Philippe Laulheret

**Name of the Vulnerable Software and Affected Versions** GeoVision LPC2011/LPC2211 version 1.10 **Description** A privilege escalation issue exists in the Web Interface functionality, specifically within the 'ssi.cgi' endpoint. A specially crafted HTTP request can lead to the leak of Administrator credentials, which an attacker can trigger by visiting a webpage. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GeoVision LPC2011/LPC2211 version 1.10 **Description** An OS command injection flaw exists in the 'DdnsSetting.cgi' functionality. A specially crafted DDNS configuration allows an attacker to modify a configuration value to execute arbitrary commands on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GeoVision LPC2011/LPC2211 version 1.10 **Description** The Web Interface functionality contains a flaw where session cookies are guessable. An attacker can use a series of specially crafted HTTP requests to brute-force these cookies, allowing them to bypass the authentication process. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GeoVision GV-VMS V20 version 20.0.2 **Description** A stack overflow in the WebCam Server Login functionality allows an unauthenticated attacker to execute arbitrary code by sending a specially crafted HTTP request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GeoVision GV-VMS V20 version 20.0.2 **Description** A stack overflow exists in the WebCam Server Login functionality. An unauthenticated attacker can send a specially crafted HTTP request to trigger the issue, potentially leading to arbitrary code execution with SYSTEM privileges. The flaw occurs because the `sscanf()` function is used to split the `Buffer` variable into `username` and `password` variables without limiting the size of the extracted content. If either the `username` or `password` decoded from the authorization string exceeds 40 characters, a stack overflow occurs. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GeoVision LPC2011/LPC2211 version 1.10 **Description** A privilege escalation issue exists in the Web Interface functionality. A specially crafted HTTP request allows an attacker to execute privileged operations by visiting a specific webpage. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GV-VMS version V20 **Description** A stack overflow exists in the WebCam Server component of the video monitoring software. When remote access is enabled, the `gvapi` endpoint utilizes a specific authentication mechanism via an `HTTP Authorization` header, supporting both Basic and Digest modes. The issue occurs because a base64 decoded string, stored in the `b64decoder` variable, is copied into the `Buffer` stack variable without a bound-check. If the decoded string exceeds 256 characters, a stack overflow is triggered. Since the web server is compiled without ASLR (Address Space Layout Randomization), a security technique that randomly arranges the address space positions of key data areas to prevent memory corruption attacks, an attacker can gain full code execution with SYSTEM privileges on the host machine. **Recommendations** Update GV-VMS version V20 to a patched version. Disable the remote access WebCam Server feature to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** GeoVision LPC2011/LPC2211 version 1.10 **Description** Multiple reflected cross-site scripting (XSS) issues exist in the Web Interface / 'ssi.cgi' functionality. A reflected XSS occurs when an application includes untrusted data in a web page without proper validation, allowing an attacker to execute malicious scripts in the victim's browser. In this case, a specially crafted URL, specifically through the error message generated when requesting a non-existing page, can lead to arbitrary JavaScript code execution. **Recommendations** As a temporary workaround, restrict access to the 'ssi.cgi' functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GeoVision LPC2011/LPC2211 version 1.10 **Description** Multiple reflected cross-site scripting (XSS) issues exist in the Web Interface / 'ssi.cgi' functionality. A reflected XSS occurs when an application includes untrusted data in a web page without proper validation, allowing an attacker to execute malicious scripts in the victim's browser. An attacker can use a specially crafted URL to trigger the execution of arbitrary JavaScript code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GeoVision GV-IP Device Utility version 9.0.5 **Description** Insufficient encryption in the Device Authentication functionality allows for the leak of credentials. When the utility sends privileged commands to devices over UDP, the username and password are encrypted using a symmetric key that is also included within the same packet. An attacker on the same local area network can listen to these broadcast messages and decrypt the credentials, potentially gaining full control over the device configuration to change the IP address or reset the device to factory defaults. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GeoVision GV-IP Device Utility version 9.0.5 **Description** Insufficient encryption in the Device Authentication functionality allows for the leakage of administrator credentials. When the utility sends privileged commands to devices over UDP broadcast, it uses a cryptographic protocol derived from Blowfish. However, the symmetric key required for decryption is included within the same packet, meaning security relies solely on the obscurity of the encryption scheme. An attacker on the same local area network (LAN) can capture these broadcast packets and decrypt the credentials to gain full control over the device configuration, enabling actions such as changing the IP address or performing a factory reset. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Dell ControlVault3 versions prior to 5.15.14.19 Dell ControlVault3 Plus versions prior to 6.2.36.47 **Description** The software contains out-of-bounds read and write issues within the ControlVault WBDI Driver Broadcom Storage Adapter functionality. A crafted `WinBioControlUnit` call can cause memory corruption. The issue is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with the ControlCode 4 (`WBIO USH ADD RECORD`) and with `0 < SendBufferSize < 104`. This can lead to reading past the end of the `SendBuffer`. Exploitation may be limited to a Denial of Service. The API call to trigger this is to the `WinBioControlUnit` endpoint. **Recommendations** Update Dell ControlVault3 to version 5.15.14.19 or later. Update Dell ControlVault3 Plus to version 6.2.36.47 or later.

**Name of the Vulnerable Software and Affected Versions** Dell ControlVault3 versions prior to 5.15.14.19 Dell ControlVault3 Plus versions prior to 6.2.36.47 **Description** A buffer overflow exists in the `CvManager SBI` functionality. A specially crafted ControlVault API call can lead to arbitrary code execution. An attacker can issue an API call to trigger this issue. The vulnerability arises from improper handling of API calls to the ControlVault API. **Recommendations** Dell ControlVault3 versions prior to 5.15.14.19 should be updated to version 5.15.14.19 or later. Dell ControlVault3 Plus versions prior to 6.2.36.47 should be updated to version 6.2.36.47 or later.

