(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

New releases of bad or weak password lists are common[1][2] on the Internet. Those lists compile the passwords that people use to protect (even if it's not the most appropriate term) their accounts. But passwords are everywhere and are also used to control access to devices. Recent attacks like the Mirai[3] botnet, which targeted IoT devices, are a good example. Once infected, a device starts searching for new potential victims by scanning the Internet for some vulnerable ports (TCP/23 and TCP/2323 are good examples), then brute-forces the password by testing a list of well-known passwords. Those passwords are somewhat different from users' passwords:

(empty string!)
00000000
1111
1111111
1234
12345
123456
54321
666666
7ujMko0admin
7ujMko0vizxv
888888
Zte521
admin
admin1
admin1234
administrator
anko
default
dreambox
fucker
guest
hi3518
ikwb
juantech
jvbzd
klv123
klv1234
meinsm
pass
password
realtek
root
service
smcadmin
supervisor
support
system
tech
ubnt
user
vizxv
xc3511
xmhdipc
zlxx

If you have devices configured with one of those passwords, change it as soon as possible, even if your devices are not facing the Internet! Feel free to share your list of passwords if you found others, I'm curious.
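As an added example (not part of the diary, and not code from the ISC or the Mirai source), the Python below turns the list above into two defensive checks: an inventory audit that flags devices whose configured password is on the list, and a detector that reads failed-telnet-login log lines and reports sources that have tried several distinct list entries on TCP/23 or TCP/2323, the behaviour the diary describes. The log format, the sample lines and the three-password threshold are constructed assumptions; adapt the regular expression to whatever your telnet daemon or honeypot actually logs.

```python
# Added example (not from the ISC diary): audit credentials and telnet
# auth logs against the Mirai password list reproduced in the diary.
import re
from collections import defaultdict

# Password list as given in the diary (the empty string is a real entry).
MIRAI_PASSWORDS = frozenset([
    "", "00000000", "1111", "1111111", "1234", "12345", "123456", "54321",
    "666666", "7ujMko0admin", "7ujMko0vizxv", "888888", "Zte521", "admin",
    "admin1", "admin1234", "administrator", "anko", "default", "dreambox",
    "fucker", "guest", "hi3518", "ikwb", "juantech", "jvbzd", "klv123",
    "klv1234", "meinsm", "pass", "password", "realtek", "root", "service",
    "smcadmin", "supervisor", "support", "system", "tech", "ubnt", "user",
    "vizxv", "xc3511", "xmhdipc", "zlxx",
])

# Ports the diary names as Mirai's scan targets.
MIRAI_SCAN_PORTS = frozenset({23, 2323})


def is_mirai_password(password: str) -> bool:
    """True if the password is on the Mirai list (exact, case-sensitive match)."""
    return password in MIRAI_PASSWORDS


def audit_device_credentials(devices):
    """Return the names of devices whose configured password is on the list.

    `devices` is an iterable of (device_name, password) pairs, e.g. pulled from
    an inventory; a device with an empty password is flagged too.
    """
    return [name for name, pw in devices if is_mirai_password(pw)]


# Assumed (constructed) log format, one failed telnet login per line:
#   <ISO timestamp> telnetd: auth failed src=<ip> dport=<port> user=<u> pass=<p>
LOG_RE = re.compile(
    r"auth failed src=(?P<src>\S+) dport=(?P<port>\d+) "
    r"user=(?P<user>\S*) pass=(?P<password>\S*)$"
)


def parse_auth_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.search(line.rstrip("\n"))
    if not m:
        return None
    return {"src": m.group("src"), "port": int(m.group("port")),
            "user": m.group("user"), "password": m.group("password")}


def find_mirai_like_sources(lines, min_hits=3):
    """Map source IP -> distinct Mirai-list passwords tried on a scan port.

    A source is counted once per distinct password, so a single mistyped login
    does not trigger; `min_hits` distinct list entries from one source on
    TCP/23 or TCP/2323 is the assumed threshold for list-driven brute force.
    """
    tried = defaultdict(set)
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None or rec["port"] not in MIRAI_SCAN_PORTS:
            continue
        if is_mirai_password(rec["password"]):
            tried[rec["src"]].add(rec["password"])
    return {src: sorted(pws) for src, pws in tried.items() if len(pws) >= min_hits}


# Constructed sample log: one scanner working through the list, one operator
# mistyping a real password twice, and one SSH (port 22) failure that is ignored.
SAMPLE_LOG = """\
2016-12-06T10:00:01Z telnetd: auth failed src=203.0.113.7 dport=23 user=root pass=xc3511
2016-12-06T10:00:02Z telnetd: auth failed src=203.0.113.7 dport=23 user=root pass=vizxv
2016-12-06T10:00:03Z telnetd: auth failed src=203.0.113.7 dport=23 user=admin pass=admin
2016-12-06T10:00:04Z telnetd: auth failed src=203.0.113.7 dport=2323 user=root pass=
2016-12-06T10:05:00Z telnetd: auth failed src=198.51.100.9 dport=23 user=ops pass=Corr3ct-H0rse
2016-12-06T10:05:30Z telnetd: auth failed src=198.51.100.9 dport=23 user=ops pass=Corr3ct-Horse
2016-12-06T10:06:00Z telnetd: auth failed src=192.0.2.44 dport=22 user=root pass=root
""".splitlines()


if __name__ == "__main__":
    for src, pws in find_mirai_like_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(pws)} Mirai-list passwords tried: {pws}")
    # Constructed inventory entries; "dvr-01" is flagged, "cam-02" is not.
    print(audit_device_credentials([("dvr-01", "xc3511"), ("cam-02", "Str0ng!pw")]))
```

The match is deliberately exact and case-sensitive, because that is how the bot tries them; if you want a broader policy check for your own inventory, normalise case before the lookup. Counting distinct passwords per source rather than raw attempts keeps a legitimate user who fat-fingers a login from showing up next to a scanner that is walking the list.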

[1]http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514
[2]http://www.passwordrandom.com/most-popular-passwords
[3]https://isc.sans.edu/forums/diary/The+Short+Life+of+a+Vulnerable+DVR+Connected+to+the+Internet/21543

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant