CVE-2020-9061 - OpenCVE

Z-Wave devices using Silicon Labs 500 and 700 series chipsets, including but not likely limited to the SiLabs UZB-7 version 7.00, ZooZ ZST10 version 6.04, Aeon Labs ZW090-A version 3.95, and Samsung STH-ETH-200 version 6.04, are susceptible to denial of service via malformed routing messages.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:A/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Aeotec	Zw090-a
Samsung	Sth-eth-200
Silabs	500 Series Firmware 700 Series Firmware Uzb-7
Zooz	Zst10

Configuration 1 [-]

OR	cpe:2.3:o:aeotec:zw090-a:3.95:::::::*
	cpe:2.3:o:samsung:sth-eth-200:6.04:::::::*
	cpe:2.3:o:silabs:uzb-7:7.00:::::::*
	cpe:2.3:o:zooz:zst10:6.04:::::::*

Configuration 2 [-]

OR	cpe:2.3:o:silabs:500_series_firmware::::::::
	cpe:2.3:o:silabs:700_series_firmware:-:::::::*

No data.

References

Link	Providers
https://doi.org/10.1109/ACCESS.2021.3138768
https://github.com/CNK2100/VFuzz-public
https://ieeexplore.ieee.org/document/9663293
https://kb.cert.org/vuls/id/142629
https://www.kb.cert.org/vuls/id/142629

