SB2020010813 - Multiple vulnerabilities in ASUS smart home devices

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Cleartext transmission of sensitive information (CVE-ID: CVE-2019-15911)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists in devices using ZigBee PRO due to insecure key transport in ZigBee communication. A remote attacker with ability to intercept network traffic can obtain sensitive information, cause the multiple denial of service (DoS) attacks, take over smart home devices and tamper with messages.

2) Input validation error (CVE-ID: CVE-2019-15910)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the affected devices using ZigBee PRO due to insufficient validation of user-supplied input. A remote attacker can utilize the "discover ZigBee network procedure" to perform a denial of service attack.

3) Input validation error (CVE-ID: CVE-2019-15912)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the affected devices using ZigBee PRO due to insufficient validation of user-supplied input. A remote attacker can use the ZigBee trust center rejoin procedure to perform multiple denial of service attacks.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://github.com/chengcheng227/CVE-POC/blob/master/CVE-2019-15911.md
• https://github.com/chengcheng227/CVE-POC/blob/master/CVE-2019-15910.md
• https://github.com/chengcheng227/CVE-POC/blob/master/CVE-2019-15912_1.md
• https://github.com/chengcheng227/CVE-POC/blob/master/CVE-2019-15912_2.md