nginx njs 0.7.2 is vulnerable to Buffer Overflow. Type confused in Array.prototype.concat() when a slow array appended element is fast array.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-27008: SEGV njs_array.c:335:41 in njs_array_add · Issue #471 · nginx/njs

Tcpreplay v4.4.1 has a heap-based buffer overflow in do_checksum_math at /tcpedit/checksum.c.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
heap-buffer-overflow in tcpreplay

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CFLAGS="-g -fsanitize=address" export CXXFLAGS="-g -fsanitize=address"
2.  ./configure --disable-local-libopts
3.  make
4.  ./tcpreplay-edit -r 80:84 -s 20 -b -C -m 1500 -P --oneatatime -i lo POC2
5.  POC2.zip

**ASAN**

    =================================================================
    ==2505330==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000002a0 at pc 0x555db3af22a5 bp 0x7ffe70553580 sp 0x7ffe70553570
    READ of size 2 at 0x6060000002a0 thread T0
        #0 0x555db3af22a4 in do_checksum_math /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpedit/checksum.c:193
        #1 0x555db3af1be8 in do_checksum /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpedit/checksum.c:103
        #2 0x555db3ae925c in fix_ipv4_checksums /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpedit/edit_packet.c:81
        #3 0x555db3ae49b4 in tcpedit_packet /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpedit/tcpedit.c:351
        #4 0x555db3acf3b9 in send_packets /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/send_packets.c:397
        #5 0x555db3ae0997 in replay_file /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/replay.c:182
        #6 0x555db3adf92b in tcpr_replay_index /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/replay.c:59
        #7 0x555db3ade6b8 in tcpreplay_replay /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpreplay_api.c:1139
        #8 0x555db3ad6f2a in main /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpreplay.c:178
        #9 0x7f5ea6e440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #10 0x555db3ac916d in _start (/home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpreplay-edit+0x2016d)
    
    0x6060000002a0 is located 0 bytes to the right of 64-byte region [0x606000000260,0x6060000002a0)
    allocated by thread T0 here:
        #0 0x7f5ea718bbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x7f5ea705720e  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x2420e)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpedit/checksum.c:193 in do_checksum_math
    Shadow bytes around the buggy address:
      0x0c0c7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
      0x0c0c7fff8010: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
      0x0c0c7fff8020: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
      0x0c0c7fff8030: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
      0x0c0c7fff8040: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
    =>0x0c0c7fff8050: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2505330==ABORTING
    
    
    

**System (please complete the following information):**

*   Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
*   Tcpreplay Version \[e.g. 4.3.2\]

    tcpreplay version: 4.4.0 (build git:v4.3.4-4-g0ca82e31)
    Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
    Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
    The entire Tcpreplay Suite is licensed under the GPLv3
    Cache file supported: 04
    Not compiled with libdnet.
    Compiled against libpcap: 1.9.1
    64 bit packet counters: enabled
    Verbose printing via tcpdump: enabled
    Packet editing: enabled
    Fragroute engine: disabled
    Injection method: PF_PACKET send()
    Not compiled with netmap

CVE-2022-27418: Heap-buffer-overflow in  tcpreplay · Issue #703 · appneta/tcpreplay

MariaDB Server v10.7 and below was discovered to contain a global buffer overflow in the component decimal_bin_size, which is exploited via specially crafted SQL statements.

PoC:

CREATE TABLE v0 AS SELECT NULL AS v1 FROM DUAL ;

 SELECT 'x' FROM v0 GROUP BY v1 , v1 ORDER BY AVG ( from\_unixtime ( '' ) ) ;

ASAN report:

ersion: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 10000  Source distribution

\=================================================================

\==2869677==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55fa8a50bf90 at pc 0x55fa89dcf30d bp 0x7fb3016d0290 sp 0x7fb3016d0280

READ of size 4 at 0x55fa8a50bf90 thread T13

    #0 0x55fa89dcf30c in decimal\_bin\_size /experiment/mariadb-server/strings/decimal.c:1551

