VARIoT IoT vulnerabilities database


VAR-201212-0313 No CVE Rugged Operating System Web UI Multiple Security Vulnerabilities CVSS V2: -
CVSS V3: -
Severity: -
Rugged Operating System is prone to multiple security vulnerabilities, including: 1. A session-hijacking vulnerability. 2. An unauthorized-access vulnerability. Successfully exploiting these issues may allow an attacker to gain unauthorized access to the affected application, bypass certain security restrictions and perform unauthorized actions. Rugged Operating System versions prior to 3.12.1 are vulnerable.
VAR-201212-0247 CVE-2012-6427 Carlo Gavazzi EOS-BOX SQL Injection Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The Carlo Gavazzi EOS-Box does not check the validity of the data before executing queries. By accessing the SQL table of certain pages that do not require authentication, attackers can leak information from the device. This could allow the attacker to compromise confidentiality. An SQL injection vulnerability exists in the Carlo Gavazzi EOS-Box firmware. This vulnerability is similar to CVE-2012-5861. A third party may be able to execute arbitrary SQL commands. Carlo Gavazzi EOS-Box is an embedded PC, and the CEOS-Box Photovoltaic Monitoring System is a photovoltaic monitoring system. EOS-Box is generally deployed in the renewable energy sector. The vulnerability allows unauthorized attackers to obtain sensitive device information. Carlo Gavazzi EOS-BOX is prone to a security-bypass vulnerability because of a hard-coded passwords issue and an SQL-injection vulnerability. An attacker can exploit these issues to bypass certain security restrictions and perform unauthorized actions with administrative privileges, access or modify data, or exploit latent vulnerabilities in the underlying database. Carlo Gavazzi EOS-BOX versions prior to 1.0.0.1080_2.1.10 are vulnerable. Through an unknown vector, a remote attacker can exploit this vulnerability to execute arbitrary SQL commands. TITLE: Carlo Gavazzi Eos-Box Hard-Coded Credentials and SQL Injection SECUNIA ADVISORY ID: SA51641 VERIFY ADVISORY: http://secunia.com/advisories/51641/ RELEASE DATE: 2012-12-20 DESCRIPTION: A security issue and a vulnerability have been reported in Carlo Gavazzi Eos-Box, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system. 1) The security issue is caused due to the application using hard-coded credentials, which may allow full administrative access to the system. 2) Certain unspecified input is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The security issue and the vulnerability are reported in firmware versions prior to 1.0.0.1080_2.1.10. SOLUTION: Update to version 1.0.0.1080_2.1.10 (please contact the vendor for more information). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-12-354-02.pdf
VAR-201212-0248 CVE-2012-6428 Carlo Gavazzi EOS-Box Vulnerabilities in obtaining administrative access rights in firmware CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The Carlo Gavazzi EOS-Box stores hard-coded passwords in the PHP file of the device. By using the hard-coded passwords, attackers can log into the device with administrative privileges. This could allow the attacker to have unauthorized access. Carlo Gavazzi EOS-Box contains multiple hard-coded accounts that allow users to gain administrative access. This vulnerability is similar to CVE-2012-5862. By reading the password in the PHP script, a third party may gain administrative access. Carlo Gavazzi EOS-Box is an embedded PC, and the CEOS-Box Photovoltaic Monitoring System is a photovoltaic monitoring system. EOS-Box is generally deployed in the renewable energy sector. Carlo Gavazzi EOS-BOX is prone to a security-bypass vulnerability because of a hard-coded passwords issue and an SQL-injection vulnerability. An attacker can exploit these issues to bypass certain security restrictions and perform unauthorized actions with administrative privileges, access or modify data, or exploit latent vulnerabilities in the underlying database. Carlo Gavazzi EOS-BOX versions prior to 1.0.0.1080_2.1.10 are vulnerable. TITLE: Carlo Gavazzi Eos-Box Hard-Coded Credentials and SQL Injection SECUNIA ADVISORY ID: SA51641 VERIFY ADVISORY: http://secunia.com/advisories/51641/ RELEASE DATE: 2012-12-20 DESCRIPTION: A security issue and a vulnerability have been reported in Carlo Gavazzi Eos-Box, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system. 2) Certain unspecified input is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The security issue and the vulnerability are reported in firmware versions prior to 1.0.0.1080_2.1.10. SOLUTION: Update to version 1.0.0.1080_2.1.10 (please contact the vendor for more information). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-12-354-02.pdf
VAR-201301-0217 CVE-2012-2291 EMC Avamar Client and EMC Avamar Plugin Vulnerability gained in CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
