Rewterz Threat Advisory – CVE-2019-10960 – Zebra Industrial Printers Unprotected Credentials Vulnerability
August 21, 2019
Severity
High
Analysis Summary
CVE-2018-4061
A specially crafted authenticated HTTP request can inject arbitrary commands, resulting in remote code execution.
CVE-2018-4062
Activating SNMPD outside of the WebUI can cause the activation of the hard-coded credentials, resulting in the exposure of a privileged user. An attacker can activate SNMPD without any configuration changes to trigger this vulnerability.
CVE-2018-4063
A specially crafted authenticated HTTP request can upload a file, resulting in an executable, routable code upload to the web server.
CVE-2018-4065
A specially crafted HTTP ping request can cause reflected JavaScript to be executed and run on the user’s browser. An attacker can exploit this by convincing a user to click a link or embedded URL that redirects to the reflected cross-site scripting vulnerability.
CVE-2018-4066
A specially crafted HTTP request can cause an authenticated user to perform privileged requests unknowingly (cross-site request forgery), resulting in unauthenticated requests being carried out through an authenticated user. Triggering this vulnerability may allow an attacker access to authenticated pages via an authenticated user.
CVE-2018-4067
A specially crafted authenticated HTTP request can cause an information leak, resulting in the disclosure of internal file paths.
CVE-2018-4069
The ACEManager authentication functionality is delivered in plaintext XML to the web server. An attacker can listen to network traffic upstream from the device, which may allow access to credentials.
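Three of the issues above (the authenticated command injection, the reflected script in the ping request, and the plaintext login) leave traces in ordinary web logs, so a defender can watch for them while the upgrade is scheduled. The following Python script is an added example written for this advisory, not Rewterz's or Sierra Wireless's code. It assumes a reverse proxy or gateway in front of the device logs each request as "scheme method uri status"; the log lines and the `/login` and `/ping` paths are constructed placeholders, not real ALEOS/ACEManager paths.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines (assumption: a proxy in front of the device logs
# "scheme method uri status"). Paths are placeholders, not real ACEManager URLs.
SAMPLE_LOG = """\
http POST /login 200
https POST /login 200
https GET /ping?host=10.0.0.1 200
https GET /ping?host=10.0.0.1;id 200
https GET /ping?host=%3Cscript%3Ealert(1)%3C/script%3E 200
"""

# Shell metacharacters that have no business in a host/ping parameter.
# '&' is left out because it is the normal query-string separator.
SHELL_META = re.compile(r"[;|`$]")
# A script tag arriving in a request parameter is the reflected-XSS signature.
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def classify(line):
    """Return the list of finding labels for one log line (empty if clean)."""
    scheme, method, uri, _status = line.split()
    parts = urlsplit(uri)
    # Percent-decode the whole query so encoded payloads are not missed.
    decoded_query = unquote(parts.query)
    findings = []
    # CVE-2018-4069 pattern: credentials sent to the login page over plain HTTP.
    if scheme == "http" and method == "POST" and parts.path.endswith("/login"):
        findings.append("plaintext-login")
    # CVE-2018-4061 pattern: command separators inside request parameters.
    if SHELL_META.search(decoded_query):
        findings.append("shell-metachar")
    # CVE-2018-4065 pattern: script markup reflected through a ping parameter.
    if SCRIPT_TAG.search(decoded_query):
        findings.append("reflected-script")
    return findings


def scan(log_text):
    """Map each flagged log line to its findings; clean lines are omitted."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        findings = classify(line)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG).items():
        print(f"{', '.join(findings):<18} {line}")
```

The plaintext-login check only confirms exposure (credentials crossing the network unencrypted) and does not by itself indicate an attack; the other two signals are worth alerting on, and any hit from an authenticated session should be reviewed together with the upgrade status of the device.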
Impact
- Remote code execution
- Cross-site Scripting
- Credential theft
Affected Vendors
Sierra Wireless
Affected Products
AirLink ALEOS
Remediation
Sierra Wireless recommends users upgrade to the latest version of ALEOS.