    #1 0x55fa88cd14d2 in my\_decimal\_get\_binary\_size(unsigned short, unsigned short) /experiment/mariadb-server/sql/my\_decimal.h:346

    #2 0x55fa88cd14d2 in Type\_handler\_decimal\_result::sort\_length(THD\*, Type\_std\_attributes const\*, SORT\_FIELD\_ATTR\*) const /experiment/mariadb-server/sql/filesort.cc:2182

    #3 0x55fa88cd9bbd in sortlength /experiment/mariadb-server/sql/filesort.cc:2258

    #4 0x55fa88cd9bbd in filesort(THD\*, TABLE\*, Filesort\*, Filesort\_tracker\*, JOIN\*, unsigned long long) /experiment/mariadb-server/sql/filesort.cc:251

    #5 0x55fa886c0698 in create\_sort\_index(THD\*, JOIN\*, st\_join\_table\*, Filesort\*) /experiment/mariadb-server/sql/sql\_select.cc:24386

    #6 0x55fa886c10fe in st\_join\_table::sort\_table() /experiment/mariadb-server/sql/sql\_select.cc:22060

    #7 0x55fa886c1373 in join\_init\_read\_record(st\_join\_table\*) /experiment/mariadb-server/sql/sql\_select.cc:21999

    #8 0x55fa886f3cce in AGGR\_OP::end\_send() /experiment/mariadb-server/sql/sql\_select.cc:29470

    #9 0x55fa886f45cf in sub\_select\_postjoin\_aggr(JOIN\*, st\_join\_table\*, bool) /experiment/mariadb-server/sql/sql\_select.cc:20765

    #10 0x55fa8871882b in do\_select /experiment/mariadb-server/sql/sql\_select.cc:20604

    #11 0x55fa8871882b in JOIN::exec\_inner() /experiment/mariadb-server/sql/sql\_select.cc:4735

    #12 0x55fa8871a592 in JOIN::exec() /experiment/mariadb-server/sql/sql\_select.cc:4513

    #13 0x55fa88712b5a in mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*) /experiment/mariadb-server/sql/sql\_select.cc:4991

    #14 0x55fa88714654 in handle\_select(THD\*, LEX\*, select\_result\*, unsigned long) /experiment/mariadb-server/sql/sql\_select.cc:545

    #15 0x55fa88557d7c in execute\_sqlcom\_select /experiment/mariadb-server/sql/sql\_parse.cc:6256

    #16 0x55fa88581420 in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:3946

    #17 0x55fa885865a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #18 0x55fa8858c60b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #19 0x55fa8859173c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #20 0x55fa8894ce56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #21 0x55fa8894d33c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #22 0x55fa893ddc2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #23 0x7fb32095f258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

    #24 0x7fb32050a5e2 in \_\_GI\_\_\_clone (/usr/lib/libc.so.6+0xfe5e2)

0x55fa8a50bf90 is located 16 bytes to the left of global variable 'dig2bytes' defined in '/experiment/mariadb-server/strings/decimal.c:132:18' (0x55fa8a50bfa0) of size 40

0x55fa8a50bf90 is located 16 bytes to the right of global variable 'frac\_max' defined in '/experiment/mariadb-server/strings/decimal.c:133:19' (0x55fa8a50bf60) of size 32

SUMMARY: AddressSanitizer: global-buffer-overflow /experiment/mariadb-server/strings/decimal.c:1551 in decimal\_bin\_size

Shadow bytes around the buggy address:

  0x0abfd14997a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd14997b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd14997c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd14997d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd14997e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

\=>0x0abfd14997f0: f9 f9\[f9\]f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9

  0x0abfd1499800: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00

  0x0abfd1499810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd1499820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd1499830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd1499840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

Thread T13 created by T0 here:

    #0 0x7fb320f92fa7 in \_\_interceptor\_pthread\_create /build/gcc/src/gcc/libsanitizer/asan/asan\_interceptors.cpp:216

    #1 0x55fa893ddea9 in my\_thread\_create /experiment/mariadb-server/storage/perfschema/my\_thread.h:48

