Olivia Lucca Fraser

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** A command injection vulnerability in the `firmware update` command, located in the device's restricted telnet interface, allows an authenticated attacker to execute arbitrary commands as root. This issue does not specify the number of potentially affected devices or mention any real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Lepton (affected versions not specified) **Description** A loop with an unreachable exit condition can be triggered by passing a crafted JPEG file to the Lepton image compression tool, resulting in a denial-of-service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** protest binary (affected versions not specified) **Description** A command injection vulnerability in the protest binary allows an attacker with access to the remote command line interface to execute arbitrary commands as root. The issue is related to debugging D-Link firmware and hardware for vulnerability research, aiming to achieve a debuggable interface. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DVDFab 12 Player (recently renamed PlayerFab) versions not specified **Description** An absolute path traversal issue allows a remote attacker to download any file on the Windows file system for which the user account running the software has read-access. This can be achieved by sending an HTTP GET request to the "http://<IP ADDRESS>:32080/download/<URL ENCODED PATH>" endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** K2 firmware version 22.5.9.163 K3C firmware version 32.1.15.93 **Description** The issue allows an attacker on the local area network to obtain a root shell on the device over telnet due to the use of a hard-coded cryptographic key pair by the telnetd startup service. An attacker in possession of the leaked private key can instruct telnetd startup to spawn an unauthenticated telnet shell as root through a scripted exchange of UDP packets, resulting in complete control of the device. **Recommendations** For K2 firmware version 22.5.9.163, consider disabling the telnetd startup service until a patch is available. For K3C firmware version 32.1.15.93, restrict access to the telnet shell to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or version information is provided. **Description** The issue concerns improper access control on the LocalMACConfig.asp interface. This allows an unauthenticated remote attacker to modify a list of banned hosts by adding or removing client MAC addresses. As a result, clients with the affected MAC addresses are prevented from accessing the WAN or the router. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** telnetd startup daemon (affected versions not specified) **Description** A null byte interaction error has been found in the telnetd startup daemon's code for constructing ephemeral passwords. This error allows an unauthenticated attacker on the local network to predict these passwords with 1-in-94 odds by sending crafted UDP packets. The exploitation of this issue relies on the use of an unpadded RSA cipher and manipulation of data processed by the `RSA public decrypt()` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or version information is provided. **Description** The issue concerns improper access control on certain interfaces, allowing an unauthenticated remote attacker to obtain sensitive information. This includes data about devices on the local area network, such as IP and MAC addresses, and WPA passphrases for wireless networks. The vulnerability is particularly dangerous because it can expose the administrative interface password if the same password is used for the wireless network and the administrative interface. When Remote Management is enabled, the vulnerable endpoints are exposed to the WAN. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or version is mentioned, so the description is: Device (affected versions not specified) **Description** The issue concerns improper physical access control and the use of hard-coded credentials in /etc/passwd. This allows an attacker with physical access to obtain a root shell via an unprotected UART port on the device. The same port also exposes an unauthenticated Das U-Boot BIOS shell. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions prior to K2 22.5.9.163 OpenSSL versions prior to K3C 32.1.15.93 **Description** The issue allows an unauthenticated attacker on the local area network to gain control over the plaintext to which an arbitrary blob of ciphertext will be decrypted by OpenSSL's RSA public decrypt() function. This is due to the use of the RSA algorithm without OAEP or any other padding scheme in telnetd startup. The attacker can manipulate the telnetd startup state machine and obtain a root shell on the device by exchanging crafted UDP packets. **Recommendations** For versions prior to K2 22.5.9.163, update to version K2 22.5.9.163 or later to resolve the issue. For versions prior to K3C 32.1.15.93, update to version K3C 32.1.15.93 or later to resolve the issue. As a temporary workaround, consider restricting access to the `telnetd startup` function until a patch is available.