VARIoT IoT vulnerabilities database


VAR-201405-0095 CVE-2013-4772 D-Link DIR-505L SharePort Mobile Companion and DIR-826L Wireless N600 Cloud Router authentication bypass vulnerability
CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
D-Link DIR-505L SharePort Mobile Companion 1.01 and DIR-826L Wireless N600 Cloud Router 1.02 allow remote attackers to bypass authentication via a direct request while an authorized session is active. The DIR-505L is a versatile mini wireless router and the DIR-826L is a dual-band Gigabit wireless cloud router. During this window the application does not verify the session cookie, so a remote attacker can view or change the device configuration as if they were the administrator. This is not possible once the legitimate session has expired. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions on the affected device, which may aid in further attacks.
VAR-201307-0317 CVE-2013-2784 Triangle Research International Nano-10 PLC denial of service (DoS) vulnerability
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Triangle Research International (aka Tri) Nano-10 PLC devices with firmware before r81 use an incorrect algorithm for bounds checking of data in Modbus/TCP packets, which allows remote attackers to cause a denial of service (networking outage) via a crafted packet to TCP port 502. The Triangle Research Nano-10 PLC is a controller for automated manufacturing. After an attack, the device must be manually restarted to restore normal functionality. Attackers can exploit this issue to crash the affected device, denying service to legitimate users. Nano-10 PLC devices running firmware versions prior to r81 are vulnerable.
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsq24002
VAR-201307-0235 CVE-2013-3408 Cisco Virtualization Experience Client 6000 privilege escalation vulnerability in device firmware
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
The firmware on Cisco Virtualization Experience Client 6000 devices sets incorrect operating-system permissions, which allows local users to gain privileges via an unspecified sequence of commands, aka Bug ID CSCuc31764. Local attackers can exploit this issue to gain elevated privileges, which may aid in further attacks. This issue is being tracked by Cisco bug ID CSCuc31764. The device is managed through an administrative web interface running on it.
VAR-201307-0420 CVE-2013-4785 Dell iDRAC firmware web interface CLP interface modification vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The web interface on the Dell iDRAC6 with firmware before 1.95 allows remote attackers to modify the CLP interface for arbitrary users and possibly have other impact via a request to an unspecified form that is accessible from testurls.html. NOTE: the vendor disputes the significance of this issue, stating "DRAC's are intended to be on a separate management network; they are not designed nor intended to be placed on or connected to the Internet." Dell Integrated Remote Access Controller (iDRAC) 6 is a system management solution from Dell that includes hardware and software. It provides Dell PowerEdge systems with functions such as remote management, crash recovery and power control. A vulnerability exists in the web interface of Dell iDRAC6 firmware version 1.7.
VAR-201307-0418 CVE-2013-4783 Dell iDRAC BMC authentication bypass vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The Dell iDRAC6 with firmware 1.x before 1.92 and 2.x and 3.x before 3.42, and iDRAC7 with firmware before 1.23.23, allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password. NOTE: the vendor disputes the significance of this issue, stating "DRAC's are intended to be on a separate management network; they are not designed nor intended to be placed on or connected to the Internet." Dell Integrated Remote Access Controller (iDRAC) 6 is a system management solution from the US company Dell that includes hardware and software. It provides Dell PowerEdge systems with functions such as remote management, crashed-system recovery, and power control. The flaw lies in the BMC implementation of Dell iDRAC6.
VAR-201307-0556 No CVE Multiple Command Injection Vulnerabilities in Multiple D-Link Product UPnP SOAP Interfaces
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The UPnP SOAP interface of the D-Link DIR-300, DIR-600, DIR-645, DIR-845 and DIR-865 does not properly filter XML parameters, allowing remote attackers to inject and execute arbitrary commands through parameters including NewInternalClient and NewInternalPort. The D-Link DIR-300, DIR-600, DIR-645, DIR-845, and DIR-865 are all wireless router products from Taiwan's D-Link Corporation. Multiple command injection vulnerabilities exist in these D-Link products; an attacker could use them to execute arbitrary commands in the context of an affected device. The following devices are vulnerable: DIR-300 rev B firmware 2.14b01, DIR-600 firmware 2.16b01, DIR-645 firmware 1.04b01, DIR-845 firmware 1.01b02, and DIR-865 firmware 1.05b03.
VAR-201307-0614 No CVE ASUS Cloud-N66U Router AiCloud Security Bypass Vulnerability
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
ASUS RT-N66U is a wireless router product. ASUS RT-N66U firmware 3.0.0.4.270 and 3.0.0.4.354 do not properly restrict access when processing certain HTTPS requests; this can be exploited to gain unauthorized access and to reveal the contents of arbitrary files and directories. Successful exploitation requires the AiCloud web service to be enabled.
