VARIoT IoT vulnerabilities database

The BlackBerry PlayBook service on the Research In Motion (RIM) BlackBerry PlayBook tablet with software before 1.0.8.6067 allows local users to gain privileges via a crafted configuration file in a backup archive. The BlackBerry PlayBook Tablet is a tablet from BlackBerry. This service is used for file sharing on a tablet with a computer running BlackBerry desktop software via a USB connection. This vulnerability cannot be used by remote attackers, but can increase privileges. Local attackers can exploit this issue to gain elevated privileges on affected tablets. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: BlackBerry Tablet OS File Sharing Service Security Bypass Vulnerability SECUNIA ADVISORY ID: SA47132 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47132/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47132 RELEASE DATE: 2011-12-07 DISCUSS ADVISORY: http://secunia.com/advisories/47132/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47132/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47132 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in BlackBerry Tablet OS, which can be exploited by malicious, local users to bypass certain security restrictions. The vulnerability is caused due to an error in the File Sharing service when processing a backup archive file of the file system. The vulnerability is reported in versions 1.0.8.4985 and prior. SOLUTION: Update to version 1.0.8.6067. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://blackberry.com/btsc/KB29191 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Portech MV-372 has a WEB management verification bypass vulnerability. An attacker submits a malicious POST request without having to verify the username and password of the changed device: POST http://<device address>/change.cgi HTTP/1.1Host: <device address >User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 5.0) Gecko/20100101Firefox/5.0Accept: text/html, application/xhtml+xml, application/xml; q=0.9,*/*;q= 0.8Accept-Language: hu-hu, hu; q=0.8, en-us; q=0.5, en; q=0.3Accept-Encoding: gzip, deflateAccept-Charset: ISO-8859-2, utf-8; q= 0.7,*;q=0.7Connection: keep-aliveReferer: http://192.168.0.100/change.htmContent-Type: application/x-www-form-urlencodedContent-Length: 50Nuser=admin&Npass=admin&Nrpass=admin&submit=Submit to save These username and password changes can be submitted as follows: POST http://<device address>/save.cgiHost: <device address>User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 5.0) Gecko/20100101Firefox /5.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: hu-hu,hu;q=0.8,en-us;q=0.5 ,en;q=0.3Accept-E Ncoding: gzip, deflateAccept-Charset: ISO-8859-2, utf-8; q=0.7, *; q=0.7Connection: keep-aliveReferer: http://192.168.0.100/save.htmContent-Type: application/x -www-form-urlencodedContent-Length: 11submit=Save. Portech MV-372 is a VoIP network management device. The Portech MV-372 Telnet service has a remote denial of service vulnerability. Providing a very long password such as 5000 characters can cause the telnet service to crash. You need to restart the device for normal functions. The Portech MV-372 VoIP Gateway is prone to multiple security vulnerabilities. An attacker may leverage these issues to obtain potentially sensitive information, cause vulnerable devices to crash (resulting in a denial-of-service condition), or bypass certain security restrictions by sending a specially crafted HTTP POST request

IBM Rational Build Forge 7.1.2 relies on client-side JavaScript code to enforce the EditSecurity permission requirement for the Export Key File function, which allows remote authenticated users to read a key file by removing a disable attribute in the Security sub-menu. IBM Rational Build Forge is an automated process execution software that helps customers build, test and publish automated software. An information disclosure vulnerability exists in IBM Rational Build Forge that could allow an attacker to exploit sensitive information. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. A memory corruption vulnerability exists in Siemens SIMATIC WinCC Flexible. Due to an unspecified error in the tag emulator, an attacker can cause memory corruption by opening a specially crafted file, and the exploit can successfully execute arbitrary code. Remote attackers can exploit this issue to gain access to sensitive information that may aid in further attacks. Failed exploit attempts will likely result in denial-of-service conditions. The following versions are affected: The following products are affected: ProTool 6.0 SP3 WinCC flexible 2004 WinCC flexible 2005 WinCC flexible 2005 SP1 WinCC flexible 2007 WinCC flexible 2008 WinCC flexible 2008 SP1 WinCC flexible 2008 SP2. Successful exploitation of the vulnerability can execute arbitrary code. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Siemens SIMATIC WinCC Flexible Tag Simulator Memory Corruption Vulnerability SECUNIA ADVISORY ID: SA45770 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45770/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45770 RELEASE DATE: 2011-09-01 DISCUSS ADVISORY: http://secunia.com/advisories/45770/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45770/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45770 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Siemens SIMATIC WinCC Flexible, which can be exploited by malicious people to compromise a user's system. The vulnerability are reported in versions 2005 SP1, 2007, 2008, 2008 SP1, and 2008 SP2. SOLUTION: Apply patches. Please see vendor's advisory for details. PROVIDED AND/OR DISCOVERED BY: Billy Rios and Terry McCorkle via ICS-CERT. ORIGINAL ADVISORY: Siemens: http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=50182361 ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-11-175-02.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . The security issue is caused due to the web application not checking the "EditSecurity" permissions when performing certain actions. This can be exploited to e.g. export a key file from the security sub-menu

