Multiple vulnerabilities in ASUS smart home devices



Published: 2020-01-08
Risk High
Patch available NO
Number of vulnerabilities 3
CVE-ID CVE-2019-15911
CVE-2019-15910
CVE-2019-15912
CWE-ID CWE-319
CWE-20
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #3 is available.
Vulnerable software
Subscribe
ASUS HG100
Hardware solutions / Other hardware appliances

ASUS MW100
Hardware solutions / Other hardware appliances

ASUS WS-101
Hardware solutions / Other hardware appliances

ASUS TS-101
Hardware solutions / Other hardware appliances

ASUS AS-101
Hardware solutions / Other hardware appliances

ASUS MS-101
Hardware solutions / Other hardware appliances

ASUS DL-101
Hardware solutions / Other hardware appliances

Vendor Asus

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Cleartext transmission of sensitive information

EUVDB-ID: #VU24144

Risk: High

CVSSv3.1:

CVE-ID: CVE-2019-15911

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists in devices using ZigBee PRO due to insecure key transport in ZigBee communication. A remote attacker with ability to intercept network traffic can obtain sensitive information, cause the multiple denial of service (DoS) attacks, take over smart home devices and tamper with messages.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

ASUS HG100: All versions

ASUS MW100: All versions

ASUS WS-101: All versions

ASUS TS-101: All versions

ASUS AS-101: All versions

ASUS MS-101: All versions

ASUS DL-101: All versions


CPE2.3 External links

http://github.com/chengcheng227/CVE-POC/blob/master/CVE-2019-15911.md

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Input validation error

EUVDB-ID: #VU24142

Risk: High

CVSSv3.1:

CVE-ID: CVE-2019-15910

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the affected devices using ZigBee PRO due to insufficient validation of user-supplied input. A remote attacker can utilize the "discover ZigBee network procedure" to perform a denial of service attack.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

ASUS HG100: All versions

ASUS MW100: All versions

ASUS WS-101: All versions

ASUS TS-101: All versions

ASUS AS-101: All versions

ASUS MS-101: All versions

ASUS DL-101: All versions


CPE2.3 External links

http://github.com/chengcheng227/CVE-POC/blob/master/CVE-2019-15910.md

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Input validation error

EUVDB-ID: #VU24141

Risk: High

CVSSv3.1:

CVE-ID: CVE-2019-15912

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the affected devices using ZigBee PRO due to insufficient validation of user-supplied input. A remote attacker can use the ZigBee trust center rejoin procedure to perform multiple denial of service attacks.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

ASUS HG100: All versions

ASUS MW100: All versions

ASUS WS-101: All versions

ASUS TS-101: All versions

ASUS AS-101: All versions

ASUS MS-101: All versions

ASUS DL-101: All versions


CPE2.3 External links

http://github.com/chengcheng227/CVE-POC/blob/master/CVE-2019-15912_1.md
http://github.com/chengcheng227/CVE-POC/blob/master/CVE-2019-15912_2.md

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###