VAR-201312-0100 CVE-2013-2751 NETGEAR ReadyNAS RAIDiator FrontView web interface arbitrary Perl code execution vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Eval injection vulnerability in frontview/lib/np_handler.pl in the FrontView web interface in NETGEAR ReadyNAS RAIDiator before 4.1.12 and 4.2.x before 4.2.24 allows remote attackers to execute arbitrary Perl code via a crafted request, related to the "forgot password workflow". NetGear RAIDiator is storage appliance firmware based on Linux and the debian-sparc platform. A cross-site request forgery vulnerability also exists in NetGear RAIDiator, allowing remote attackers to perform certain administrative actions; other attacks are also possible. The following are vulnerable: RAIDiator versions prior to 4.1.12 running on SPARC, and RAIDiator-x86 versions prior to 4.2.24. The eval injection vulnerability in the FrontView web interface affects NETGEAR ReadyNAS RAIDiator 4.1 and 4.2.23 and earlier versions; it is caused by the frontview/lib/np_handler.pl script not filtering user-submitted input.
VAR-201312-0099 CVE-2013-2752 NETGEAR ReadyNAS RAIDiator frontview/lib/np_handler.pl cross-site request forgery vulnerability
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in frontview/lib/np_handler.pl in NETGEAR ReadyNAS RAIDiator before 4.1.12 and 4.2.x before 4.2.24 allows remote attackers to hijack the authentication of users. NetGear RAIDiator is storage appliance firmware based on Linux and the debian-sparc platform. A command injection vulnerability also exists in NetGear RAIDiator; an attacker can exploit it to execute arbitrary shell commands with root privileges, and other attacks are also possible. The following are vulnerable: RAIDiator versions prior to 4.1.12 running on SPARC, and RAIDiator-x86 versions prior to 4.2.24.
VAR-201307-0125 CVE-2013-0476 IBM Sterling B2B Integrator and Sterling File Gateway arbitrary FTP command injection vulnerability
CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote attackers to inject arbitrary FTP commands via unspecified vectors. Exploiting this issue could allow an attacker to execute arbitrary FTP commands in the context of the affected application. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network
VAR-201307-0126 CVE-2013-0479 IBM Sterling B2B Integrator and Sterling File Gateway access restriction bypass vulnerability
CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 do not properly restrict file types and extensions, which allows remote authenticated users to bypass intended access restrictions via a crafted filename. Attackers can exploit this issue to bypass certain intended security restrictions and perform unauthorized actions on the affected system. This may aid in further attacks. The vulnerability stems from the fact that the program does not restrict the use of file types and extensions
VAR-201307-0319 CVE-2013-2786 Alstom Grid MiCOM S1 Agile and Alstom Grid MiCOM S1 Studio privilege escalation vulnerability
CVSS V2: 6.6
CVSS V3: -
Severity: MEDIUM
Alstom Grid MiCOM S1 Agile before 1.0.3 and Alstom Grid MiCOM S1 Studio use weak permissions for the MiCOM S1 %PROGRAMFILES% directory, which allows local users to gain privileges via a Trojan horse executable file. The MiCOM S1 software does not restrict user access to the installation directory: when the MiCOM S1 application runs, a planted malicious program is executed, and successful exploitation elevates the user's permissions. Multiple Alstom Grid products are prone to this local access-bypass vulnerability. Local attackers can exploit it to bypass certain security restrictions and perform unauthorized actions, which may aid in launching further attacks. Note: an attacker can further exploit this issue to gain administrator privileges on the system.
VAR-201307-0516 No CVE Nokia 1280 Message Handling Denial of Service Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Nokia 1280 has a security vulnerability in its processing of SMS messages that allows remote attackers to trigger a buffer overflow, resulting in a denial of service. The Nokia 1280 is a mobile phone from Nokia Corporation of Finland. Successful exploits allow attackers to cause a denial-of-service condition on the device.
VAR-201307-0200 CVE-2013-3413 Cisco Identity Services Engine administration/monitoring panel cross-site scripting vulnerability
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the search form in the administration/monitoring panel on the Cisco Identity Services Engine (ISE) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCuh87036. The vendor has confirmed this vulnerability and published it as Bug ID CSCuh87036; arbitrary web script or HTML may be injected by a third party. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCuh87036. The ISE platform monitors the network by collecting real-time information on the network, users and devices, and by formulating and enforcing corresponding policies.
VAR-201307-0421 CVE-2013-4786 IPMI 2.0 specification RAKP password hash disclosure vulnerability
CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. Intelligent Platform Management Interface is prone to an information-disclosure vulnerability. Intelligent Platform Management Interface 2.0 is vulnerable; other versions may also be affected. IPMI provides the ability to monitor, control, and automatically report on the health of a large number of servers. There is a vulnerability in the RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication supported by the IPMI version 2.0 specification.