The GENESIS32 IcoSetServer ActiveX control in ICONICS GENESIS32 9.21 and BizViz 9.21 configures the trusted zone on the basis of user input, which allows remote attackers to execute arbitrary code via a crafted web site, related to a "Workbench32/WebHMI component SetTrustedZone Policy vulnerability.". ICONICS is a company specializing in providing OPC-based visualization software. GENESIS32 is prone to a remote security vulnerability. Failed exploit attempts will likely cause denial-of-service conditions. This may potentially allow for the execution of arbitrary code. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: ICONICS IcoSetServer ActiveX Control Trusted Zone Policy Manipulation SECUNIA ADVISORY ID: SA45847 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45847/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45847 RELEASE DATE: 2011-09-02 DISCUSS ADVISORY: http://secunia.com/advisories/45847/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45847/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45847 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in the ICONICS IcoSetServer ActiveX Control, which can be exploited by malicious people to manipulate certain data. The vulnerability is reported in version 9.21. Other versions may also be affected. SOLUTION: Apply patch or update to version 9.22. PROVIDED AND/OR DISCOVERED BY: Billy Rios and Terry McCorkle via ICS-CERT. ORIGINAL ADVISORY: ICONICS: http://www.iconics.com/certs ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-11-182-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Parallels Plesk Panel is prone to multiple cross-site scripting vulnerabilities and SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

WellinTech KingSCADA 3.0 uses a cleartext base64 format for storage of passwords in user.db, which allows context-dependent attackers to obtain sensitive information by reading this file. KingSCADA is a SCADA product for the high and mid-end markets. KingSCADA stores the password in the user64 file in Base64 format, and the user can easily decode and access the SCADA server. KingSCADA is prone to a remote information-disclosure vulnerability. Remote attackers can exploit this issue to obtain the password of the affected device. KingSCADA 3.0 is vulnerable; other versions may also be affected

HTC HD7 is a mobile phone equipped with Windows Phone platform. HTC HD7 has an error in the HTCUtility.dll driver when processing 0x9020002C IOCTL. An attacker can exploit the vulnerability to read data from any kernel memory or write data to any kernel memory. HTC HD7 is prone to a security-bypass vulnerability. This may allow the attacker to execute code in the context of kernel by bypassing security restrictions

Multiple buffer overflows in 7-Technologies (7T) Interactive Graphical SCADA System (IGSS) 9.0.0.11355 and earlier allow remote attackers to execute arbitrary code or cause a denial of service via a crafted packet to TCP port (1) 12397 or (2) 12399. The 7T Interactive Graphical SCADA System is an automated monitoring and control system. This vulnerability can be triggered by sending more than a specially crafted data message to TCP 12399 or 12397. 7-Technologies Interactive Graphical SCADA System is prone to a buffer-overflow vulnerability. Failed exploit attempts likely result in denial-of-service conditions. 7-Technologies Interactive Graphical SCADA System 9.0.0.11355 and prior versions are vulnerable