**Name of the Vulnerable Software and Affected Versions** Dell ControlVault3 versions prior to 5.15.14.19 Dell ControlVault3 Plus versions prior to 6.2.36.47 **Description** The software contains out-of-bounds read and write issues within the ControlVault WBDI Driver Broadcom Storage Adapter functionality. A crafted `WinBioControlUnit` call can cause memory corruption. The issue is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with the ControlCode 3 (`WBIO USH CREATE CHALLENGE`) and with `0 < ReceiveBuferSize < 4`. This results in up to three null-bytes being written past the end of the `ReceiveBuffer`. The vulnerability can be triggered by issuing an API call. **Recommendations** Update Dell ControlVault3 to version 5.15.14.19 or later. Update Dell ControlVault3 Plus to version 6.2.36.47 or later.

**Name of the Vulnerable Software and Affected Versions** Dell ControlVault3 versions prior to 5.15.14.19 Dell ControlVault3 Plus versions prior to 6.2.36.47 **Description** The software contains out-of-bounds read and write issues within the ControlVault WBDI Driver Broadcom Storage Adapter functionality. A crafted `WinBioControlUnit` call can cause memory corruption. The issue is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with the ControlCode 0 (`WBIO USH GET TEMPLATE`) and either `0 < ReceiveBuferSize < 4` or `0 < SendBufferSize < 76`. The former can lead to an out-of-bound write of up to 3 bytes, and the latter can trigger an out-of-bound read of up to 75 bytes. The vulnerability is triggered by an API call. **Recommendations** Update Dell ControlVault3 to version 5.15.14.19 or later. Update Dell ControlVault3 Plus to version 6.2.36.47 or later.

**Name of the Vulnerable Software and Affected Versions** Dell ControlVault3 versions prior to 5.15.14.19 Dell ControlVault3 Plus versions prior to 6.2.36.47 **Description** A buffer overflow issue exists in the `CvManager` functionality. A specially crafted ControlVault API call can lead to memory corruption. An attacker can issue an API call to trigger this issue. The vulnerability occurs due to improper handling of crafted API calls, allowing an attacker to send a malicious API request that exceeds the expected memory boundaries during processing. This can lead to memory corruption. **Recommendations** Dell ControlVault3 versions prior to 5.15.14.19 should be updated. Dell ControlVault3 Plus versions prior to 6.2.36.47 should be updated.

**Name of the Vulnerable Software and Affected Versions** Dell ControlVault3 versions prior to 5.15.14.19 Dell ControlVault3 Plus versions prior to 6.2.36.47 **Description** A privilege escalation issue exists in the ControlVault WBDI Driver's `WBIO USH ADD RECORD` functionality. A crafted `WinBioControlUnit` call can allow an attacker to escalate privileges. The attacker issues an API call to trigger this issue. **Recommendations** Dell ControlVault3 versions prior to 5.15.14.19 should be updated to version 5.15.14.19 or later. Dell ControlVault3 Plus versions prior to 6.2.36.47 should be updated to version 6.2.36.47 or later.

**Name of the Vulnerable Software and Affected Versions** Dell ControlVault3 versions prior to 5.15.14.19 Dell ControlVault3 Plus versions prior to 6.2.36.47 **Description** The software contains out-of-bounds read and write issues within the ControlVault WBDI Driver Broadcom Storage Adapter functionality. A crafted `WinBioControlUnit` call can cause memory corruption. The issue is triggered when a `WinBioControlUnit` call is submitted to the StorageAdapter with the ControlCode 2 (`WBIO USH GET IDENTITY`) and a `ReceiveBuferSize` between 4 and 79 bytes. This can result in an out-of-bound write of up to 75 bytes. The data written may be null bytes or attacker-controlled data if another issue is leveraged to place attacker-controlled data within the database. The vulnerability is triggered via an API call. **Recommendations** Update Dell ControlVault3 to version 5.15.14.19 or later. Update Dell ControlVault3 Plus to version 6.2.36.47 or later.

**Name of the Vulnerable Software and Affected Versions** Dell ControlVault3 versions prior to 5.15.14.19 Dell ControlVault3 Plus versions prior to 6.2.36.47 **Description** A hard-coded password exists within the ControlVault WBDI Driver functionality. An attacker can exploit this by issuing a specially crafted ControlVault API call, potentially leading to the execution of privileged operations. The API call triggers the vulnerability, allowing attackers to bypass security measures. **Recommendations** Update Dell ControlVault3 to version 5.15.14.19 or later. Update Dell ControlVault3 Plus to version 6.2.36.47 or later.

**Name of the Vulnerable Software and Affected Versions** Dell ControlVault3 versions prior to 5.15.10.14 Dell ControlVault 3 Plus versions prior to 6.2.26.36 **Description** An out-of-bounds write vulnerability exists in the `cv upgrade sensor firmware` function of Dell ControlVault3 and Dell ControlVault 3 Plus. A specially crafted ControlVault API call can trigger this vulnerability, leading to an out-of-bounds write. An attacker can issue an API call to exploit this issue. **Recommendations** Dell ControlVault3 versions prior to 5.15.10.14: Update to version 5.15.10.14 or later. Dell ControlVault 3 Plus versions prior to 6.2.26.36: Update to version 6.2.26.36 or later.