HP Integrated Lights-Out 2, 3, and 4 (iLO2, iLO3, iLO4)
BACKGROUND
CVSS 2.0 Base Metrics
Reference: CVE-2013-4786; Base Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C); Base Score: 8.5
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
There is no resolution to this issue. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein.

Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04197764

SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04197764
Version: 2
HPSBHF02981 rev.2 - HPE Integrated Lights-Out 2, 3, 4 (iLO2, iLO3, iLO4) and HPE Superdome Flex RMC - IPMI 2.0 RCMP+ Authentication Remote Password Hash Vulnerability (RAKP)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2018-02-08
Last Updated: 2018-02-07
Potential Security Impact: Remote: Disclosure of Information
Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HPE Integrated Lights-Out 2, 3, 4 (iLO2, iLO3, iLO4) and HPE Superdome Flex RMC. The vulnerability could be exploited to allow an attacker to gain unauthorized privileges and unauthorized access to privileged information.
Note: This vulnerability also impacts the RMC of the "Superdome Flex" Server.
References: CVE-2013-4786

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- HPE Superdome Flex Server 1.0
- HPE Integrated Lights-Out 4 (iLO 4) Firmware for ProLiant Gen8 Servers - All, when IPMI is enabled
- HPE Integrated Lights-Out 3 (iLO 3) Firmware for ProLiant G7 Servers - All, when IPMI is enabled
- HPE Integrated Lights-Out 2 (iLO 2) Firmware for ProLiant G6 Servers - All, when IPMI is enabled

BACKGROUND
CVSS Base Metrics
Reference: CVE-2013-4786; CVSS V3 Score/Vector: 8.3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H; CVSS V2 Score/Vector: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499

RESOLUTION
There is no resolution to this issue. The authentication process for the IPMI 2.0 specification mandates that the server send a salted SHA1 or MD5 hash of the requested user's password to the client, prior to the client authenticating. The BMC returns the password hash for any valid user account requested. This password hash can be broken using an offline brute force or dictionary attack. Because this functionality is a key part of the IPMI 2.0 specification, there is no way to fix the problem without deviating from the IPMI 2.0 specification. HP recommends the following actions to mitigate the risk this introduces:
1. If you do not need to use IPMI, disable it. You can disable IPMI on iLO2/3/4 using the Disable IPMI over LAN command.
2. Maintain the latest iLO firmware that contains the most recent security patches.
3. Employ best practices in the management of the protocols and passwords on your systems and networks. Use strong passwords wherever possible.
4. If you must use IPMI, use a separate management LAN or VLAN, Access Control Lists (ACLs), or VPN to limit and restrict access to your iLO management interfaces.
For Superdome Flex's RMC, refer to the following link for details: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00026813en_us

