CERT Advisories

VU#101500: Retrospect Backup Client uses weak password hashing

Retrospect Backup Client is the client component of a network-based backup utility. This client stores passwords in a hashed format that is weak and susceptible to collision, allowing an attacker to generate a password hash collision and gain access to the target's backup files.

VU#582384: Multiple Netgear routers are vulnerable to arbitrary command injection

Netgear R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, and D6400 routers, and possibly other models, are vulnerable to arbitrary command injection.

VU#845332: OrientDB and Studio prior to version 2.1.1 contain multiple vulnerabilities

Studio for OrientDB Server Community Edition, versions prior to 2.1.1, contains several vulnerabilities.

VU#305448: D-Link DIR-850L web admin interface contains a stack-based buffer overflow...

D-Link DIR-850L, firmware versions 1.14B07, 2.07.B05, and possibly others, contains a stack-based buffer overflow vulnerability in the HNAP service of the web administration interface. Other models may also be affected.

VU#350508: HP ArcSight SmartConnector fails to properly validate SSL and contains...

The HP ArcSight SmartConnector fails to properly validate SSL certificates, and also contains a hard-coded password.

VU#724487: Fortinet FortiWAN load balancer appliance contains multiple vulnerabilities

Fortinet FortiWAN load balancer appliance contains multiple vulnerabilities

Original Release date: 06 Sep 2016 | Last revised: 06 Sep 2016

Overview

The Fortinet FortiWAN (Ascernlink) network load balancer appliance contains multiple vulnerabilities.

Description

According to the reporter, the Fortinet FortiWAN network load balancer appliance contains the following vulnerabilities. As of publication, CERT/CC has not been able to verify this information with Fortinet.

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2016-4965
The diagnosis_control.php page is vulnerable to command injection via the "graph" GET parameter. A non-administrative authenticated attacker with access privileges to the nslookup functionality can inject arbitrary operating system commands and execute them in the context of the root user.

CWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-4966
The diagnosis_control.php page has a tcpdump function that can capture FortiWAN data packets and download the captured packets to the local host for analysis and debugging. A non-administrative authenticated attacker can change the HTTP GET parameter "UserName" to "Administrator" to download a PCAP file of all packets captured by the FortiWAN device since the tcpdump function was activated.

CWE-200: Information Exposure - CVE-2016-4967
An authenticated but low-privileged user may obtain a backup of the device configuration by visiting the URL /script/cfg_show.php of the FortiWAN appliance, or a PCAP of tcpdump data by visiting /script/system/tcpdump.php.

CWE-200: Information Exposure - CVE-2016-4968
An authenticated but low-privileged user may perform a GET request to the /linkreport/tmp/admin_global page of the FortiWAN appliance and obtain the administrator login cookie.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2016-4969
The IP parameter of the /script/statistics/getconn.php file is vulnerable to cross-site scripting.

The CVSS score below is based on CVE-2016-4965.

Impact

An authenticated but low-privileged (non-administrator) account may be able to execute OS commands in the root context, capture network traffic passing through the FortiWAN device, obtain the appliance system configuration, or conduct cross-site scripting attacks against administrator users.

Solution

Apply an update. Fortinet has released FortiWAN 4.2.5, which addresses CVE-2016-4966 in the changelog. Affected users are encouraged to update as soon as possible. It is currently unclear whether the remaining vulnerabilities in this Vulnerability Note were also addressed in this release.

Vendor Information

Vendor          Status     Date Notified   Date Updated
Fortinet, Inc.  Affected   14 Jul 2016     06 Sep 2016

CVSS Metrics

Group          Score   Vector
Base           9.3     AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal       8.0     E:POC/RL:U/RC:UR
Environmental  6.0     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to Virgoteam (Fan-Syun Shih, Kun-Xian Lin, Yu-Chi, and Ding) for reporting these vulnerabilities.

This document was written by Garret Wassermann.

VU#792004: RSI Video Technologies Videofied security system Frontel software uses an...

RSI Video Technologies' Videofied security system uses software named Frontel to monitor alarm status. Frontel uses an insecure custom protocol to communicate with its Frontel server.

VU#875548: MicroPact iComplaints cross-site scripting vulnerability

MicroPact iComplaints contains a persistent cross-site scripting vulnerability.

VU#447516: Linksys SMART WiFi firmware contains multiple vulnerabilities

Linksys EA series routers running the Linksys SMART WiFi firmware contain multiple vulnerabilities.

VU#177092: KCodes NetUSB kernel driver is vulnerable to buffer overflow

KCodes NetUSB is vulnerable to a buffer overflow via the network that may result in a denial of service or code execution.

VU#923388: Swann SRNVW-470 allows unauthorized access to video stream and contains...

Swann SRNVW-470 allows unauthorized access to video stream and contains a hard-coded password

Original Release date: 17 Feb 2016 | Last revised: 17 Feb 2016

Overview

Swann network video recorder (NVR) devices contain a hard-coded password and do not ...

VU#669804: TestRail cross-site scripting vulnerability

TestRail version 3.1.1.3130 contains a cross-site scripting vulnerability.