MidnightBSD

Advisories for arlo

CVE-2019-3949 HIGH

Arlo Basestation firmware 1.12.0.1_27940 and prior firmware contain a networking misconfiguration that allows access to restricted network interfaces. This could allow an attacker to upload or download arbitrary files and possibly execute malicious code on the device.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-16,

Products Affected

Vendor Product Version
arlo vmb3010_firmware *
arlo vmb3500_firmware *
arlo vmb4000_firmware *
arlo vmb4500_firmware *
arlo vmb5000_firmware *
CVE-2019-3950 HIGH

Arlo Basestation firmware 1.12.0.1_27940 and prior contain a hardcoded username and password combination that allows root access to the device when an onboard serial interface is connected to.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
arlo vmb3010_firmware *
arlo vmb3500_firmware *
arlo vmb4000_firmware *
arlo vmb4500_firmware *
arlo vmb5000_firmware *
CVE-2021-31505 HIGH

This vulnerability allows attackers with physical access to escalate privileges on affected installations of Arlo Q Plus 1.9.0.3_278. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSH service. The device can be booted into a special operation mode where hard-coded credentials are accepted for SSH authentication. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-12890.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
arlo q_plus_firmware 1.9.0.3_278