A weak credential vulnerability exists in Firewalla Box Software versions before 1.979. This vulnerability allows a physically close attacker to use the license UUID for authentication and provision SSH credentials over the Bluetooth Low-Energy (BTLE) interface. Once an attacker gains access to the LAN, they could log into the SSH interface using the provisioned credentials. The license UUID can be acquired through plain-text Bluetooth sniffing, reading the QR code on the bottom of the device, or brute-forcing the UUID (though this is less likely).
References
Configurations
No configuration.
History
21 Aug 2024, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Aug 2024, 12:58
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
12 Aug 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-12 19:15
Updated : 2024-08-21 18:15
NVD link : CVE-2024-40892
Mitre link : CVE-2024-40892
CVE.ORG link : CVE-2024-40892
JSON object : View
Products Affected
No product.
CWE
CWE-1391
Use of Weak Credentials