EMC Avamar Client 4.x, 5.x, and 6.x on HP-UX and Mac OS X, and the EMC Avamar plugin 4.x, 5.x, and 6.x for Oracle, uses world-writable permissions for cache directories, which allows local users to gain privileges via an unspecified symlink attack. EMC Avamar backup client is prone to an insecure file-permissions vulnerability. A local attacker can exploit this issue to gain escalated privileges. This may aid in further attacks. The following versions are affected: EMC Avamar version 4.x EMC Avamar version 5.x EMC Avamar version 6.x. The vulnerability stems from the fact that the cache directory uses world-writable permissions. Summary: Due to a vulnerability, described in detail below, the Avamar client leaves certain directories and files as world writable. The presence of world writable directories and files may inadvertently result in elevation of privileges by a user who has access to the local file system. Details: The Avamar affected client process runs as root and after each backup it leaves the cache files as world readable and writable. While the cache files themselves do not contain sensitive information, when the parent directory is world-writable, the cache files could be used by an attacker to elevate the privileges when a system-level backup is performed. The non-root user can create symbolic links to obtain unauthorized access to files on the affected system. Note: This vulnerability information is currently public. Resolution: The following workaround steps must be performed to mitigate the risk until the full fix is available from EMC. For HP-UX clients: The permissions of the /opt/AVMRclnt/var directory should be set to 0755. Log into the HP-UX client as the "root" user and type the following command: chmod 0755 /opt/AVMRclnt/var For Mac OS clients: The permissions of the /var/avamar directory should be set to 0755. 
Log into the Mac client as the "root" user and type the following command: chmod 0755 /var/avamar For Oracle clients: The following procedure only applies to clients where the directory permissions of the Avamar var directory (/usr/local/avamar/var or /opt/AVMRclnt/var) have been manually changed after installation of the Avamar plugin for Oracle: The permissions of the /usr/local/avamar/var should be set to 0775 with the group ownership set to the oracle group. Log into the Oracle client as the "root" user and type either of the following pairs of commands: On Linux and Unix Oracle clients other than Solaris and HP-UX: chmod 0775 /usr/local/avamar/var chgrp oracle /usr/local/avamar/var On Solaris and HP-UX Oracle clients: chmod 0775 /opt/AVMRclnt/var chgrp oracle /opt/AVMRclnt/var Other Avamar clients: Verify that the permissions of the Avamar var directory (/usr/local/avamar/var or /opt/AVMRclnt/var) on Linux and Unix clients are not modified as a result of a support or locally-performed procedure. The permissions should be set to 0755. If you have any questions or concerns about running the above commands please contact EMC Technical Support at http://www.emc.com/contact. Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867. Because the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a software download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045. For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. 
EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. EMC Corporation distributes EMC Security Advisories, in order to bring to the attention of users of the affected EMC products, important security information. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. EMC Product Security Response Center Security_Alert@EMC.COM http://www.emc.com/contact-us/contact/product-security-response-center.html
VAR-201212-0407 No CVE Loadbalancer Enterprise R16 HTML Injection Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
Loadbalancer Enterprise R16 is a load balancing device. Loadbalancer Enterprise R16 has multiple HTML injection vulnerabilities that allow an attacker to build malicious web pages, entice users to open them, and obtain sensitive information or hijack user sessions. Enterprise R16 is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
VAR-201212-0246 CVE-2012-6422 Samsung GALAXY and Meizu MX Such Android Vulnerability to read arbitrary physical memory in device CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
The kernel in Samsung Galaxy S2, Galaxy Note 2, MEIZU MX, and possibly other Android devices, when running an Exynos 4210 or 4412 processor, uses weak permissions (0666) for /dev/exynos-mem, which allows attackers to read or write arbitrary physical memory and gain privileges via a crafted application, as demonstrated by ExynosAbuse. Samsung Galaxy S II, Galaxy S III, Galaxy Note II, etc. are smartphones released by Samsung. The system does not properly set the permissions on /dev/exynos-mem (by default it is readable and writable by any user), and the device maps all current physical memory space, which allows local attackers to exploit the vulnerability to gain root privileges.