    #2 0x55fa893ddea9 in pfs\_spawn\_thread\_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252

    #3 0x55fa8824eb3c in inline\_mysql\_thread\_create /experiment/mariadb-server/include/mysql/psi/mysql\_thread.h:1139

    #4 0x55fa8824eb3c in create\_thread\_to\_handle\_connection(CONNECT\*) /experiment/mariadb-server/sql/mysqld.cc:5934

    #5 0x55fa8825a7b6 in handle\_accepted\_socket(st\_mysql\_socket, st\_mysql\_socket) /experiment/mariadb-server/sql/mysqld.cc:6055

    #6 0x55fa8825b36f in handle\_connections\_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179

    #7 0x55fa8825ea52 in mysqld\_main(int, char\*\*) /experiment/mariadb-server/sql/mysqld.cc:5829

    #8 0x7fb320433b24 in \_\_libc\_start\_main (/usr/lib/libc.so.6+0x27b24)

\==2869677==ABORTING

CVE-2022-27387: [MDEV-26422] ASAN: global-buffer-overflow in decimal_bin_size on SELECT

In atf (hwfde), there is a possible leak of sensitive information due to incorrect error handling. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06171729; Issue ID: ALPS06171729.

CVE-2022-20066: May 2022

PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that uses PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead.

@@ -159,8 +159,13 @@ static pj\_status\_t get\_name\_len(int rec\_counter, const pj\_uint8\_t \*pkt,

} else {

unsigned label\_len = \*p;

  

/\* Check that label length is valid \*/

if (pkt+label\_len > max)

/\* Check that label length is valid.

\* Each label consists of an octet length (of size 1) followed

\* by the octet of the specified length (label\_len). Then it

\* must be followed by either another label's octet length or

\* a zero length octet (that terminates the sequence).

\*/

if (p+1+label\_len+1 > max)

return PJLIB\_UTIL\_EDNSINNAMEPTR;

  

p += (label\_len + 1);

@@ -170,9 +175,6 @@ static pj\_status\_t get\_name\_len(int rec\_counter, const pj\_uint8\_t \*pkt,

++label\_len;

  

\*name\_len += label\_len;

  

if (p >= max)

return PJLIB\_UTIL\_EDNSINSIZE;

}

}

++p;

@@ -222,8 +224,13 @@ static pj\_status\_t get\_name(int rec\_counter, const pj\_uint8\_t \*pkt,

} else {

unsigned label\_len = \*p;

  

/\* Check that label length is valid \*/

if (pkt+label\_len > max)

/\* Check that label length is valid.

\* Each label consists of an octet length (of size 1) followed

\* by the octet of the specified length (label\_len). Then it

\* must be followed by either another label's octet length or

\* a zero length octet (that terminates the sequence).

\*/

if (p+1+label\_len+1 > max)

return PJLIB\_UTIL\_EDNSINNAMEPTR;

  

pj\_memcpy(name->ptr + name->slen, p+1, label\_len);

@@ -234,9 +241,6 @@ static pj\_status\_t get\_name(int rec\_counter, const pj\_uint8\_t \*pkt,

\*(name->ptr + name->slen) = '.';

++name->slen;

}

  

if (p >= max)

return PJLIB\_UTIL\_EDNSINSIZE;

}

}

  

@@ -269,6 +273,10 @@ static pj\_status\_t parse\_query(pj\_dns\_parsed\_query \*q, pj\_pool\_t \*pool,

  

p = (start + name\_part\_len);

  

/\* Check the size can accomodate next few fields. \*/

if (p + 4 > max)

return PJLIB\_UTIL\_EDNSINSIZE;

  

/\* Get the type \*/

pj\_memcpy(&q->type, p, 2);

q->type = pj\_ntohs(q->type);

CVE-2022-24793: Merge pull request from GHSA-p6g5-v97c-w5q4 · pjsip/pjproject@9fae8f4

Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to and including 1.0.8. The fix is established in commit 8e89fe0e175d2870c39486fdd09250b230ec10b8 but does not yet belong to an official release.

