htm (--Menu Banner) http://<IP>/hag/pages/toolbox.htm (-Advanced Options Menu) ---------------------------------------------------------------------------------------------------------------- Improper handling of unexpected characters/data CVSS Base Score 8.3 Impact Subscore 8.5 Temporal Score: 6.7 (AV:N/AC:M/Au:N/C:P/I:P/A:C/E:POC/RL:W/RC:UR) CWE-241: Improper Handling of Unexpected Data Type CVE-2013-5623 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5628 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5631 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X CVE-2013-5632 - Zoom ADSL Bridge Modem Model 5715; all firmware versions CVE-2013-5633 - Zoom USB ADSL Modem Model 5510B; all firmware versions When an unexpected/illegal character is added to the end of any URL which calls a value, such as http://<IP>/MainPage?id=25' the browser will immediately redirect the browser to the "System Status" page without authentication, where links to each interface (i.e. eth-0,usb-0,etc) is both selectable whose properties can be edited. ---------------------------------------------------------------------------------------------------------------- Plain text storage of ISP/PPPoe usernames/passwords CVSS Base Score 6.8 Impact Subscore 6.4 Temporal Score: 8.6 (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR) CWE-311: Missing Encryption of Sensitive Data CVE-2013-5620 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5626 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5629 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X The following command will display the ISP usernames and passwords. (The print value may vary slightly based on firmware.) Proof of Concept curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanPasswd'|awk '{ print $8 }' value="wanpasswd1" ('or similar') curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanUsrName'|awk '{ print $21 }' value="user@usersisp.net" ('or similar') ---------------------------------------------------------------------------------------------------------------- Unauthenticated direct execution of administrative tasks CVSS Base Score 10.0 Impact Subscore 10.0 Temporal Score: 8.6 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-285: Improper Authorization CVE-2013-5621 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X CVE-2013-5625 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X CVE-2013-5630 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X Administrative authentication can be bypassed and commands directly executed with specially crafted commands. Proofs of Concept - Create New Acct Admin or Intermediate - (all PW and admin names are 'or similar') http://<IP>/hag/emweb/PopOutUserAdd.htm?id=70&user_id="newintermediateaccount"&priv=v2&pass1="123456"&pass2="123456"&cmdSubmit=Save+Changes Clear Logs http://<IP>/Action?id=76&cmdClear+Log=Clear+Log ---------------------------------------------------------------------------------------------------------------- Fixes/Patches: There are no known patches or fixes for these vulnerabilities at this time. Workaround: It is advised to turn off all remote administrative access to the router. This workaround however, will not prevent local attacks. ---------------------------------------------------------------------------------------------------------------- External Links http://www.osvdb.org/show/osvdb/95071 http://xforce.iss.net/xforce/xfdb/85612 http://www.idappcom.com/db/?7819 Vendor Links http://www.zoomtel.com/products/5715.html http://www.zoomtel.com/graphics/datasheets/adsl/USB_3104_5510B.pdf http://www.zoomtel.com/products/adsl_overview.html http://www.zoomtel.com/products/5760.html http://www.zoomtel.com/products/5751.html http://www.zoomtel.com/products/5754.html Discovered - 06-28-2013 Updated - 09/01/2013 Research Contact - K Lovett Affiliation - QuattroSG

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: A public posting on 20130831 referenced this ID for a specific issue, but that issue had not been assigned this ID by any CNA. Notes: The posting will later have IDs assigned in accordance with CVE content decisions. Zoom X4 and X5 are ADSL router devices. Multiple Zoom Telephonics devices have information leaks, verification bypasses and SQL injection vulnerabilities that allow remote attackers to exploit these vulnerabilities to gain unauthorized access, obtain sensitive information, and modify and access device data. Multiple Zoom Telephonics devices are prone to an information-disclosure vulnerability, multiple authentication bypass vulnerabilities and an SQL-injection vulnerability. They were first reported on June 28th, 2013 and partial disclosure was made on July 9, 2013. ---------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------- Directory Traversal/Unauthenticated access to administrative panels CVSS Base Score 9.7 Impact Subscore 9.5 Temporal Score: 8.3 (AV:N/AC:L/Au:N/C:P/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-22: Improper Limitation of a Pathname to a Restricted Directory CVE-2013-5622 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5627 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5624 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X By simply placing the following two URLs