VARIoT IoT vulnerabilities database


VAR-201307-0126 CVE-2013-0479 IBM Sterling B2B Integrator and Sterling File Gateway Vulnerable to access restrictions CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 do not properly restrict file types and extensions, which allows remote authenticated users to bypass intended access restrictions via a crafted filename. Attackers can exploit this issue to bypass certain intended security restrictions and perform unauthorized actions on the affected system. This may aid in further attacks. The vulnerability stems from the fact that the program does not restrict the use of file types and extensions
VAR-201307-0319 CVE-2013-2786 Alstom Grid MiCOM S1 Agile and Alstom Grid MiCOM S1 Studio Vulnerability gained in CVSS V2: 6.6
CVSS V3: -
Severity: MEDIUM
Alstom Grid MiCOM S1 Agile before 1.0.3 and Alstom Grid MiCOM S1 Studio use weak permissions for the MiCOM S1 %PROGRAMFILES% directory, which allows local users to gain privileges via a Trojan horse executable file. The MiCOM S1 software does not restrict user access to the installer. When the MiCOM S1 application runs, the malicious program is executed, and successful exploitation of the vulnerability can elevate the user's permissions. Multiple Alstom Grid products are prone to a local access-bypass vulnerability. Local attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks. Note: An attacker can further exploit this issue to gain administrator privileges to the system
VAR-201307-0516 No CVE Nokia 1280 Message Handling Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Nokia 1280 has a security vulnerability when processing SMS messages, allowing remote attackers to exploit the vulnerability to trigger a buffer overflow, resulting in a denial of service attack. Nokia 1280 is a mobile phone from Nokia Corporation of Finland. A denial of service vulnerability exists in Nokia 1280. An attacker could use this vulnerability to cause a denial of service. Successful exploits will allow attackers to cause a denial-of-service condition
VAR-201307-0200 CVE-2013-3413 Cisco Identity Services Engine Run on administration/monitoring Panel cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the search form in the administration/monitoring panel on the Cisco Identity Services Engine (ISE) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCuh87036. The vendor has released this vulnerability as Bug ID CSCuh87036. A third party may be able to insert arbitrary web script or HTML. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCuh87036. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies
VAR-201307-0421 CVE-2013-4786 IPMI Vulnerability to get password hash in specification CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. Intelligent Platform Management Interface is prone to an information-disclosure vulnerability. Intelligent Platform Management Interface 2.0 is vulnerable; other versions may also be affected. , which provides the ability to monitor, control, and automatically report on the health of a large number of servers. There is a vulnerability in the RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication supported by the IPMI version 2.0 specification. HP Integrated Lights-Out 2, 3, and 4 (iLO2, iLO3, iLO4) BACKGROUND CVSS 2.0 Base Metrics: Reference CVE-2013-4786, Base Vector (AV:N/AC:M/Au:S/C:C/I:C/A:C), Base Score 8.5. Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION There is no resolution to this issue. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04197764 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04197764 Version: 2 HPSBHF02981 rev.2 - HPE Integrated Lights-Out 2, 3, 4 (iLO2, iLO3, iLO4) and HPE Superdome Flex RMC - IPMI 2.0 RCMP+ Authentication Remote Password Hash Vulnerability (RAKP) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2018-02-08 Last Updated: 2018-02-07 Potential Security Impact: Remote: Disclosure of Information Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY A potential security vulnerability has been identified in HPE Integrated Lights-Out 2, 3, 4 (iLO2, iLO3, iLO4) and HPE Superdome Flex RMC. The vulnerability could be exploited to allow an attacker to gain unauthorized privileges and unauthorized access to privileged information. Note: This vulnerability also impacts the RMC of the "Superdome Flex" Server. References: CVE-2013-4786
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- HPE Superdome Flex Server 1.0
- HPE Integrated Lights-Out 4 (iLO 4) Firmware for ProLiant Gen8 Servers - All, when IPMI is enabled
- HPE Integrated Lights-Out 3 (iLO 3) Firmware for ProLiant G7 Servers - All, when IPMI is enabled
- HPE Integrated Lights-Out 2 (iLO 2) Firmware for ProLiant G6 Servers - All, when IPMI is enabled
BACKGROUND CVSS Base Metrics: Reference CVE-2013-4786; CVSS V3 Score/Vector 8.3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H; CVSS V2 Score/Vector 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C). Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499
RESOLUTION There is no resolution to this issue. The authentication process for the IPMI 2.0 specification mandates that the server send a salted SHA1 or MD5 hash of the requested user's password to the client, prior to the client authenticating. The BMC returns the password hash for any valid user account requested. This password hash can be broken using an offline brute force or dictionary attack. Because this functionality is a key part of the IPMI 2.0 specification, there is no way to fix the problem without deviating from the IPMI 2.0 specification. HP recommends the following actions to mitigate the risk this introduces:
1. If you do not need to use IPMI, disable it. You can disable IPMI on iLO2/3/4 using the Disable IPMI over LAN command.
2. Maintain the latest iLO firmware that contains the most recent security patches.
3. Employ best practices in the management of the protocols and passwords on your systems and networks. Use strong passwords wherever possible.
4. If you must use IPMI, use a separate management LAN or VLAN, Access Control Lists (ACLs), or VPN to limit and restrict access to your iLO management interfaces.
For Superdome Flex's RMC: Refer to the below link for the details: <https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00026813en_us>
HISTORY Version:1 (rev.1) - 1 April 2014 Initial release Version:2 (rev.2) - 7 February 2018 Include RMC of HPE Superdome Flex as an affected product
Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX Copyright 2016 Hewlett Packard Enterprise Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
VAR-201309-0138 CVE-2013-2238 FreeSWITCH of switch_regex.c of switch_perform_substitution Buffer overflow vulnerability in functions CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to the index and substituted variables. FreeSWITCH is prone to multiple buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input. Successful exploits may allow attackers to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. FreeSWITCH is a set of free and open source communication software developed by American software developer Anthony Minessale. The software can be used to create audio, video and short message products and applications. A buffer overflow vulnerability exists in the 'switch_perform_substitution' function in the switch_regex.c file in FreeSWITCH version 1.2
VAR-202001-1158 CVE-2013-5122 Cisco Linksys Authentication vulnerability in router CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Cisco Linksys Routers EA2700, EA3500, E4200, EA4500: A bug can cause an unsafe TCP port to open which leads to unauthenticated access. Cisco Linksys routers contain an authentication vulnerability. Information may be obtained or tampered with, and a denial of service (DoS) may result. The affected versions are as follows: Cisco Linksys EA2700 running firmware 1.0.14 Cisco Linksys EA3500 running firmware 1.0.30 Cisco Linksys EA4200 running firmware 2.0.36 Cisco Linksys EA4500 running firmware 2.0.36. Linksys E-series routers are popular router devices. Multiple Linksys E-series routers have multiple security vulnerabilities that allow malicious users to bypass some of the security restrictions: 1. The device fails to properly restrict access to tmUnblock.cgi and hndUnblock.cgi, allowing an attacker to exploit the vulnerability to inject and execute arbitrary shell commands. 2. The device fails to properly restrict access to the console, allowing an attacker to access restricted functionality through the TCP port 8083.
Vulnerabilities: An unspecified bug can cause an unsafe/undocumented TCP port to open allowing for:
- Unauthenticated remote access to all pages of the router administration GUI, bypassing any credential prompts under certain common configurations
- Direct access to several critical system files
CVE-ID 2013-5122 CWE-288: Authentication Bypass Using an Alternate Path or Channel CVSS Base Score 10 CVSS Temporal Score 8.1 Exploitability Subscore: 10.0
Affected models and firmware:
Linksys SMART Wi-Fi Router N600 - EA2700 Firmware Version: 1.0.14
Linksys SMART Wi-Fi Router N750 Smooth Stream EA3500 Firmware Version: 1.0.30
Linksys Maximum Performance N Router E4200v2 Firmware Version: 2.0.36
Linksys Maximum Performance N Router E4200v2 Firmware Version: 2.0.37
Linksys SMART Wi-Fi N900 Media Stream EA4500 Firmware Version: 2.0.36
Linksys SMART Wi-Fi N900 Media Stream EA4500 Firmware Version: 2.0.37
- Web Server Lighttpd 1.4.28
- Running - Linux 2.6.22
Vulnerability Conditions seen in all variations, though not limited to:
- Classic GUI has been enabled/installed
- Remote Management - Disabled
- UPnP - Enabled
- IPv4 SPI Firewall Protection - Disabled
Fixes and workarounds: It is strongly advised to those that have the classic GUI firmware installed to do a full WAN side scan for unusual ports that are open that weren't specifically opened by the end user. It is recommended to upgrade to firmware 2.1.39 on the E4200v2 and EA4500, though it is uncertain if this resolves the problem in all cases. It is recommended to upgrade to firmware 1.1.39 on the EA2700 and EA3500, though it is uncertain if this resolves the problem in all cases.