The modbus_125_handler function in the Schneider Electric Quantum Ethernet Module on the NOE 771 device (aka the Quantum 140NOE771* module) allows remote attackers to install arbitrary firmware updates via a MODBUS 125 function code to TCP port 502. Modbus is a communication protocol that defines the message structure that the controller can recognize and use. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Schneider Electric Ethernet Modules Undocumented Account Security Issues SECUNIA ADVISORY ID: SA47019 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47019/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47019 RELEASE DATE: 2011-12-14 DISCUSS ADVISORY: http://secunia.com/advisories/47019/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47019/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47019 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Ruben Santamarta has reported some security issues in multiple Schneider Electric modules, which can be exploited by malicious people to bypass certain security restrictions. 1) The Telnet service contains undocumented hardcoded credentials, which can be exploited to gain access to the service and e.g. 2) The Windriver Debug service contains undocumented hardcoded credentials, which can be exploited to gain access to the service and e.g. 3) The FTP service contains undocumented hardcoded credentials, which can be exploited to gain access to the service and e.g. modify HTTP passwords and upload malicious firmware. Please see the ICS-CERT's advisory for a list of affected products and versions. SOLUTION: Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: Ruben Santamarta ORIGINAL ADVISORY: Ruben Santamarta: http://reversemode.com/index.php?option=com_content&task=view&id=80&Itemid=1 ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-346-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The GE Energy D20/D200 Substation Controller has multiple security vulnerabilities that allow malicious users to disclose sensitive information and control devices. There is an unspecified error in the TFTP service, and a remote attacker can exploit the vulnerability to obtain sensitive information or execute arbitrary code. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: GE Energy D20/D200 Substation Controller TFTP Service Two Vulnerabilities SECUNIA ADVISORY ID: SA47632 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47632/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47632 RELEASE DATE: 2012-01-20 DISCUSS ADVISORY: http://secunia.com/advisories/47632/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47632/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47632 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in GE Energy D20/D200 Substation Controller, which can be exploited by malicious people to disclose sensitive information and compromise a vulnerable device. SOLUTION: Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: ICS-CERT credits Reid Wightman via Digital Bond\x92s SCADA Security Scientific Symposium (S4). ORIGINAL ADVISORY: ICS-CERT (ICS-ALERT-12-019-01): http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-019-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Advantech BroadWin is a fully browser-based Human Machine Interface (HMI) and Monitoring and Data Acquisition (SCADA) house arrest. The \"CloseFile()\" method (bwocxrun.ocx) has an error when the BroadWin WebAccess client handles opening a file descriptor. Passing an arbitrary integer value to the \"fpt\" method can cause memory corruption. Successful exploitation of a vulnerability can execute arbitrary code in the context of an application. BroadWin WebAccess Client is prone to multiple remote vulnerabilities, including: 1. A format-string vulnerability 2. Failed exploit attempts will likely result in denial-of-service conditions. BroadWin WebAccess Client 7.0 is vulnerable; other verisons may also bea ffected. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: BroadWin WebAccess Client Bwocxrun ActiveX Control Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45820 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45820/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45820 RELEASE DATE: 2011-09-02 DISCUSS ADVISORY: http://secunia.com/advisories/45820/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45820/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45820 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Luigi Auriemma has discovered multiple vulnerabilities in BroadWin WebAccess Client, which can be exploited by malicious people to compromise a user's system. Other versions may also be affected. SOLUTION: Set the kill-bit for the affected ActiveX control. PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma ORIGINAL ADVISORY: http://aluigi.altervista.org/adv/bwocxrun_1-adv.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Heap-based buffer overflow in Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long request. When the software runs the project, it will listen to the 12233 port to process the special \"EIDP\" protocol, and submit a special \"EIDP\" message (the field is too large) through the WEB service to crash the service program. Movicon is an Italian HMI/SCADA software. When the software runs the project, it will listen to port 808 to receive the HTTP request. The server incorrectly processes the negative Content-Length field to trigger the heap-based buffer overflow. The memory can be destroyed by \"memcpy(heap_buffer, input, content_length_size)\". In addition, submitting an incoming HTTP request containing 8192 bytes can trigger a heap-based overflow. Movicon is prone to multiple heap-based buffer-overflow vulnerabilities and a denial-of-service vulnerability. Movicon 11.2 Build 1085 is vulnerable; other versions may also be affected

Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote attackers to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via an EIDP packet with a large size field, which writes a zero byte to an arbitrary memory location. When the software runs the project, it will listen to the 12233 port to process the special \"EIDP\" protocol, and submit a special \"EIDP\" message (the field is too large) through the WEB service to crash the service program. Movicon is an Italian HMI/SCADA software. When the software runs the project, it will listen to port 808 to receive the HTTP request. The server incorrectly processes the negative Content-Length field to trigger the heap-based buffer overflow. The memory can be destroyed by \"memcpy(heap_buffer, input, content_length_size)\". In addition, submitting an incoming HTTP request containing 8192 bytes can trigger a heap-based overflow. Movicon is prone to multiple heap-based buffer-overflow vulnerabilities and a denial-of-service vulnerability. Movicon 11.2 Build 1085 is vulnerable; other versions may also be affected

Heap-based buffer overflow in Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative Content-Length field. When the software runs the project, it will listen to the 12233 port to process the special \"EIDP\" protocol, and submit a special \"EIDP\" message (the field is too large) through the WEB service to crash the service program. Movicon is an Italian HMI/SCADA software. When the software runs the project, it will listen to port 808 to receive the HTTP request. The memory can be destroyed by \"memcpy(heap_buffer, input, content_length_size)\". In addition, submitting an incoming HTTP request containing 8192 bytes can trigger a heap-based overflow. Movicon is prone to multiple heap-based buffer-overflow vulnerabilities and a denial-of-service vulnerability. Movicon 11.2 Build 1085 is vulnerable; other versions may also be affected