HISTORY
Version:1 (rev.1) - 1 April 2014 - Initial release
Version:2 (rev.2) - 7 February 2018 - Include RMC of HPE Superdome Flex as an affected product

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact the normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM, 3P = 3rd Party Software, GN = HPE General Software, HF = HPE Hardware and Firmware, MU = Multi-Platform Software, NS = NonStop Servers, OV = OpenVMS, PV = ProCurve, ST = Storage Software, UX = HP-UX.
Copyright 2016 Hewlett Packard Enterprise. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
VAR-201309-0138 CVE-2013-2238 FreeSWITCH switch_regex.c switch_perform_substitution function buffer overflow vulnerability
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to the index and substituted variables. FreeSWITCH is prone to these buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input. Successful exploits may allow attackers to execute arbitrary code in the context of the application; failed attacks will cause denial-of-service conditions. FreeSWITCH is free and open source communication software developed by American software developer Anthony Minessale; it can be used to create audio, video and short message products and applications. The buffer overflow vulnerability exists in the switch_perform_substitution function in the switch_regex.c file of FreeSWITCH version 1.2.
VAR-202001-1158 CVE-2013-5122 Cisco Linksys router authentication bypass vulnerability
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Cisco Linksys Routers EA2700, EA3500, E4200, EA4500: a bug can cause an unsafe TCP port to open, which leads to unauthenticated access. The Cisco Linksys router contains an authentication vulnerability; information may be obtained or falsified, and a denial of service (DoS) condition may result. The affected versions are as follows: Cisco Linksys EA2700 running firmware 1.0.14, Cisco Linksys EA3500 running firmware 1.0.30, Cisco Linksys EA4200 running firmware 2.0.36, and Cisco Linksys EA4500 running firmware 2.0.36. Linksys E-series routers are popular router devices. Multiple Linksys E-series routers have security vulnerabilities that allow malicious users to bypass some security restrictions:
1. The device fails to properly restrict access to tmUnblock.cgi and hndUnblock.cgi, allowing an attacker to inject and execute arbitrary shell commands.
2. The device fails to properly restrict access to the console, allowing an attacker to reach restricted functionality through TCP port 8083.

-----------------------------------------------------------------------------
Vulnerabilities:
An unspecified bug can cause an unsafe/undocumented TCP port to open, allowing for:
- Unauthenticated remote access to all pages of the router administration GUI, bypassing any credential prompts under certain common configurations
- Direct access to several critical system files
CVE-ID 2013-5122
CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS Base Score 10
CVSS Temporal Score 8.1
Exploitability Subscore: 10.0
Affected models and firmware:
- Linksys SMART Wi-Fi Router N600 - EA2700, Firmware Version: 1.0.14
- Linksys SMART Wi-Fi Router N750 Smooth Stream EA3500, Firmware Version: 1.0.30
- Linksys Maximum Performance N Router E4200v2, Firmware Version: 2.0.36
- Linksys Maximum Performance N Router E4200v2, Firmware Version: 2.0.37
- Linksys SMART Wi-Fi N900 Media Stream EA4500, Firmware Version: 2.0.36
- Linksys SMART Wi-Fi N900 Media Stream EA4500, Firmware Version: 2.0.37
- Web Server: Lighttpd 1.4.28
- Running: Linux 2.6.22
-----------------------------------------------------------------------------
Vulnerability conditions seen in all variations, though not limited to:
- Classic GUI has been enabled/installed
- Remote Management - Disabled
- UPnP - Enabled
- IPv4 SPI Firewall Protection - Disabled
Fixes and workarounds:
*** It is strongly advised that those who have the classic GUI firmware installed do a full WAN-side scan for unusual open ports that weren't specifically opened by the end user. It is recommended to upgrade to firmware 2.1.39 on the E4200v2 and EA4500, though it is uncertain if this resolves the problem in all cases. It is recommended to upgrade to firmware 1.1.39 on the EA2700 and EA3500, though it is uncertain if this resolves the problem in all cases.
Vendor: We have been working with Linksys/Belkin engineers on this problem, and they are still investigating the root cause. We hope to have additional information on this bug soon.
-----------------------------------------------------------------------------
External Links
Misc:
http://www.osvdb.org/show/osvdb/94768
http://www.securityfocus.com/archive/1/527027
http://securityvulns.com/news/Linksys/EA/1307.html
http://www.scip.ch/en/?vuldb.9326
http://www.mobzine.ro/ionut-balan/2013/07/vulnerabilitate-majora-in-linksys-ea2700-ea3500-e4200-ea4500/
Vendor product links:
http://support.linksys.com/en-us/support/routers/EA2700
http://support.linksys.com/en-us/support/routers/EA3500
http://support.linksys.com/en-us/support/routers/E4200
http://support.linksys.com/en-us/support/routers/EA4500
Discovered - 07-01-2013
Updated - 08-15-2013
Research Contact - K Lovett, M Claunch
Affiliation - SUSnet

