ID

VAR-201402-0135


CVE

CVE-2013-6951


TITLE

Belkin Wemo Home Automation devices contain multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#656302

DESCRIPTION

The Belkin WeMo Home Automation firmware before 3949 does not maintain a set of Certification Authority public keys, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary X.509 certificate. Belkin Wemo Home Automation devices contain multiple vulnerabilities. Supplementary information: the vulnerability type has been identified as CWE-494: Download of Code Without Integrity Check (http://cwe.mitre.org/data/definitions/494.html). A man-in-the-middle attacker may be able to impersonate an SSL server using an arbitrary X.509 certificate. Belkin Wemo Home Automation devices fail to store local certificates to verify the integrity of the SSL link, which allows remote attackers to exploit the vulnerability because downloaded code is not checked for integrity. A remote attacker can leverage this issue to execute arbitrary code within the context of the application. Failed exploit attempts will likely result in denial-of-service conditions.

Trust: 3.24

sources: NVD: CVE-2013-6951 // CERT/CC: VU#656302 // JVNDB: JVNDB-2013-006071 // CNVD: CNVD-2014-01116 // BID: 65633 // VULHUB: VHN-66953

IOT TAXONOMY

category: ['Network device'] | sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-01116

AFFECTED PRODUCTS

vendor: belkin | model: wemo home automation | scope: eq | version: 2769

Trust: 1.6

vendor: belkin | model: - | scope: - | version: -

Trust: 0.8

vendor: belkin | model: wemo home automation | scope: lt | version: 3949

Trust: 0.8

vendor: belkin | model: international,inc home automation devices | scope: - | version: -

Trust: 0.6

sources: CERT/CC: VU#656302 // CNVD: CNVD-2014-01116 // JVNDB: JVNDB-2013-006071 // CNNVD: CNNVD-201402-312 // NVD: CVE-2013-6951

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-6951
value: HIGH

Trust: 1.0

NVD: CVE-2013-6951
value: HIGH

Trust: 0.8

CNVD: CNVD-2014-01116
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201402-312
value: HIGH

Trust: 0.6

VULHUB: VHN-66953
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2013-6951
severity: HIGH
baseScore: 7.1
vectorString: AV:N/AC:M/AU:N/C:N/I:C/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-01116
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-66953
severity: HIGH
baseScore: 7.1
vectorString: AV:N/AC:M/AU:N/C:N/I:C/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-01116 // VULHUB: VHN-66953 // JVNDB: JVNDB-2013-006071 // CNNVD: CNNVD-201402-312 // NVD: CVE-2013-6951

PROBLEMTYPE DATA

problemtype:CWE-310

Trust: 1.9

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-66953 // JVNDB: JVNDB-2013-006071 // NVD: CVE-2013-6951

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201402-312

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201402-312

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-006071

PATCH

title: WeMo Home Automation | url: http://www.belkin.com/us/Products/home-automation/c/wemo-home-automation/

Trust: 0.8

sources: JVNDB: JVNDB-2013-006071

EXTERNAL IDS

db: CERT/CC | id: VU#656302

Trust: 3.9

db: NVD | id: CVE-2013-6951

Trust: 3.4

db: BID | id: 65633

Trust: 1.0

db: JVN | id: JVNVU97009803

Trust: 0.8

db: JVNDB | id: JVNDB-2013-006071

Trust: 0.8

db: CNNVD | id: CNNVD-201402-312

Trust: 0.7

db: CNVD | id: CNVD-2014-01116

Trust: 0.6

db: VULHUB | id: VHN-66953

Trust: 0.1

sources: CERT/CC: VU#656302 // CNVD: CNVD-2014-01116 // VULHUB: VHN-66953 // BID: 65633 // JVNDB: JVNDB-2013-006071 // CNNVD: CNNVD-201402-312 // NVD: CVE-2013-6951

REFERENCES

url:http://www.ioactive.com/pdfs/ioactive_belkin-advisory-lite.pdf

Trust: 3.3

url:http://www.kb.cert.org/vuls/id/656302

Trust: 2.3

url:http://cwe.mitre.org/data/definitions/611.html

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/321.html

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/494.html

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/441.html

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/319.html

Trust: 0.8

url:http://www.belkin.com/us/products/home-automation/c/wemo-home-automation

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6951

Trust: 0.8

url:http://jvn.jp/vu/jvnvu97009803/

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6951

Trust: 0.8

url:http://www.kb.cert.org/vuls/id/656302

Trust: 0.8

sources: CERT/CC: VU#656302 // CNVD: CNVD-2014-01116 // VULHUB: VHN-66953 // JVNDB: JVNDB-2013-006071 // CNNVD: CNNVD-201402-312 // NVD: CVE-2013-6951

CREDITS

Mike Davis of IOActive

Trust: 0.3

sources: BID: 65633

SOURCES

db: CERT/CC | id: VU#656302
db: CNVD | id: CNVD-2014-01116
db: VULHUB | id: VHN-66953
db: BID | id: 65633
db: JVNDB | id: JVNDB-2013-006071
db: CNNVD | id: CNNVD-201402-312
db: NVD | id: CVE-2013-6951

LAST UPDATE DATE

2025-04-11T22:48:23.298000+00:00


SOURCES UPDATE DATE

db: CERT/CC | id: VU#656302 | date: 2014-07-29T00:00:00
db: CNVD | id: CNVD-2014-01116 | date: 2014-02-20T00:00:00
db: VULHUB | id: VHN-66953 | date: 2014-02-24T00:00:00
db: BID | id: 65633 | date: 2014-03-04T02:11:00
db: JVNDB | id: JVNDB-2013-006071 | date: 2014-02-25T00:00:00
db: CNNVD | id: CNNVD-201402-312 | date: 2014-02-28T00:00:00
db: NVD | id: CVE-2013-6951 | date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: CERT/CC | id: VU#656302 | date: 2014-02-18T00:00:00
db: CNVD | id: CNVD-2014-01116 | date: 2014-02-20T00:00:00
db: VULHUB | id: VHN-66953 | date: 2014-02-22T00:00:00
db: BID | id: 65633 | date: 2014-02-18T00:00:00
db: JVNDB | id: JVNDB-2013-006071 | date: 2014-02-25T00:00:00
db: CNNVD | id: CNNVD-201402-312 | date: 2014-02-26T00:00:00
db: NVD | id: CVE-2013-6951 | date: 2014-02-22T21:55:09.280