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2022-01-07T04:30:29.498864Z

Updated: 2024-09-17T03:28:48.882Z

Reserved: 2020-02-18T00:00:00

Link: CVE-2020-9061

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-01-10T14:10:16.463

Modified: 2022-01-18T17:27:05.997

Link: CVE-2020-9061

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "ZST10", "vendor": "ZooZ", "versions": [{"status": "affected", "version": "6.04"}]}, {"product": "500 series", "vendor": "Silicon Labs", "versions": [{"status": "affected", "version": "all"}]}, {"product": "700 series", "vendor": "Silicon Labs", "versions": [{"status": "affected", "version": "all"}]}, {"product": "UZB-7", "vendor": "Silicon Labs", "versions": [{"status": "affected", "version": "7.00"}]}, {"product": "STH-ETH-200", "vendor": "Samsung", "versions": [{"status": "affected", "version": "6.04"}]}, {"product": "ZW090-A", "vendor": "Aeon Labs", "versions": [{"status": "affected", "version": "3.95"}]}], "credits": [{"lang": "en", "value": "Carlos Nkuba Kayembe, Kim Seulbae, Sven Dietrich, and Heejo Lee"}], "datePublic": "2021-12-27T00:00:00", "descriptions": [{"lang": "en", "value": "Z-Wave devices using Silicon Labs 500 and 700 series chipsets, including but not likely limited to the SiLabs UZB-7 version 7.00, ZooZ ZST10 version 6.04, Aeon Labs ZW090-A version 3.95, and Samsung STH-ETH-200 version 6.04, are susceptible to denial of service via malformed routing messages."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285 Improper Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-07T23:06:16", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "https://kb.cert.org/vuls/id/142629"}, {"tags": ["x_refsource_MISC"], "url": "https://ieeexplore.ieee.org/document/9663293"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/CNK2100/VFuzz-public"}, {"tags": ["x_refsource_MISC"], "url": "https://doi.org/10.1109/ACCESS.2021.3138768"}, {"name": "VU#142629", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "https://www.kb.cert.org/vuls/id/142629"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "DATE_PUBLIC": "2021-12-27T05:00:00.000Z", "ID": "CVE-2020-9061", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ZST10", "version": {"version_data": [{"version_affected": "=", "version_value": "6.04"}]}}]}, "vendor_name": "ZooZ"}, {"product": {"product_data": [{"product_name": "500 series", "version": {"version_data": [{"version_affected": "=", "version_value": "all"}]}}, {"product_name": "700 series", "version": {"version_data": [{"version_affected": "=", "version_value": "all"}]}}, {"product_name": "UZB-7", "version": {"version_data": [{"version_affected": "=", "version_value": "7.00"}]}}]}, "vendor_name": "Silicon Labs"}, {"product": {"product_data": [{"product_name": "STH-ETH-200", "version": {"version_data": [{"version_affected": "=", "version_value": "6.04"}]}}]}, "vendor_name": "Samsung"}, {"product": {"product_data": [{"product_name": "ZW090-A", "version": {"version_data": [{"version_affected": "=", "version_value": "3.95"}]}}]}, "vendor_name": "Aeon Labs"}]}}, "credit": [{"lang": "eng", "value": "Carlos Nkuba Kayembe, Kim Seulbae, Sven Dietrich, and Heejo Lee"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Z-Wave devices using Silicon Labs 500 and 700 series chipsets, including but not likely limited to the SiLabs UZB-7 version 7.00, ZooZ ZST10 version 6.04, Aeon Labs ZW090-A version 3.95, and Samsung STH-ETH-200 version 6.04, are susceptible to denial of service via malformed routing messages."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-285 Improper Authorization"}]}]}, "references": {"reference_data": [{"name": "https://kb.cert.org/vuls/id/142629", "refsource": "CERT-VN", "url": "https://kb.cert.org/vuls/id/142629"}, {"name": "https://ieeexplore.ieee.org/document/9663293", "refsource": "MISC", "url": "https://ieeexplore.ieee.org/document/9663293"}, {"name": "https://github.com/CNK2100/VFuzz-public", "refsource": "MISC", "url": "https://github.com/CNK2100/VFuzz-public"}, {"name": "https://doi.org/10.1109/ACCESS.2021.3138768", "refsource": "MISC", "url": "https://doi.org/10.1109/ACCESS.2021.3138768"}, {"name": "VU#142629", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/142629"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:19:19.812Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "https://kb.cert.org/vuls/id/142629"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ieeexplore.ieee.org/document/9663293"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/CNK2100/VFuzz-public"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://doi.org/10.1109/ACCESS.2021.3138768"}, {"name": "VU#142629", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "https://www.kb.cert.org/vuls/id/142629"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2020-9061", "datePublished": "2022-01-07T04:30:29.498864Z", "dateReserved": "2020-02-18T00:00:00", "dateUpdated": "2024-09-17T03:28:48.882Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:aeotec:zw090-a:3.95:*:*:*:*:*:*:*", "matchCriteriaId": "5B58B8CF-11BD-402E-8625-4C78629F181E", "vulnerable": true}, {"criteria": "cpe:2.3:o:samsung:sth-eth-200:6.04:*:*:*:*:*:*:*", "matchCriteriaId": "8A7DD561-D129-4D3D-951E-5A55F5304ABC", "vulnerable": true}, {"criteria": "cpe:2.3:o:silabs:uzb-7:7.00:*:*:*:*:*:*:*", "matchCriteriaId": "5C6CE0F9-AB48-4B3D-B1C9-273E09968500", "vulnerable": true}, {"criteria": "cpe:2.3:o:zooz:zst10:6.04:*:*:*:*:*:*:*", "matchCriteriaId": "7DB7F120-CB63-46F6-AC91-8C64BC5D57BC", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:silabs:500_series_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "92760285-A1DD-4569-AD71-834BBF2D9E64", "vulnerable": true}, {"criteria": "cpe:2.3:o:silabs:700_series_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "9C5C81E8-8859-4E66-AF0D-044562F48D60", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Z-Wave devices using Silicon Labs 500 and 700 series chipsets, including but not likely limited to the SiLabs UZB-7 version 7.00, ZooZ ZST10 version 6.04, Aeon Labs ZW090-A version 3.95, and Samsung STH-ETH-200 version 6.04, are susceptible to denial of service via malformed routing messages."}, {"lang": "es", "value": "Los dispositivos Z-Wave que usan los conjuntos de chips de las series 500 y 700 de Silicon Labs, incluyendo pero sin limitarse a SiLabs UZB-7 versi\u00f3n 7.00, ZooZ ZST10 versi\u00f3n 6.04, Aeon Labs ZW090-A versi\u00f3n 3.95 y Samsung STH-ETH-200 versi\u00f3n 6.04, son susceptibles a una denegaci\u00f3n de servicio por medio de mensajes de enrutamiento malformados"}], "id": "CVE-2020-9061", "lastModified": "2022-01-18T17:27:05.997", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-10T14:10:16.463", "references": [{"source": "cret@cert.org", "tags": ["Broken Link"], "url": "https://doi.org/10.1109/ACCESS.2021.3138768"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://github.com/CNK2100/VFuzz-public"}, {"source": "cret@cert.org", "tags": ["Broken Link"], "url": "https://ieeexplore.ieee.org/document/9663293"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://kb.cert.org/vuls/id/142629"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/142629"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "cret@cert.org", "type": "Secondary"}]}