CVE-2020-9058 - OpenCVE

Z-Wave devices based on Silicon Labs 500 series chipsets using CRC-16 encapsulation, including but likely not limited to the Linear LB60Z-1 version 3.5, Dome DM501 version 4.26, and Jasco ZW4201 version 4.05, do not implement encryption or replay protection.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:A/AC:L/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dome	Dm501
Jasco	Zw4201
Linear	Lb60z-1
Silabs	500 Series Firmware

Configuration 1 [-]

cpe:2.3:o:silabs:500_series_firmware:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:dome:dm501:4.26:::::::*
	cpe:2.3:o:jasco:zw4201:4.05:::::::*
	cpe:2.3:o:linear:lb60z-1:3.5:::::::*

No data.

References

Link	Providers
https://doi.org/10.1109/ACCESS.2021.3138768
https://github.com/CNK2100/VFuzz-public
https://ieeexplore.ieee.org/document/9663293
https://kb.cert.org/vuls/id/142629
https://www.kb.cert.org/vuls/id/142629

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2022-01-07T04:30:25.088470Z

Updated: 2024-09-16T23:41:50.495Z

Reserved: 2020-02-18T00:00:00

Link: CVE-2020-9058

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-01-10T14:10:16.227

Modified: 2022-01-18T17:09:05.987

Link: CVE-2020-9058

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "LB60Z-1", "vendor": "Linear", "versions": [{"status": "affected", "version": "3.5"}]}, {"product": "DM501", "vendor": "Dome", "versions": [{"status": "affected", "version": "4.26"}]}, {"product": "ZW4201", "vendor": "Jasco", "versions": [{"status": "affected", "version": "4.05"}]}, {"product": "500 series", "vendor": "Silicon Labs", "versions": [{"status": "affected", "version": "all"}]}], "credits": [{"lang": "en", "value": "Carlos Nkuba Kayembe, Kim Seulbae, Sven Dietrich, and Heejo Lee"}], "datePublic": "2021-12-27T00:00:00", "descriptions": [{"lang": "en", "value": "Z-Wave devices based on Silicon Labs 500 series chipsets using CRC-16 encapsulation, including but likely not limited to the Linear LB60Z-1 version 3.5, Dome DM501 version 4.26, and Jasco ZW4201 version 4.05, do not implement encryption or replay protection."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-07T23:06:18", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "https://kb.cert.org/vuls/id/142629"}, {"tags": ["x_refsource_MISC"], "url": "https://ieeexplore.ieee.org/document/9663293"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/CNK2100/VFuzz-public"}, {"tags": ["x_refsource_MISC"], "url": "https://doi.org/10.1109/ACCESS.2021.3138768"}, {"name": "VU#142629", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "https://www.kb.cert.org/vuls/id/142629"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "DATE_PUBLIC": "2021-12-27T05:00:00.000Z", "ID": "CVE-2020-9058", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "LB60Z-1", "version": {"version_data": [{"version_affected": "=", "version_value": "3.5"}]}}]}, "vendor_name": "Linear"}, {"product": {"product_data": [{"product_name": "DM501", "version": {"version_data": [{"version_affected": "=", "version_value": "4.26"}]}}]}, "vendor_name": "Dome"}, {"product": {"product_data": [{"product_name": "ZW4201", "version": {"version_data": [{"version_affected": "=", "version_value": "4.05"}]}}]}, "vendor_name": "Jasco"}, {"product": {"product_data": [{"product_name": "500 series", "version": {"version_data": [{"version_affected": "=", "version_value": "all"}]}}]}, "vendor_name": "Silicon Labs"}]}}, "credit": [{"lang": "eng", "value": "Carlos Nkuba Kayembe, Kim Seulbae, Sven Dietrich, and Heejo Lee"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Z-Wave devices based on Silicon Labs 500 series chipsets using CRC-16 encapsulation, including but likely not limited to the Linear LB60Z-1 version 3.5, Dome DM501 version 4.26, and Jasco ZW4201 version 4.05, do not implement encryption or replay protection."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-311 Missing Encryption of Sensitive Data"}]}]}, "references": {"reference_data": [{"name": "https://kb.cert.org/vuls/id/142629", "refsource": "CERT-VN", "url": "https://kb.cert.org/vuls/id/142629"}, {"name": "https://ieeexplore.ieee.org/document/9663293", "refsource": "MISC", "url": "https://ieeexplore.ieee.org/document/9663293"}, {"name": "https://github.com/CNK2100/VFuzz-public", "refsource": "MISC", "url": "https://github.com/CNK2100/VFuzz-public"}, {"name": "https://doi.org/10.1109/ACCESS.2021.3138768", "refsource": "MISC", "url": "https://doi.org/10.1109/ACCESS.2021.3138768"}, {"name": "VU#142629", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/142629"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:19:19.970Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "https://kb.cert.org/vuls/id/142629"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ieeexplore.ieee.org/document/9663293"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/CNK2100/VFuzz-public"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://doi.org/10.1109/ACCESS.2021.3138768"}, {"name": "VU#142629", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "https://www.kb.cert.org/vuls/id/142629"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2020-9058", "datePublished": "2022-01-07T04:30:25.088470Z", "dateReserved": "2020-02-18T00:00:00", "dateUpdated": "2024-09-16T23:41:50.495Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:silabs:500_series_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "92760285-A1DD-4569-AD71-834BBF2D9E64", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dome:dm501:4.26:*:*:*:*:*:*:*", "matchCriteriaId": "FB98AB76-E79B-4B2C-B660-BB76CAF1F270", "vulnerable": true}, {"criteria": "cpe:2.3:o:jasco:zw4201:4.05:*:*:*:*:*:*:*", "matchCriteriaId": "C9733CB5-0006-46B8-83F4-26539032BDAD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linear:lb60z-1:3.5:*:*:*:*:*:*:*", "matchCriteriaId": "8F3546F0-395D-4B57-B15D-E55062B72A22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Z-Wave devices based on Silicon Labs 500 series chipsets using CRC-16 encapsulation, including but likely not limited to the Linear LB60Z-1 version 3.5, Dome DM501 version 4.26, and Jasco ZW4201 version 4.05, do not implement encryption or replay protection."}, {"lang": "es", "value": "Los dispositivos Z-Wave basados en los conjuntos de chips de la serie 500 de Silicon Labs que usan encapsulaci\u00f3n CRC-16, incluidos, entre otros, el Linear LB60Z-1 versi\u00f3n 3.5, el Dome DM501 versi\u00f3n 4.26 y el Jasco ZW4201 versi\u00f3n 4.05, no implementan el cifrado ni la protecci\u00f3n contra repeticiones"}], "id": "CVE-2020-9058", "lastModified": "2022-01-18T17:09:05.987", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-10T14:10:16.227", "references": [{"source": "cret@cert.org", "tags": ["Broken Link"], "url": "https://doi.org/10.1109/ACCESS.2021.3138768"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://github.com/CNK2100/VFuzz-public"}, {"source": "cret@cert.org", "tags": ["Broken Link"], "url": "https://ieeexplore.ieee.org/document/9663293"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://kb.cert.org/vuls/id/142629"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/142629"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-311"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-311"}], "source": "cret@cert.org", "type": "Secondary"}]}