Sign-up

ID

VAR-201507-0142


CVE

CVE-2015-2847


TITLE

Honeywell International Tuxedo Touch Security Bypass Vulnerability

Trust: 0.8

sources: IVD: 81163d92-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05018

DESCRIPTION

Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authentication involving JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlClient by a third party - From server data stream USERACCT By deleting the request, access restrictions may be avoided. Honeywell International Tuxedo Touch is Honeywell International's suite of automated touch controllers for businesses and homes that control cameras, thermostats, fixtures, smart locks, and shading via the Web or related apps. Curtains, etc. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may aid in further attacks

Trust: 3.33

sources: NVD: CVE-2015-2847 // CERT/CC: VU#857948 // JVNDB: JVNDB-2015-003935 // CNVD: CNVD-2015-05018 // BID: 76035 // IVD: 81163d92-2351-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 81163d92-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05018

AFFECTED PRODUCTS

vendor:honeywellmodel:tuxedo touchscope:lteversion:5.1.13.0_va

Trust: 1.0

vendor:honeywellmodel: - scope: - version: -

Trust: 0.8

vendor:honeywellmodel:tuxedo touch softwarescope:ltversion:5.2.19.0_va

Trust: 0.8

vendor:honeywellmodel:international tuxedo touchscope: - version: -

Trust: 0.6

vendor:honeywellmodel:tuxedo touchscope:eqversion:5.1.13.0_va

Trust: 0.6

vendor:honeywellmodel:tuxedo touch controllerscope:eqversion:0

Trust: 0.3

vendor:honeywellmodel:tuxedo touch controller tuxw v5.2.19.0 vascope:neversion: -

Trust: 0.3

vendor:tuxedo touchmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 81163d92-2351-11e6-abef-000c29c66e3d // CERT/CC: VU#857948 // CNVD: CNVD-2015-05018 // BID: 76035 // JVNDB: JVNDB-2015-003935 // CNNVD: CNNVD-201507-759 // NVD: CVE-2015-2847

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-2847
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-2847
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-05018
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201507-759
value: MEDIUM

Trust: 0.6

IVD: 81163d92-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2015-2847
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-05018
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 81163d92-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 81163d92-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05018 // JVNDB: JVNDB-2015-003935 // CNNVD: CNNVD-201507-759 // NVD: CVE-2015-2847

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2015-003935 // NVD: CVE-2015-2847

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201507-759

TYPE

Design Error

Trust: 0.3

sources: BID: 76035

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-003935

PATCH
title:Tuxedo Touch Software Updatesurl:http://www.tuxedotouchtoolkit.com/software-downloads/tuxedo-touch/index.html
Trust: 0.8
title:Honeywell International Tuxedo Touch Security Vulnerability Patchurl:https://www.cnvd.org.cn/patchInfo/show/61744
Trust: 0.6
title:TUXWIFI_V5.2.19.0_VAurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=57058
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2015-05018 // 
            
            
            
            JVNDB: JVNDB-2015-003935 // 
            
            
            
            CNNVD: CNNVD-201507-759

EXTERNAL IDS
db:CERT/CCid:VU#857948
Trust: 4.1
db:NVDid:CVE-2015-2847
Trust: 3.5
db:BIDid:76035
Trust: 0.9
db:CNVDid:CNVD-2015-05018
Trust: 0.8
db:CNNVDid:CNNVD-201507-759
Trust: 0.8
db:JVNid:JVNVU92850780
Trust: 0.8
db:JVNDBid:JVNDB-2015-003935
Trust: 0.8
db:IVDid:81163D92-2351-11E6-ABEF-000C29C66E3D
Trust: 0.2
sources:
            
            
            IVD: 81163d92-2351-11e6-abef-000c29c66e3d // 
            
            
            
            CERT/CC: VU#857948 // 
            
            
            
            CNVD: CNVD-2015-05018 // 
            
            
            
            BID: 76035 // 
            
            
            
            JVNDB: JVNDB-2015-003935 // 
            
            
            
            CNNVD: CNNVD-201507-759 // 
            
            
            
            NVD: CVE-2015-2847

REFERENCES
url:http://www.kb.cert.org/vuls/id/857948
Trust: 3.3
url:http://www.tuxedotouchtoolkit.com/software-downloads/tuxedo-touch/index.html
Trust: 0.8
url:http://www.tuxedotouchtoolkit.com/
Trust: 0.8
url:https://cwe.mitre.org/data/definitions/603.html
Trust: 0.8
url:https://cwe.mitre.org/data/definitions/352.html
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2847
Trust: 0.8
url:http://jvn.jp/vu/jvnvu92850780/index.html
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2847
Trust: 0.8
url:http://homesecurity.honeywell.com/tuxedo_touch.html
Trust: 0.3
sources:
            
            
            CERT/CC: VU#857948 // 
            
            
            
            CNVD: CNVD-2015-05018 // 
            
            
            
            BID: 76035 // 
            
            
            
            JVNDB: JVNDB-2015-003935 // 
            
            
            
            CNNVD: CNNVD-201507-759 // 
            
            
            
            NVD: CVE-2015-2847

CREDITS
Maxim Rupp
Trust: 0.3
sources:
            
            
            BID: 76035

SOURCES
db:IVDid:81163d92-2351-11e6-abef-000c29c66e3d
db:CERT/CCid:VU#857948
db:CNVDid:CNVD-2015-05018
db:BIDid:76035
db:JVNDBid:JVNDB-2015-003935
db:CNNVDid:CNNVD-201507-759
db:NVDid:CVE-2015-2847

LAST UPDATE DATE
2025-04-12T23:18:48.676000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#857948date:2017-03-22T00:00:00
db:CNVDid:CNVD-2015-05018date:2015-07-30T00:00:00
db:BIDid:76035date:2015-07-24T00:00:00
db:JVNDBid:JVNDB-2015-003935date:2015-07-28T00:00:00
db:CNNVDid:CNNVD-201507-759date:2015-07-27T00:00:00
db:NVDid:CVE-2015-2847date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:IVDid:81163d92-2351-11e6-abef-000c29c66e3ddate:2015-07-30T00:00:00
db:CERT/CCid:VU#857948date:2015-07-24T00:00:00
db:CNVDid:CNVD-2015-05018date:2015-07-30T00:00:00
db:BIDid:76035date:2015-07-24T00:00:00
db:JVNDBid:JVNDB-2015-003935date:2015-07-28T00:00:00
db:CNNVDid:CNNVD-201507-759date:2015-07-27T00:00:00
db:NVDid:CVE-2015-2847date:2015-07-26T18:59:00.073