CVE-2020-9462 - Vulnerability Details - OpenCVE

An issue was discovered in all Athom Homey and Homey Pro devices up to the current version 4.2.0. An attacker within RF range can obtain a cleartext copy of the network configuration of the device, including the Wi-Fi PSK, during device setup. Upon success, the attacker is able to further infiltrate the target's Wi-Fi networks.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Homey	Homey Homey Firmware Homey Pro Homey Pro Firmware

Configuration 1 [-]

AND

cpe:2.3:o:homey:homey_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:homey:homey:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:homey:homey_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:homey:homey_pro:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://developer.athom.com/firmware

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-06-04T15:49:28

Updated: 2024-08-04T10:26:16.121Z

Reserved: 2020-02-28T00:00:00

Link: CVE-2020-9462

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-06-04T16:15:13.280

Modified: 2024-11-21T05:40:41.617

Link: CVE-2020-9462

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in all Athom Homey and Homey Pro devices up to the current version 4.2.0. An attacker within RF range can obtain a cleartext copy of the network configuration of the device, including the Wi-Fi PSK, during device setup. Upon success, the attacker is able to further infiltrate the target's Wi-Fi networks."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-04T15:49:28", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://developer.athom.com/firmware"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-9462", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in all Athom Homey and Homey Pro devices up to the current version 4.2.0. An attacker within RF range can obtain a cleartext copy of the network configuration of the device, including the Wi-Fi PSK, during device setup. Upon success, the attacker is able to further infiltrate the target's Wi-Fi networks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://developer.athom.com/firmware", "refsource": "MISC", "url": "https://developer.athom.com/firmware"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:26:16.121Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://developer.athom.com/firmware"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-9462", "datePublished": "2020-06-04T15:49:28", "dateReserved": "2020-02-28T00:00:00", "dateUpdated": "2024-08-04T10:26:16.121Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:homey:homey_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "38804188-0945-41FF-A377-6485F2A9FAF6", "versionEndExcluding": "4.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:homey:homey:-:*:*:*:*:*:*:*", "matchCriteriaId": "53273CFA-B260-401D-9DD6-B90E3DA09D7D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:homey:homey_pro_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E22F8E86-CF2C-4FBC-B403-8B385971A289", "versionEndExcluding": "4.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:homey:homey_pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "C01177C9-CED9-4D65-BEBB-C44C13C8A0A6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in all Athom Homey and Homey Pro devices up to the current version 4.2.0. An attacker within RF range can obtain a cleartext copy of the network configuration of the device, including the Wi-Fi PSK, during device setup. Upon success, the attacker is able to further infiltrate the target's Wi-Fi networks."}, {"lang": "es", "value": "Se detect\u00f3 un problema en todos los dispositivos Athom Homey y Homey Pro hasta la actual versi\u00f3n 4.2.0. Un atacante dentro del rango de RF puede obtener una copia en texto sin cifrar de la configuraci\u00f3n de la red del dispositivo, incluyendo el PSK Wi-Fi, durante la configuraci\u00f3n del dispositivo. Tras el \u00e9xito, el atacante es capaz de infiltrarse a\u00fan m\u00e1s en las redes Wi-Fi del objetivo"}], "id": "CVE-2020-9462", "lastModified": "2024-11-21T05:40:41.617", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-04T16:15:13.280", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://developer.athom.com/firmware"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://developer.athom.com/firmware"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "nvd@nist.gov", "type": "Primary"}]}