CVE-2024-7206

SSL Pinning Bypass in eWeLink Some hardware products allows local ATTACKER to Decrypt TLS communication and Extract secrets to clone the device via Flash the modified firmware

CVSS

No CVSS.

References

Link	Resource
https://ewelink.cc/security-advisory-firmware-extraction-and-hardware-ssl-pinning-bypass/

Configurations

No configuration.

History

No history.

Information

Published : 2024-10-08 07:15

Updated : 2024-10-10 12:56

NVD link : CVE-2024-7206

Mitre link : CVE-2024-7206

CVE.ORG link : CVE-2024-7206

JSON object : View

Products Affected

No product.

CWE

CWE-295

Improper Certificate Validation

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2024-7206", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "68870bb1-d075-4169-957d-e580b18692b9", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 7.0, "automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-10-08T07:15:06.170", "references": [{"url": "https://ewelink.cc/security-advisory-firmware-extraction-and-hardware-ssl-pinning-bypass/", "source": "68870bb1-d075-4169-957d-e580b18692b9"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "68870bb1-d075-4169-957d-e580b18692b9", "description": [{"lang": "en", "value": "CWE-295"}, {"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "SSL Pinning Bypass\u00a0in\u00a0eWeLink Some hardware products\u00a0allows local ATTACKER to Decrypt TLS communication and Extract secrets to clone the device\u00a0via Flash the modified firmware"}, {"lang": "es", "value": "Omisi\u00f3n de fijaci\u00f3n SSL en eWeLink Algunos productos de hardware permiten a un ATACANTE local descifrar la comunicaci\u00f3n TLS y extraer secretos para clonar el dispositivo a trav\u00e9s de Flash del firmware modificado"}], "lastModified": "2024-10-10T12:56:30.817", "sourceIdentifier": "68870bb1-d075-4169-957d-e580b18692b9"}

CVE-2024-7206

JSON object

Attach tags to CVE-2024-7206

Attach tags to `CVE-2024-7206`