VARIoT IoT vulnerabilities database
| VAR-202009-1150 | CVE-2020-3527 | Cisco Catalyst 9200 Series Switches Polaris kernel resource exhaustion vulnerability |
CVSS V2: 7.8 CVSS V3: 8.6 Severity: HIGH |
A vulnerability in the Polaris kernel of Cisco Catalyst 9200 Series Switches could allow an unauthenticated, remote attacker to crash the device. The vulnerability is due to insufficient packet size validation. An attacker could exploit this vulnerability by sending jumbo frames or frames larger than the configured MTU size to the management interface of this device. A successful exploit could allow the attacker to crash the device fully before an automatic recovery.
| VAR-202009-1128 | CVE-2020-3417 | Cisco IOS XE Software OS command injection vulnerability |
CVSS V2: 7.2 CVSS V3: 6.7 Severity: MEDIUM |
A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker to execute persistent code at boot time and break the chain of trust. This vulnerability is due to incorrect validations by boot scripts when specific ROM monitor (ROMMON) variables are set. An attacker could exploit this vulnerability by installing code to a specific directory in the underlying operating system (OS) and setting a specific ROMMON variable. A successful exploit could allow the attacker to execute persistent code on the underlying OS. To exploit this vulnerability, the attacker would need access to the root shell on the device or have physical access to the device. Both Cisco IOS and IOS XE are Cisco products; the CLI is the command-line interface of those products.
| VAR-202009-1163 | CVE-2020-3479 | Cisco IOS and IOS XE Software resource exhaustion vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: High |
A vulnerability in the implementation of Multiprotocol Border Gateway Protocol (MP-BGP) for the Layer 2 VPN (L2VPN) Ethernet VPN (EVPN) address family in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to incorrect processing of Border Gateway Protocol (BGP) update messages that contain crafted EVPN attributes. An attacker could exploit this vulnerability by sending BGP update messages with specific, malformed attributes to an affected device. A successful exploit could allow the attacker to cause an affected device to crash, resulting in a DoS condition.
| VAR-202009-1161 | CVE-2020-3477 | Cisco IOS and Cisco IOS XE Software input validation vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
A vulnerability in the CLI parser of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, local attacker to access files from the flash: filesystem. The vulnerability is due to insufficient application of restrictions during the execution of a specific command. An attacker could exploit this vulnerability by using a specific command at the command line. A successful exploit could allow the attacker to obtain read-only access to files that are located on the flash: filesystem that otherwise might not have been accessible.
| VAR-202009-1159 | CVE-2020-3475 | Cisco IOS XE Software privilege management vulnerabilities |
CVSS V2: 5.5 CVSS V3: 8.1 Severity: High |
Multiple vulnerabilities in the web management framework of Cisco IOS XE Software could allow an authenticated, remote attacker with read-only privileges to gain unauthorized read access to sensitive data or cause the web management software to hang or crash, resulting in a denial of service (DoS) condition. For more information about these vulnerabilities, see the Details section of this advisory. Cisco IOS XE Software contains a privilege management vulnerability. Information may be obtained and a denial of service (DoS) state may result.
| VAR-202009-1134 | CVE-2020-3426 | Cisco IOS Software for Cisco 800 Series Industrial Integrated Services Routers and Cisco 1000 Series Connected Grid Routers privilege management vulnerability |
CVSS V2: 6.4 CVSS V3: 9.1 Severity: Critical |
A vulnerability in the implementation of the Low Power, Wide Area (LPWA) subsystem of Cisco IOS Software for Cisco 800 Series Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data or cause a denial of service (DoS) condition. The vulnerability is due to a lack of input and validation checking mechanisms for virtual-LPWA (VLPWA) protocol modem messages. An attacker could exploit this vulnerability by supplying crafted packets to an affected device. A successful exploit could allow the attacker to gain unauthorized read access to sensitive data or cause the VLPWA interface of the affected device to shut down, resulting in a DoS condition.
| VAR-202009-1125 | CVE-2020-3409 | Cisco IOS and IOS XE Software resource exhaustion vulnerability |
CVSS V2: 6.1 CVSS V3: 7.4 Severity: High |
A vulnerability in the PROFINET feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause an affected device to crash and reload, resulting in a denial of service (DoS) condition on the device. The vulnerability is due to insufficient processing logic for crafted PROFINET packets that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted PROFINET packets to an affected device for processing. A successful exploit could allow the attacker to cause the device to crash and reload, resulting in a DoS condition on the device.
