CVE-2020-9057

Z-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets do not support encryption, allowing an attacker within radio range to take control of or cause a denial of service to a vulnerable device. An attacker can also capture and replay Z-Wave traffic. Firmware upgrades cannot directly address this vulnerability as it is an issue with the Z-Wave specification for these legacy chipsets. One way to protect against this vulnerability is to use 500 or 700 series chipsets that support Security 2 (S2) encryption. As examples, the Linear WADWAZ-1 version 3.43 and WAPIRZ-1 version 3.43 (with 300 series chipsets) are vulnerable.

CVSS v2.0 8.3

8.3^/10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.5 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

CVSS v3.0 8.8 HIGH

8.8^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/CNK2100/VFuzz-public	Third Party Advisory
https://kb.cert.org/vuls/id/142629	Third Party Advisory US Government Resource
https://ieeexplore.ieee.org/document/9663293	Broken Link
https://doi.org/10.1109/ACCESS.2021.3138768	Broken Link
https://www.kb.cert.org/vuls/id/142629	Third Party Advisory US Government Resource

Configurations

Configuration 1

cpe:2.3:o:linear:wapirz-1:3.43:*:*:*:*:*:*:*

cpe:2.3:o:linear:wadwaz-1:3.43:*:*:*:*:*:*:*

cpe:2.3:o:silabs:100_series_firmware:*:*:*:*:*:*:*:*

cpe:2.3:o:silabs:200_series_firmware:*:*:*:*:*:*:*:*

cpe:2.3:o:silabs:300_series_firmware:*:*:*:*:*:*:*:*

History

24 Jan 2023, 16:19

Type	Values Removed	Values Added
CPE		cpe:2.3:a:predictapp_project:predictapp::::::::
References	~~(MISC) https://github.com/abhilash1985/PredictApp/commit/b067372f3ee26fe1b657121f0f41883ff4461a06 -~~	(MISC) https://github.com/abhilash1985/PredictApp/commit/b067372f3ee26fe1b657121f0f41883ff4461a06 - Patch, Third Party Advisory
References	~~(MISC) https://github.com/abhilash1985/PredictApp/pull/73 -~~	(MISC) https://github.com/abhilash1985/PredictApp/pull/73 - Patch, Third Party Advisory
References	~~(MISC) https://vuldb.com/?id.218387 -~~	(MISC) https://vuldb.com/?id.218387 - Third Party Advisory
References	~~(MISC) https://vuldb.com/?ctiid.218387 -~~	(MISC) https://vuldb.com/?ctiid.218387 - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Predictapp Project predictapp Predictapp Project

16 Jan 2023, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-01-10 02:10

Updated : 2022-01-18 05:10

NVD link : CVE-2020-9057

Mitre link : CVE-2020-9057

Products Affected

No products.

CWE

CWE-311

Missing Encryption of Sensitive Data