Nozomi Networks Labs

The application, after a successful login, sets the session cookie on the browser via client-side JavaScript code, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”). Any attempts to browse the application via unencrypted HTTP protocol would lead to the transmission of all his/her session cookies in plaintext through the network. An attacker could then be able to sniff the network and capture sensitive information.

The login functionality of the application does not employ any countermeasures against Password Spraying attacks or Credential Stuffing attacks. An attacker could obtain a list of valid usernames on the device by exploiting the issue and then perform a precise Password Spraying or Credential Stuffing attack in order to obtain access to at least one account.

The login functionality of the application fails to normalize the response times of login attempts performed with wrong usernames with the ones executed with correct usernames. A remote unauthenticated attacker could exploit this side-channel information to perform a username enumeration attack and identify valid usernames.

The web application returns an AuthToken that does not expire at the defined auto logoff delay timeout. An attacker could be able to capture this token and re-use old session credentials or session IDs for authorization.

The web application stores the PBKDF2 derived key of users passwords with a low iteration count. An attacker with user profile access privilege can retrieve the stored password hashes of other accounts and then successfully perform an offline cracking attack and recover the plaintext passwords of other users.

The web application fails to enforce an upper bound to the cost factor of the PBKDF2 derived key during the creation or update of an account. An attacker with the user profile access privilege could cause a denial of service (DoS) condition through CPU consumption by setting a PBKDF2 derived key with a remarkably high cost effort and then attempting a login to the so-modified account.

The “addCell” JavaScript function fails to properly sanitize user-controllable input before including it into the generated XML body of the XLS report document, such that it is possible to inject arbitrary content (e.g., XML tags) into the generated file. An attacker with restricted privileges, by poisoning any of the content used to generate XLS reports, could be able to leverage the application to deliver malicious files against higher-privileged users and obtain Remote Code Execution (RCE) against the administrator’s workstation.

The uClibc and uClibc-ng libraries are vulnerable to DNS cache poisoning due to the use of predictable DNS transaction IDs when making DNS requests. This vulnerability can allow an attacker to perform DNS cache poisoning attacks against a vulnerable environment.

A remote code execution vulnerability affecting a Valmet DNA service listening on TCP port 1517 allows an attacker to execute commands with SYSTEM privileges.

Specific paths of the administration interface are not protected by authentication.

Credentials for the administration interface are hardcoded in the application.

The patient data produced by Efficia CM Series monitors and consumed by the PIC iX workstation are encrypted with an insecure scheme.

The key used to encrypt patient data backups is hardcoded within the PIC iX workstation.

A network service running on the PIC iX workstation does not validate correctly the input received and upon parsing a malformed packet a workstation reboot can be triggered.

An insufficient entropy vulnerability in SESU can allow an attacker to decrypt the SESU
proxy password from the registry.

A CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability exists which could cause arbritrary script execution when a malicious file is read and displayed.

An unauthenticated remote attacker can obtain the credentials other than password and login to the CPU module

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass blocked network recipients.

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the Carriage Return and Line Feed (CRLF) control characters and include arbitrary SMTP headers in the generated test email.

User controlled parameters related to SMTP notifications are not correctly validated. This can lead to a buffer overflow resulting in crashes and data leakage.

A remote attacker can lockout registered users by continuously trying to login with an incorrect password.

An attacker that can sniff the traffic when the password for an existing user is changed or a new user is registered can obtain the credentials required to login.

A remote attacker can exploit the authentication protocol to build a username bruteforcer that will reveal the list of registered users.

A parameter in the playback search HTTP request was found improperly handled by the server executable, such that it resulted possible to trigger a stack-based buffer overflow and obtain execution of arbitrarily defined code with the same privileges as the server user (root).

The communication between ThroughTek servers, OEMs products embedding ThroughTek P2P library and client applications is obfuscated with a custom protocol that relies on an hardcoded key. By deobfuscating the protocol, is possible to access the cleartext content of the communication.

An attacker may prevent legitimate clients from connecting to an affected product by manipulating the link parameter or changing its state

Mitsubishi Electric recommends that users apply the suggested mitigation so an unauthorized user cannot stop the establishment of Ethernet communications between devices.

Specially crafted packets sent to Port 161/UDP can cause an out of bounds write over the SNMP service requiring a cold restart in order to resume its functionality.

An attacker could prevent Ethernet communication from being established in the affected products by manipulating the link parameter or changing its state.

JTEKT Corporation recommends that users apply the suggested mitigation so an unauthorized user cannot stop the establishment of Ethernet communications between devices.

The communication between Reolink NVR, P2P servers and applications is obfuscated with a custom protocol that relies on an hardcoded key. By deobfuscating the protocol, is possible to access the cleartext content of the communication. During the tests, this was observed to contain the P2P credentials.

Reolink P2P video/audio stream is transmitted without any encryption. Any actor who can access the client/NVR traffic, as it traverses the Internet, can access its content with no confidentiality for the parties involved.