CVE-2019-9564 - Vulnerability Details - OpenCVE

A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to bypass login and control the devices. This issue affects: Wyze Cam Pan v2 versions prior to 4.49.1.47. Wyze Cam v2 versions prior to 4.9.8.1002. Wyze Cam v3 versions prior to 4.36.8.32.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00244.

Key SSVC decision points have not yet been added.

Vendors	Products
Wyze	Cam Pan V2 Cam Pan V2 Firmware Cam V2 Cam V2 Firmware Cam V3 Cam V3 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:wyze:cam_pan_v2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:wyze:cam_pan_v2:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:wyze:cam_v2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:wyze:cam_v2:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:wyze:cam_v3_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:wyze:cam_v3:-:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

An update to the following firmware versions fixes the issue: Wyze Cam Pan v2 firmware version 4.49.1.47. Wyze Cam v2 firmware version 4.9.8.1002. Wyze Cam v3 firmware version 4.36.8.32.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-wyze-cam-iot-device/

History

No history.

MITRE

Status: PUBLISHED

Assigner: Bitdefender

Published: 2022-03-30T20:00:17.107406Z

Updated: 2024-09-16T23:01:19.046Z

Reserved: 2019-03-04T00:00:00

Link: CVE-2019-9564

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-03-30T20:15:08.397

Modified: 2024-11-21T04:51:51.750

Link: CVE-2019-9564

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Cam Pan v2", "vendor": "Wyze", "versions": [{"lessThan": "4.49.1.47", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Cam v2", "vendor": "Wyze", "versions": [{"lessThan": "4.9.8.1002", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Cam v3", "vendor": "Wyze", "versions": [{"lessThan": "4.36.8.32", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Bitdefender Labs"}], "datePublic": "2022-03-29T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to bypass login and control the devices. This issue affects: Wyze Cam Pan v2 versions prior to 4.49.1.47. Wyze Cam v2 versions prior to 4.9.8.1002. Wyze Cam v3 versions prior to 4.36.8.32."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "authenti", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-06-24T14:59:58", "orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "shortName": "Bitdefender"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-wyze-cam-iot-device/"}], "solutions": [{"lang": "en", "value": "An update to the following firmware versions fixes the issue:\n\nWyze Cam Pan v2 firmware version 4.49.1.47.\nWyze Cam v2 firmware version 4.9.8.1002.\nWyze Cam v3 firmware version 4.36.8.32."}], "source": {"discovery": "EXTERNAL"}, "title": "Authentication bypass in Wyze Cam Pan v2, Cam v2 and Cam v3", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-requests@bitdefender.com", "DATE_PUBLIC": "2022-03-29T12:38:00.000Z", "ID": "CVE-2019-9564", "STATE": "PUBLIC", "TITLE": "Authentication bypass in Wyze Cam Pan v2, Cam v2 and Cam v3"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cam Pan v2", "version": {"version_data": [{"version_affected": "<", "version_value": "4.49.1.47"}]}}, {"product_name": "Cam v2", "version": {"version_data": [{"version_affected": "<", "version_value": "4.9.8.1002"}]}}, {"product_name": "Cam v3", "version": {"version_data": [{"version_affected": "<", "version_value": "4.36.8.32"}]}}]}, "vendor_name": "Wyze"}]}}, "credit": [{"lang": "eng", "value": "Bitdefender Labs"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to bypass login and control the devices. This issue affects: Wyze Cam Pan v2 versions prior to 4.49.1.47. Wyze Cam v2 versions prior to 4.9.8.1002. Wyze Cam v3 versions prior to 4.36.8.32."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "authenti"}]}]}, "references": {"reference_data": [{"name": "https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-wyze-cam-iot-device/", "refsource": "MISC", "url": "https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-wyze-cam-iot-device/"}]}, "solution": [{"lang": "en", "value": "An update to the following firmware versions fixes the issue:\n\nWyze Cam Pan v2 firmware version 4.49.1.47.\nWyze Cam v2 firmware version 4.9.8.1002.\nWyze Cam v3 firmware version 4.36.8.32."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T21:54:44.664Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-wyze-cam-iot-device/"}]}]}, "cveMetadata": {"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "assignerShortName": "Bitdefender", "cveId": "CVE-2019-9564", "datePublished": "2022-03-30T20:00:17.107406Z", "dateReserved": "2019-03-04T00:00:00", "dateUpdated": "2024-09-16T23:01:19.046Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:wyze:cam_pan_v2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "FFB9B059-F660-4D9E-A8FE-4464E36520FE", "versionEndExcluding": "4.49.1.47", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:wyze:cam_pan_v2:-:*:*:*:*:*:*:*", "matchCriteriaId": "8D00DC99-9D9F-40D6-BBC6-82FB97B480B5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:wyze:cam_v2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B9CD737D-C13D-4B2D-9C27-E13FEA352737", "versionEndExcluding": "4.9.8.1002", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:wyze:cam_v2:-:*:*:*:*:*:*:*", "matchCriteriaId": "0A4D9556-1751-46C9-96C9-6C7994BE8BD1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:wyze:cam_v3_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "36A0BA09-1A2F-4389-988B-C2C51D3CEBC0", "versionEndExcluding": "4.36.8.32", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:wyze:cam_v3:-:*:*:*:*:*:*:*", "matchCriteriaId": "C96BD4E4-F38A-4D78-851D-0F879B4D3A16", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to bypass login and control the devices. This issue affects: Wyze Cam Pan v2 versions prior to 4.49.1.47. Wyze Cam v2 versions prior to 4.9.8.1002. Wyze Cam v3 versions prior to 4.36.8.32."}, {"lang": "es", "value": "Una vulnerabilidad en la l\u00f3gica de autenticaci\u00f3n de Wyze Cam Pan v2, Cam v2, Cam v3 permite a un atacante eludir el inicio de sesi\u00f3n y controlar los dispositivos. Este problema afecta: Las versiones de Wyze Cam Pan v2 anteriores a la 4.49.1.47. Las versiones de Wyze Cam v2 anteriores a la 4.9.8.1002. Las versiones de Wyze Cam v3 anteriores a la 4.36.8.32"}], "id": "CVE-2019-9564", "lastModified": "2024-11-21T04:51:51.750", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve-requests@bitdefender.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-30T20:15:08.397", "references": [{"source": "cve-requests@bitdefender.com", "tags": ["Third Party Advisory"], "url": "https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-wyze-cam-iot-device/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-wyze-cam-iot-device/"}], "sourceIdentifier": "cve-requests@bitdefender.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}