| VAR-202009-1124 | CVE-2020-3408 | Cisco IOS and IOS XE Software resource exhaustion vulnerability |
CVSS V2: 7.8 CVSS V3: 8.6 Severity: High |
A vulnerability in the Split DNS feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability occurs because the regular expression (regex) engine that is used with the Split DNS feature of affected releases may time out when it processes the DNS name list configuration. An attacker could exploit this vulnerability by trying to resolve an address or hostname that the affected device handles. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
| VAR-202009-1530 | CVE-2020-8348 | Lenovo Enterprise Network Disk Cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
A DOM-based cross-site scripting (XSS) vulnerability was reported in Lenovo Enterprise Network Disk prior to version 6.1 patch 6 hotfix 4 that could allow execution of code in an authenticated user's current browser session if a crafted URL is visited, possibly through phishing. Lenovo Enterprise Network Disk is an enterprise network disk service provided by Lenovo (China), used for network data storage.
| VAR-202009-1529 | CVE-2020-8347 | Lenovo Enterprise Network Disk Cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
A reflected cross-site scripting (XSS) vulnerability was reported in Lenovo Enterprise Network Disk prior to version 6.1 patch 6 hotfix 4 that could allow execution of code in an authenticated user's browser if a crafted URL is visited, possibly through phishing. Lenovo Enterprise Network Disk is an enterprise network disk service provided by Lenovo (China), used for network data storage.
| VAR-202009-1519 | CVE-2020-6020 | Check Point Security Management Internal CA web management input validation vulnerability |
CVSS V2: 7.4 CVSS V3: 6.4 Severity: MEDIUM |
Check Point Security Management's Internal CA web management before Jumbo HFAs R80.10 Take 278, R80.20 Take 160, R80.30 Take 210, and R80.40 Take 38, can be manipulated to run commands as a high privileged user or crash, due to weak input validation on inputs by a trusted management administrator. The platform can specify a unified management strategy to achieve efficient management of the cloud platform. The vulnerability is caused by weak input validation on Windows, which allows an attacker to run programs as a high-privileged user.
| VAR-202009-1436 | CVE-2020-7121 | Multiple Aruba CX switch series buffer error vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Two memory corruption vulnerabilities in the Aruba CX Switches Series 6200F, 6300, 6400, 8320, 8325, and 8400 have been found. Successful exploitation of these vulnerabilities could result in Local Denial of Service of the LLDP (Link Layer Discovery Protocol) process in the switch. This applies to firmware versions prior to 10.04.3021. A buffer error vulnerability exists in multiple Aruba CX switch series. A denial of service (DoS) state may result.
| VAR-202009-0281 | CVE-2020-14022 | Ozeki NG SMS Gateway unrestricted upload of dangerous file type vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
Ozeki NG SMS Gateway 4.17.1 through 4.17.6 does not check the file type when bulk importing new contacts ("Import Contacts" functionality) from a file. It is possible to upload an executable or .bat file that can be executed with the help of a functionality (e.g. the "Application Starter" module) within the application. Ozeki NG SMS Gateway is vulnerable to unrestricted upload of files with dangerous types. Information may be obtained, information may be tampered with, and a denial of service (DoS) state may result. Ozeki NG SMS Gateway is software that allows you to access mobile networks through your computer. The program can convert incoming e-mails to SMS and send them to a mobile phone. Ozeki NG SMS Gateway is very reliable and operates 24 hours a day, 7 days a week. Its main functions are: (1) sending and receiving messages in both directions (phone to system, system to phone); (2) support for various desktop e-mail and webmail applications; (3) a server component that stores the SMS messages it sends and receives; (4) support for multiple devices, etc. Ozeki NG SMS Gateway versions 4.17.1 to 4.17.6 have security vulnerabilities. This vulnerability stems from the fact that the file type is not verified when uploading contact lists in batches.
| VAR-202009-0599 | CVE-2020-16242 | GE Reason S20 series multiple cross-site scripting vulnerabilities |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: Medium |
The affected Reason S20 Ethernet Switch is vulnerable to cross-site scripting (XSS), which may allow an attacker to trick application users into performing critical application actions that include, but are not limited to, adding and updating accounts. The Reason S20 series is an industrial managed Ethernet switch provided by General Electric. The Reason S20 series has several vulnerabilities:
* Cross-site scripting (CWE-79) - CVE-2020-16242
* Cross-site scripting (CWE-79) - CVE-2020-16246
The expected impact depends on each vulnerability, but may include the following.
- CVE-2020-16242: A remote third party can use cross-site scripting to execute arbitrary scripts in the user's web browser.
