VARIoT IoT vulnerabilities database

The ComputePassword function in the Schneider Electric Quantum Ethernet Module on the NOE 771 device (aka the Quantum 140NOE771* module) generates the password for the fwupgrade account by performing a calculation on the MAC address, which makes it easier for remote attackers to obtain access via a (1) ARP request message or (2) Neighbor Solicitation message. A remote attacker can gain access by means of (1) ARP request information or (2) Neighbor Solicitation information. The firmware provided by Schneider Schneider Electric Quantum Ethernet Module has a hard-coded problem. The built-in hard-coded authentication credentials can be used to access the following services: Telnet port, allowing remote attackers to view the operation of the module firmware, perform denial of service, modify the module memory, execute Arbitrary code. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Schneider Electric Ethernet Modules Undocumented Account Security Issues SECUNIA ADVISORY ID: SA47019 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47019/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47019 RELEASE DATE: 2011-12-14 DISCUSS ADVISORY: http://secunia.com/advisories/47019/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47019/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47019 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Ruben Santamarta has reported some security issues in multiple Schneider Electric modules, which can be exploited by malicious people to bypass certain security restrictions. 1) The Telnet service contains undocumented hardcoded credentials, which can be exploited to gain access to the service and e.g. modify module's memory and execute arbitrary code. 2) The Windriver Debug service contains undocumented hardcoded credentials, which can be exploited to gain access to the service and e.g. modify module's memory and execute arbitrary code. 3) The FTP service contains undocumented hardcoded credentials, which can be exploited to gain access to the service and e.g. modify HTTP passwords and upload malicious firmware. Please see the ICS-CERT's advisory for a list of affected products and versions. SOLUTION: Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: Ruben Santamarta ORIGINAL ADVISORY: Ruben Santamarta: http://reversemode.com/index.php?option=com_content&task=view&id=80&Itemid=1 ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-346-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The D-Link DAP-1150 is a wireless access device. D-Link DAP-1150 has a cross-site request forgery vulnerability that allows an attacker to build a malicious link, entice a logged-in user to resolve, and perform various administrative operations in the target user context. D-Link DAP-1150 is prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible. D-Link DAP-1150 firmware version 1.2.94 is vulnerable; other versions may also be affected

Trend Micro DataArmor/DriveArmor is a data protection application. Trend Micro DataArmor/DriveArmor pre-boot has a security vulnerability that allows a local attacker to execute arbitrary code in the login user context and gain access to the DataArmor Recovery Console. Attackers with physical access to the affected system can exploit this issue to escalate privileges and perform unauthorized actions

Wibu-Systems CodeMeter is a hardware-based software, file, access and media protection solution. The Wibu-Systems CodeMeter certificate server listens by default on port 22350, which allows for limited directory traversal attacks in virtual directories. Wibu-Systems CodeMeter is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue can allow an attacker to download arbitrary files with certain extensions from outside the server root directory. This may aid in further attacks. CodeMeter 4.30c is affected; other versions may also be vulnerable

The HTC Touch2 T3333 is a 3G smartphone based on the WM6.5 system. HTCVideoPlayer is the default media player for HTC Windows mobile devices. There is a memory corruption vulnerability when parsing the stbl atom of the 3g2 video format. Building malicious files to entice users to parse can cause an application to crash. HTCVideoPlayer is prone to a memory-corruption vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions

SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There was an error running some reports to create an SAPTerm user with hard-coded user credentials by convincing the system administrator to run a report. SAP Netweaver is prone to a security-bypass vulnerability that can allow a user to create insecure SAPTerm user accounts. Attackers can exploit this issue to perform certain unauthorized actions. This may aid in further attacks. SAPTerm user. ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: SAP NetWeaver SAPTerm Hardcoded Credentials User Creation Weakness SECUNIA ADVISORY ID: SA45034 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45034/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45034 RELEASE DATE: 2011-06-30 DISCUSS ADVISORY: http://secunia.com/advisories/45034/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45034/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45034 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A weakness has been reported in SAP NetWeaver, which can be exploited by malicious users to manipulate certain data. The weakness is reported in the following components: * SAP Basis versions 620 through 640. * SAP Basis versions 700 through 702. * SAP Basis versions 710 through 730. * SAP Basis versions 72L through 800. SOLUTION: Apply fixes (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: The vendor credits Julius von dem Bussche, Xiting AG. ORIGINAL ADVISORY: SAP: https://service.sap.com/sap/support/notes/1542645 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Alice Modem is a modem. A cross-site scripting vulnerability exists in Alice Modem. The vulnerability is caused by the device not being able to properly handle the user-provided input. The remote attacker can execute arbitrary script code in the context of the user's browser of the affected site with the rulename parameter and steal the cookie-based authentication certificate

Dlink DPH is an IP telephony solution. A security vulnerability exists in the web management interface of Dlink DPH 150SE, which allows unauthenticated users to obtain profile information including the administrator password. Dlink DPH IP phones are prone to multiple remote vulnerabilities. The following devices are affected: Dlink DPH 150SE Dlink DPH 150E Dlink DPH 150F1

SAP MaxDB is prone to a denial-of-service vulnerability. Attackers may leverage this issue to crash the affected application, denying service to legitimate users. SAP MaxDB 7.8.01.18 is vulnerable; other versions may also be affected.

Unspecified vulnerability in the Drag Drop Mass Upload (ameos_dragndropupload) extension 2.0.2 and earlier for TYPO3 allows remote attackers to upload arbitrary files via unknown vectors. Typo3 is one of the leading brands of open source content management systems (CMS) and content management frameworks (CMF) based on PHP and MySQL databases and is a powerful open source solution. A remote attacker can update any file with an unknown vector. The issue occurs because the application fails to adequately validate user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible

Sagem F@st 3304 is an ADSL device. The Sagem F@st 3304 router does not properly restrict access to sensitive information, and remote attackers can exploit the vulnerability to obtain the router's PPPoE password

CiscoKits CCNA TFTP Server is prone to a remote denial-of-service vulnerability. Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users. CiscoKits CCNA TFTP Server 1.0 is affected; other versions may also be vulnerable.

