4 min
Vulnerability Disclosure
R7-2019-39 | CVE-2019-5648: LDAP Credential Exposure in Barracuda Load Balancer ADC (FIXED)
This post describes CVE-2019-5648, a vulnerability in the Barracuda Load Balancer ADC.
11 min
Vulnerability Disclosure
R7-2019-09 | CVE-2019-5617, CVE-2019-5643, CVE-2019-5644: C4G BLIS authentication and authorization vulnerabilities (FIXED)
This disclosure describes R7-2019-09, composed of three vulnerabilities in the
Basic Laboratory Information System (BLIS). Due to flawed authentication and
authorization verification, versions of BLIS < 3.5 are vulnerable to
unauthenticated password resets (R7-2019-09.1), and versions of BLIS < 3.51 are
vulnerable to unauthenticated enumeration of facilities and usernames
(R7-2019-09.2) as well as unauthenticated updates to user information
(R7-2019-09.3).
These vulnerabilities are summarized i
9 min
Vulnerability Disclosure
Investigating the Plumbing of the IoT Ecosystem (R7-2018-65, R7-2019-07) (FIXED)
Two vulnerabilities have been disclosed for Eaton's Home Lighting HALO Home Smart Lighting System and BlueCats' AA Beacon.
3 min
Vulnerability Disclosure
R7-2019-01: CircuitWerkes Sicon-8 Client-Side Authentication Read-Only Bypass (CVE-2019-5616)
The Sicon-8 ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user’s web browser.
3 min
Haxmas
R7-2018-52: Guardzilla IoT Video Camera Hard-Coded Credential (CVE-2018-5560)
Most HaXmas posts are full of fun and frivolity, but this one is a routine vulnerability disclosure in a piece of IoT gear that you should know about.
3 min
Vulnerability Disclosure
R7-2018-15 | CVE-2018-5553: Crestron DGE-100 Console Command Injection (FIXED)
This post describes CVE-2018-5553, a vulnerability in the Crestron Console
service that is preinstalled on the DGE-100. Due to a lack of input
sanitization, this service is vulnerable to command injection that can be used
to gain root-level access. DGE-100 devices running firmware versions
1.3384.00049.001 and lower with default configuration are vulnerable to
CVE-2018-5553.
CVE-2018-5553 is categorized as CWE-78 (Improper Neutralization of Special
Elements used in an OS Command) [https://cwe.m
4 min
Vulnerability Disclosure
R7-2018-01 (CVE-2018-5551, CVE-2018-5552): DocuTrac Office Therapy Installer Hard-Coded Credentials and Cryptographic Salt
DocuTrac QuickDoc & Office Therapy ships with a number of static accounts which are not disclosed to the end user.
4 min
Vulnerability Disclosure
R7-2017-27 | CVE-2017-8987: HPE iLO3 Unauthenticated Remote DoS (FIXED)
This post describes CVE-2017-8987, an unauthenticated remote Denial of Service
vulnerability in HPE iLO3 firmware version 1.88. This vulnerability can be
exploited by several HTTP methods; once triggered, it lasts for approximately 10
minutes until the watchdog service
[https://www.kernel.org/doc/Documentation/watchdog/hpwdt.txt] performs a restart
of the iLO3 device. CVE-2017-8987 is categorized as CWE-400 (Resource
Exhaustion) [https://cwe.mitre.org/data/definitions/400.html] and has a CVSSv3
2 min
Vulnerability Disclosure
R7-2017-28: Epson AirPrint XSS (CVE-2018-5550)
The Epson AirPrint web configuration page is vulnerable to a reflected
cross-site scripting (XSS) issue in the INPUTT_GEOLOCATION parameter in the web
administration console. This issue could be leveraged by an attacker with
network access to the printer's web UI to trick the printer's administrator
into disclosing a session cookie, thus elevating the attacker’s privileges to
those of a printer administrator.
Product Description
Epson AirPrint is shipped with a number of Epson home and
18 min
Vulnerability Disclosure
R7-2017-25: Cambium ePMP and cnPilot Multiple Vulnerabilities
Summary of Issues
Multiple vulnerabilities in Cambium Networks’ ePMP and cnPilot product lines
were discovered by independent researcher Karn Ganeshen
[https://ipositivesecurity.com/], which have, in turn, been addressed by the
vendor. The affected devices are in use all over the world to provide wireless
network connectivity in a variety of contexts, including schools, hotels,
municipalities, and industrial sites, according to the vendor
[https://www.cambiumnetworks.com/industry/].
These issue
4 min
Vulnerability Disclosure
R7-2017-08: BPC SmartVista SQL Injection Vulnerability
Important update: 2018/01/25
BPC informed Rapid7 that this vulnerability only impacted the specified version
of SmartVista Front-End (2.2.10, revision 287921), which had very limited
distribution. Once the vulnerability described below was discovered, BPC
released a patch on Jul 19, 2017, before the issuance of the public disclosure
by Rapid7 on Oct 17, 2017. We have no reason to believe that any other versions
of SmartVista Front-End are vulnerable to this issue. Rapid7 believed the issue
to st
8 min
Vulnerability Disclosure
Multiple vulnerabilities in Wink and Insteon smart home systems
Today we are announcing four issues affecting two popular home automation
solutions: Wink's Hub 2 and Insteon's Hub. Neither vendor stored sensitive
credentials securely on their associated Android apps. In addition, the Wink
cloud-based management API does not properly expire and revoke authentication
tokens, and the Insteon Hub uses an unencrypted radio transmission protocol for
potentially sensitive security controls such as garage door locks.
As most of these issues have not yet been addres
5 min
Authentication
R7-2017-07: Multiple Fuze TPN Handset Portal vulnerabilities (FIXED)
This post describes three security vulnerabilities related to access controls
and authentication in the TPN Handset Portal, part of the Fuze platform. Fuze
fixed all three issues by May 6, 2017, and user action is not required to
remediate. Rapid7 thanks Fuze for their quick and thoughtful response to these
vulnerabilities:
* R7-2017-07.1, CWE-284 (Improper Access Control)
[https://cwe.mitre.org/data/definitions/284.html]: An unauthenticated remote
attacker can enumerate through MAC addr
3 min
Logentries
R7-2017-18: Logentries Windows Agent uses vulnerable OpenSSL (FIXED)
Summary
The Logentries Windows Agent before version 2.6.0.1 shipped with a version of
OpenSSL that is susceptible to several public vulnerabilities described below.
While we have no indication that any Logentries customers have been compromised
due to these older versions of OpenSSL, we strongly encourage Logentries
customers to update Agents deployed to Windows systems using the steps outlined
under “Remediation” below.
Since the previously shipped version of OpenSSL was susceptible to severa
3 min
Vulnerability Disclosure
R7-2017-06 | CVE-2017-5241: Biscom SFT XSS (FIXED)
Summary
The Workspaces component of Biscom Secure File Transfer (SFT) version 5.1.1015
is vulnerable to stored cross-site scripting in two fields. An attacker would
need to have the ability to create a Workspace and entice a victim to visit the
malicious page in order to run malicious JavaScript in the context of the
victim's browser. Since the victim is necessarily authenticated, this can allow
the attacker to perform actions on the Biscom Secure File Transfer instance on
the victim's behalf.