VARIoT IoT vulnerabilities database


VAR-202407-2457 CVE-2024-7159 TOTOLINK A3600R Hardcoded password usage vulnerability in firmware
CVSS V2: 4.9
CVSS V3: 5.5
Severity: Medium
A vulnerability was found in TOTOLINK A3600R 4.1.2cu.5182_B20201102. It has been rated as critical. This issue affects some unknown processing of the file /web_cste/cgi-bin/product.ini of the component Telnet Service. The manipulation leads to use of a hard-coded password. The exploit has been disclosed to the public and may be used. The identifier VDB-272573 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. TOTOLINK A3600R firmware contains a vulnerability related to the use of hard-coded passwords. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
VAR-202407-2424 CVE-2024-7158 TOTOLINK A3100R Command injection vulnerability in firmware
CVSS V2: 6.5
CVSS V3: 6.3
Severity: Medium
A vulnerability was found in TOTOLINK A3100R 4.1.2cu.5050_B20200504. It has been declared as critical. This vulnerability affects the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument telnet_enabled leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272572. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. TOTOLINK A3100R firmware contains a command injection vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
VAR-202407-2402 CVE-2024-7157 TOTOLINK A3100R Classic buffer overflow vulnerability in firmware
CVSS V2: 9.0
CVSS V3: 8.8
Severity: High
A vulnerability was found in TOTOLINK A3100R 4.1.2cu.5050_B20200504. It has been classified as critical. This affects the function getSaveConfig of the file /cgi-bin/cstecgi.cgi?action=save&setting. The manipulation of the argument http_host leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272571. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. TOTOLINK A3100R firmware has a classic buffer overflow vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
VAR-202407-2572 CVE-2024-41692 SyroTech SY-GPON-1110-WDONT Access Control Error Vulnerability
CVSS V2: 8.3
CVSS V3: -
Severity: High
This vulnerability exists in the SyroTech SY-GPON-1110-WDONT router due to the presence of root terminal access on a serial interface without proper access control. An attacker with physical access could exploit this by accessing the root shell on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary commands with root privileges on the targeted system. SyroTech SY-GPON-1110-WDONT is a wireless router from SyroTech.
VAR-202407-2538 CVE-2019-20461 Alecto IVM-100 2019-11-12 Missing Authentication
CVSS V2: -
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered on Alecto IVM-100 2019-11-12 devices. The device uses a custom UDP protocol to start and control video and audio services. The protocol has been partially reverse engineered. Based upon the reverse engineering, no password or username is ever transferred over this protocol. Thus, one can set up the camera connection feed with only the encoded UID. It is possible to set up sessions with the camera over the Internet by using the encoded UID and the custom UDP protocol, because authentication happens at the client side.
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Alecto
[Affected Product Code Base] Alecto-IVM-100 - Exact version unknown
[Affected Component] Video and audio stream of the camera.
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker requires knowledge of the encoded UID (can be obtained by sniffing or enumerating). Once this knowledge has been obtained, the attacker can set up a video/audio system from anywhere.
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with The Dutch consumer organisation
[Reference] https://www.alecto.nl
Use CVE-2019-20461
VAR-202407-2514 CVE-2020-11917 Siime Eye 14.1.00000001.3.330.0.0.3.14 Default SSID
CVSS V2: -
CVSS V3: 4.3
Severity: MEDIUM
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. It uses a default SSID value, which makes it easier for remote attackers to discover the physical locations of many Siime Eye devices, violating the privacy of users who do not wish to disclose their ownership of this type of device. (Various resources such as wigle.net can be used for mapping of SSIDs to physical locations.) As the device is turned on for limited times, fewer devices are detected via Wigle than one might expect. Using this site, it is possible to filter on specific SSIDs. When a filter is applied to find the default SSID of the Siime Eye, it is possible to find several devices across the globe. The map shown on Wigle shows an approximate physical location for the device and hence makes physical or physical proximity attacks more likely. In addition, it violates the user's privacy as everyone on the internet is capable of detecting where the devices are being used.
