VARIoT IoT vulnerabilities database


VAR-202104-1989 No CVE Many wireless controllers of Maipu Communication Technology Co., Ltd. have weak password vulnerabilities
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Maipu Communication Technology Co., Ltd. was established in 1993. It is a leading supplier of network products and solutions in China and one of the four major domestic network equipment manufacturers supported by the Ministry of Industry and Information Technology. Many wireless controllers of Maipu Communication Technology Co., Ltd. have weak password vulnerabilities, which can be exploited by attackers to obtain sensitive information.

VAR-202104-1990 No CVE A SQL injection vulnerability exists in the backup management server of Hangzhou Hikvision Digital Technology Co., Ltd.
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Hikvision is a video-centric IoT solution provider, providing comprehensive security, smart business and big data services. The backup management server of Hangzhou Hikvision Digital Technology Co., Ltd. has a SQL injection vulnerability. Attackers can use the vulnerability to obtain sensitive database information.

VAR-202104-1991 No CVE Tenda AC9 has a denial of service vulnerability (CNVD-2021-17400)
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
AC9 is a 1200M 11AC wireless router with Gigabit Ethernet ports launched by Shenzhen Jixiang Tengda Technology Co., Ltd. in 2016. Tenda AC9 has a denial of service vulnerability, which an attacker can exploit to cause a denial of service.

VAR-202104-2041 No CVE Multiple Huawei CloudEngine products have a double-free (pointer released repeatedly) vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Huawei CloudEngine 12800 and other products are products of China's Huawei company. Huawei CloudEngine 12800 is a 12800 series data center switch. Huawei CloudEngine 5800 is a 5800 series data center switch. Huawei CloudEngine 6800 is a 6800 series data center switch. Multiple Huawei CloudEngine products have a double-free vulnerability: by performing malicious operations, an attacker can cause a pointer to be released repeatedly, crashing the affected module and disrupting normal functions.

VAR-202104-0530 CVE-2020-6590 Forcepoint Web Security Content Gateway XML External Entity (XXE) vulnerability
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Forcepoint Web Security Content Gateway versions prior to 8.5.4 improperly process XML input, leading to information disclosure.

VAR-202104-0010 CVE-2020-13534 Dream Report privilege management vulnerability
CVSS V2: 6.8
CVSS V3: 7.8
Severity: HIGH
A privilege escalation vulnerability exists in Dream Report 5 R20-2. COM Class Identifiers (CLSIDs) installed by Dream Report 5 20-2 reference LocalServer32 and InprocServer32 entries with weak privileges, which can lead to privilege escalation when they are used. An attacker can provide a malicious file to trigger this vulnerability. Dream Report contains a privilege management vulnerability: information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. Ocean Data Systems Dream Report 5 R20-2 is application software from Ocean Data Systems of France, a real-time reporting and charting solution.

VAR-202104-0013 CVE-2020-14104 Xiaomi router AX3600 race condition vulnerability
CVSS V2: 6.8
CVSS V3: 8.1
Severity: HIGH
A race condition on XQBACKUP causes a decompression path error on the Xiaomi router AX3600 with ROM version =1.0.50. The Xiaomi router AX3600 is vulnerable to a race condition: information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result.

VAR-202104-0012 CVE-2020-14103 Xiaomi 10 MIUI unspecified vulnerability
CVSS V2: 4.3
CVSS V3: 5.5
Severity: MEDIUM
An application on the mobile phone can read the SNO information of the device, Xiaomi 10 MIUI < 2020.01.15. Xiaomi 10 MIUI contains an unspecified vulnerability; information may be obtained.

VAR-202104-0015 CVE-2020-14106 Xiaomi mobile phone MIUI authentication vulnerability
CVSS V2: 4.3
CVSS V3: 5.5
Severity: MEDIUM
An application on the mobile phone can gain unauthorized access to the list of running processes on the phone, Xiaomi Mobile Phone MIUI < 2021.01.26.

VAR-202104-0009 CVE-2020-13533 Dream Report incorrect default permissions vulnerability
CVSS V2: 4.4
CVSS V3: 7.8
Severity: HIGH
A privilege escalation vulnerability exists in Dream Report 5 R20-2. In the default configuration, the following registry keys, which reference binaries with weak permissions, can be abused by attackers to effectively 'backdoor' the installation files and escalate privileges when a new user logs in and uses the application. Dream Report is vulnerable to incorrect default permissions: information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. Ocean Data Systems Dream Report 5 R20-2 is application software from Ocean Data Systems of France, a real-time reporting and charting solution.