Beckhoff TwinCAT 2.11.0.2004 and earlier allows remote attackers to cause a denial of service via a crafted request to UDP port 48899, which triggers an out-of-bounds read. Beckhoff TwinCAT is a PC-based software solution that provides complete CNC functionality. TwinCAT is prone to a denial-of-service vulnerability. Attackers can exploit this issue to crash the application, denying service to legitimate users. TwinCAT 2.11 R2 Build 2032 is vulnerable. Other versions may also be affected

RnaUtility.dll in RsvcHost.exe 2.30.0.23 in Rockwell RSLogix 19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted rna packet with a long string to TCP port 4446 that triggers (1) "a memset zero overflow" or (2) an out-of-bounds read, related to improper handling of a 32-bit size field. RSLinx Classic connects RSLogix and RSNetWorx products to Rockwell Automation networks and devices, and is also an OPC server. RsvcHost.exe and RNADiagReceiver.exe listen to 4446 and other ports. Rockwell RSLogix is a programming software for industrial automation. An attacker could exploit this vulnerability to execute arbitrary code for an attack. RSLogix is prone to a denial-of-service vulnerability. Attackers can exploit this issue to crash the application, denying service to legitimate users. RSLogix 5000 is vulnerable. Other versions may also be affected. A buffer overflow vulnerability exists in RnaUtility.dll in RsvcHost.exe version 2.30.0.23 of Rockwell RSLogix 19 and earlier

The H3C ER5100 is an enterprise-class dual-core broadband router. The H3C ER5100 Enterprise Broadband Router web management page has a verification vulnerability. Unauthorized visitors can modify, restart, and view most system configurations. The H3C ER5100 is prone to a remote authentication-bypass vulnerability. Attackers can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: H3C ER5100 Router Web Interface Authentication Bypass Vulnerability SECUNIA ADVISORY ID: SA44969 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44969/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44969 RELEASE DATE: 2011-06-23 DISCUSS ADVISORY: http://secunia.com/advisories/44969/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44969/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44969 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: 128bit has reported a vulnerability in H3C ER5100 Router, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error in the authentication mechanism of the administrative web interface. This can be exploited to bypass authentication checks and gain access to the administrative interface by e.g. appending "userLogin.asp" to the URL. SOLUTION: Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: 128bit ORIGINAL ADVISORY: http://www.wooyun.org/bugs/wooyun-2010-02268 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Barracuda Backup Service is a network backup solution. Barracudas Backup v2.x has multiple persistent input validation vulnerabilities, local low privileged user accounts or remote attackers (using user interaction) can implement/inject malicious persistent script code (Java/HTML) that can lead to sensitive information disclosure , access the intranet available server and operate part of the content. Affected Module: [+] E-Mail Message Browser - Filter[+] Expressions[+] Exclsuion Rules Image: ../ive1.png../ive2.png../ive3.png../ive4.png. Barracuda Backup Service is prone to multiple vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Successful exploits will allow attacker-supplied HTML or script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible

SAP Web Application Server (sometimes called WebAS) is the runtime environment for SAP applications - all mySAP Business Suite solutions (SRM, CRM, SCM, PLM, ERP) run on SAP WebAS. The SAP Web Application Server provides access to multiple services through the WEB engine, namely the SAP Internet Communication Framework (ICM). The SHORTCUT ICF service is a dangerous feature that can be performed anonymously by third-party programs for client attacks on end users. In addition, this service includes a parameter injection vulnerability that allows the attacker to gain further control over the system. There are currently no detailed details of the vulnerability provided. SAP WebAS is prone to a remote command injection vulnerability An attacker can exploit this issue inject arbitrary commands into the affected application and take over the generation of SAP shortcuts

The D-Link DNS-320 is a storage device for small business users. D-Link ShareCenter DNS-320 manages the authentication mechanism of the WEB interface. It can be used to bypass the verification check and perform shutdown or restart operations. D-Link DNS-320 ShareCenter is prone to an authentication-bypass vulnerability. Attackers can exploit this issue to connect to the affected device without authentication. This may aid in further attacks. D-Link DNS-320 ShareCenter firmware 2.00b06 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: D-Link ShareCenter DNS-320 Authentication Bypass Vulnerability SECUNIA ADVISORY ID: SA47070 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47070/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47070 RELEASE DATE: 2011-12-08 DISCUSS ADVISORY: http://secunia.com/advisories/47070/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47070/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47070 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in D-Link ShareCenter DNS-320, which can be exploited by malicious people to bypass certain security restrictions. This can be exploited to bypass authentication checks and e.g. restart or shutdown the device. SOLUTION: Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: rigan OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------