[VulnerabilityType Other] Information disclosure
[Vendor of Product] Svakom
[Affected Product Code Base] Siime Eye - 14.1.00000001.3.330.0.0.3.14
[Affected Component] Siime Eye Wi-Fi access point
[Attack Type] Context-dependent
[Impact Information Disclosure] true
[Attack Vectors] In order to exploit this issue an attacker needs to simply search for the Siime Eye SSID on wigle.net
[Reference] https://wigle.net N/A
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit cyber security in assignment of the Consumentenbond.
Use CVE-2020-11917
VAR-202407-2513 CVE-2019-20457 Brother MFC-J491DW C1806180757 Password Hash Disclosure
CVSS V2: -
CVSS V3: 9.1
Severity: CRITICAL
An issue was discovered on Brother MFC-J491DW C1806180757 devices. The printer's web-interface password hash can be retrieved without authentication, because the response header of any failed login attempt returns an incomplete authorization cookie. The value of the authorization cookie is the MD5 hash of the password in hexadecimal. An attacker can easily derive the true MD5 hash from this, and use offline cracking attacks to obtain administrative access to the device.
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Brother
[Affected Product Code Base] MFC-J491DW - C1806180757
[Affected Component] Web admin panel
[Attack Type] Remote
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker needs to have access to the web interface running on TCP/80 on the device.
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Konrad Leszczynski, intern at Qbit in cooperation with the Dutch Consumer Organisation
[Reference] https://global.brother
Use CVE-2019-20457
VAR-202407-2625 CVE-2019-20469 One2Track 2019-12-08 Information Disclosure
CVSS V2: -
CVSS V3: 4.6
Severity: MEDIUM
An issue was discovered on One2Track 2019-12-08 devices. Confidential information is needlessly stored on the smartwatch. Audio files are stored in .amr format, in the audior directory. An attacker who has physical access can retrieve all audio files by connecting via a USB cable.
[VulnerabilityType Other] Voice conversations leaked to physical attackers.
[Vendor of Product] One2Track
[Affected Product Code Base] one2track - up-to-date version as of 12-8-2019 (no exact version number)
[Affected Component] Local smartwatch storage
[Attack Type] Physical
[Impact Information Disclosure] true
[Attack Vectors] An attacker must physically have access to the One2track software. Once this access has been obtained, audio messages sent to the smartwatch can be retrieved from the local storage.
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Dennis van Warmerdam, Jasper Nota, Jim Blankendaal
[Reference] https://www.one2track.nl
Use CVE-2019-20469
VAR-202407-2626 CVE-2019-20459 Epson Expression Home XP255 20.08.FM10I8 SNMPv1 Public Community
CVSS V2: -
CVSS V3: 8.4
Severity: HIGH
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. With the SNMPv1 public community, all values can be read, and with the epson community, all the changeable values can be written/updated, as demonstrated by permanently disabling the network card or changing the DNS servers.
[Vulnerability Type] Insecure Permissions
[Vendor of Product] Epson
[Affected Product Code Base] Expression Home XP255 - 20.08.FM10I8
[Affected Component] SNMP agent
[Attack Type] Remote
[Impact Denial of Service] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] The attacker must be able to connect to the devices on port 515/UDP.
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation.
[Reference] https://epson.com/Support/sl/s
Use CVE-2019-20459
VAR-202407-2627 CVE-2020-11919 Siime Eye 14.1.00000001.3.330.0.0.3.14 Cross Site Request Forgery
CVSS V2: -
CVSS V3: 8.0
Severity: HIGH
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. There is no CSRF protection.
[Additional Information] The default settings make this attack theoretical rather than practical. A lot of interaction takes place between the application and the end user. For correct functioning, it is important to verify that requests coming from the user actually represent the user's intention. The application must therefore be able to distinguish forged requests from legitimate ones. Currently no measures against Cross-Site Request Forgery have been implemented and therefore users can be tricked into submitting requests without their knowledge or consent. From the application's point of view, these requests are legitimate requests from the user and they will be processed as such. This can result in the creation of additional (administrative) user accounts, without the user's knowledge or consent. In order to execute a CSRF attack, a user must be tricked into visiting an attacker controlled page, using the same browser that is authenticated to the Siime Eye. As mostly the Hotspot from Siime Eye will be used, users are unlikely to (be able to) access such pages simultaneously.
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Svakom
[Affected Product Code Base] Siime Eye - 14.1.00000001.3.330.0.0.3.14
[Affected Component] Siime Eye, web interface
[Attack Type] Context-dependent
[Impact Escalation of Privileges] true
[CVE Impact Other] Full device compromise.
