CVE-2024-3454 - Vulnerability Details - OpenCVE

An implementation issue in the Connectivity Standards Alliance Matter 1.2 protocol as used in the connectedhomeip SDK allows a third party to disclose information about devices part of the same fabric (footprinting), even though the protocol is designed to prevent access to such information.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00106.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Connectivity Standards Alliance

connectedhomeip

unaffected

Version	Status	Constraints
`1.2.0.1`	affected	—

Configuration 1 [-]

cpe:2.3:a:csa-iot:matter:-:*:*:*:*:*:*:*

No data.

No data.

Subscriptions

Vendors	Products
Csa-iot Subscribe	Matter Subscribe

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-32041	An implementation issue in the Connectivity Standards Alliance Matter 1.2 protocol as used in the connectedhomeip SDK allows a third party to disclose information about devices part of the same fabric (footprinting), even though the protocol is designed to prevent access to such information.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.bitdefender.com/support/security-advisories/in-fabric-matter-cluster-attribute-disclosure/

History

Tue, 10 Sep 2024 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Csa-iot Csa-iot matter
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:csa-iot:matter:-:::::::*
Vendors & Products		Csa-iot Csa-iot matter

MITRE

Status: PUBLISHED

Assigner: Bitdefender

Published: 2024-07-24T07:58:40.219Z

Updated: 2024-08-01T20:12:06.908Z

Reserved: 2024-04-08T10:10:40.308Z

Link: CVE-2024-3454

Vulnrichment

Updated: 2024-08-01T20:12:06.908Z

NVD

Status : Modified

Published: 2024-07-24T08:15:03.123

Modified: 2024-11-21T09:29:37.917

Link: CVE-2024-3454

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3454", "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "state": "PUBLISHED", "assignerShortName": "Bitdefender", "dateReserved": "2024-04-08T10:10:40.308Z", "datePublished": "2024-07-24T07:58:40.219Z", "dateUpdated": "2024-08-01T20:12:06.908Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "connectedhomeip", "vendor": "Connectivity Standards Alliance", "versions": [{"status": "affected", "version": "1.2.0.1"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bela Genge, Bitdefender"}], "datePublic": "2024-07-22T09:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An implementation issue in the Connectivity Standards Alliance Matter 1.2 protocol as used in the connectedhomeip SDK allows a third party to disclose information about devices part of the same fabric (footprinting), even though the protocol is designed to prevent access to such information."}], "value": "An implementation issue in the Connectivity Standards Alliance Matter 1.2 protocol as used in the connectedhomeip SDK allows a third party to disclose information about devices part of the same fabric (footprinting), even though the protocol is designed to prevent access to such information."}], "impacts": [{"capecId": "CAPEC-169", "descriptions": [{"lang": "en", "value": "CAPEC-169 Footprinting"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209: Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "shortName": "Bitdefender", "dateUpdated": "2024-07-24T07:58:40.219Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.bitdefender.com/support/security-advisories/in-fabric-matter-cluster-attribute-disclosure/"}], "source": {"discovery": "EXTERNAL"}, "title": "In-Fabric Matter Cluster Attribute Disclosure", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-26T17:10:03.662727Z", "id": "CVE-2024-3454", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T17:10:19.118Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:12:06.908Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_transferred"], "url": "https://www.bitdefender.com/support/security-advisories/in-fabric-matter-cluster-attribute-disclosure/"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.bitdefender.com/support/security-advisories/in-fabric-matter-cluster-attribute-disclosure/", "tags": ["third-party-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:12:06.908Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3454", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-26T17:10:03.662727Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T17:10:13.432Z"}}], "cna": {"title": "In-Fabric Matter Cluster Attribute Disclosure", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Bela Genge, Bitdefender"}], "impacts": [{"capecId": "CAPEC-169", "descriptions": [{"lang": "en", "value": "CAPEC-169 Footprinting"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Connectivity Standards Alliance", "product": "connectedhomeip", "versions": [{"status": "affected", "version": "1.2.0.1"}], "defaultStatus": "unaffected"}], "datePublic": "2024-07-22T09:00:00.000Z", "references": [{"url": "https://www.bitdefender.com/support/security-advisories/in-fabric-matter-cluster-attribute-disclosure/", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An implementation issue in the Connectivity Standards Alliance Matter 1.2 protocol as used in the connectedhomeip SDK allows a third party to disclose information about devices part of the same fabric (footprinting), even though the protocol is designed to prevent access to such information.", "supportingMedia": [{"type": "text/html", "value": "An implementation issue in the Connectivity Standards Alliance Matter 1.2 protocol as used in the connectedhomeip SDK allows a third party to disclose information about devices part of the same fabric (footprinting), even though the protocol is designed to prevent access to such information.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209: Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "shortName": "Bitdefender", "dateUpdated": "2024-07-24T07:58:40.219Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3454", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:12:06.908Z", "dateReserved": "2024-04-08T10:10:40.308Z", "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "datePublished": "2024-07-24T07:58:40.219Z", "assignerShortName": "Bitdefender"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:csa-iot:matter:-:*:*:*:*:*:*:*", "matchCriteriaId": "06D3E01D-2B76-4997-93CE-962515E04CEC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An implementation issue in the Connectivity Standards Alliance Matter 1.2 protocol as used in the connectedhomeip SDK allows a third party to disclose information about devices part of the same fabric (footprinting), even though the protocol is designed to prevent access to such information."}, {"lang": "es", "value": "Un problema de implementaci\u00f3n en el protocolo Connectivity Standards Alliance Matter 1.2, tal como se utiliza en el SDK de connecthomeip, permite a un tercero revelar informaci\u00f3n sobre dispositivos que forman parte del mismo tejido (footprinting), aunque el protocolo est\u00e1 dise\u00f1ado para impedir el acceso a dicha informaci\u00f3n."}], "id": "CVE-2024-3454", "lastModified": "2024-11-21T09:29:37.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cve-requests@bitdefender.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-24T08:15:03.123", "references": [{"source": "cve-requests@bitdefender.com", "tags": ["Third Party Advisory"], "url": "https://www.bitdefender.com/support/security-advisories/in-fabric-matter-cluster-attribute-disclosure/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.bitdefender.com/support/security-advisories/in-fabric-matter-cluster-attribute-disclosure/"}], "sourceIdentifier": "cve-requests@bitdefender.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "cve-requests@bitdefender.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}