Vendor: We have been working with Linksys/Belkin Engineers on this problem, and they are still investigating the root cause. We hope to have additional information on this bug soon.
External Links Misc: http://www.osvdb.org/show/osvdb/94768 http://www.securityfocus.com/archive/1/527027 http://securityvulns.com/news/Linksys/EA/1307.html http://www.scip.ch/en/?vuldb.9326 http://www.mobzine.ro/ionut-balan/2013/07/vulnerabilitate-majora-in-linksys-ea2700-ea3500-e4200-ea4500/
Vendor product links: http://support.linksys.com/en-us/support/routers/EA2700 http://support.linksys.com/en-us/support/routers/EA3500 http://support.linksys.com/en-us/support/routers/E4200 http://support.linksys.com/en-us/support/routers/EA4500
Discovered - 07-01-2013 Updated - 08-15-2013 Research Contact - K Lovett, M Claunch Affiliation - SUSnet
Vulnerable products: Linksys EA2700, EA3500, E4200, EA4500
Vulnerability: Due to an unknown bug, which occurs by every indication during the installation and/or upgrade process, port 8083 will often open, allowing for direct bypass of authentication to the "classic Linksys GUI" administrative console for remote unauthenticated users. If vulnerable, an attacker would have complete control of the router's administrative features and functions. On affected models by simply browsing to: http://<IP>:8083/ a user will be placed into the admin console, with no prompt for authentication. Moreover, by browsing to: http://<IP>:8083/cgi-bin/ the following four cgi scripts (often there are more depending on the firmware and model) can also be found. fw_sys_up.cgi override.cgi share_editor.cgi switch_boot.cgi It has been observed that Port 443 will show as open to external scans when the vulnerability exists, though not all routers with this open port are affected. On the http header for port 8083, for those affected, "Basic Setup" is the only item of note observed. An end user should not rely on the router's GUI interface for the status of remote access, as this bug is present when the console shows remote access as disabled.
CVE ID: 2013-5122 CWE-288: Authentication Bypass Using an Alternate Path or Channel CVSS Base Score 10 CVSS Temporal Score 8.1 Exploitability Subscore: 10.0 Timeline: The vendor was first notified of this bug in July 2013, and several follow-up conversations have occurred since that time. Patches/Workaround: No known patches or official fixes exist, though some workaround fixes, including reinstallation of the firmware have been often shown to solve the issue. This is not an official workaround and it is strongly advised to contact Linksys support for additional information. Recommendations: - Scan for an open port 8083 from the WAN side of the router to check for this particular vulnerability. - Since an attacker has access to enable FTP service, USB drives mounted on those routers which have them, should be removed until an official fix is out or vulnerability of the router has been ruled out. Research Contacts: Kyle Lovett and Matt Claunch Discovered - July 2013 Updated - February 2014
VAR-201307-0129 CVE-2013-0468 IBM Sterling B2B Integrator and Sterling File Gateway Vulnerable to cross-site scripting CVSS V2: 3.5
CVSS V3: -
Severity: LOW
Cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2013-2983. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network
VAR-201307-0124 CVE-2013-0475 IBM Sterling B2B Integrator and Sterling File Gateway Vulnerability in which important information is obtained CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to obtain sensitive information about application implementation via unspecified vectors, a different vulnerability than CVE-2013-0463, CVE-2013-2985, CVE-2013-2987, CVE-2013-3020, CVE-2013-0568, and CVE-2013-0567. Multiple IBM products are prone to an unspecified information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network
VAR-201307-0294 CVE-2013-0560 IBM Sterling B2B Integrator and Sterling File Gateway In SQL Injection vulnerability CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
Multiple SQL injection vulnerabilities in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2012-5766. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network
VAR-201307-0295 CVE-2013-0567 IBM Sterling B2B Integrator and Sterling File Gateway Vulnerability in which important information is obtained CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to obtain sensitive information about application implementation via unspecified vectors, a different vulnerability than CVE-2013-0463, CVE-2013-2985, CVE-2013-2987, CVE-2013-3020, CVE-2013-0568, and CVE-2013-0475. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. IBM Sterling B2B Integrator is a set of software that integrates B2B processes, transactions and relationships of different partner communities
VAR-201307-0296 CVE-2013-0568 IBM Sterling B2B Integrator and Sterling File Gateway Vulnerability in which important information is obtained CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to obtain sensitive information about application implementation via unspecified vectors, a different vulnerability than CVE-2013-0463, CVE-2013-2985, CVE-2013-2987, CVE-2013-3020, CVE-2013-0475, and CVE-2013-0567. Multiple IBM products are prone to an unspecified information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network