into a web browser, a vulnerability will all models and firmware versions allow for bypass of administrative credential challenge. All models and firmware versions can access these pages with no authentication. An un-authenticated user can preform almost all administrative tasks once the authentication is bypassed. http://<IP>/hag/pages/toc.htm (--Menu Banner) http://<IP>/hag/pages/toolbox.htm (-Advanced Options Menu) ---------------------------------------------------------------------------------------------------------------- Improper handling of unexpected characters/data CVSS Base Score 8.3 Impact Subscore 8.5 Temporal Score: 6.7 (AV:N/AC:M/Au:N/C:P/I:P/A:C/E:POC/RL:W/RC:UR) CWE-241: Improper Handling of Unexpected Data Type CVE-2013-5623 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5628 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5631 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X CVE-2013-5632 - Zoom ADSL Bridge Modem Model 5715; all firmware versions CVE-2013-5633 - Zoom USB ADSL Modem Model 5510B; all firmware versions When an unexpected/illegal character is added to the end of any URL which calls a value, such as http://<IP>/MainPage?id=25' the browser will immediately redirect the browser to the "System Status" page without authentication, where links to each interface (i.e. eth-0,usb-0,etc) is both selectable whose properties can be edited. ---------------------------------------------------------------------------------------------------------------- Plain text storage of ISP/PPPoe usernames/passwords CVSS Base Score 6.8 Impact Subscore 6.4 Temporal Score: 8.6 (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR) CWE-311: Missing Encryption of Sensitive Data CVE-2013-5620 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5626 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5629 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X The following command will display the ISP usernames and passwords. (The print value may vary slightly based on firmware.) Proof of Concept curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanPasswd'|awk '{ print $8 }' value="wanpasswd1" ('or similar') curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanUsrName'|awk '{ print $21 }' value="user@usersisp.net" ('or similar') ---------------------------------------------------------------------------------------------------------------- Unauthenticated direct execution of administrative tasks CVSS Base Score 10.0 Impact Subscore 10.0 Temporal Score: 8.6 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-285: Improper Authorization CVE-2013-5621 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X CVE-2013-5625 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X CVE-2013-5630 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X Administrative authentication can be bypassed and commands directly executed with specially crafted commands. Proofs of Concept - Create New Acct Admin or Intermediate - (all PW and admin names are 'or similar') http://<IP>/hag/emweb/PopOutUserAdd.htm?id=70&user_id="newintermediateaccount"&priv=v2&pass1="123456"&pass2="123456"&cmdSubmit=Save+Changes Clear Logs http://<IP>/Action?id=76&cmdClear+Log=Clear+Log ---------------------------------------------------------------------------------------------------------------- Fixes/Patches: There are no known patches or fixes for these vulnerabilities at this time. Workaround: It is advised to turn off all remote administrative access to the router. This workaround however, will not prevent local attacks. ---------------------------------------------------------------------------------------------------------------- External Links http://www.osvdb.org/show/osvdb/95071 http://xforce.iss.net/xforce/xfdb/85612 http://www.idappcom.com/db/?7819 Vendor Links http://www.zoomtel.com/products/5715.html http://www.zoomtel.com/graphics/datasheets/adsl/USB_3104_5510B.pdf http://www.zoomtel.com/products/adsl_overview.html http://www.zoomtel.com/products/5760.html http://www.zoomtel.com/products/5751.html http://www.zoomtel.com/products/5754.html Discovered - 06-28-2013 Updated - 09/01/2013 Research Contact - K Lovett Affiliation - QuattroSG

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: A public posting on 20130831 referenced this ID for a specific issue, but that issue had not been assigned this ID by any CNA. Notes: The posting will later have IDs assigned in accordance with CVE content decisions. Zoom X4 and X5 are ADSL router devices. Multiple Zoom Telephonics devices have information leaks, verification bypasses and SQL injection vulnerabilities that allow remote attackers to exploit these vulnerabilities to gain unauthorized access, obtain sensitive information, and modify and access device data. Multiple Zoom Telephonics devices are prone to an information-disclosure vulnerability, multiple authentication bypass vulnerabilities and an SQL-injection vulnerability. They were first reported on June 28th, 2013 and partial disclosure was made on July 9, 2013. ---------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------- Directory Traversal/Unauthenticated access to administrative panels CVSS Base Score 9.7 Impact Subscore 9.5 Temporal Score: 8.3 (AV:N/AC:L/Au:N/C:P/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-22: Improper Limitation of a Pathname to a Restricted Directory CVE-2013-5622 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5627 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5624 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X By simply placing the following two URLs into a web browser, a vulnerability will all models and firmware versions allow for bypass of administrative credential challenge. All models and firmware versions can access these pages with no authentication. An un-authenticated user can preform almost all administrative tasks once the authentication is bypassed. http://<IP>/hag/pages/toc.htm (--Menu Banner) http://<IP>/hag/pages/toolbox.htm (-Advanced Options Menu) ---------------------------------------------------------------------------------------------------------------- Improper handling of unexpected characters/data CVSS Base Score 8.3 Impact Subscore 8.5 Temporal Score: 6.7 (AV:N/AC:M/Au:N/C:P/I:P/A:C/E:POC/RL:W/RC:UR) CWE-241: Improper Handling of Unexpected Data Type CVE-2013-5623 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5628 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5631 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X CVE-2013-5632 - Zoom ADSL Bridge Modem Model 5715; all firmware versions CVE-2013-5633 - Zoom USB ADSL Modem Model 5510B; all firmware versions When an unexpected/illegal character is added to the end of any URL which calls a value, such as http://<IP>/MainPage?id=25' the browser will immediately redirect the browser to the "System Status" page without authentication, where links to each interface (i.e. eth-0,usb-0,etc) is both selectable whose properties can be edited. ---------------------------------------------------------------------------------------------------------------- Plain text storage of ISP/PPPoe usernames/passwords CVSS Base Score 6.8 Impact Subscore 6.4 Temporal Score: 8.6 (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR) CWE-311: Missing Encryption of Sensitive Data CVE-2013-5620 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5626 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5629 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X The following command will display the ISP usernames and passwords. (The print value may vary slightly based on firmware.) Proof of Concept curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanPasswd'|awk '{ print $8 }' value="wanpasswd1" ('or similar') curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanUsrName'|awk '{ print $21 }' value="user@usersisp.net" ('or similar') ---------------------------------------------------------------------------------------------------------------- Unauthenticated direct execution of administrative tasks CVSS Base Score 10.0 Impact Subscore 10.0 Temporal Score: 8.6 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-285: Improper Authorization CVE-2013-5621 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X CVE-2013-5625 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X CVE-2013-5630 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X Administrative authentication can be bypassed and commands directly executed with specially crafted commands. Proofs of Concept - Create New Acct Admin or Intermediate - (all PW and admin names are 'or similar') http://<IP>/hag/emweb/PopOutUserAdd.htm?id=70&user_id="newintermediateaccount"&priv=v2&pass1="123456"&pass2="123456"&cmdSubmit=Save+Changes Clear Logs http://<IP>/Action?id=76&cmdClear+Log=Clear+Log ---------------------------------------------------------------------------------------------------------------- Fixes/Patches: There are no known patches or fixes for these vulnerabilities at this time. Workaround: It is advised to turn off all remote administrative access to the router. This workaround however, will not prevent local attacks. ---------------------------------------------------------------------------------------------------------------- External Links http://www.osvdb.org/show/osvdb/95071 http://xforce.iss.net/xforce/xfdb/85612 http://www.idappcom.com/db/?7819 Vendor Links http://www.zoomtel.com/products/5715.html http://www.zoomtel.com/graphics/datasheets/adsl/USB_3104_5510B.pdf http://www.zoomtel.com/products/adsl_overview.html http://www.zoomtel.com/products/5760.html http://www.zoomtel.com/products/5751.html http://www.zoomtel.com/products/5754.html Discovered - 06-28-2013 Updated - 09/01/2013 Research Contact - K Lovett Affiliation - QuattroSG

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: A public posting on 20130831 referenced this ID for a specific issue, but that issue had not been assigned this ID by any CNA. Notes: The posting will later have IDs assigned in accordance with CVE content decisions. Zoom X4 and X5 are ADSL router devices. Multiple Zoom Telephonics devices have information leaks, verification bypasses and SQL injection vulnerabilities that allow remote attackers to exploit these vulnerabilities to gain unauthorized access, obtain sensitive information, and modify and access device data. Multiple Zoom Telephonics devices are prone to an information-disclosure vulnerability, multiple authentication bypass vulnerabilities and an SQL-injection vulnerability. They were first reported on June 28th, 2013 and partial disclosure was made on July 9, 2013. ---------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------- Directory Traversal/Unauthenticated access to administrative panels CVSS Base Score 9.7 Impact Subscore 9.5 Temporal Score: 8.3 (AV:N/AC:L/Au:N/C:P/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-22: Improper Limitation of a Pathname to a Restricted Directory CVE-2013-5622 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5627 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5624 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X By simply placing the following two URLs into a web browser, a vulnerability will all models and firmware versions allow for bypass of administrative credential challenge. All models and firmware versions can access these pages with no authentication. An un-authenticated user can preform almost all administrative tasks once the authentication is bypassed. http://<IP>/hag/pages/toc.htm (--Menu Banner) http://<IP>/hag/pages/toolbox.htm (-Advanced Options Menu) ---------------------------------------------------------------------------------------------------------------- Improper handling of unexpected characters/data CVSS Base Score 8.3 Impact Subscore 8.5 Temporal Score: 6.7 (AV:N/AC:M/Au:N/C:P/I:P/A:C/E:POC/RL:W/RC:UR) CWE-241: Improper Handling of Unexpected Data Type CVE-2013-5623 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5628 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5631 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X CVE-2013-5632 - Zoom ADSL Bridge Modem Model 5715; all firmware versions CVE-2013-5633 - Zoom USB ADSL Modem Model 5510B; all firmware versions When an unexpected/illegal character is added to the end of any URL which calls a value, such as http://<IP>/MainPage?id=25' the browser will immediately redirect the browser to the "System Status" page without authentication, where links to each interface (i.e. eth-0,usb-0,etc) is both selectable whose properties can be edited. ---------------------------------------------------------------------------------------------------------------- Plain text storage of ISP/PPPoe usernames/passwords CVSS Base Score 6.8 Impact Subscore 6.4 Temporal Score: 8.6 (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR) CWE-311: Missing Encryption of Sensitive Data CVE-2013-5620 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5626 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5629 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X The following command will display the ISP usernames and passwords. (The print value may vary slightly based on firmware.) Proof of Concept curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanPasswd'|awk '{ print $8 }' value="wanpasswd1" ('or similar') curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanUsrName'|awk '{ print $21 }' value="user@usersisp.net" ('or similar') ---------------------------------------------------------------------------------------------------------------- Unauthenticated direct execution of administrative tasks CVSS Base Score 10.0 Impact Subscore 10.0 Temporal Score: 8.6 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-285: Improper Authorization CVE-2013-5621 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X CVE-2013-5625 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X CVE-2013-5630 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X Administrative authentication can be bypassed and commands directly executed with specially crafted commands. Proofs of Concept - Create New Acct Admin or Intermediate - (all PW and admin names are 'or similar') http://<IP>/hag/emweb/PopOutUserAdd.htm?id=70&user_id="newintermediateaccount"&priv=v2&pass1="123456"&pass2="123456"&cmdSubmit=Save+Changes Clear Logs http://<IP>/Action?id=76&cmdClear+Log=Clear+Log ---------------------------------------------------------------------------------------------------------------- Fixes/Patches: There are no known patches or fixes for these vulnerabilities at this time. Workaround: It is advised to turn off all remote administrative access to the router. This workaround however, will not prevent local attacks. ---------------------------------------------------------------------------------------------------------------- External Links http://www.osvdb.org/show/osvdb/95071 http://xforce.iss.net/xforce/xfdb/85612 http://www.idappcom.com/db/?7819 Vendor Links http://www.zoomtel.com/products/5715.html http://www.zoomtel.com/graphics/datasheets/adsl/USB_3104_5510B.pdf http://www.zoomtel.com/products/adsl_overview.html http://www.zoomtel.com/products/5760.html http://www.zoomtel.com/products/5751.html http://www.zoomtel.com/products/5754.html Discovered - 06-28-2013 Updated - 09/01/2013 Research Contact - K Lovett Affiliation - QuattroSG

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: A public posting on 20130831 referenced this ID for a specific issue, but that issue had not been assigned this ID by any CNA. Notes: The posting will later have IDs assigned in accordance with CVE content decisions. Zoom X4 and X5 are ADSL router devices. Multiple Zoom Telephonics devices have information leaks, verification bypasses and SQL injection vulnerabilities that allow remote attackers to exploit these vulnerabilities to gain unauthorized access, obtain sensitive information, and modify and access device data. Multiple Zoom Telephonics devices are prone to an information-disclosure vulnerability, multiple authentication bypass vulnerabilities and an SQL-injection vulnerability. They were first reported on June 28th, 2013 and partial disclosure was made on July 9, 2013. ---------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------- Directory Traversal/Unauthenticated access to administrative panels CVSS Base Score 9.7 Impact Subscore 9.5 Temporal Score: 8.3 (AV:N/AC:L/Au:N/C:P/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-22: Improper Limitation of a Pathname to a Restricted Directory CVE-2013-5622 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5627 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5624 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X By simply placing the following two URLs into a web browser, a vulnerability will all models and firmware versions allow for bypass of administrative credential challenge. All models and firmware versions can access these pages with no authentication. An un-authenticated user can preform almost all administrative tasks once the authentication is bypassed. http://<IP>/hag/pages/toc.htm (--Menu Banner) http://<IP>/hag/pages/toolbox.htm (-Advanced Options Menu) ---------------------------------------------------------------------------------------------------------------- Improper handling of unexpected characters/data CVSS Base Score 8.3 Impact Subscore 8.5 Temporal Score: 6.7 (AV:N/AC:M/Au:N/C:P/I:P/A:C/E:POC/RL:W/RC:UR) CWE-241: Improper Handling of Unexpected Data Type CVE-2013-5623 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5628 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5631 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X CVE-2013-5632 - Zoom ADSL Bridge Modem Model 5715; all firmware versions CVE-2013-5633 - Zoom USB ADSL Modem Model 5510B; all firmware versions When an unexpected/illegal character is added to the end of any URL which calls a value, such as http://<IP>/MainPage?id=25' the browser will immediately redirect the browser to the "System Status" page without authentication, where links to each interface (i.e. eth-0,usb-0,etc) is both selectable whose properties can be edited. ---------------------------------------------------------------------------------------------------------------- Plain text storage of ISP/PPPoe usernames/passwords CVSS Base Score 6.8 Impact Subscore 6.4 Temporal Score: 8.6 (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR) CWE-311: Missing Encryption of Sensitive Data CVE-2013-5620 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.2 CVE-2013-5626 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X CVE-2013-5629 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X 3.0.X The following command will display the ISP usernames and passwords. (The print value may vary slightly based on firmware.) Proof of Concept curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanPasswd'|awk '{ print $8 }' value="wanpasswd1" ('or similar') curl -s http://<IP>/MainPage?id=25 |egrep -i 'MacWanUsrName'|awk '{ print $21 }' value="user@usersisp.net" ('or similar') ---------------------------------------------------------------------------------------------------------------- Unauthenticated direct execution of administrative tasks CVSS Base Score 10.0 Impact Subscore 10.0 Temporal Score: 8.6 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) CWE-285: Improper Authorization CVE-2013-5621 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X CVE-2013-5625 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X CVE-2013-5630 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X Administrative authentication can be bypassed and commands directly executed with specially crafted commands. Proofs of Concept - Create New Acct Admin or Intermediate - (all PW and admin names are 'or similar') http://<IP>/hag/emweb/PopOutUserAdd.htm?id=70&user_id="newintermediateaccount"&priv=v2&pass1="123456"&pass2="123456"&cmdSubmit=Save+Changes Clear Logs http://<IP>/Action?id=76&cmdClear+Log=Clear+Log ---------------------------------------------------------------------------------------------------------------- Fixes/Patches: There are no known patches or fixes for these vulnerabilities at this time. Workaround: It is advised to turn off all remote administrative access to the router. This workaround however, will not prevent local attacks. ---------------------------------------------------------------------------------------------------------------- External Links http://www.osvdb.org/show/osvdb/95071 http://xforce.iss.net/xforce/xfdb/85612 http://www.idappcom.com/db/?7819 Vendor Links http://www.zoomtel.com/products/5715.html http://www.zoomtel.com/graphics/datasheets/adsl/USB_3104_5510B.pdf http://www.zoomtel.com/products/adsl_overview.html http://www.zoomtel.com/products/5760.html http://www.zoomtel.com/products/5751.html http://www.zoomtel.com/products/5754.html Discovered - 06-28-2013 Updated - 09/01/2013 Research Contact - K Lovett Affiliation - QuattroSG