VAR-201212-0415 No CVE SAP NetWeaver SPML Service XML Parser Information Disclosure Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
SAP NetWeaver is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. SAP NetWeaver 6.40 and 7.02 are vulnerable; other versions may also be affected.
VAR-202002-0042 CVE-2012-6341 NEtGEAR WGR614 v7 and v9 Vulnerability regarding information leakage in CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
An Information Disclosure vulnerability exists in the my config file in NEtGEAR WGR614 v7 and v9, which could let a malicious user recover all previously used passwords on the device, for both the control panel and WEP/WPA/WPA2, in plaintext. This is a different issue than CVE-2012-6340. There is an information leakage vulnerability in NEtGEAR WGR614 v7 and v9. I've been reverse engineering the Netgear WGR614 wireless router, which has been one of the most popular devices shipped by major ISPs in the UK over the last ten years. After disassembling the device and identifying the components, I noticed that the firmware and all settings are stored on a single EEPROM (flash) chip, specifically a Macronix MX25L1605 SPI 16Mbit EEPROM. Other variants of the device may use slightly different chips, but they all seem to use SPI EEPROMs with identical I/O commands. I de-soldered the IC and hooked it up to a BusPirate, and used it to extract the entire contents of the chip. I quickly discovered two interesting things: First, I found a hard-coded credential used for direct serial programming. Using it requires direct physical access and you have to solder wires onto the board. Despite this not being particularly interesting, this issue has been assigned as CVE-2012-6340 anyway. It's always good to have the information out there. Second, I noticed that there were multiple copies of my config file, and all passwords (for both control panel and wifi) within them are plain-text. It turns out that, in order to prevent config file corruption, the router re-generates the entire config file and writes a new copy directly after the previous one. It then activates the new config, and soft-deletes the old file by removing its entry from a list. Once you've changed the config several times (about 11 on this device), it hits the end of the flash chip's storage and cycles back to the original address. However, it does not actually wipe the old config files. 
A factory reset does not fix this; it simply restores a default config file onto the lower address. As such, an attacker who steals the device may recover the last-used passwords and config, as well as many previous passwords and configuration data. There also seems to be some storage of DHCP client information, but the data I have is inconclusive due to it being partially overwritten. This has been confirmed on the WGR614v7 and WGR614v9 models, and is expected to be the case on all other revisions. It also looks like the WGR624 model has the same design, so other models in the same series may be affected too
VAR-202002-0041 CVE-2012-6340 NETGEAR WGR614 v7 and v9 Authentication vulnerabilities in CVSS V2: 2.1
CVSS V3: 4.6
Severity: MEDIUM
An Authentication vulnerability exists in NETGEAR WGR614 v7 and v9 due to a hardcoded credential used for serial programming, a related issue to CVE-2006-1002. This vulnerability is related to CVE-2006-1002. Information may be obtained. I've been reverse engineering the Netgear WGR614 wireless router, which has been one of the most popular devices shipped by major ISPs in the UK over the last ten years. After disassembling the device and identifying the components, I noticed that the firmware and all settings are stored on a single EEPROM (flash) chip, specifically a Macronix MX25L1605 SPI 16Mbit EEPROM. Other variants of the device may use slightly different chips, but they all seem to use SPI EEPROMs with identical I/O commands. I de-soldered the IC and hooked it up to a BusPirate, and used it to extract the entire contents of the chip. I quickly discovered two interesting things: First, I found a hard-coded credential used for direct serial programming. Using it requires direct physical access and you have to solder wires onto the board. Despite this not being particularly interesting, this issue has been assigned as CVE-2012-6340 anyway. It's always good to have the information out there. Second, I noticed that there were multiple copies of my config file, and all passwords (for both control panel and wifi) within them are plain-text. It turns out that, in order to prevent config file corruption, the router re-generates the entire config file and writes a new copy directly after the previous one. It then activates the new config, and soft-deletes the old file by removing its entry from a list. Once you've changed the config several times (about 11 on this device), it hits the end of the flash chip's storage and cycles back to the original address. However, it does not actually wipe the old config files. 