Valid

Reported on

May 13th 2021

**✍️ Description**

heap-buffer-overflow of decctx.cc in function read\_sps\_NAL

**🕵️‍♂️ Proof of Concept**

Verification steps： 1.Get the source code of Bento4 2.Compile the Bento4

    $ ./autogen.sh
    $ export CFLAGS="-g -lpthread -fsanitize=address"
    $ export CXXFLAGS="-g -lpthread -fsanitize=address"
    $ CC=clang CXX=clang++ ./configure --disable-shared
    $ make -j 32
    

3.run

    $./dec265 poc
    

**💥 Impact**

This vulnerability is capable of DDOS or code execution

Fixed in 8e89fe0e175d2870c39486fdd09250b230ec10b8

@farindk - thanks for the information. Would you be able to approve and confirm the fix using the action buttons in the drop-down section above?

Dirk Farin validated this vulnerability 10 months ago

RouX has been awarded the disclosure bounty

The fix bounty is now up for grabs

This vulnerability will not receive a CVE

to join this conversation

Fixed in 8e89fe0e175d2870c39486fdd09250b230ec10b8

@farindk - thanks for the information. Would you be able to approve and confirm the fix using the action buttons in the drop-down section above?

Dirk Farin validated this vulnerability 10 months ago

RouX has been awarded the disclosure bounty

The fix bounty is now up for grabs

This vulnerability will not receive a CVE

to join this conversation

CVE-2022-1253: Heap-based Buffer Overflow in libde265

Heap-based Buffer Overflow in libr/bin/format/ne/ne.c in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is heap overflow and may be exploitable. For more general description of heap buffer overflow, see [CWE](https://cwe.mitre.org/data/definitions/122.html).

Expand Up

@@ -374,6 +374,9 @@ RList \*r\_bin\_ne\_get\_entrypoints(r\_bin\_ne\_obj\_t \*bin) {

}

int off \= 0;

while (off < bin\->ne\_header\->EntryTableLength) {

if (bin\->entry\_table + off + 32 >= r\_buf\_size (bin\->buf)) {

break;

}

ut8 bundle\_length \= \*(ut8 \*)(bin\->entry\_table + off);

if (!bundle\_length) {

break;

Expand All

@@ -398,7 +401,9 @@ RList \*r\_bin\_ne\_get\_entrypoints(r\_bin\_ne\_obj\_t \*bin) {

ut8 segnum \= \*(bin\->entry\_table + off);

off++;

ut16 segoff \= \*(ut16 \*)(bin\->entry\_table + off);

entry\->paddr \= (ut64)bin\->segment\_entries\[segnum \- 1\].offset \* bin\->alignment + segoff;

if (segnum \> 0) {

entry\->paddr \= (ut64)bin\->segment\_entries\[segnum \- 1\].offset \* bin\->alignment + segoff;

}

} else { // Fixed

entry\->paddr \= (ut64)bin\->segment\_entries\[bundle\_type \- 1\].offset \* bin\->alignment + \*(ut16 \*)(bin\->entry\_table + off);

}

Expand Down

CVE-2022-1238: Fix another oobread segfault in the NE bin parser ##crash · radareorg/radare2@c40a4f9

Heap buffer overflow in Cast UI in Google Chrome prior to 99.0.4844.51 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via a crafted HTML page.

**Chrome Releases**

Release updates from the Chrome team

CVE-2022-0800: Stable Channel Update for Desktop

Improper input validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to execute commands.

As of June 15, 2022, this site no longer supports Internet Explorer. Please use another browser for the best experience on our site.

**Please sign in**

**SUMMARY**

**NPort IAW5000A-I/O Series Serial Device Server Vulnerabilities**

*   Security Advisory ID: MPSA-210501
*   Version: V1.0
*   Release Date: May 27, 2021
*   Reference:
    *   CVE-2021-32974
    *   BDU:2021-02699, BDU:2021-02700, BDU:2021-02701, BDU:2021-02702, BDU:2021-02703, BDU:2021-02704, BDU:2021-02705,BDU:2021-02706, BDU:2021-02707, BDU:2021-02708

Multiple product vulnerabilities were identified in Moxa’s NPort IAW5000A-I/O Series Wireless Device Server. In response to this, Moxa has developed related solutions to address these vulnerabilities.

