CVE-2020-9462

An issue was discovered in all Athom Homey and Homey Pro devices up to the current version 4.2.0. An attacker within RF range can obtain a cleartext copy of the network configuration of the device, including the Wi-Fi PSK, during device setup. Upon success, the attacker is able to further infiltrate the target's Wi-Fi networks.

CVSS v3 4.3 MEDIUM
CVSS v2.0 3.3 LOW

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

3.3^/10

CVSS v2.0 : LOW

Vector : AV:A/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 6.5 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://developer.athom.com/firmware	Release Notes Vendor Advisory
https://developer.athom.com/firmware	Release Notes Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:homey:homey_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:homey:homey:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:homey:homey_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:homey:homey_pro:-:*:*:*:*:*:*:*

History

21 Nov 2024, 05:40

Type	Values Removed	Values Added
References	~~() https://developer.athom.com/firmware - Release Notes, Vendor Advisory~~	() https://developer.athom.com/firmware - Release Notes, Vendor Advisory

Information

Published : 2020-06-04 16:15

Updated : 2024-11-21 05:40

NVD link : CVE-2020-9462

Mitre link : CVE-2020-9462

CVE.ORG link : CVE-2020-9462

JSON object : View

Products Affected

homey

homey
homey_pro
homey_firmware
homey_pro_firmware

CWE

CWE-312

Cleartext Storage of Sensitive Information

{"id": "CVE-2020-9462", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.3, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2020-06-04T16:15:13.280", "references": [{"url": "https://developer.athom.com/firmware", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://developer.athom.com/firmware", "tags": ["Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in all Athom Homey and Homey Pro devices up to the current version 4.2.0. An attacker within RF range can obtain a cleartext copy of the network configuration of the device, including the Wi-Fi PSK, during device setup. Upon success, the attacker is able to further infiltrate the target's Wi-Fi networks."}, {"lang": "es", "value": "Se detect\u00f3 un problema en todos los dispositivos Athom Homey y Homey Pro hasta la actual versi\u00f3n 4.2.0. Un atacante dentro del rango de RF puede obtener una copia en texto sin cifrar de la configuraci\u00f3n de la red del dispositivo, incluyendo el PSK Wi-Fi, durante la configuraci\u00f3n del dispositivo. Tras el \u00e9xito, el atacante es capaz de infiltrarse a\u00fan m\u00e1s en las redes Wi-Fi del objetivo"}], "lastModified": "2024-11-21T05:40:41.617", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:homey:homey_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "38804188-0945-41FF-A377-6485F2A9FAF6", "versionEndExcluding": "4.2.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:homey:homey:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "53273CFA-B260-401D-9DD6-B90E3DA09D7D"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:homey:homey_pro_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E22F8E86-CF2C-4FBC-B403-8B385971A289", "versionEndExcluding": "4.2.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:homey:homey_pro:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C01177C9-CED9-4D65-BEBB-C44C13C8A0A6"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}