[Reference] N/A
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond.
Use CVE-2020-11919
VAR-202407-2660 CVE-2020-11926 Luvion Grand Elite 3 Connect Credential Disclosure
CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Clients can authenticate themselves to the device using a username and password. These credentials can be obtained through an unauthenticated web request, e.g., for a JavaScript file. Also, the disclosed information includes the SSID and WPA2 key for the Wi-Fi network the device is connected to.
[Additional Information] The disclosed information can be functionally used by an attacker to remotely gain access to normal camera functionality. (e.g. watch in someone's room over the internet)
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Luvion
[Affected Product Code Base] Luvion Grand elite 3 connect - Cannot be determined
[Affected Component] Webserver running on the device.
[Attack Type] Remote
[CVE Impact Other] Authentication bypass
[Attack Vectors] An attacker can simply browse to the device and retrieve the passwords.
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Willem Westerhof, Jasper Nota, Jim Blankendaal, Martijn Baalman from Qbit in assignment of the Consumentenbond
[Reference] N/A
Use CVE-2020-11926
VAR-202407-2661 CVE-2020-11916 Siime Eye 14.1.00000001.3.330.0.0.3.14 Weak Hashing
CVSS V2: -
CVSS V3: 6.3
Severity: MEDIUM
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. The password for the root user is hashed using an old and deprecated hashing technique. Because of this deprecated hashing, the success probability of an attacker in an offline cracking attack is greatly increased.
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Svakom
[Affected Product Code Base] Siime Eye - 14.1.00000001.3.330.0.0.3.14
[Affected Component] Siime Eye linux password hashes
[Attack Type] Context-dependent
[Impact Information Disclosure] true
[Attack Vectors] The hash can be obtained using various techniques (e.g.) through command injection.
[Reference] N/A
[Discoverer] Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond.
Use CVE-2020-11916
VAR-202407-2682 CVE-2019-20472 One2Track 2019-12-08 Missing PIN
CVSS V2: -
CVSS V3: 6.2
Severity: MEDIUM
An issue was discovered on One2Track 2019-12-08 devices. Any SIM card used with the device cannot have a PIN configured. If a PIN is configured, the device simply produces a "Remove PIN and restart!" message, and cannot be used. This makes it easier for an attacker to use the SIM card by stealing the device.
[VulnerabilityType Other] recommendation to disable common security measures
[Vendor of Product] One2Track
[Affected Product Code Base] One2Track - up-to-date version as of 12-8-2019 (no exact version number)
[Affected Component] SIM card security PIN
[Attack Type] Physical
[CVE Impact Other] recommendation to disable common security measures
[Attack Vectors] Local
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Dennis van Warmerdam, Jim Blankendaal, Jasper Nota
[Reference] https://www.one2track.nl
Use CVE-2019-20472
VAR-202407-2539 CVE-2020-11921 Lush 2 Missing Encryption
CVSS V2: -
CVSS V3: 8.8
Severity: HIGH
An issue was discovered in Lush 2 through 2020-02-25. Due to the lack of Bluetooth traffic encryption, it is possible to hijack an ongoing Bluetooth connection between the Lush 2 and a mobile phone. This allows an attacker to gain full control over the device. This attack hijacks the connection, even when someone else was actively using the device before. Note that the user of the device remains capable of simply shutting it down. In order to exploit this vulnerability, the attacker must be present in a certain radius in which the Bluetooth connection can be intercepted. This attack vector also requires specific hardware like the Micro:bit.
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Lovense
[Affected Product Code Base] Lush 2 - Cannot be determined.
[Affected Component] Lush 2, Bluetooth interface
[Attack Type] Local
[CVE Impact Other] Take over normal device functionality from the original owner.
[Reference] N/A
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Willem Westerhof, Jasper Nota, Roan Engelbert, Ilona de Bruin from Qbit cyber security in assignment of the Consumentenbond.
Use CVE-2020-11921
VAR-202407-2571 CVE-2019-20462 Alecto IVM-100 2019-11-12 Information Disclosure
CVSS V2: -
CVSS V3: -
Severity: -
An issue was discovered on Alecto IVM-100 2019-11-12 devices. The device comes with a serial interface at the board level. By attaching to this serial interface and rebooting the device, a large amount of information is disclosed. This includes the view password and the password of the Wi-Fi access point that the device used.
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Alecto
[Affected Product Code Base] Alecto IVM-100 - unknown.
[Attack Type] Physical
[Impact Information Disclosure] true
[Attack Vectors] An attacker needs to open up the device and physically attach wires as well as reboot the device.
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with The Dutch consumer organisation
[Reference] https://www.alecto.nl
Use CVE-2019-20462
VAR-202407-2600 CVE-2019-20460 Epson Expression Home XP255 20.08.FM10I8 Cross Site Request Forgery
CVSS V2: -
CVSS V3: 8.8
Severity: HIGH
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. POST requests don't require (anti-)CSRF tokens or other mechanisms for validating that the request is from a legitimate source. In addition, CSRF attacks can be used to send text directly to the RAW printer interface. For example, an attack could deliver a worrisome printout to an end user.
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Epson
[Affected Product Code Base] Expression Home XP255 - 20.08.FM10I8
[Affected Component] Web admin panel, RAW printing protocol
[Attack Type] Remote
[Impact Escalation of Privileges] true
[Attack Vectors] Using a CSRF attack, the web admin panel is attacked.
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation.
[Reference] https://epson.com/Support/sl/s
Use CVE-2019-20460
VAR-202407-2554 CVE-2019-20458 Epson Expression Home XP255 20.08.FM10I8 Missing Authentication
CVSS V2: -
CVSS V3: 8.8
Severity: HIGH
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. By default, the device comes (and functions) without a password. The user is at no point prompted to set up a password on the device (leaving a number of devices without a password). In this case, anyone connecting to the web admin panel is capable of becoming admin without using any credentials.
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Epson
[Affected Product Code Base] Expression Home XP255 - 20.08.FM10I8
[Affected Component] Web admin panel
[Attack Type] Remote
[Impact Escalation of Privileges] true
[Attack Vectors] The attacker needs to have access to port 80/TCP (the webserver) of the device.
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation.
[Reference] https://epson.com/Support/sl/s
Use CVE-2019-20458
VAR-202407-2555 CVE-2020-11918 Siime Eye 14.1.00000001.3.330.0.0.3.14 Backup Disclosure
CVSS V2: -
CVSS V3: 5.4
Severity: MEDIUM
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. When a backup file is created through the web interface, information on all users, including passwords, can be found in cleartext in the backup file. An attacker capable of accessing the web interface can create the backup file.
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Svakom
[Affected Product Code Base] Siime Eye - 14.1.00000001.3.330.0.0.3.14
[Affected Component] Siime Eye
[Attack Type] Context-dependent
[Impact Information Disclosure] true
[Attack Vectors] A backup file must be found or created by an attacker in order to exploit this vulnerability.
[Reference] N/A
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond
Use CVE-2020-11918
VAR-202407-2574 CVE-2024-41691 SyroTech SY-GPON-1110-WDONT Vulnerability related to plaintext storage of important information in firmware
CVSS V2: 8.3
CVSS V3: 4.6
Severity: MEDIUM
This vulnerability exists in the SyroTech SY-GPON-1110-WDONT router due to the storing of FTP credentials in plaintext within the SquashFS-root filesystem associated with the router's firmware. An attacker with physical access could exploit this by extracting the firmware and reverse engineering the binary data to access the plaintext FTP credentials from the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the FTP server associated with the targeted system. SyroTech SY-GPON-1110-WDONT is a wireless router from SyroTech.
VAR-202407-2683 CVE-2024-41690 SyroTech SY-GPON-1110-WDONT Vulnerability related to plaintext storage of important information in firmware
CVSS V2: 6.1
CVSS V3: 4.6
Severity: MEDIUM
This vulnerability exists in the SyroTech SY-GPON-1110-WDONT router due to the storing of default username and password credentials in plaintext within the router's firmware/database. An attacker with physical access could exploit this by extracting the firmware and reverse engineering the binary data to access the plaintext default credentials on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system. The SyroTech SY-GPON-1110-WDONT firmware contains a vulnerability related to plaintext storage of sensitive information. Information may be obtained. SyroTech SY-GPON-1110-WDONT is a wireless router from SyroTech.