- CVE-2020-16246
| VAR-202009-0841 | CVE-2020-25599 | Xen race condition vulnerability |
CVSS V2: 4.4 CVSS V3: 7.0 Severity: HIGH |
An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory accesses or triggering of bug checks. In particular, x86 PV guests may be able to elevate their privilege to that of the host. Host and guest crashes are also possible, leading to a Denial of Service (DoS). Information leaks cannot be ruled out. All Xen versions from 4.5 onwards are vulnerable. Xen versions 4.4 and earlier are not vulnerable. Xen is vulnerable to a race condition. Information may be obtained, information may be tampered with, and a denial of service (DoS) state may result. Xen is an open source virtual machine monitor product from the University of Cambridge in the United Kingdom. The product can make different and incompatible operating systems run on the same computer, and supports migration during runtime, ensuring normal operation and avoiding downtime. The vulnerability stems from EVTCHNOP_reset or XEN_DOMCTL_soft_reset violating various internal assumptions, resulting in out-of-range memory access or triggering error checks.
-------------------------------------------------------------------------
Debian Security Advisory DSA-4769-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 02, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : xen
CVE ID : CVE-2020-25595 CVE-2020-25596 CVE-2020-25597
CVE-2020-25599 CVE-2020-25600 CVE-2020-25601
CVE-2020-25602 CVE-2020-25603 CVE-2020-25604
Multiple vulnerabilities have been discovered in the Xen hypervisor,
which could result in denial of service, guest-to-host privilege
escalation or information leaks.
For the stable distribution (buster), these problems have been fixed in
version 4.11.4+37-g3263f257ca-1.
We recommend that you upgrade your xen packages.
For the detailed security status of xen please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xen
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
Software Description:
- xen: Public headers and libs for Xen
Details:
It was discovered that memory contents previously stored in
microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY
read operations on Intel client and Xeon E3 processors may be briefly
exposed to processes on the same or different processor cores. A local
attacker could use this to expose sensitive information. (CVE-2020-0543)
Julien Grall discovered that Xen incorrectly handled memory barriers on
ARM-based systems. An attacker could possibly use this issue to cause a
denial of service, obtain sensitive information or escalate privileges.
(CVE-2020-11739)
Ilja Van Sprundel discovered that Xen incorrectly handled profiling of
guests. An unprivileged attacker could use this issue to obtain sensitive
information from other guests, cause a denial of service or possibly gain
privileges.
(CVE-2020-11742, CVE-2020-11743)
Jan Beulich discovered that Xen incorrectly handled certain code paths.
(CVE-2020-15563)
Julien Grall discovered that Xen incorrectly verified memory addresses
provided by the guest on ARM-based systems. (CVE-2020-15564)
Roger Pau Monné discovered that Xen incorrectly handled caching on x86 Intel
systems. (CVE-2020-15565)
It was discovered that Xen incorrectly handled errors in event-channel port
allocation. (CVE-2020-15566)
Jan Beulich discovered that Xen incorrectly handled certain EPT (Extended
Page Tables). (CVE-2020-15567)
Andrew Cooper discovered that Xen incorrectly handled PCI passthrough.
(CVE-2020-25595)
Andrew Cooper discovered that Xen incorrectly sanitized path injections.
(CVE-2020-25596)
Jan Beulich discovered that Xen incorrectly handled validation of event
channels. (CVE-2020-25597)
Julien Grall and Jan Beulich discovered that Xen incorrectly handled
resetting event channels. (CVE-2020-25599)
Julien Grall discovered that Xen incorrectly handled event channels
memory allocation on 32-bits domains. (CVE-2020-25600)
Jan Beulich discovered that Xen incorrectly handled resetting or cleaning
up event channels. (CVE-2020-25601)
Andrew Cooper discovered that Xen incorrectly handled certain Intel
specific MSR (Model Specific Registers). (CVE-2020-25602)
Julien Grall discovered that Xen incorrectly handled accessing/allocating
event channels. An attacker could possibly use this issue to cause a
denial of service, obtain sensitive information or escalate privileges. (CVE-2020-25604)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
libxendevicemodel1 4.11.3+24-g14b62ab3e5-1ubuntu2.3
libxenevtchn1 4.11.3+24-g14b62ab3e5-1ubuntu2.3
libxengnttab1 4.11.3+24-g14b62ab3e5-1ubuntu2.3
libxenmisc4.11 4.11.3+24-g14b62ab3e5-1ubuntu2.3
xen-hypervisor-4.11-amd64 4.11.3+24-g14b62ab3e5-1ubuntu2.3
xen-hypervisor-4.11-arm64 4.11.3+24-g14b62ab3e5-1ubuntu2.3
xen-hypervisor-4.11-armhf 4.11.3+24-g14b62ab3e5-1ubuntu2.3
xen-utils-4.11 4.11.3+24-g14b62ab3e5-1ubuntu2.3
xen-utils-common 4.11.3+24-g14b62ab3e5-1ubuntu2.3
xenstore-utils 4.11.3+24-g14b62ab3e5-1ubuntu2.3