This issue, assigned CVE-2012-6341, results in the ability to recover all previously used passwords on the device, for both the control panel and WEP/WPA/WPA2, in plaintext. A factory reset does not fix this; it simply restores a default config file onto the lower address. As such, an attacker who steals the device may recover the last-used passwords and config, as well as many previous passwords and configuration data. There also seems to be some storage of DHCP client information, but the data I have is inconclusive due to it being partially overwritten. This has been confirmed on the WGR614v7 and WGR614v9 models, and is expected to be the case on all other revisions. It also looks like the WGR624 model has the same design, so other models in the same series may be affected too
VAR-201212-0024 CVE-2012-4046 D-Link DCS-932L Information Disclosure Vulnerability CVSS V2: 3.3
CVSS V3: -
Severity: LOW
The D-Link DCS-932L camera with firmware 1.02 allows remote attackers to discover the password via a UDP broadcast packet, as demonstrated by running the D-Link Setup Wizard and reading the _paramR["P"] value. D-Link DCS-932L Cloud Camera is a home infrared wireless network cloud camera. D-Link DCS-932L Cloud Camera has an error when processing UDP requests for device passwords. D-Link DCS-932L is prone to an information-disclosure vulnerability. D-Link DCS-932L 1.02 is vulnerable; other versions may also be affected. CVE-2012-4046 Details: http://www.fishnetsecurity.com/6labs/blog/password-disclosure-d-link-surveillance-cameras-cve-2012-4046 TITLE: D-Link DCS-932L Password Request Handling Security Issue SECUNIA ADVISORY ID: SA51610 VERIFY ADVISORY: http://secunia.com/advisories/51610/ RELEASE DATE: 2012-12-20 DESCRIPTION: Jason Doyle has reported a security issue in D-Link DCS-932L, which can be exploited by malicious people to gain knowledge of sensitive information. The vulnerability is reported in firmware version 1.02. SOLUTION: No official solution is currently available. PROVIDED AND/OR DISCOVERED BY: Jason Doyle ORIGINAL ADVISORY: http://www.fishnetsecurity.com/6labs/blog/password-disclosure-d-link-surveillance-cameras-cve-2012-4046
VAR-201212-0032 CVE-2012-4691 Siemens Automation License Manager Denial of service vulnerability CVSS V2: 3.3
CVSS V3: -
Severity: LOW
Memory leak in Siemens Automation License Manager (ALM) 4.x and 5.x before 5.2 allows remote attackers to cause a denial of service (memory consumption) via crafted packets. The Siemens Automation License Manager is the certificate management software used by various Siemens software products. The following products are affected by this vulnerability: SIMATIC (e.g. STEP 7), SIMATIC HMI (e.g. WinCC, WinCC flexible), SIMATIC PCS 7, SIMOTION (e.g. Scout), SIMATIC NET, SINAMICS (e.g. Starter), SIMOCODE. Successful exploits will cause the affected application to leak memory and terminate, denying service to legitimate users.
VAR-201212-0409 No CVE Samsung Smart Tv comes with a storage device read vulnerability CVSS V2: -
CVSS V3: -
Severity: -
Samsung Smart TV is a new generation TV product that can receive program content from various channels such as network, AV equipment, PC, etc., and display the content most needed by consumers on the big screen through an easy-to-use integrated operation interface. A vulnerability exists in Samsung Smart TV LED 3D, which allows attackers to access sensitive information, monitor and remotely log in to the device.