The identified vulnerability types and potential impacts are shown below:

Item

Vulnerability Type

Impact

1

Buffer Overflow (CWE-120)  
BDU:2021-02699, BDU:2021-02702

A buffer overflow in the built-in web server allows remote attackers to initiate a DoS attack.

2

Stack-Based Buffer Overflow (CWE-121)  
BDU:2021-02700, BDU:2021-02701, BDU:2021-02703, BDU:2021-02704, BDU:2021-02708

A buffer overflow in the built-in web server allows remote attackers to initiate a DoS attack and execute arbitrary code (RCE).

3

Improper Input Validation (CWE-20)  
BDU:2021-02705, BDU:2021-02706

Data can be copied without validation in the built-in web server, which allows remote attackers to initiate a DoS attack.

4

OS Command Injection (CWE-78)  
BDU:2021-02707

Improper input validation in the built-in web server allows remote attackers to execute the OS command.

**AFFECTED PRODUCTS AND SOLUTIONS**

**Affected Products:**

The affected products and firmware versions are shown below.

Product Series

Affected Versions

NPort IAW5000A-I/O Series

Firmware Version 2.2 or lower

**Solutions:**

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series

Solutions

NPort IAW5000A-I/O Series

Please contact Moxa Technical Support for a security patch.

**Acknowledgment:**

We would like to express our appreciation to Konstantin Kondratev, Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar for reporting the vulnerabilities, working with us to help enhance the security of our products, and helping us provide a better service to our customers.  
 

**Revision History:**

VERSION

DESCRIPTION

RELEASE DATE

1.0

First Release

May 27, 2021

**Relevant Products**

NPort IAW5000A-I/O Series ·

*     Print this page
    
*   You can manage and share your saved list in My Moxa
    

**Let’s get that fixed**

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability

CVE-2021-32974: NPort IAW5000A-I/O Series Serial Device Server Vulnerabilities

A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to bypass login and control the devices. This issue affects: Wyze Cam Pan v2 versions prior to 4.49.1.47. Wyze Cam v2 versions prior to 4.9.8.1002. Wyze Cam v3 versions prior to 4.36.8.32.

At Bitdefender, we care deeply about security, so we’ve been working with media partners and IoT devices manufacturers to identify vulnerabilities in the world’s best-selling connected devices. As a leading vendor of cybersecurity protection across endpoint and IoT devices, we have been assessing the security of smart-home equipment for more than half a decade. Our goal is to help vendors and customers stay on top of security and privacy blind spots and make the IoT ecosystem safer for everybody.

While looking into the Wyze Cam device, we identified several vulnerabilities that let an outside attacker access the camera feed or execute malicious code to further compromise the device.

**Vulnerabilities at a glance**

*   Authentication bypass (CVE-2019-9564)
*   Remote control execution flaw caused by a stack-based buffer overflow (CVE-2019-12266)
*   Unauthenticated access to contents of the SD card

Download the research paper here

****Mitigation****

Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network. This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.

Additionally, IoT users can use the free Bitdefender Smart Home Scanner app to scan for connected devices, identify and highlight vulnerable ones. IoT device owners should also make sure that they check for newer firmware and update devices as soon as the vendor releases new versions.

To minimize risks of compromise, smart home users should consider the adoption of a network cybersecurity solution integrated into the router, such as the NETGEAR Orbi or Nighthawk routers powered by Bitdefender Armor.

_**IMPORTANT**: The analyzed device comes in several versions: Wyze Cam version 1, Wyze Cam Black version 2, as well as Wyze Cam version 3. We learned that, while versions 2 and 3 have been patched against these vulnerabilities, version 1 has been discontinued and is no longer receiving security fixes. Customers who keep using Wyze Cam version 1 are no longer protected and risk having their devices exploited._

Tag

#buffer_overflow