OpenCVE

Improper JPAKE implementation allows offline PIN brute-forcing due to the initialization of random values to a known value, which leads to unauthorized authentication to amzn.lightning services. This issue affects: Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. Insignia TV with FireOS 7.6.3.3.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Amazon	Fire Os Fire Tv Stick 3rd Gen
Bestbuy	Insignia Tv

Configuration 1 [-]

AND

cpe:2.3:o:amazon:fire_os:*:*:*:*:*:*:*:*

cpe:2.3:h:amazon:fire_tv_stick_3rd_gen:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:amazon:fire_os:*:*:*:*:*:*:*:*

cpe:2.3:h:bestbuy:insignia_tv:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series/

History

No history.

MITRE

Status: PUBLISHED

Assigner: Bitdefender

Published: 2023-05-03T12:33:31.872Z

Updated: 2024-08-02T05:49:11.227Z

Reserved: 2023-03-14T09:59:35.119Z

Link: CVE-2023-1385

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-05-03T13:15:10.290

Modified: 2023-05-12T16:07:46.433

Link: CVE-2023-1385

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-1385", "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "state": "PUBLISHED", "assignerShortName": "Bitdefender", "dateReserved": "2023-03-14T09:59:35.119Z", "datePublished": "2023-05-03T12:33:31.872Z", "dateUpdated": "2024-08-02T05:49:11.227Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Fire TV Stick 3rd gen", "vendor": "Amazon", "versions": [{"status": "affected", "version": "6.2.9.4"}]}, {"defaultStatus": "unaffected", "product": "TV with FireOS ", "vendor": "Insignia", "versions": [{"status": "affected", "version": "7.6.3.2"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Bitdefender IoT Research Team"}], "datePublic": "2023-05-02T09:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper JPAKE implementation allows offline PIN brute-forcing due to the initialization of random values to a known value, which leads to unauthorized authentication to amzn.lightning services.<br><br>This issue affects:<br><br>Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5.<br>Insignia TV with FireOS 7.6.3.3."}], "value": "Improper JPAKE implementation allows offline PIN brute-forcing due to the initialization of random values to a known value, which leads to unauthorized authentication to amzn.lightning services.\n\nThis issue affects:\n\nAmazon Fire TV Stick 3rd gen\u00a0versions prior to 6.2.9.5.\nInsignia TV with FireOS\u00a07.6.3.3."}], "impacts": [{"capecId": "CAPEC-112", "descriptions": [{"lang": "en", "value": "CAPEC-112 Brute Force"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-330", "description": "CWE-330 Use of Insufficiently Random Values", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "shortName": "Bitdefender", "dateUpdated": "2023-05-03T12:33:31.872Z"}, "references": [{"url": "https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An automatic firmware update to the following versions fixes the issue:<br><br>Amazon Fire TV Stick 3rd gen version 6.2.9.5<br>Insignia TV with FireOS version 7.6.3.3<br>"}], "value": "An automatic firmware update to the following versions fixes the issue:\n\nAmazon Fire TV Stick 3rd gen version 6.2.9.5\nInsignia TV with FireOS version 7.6.3.3\n"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:49:11.227Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:amazon:fire_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "155C81F2-B65A-49BB-8546-C4BAD0E15709", "versionEndExcluding": "6.2.9.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:amazon:fire_tv_stick_3rd_gen:-:*:*:*:*:*:*:*", "matchCriteriaId": "B9D6A7B7-D971-4EBE-9749-C80AF6A6F0D0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:amazon:fire_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "020E0ED7-C54D-438F-B2A0-A6471400479E", "versionEndExcluding": "7.6.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:bestbuy:insignia_tv:-:*:*:*:*:*:*:*", "matchCriteriaId": "F4942064-0B54-4FEA-96E1-9B5ED7CC8E96", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper JPAKE implementation allows offline PIN brute-forcing due to the initialization of random values to a known value, which leads to unauthorized authentication to amzn.lightning services.\n\nThis issue affects:\n\nAmazon Fire TV Stick 3rd gen\u00a0versions prior to 6.2.9.5.\nInsignia TV with FireOS\u00a07.6.3.3."}], "id": "CVE-2023-1385", "lastModified": "2023-05-12T16:07:46.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "cve-requests@bitdefender.com", "type": "Secondary"}]}, "published": "2023-05-03T13:15:10.290", "references": [{"source": "cve-requests@bitdefender.com", "tags": ["Third Party Advisory"], "url": "https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series/"}], "sourceIdentifier": "cve-requests@bitdefender.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "cve-requests@bitdefender.com", "type": "Primary"}]}