VAR-202104-0008 CVE-2020-13532 Dream Report incorrect default permissions vulnerability
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
A privilege escalation vulnerability exists in Dream Report 5 R20-2. In the default configuration, the Syncfusion Dashboard Service service binary can be replaced by attackers to escalate privileges to NT SYSTEM. An attacker can provide a malicious file to trigger this vulnerability. Dream Report is vulnerable to incorrect default permissions: information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. Ocean Data Systems Dream Report 5 R20-2 is application software from Ocean Data Systems of France, a real-time reporting and charting solution.

VAR-202104-0410 CVE-2021-22393 Denial of service vulnerability in multiple Huawei CloudEngine products
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
There is a denial of service vulnerability in some versions of CloudEngine 5800, CloudEngine 6800, CloudEngine 7800 and CloudEngine 12800. Because of a module design weakness, the affected product cannot handle some messages. Attackers can exploit this vulnerability by sending a large number of specific messages to cause a denial of service, compromising normal service. Huawei CloudEngine 12800 and other products are products of China's Huawei company. Huawei CloudEngine 12800 is a 12800 series data center switch. Huawei CloudEngine 5800 is a 5800 series data center switch. Huawei CloudEngine 6800 is a 6800 series data center switch.

VAR-202104-1594 CVE-2021-28686 ASUS GPUTweak II buffer error vulnerability
CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow low-privileged users to trigger a stack-based buffer overflow. This could enable low-privileged users to achieve a denial of service via a DeviceIoControl call. No further information about this vulnerability is currently available; follow CNNVD or manufacturer announcements. ASUS GPUTweak II is a driver of ASUS Corporation in China.

VAR-202104-1593 CVE-2021-28685 Pillow buffer error vulnerability
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow low-privileged users to interact directly with physical memory (by calling one of several driver routines that map physical memory into the virtual address space of the calling process) and to interact with MSR registers. This could enable low-privileged users to achieve NT AUTHORITY\SYSTEM privileges via a DeviceIoControl call. No further information about this vulnerability is currently available; follow CNNVD or manufacturer announcements. ASUS GPUTweak II is a driver of ASUS Corporation in China. ASUS GPUTweak II versions before 2.3.0.3, which is used to drive more FPS, have a buffer error vulnerability.

VAR-202104-0460 CVE-2021-1414 Multiple Cisco RV Dual WAN Gigabit VPN Routers untrusted data deserialization vulnerability
CVSS V2: 6.5
CVSS V3: 6.3
Severity: MEDIUM
Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code with elevated privileges equivalent to the web service process on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device. Multiple Cisco RV Dual WAN Gigabit VPN Routers contain a deserialization-of-untrusted-data vulnerability: information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of JSON-RPC requests: when parsing the usmUserPrivKey property, the process does not properly validate a user-supplied string before using it to execute a system call.

VAR-202104-0461 CVE-2021-1415 Multiple Cisco Dual WAN Gigabit VPN Routers untrusted data deserialization vulnerability
CVSS V2: 6.5
CVSS V3: 6.3
Severity: MEDIUM
Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code with elevated privileges equivalent to the web service process on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device. Multiple Cisco Dual WAN Gigabit VPN Routers contain a deserialization-of-untrusted-data vulnerability: information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of JSON-RPC requests: when parsing the usmUserEngineID property, the process does not properly validate a user-supplied string before using it to execute a system call.

VAR-202104-0459 CVE-2021-1413 Multiple Cisco RV Dual WAN Gigabit VPN Routers untrusted data deserialization vulnerability
CVSS V2: 6.5
CVSS V3: 6.3
Severity: MEDIUM
Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code with elevated privileges equivalent to the web service process on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device. Multiple Cisco RV Dual WAN Gigabit VPN Routers contain a deserialization-of-untrusted-data vulnerability: information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of JSON-RPC requests: when parsing the usmUserAuthKey property, the process does not properly validate a user-supplied string before using it to execute a system call.