VAR-201212-0171 CVE-2012-5968 Huawei E585 pocket wifi 2 device contains multiple vulnerabilities CVSS V2: 4.8
CVSS V3: -
Severity: MEDIUM
The Huawei E585 device does not validate the status of admin sessions, which allows remote attackers to obtain sensitive user information and the session ID, and modify data, by leveraging access to the LAN network. The Huawei E585 pocket wifi 2 device contains multiple vulnerabilities which could allow an attacker to perform administrative functions on the device. Huawei E585 is a WiFi 3G wireless routing device. Huawei E585 fails to properly check the login status of the management session, which can allow an attacker to bypass management authentication, access protected files, and configure the device. This vulnerability cannot be exploited through the WAN side. Huawei E585 is prone to a denial-of-service vulnerability, a directory-traversal vulnerability, and a security-bypass vulnerability. Attackers can exploit these issues to retrieve and overwrite arbitrary files, perform denial-of-service attacks, bypass certain security restrictions, and gain unauthorized access; this will aid in further attacks. Huawei E585 is a high-speed wireless network access modem produced by Huawei. A vulnerability exists in the Huawei E585 device because the device does not validate the state of the management session. TITLE: Huawei E585 Management Interface Multiple Vulnerabilities SECUNIA ADVISORY ID: SA51596 VERIFY ADVISORY: http://secunia.com/advisories/51596/ RELEASE DATE: 2012-12-14 DESCRIPTION: Multiple vulnerabilities have been reported in Huawei E585, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, and cause a DoS (Denial of Service). 2) An error within the web management interface when processing certain web requests can be exploited to access arbitrary files via directory traversal sequences. 3) A NULL pointer dereference error within the web management interface when processing certain web requests can be exploited to cause a crash. SOLUTION: Apply updates (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-198239.htm http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-198240.htm
VAR-201212-0033 CVE-2012-4693 Siemens ProcessSuite/Invensys Wonderware InTouch Local Information Disclosure Vulnerability CVSS V2: 1.9
CVSS V3: -
Severity: LOW
Invensys Wonderware InTouch 2012 R2 and earlier and Siemens ProcessSuite use a weak encryption algorithm for data in Ps_security.ini, which makes it easier for local users to discover passwords by reading this file. Siemens ProcessSuite/Invensys Wonderware InTouch is the distributed control system "APACS". ProcessSuite is mostly used in manufacturing, oil and gas, and chemical fields. InTouch is an HMI software. Since the user management system containing the password is stored in the file "Ps_security.ini" in a reversible format, users with read access can exploit this vulnerability to obtain password information and log in as a privileged user, affecting system integrity, availability, and confidentiality. Successful attacks can allow a local attacker to gain unauthorized access to the password file. Information obtained may lead to further attacks.
VAR-201212-0166 CVE-2012-5991 Cisco Wireless LAN Controller Denial of Service Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201212-0237
CVSS V2: 6.3
CVSS V3: -
Severity: MEDIUM
screens/base/web_auth_custom.html on Cisco Wireless LAN Controller (WLC) devices with software 7.2.110.0 allows remote authenticated users to cause a denial of service (device reload) via a certain buttonClicked value in an internal webauth_type request, aka Bug ID CSCud50209. Cisco Wireless LAN Controller is prone to the following issues: 1. A cross-site request-forgery vulnerability 2. An HTML-injection vulnerability 3. A denial-of-service vulnerability. These issues are being tracked by Cisco Bug IDs: CSCud50283, CSCud65187, and CSCud50209. Exploiting these issues may allow a remote attacker to perform certain unauthorized actions, execute arbitrary script or HTML code within the context of the browser, steal cookie-based authentication credentials, and cause the application to crash, denying service to legitimate users.
----------------------------------------------------------------------
TITLE: Cisco Wireless Lan Controller Cross-Site Request Forgery Vulnerability
SECUNIA ADVISORY ID: SA51546
VERIFY ADVISORY: http://secunia.com/advisories/51546/
RELEASE DATE: 2012-12-14
DESCRIPTION: A vulnerability has been reported in Cisco Wireless Lan Controller, which can be exploited by malicious people to conduct cross-site request forgery attacks. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create an arbitrary user with administrative privileges if a logged-in administrative user visits a malicious web site. The vulnerability is reported in versions 5.x, 6.x, and 7.0 through 7.4.
SOLUTION: No official solution is currently available.
PROVIDED AND/OR DISCOVERED BY: Jacob Holcomb (Gimppy042)
ORIGINAL ADVISORY: http://infosec42.blogspot.dk/2012/12/cisco-wlc-csrf-dos-and-persistent-xss.html
VAR-201212-0167 CVE-2012-5992 Cisco Wireless LAN Controller Cross-Site Request Forgery Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201212-0237
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Wireless LAN Controller (WLC) devices with software 7.2.110.0 allow remote attackers to hijack the authentication of administrators for requests that (1) add administrative accounts via screens/aaa/mgmtuser_create.html or (2) insert XSS sequences via the headline parameter to screens/base/web_auth_custom.html, aka Bug ID CSCud50283. The Cisco Wireless LAN Controller (WLC) device contains a cross-site request forgery vulnerability. Because the Cisco Wireless LAN Controller does not adequately filter user-supplied input, unauthenticated remote attackers can exploit this vulnerability to build malicious URIs, entice users to open them, and perform malicious actions in the target user's context. Cisco Wireless LAN Controller is prone to the following issues: 1. A cross-site request-forgery vulnerability 2. An HTML-injection vulnerability 3. A denial-of-service vulnerability. These issues are being tracked by Cisco Bug IDs: CSCud50283, CSCud65187, and CSCud50209. Exploiting these issues may allow a remote attacker to perform certain unauthorized actions, execute arbitrary script or HTML code within the context of the browser, steal cookie-based authentication credentials, and cause the application to crash, denying service to legitimate users.