Vulnerable products: Linksys EA2700, EA3500, E4200, EA4500
Vulnerability: Due to an unknown bug, which by every indication occurs during the installation and/or upgrade process, port 8083 will often open, allowing remote unauthenticated users to bypass authentication directly to the "classic Linksys GUI" administrative console. If vulnerable, an attacker would have complete control of the router's administrative features and functions. On affected models, simply browsing to http://<IP>:8083/ places a user in the admin console with no prompt for authentication. Moreover, by browsing to http://<IP>:8083/cgi-bin/ the following four CGI scripts (often there are more, depending on the firmware and model) can also be found: fw_sys_up.cgi, override.cgi, share_editor.cgi, switch_boot.cgi. It has been observed that port 443 will show as open to external scans when the vulnerability exists, though not all routers with this open port are affected. In the HTTP header for port 8083, for those affected, "Basic Setup" is the only item of note observed. An end user should not rely on the router's GUI for the status of remote access, as this bug is present when the console shows remote access as disabled.
CVE ID: 2013-5122
CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS Base Score 10
CVSS Temporal Score 8.1
Exploitability Subscore: 10.0
Timeline: The vendor was first notified of this bug in July 2013, and several follow-up conversations have occurred since that time.
Patches/Workaround: No known patches or official fixes exist, though some workaround fixes, including reinstallation of the firmware, have often been shown to solve the issue. This is not an official workaround and it is strongly advised to contact Linksys support for additional information.
Recommendations:
- Scan for an open port 8083 from the WAN side of the router to check for this particular vulnerability.
- Since an attacker has access to enable the FTP service, USB drives mounted on those routers which have them should be removed until an official fix is out or vulnerability of the router has been ruled out.
Research Contacts: Kyle Lovett and Matt Claunch
Discovered - July 2013
Updated - February 2014
VAR-201307-0129 CVE-2013-0468 IBM Sterling B2B Integrator and Sterling File Gateway cross-site scripting vulnerability
CVSS V2: 3.5
CVSS V3: -
Severity: LOW
Cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2013-2983. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network
VAR-201307-0124 CVE-2013-0475 IBM Sterling B2B Integrator and Sterling File Gateway information disclosure vulnerability
CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to obtain sensitive information about application implementation via unspecified vectors, a different vulnerability than CVE-2013-0463, CVE-2013-2985, CVE-2013-2987, CVE-2013-3020, CVE-2013-0568, and CVE-2013-0567. Multiple IBM products are prone to an unspecified information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network
VAR-201307-0294 CVE-2013-0560 IBM Sterling B2B Integrator and Sterling File Gateway SQL injection vulnerability
CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
Multiple SQL injection vulnerabilities in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2012-5766. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network