Pragyan CMS is prone to an arbitrary-file-upload vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. Pragyan CMS 2.6.1 is available; other versions may also be affected.

Because the application displays the authentication credentials in the accessaccount.cgi script, an attacker can gain sensitive information. ZTE ZXDSL 831-II is an ADSL device issued by ZTE Corporation. A cross-site request forgery vulnerability exists in the ZTE ZXDSL 831 II modem. Since the application WEB interface allows certain operations to be performed through HTTP requests, without strict verification of the request, the attacker constructs a malicious link, entices the user to resolve, and can perform various operations with administrator privileges. Such as changing the administrator password and so on. ZTE ZXDSL 831-II is prone to a cross-site request-forgery vulnerability and an information-disclosure vulnerability. Attackers can exploit the information-disclosure issue to obtain sensitive information that may aid in launching further attacks. Exploiting the cross-site request-forgery may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible. ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: ZTE ZXDSL 831 II Modem Cross-Site Request Forgery and Information Disclosure Vulnerabilities SECUNIA ADVISORY ID: SA46659 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46659/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46659 RELEASE DATE: 2011-11-08 DISCUSS ADVISORY: http://secunia.com/advisories/46659/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46659/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46659 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in the ZTE ZXDSL 831 II modem, which can be exploited by malicious people to conduct cross-site request forgery attacks and to disclose sensitive information. This can be exploited to e.g. change an administrator's password by tricking a logged in administrator into visiting a malicious web site. The vulnerabilities are reported in version 7.5.0a_Z29_OV. Other versions may also be affected. SOLUTION: Restrict access to trusted users only. Do not browse untrusted websites or follow untrusted links while logged in to the application. PROVIDED AND/OR DISCOVERED BY: Mehdi Boukazoula and Ibrahim Debeche. OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trend Micro Control Manager (TMCM) is a centralized security management console from Trend Micro that enables unified coordination of Trend Micro products and services. The input passed to the WebApp/widget/proxy_request.php script via the \"module\" parameter is missing validation before being used to read the file, and the attacker can read any file in the local resource through the directory traversal sequence. Trend Micro Control Manager is prone to a directory-traversal vulnerability because the application fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain arbitrary local files in the context of the webserver process. ---------------------------------------------------------------------- The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way. Read more and request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Trend Micro Control Manager "module" File Disclosure Vulnerability SECUNIA ADVISORY ID: SA44970 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44970/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44970 RELEASE DATE: 2011-07-13 DISCUSS ADVISORY: http://secunia.com/advisories/44970/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44970/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44970 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Sow Ching Shiong has discovered a vulnerability in Trend Micro Control Manager, which can be exploited by malicious users to disclose sensitive information. The vulnerability is confirmed in version 5.5 (Build 1250). Other versions may also be affected. SOLUTION: Apply hotfix 1470. Please contact the vendor for details. PROVIDED AND/OR DISCOVERED BY: Sow Ching Shiong via Secunia. OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The D-Link DNS-320 is a storage device for small business users. D-Link DNS-320 has multiple security vulnerabilities that can be exploited for denial of service attacks. The dsk_mgr.cgi is allowed to perform a restart by a POST request with the cmd=FMT_restart parameter. The system_mgr.cgi is allowed to perform a restart by a POST request with the cmd=cgi_restart or cmd=cgi_reboo parameters. System_mgr.cgi is allowed to perform shutdown by a POST request with the cmd=cgi_shutdown parameter. The firmware is allowed to be executed by wizard_mgr.cgi by a POST request with the cmd=cgi_wizard parameter. D-Link DNS-320 ShareCenter is prone to a denial-of-service vulnerability. Successful exploits will cause an affected device to reload or shutdown, denying service to legitimate users

Multiple PHP remote file inclusion vulnerabilities in SAPID CMS 1.2.3 Stable allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[root_path] parameter to usr/extensions/get_tree.inc.php or (2) root_path parameter to usr/extensions/get_infochannel.inc.php. (1) usr/extensions/get_tree.inc.php of GLOBALS[root_path] Parameters (2) usr/extensions/get_infochannel.inc.php of root_path Parameters. SAPID CMS is a content management system. An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. SAPID CMS 1.2.3 is vulnerable; other versions may also be affected

Cloupia provides end-to-end FlexPod configuration, management, and automation solutions. Cloupia End-To-End FlexPod management has a directory traversal vulnerability, jQuery File Tree is a configurable Ajax file browser jQuery plugin. Unauthenticated access to this module allows a remote attacker to browse the entire file system on the host server. FlexPod Management & Automation is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue can allow an attacker to read arbitrary files outside of the server root directory. This may aid in further attacks

SAP Web Application Server (sometimes called WebAS) is the runtime environment for SAP applications - all mySAP Business Suite solutions (SRM, CRM, SCM, PLM, ERP) run on SAP WebAS. The SAP Web Application Server provides an input validation vulnerability for the 'cachetest' service. An unauthenticated attacker can exploit the vulnerability to remotely destroy the SAP Web Application Server, causing a denial of service attack. SAP WebAS is prone to a denial-of-service vulnerability. Attackers may leverage this issue to crash the affected application, denying service to legitimate users

AirTies Air 4450 1.1.2.18 allows remote attackers to cause a denial of service (reboot) via a direct request to cgi-bin/loader. AirTies Air is a set-top box device. Air 4450 is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to reboot. Repeated attempts will result in a denial-of-service condition