CVE-2019-17098 - Vulnerability Details - OpenCVE

Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior versions on Android. August Connect Firmware version 2.2.12 and prior versions.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00079.

Key SSVC decision points have not yet been added.

Vendors	Products
August	August Home Connect Wi-fi Bridge Connect Wi-fi Bridge Firmware

Configuration 1 [-]

cpe:2.3:a:august:august_home:*:*:*:*:*:android:*:*

Configuration 2 [-]

AND

cpe:2.3:o:august:connect_wi-fi_bridge_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:august:connect_wi-fi_bridge:-:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

Updating the Android app fixes the issue.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://labs.bitdefender.com/2020/08/smart-locks-not-so-smart-with-wi-fi-security/

History

No history.

MITRE

Status: PUBLISHED

Assigner: Bitdefender

Published: 2020-09-30T13:05:16.276620Z

Updated: 2024-09-17T03:28:08.464Z

Reserved: 2019-10-02T00:00:00

Link: CVE-2019-17098

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-09-30T13:15:12.187

Modified: 2024-11-21T04:31:41.240

Link: CVE-2019-17098

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"platforms": ["Android"], "product": "Smart Lock and Connect Wi-Fi Bridge App", "vendor": "August", "versions": [{"lessThanOrEqual": "v10.11.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Connect Firmware", "vendor": "August", "versions": [{"lessThanOrEqual": "2.2.12", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Bitdefender Labs"}], "datePublic": "2020-09-30T00:00:00", "descriptions": [{"lang": "en", "value": "Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior versions on Android. August Connect Firmware version 2.2.12 and prior versions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-09-30T13:05:16", "orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "shortName": "Bitdefender"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://labs.bitdefender.com/2020/08/smart-locks-not-so-smart-with-wi-fi-security/"}], "solutions": [{"lang": "en", "value": "Updating the Android app fixes the issue."}], "source": {"discovery": "EXTERNAL"}, "title": "Use of Hard-coded Cryptographic Key vulnerability in August Connect Wi-Fi Bridge App", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-requests@bitdefender.com", "DATE_PUBLIC": "2020-09-30T15:00:00.000Z", "ID": "CVE-2019-17098", "STATE": "PUBLIC", "TITLE": "Use of Hard-coded Cryptographic Key vulnerability in August Connect Wi-Fi Bridge App"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Smart Lock and Connect Wi-Fi Bridge App", "version": {"version_data": [{"platform": "Android", "version_affected": "<=", "version_value": "v10.11.0"}]}}, {"product_name": "Connect Firmware", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.2.12"}]}}]}, "vendor_name": "August"}]}}, "credit": [{"lang": "eng", "value": "Bitdefender Labs"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior versions on Android. August Connect Firmware version 2.2.12 and prior versions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-321 Use of Hard-coded Cryptographic Key"}]}]}, "references": {"reference_data": [{"name": "https://labs.bitdefender.com/2020/08/smart-locks-not-so-smart-with-wi-fi-security/", "refsource": "MISC", "url": "https://labs.bitdefender.com/2020/08/smart-locks-not-so-smart-with-wi-fi-security/"}]}, "solution": [{"lang": "en", "value": "Updating the Android app fixes the issue."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:33:16.921Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://labs.bitdefender.com/2020/08/smart-locks-not-so-smart-with-wi-fi-security/"}]}]}, "cveMetadata": {"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "assignerShortName": "Bitdefender", "cveId": "CVE-2019-17098", "datePublished": "2020-09-30T13:05:16.276620Z", "dateReserved": "2019-10-02T00:00:00", "dateUpdated": "2024-09-17T03:28:08.464Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:august:august_home:*:*:*:*:*:android:*:*", "matchCriteriaId": "7BFECEF6-68DA-4BCB-8B9A-6DDD17E2F527", "versionEndIncluding": "10.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:august:connect_wi-fi_bridge_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4D38223-C9C1-4492-9F18-65874A3880E4", "versionEndIncluding": "2.2.12", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:august:connect_wi-fi_bridge:-:*:*:*:*:*:*:*", "matchCriteriaId": "900ADB92-0B50-45B1-968A-4405BE3A8D57", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior versions on Android. August Connect Firmware version 2.2.12 and prior versions."}, {"lang": "es", "value": "El uso de una vulnerabilidad de clave criptogr\u00e1fica embebida en August Connect Wi-Fi Bridge App, Connect Firmware, permite a un atacante descifrar una carga \u00fatil interceptada que contiene las credenciales de autenticaci\u00f3n de la red Wi-Fi. Este problema afecta a: August Connect Wi-Fi Bridge App versi\u00f3n v10.11.0 y versiones anteriores en Android. August Connect Firmware versi\u00f3n 2.2.12 y versiones anteriores"}], "id": "CVE-2019-17098", "lastModified": "2024-11-21T04:31:41.240", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cve-requests@bitdefender.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-30T13:15:12.187", "references": [{"source": "cve-requests@bitdefender.com", "tags": ["Third Party Advisory"], "url": "https://labs.bitdefender.com/2020/08/smart-locks-not-so-smart-with-wi-fi-security/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://labs.bitdefender.com/2020/08/smart-locks-not-so-smart-with-wi-fi-security/"}], "sourceIdentifier": "cve-requests@bitdefender.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "cve-requests@bitdefender.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}