----------------------------------------------------------------------
TITLE: Cisco Wireless Lan Controller Cross-Site Request Forgery Vulnerability
SECUNIA ADVISORY ID: SA51546
VERIFY ADVISORY: http://secunia.com/advisories/51546/
RELEASE DATE: 2012-12-14
DESCRIPTION: A vulnerability has been reported in Cisco Wireless Lan Controller, which can be exploited by malicious people to conduct cross-site request forgery attacks. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create an arbitrary user with administrative privileges if a logged-in administrative user visits a malicious web site. The vulnerability is reported in versions 5.x, 6.x, and 7.0 through 7.4.
SOLUTION: No official solution is currently available.
PROVIDED AND/OR DISCOVERED BY: Jacob Holcomb (Gimppy042)
ORIGINAL ADVISORY: http://infosec42.blogspot.dk/2012/12/cisco-wlc-csrf-dos-and-persistent-xss.html
VAR-201212-0168 CVE-2012-6007 Cisco Wireless LAN Controller Cross-Site Scripting Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201212-0237
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in screens/base/web_auth_custom.html on Cisco Wireless LAN Controller (WLC) devices with software 7.2.110.0 allows remote authenticated users to inject arbitrary web script or HTML via the headline parameter, aka Bug ID CSCud65187, a different vulnerability than CVE-2012-5992. The issue is tracked as Bug ID CSCud65187. Cisco Wireless LAN Controller is prone to the following issues: 1. A cross-site request-forgery vulnerability 2. An HTML-injection vulnerability 3. A denial-of-service vulnerability. These issues are being tracked by Cisco Bug IDs: CSCud50283, CSCud65187, and CSCud50209. Exploiting these issues may allow a remote attacker to perform certain unauthorized actions, execute arbitrary script or HTML code within the context of the browser, steal cookie-based authentication credentials, and cause the application to crash, denying service to legitimate users. An authenticated remote attacker could exploit this vulnerability to perform a cross-site scripting attack by sending a specially crafted HTTP POST request to an affected target system.
----------------------------------------------------------------------
TITLE: Cisco Wireless Lan Controller Cross-Site Request Forgery Vulnerability
SECUNIA ADVISORY ID: SA51546
VERIFY ADVISORY: http://secunia.com/advisories/51546/
RELEASE DATE: 2012-12-14
DESCRIPTION: A vulnerability has been reported in Cisco Wireless Lan Controller, which can be exploited by malicious people to conduct cross-site request forgery attacks. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create an arbitrary user with administrative privileges if a logged-in administrative user visits a malicious web site. The vulnerability is reported in versions 5.x, 6.x, and 7.0 through 7.4.
SOLUTION: No official solution is currently available.
PROVIDED AND/OR DISCOVERED BY: Jacob Holcomb (Gimppy042)
ORIGINAL ADVISORY: http://infosec42.blogspot.dk/2012/12/cisco-wlc-csrf-dos-and-persistent-xss.html
VAR-201212-0241 CVE-2012-5680 Adobe Photoshop Camera Raw Vulnerable to buffer overflow CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in Adobe Photoshop Camera Raw before 7.3 allows attackers to execute arbitrary code via unspecified vectors. Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Successful exploits will compromise the affected application and possibly the underlying computer. Failed exploit attempts may cause a denial-of-service condition. Adobe Photoshop (PS) is image processing and drawing software from Adobe Corporation of the United States.
