Fortinet FortiSIEM has a hard-coded SSH public key for user "tunneluser" that is the same across all installs. An attacker with this key can successfully authenticate as this user to the FortiSIEM Supervisor. The unencrypted key is also stored inside the FortiSIEM image. While the user's shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds. Versions 5.2.5 and 5.2.6 have been verified as vulnerable.
2c28af53eba7e337d89352df4d65040bfaf3d030410b0fb0308bd4147ae2c358
A FortiSIEM collector connects to a Supervisor/Worker over HTTPS TLS (443/TCP) to register itself and to relay event data such as syslog, netflow, SNMP, etc. When the Collector (the client) connects to the Supervisor/Worker (the server), the client does not validate the server-provided certificate against its root-CA store. Since the client does no server certificate validation, any certificate presented to the client will be considered valid and the connection will succeed. If an attacker spoofs a Worker/Supervisor using an ARP or DNS poisoning attack (or any other MITM attack), the Collector will blindly connect to the attacker's HTTPS TLS server. It will disclose the authentication password used along with any data being relayed. Versions 5.0 and 5.2.1 have been tested and are affected.
dbc1310afdd15da14c73881539c81b6d75bfa93a15e200bb1094631bd6549cbe
Telus Actiontec T2200H with firmware T2200H-31.128L.08 suffers from a local privilege escalation vulnerability.
64c22975e1acdf7c911c95d4b915a2f2f35f87f789a240cdb57a6e473dd665a4
Telus Actiontec WEB6000Q with firmware 1.1.02.22 suffers from a serial number information disclosure vulnerability. The wireless extenders use DHCP Option 125 to include device details such as model number, manufacturer, and serial number. The WCB6000Q DHCP DISCOVER and REQUEST broadcasts include the device serial number in the DHCP option 125 (subopt 2) field. An attacker on the same Layer 2 network segment as the device can see all these DHCP requests with a packet capture. Once he or she has this, the device's admin web UI password can be reset to a known value using the web UI "forgot password" page.
a60ada135acfe3357034b2f1a27e49db28c91ce7c509f65eef039cbca0d8eb46
Telus Actiontec T2200H with firmware T2200H-31.128L.08 suffers from a serial number information disclosure vulnerability. The wireless extenders use DHCP Option 125 to include device details such as model number, manufacturer, and serial number. By forging a special DHCP packet using Option 125, an attacker can obtain the device serial number. Once he or she has this, the device's admin web UI password can be reset to a known value using the web UI "forgot password" page.
e00278c615b4c6ca6904174cd960226f3071c1c8dac2689625b8674db654d3c2
Telus Actiontec WEB6000Q with firmware 1.1.02.22 suffers from a denial of service vulnerability. Querying CGI endpoints with empty (GET/POST/HEAD) requests causes a segmentation fault of the uhttpd webserver. Since there is no watchdog on this daemon, a device reboot is needed to restart the webserver before any modification can be made to the device.
b7e77c13720ff2862b5f2cd505e2fd83433bb92406f790f5a82bf75578c329dd
Telus Actiontec WEB6000Q with firmware 1.1.02.22 suffers from both local and remote privilege escalation vulnerabilities.
4603e04a98825c83c6631a84067f20ea7105aa334aa5ff03f9006cfcabc325ec
Telus Actiontec T2200H with firmware T2200H-31.128L.08 suffers from a credential disclosure vulnerability. An HTTP interface used by wireless extenders to pull the modem's wifi settings uses DHCP client-provided option values to restrict access to this API. By forging DHCP packets, one can access this interface without any authentication and obtain details such as SSID name, encryption type, and WPA/WEP keys. This can be leveraged if an attacker is on the same Layer 2 network as the modem.
18956a3fcbea918f85460a9c4e64d5ab6e1e70d214ae287471800ffc0dc7ee49
Subsonic Music Streamer version 4.4 suffers from an improper certificate validation vulnerability.
f7f53b635f997e2cd5340af1d92833a14752efed2260921f9403d2e91f9f5fc0
DSub for Subsonic version 5.4.1 suffers from an improper certificate validation vulnerability.
370704c68c165cc35ae66d964e40aba2fe2d033e452e2d6c15489ec1efdeb3a2
OpenConext-EngineBlock versions 5.7.0 through 5.7.3 suffer from a cross-site scripting vulnerability.
1c40f13fb738e9a91991869459b8beb8b294dcd95634775a7427ab9531fbb0ba
Actiontec WCB3000N with firmware version 0.16.2.5 suffers from a privilege escalation vulnerability.
d334325a801f0f16ab6691fb7928af2b8fe205c07c1792c6af3ddad17a84e3eb
Actiontec T2200H allows for command injection that provides a remote root reverse shell.
28169bbcf417020b949571295e53959017cd3341ec9c096c5b7311102388ba56