CVE-2023-34625

ShowMojo MojoBox Digital Lockbox 1.4 is vulnerable to Authentication Bypass. The implementation of the lock opening mechanism via Bluetooth Low Energy (BLE) is vulnerable to replay attacks. A malicious user is able to intercept BLE requests and replicate them to open the lock at any time. Alternatively, an attacker with physical access to the device on which the Android app is installed can obtain the latest BLE messages via the app logs and use them to open the lock.
References
Link - Resource
  • https://mandomat.github.io/2023-03-15-testing-mojobox-security/ - Exploit, Technical Description, Third Party Advisory
  • https://packetstormsecurity.com/2307-exploits/mojobox14-replay.txt - Third Party Advisory, VDB Entry
  • https://www.whid.ninja/blog/mojobox-yet-another-not-so-smartlock - Exploit, Technical Description, Third Party Advisory
Configurations

Configuration 1

AND
cpe:2.3:o:showmojo:mojobox_firmware:1.4:*:*:*:*:*:*:*
cpe:2.3:h:showmojo:mojobox:-:*:*:*:*:*:*:*

History

28 Jul 2023, 19:00

CPE
  Values Added: cpe:2.3:h:showmojo:mojobox:-:*:*:*:*:*:*:*
                cpe:2.3:o:showmojo:mojobox_firmware:1.4:*:*:*:*:*:*:*
CVSS
  Values Removed: v2 : unknown, v3 : unknown
  Values Added: v2 : unknown, v3 : 8.1
First Time
  Values Added: Showmojo mojobox
                Showmojo mojobox Firmware
                Showmojo
CWE
  Values Added: CWE-294
References
  Values Removed: (MISC) https://mandomat.github.io/2023-03-15-testing-mojobox-security/ -
  Values Added: (MISC) https://mandomat.github.io/2023-03-15-testing-mojobox-security/ - Exploit, Technical Description, Third Party Advisory
References
  Values Removed: (MISC) https://www.whid.ninja/blog/mojobox-yet-another-not-so-smartlock -
  Values Added: (MISC) https://www.whid.ninja/blog/mojobox-yet-another-not-so-smartlock - Exploit, Technical Description, Third Party Advisory
References
  Values Removed: (MISC) https://packetstormsecurity.com/2307-exploits/mojobox14-replay.txt -
  Values Added: (MISC) https://packetstormsecurity.com/2307-exploits/mojobox14-replay.txt - Third Party Advisory, VDB Entry

20 Jul 2023, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-20 20:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-34625

Mitre link : CVE-2023-34625

CVE.ORG link : CVE-2023-34625



Products Affected

showmojo

  • mojobox_firmware
  • mojobox
CWE
CWE-294

Authentication Bypass by Capture-replay