Thursday, May 9, 2013

CVE-2013-3518 - Belkin WeMo Information Exposure


# Title: Belkin WeMo Information Exposure
# Date: 5/9/13
# Author: Mickey Shkatov
# Vendor Homepage: http://www.belkin.com/us/wemo
# Version: Any version prior to
#   US: WeMo_US_2.00.2176.PVT
#   World Wide: WeMo_WW_2.00.2176.PVT
# CVE: CVE-2013-3518

Overview:
Belkin WeMo devices with firmware prior to WeMo_US_2.00.2176.PVT allow physically proximate attackers to access the file system and extract the private key, public key, trust chain and passphrase used to encrypt Belkin firmware.

Impact:
Affected products:
 - Belkin WeMo
 - Other: Since the same encryption keys are used for other Belkin products, all those products are susceptible to malicious modification.

Timeline:
Jan 10 2013 - Contacted Belkin support.
Jan 11 2013 - Belkin support replies with request for details.
Jan 11 2013 - Description of vulnerability sent.
Mar 28 2013 - A firmware fix has been published by Belkin.
Apr  7 2013 - Fix confirmed.
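
Checking an inventory against the fixed builds (an added example, not part of the original advisory): the script below classifies firmware strings as older than, or at least, the builds named in the Version field. It assumes every firmware string follows the layout WeMo_<region>_<major>.<minor>.<build>.<suffix> seen in those two names and that the numeric fields order as integers; the host names and the non-fixed version strings are constructed sample data.

```python
import re

# First fixed builds, taken from the advisory's Version field.
FIXED = {"US": (2, 0, 2176), "WW": (2, 0, 2176)}

# Assumed layout: WeMo_<region>_<major>.<minor>.<build>.<suffix>
_VERSION_RE = re.compile(
    r"^WeMo_([A-Z]{2})_(\d+)\.(\d+)\.(\d+)\.([A-Za-z0-9]+)$"
)


def parse_version(fw):
    """Return (region, (major, minor, build)); raise ValueError if malformed."""
    m = _VERSION_RE.match(fw.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {fw!r}")
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def is_affected(fw):
    """True if older than the fixed build for its region, False if not,
    None when the string or region cannot be judged from the advisory."""
    try:
        region, version = parse_version(fw)
    except ValueError:
        return None
    fixed = FIXED.get(region)
    if fixed is None:
        return None  # region not listed in the advisory: do not guess
    return version < fixed


def triage(inventory):
    """Map each host to 'affected', 'fixed' or 'unknown'."""
    labels = {True: "affected", False: "fixed", None: "unknown"}
    return {host: labels[is_affected(fw)] for host, fw in inventory.items()}


# Constructed inventory (host names and older/newer builds are made up).
SAMPLE = {
    "plug-kitchen": "WeMo_US_1.01.1798.PVT",
    "plug-office": "WeMo_US_2.00.2176.PVT",
    "plug-lab": "WeMo_WW_2.00.2175.PVT",
    "plug-hall": "WeMo_WW_2.01.0001.PVT",
    "plug-attic": "firmware unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as unknown need a manual check, since the advisory only names the US and World Wide builds.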