----------------------------------------------------------------------
TITLE: Adobe Camera Raw Plug-in TIFF Image Processing Two Vulnerabilities
SECUNIA ADVISORY ID: SA49929
VERIFY ADVISORY: http://secunia.com/advisories/49929/
RELEASE DATE: 2012-12-13
DESCRIPTION: Two vulnerabilities have been discovered in Adobe Camera Raw Plug-in, which can be exploited by malicious people to compromise a user's system. 1) An error in the "Camera Raw.8bi" plug-in when processing a LZW compressed TIFF image can be exploited to cause a heap-based buffer underflow via a specially crafted LZW code within an image row strip. 2) An integer overflow error in the "Camera Raw.8bi" plug-in when allocating memory during TIFF image processing can be exploited to cause a heap-based buffer overflow via specially crafted image dimensions. Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires tricking a user into opening or previewing a malicious file. The vulnerabilities are reported in the plug-in version 7.2 and prior, confirmed in: * Adobe Bridge CS6 version 5.0.0.399.
SOLUTION: Update the plug-in to version 7.3 via the application's update mechanism.
PROVIDED AND/OR DISCOVERED BY: 1) Francis Provencher via Secunia. 2) Dmitriy Pletnev, Secunia Research.
ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2012-31/ Adobe (APSB12-28): http://www.adobe.com/support/security/bulletins/apsb12-28.html
VAR-201212-0173 CVE-2012-5970 Huawei E585 pocket wifi 2 device contains multiple vulnerabilities CVSS V2: 6.1
CVSS V3: -
Severity: MEDIUM
The Huawei E585 device allows remote attackers to cause a denial of service (NULL pointer dereference and device outage) via crafted HTTP requests, as demonstrated by unspecified vulnerability-scanning software. The Huawei E585 pocket wifi 2 device contains multiple vulnerabilities which could allow an attacker to perform administrative functions on the device. Huawei E585 is a WiFi 3G wireless routing device. The device has a security vulnerability when parsing specific packets, such as packets sent by a vulnerability scanner. Huawei E585 is prone to a denial-of-service vulnerability, a directory-traversal vulnerability, and a security-bypass vulnerability. Attackers can exploit these issues to retrieve and overwrite arbitrary files, perform denial-of-service attacks, bypass certain security restrictions, and gain unauthorized access; this will aid in further attacks. Huawei E585 is a high-speed wireless network access modem produced by Huawei (China). Vulnerabilities exist in Huawei E585 devices.
----------------------------------------------------------------------
TITLE: Huawei E585 Management Interface Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA51596
VERIFY ADVISORY: http://secunia.com/advisories/51596/
RELEASE DATE: 2012-12-14
DESCRIPTION: Multiple vulnerabilities have been reported in Huawei E585, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, and cause a DoS (Denial of Service). 1) An error within the web management interface when validating the status of a logged in session can be exploited to bypass the authentication process. 2) An error within the web management interface when processing certain web requests can be exploited to access arbitrary files via directory traversal sequences.
SOLUTION: Apply updates (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-198239.htm http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-198240.htm
VAR-201212-0172 CVE-2012-5969 Huawei E585 pocket wifi 2 device contains multiple vulnerabilities CVSS V2: 4.8
CVSS V3: -
Severity: MEDIUM
Multiple directory traversal vulnerabilities on the Huawei E585 device allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the PATH_INFO of an sdcard/ request or (2) modify arbitrary files via a .. (dot dot) in the req_page parameter to en/sms.cgi. The Huawei E585 device contains a directory traversal vulnerability. By a third party (1) sdcard/ Request .. Huawei E585 is a WiFi 3G wireless routing device. This vulnerability cannot be exploited through the WAN side. Huawei E585 is prone to a denial-of-service vulnerability, a directory-traversal vulnerability, and a security-bypass vulnerability. Huawei E585 is a high-speed wireless network access modem produced by Huawei (China).
----------------------------------------------------------------------
TITLE: Huawei E585 Management Interface Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA51596
VERIFY ADVISORY: http://secunia.com/advisories/51596/
RELEASE DATE: 2012-12-14
DESCRIPTION: Multiple vulnerabilities have been reported in Huawei E585, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, and cause a DoS (Denial of Service). 1) An error within the web management interface when validating the status of a logged in session can be exploited to bypass the authentication process. 3) A NULL pointer dereference error within the web management interface when processing certain web requests can be exploited to cause a crash.
SOLUTION: Apply updates (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-198239.htm http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-198240.htm