VAR-202104-1993 No CVE DIR-878 AC1900 MU-MIMO dual-band Gigabit wireless router has a denial of service vulnerability
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
D-Link Electronic Equipment (Shanghai) Co., Ltd. provides high-quality network solutions for consumers and enterprises of all sizes. The DIR-878 AC1900 MU-MIMO dual-band Gigabit wireless router has a denial of service vulnerability. Attackers can exploit it by sending constructed data packets (directed at a specific destination address; any packet type works, including TCP/UDP/ICMP) to cause a denial of service on the target router and on the upstream operator's router.

VAR-202104-0318 CVE-2021-20480 IBM WebSphere Application Server server-side request forgery vulnerability
CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
IBM WebSphere Application Server 7.0, 8.0, and 8.5 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 197502. The vendor has published this vulnerability as IBM X-Force ID: 197502; information may be obtained. This product is a platform for Java EE and web service applications, as well as the foundation of the IBM WebSphere software platform. There is a security vulnerability in WebSphere AS. No further information about this vulnerability is currently available; follow CNNVD or manufacturer announcements.

VAR-202104-1584 CVE-2021-26709 D-Link DSL-320B-D1 buffer overflow vulnerability

Related entries in the VARIoT exploits database: VAR-E-201710-0003
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
D-Link DSL-320B-D1 devices through EU_1.25 are prone to multiple stack-based buffer overflows that allow unauthenticated remote attackers to take over a device via the login.xgi user and pass parameters. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The D-Link DSL-320B is an Ethernet modem of D-Link Corporation in Taiwan.

Multiple Pre-Auth Stack Buffer Overflow in D-Link DSL-320B-D1 ADSL Modem

======== < Table of Contents > =========================================
0. Overview
1. Details
2. Solution
3. Disclosure Timeline
4. Thanks & Acknowledgements
5. References
6. Credits
7. Legal Notices

======== < 0. Overview > ===============================================
Severity: Critical
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-ID: CVE-2021-26709
Vendor: D-Link
Affected Products: DSL-320B-D1
Affected Versions: EU_1.25 and lower

======== < 1. Details > ================================================
During a penetration test it was possible to identify and exploit multiple stack buffer overflows (1) in the D-Link DSL-320B-D1 ADSL modem, a now legacy model, which was distributed in the past by Telecom Italia on loan for use together with the residential ADSL line.

The vulnerabilities are present in the login functionality, exposed by "login.xgi" with the "user" and "pass" parameters.

[[
GET /login.xgi?user=" + payload + "&pass=abcde HTTP/1.1\nHost: " + host + "\n\n"
]]

To exploit the vulnerability using the "user" parameter, you need to construct the payload like the following:

[[
OFFSET = 652
ADDR = 0x7ffe8ab0
payload = "A"*OFFSET
payload += pack(">I", ADDR)
payload += shellcode
]]

The "pass" parameter uses 641 as offset. The payload must be passed as the parameter value in a GET request.

You can find a working shellcode here: https://www.exploit-db.com/shellcodes/45541
You will have to change the ip/port to match your network configuration.

Using ROP it is possible to avoid using the hardcoded addresses.

======== < 2. Solution > ===============================================
Refer to D-Link Support Announcement "SAP10216" for details (2).

======== < 3. Disclosure Timeline > ====================================
09/01/2021 : Discovery of the vulnerability
23/01/2021 : Vulnerability submitted to vendor
25/01/2021 : Vendor requests more info about exploiting the vulnerabilities
27/01/2021 : Sent details to vendor
01/02/2021 : Requested status update from the vendor
13/02/2021 : Sent CVE assigned by MITRE to vendor
13/02/2021 : Vendor response, analysis in progress
30/03/2021 : Requested status update from the vendor
30/03/2021 : Vendor confirms the vulnerabilities
07/04/2021 : Public disclosure

======== < 4. Thanks & Acknowledgements > ==============================
D-Link US SIRT

======== < 5. References > =============================================
(1) https://cwe.mitre.org/data/definitions/121.html
(2) https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10216
(3) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26709

======== < 6. Credits > ================================================
This vulnerability was discovered and reported by:
Gabriele 'matrix' Gristina (gabriele DOT gristina AT gmail DOT com)
Contacts:
https://www.linkedin.com/in/gabrielegristina
https://twitter.com/gm4tr1x
https://github.com/matrix/

======== < 7. Legal Notices > ==========================================
Copyright (c) 2021 Gabriele 'matrix' Gristina
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without my express written consent. If you wish to reprint the whole or any part of this alert in any medium other than electronically, please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.