FKIE_CVE-2019-5635

Vulnerability from fkie_nvd - Published: 2019-08-22 14:15 - Updated: 2024-11-21 04:45
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption. This exposed the default username and password used to authenticate to the MQTT broker. This issue affects Hickory Smart Ethernet Bridge, model number H077646. The firmware does not appear to contain versioning information.
References
cve@rapid7.comhttps://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/Third Party Advisory
cve@rapid7.comhttps://hickoryhardware.com/products/hickory-smart-ethernet-bridge?variant=20882150228086Product
af854a3a-2127-422b-91ae-364da2661108https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://hickoryhardware.com/products/hickory-smart-ethernet-bridge?variant=20882150228086Product
Impacted products
Vendor Product Version
belwith-keeler hickory_smart_ethernet_bridge_firmware -
belwith-keeler hickory_smart_ethernet_bridge -
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:belwith-keeler:hickory_smart_ethernet_bridge_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A3193A0-A0C9-4593-B00D-7077400C4E69",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:belwith-keeler:hickory_smart_ethernet_bridge:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5E9C47D2-E9CD-482D-B2B4-C42388936A75",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption. This exposed the default username and password used to authenticate to the MQTT broker. This issue affects Hickory Smart Ethernet Bridge, model number H077646. The firmware does not appear to contain versioning information."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de transmisi\u00f3n de informaci\u00f3n confidencial en texto sin cifrar est\u00e1 presente en Hickory Smart Ethernet Bridge de Belwith Products, LLC. Los datos capturados revelan que el dispositivo Hickory Smart Ethernet Bridge se comunica por medio de la red con un broker MQTT sin usar cifrado. Esto expuso el nombre de usuario y la contrase\u00f1a predeterminados usados para autenticarse en el broker MQTT. Este problema afecta a Hickory Smart Ethernet Bridge, n\u00famero de modelo H077646. El firmware no parece contener informaci\u00f3n del versionado."
    }
  ],
  "id": "CVE-2019-5635",
  "lastModified": "2024-11-21T04:45:16.780",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.0,
        "impactScore": 4.0,
        "source": "cve@rapid7.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-08-22T14:15:13.680",
  "references": [
    {
      "source": "cve@rapid7.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/"
    },
    {
      "source": "cve@rapid7.com",
      "tags": [
        "Product"
      ],
      "url": "https://hickoryhardware.com/products/hickory-smart-ethernet-bridge?variant=20882150228086"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://hickoryhardware.com/products/hickory-smart-ethernet-bridge?variant=20882150228086"
    }
  ],
  "sourceIdentifier": "cve@rapid7.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-319"
        }
      ],
      "source": "cve@rapid7.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-319"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.