
[FD] Bunch of IoT CVEs



Hi all,

A list of CVEs in a bunch of IoT devices that never made it to the general 
public through other means, but have either been fixed, or never will be fixed, 
since they are a couple of years old.

> [Suggested description]
> An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.
> By sending a specific request to the webserver, it is possible to
> enable the telnet interface on the device. The telnet interface can
> then be used to obtain access to the device with root privileges and a
> default password. This default telnet password is the same across all
> Siime Eye devices.
> For the attack to be exploited, an attacker must be physically close
> enough to connect to the device's Wi-Fi access point.
>
> ------------------------------------------
>
> [Additional Information]
> The vulnerability was first discovered by Pentest Partners; later on it was 
> also discovered by Qbit, as the issues remain unaddressed by the vendor.
>
> The default telnet password is the same across all
> Siime Eye devices and possibly even across all devices created by this
> developer.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Svakom
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Siime Eye - 14.1.00000001.3.330.0.0.3.14
>
> ------------------------------------------
>
> [Affected Component]
> Siime Eye device
>
> ------------------------------------------
>
> [Attack Type]
> Physical
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> An attacker must first obtain access to the Wi-Fi access point of the device, 
> after which the exploit can be done using simple network commands.
>
> ------------------------------------------
>
> [Reference]
> https://www.pentestpartners.com/security-blog/vulnerable-wi-fi-dildo-camera-endoscope-yes-really/
> N/A
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit during an assignment 
> for the Consumentenbond. Unknown personnel at Pentest Partners who did not 
> request a CVE back then.
Use CVE-2020-11915.


> [Suggested description]
> An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.
> The password for the root user is hashed using an old and
> deprecated hashing technique. Because of this deprecated hashing,
> the success probability of an attacker in an offline cracking attack
> is greatly increased.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Svakom
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Siime Eye - 14.1.00000001.3.330.0.0.3.14
>
> ------------------------------------------
>
> [Affected Component]
> Siime Eye linux password hashes
>
> ------------------------------------------
>
> [Attack Type]
> Context-dependent
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> The hash can be obtained using various techniques (e.g., through command 
> injection).
>
> ------------------------------------------
>
> [Reference]
> N/A
>
> ------------------------------------------
>
> [Discoverer]
> Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the 
> Consumentenbond.
Use CVE-2020-11916.
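The entry above flags a root password stored with a deprecated crypt(3) scheme. A defender auditing a firmware image would want to spot such entries before an attacker does. The following is an added example, not code from the advisory or from the device: it classifies each account in a shadow(5)-style file by its hash prefix and flags the schemes that are cheap to attack offline (DES-crypt, md5-crypt) as well as empty password fields. The sample file is constructed for this example; the hash bodies are not real hashes.

```python
"""Audit a shadow(5)-style file for legacy password-hash schemes.

Added example (not from the advisory): classifies each account's hash by
its crypt(3) identifier so that DES-crypt and md5-crypt entries can be
flagged for re-hashing with a modern scheme. SAMPLE_SHADOW is constructed.
"""
from dataclasses import dataclass

# crypt(3) identifier -> (scheme name, considered weak for offline cracking)
SCHEMES = {
    "$1$": ("md5-crypt", True),
    "$2a$": ("bcrypt", False),
    "$2b$": ("bcrypt", False),
    "$2y$": ("bcrypt", False),
    "$5$": ("sha256-crypt", False),
    "$6$": ("sha512-crypt", False),
    "$7$": ("scrypt", False),
    "$y$": ("yescrypt", False),
}


@dataclass
class Finding:
    user: str
    scheme: str
    weak: bool


def classify_hash(field: str) -> tuple:
    """Return (scheme, weak) for the password field of one shadow entry."""
    if field == "":
        # Empty field: login succeeds without a password at all.
        return ("empty (no password required)", True)
    if field.startswith(("!", "*")):
        # Locked account or no login allowed; nothing to crack.
        return ("locked", False)
    for prefix, (name, weak) in SCHEMES.items():
        if field.startswith(prefix):
            return (name, weak)
    # Traditional DES crypt: 2-char salt + 11-char hash, no '$' anywhere.
    if len(field) == 13 and "$" not in field:
        return ("des-crypt", True)
    # Anything unrecognised is reported so it can be reviewed by hand.
    return ("unknown", True)


def audit_shadow(text: str) -> list:
    """Parse shadow-formatted text and return one Finding per account."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # malformed line; shadow entries have 9 colon-separated fields
        scheme, weak = classify_hash(parts[1])
        findings.append(Finding(parts[0], scheme, weak))
    return findings


def weak_accounts(text: str) -> list:
    """Names of accounts whose password hash should be considered weak."""
    return [f.user for f in audit_shadow(text) if f.weak]


# Constructed sample: one md5-crypt root, one sha512-crypt admin, a locked
# system account, a DES-crypt service account and an account with no password.
SAMPLE_SHADOW = """\
# user:hash:lastchg:min:max:warn:inactive:expire:reserved
root:$1$abcdefgh$Qw3rTy9u1oPaSdFgHjKlZx:18000:0:99999:7:::
admin:$6$saltsalt$Qw3rTy9u1oPaSdFgHjKlZxCvBnM0987654321:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
camera:AbCdEfGhIjKlM:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        flag = "WEAK" if finding.weak else "ok"
        print(f"{finding.user:8} {finding.scheme:30} {flag}")
```

Run it against a shadow file extracted from a firmware image (for example with `python3 audit.py < shadow`, after swapping the sample for `sys.stdin.read()`); any `WEAK` row is a candidate for re-hashing and, where the same hash appears across many units, for a per-device credential scheme.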


> [Suggested description]
> An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.
> It uses a default SSID value, which makes it easier for remote attackers to
> discover the physical locations of many Siime Eye devices, violating the
> privacy of users who do not wish to disclose their ownership of this type of 
> device.
> (Various resources such as wigle.net can be used for mapping of SSIDs to 
> physical locations.)
>
> ------------------------------------------
>
> [Additional Information]
> The access point is only detectable when the device is turned on. As the 
> device is turned on only for limited times, fewer devices are detected via 
> Wigle than one might expect.
>
> Wigle.net is a site which maps SSIDs to physical locations. Using this
> site, it is possible to filter on specific SSIDs. When a filter is
> applied to find the default SSID of the Siime Eye, it is possible to
> find several devices across the globe. The map shown on wigle shows an
> approximate physical location for the device and hence makes physical
> or physical proximity attacks more likely.
>
> In addition it violates the user's privacy as everyone on the internet
> is capable of detecting where the devices are being used.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Information disclosure
>
> ------------------------------------------
>
> [Vendor of Product]
> Svakom
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Siime Eye - 14.1.00000001.3.330.0.0.3.14
>
> ------------------------------------------
>
> [Affected Component]
> Siime Eye Wi-Fi access point
>
> ------------------------------------------
>
> [Attack Type]
> Context-dependent
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> In order to exploit this issue an attacker needs to simply search for the 
> Siime Eye SSID on wigle.net.
>
> ------------------------------------------
>
> [Reference]
> https://wigle.net
> N/A
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit cyber security in 
> assignment of the Consumentenbond.
Use CVE-2020-11917.


> [Suggested description]
> An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.
> When a backup file is created through the web interface, information on
> all users, including passwords, can be found in cleartext in the
> backup file. An attacker capable of accessing the web interface
> can create the backup file.
>
> ------------------------------------------
>
> [Additional Information]
> Note that this means the application passwords are also stored on the device 
> in plain text, otherwise they could not be placed in the backup file in this 
> manner.
>
> Note that during normal functional use, the backup file is
> not created.
>
> and then use other vulnerabilities
> to obtain access to the backup file, including the user's passwords.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Svakom
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Siime Eye - 14.1.00000001.3.330.0.0.3.14
>
> ------------------------------------------
>
> [Affected Component]
> Siime Eye
>
> ------------------------------------------
>
> [Attack Type]
> Context-dependent
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> A backup file must be found or created by an attacker in order to exploit 
> this vulnerability.
>
> ------------------------------------------
>
> [Reference]
> N/A
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the 
> Consumentenbond
Use CVE-2020-11918.


> [Suggested description]
> An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.
> There is no CSRF protection.
>
> ------------------------------------------
>
> [Additional Information]
> The default settings make this attack theoretical rather than practical.
>
>
> A lot of interaction takes place between the application and the end
> user. For correct functioning, it is important to verify that requests
> coming from the user actually represent the user's intention. The
> application must therefore be able to distinguish forged requests from
> legitimate ones. Currently no measures against Cross-Site Request
> Forgery have been implemented and therefore users can be tricked into
> submitting requests without their knowledge or consent. From the
> application's point of view, these requests are legitimate requests
> from the user and they will be processed as such. This can result in
> the creation of additional (administrative) user accounts, without the
> user’s knowledge or consent.
>
> In order to execute a CSRF attack, a user must be tricked into visiting
> an attacker controlled page, using the same browser that is
> authenticated to the Siime Eye. As mostly the Hotspot from Siime Eye
> will be used, users are unlikely to (be able to) access such pages
> simultaneously.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Request Forgery (CSRF)
>
> ------------------------------------------
>
> [Vendor of Product]
> Svakom
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Siime Eye - 14.1.00000001.3.330.0.0.3.14
>
> ------------------------------------------
>
> [Affected Component]
> Siime Eye, web interface
>
> ------------------------------------------
>
> [Attack Type]
> Context-dependent
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Full device compromise.
>
> ------------------------------------------
>
> [Reference]
> N/A
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the 
> Consumentenbond.
Use CVE-2020-11919.
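The CSRF entry above describes the defect (no way to tell a forged request from one the user intended) and its consequence (creation of additional administrative accounts). The following is an added example, not code from the Siime Eye firmware or from the advisory: an unprotected "add user" handler in the shape the entry describes, next to a hardened one that requires a per-session anti-CSRF token and, as defence in depth, a matching `Origin` header on every state-changing request. Requests are modelled as plain dicts; the endpoint, the field names and the device address are assumptions made for this example.

```python
"""Synchronizer-token CSRF protection for a small device web UI.

Added example, not the device's own code: an unprotected handler beside a
hardened one. The session store, origin and form fields are constructed.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # fresh per process (constructed)
DEVICE_ORIGIN = "http://192.168.1.1"      # assumed origin of the device UI
SESSIONS = {"s-admin": "admin"}           # session cookie value -> logged-in user


def issue_token(session_id: str) -> str:
    """Create a token bound to one session: nonce.HMAC(secret, session:nonce).

    Binding the MAC to the session id means a token captured from one
    session cannot be replayed into another.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_token(session_id: str, token: str) -> bool:
    """Constant-time check that the token was issued for this session."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    # compare as bytes: compare_digest rejects non-ASCII str input
    return hmac.compare_digest(expected.encode(), mac.encode())


def add_user_unprotected(request: dict, users: set) -> int:
    """Vulnerable pattern: any POST carrying a valid session cookie is trusted,
    so a form auto-submitted by a third-party page creates the account."""
    if request["cookies"].get("session") not in SESSIONS:
        return 401
    users.add(request["form"]["username"])
    return 200


def add_user_protected(request: dict, users: set) -> int:
    """Hardened handler: session cookie, then Origin check, then CSRF token."""
    sid = request["cookies"].get("session")
    if sid not in SESSIONS:
        return 401
    origin = request["headers"].get("Origin")
    if origin is not None and origin != DEVICE_ORIGIN:
        return 403                        # request originated cross-site
    if not verify_token(sid, request["form"].get("csrf_token", "")):
        return 403                        # token missing or not this session's
    users.add(request["form"]["username"])
    return 200


def forged_request() -> dict:
    """Constructed: a cross-site form submission. The browser attaches the
    device session cookie automatically; the token is not available to it."""
    return {"cookies": {"session": "s-admin"},
            "headers": {"Origin": "http://attacker.example"},
            "form": {"username": "backdoor"}}


def legitimate_request() -> dict:
    """Constructed: the device's own form, which embeds the session's token."""
    return {"cookies": {"session": "s-admin"},
            "headers": {"Origin": DEVICE_ORIGIN},
            "form": {"username": "newuser",
                     "csrf_token": issue_token("s-admin")}}


def demo() -> dict:
    """Run both handlers against both requests; returns (forged, legitimate)
    status codes per handler."""
    results = {}
    for name, handler in (("unprotected", add_user_unprotected),
                          ("protected", add_user_protected)):
        users = {"admin"}
        results[name] = (handler(forged_request(), users),
                         handler(legitimate_request(), users))
    return results


if __name__ == "__main__":
    print(demo())   # {'unprotected': (200, 200), 'protected': (403, 200)}
```

The `Origin` check alone is not sufficient (some clients omit the header), which is why the token remains mandatory; the token alone is sufficient, and the origin check only adds an earlier, cheaper rejection. Any 403 from the protected handler is also a useful log event, since a legitimate UI never produces one.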


> [Suggested description]
> An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.
> A command injection vulnerability resides in the HOST/IP section of the
> record settings menu in the webserver running on the device. By
> injecting Bash commands here, the device executes arbitrary code with
> root privileges (all of the device's services are running as root).
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Svakom
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Siime Eye - 14.1.00000001.3.330.0.0.3.14
>
> ------------------------------------------
>
> [Affected Component]
> Siime Eye, web interface
>
> ------------------------------------------
>
> [Attack Type]
> Context-dependent
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> An attacker needs to be connected to the device's access point and have 
> access to the admin panel (e.g., through sniffing or brute-forcing the 
> credentials).
>
> ------------------------------------------
>
> [Reference]
> https://www.pentestpartners.com/security-blog/vulnerable-wi-fi-dildo-camera-endoscope-yes-really/
> N/A
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit cyber security in 
> assignment for the Consumentenbond. In addition, Pentest Partners discovered 
> this as well but did not request CVEs.
Use CVE-2020-11920.


> [Suggested description]
> An issue was discovered in Lush 2 through 2020-02-25.
> Due to the lack of Bluetooth traffic encryption, it is possible to
> hijack an ongoing Bluetooth connection between the Lush 2 and a mobile
> phone. This allows an attacker to gain full control over the device.
>
> ------------------------------------------
>
> [Additional Information]
> The victim will lose the legitimate connection and therefore will lose
> the ability to control the device. This attack hijacks the connection,
> even when someone else was actively using the device before. The
> original user loses control, and the attacker gains control of the
> device. Note that the user of the device remains capable of simply
> shutting it down. In order to exploit this vulnerability, the attacker
> must be present in a certain radius in which the Bluetooth connection
> can be intercepted. This attack vector also requires specific hardware
> like the Micro:bit.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Lovense
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Lush 2 - Cannot be determined.
>
> ------------------------------------------
>
> [Affected Component]
> Lush 2, Bluetooth interface
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [CVE Impact Other]
> Take over normal device functionality from the original owner.
>
> ------------------------------------------
>
> [Attack Vectors]
> An attacker needs to be physically close (roughly 100 meters) in order to 
> take over control of the device.
>
> ------------------------------------------
>
> [Reference]
> N/A
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Willem Westerhof, Jasper Nota, Roan Engelbert, Ilona de Bruin from Qbit cyber 
> security in assignment of the Consumentenbond.
Use CVE-2020-11921.


> [Suggested description]
> An issue was discovered in WiZ Colors A60 1.14.0.
> The device sends unnecessary information to the cloud controller
> server. Although this information is sent encrypted and has low risk in 
> isolation, it decreases the privacy of the end user.
> The information sent includes the local IP address being used and the SSID
> of the Wi-Fi network the device is connected to.
> (Various resources such as wigle.net can be used for mapping of SSIDs to 
> physical locations.)
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Information disclosure
>
> ------------------------------------------
>
> [Vendor of Product]
> WiZ Connected
>
> ------------------------------------------
>
> [Affected Product Code Base]
> WiZ Colors A60 - 1.14.0
>
> ------------------------------------------
>
> [Affected Component]
> WiZ Colors A60
>
> ------------------------------------------
>
> [Attack Type]
> Context-dependent
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> None. The Lightbulb by default transmits privacy sensitive info to the cloud 
> system.
>
> ------------------------------------------
>
> [Reference]
> N/A
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Willem Westerhof, Wouter Wessels, Jim Blankendaal, Jasper Nota from Qbit in 
> assignment of the Consumentenbond.
Use CVE-2020-11922.


> [Suggested description]
> An issue was discovered in WiZ Colors A60 1.14.0.
> API credentials are locally logged.
>
> ------------------------------------------
>
> [Additional Information]
> An issue was discovered in WiZ Colors A60 1.14.0.
> Applications use general logs to reflect all kinds of information to the
> terminal. The WiZ application also uses logs; however, instead of
> only generic information, API credentials are also submitted to the
> Android log. The information that is reflected in the logging can be
> used to perform authorised requests on behalf of the user and therefore
> to control the lights just as the user can using the application.
> In order to obtain the information, access to the device logs is
> required. This can most easily be done via local access and also by
> other apps on rooted devices.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> WiZ Connected
>
> ------------------------------------------
>
> [Affected Product Code Base]
> WiZ Colors A60 - 1.14.0
>
> ------------------------------------------
>
> [Affected Component]
> Wiz Android Application 1.15.0
>
> ------------------------------------------
>
> [Attack Type]
> Physical
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Physical access or local root access on the mobile phone is required in order 
> to exploit this issue.
>
> ------------------------------------------
>
> [Reference]
> N/A
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Wouter Wessels, Willem Westerhof, Jasper Nota, Jim Blankendaal
Use CVE-2020-11923.


> [Suggested description]
> An issue was discovered in WiZ Colors A60 1.14.0.
> Wi-Fi credentials are stored in cleartext in flash memory, which
> presents an information-disclosure risk for a discarded or resold device.
>
> ------------------------------------------
>
> [Additional Information]
> Wi-Fi credentials are stored in plain-text on the light bulb. These
> credentials can be obtained by reading the flash memory directly using
> a logic analyzer. This means the Wi-Fi login credentials of the
> previous owner can be found in the memory capture when the device is
> bought second-hand, or retrieved from a trashcan.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Information disclosure
>
> ------------------------------------------
>
> [Vendor of Product]
> WiZ Connected
>
> ------------------------------------------
>
> [Affected Product Code Base]
> WiZ Colors A60 - 1.14.0
>
> ------------------------------------------
>
> [Affected Component]
> WiZ Colors A60
>
> ------------------------------------------
>
> [Attack Type]
> Physical
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Physical; access to the chip is required.
>
> ------------------------------------------
>
> [Reference]
> N/A
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Jasper Nota, Willem Westerhof, Wouter Wessels, Jim Blankendaal from Qbit in 
> assignment of the Consumentenbond.
Use CVE-2020-11924.


> [Suggested description]
> An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25.
> Authentication to the device is based on a username and password. The
> root credentials are the same across all devices of this model.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Luvion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Luvion Grand Elite 3 Connect - Could not be determined
>
> ------------------------------------------
>
> [Affected Component]
> Underlying Linux system.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Any attacker with network access can exploit this vulnerability.
>
> ------------------------------------------
>
> [Discoverer]
> Willem Westerhof, Jasper Nota, Jim Blankendaal, Martijn Baalman from Qbit in 
> assignment of Consumentenbond.
>
> ------------------------------------------
>
> [Reference]
> N/A
Use CVE-2020-11925.


> [Suggested description]
> An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25.
> Clients can authenticate themselves to the device using a username and
> password. These credentials can be obtained through an unauthenticated
> web request, e.g., for a JavaScript file. Also, the disclosed information
> includes the SSID and WPA2 key for the Wi-Fi network the device is
> connected to.
>
> ------------------------------------------
>
> [Additional Information]
> The disclosed information can be functionally used by an attacker to remotely 
> gain access to normal camera functionality (e.g., watching someone's room 
> over the internet).
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Luvion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Luvion Grand Elite 3 Connect - Cannot be determined
>
> ------------------------------------------
>
> [Affected Component]
> Webserver running on the device.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [CVE Impact Other]
> Authentication bypass
>
> ------------------------------------------
>
> [Attack Vectors]
> An attacker can simply browse to the device and retrieve the passwords.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Willem Westerhof, Jasper Nota, Jim Blankendaal, Martijn Baalman from Qbit in 
> assignment of the Consumentenbond
>
> ------------------------------------------
>
> [Reference]
> N/A
Use CVE-2020-11926.

> > > [Suggested description]
> > > An issue was discovered on Brother MFC-J491DW C1806180757 devices.
> > > The printer's web-interface password hash can be retrieved without
> > > authentication, because the response header of any failed login attempt
> > > returns an incomplete authorization cookie. The value of the
> > > authorization cookie is the MD5 hash of the password in hexadecimal.
> > > An attacker can easily derive the true MD5 hash from this, and use
> > > offline cracking attacks to obtain administrative access to the device.
> > >
> > > ------------------------------------------
> > >
> > > [Vulnerability Type]
> > > Incorrect Access Control
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > Brother
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > MFC-J491DW - C1806180757
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > Web admin panel
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Remote
> > >
> > > ------------------------------------------
> > >
> > > [Impact Escalation of Privileges]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Impact Information Disclosure]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > An attacker needs to have access to the web interface running on TCP/80 
> > > on the device.
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Konrad Leszczynski, intern at Qbit in cooperation with the Dutch Consumer 
> > > Organisation
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://global.brother
>
> Use CVE-2019-20457.
>
>
> > > [Suggested description]
> > > An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 
> > > devices.
> > > By default, the device comes (and functions) without a password. The
> > > user is at no point prompted to set up a password on the device
> > > (leaving a number of devices without a password). In this case, anyone
> > > connecting to the web admin panel is capable of becoming admin without
> > > using any credentials.
> > >
> > > ------------------------------------------
> > >
> > > [Vulnerability Type]
> > > Incorrect Access Control
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > Epson
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > Expression Home XP255 - 20.08.FM10I8
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > Web admin panel
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Remote
> > >
> > > ------------------------------------------
> > >
> > > [Impact Escalation of Privileges]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > The attacker needs to have access to port 80/TCP (the webserver) of the 
> > > device.
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Konrad Leszczynski, intern at Qbit in collaboration with the Dutch 
> > > consumer organisation.
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://epson.com/Support/sl/s
>
> Use CVE-2019-20458.
>
>
> > > [Suggested description]
> > > An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 
> > > devices.
> > > With the SNMPv1 public community,
> > > all values can be read, and with the epson community, all the
> > > changeable values can be written/updated, as demonstrated by
> > > permanently disabling the network card or changing the DNS servers.
> > >
> > > ------------------------------------------
> > >
> > > [Vulnerability Type]
> > > Insecure Permissions
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > Epson
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > Expression Home XP255 - 20.08.FM10I8
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > SNMP agent
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Remote
> > >
> > > ------------------------------------------
> > >
> > > [Impact Denial of Service]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Impact Escalation of Privileges]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Impact Information Disclosure]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > The attacker must be able to connect to the devices on port 515/UDP.
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Konrad Leszczynski, intern at Qbit in collaboration with the Dutch 
> > > consumer organisation.
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://epson.com/Support/sl/s
>
> Use CVE-2019-20459.
>
>
> > > [Suggested description]
> > > An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 
> > > devices.
> > > POST requests don't require (anti-)CSRF tokens or other
> > > mechanisms for validating that the request is from a legitimate
> > > source.
> > > In addition, CSRF attacks can be used to send text directly to the RAW
> > > printer interface. For example, an attack could deliver a worrisome 
> > > printout to an end user.
> > >
> > > ------------------------------------------
> > >
> > > [Vulnerability Type]
> > > Cross Site Request Forgery (CSRF)
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > Epson
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > Expression Home XP255 - 20.08.FM10I8
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > Web admin panel, RAW printing protocol
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Remote
> > >
> > > ------------------------------------------
> > >
> > > [Impact Escalation of Privileges]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > Using a CSRF attack, the web admin panel is attacked.
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Konrad Leszczynski, intern at Qbit in collaboration with the Dutch 
> > > consumer organisation.
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://epson.com/Support/sl/s
>
> Use CVE-2019-20460.
>
>
> > > [Suggested description]
> > > An issue was discovered on Alecto IVM-100 2019-11-12 devices.
> > > The device uses a custom UDP protocol to start and control video and
> > > audio services. The protocol has been partially reverse engineered.
> > > Based upon the reverse engineering, no password or username is ever
> > > transferred over this protocol. Thus, one can set up the camera
> > > connection feed with only the encoded UID. It is possible to set up
> > > sessions with the camera over the Internet by using the encoded UID
> > > and the custom UDP protocol, because authentication happens at the
> > > client side.
> > >
> > > ------------------------------------------
> > >
> > > [Vulnerability Type]
> > > Incorrect Access Control
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > Alecto
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > Alecto-IVM-100 - Exact version unknown
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > Video and audio stream of the camera.
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Remote
> > >
> > > ------------------------------------------
> > >
> > > [Impact Information Disclosure]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > An attacker requires knowledge of the encoded UID (can be obtained by
> > > sniffing or enumerating). Once this knowledge has been obtained, the
> > > attacker can set up a video/audio system from anywhere.
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security 
> > > in cooperation with the Dutch consumer organisation
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://www.alecto.nl
>
> Use CVE-2019-20461.
>
>
> > > [Suggested description]
> > > An issue was discovered on Alecto IVM-100 2019-11-12 devices.
> > > The device comes with a serial interface at the board level. By
> > > attaching to this serial interface and rebooting the device, a large
> > > amount of information is disclosed. This includes the view password
> > > and the password of the Wi-Fi access point that the device used.
> > >
> > > ------------------------------------------
> > >
> > > [Vulnerability Type]
> > > Incorrect Access Control
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > Alecto
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > Alecto IVM-100 - unknown.
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > Serial interface.
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Physical
> > >
> > > ------------------------------------------
> > >
> > > [Impact Information Disclosure]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > An attacker needs to open up the device and physically attach wires as 
> > > well as reboot the device.
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security 
> > > in cooperation with the Dutch consumer organisation
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://www.alecto.nl
>
> Use CVE-2019-20462.
>
>
> > > [Suggested description]
> > > An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 
> > > 950004 595317 devices.
> > > A crash and reboot can be triggered by crafted IP traffic, as 
> > > demonstrated by the Nikto vulnerability scanner.
> > > For example, sending the 111111 string to UDP port 20188 causes a reboot. 
> > > To deny service for a long time period,
> > > the crafted IP traffic may be sent periodically.
> > >
> > > ------------------------------------------
> > >
> > > [VulnerabilityType Other]
> > > Denial of Service due to incorrect error handling
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > Sannce
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > Sannce Smart HD Wifi Security Camera - EAN nr: 2 950004 595317
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > Webserver, custom UDP handling binary.
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Remote
> > >
> > > ------------------------------------------
> > >
> > > [Impact Denial of Service]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > Any attacker capable of reaching the device with a network packet is 
> > > capable of causing a DoS.
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security 
> > > in cooperation with the Dutch Consumer organisation.
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://www.sannce.com
>
> Use CVE-2019-20463.
>
>
> > > [Suggested description]
> > > An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 
> > > 950004 595317 devices.
> > > By default, a mobile application is used to stream over UDP.
> > > However, the device offers many more services
> > > that also enable streaming. Although the service used by the mobile
> > > application requires a password, the other streaming services do not. By
> > > initiating communication on the RTSP port, an attacker can
> > > obtain access to the video feed without authenticating.
> > >
> > > ------------------------------------------
> > >
> > > [Vulnerability Type]
> > > Incorrect Access Control
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > Sannce
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > Sannce Smart HD Wifi Security Camera - EAN nr: 2 950004 595317
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > Videostream of camera
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Remote
> > >
> > > ------------------------------------------
> > >
> > > [Impact Escalation of Privileges]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Impact Information Disclosure]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > An attacker simply needs to be able to connect to the device over the 
> > > network.
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security 
> > > in cooperation with the Dutch Consumer organisation.
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://www.sannce.com
>
> Use CVE-2019-20464.
>
>
> > > [Suggested description]
> > > An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 
> > > 950004 595317 devices.
> > > It is possible (using TELNET without a password) to control the camera's
> > > pan/zoom/tilt functionality.
> > >
> > > ------------------------------------------
> > >
> > > [Vulnerability Type]
> > > Incorrect Access Control
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > Sannce
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > Sannce Smart HD Wifi Security Camera - EAN nr: 2 950004 595317
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > Videostream of camera
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Remote
> > >
> > > ------------------------------------------
> > >
> > > [Impact Escalation of Privileges]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Impact Information Disclosure]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > An attacker simply needs to be able to connect to the device over the 
> > > network.
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security 
> > > in cooperation with the Dutch Consumer organisation.
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://www.sannce.com
>
> Use CVE-2019-20465.
>
>
> > > [Suggested description]
> > > An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 
> > > 950004 595317 devices.
> > > A local attacker with the "default" account is capable of reading the
> > > /etc/passwd file, which contains a weakly hashed root password.
> > > By taking this hash and cracking it, the attacker
> > > can obtain root rights on the device.
> > >
> > > ------------------------------------------
> > >
> > > [Vulnerability Type]
> > > Insecure Permissions
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > Sannce
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > Sannce Smart HD Wifi Security Camera - EAN nr: 2 950004 595317
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > Root user through file /etc/passwd
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Local
> > >
> > > ------------------------------------------
> > >
> > > [Impact Escalation of Privileges]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > To exploit the vulnerability, someone must be able to get local
> > > presence on the device, e.g. through command injection or by using the
> > > telnet interface as a low-privileged user.
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security 
> > > in cooperation with the Dutch Consumer organisation.
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://www.sannce.com
>
> Use CVE-2019-20466.
>
>
> > > [Suggested description]
> > > An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 
> > > 950004 595317 devices.
> > > The device by default has a TELNET interface available (which is not
> > > advertised or functionally used, but is nevertheless available). Two
> > > backdoor accounts (root and default) exist that can be used on this
> > > interface. The usernames and passwords of the backdoor accounts are the
> > > same on all devices. Attackers can use these backdoor accounts to
> > > obtain access and execute code as root within the device.
> > >
> > > ------------------------------------------
> > >
> > > [Vulnerability Type]
> > > Incorrect Access Control
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > Sannce
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > Sannce Smart HD Wifi Security Camera - EAN nr: 2 950004 595317
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > Telnet daemon
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Local
> > >
> > > ------------------------------------------
> > >
> > > [Impact Code execution]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > Anyone with network access to the device can trigger this vulnerability.
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security 
> > > in cooperation with the Dutch Consumer organisation.
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://www.sannce.com
>
> Use CVE-2019-20467.
>
>
> > > [Suggested description]
> > > An issue was discovered in SeTracker2 for TK-Star Q90 Junior GPS horloge 
> > > 3.1042.9.8656 devices. It has unnecessary
> > > permissions such as READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, and 
> > > READ_CONTACTS.
> > >
> > > ------------------------------------------
> > >
> > > [Additional Information]
> > > The manifest of Q90 declares the use of permissions. However, some of
> > > the declared functions are not required for proper functioning of the
> > > application. The following application permissions are not required:
> > >
> > > android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows
> > > using the type WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY,
> > > shown on top of all other apps.
> > >
> > > android.permission.WRITE_EXTERNAL_STORAGE: Declaring these permissions
> > > for debugging purposes is common practice, but they should not be
> > > carried over to production releases of the app.
> > >
> > > android.permission.READ_EXTERNAL_STORAGE.
> > >
> > > android.permission.CHANGE_WIFI_STATE: Allows applications to change
> > > Wi-Fi connectivity state.
> > >
> > > android.permission.CHANGE_CONFIGURATION: Allows access to the list of
> > > accounts (including usernames) in the Accounts Service.
> > >
> > > android.permission.READ_CONTACTS: Allows an application to read the
> > > user's contacts data.
> > >
> > > android.permission.MANAGE_ACCOUNTS: The application can request create
> > > or access accounts stored locally in the AccountManager.
> > >
> > > android.permission.GET_ACCOUNTS: Allows access to the list of accounts
> > > (including usernames) in the Accounts Service.
> > >
> > > android.permission.BLUETOOTH: Allows applications to connect to paired
> > > bluetooth devices.
> > >
> > > android.permission.BLUETOOTH_ADMIN: Allows applications to discover and
> > > pair bluetooth devices.
> > >
> > > android.permission.GET_TASKS: Allows the app to retrieve information
> > > about currently and recently running tasks. This may allow the app to
> > > discover information about which applications are used on the device.
> > >
> > > The backup element (android:allowBackup) is manually set to true.
> > >
> > > The sheer amount of unnecessary permissions, with potential high
> > > security impact, (e.g. reading all contact information, retrieving
> > > usernames, passwords and other personal information stored on the
> > > device, changing system settings, connecting to other devices) provides
> > > the application with an unnecessarily large amount of sensitive
> > > information and (potential) control over older (API 16-22) mobile
> > > devices and raises numerous questions regarding the intentions behind
> > > this application.
> > >
> > > ------------------------------------------
> > >
> > > [Vulnerability Type]
> > > Insecure Permissions
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > TK-star
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > TK-Star Q90 Junior GPS horloge - 3.1042.9.8656
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > Q90 SeTracker2
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Local
> > >
> > > ------------------------------------------
> > >
> > > [Impact Code execution]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Impact Information Disclosure]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [CVE Impact Other]
> > > Excessive permissions can enable malicious behaviour.
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > To exploit the vulnerability, the application code must be updated with 
> > > malicious intent.
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Dennis van Warmerdam, Jasper Nota, Jim Blankendaal
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://www.tk-star.com
>
> Use CVE-2019-20468.
>
>
> > > [Suggested description]
> > > An issue was discovered on One2Track 2019-12-08 devices.
> > > Confidential information is needlessly stored on the smartwatch. Audio
> > > files are stored in .amr format, in the audior directory. An
> > > attacker who has physical access can
> > > retrieve all audio files by connecting via a USB cable.
> > >
> > > ------------------------------------------
> > >
> > > [VulnerabilityType Other]
> > > Voice conversations leaked to physical attackers.
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > One2Track
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > one2track - up-to-date version as of 12-8-2019 (no exact version number)
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > Local smartwatch storage
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Physical
> > >
> > > ------------------------------------------
> > >
> > > [Impact Information Disclosure]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > An attacker must physically have access to the One2track software.
> > > Once this access has been obtained, audio messages sent to the
> > > smartwatch can be retrieved from the local storage.
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Dennis van Warmerdam, Jasper Nota, Jim Blankendaal
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://www.one2track.nl
>
> Use CVE-2019-20469.
>
>
> > > [Suggested description]
> > > An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 
> > > devices.
> > > It performs actions based on certain SMS commands. This
> > > can be used to set up a voice communication channel from the watch to
> > > any telephone number, initiated by sending a specific SMS and using the
> > > default password, e.g., pw,<password>,call,<mobile_number> triggers an 
> > > outbound call
> > > from the watch.
> > > The password is sometimes available because of CVE-2019-20471.
> > >
> > > ------------------------------------------
> > >
> > > [VulnerabilityType Other]
> > > Remote audio connection without explicit approval
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > TK-star
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > TK-Star Q90 Junior GPS horloge - 3.1042.9.8656
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > Smartwatch
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Remote
> > >
> > > ------------------------------------------
> > >
> > > [Impact Code execution]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Impact Information Disclosure]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > An attacker needs to send an SMS to the device's mobile number. Knowledge 
> > > of the mobile number is required before this vulnerability can be 
> > > exploited.
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Dennis van Warmerdam, Jasper Nota, Jim Blankendaal
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://www.tk-star.com
>
> Use CVE-2019-20470.
>
>
> > > [Suggested description]
> > > An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 
> > > devices.
> > > When using the device at initial setup, a default password is used
> > > (123456) for administrative purposes. There is no prompt to change this 
> > > password.
> > > Note that this password can be used in combination with CVE-2019-20470.
> > >
> > > ------------------------------------------
> > >
> > > [Vulnerability Type]
> > > Incorrect Access Control
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > TK-star
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > TK-Star Q90 Junior GPS horloge - 3.1042.9.8656
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > Smartwatch
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Remote
> > >
> > > ------------------------------------------
> > >
> > > [Impact Code execution]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Impact Information Disclosure]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > An attacker needs to send an SMS to the device's mobile number.
> > > Knowledge of the mobile number is required before this vulnerability
> > > can be exploited.
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Dennis van Warmerdam, Jasper Nota, Jim Blankendaal
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://www.tk-star.com
>
> Use CVE-2019-20471.
>
>
> > > [Suggested description]
> > > An issue was discovered on One2Track 2019-12-08 devices.
> > > Any SIM card used with the device
> > > cannot have a PIN configured. If a PIN is configured, the device simply 
> > > produces a
> > > "Remove PIN and restart!" message, and cannot be used. This makes it 
> > > easier for
> > > an attacker to use the SIM card by stealing the device.
> > >
> > > ------------------------------------------
> > >
> > > [VulnerabilityType Other]
> > > recommendation to disable common security measures
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > One2Track
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > One2Track - up-to-date version as of 12-8-2019 (no exact version number)
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > SIM card security PIN
> > >
> > > ------------------------------------------
> > >
> > > [Attack Type]
> > > Physical
> > >
> > > ------------------------------------------
> > >
> > > [CVE Impact Other]
> > > recommendation to disable common security measures
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > Local
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Dennis van Warmerdam, Jim Blankendaal, Jasper Nota
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://www.one2track.nl
>
> Use CVE-2019-20472.
>
>
> > > [Suggested description]
> > > An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 
> > > devices.
> > > Any SIM card used with the device
> > > cannot have a PIN configured. If a PIN is configured, the device simply 
> > > produces a
> > > "Remove PIN and restart!" message, and cannot be used. This makes it 
> > > easier for
> > > an attacker to use the SIM card by stealing the device.
> > >
> > > ------------------------------------------
> > >
> > > [VulnerabilityType Other]
> > > recommendation to disable common security measures
> > >
> > > ------------------------------------------
> > >
> > > [Vendor of Product]
> > > TK-star
> > >
> > > ------------------------------------------
> > >
> > > [Affected Product Code Base]
> > > TK-Star Q90 Junior GPS horloge - 3.1042.9.8656
> > >
> > > ------------------------------------------
> > >
> > > [Affected Component]
> > > SIM card & PIN
> > >
> > > ------------------------------------------
> > >
> > > [Attack Vectors]
> > > Local
> > >
> > > ------------------------------------------
> > >
> > > [Has vendor confirmed or acknowledged the vulnerability?]
> > > true
> > >
> > > ------------------------------------------
> > >
> > > [Discoverer]
> > > Dennis van Warmerdam, Jasper Nota, Jim Blankendaal
> > >
> > > ------------------------------------------
> > >
> > > [Reference]
> > > https://www.tk-star.com
>
> Use CVE-2019-20473.
>
>


With kind regards / Met vriendelijke groet,
Willem Westerhof  | Senior Security Specialist & Public speaker
Raising Your Cyber Resilience
E:  willem.westerhof@xxxxxxxxxx<mailto:willem.westerhof@xxxxxxxxxx>
T: +31 6 488 594 22
W: secura.com<https://www.secura.com/>

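The permission review described in the SeTracker2 entry above, as an added example that is not part of the original post or of the SeTracker2 app: it parses a constructed sample manifest (not the real SeTracker2 manifest), flags the permissions that entry lists as not required, and reports an explicit android:allowBackup="true".

```python
"""Audit an Android manifest for permissions the app does not need.

Added example, not code from the advisory or the vendor. SAMPLE_MANIFEST is a
constructed stand-in for an unpacked AndroidManifest.xml; NOT_REQUIRED is the
set of permissions the SeTracker2 entry lists as unnecessary.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the advisory lists as not required for the app to function.
NOT_REQUIRED = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.CHANGE_CONFIGURATION",
    "android.permission.READ_CONTACTS",
    "android.permission.MANAGE_ACCOUNTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.BLUETOOTH",
    "android.permission.BLUETOOTH_ADMIN",
    "android.permission.GET_TASKS",
}

# Constructed sample manifest; package name and permission set are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.tracker.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <application android:label="Sample" android:allowBackup="true"/>
</manifest>
"""


def audit_manifest(manifest_xml: str, not_required=NOT_REQUIRED) -> dict:
    """Return declared permissions, the flagged subset and the backup flag.

    Only permissions actually declared in the manifest can be flagged, so
    the result reflects the manifest, not the full NOT_REQUIRED list.
    """
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    declared = sorted(
        el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)
    )
    flagged = sorted(p for p in declared if p in not_required)
    app = root.find("application")
    backup_attr = f"{{{ANDROID_NS}}}allowBackup"
    # allowBackup defaults to true when absent; a hardened app sets it false.
    allow_backup = app is not None and app.get(backup_attr, "true").lower() == "true"
    return {"declared": declared, "flagged": flagged, "allow_backup": allow_backup}


def report(manifest_xml: str) -> list:
    """One finding per line, suitable for a review checklist."""
    result = audit_manifest(manifest_xml)
    lines = [f"unnecessary permission: {p}" for p in result["flagged"]]
    if result["allow_backup"]:
        lines.append("android:allowBackup is true: app data is included in device backups")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_MANIFEST):
        print(line)
```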
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/