Netatmo Weather Station Cleartext Password Leak

2015.02.17
Credit: jullrich
Risk: Low
Local: No
Remote: Yes
CWE: CWE-200


Ogólna skala CVSS: 5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Brak
Wpływ na dostępność: Brak

Summary During initial setup, the weather station will submit its complete configuration unencrypted to the manufacturer cloud service. This configuration includes confidential information like the user's Wifi password. The problem has been fixed by removing this configuration dump from current firmware versions. CVE: CVE-2015-1600. Affected Systems: Netatmo Indoor Module firmware 100 and earlier. Additional Details: https://isc.sans.edu/forums/diary/Did+You+Remove+That+Debug+Code+Netatmo+Weather+Station+Sending+WPA+Passphrase+in+the+Clear/19327/ Manufacturers web site: www.netatmo.com Patch: Affected systems will download updated firmware automatically from Netatmo's cloud service.

Referencje:

https://isc.sans.edu/forums/diary/Did+You+Remove+That+Debug+Code+Netatmo+Weather+Station+Sending+WPA+Passphrase+in+the+Clear/19327/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top