{"id": "CVE-2020-28952", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2021-03-09T20:15:12.680", "references": [{"url": "https://developer.athom.com/firmware", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://homey.app/en-us/", "tags": ["Product", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://yougottahackthat.com/blog/1260/athom-homey-security-static-and-well-known-keys-cve-2020-28952", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://developer.athom.com/firmware", "tags": ["Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://homey.app/en-us/", "tags": ["Product", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://yougottahackthat.com/blog/1260/athom-homey-security-static-and-well-known-keys-cve-2020-28952", "tags": ["Third Party Advisory"], "source": 
"af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on Athom Homey and Homey Pro devices before 5.0.0. ZigBee hub devices should generate a unique Standard Network Key that is then exchanged with all enrolled devices so that all inter-device communication is encrypted. However, the cited Athom products use another widely known key that is designed for testing purposes: \"01030507090b0d0f00020406080a0c0d\" (the decimal equivalent of 1 3 5 7 9 11 13 15 0 2 4 6 8 10 12 13), which is human generated and static across all issued devices."}, {"lang": "es", "value": "Se detect\u00f3 un problema en los dispositivos Athom Homey y Homey Pro anteriores a la 5.0.0. Los dispositivos concentradores ZigBee deben generar una clave de red est\u00e1ndar \u00fanica que luego se intercambia con todos los dispositivos inscritos para que toda la comunicaci\u00f3n entre dispositivos est\u00e9 cifrada. Sin embargo, los productos Athom citados usan otra clave ampliamente conocida que est\u00e1 dise\u00f1ada con fines de prueba: \"01030507090b0d0f00020406080a0c0d\" (el equivalente decimal de 1 3 5 7 9 11 13 15 0 2 4 6 8 10 12 13), que es generada por humanos y est\u00e1tica en todos los dispositivos emitidos"}], "lastModified": "2024-11-21T05:23:22.197", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:homey:homey_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F91DB805-377E-44FE-8D5C-99E61F6493EF", "versionEndExcluding": "5.0.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:homey:homey:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "53273CFA-B260-401D-9DD6-B90E3DA09D7D"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:homey:homey_pro_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA1184C0-AC54-4DE6-9667-78A6645FDF33", "versionEndExcluding": "5.0.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:homey:homey_pro:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C01177C9-CED9-4D65-BEBB-C44C13C8A0A6"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}