VAR-201307-0072 CVE-2013-2982 IBM Sterling B2B Integrator and Sterling File Gateway Vulnerable to uploading arbitrary files CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to upload arbitrary files via unspecified vectors. Multiple IBM products are prone to an arbitrary file-upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application
VAR-201307-0065 CVE-2013-2985 IBM Sterling B2B Integrator and Sterling File Gateway Vulnerability in which important information is obtained CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to obtain sensitive information about application implementation via unspecified vectors, a different vulnerability than CVE-2013-0463, CVE-2013-2987, CVE-2013-3020, CVE-2013-0568, CVE-2013-0475, and CVE-2013-0567. Multiple IBM products are prone to an unspecified information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network
VAR-201307-0066 CVE-2013-2987 IBM Sterling B2B Integrator and Sterling File Gateway Vulnerability in which important information is obtained CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to obtain sensitive information about application implementation via unspecified vectors, a different vulnerability than CVE-2013-0463, CVE-2013-2985, CVE-2013-3020, CVE-2013-0568, CVE-2013-0475, and CVE-2013-0567. Multiple IBM products are prone to an unspecified information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network
VAR-201307-0074 CVE-2013-3020 IBM Sterling B2B Integrator and Sterling File Gateway Vulnerability in which important information is obtained CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to obtain sensitive information about application implementation via unspecified vectors, a different vulnerability than CVE-2013-0463, CVE-2013-2985, CVE-2013-2987, CVE-2013-0568, CVE-2013-0475, and CVE-2013-0567. Multiple IBM products are prone to an unspecified information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network
VAR-201307-0196 CVE-2013-3399 Cisco Desktop Collaboration Experience DX650 Unspecified Android API Vulnerable to buffer overflow CVSS V2: 6.6
CVSS V3: -
Severity: MEDIUM
Buffer overflow in an unspecified Android API on the Cisco Desktop Collaboration Experience DX650 allows attackers to execute arbitrary code via vectors that leverage incorrect memory allocation, aka Bug IDs CSCuf93957, CSCug22352, and CSCug22462. The vendor has released this vulnerability as Bug IDs CSCuf93957, CSCug22352, and CSCug22462. An attacker could execute arbitrary code by exploiting improper memory allocation. Local attackers can exploit this issue to run arbitrary code with elevated privileges. Failed exploit attempts can result in a denial-of-service condition. This issue is being tracked by Cisco Bug IDs CSCuf93957, CSCug22352, and CSCug22462. The product provides uninterrupted, highly secure and integrated unified communications, high-definition (HD) video, network collaboration and more
VAR-201307-0411 CVE-2013-4748 TYPO3 for News system In the extension SQL Injection vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SQL injection vulnerability in the News system (news) extension before 1.3.3 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. MSM camera driver for the Linux kernel is a Qualcomm platform camera driver project based on the Linux kernel. A stack-based buffer overflow vulnerability exists in the MSM camera driver used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products. An attacker could exploit this vulnerability to gain elevated privileges when processing parameters passed to the VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO or VIDIOC_MSM_VPE_DEQUEUE_STREAM_BUFF_INFO ioctl subdev handlers. TYPO3 is a free and open source content management system (framework) (CMS/CMF) maintained by the Swiss TYPO3 Association. News system (news) is one of the extended components that provides news release functions
VAR-201307-0128 CVE-2013-0463 IBM Sterling B2B Integrator and Sterling File Gateway Vulnerability in which important information is obtained CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to obtain sensitive information about application implementation via unspecified vectors, a different vulnerability than CVE-2013-2985, CVE-2013-2987, CVE-2013-3020, CVE-2013-0568, CVE-2013-0475, and CVE-2013-0567. Multiple IBM products are prone to an unspecified information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network
VAR-201307-0292 CVE-2013-0558 IBM Sterling B2B Integrator and Sterling File Gateway Vulnerability in which important information is obtained CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote attackers to obtain sensitive information about application implementation via unspecified vectors. Multiple IBM products are prone to an unspecified information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network