8.8 - VU#142629

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	Silicon Labs Z-Wave chipsets contain multiple vulnerabilities

Informations
Name	VU#142629	First vendor Publication	2022-01-07
Vendor	VU-CERT	Last vendor Modification	2022-01-09
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score	8.8
Base Score	8.8	Environmental Score	8.8
impact SubScore	5.9	Temporal Score	8.8
Exploitabality Sub Score	2.8

Attack Vector	Adjacent	Attack Complexity	Low
Privileges Required	None	User Interaction	None
Scope	Unchanged	Confidentiality Impact	High
Integrity Impact	High	Availability Impact	High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:A/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score	8.3	Attack Range	Adjacent network
Cvss Impact Score	10	Attack Complexity	Low
Cvss Expoit Score	6.5	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Overview

Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications.

Description

Z-Wave devices based on Silicon Labs chipsets have multiple vulnerabilities. For further details, including specific devices tested, see Riding the IoT Wave With VFuzz: Discovering Security Flaws in Smart Homes.

CVE-2020-9057
Z-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets do not support encryption.

CVE-2020-9058
Z-Wave devices based on Silicon Labs 500 series chipsets using CRC-16 encapsulation do not implement encryption or replay protection.

CVE-2020-9059
Z-Wave devices based on Silicon Labs 500 series chipsets using S0 authentication are susceptible to uncontrolled resource consumption which can lead to battery exhaustion.

CVE-2020-9060
Z-Wave devices based on Silicon Labs 500 series chipsets using S2 are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages.

CVE-2020-9061
Z-Wave devices based on Silicon Labs 500 and 700 series chipsets are susceptible to denial of service via malformed routing messages.

CVE-2020-10137
Z-Wave devices based on Silicon Labs 700 series chipsets using S2 do not adequately authenticate or encrypt FIND_NODE_IN_RANGE frames.

Impact

Depending on the chipset and device, an attacker within Z-Wave radio range can deny service, cause devices to crash, deplete batteries, intercept, observe, and replay traffic, and control vulnerable devices.

Solution

Mitigations for these vulnerabilities vary based on the chipset and device. In some cases it may be necessary to upgrade to newer hardware, for example, 500 and 700 series chipsets that support S2 authentication and encryption.

Acknowledgements

Thanks to Carlos Kayembe Nkuba, Seulbae Kim, Sven Dietrich, and Heejo Lee for researching and reporting these vulnerabilities.

This document was written by Timur Snoke and Art Manion.

Original Source

Url : https://kb.cert.org/vuls/id/142629

CWE : Common Weakness Enumeration

%	Id	Name
40 %	CWE-311	Missing Encryption of Sensitive Data (CWE/SANS Top 25)
20 %	CWE-770	Allocation of Resources Without Limits or Throttling
20 %	CWE-400	Uncontrolled Resource Consumption ('Resource Exhaustion')
20 %	CWE-345	Insufficient Verification of Data Authenticity

CPE : Common Platform Enumeration

Type	Description	Count
Os	Aeotec zw090-A cpe:2.3:o:aeotec:zw090-a:3.95:::::::*	1
Os	Dome dm501 cpe:2.3:o:dome:dm501:4.26:::::::*	1
Os	Fibaro Fgwpb-111 cpe:2.3:o:fibaro:fgwpb-111:4.3:::::::*	1
Os	Jasco zw4201 cpe:2.3:o:jasco:zw4201:4.05:::::::*	1
Os	Linear lb60z-1 cpe:2.3:o:linear:lb60z-1:3.5:::::::*	1
Os	Linear Wadwaz-1 cpe:2.3:o:linear:wadwaz-1:3.43:::::::*	1
Os	Linear Wapirz-1 cpe:2.3:o:linear:wapirz-1:3.43:::::::*	1
Os	Samsung Sth-Eth-200 cpe:2.3:o:samsung:sth-eth-200:6.04:::::::*	1
Os	Schlage be468 cpe:2.3:o:schlage:be468:3.42:::::::*	1
Os	Silabs 100 Series Firmware cpe:2.3:o:silabs:100_series_firmware::::::::	1
Os	Silabs 200 Series Firmware cpe:2.3:o:silabs:200_series_firmware::::::::	1
Os	Silabs 300 Series Firmware cpe:2.3:o:silabs:300_series_firmware::::::::	1
Os	Silabs 500 Series Firmware cpe:2.3:o:silabs:500_series_firmware::::::::	1
Os	Silabs 700 Series Firmware cpe:2.3:o:silabs:700_series_firmware:::::::: cpe:2.3:o:silabs:700_series_firmware:-:::::::*	2
Os	Silabs Uzb-7 cpe:2.3:o:silabs:uzb-7:7.00:::::::*	1
Os	Zooz zen20 cpe:2.3:o:zooz:zen20:5.03:::::::*	1
Os	Zooz zen25 cpe:2.3:o:zooz:zen25:5.03:::::::*	1
Os	Zooz zst10 cpe:2.3:o:zooz:zst10:6.04:::::::*	1

Alert History

If you want to see full details history, please login or register.

Date	Informations
2022-01-18 21:29:22	Multiple Updates
2022-01-09 05:17:42	Multiple Updates
2022-01-08 00:17:43	First insertion

Global Informations

Type	Count
CWE ID(s)	5
CPE ID(s)	19

	Related
8.8	CVE-2020-9057
8.1	CVE-2020-9058
6.5	CVE-2020-9061
6.5	CVE-2020-9060
6.5	CVE-2020-9059
6.5	CVE-2020-10137
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 6 more Alert(s)