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5617-1
CVE-2020-0543, CVE-2020-11739, CVE-2020-11740, CVE-2020-11741,
CVE-2020-11742, CVE-2020-11743, CVE-2020-15563, CVE-2020-15564,
CVE-2020-15565, CVE-2020-15566, CVE-2020-15567, CVE-2020-25595,
CVE-2020-25596, CVE-2020-25597, CVE-2020-25599, CVE-2020-25600,
CVE-2020-25601, CVE-2020-25602, CVE-2020-25603, CVE-2020-25604
Package Information:
https://launchpad.net/ubuntu/+source/xen/4.11.3+24-g14b62ab3e5-1ubuntu2.3
| VAR-202009-0293 | CVE-2020-14031 | Ozeki NG SMS Gateway unspecified vulnerability |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The outbox functionality of the TXT File module can be used to delete all/most files in a folder. Because the product usually runs as NT AUTHORITY\SYSTEM, the only files that will not be deleted are those currently being run by the system and/or files that have special security attributes (e.g., Windows Defender files). Ozeki NG SMS Gateway contains an unspecified vulnerability. Information may be obtained, information may be tampered with, and a denial of service (DoS) state may result. The program can convert incoming e-mails to SMS and send them to a mobile phone. Its main functions are: (1) sending and receiving messages in both directions (phone to system, system to phone); (2) support for various desktop e-mail and webmail applications; (3) a server component that stores the SMS messages it sends and receives; (4) support for multiple devices, etc.
| VAR-202009-0287 | CVE-2020-14028 | Ozeki NG SMS Gateway path traversal vulnerability |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. By leveraging a path traversal vulnerability in the Autoreply module's Script Name, an attacker may write to or overwrite arbitrary files, with arbitrary content, usually with NT AUTHORITY\SYSTEM privileges. Ozeki NG SMS Gateway contains a path traversal vulnerability. Information may be obtained, information may be tampered with, and a denial of service (DoS) state may result. The program can convert incoming e-mails to SMS and send them to a mobile phone. Its main functions are: (1) sending and receiving messages in both directions (phone to system, system to phone); (2) support for various desktop e-mail and webmail applications; (3) a server component that stores the SMS messages it sends and receives; (4) support for multiple devices, etc.
| VAR-202009-0283 | CVE-2020-14024 | Ozeki NG SMS Gateway Cross-site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored and/or reflected XSS vulnerabilities via the (1) Receiver or Recipient field in the Mailbox feature, (2) OZFORM_GROUPNAME field in the Group configuration of addresses, (3) listname field in the Defining address lists configuration, or (4) any GET Parameter in the /default URL of the application. Ozeki NG SMS Gateway contains a cross-site scripting vulnerability. Information may be obtained and information may be tampered with. The program can convert incoming e-mails to SMS and send them to a mobile phone. Its main functions are: (1) sending and receiving messages in both directions (phone to system, system to phone); (2) support for various desktop e-mail and webmail applications; (3) a server component that stores the SMS messages it sends and receives; (4) support for multiple devices, etc. An attacker could exploit this vulnerability to execute client-side code.
| VAR-202009-0282 | CVE-2020-14023 | Ozeki NG SMS Gateway Server-side Request Forgery Vulnerability |
CVSS V2: 4.0 CVSS V3: 4.9 Severity: MEDIUM |
Ozeki NG SMS Gateway through 4.17.6 allows SSRF via SMS WCF or RSS To SMS. Ozeki NG SMS Gateway contains a server-side request forgery vulnerability. A denial of service (DoS) state may result. The program can convert incoming e-mails to SMS and send them to a mobile phone. Its main functions are: (1) sending and receiving messages in both directions (phone to system, system to phone); (2) support for various desktop e-mail and webmail applications; (3) a server component that stores the SMS messages it sends and receives; (4) support for multiple devices, etc.
| VAR-202009-0286 | CVE-2020-14027 | Ozeki NG SMS Gateway argument injection or modification vulnerability |
CVSS V2: 3.5 CVSS V3: 5.3 Severity: MEDIUM |
An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The database connection strings accept custom unsafe arguments, such as ENABLE_LOCAL_INFILE, that can be leveraged by attackers to enable MySQL Load Data Local (rogue MySQL server) attacks. The program can convert incoming e-mails to SMS and send them to a mobile phone. Its main functions are: (1) sending and receiving messages in both directions (phone to system, system to phone); (2) support for various desktop e-mail and webmail applications; (3) a server component that stores the SMS messages it sends and receives; (4) support for multiple devices, etc. The vulnerability stems from the fact that the database connection string accepts custom insecure parameters, such as ENABLE_LOCAL_INFILE.