Sign-up

ID

VAR-201507-0143


CVE

CVE-2015-2848


TITLE

Honeywell International Tuxedo Touch Cross-Site Request Forgery Vulnerability

Trust: 1.4

sources: IVD: 80fe7b44-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05017 // CNNVD: CNNVD-201507-760

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo Touch before 5.2.19.0_VA allows remote attackers to hijack the authentication of arbitrary users for requests associated with home-automation commands, as demonstrated by a door-unlock command. Honeywell International Tuxedo Touch is Honeywell International's suite of automated touch controllers for businesses and homes that control cameras, thermostats, fixtures, smart locks, and shading via the Web or related apps. Curtains, etc. A remote attacker could exploit the vulnerability to perform actions with user privileges and send commands to a home automation device. This may lead to further attacks

Trust: 3.33

sources: NVD: CVE-2015-2848 // CERT/CC: VU#857948 // JVNDB: JVNDB-2015-003936 // CNVD: CNVD-2015-05017 // BID: 76036 // IVD: 80fe7b44-2351-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 80fe7b44-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05017

AFFECTED PRODUCTS

vendor:honeywellmodel:tuxedo touchscope:lteversion:5.1.13.0_va

Trust: 1.0

vendor:honeywellmodel: - scope: - version: -

Trust: 0.8

vendor:honeywellmodel:tuxedo touch softwarescope:ltversion:5.2.19.0_va

Trust: 0.8

vendor:honeywellmodel:international tuxedo touchscope: - version: -

Trust: 0.6

vendor:honeywellmodel:tuxedo touchscope:eqversion:5.1.13.0_va

Trust: 0.6

vendor:honeywellmodel:tuxedo touch controllerscope:eqversion:0

Trust: 0.3

vendor:honeywellmodel:tuxedo touch controller tuxw v5.2.19.0 vascope:neversion: -

Trust: 0.3

vendor:tuxedo touchmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 80fe7b44-2351-11e6-abef-000c29c66e3d // CERT/CC: VU#857948 // CNVD: CNVD-2015-05017 // BID: 76036 // JVNDB: JVNDB-2015-003936 // CNNVD: CNNVD-201507-760 // NVD: CVE-2015-2848

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-2848
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-2848
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-05017
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201507-760
value: MEDIUM

Trust: 0.6

IVD: 80fe7b44-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2015-2848
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-05017
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 80fe7b44-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 80fe7b44-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05017 // JVNDB: JVNDB-2015-003936 // CNNVD: CNNVD-201507-760 // NVD: CVE-2015-2848

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2015-003936 // NVD: CVE-2015-2848

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201507-760

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201507-760

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-003936

PATCH
title:Tuxedo Touch Software Updatesurl:http://www.tuxedotouchtoolkit.com/software-downloads/tuxedo-touch/index.html
Trust: 0.8
title:Patch for Honeywell International Tuxedo Touch Cross-site Request Forgery Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/61745
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2015-05017 // 
            
            
            
            JVNDB: JVNDB-2015-003936

EXTERNAL IDS
db:CERT/CCid:VU#857948
Trust: 4.1
db:NVDid:CVE-2015-2848
Trust: 3.5
db:BIDid:76036
Trust: 0.9
db:CNVDid:CNVD-2015-05017
Trust: 0.8
db:CNNVDid:CNNVD-201507-760
Trust: 0.8
db:JVNid:JVNVU92850780
Trust: 0.8
db:JVNDBid:JVNDB-2015-003936
Trust: 0.8
db:IVDid:80FE7B44-2351-11E6-ABEF-000C29C66E3D
Trust: 0.2
sources:
            
            
            IVD: 80fe7b44-2351-11e6-abef-000c29c66e3d // 
            
            
            
            CERT/CC: VU#857948 // 
            
            
            
            CNVD: CNVD-2015-05017 // 
            
            
            
            BID: 76036 // 
            
            
            
            JVNDB: JVNDB-2015-003936 // 
            
            
            
            CNNVD: CNNVD-201507-760 // 
            
            
            
            NVD: CVE-2015-2848

REFERENCES
url:http://www.kb.cert.org/vuls/id/857948
Trust: 3.3
url:http://www.tuxedotouchtoolkit.com/software-downloads/tuxedo-touch/index.html
Trust: 0.8
url:http://www.tuxedotouchtoolkit.com/
Trust: 0.8
url:https://cwe.mitre.org/data/definitions/603.html
Trust: 0.8
url:https://cwe.mitre.org/data/definitions/352.html
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2848
Trust: 0.8
url:http://jvn.jp/vu/jvnvu92850780/index.html
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2848
Trust: 0.8
url:http://www.securityfocus.com/bid/76036
Trust: 0.6
url:http://homesecurity.honeywell.com/tuxedo_touch.html
Trust: 0.3
sources:
            
            
            CERT/CC: VU#857948 // 
            
            
            
            CNVD: CNVD-2015-05017 // 
            
            
            
            BID: 76036 // 
            
            
            
            JVNDB: JVNDB-2015-003936 // 
            
            
            
            CNNVD: CNNVD-201507-760 // 
            
            
            
            NVD: CVE-2015-2848

CREDITS
Maxim Rupp
Trust: 0.3
sources:
            
            
            BID: 76036

SOURCES
db:IVDid:80fe7b44-2351-11e6-abef-000c29c66e3d
db:CERT/CCid:VU#857948
db:CNVDid:CNVD-2015-05017
db:BIDid:76036
db:JVNDBid:JVNDB-2015-003936
db:CNNVDid:CNNVD-201507-760
db:NVDid:CVE-2015-2848

LAST UPDATE DATE
2025-04-12T23:18:48.716000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#857948date:2017-03-22T00:00:00
db:CNVDid:CNVD-2015-05017date:2015-07-30T00:00:00
db:BIDid:76036date:2015-07-24T00:00:00
db:JVNDBid:JVNDB-2015-003936date:2015-07-28T00:00:00
db:CNNVDid:CNNVD-201507-760date:2015-08-03T00:00:00
db:NVDid:CVE-2015-2848date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:IVDid:80fe7b44-2351-11e6-abef-000c29c66e3ddate:2015-07-30T00:00:00
db:CERT/CCid:VU#857948date:2015-07-24T00:00:00
db:CNVDid:CNVD-2015-05017date:2015-07-30T00:00:00
db:BIDid:76036date:2015-07-24T00:00:00
db:JVNDBid:JVNDB-2015-003936date:2015-07-28T00:00:00
db:CNNVDid:CNNVD-201507-760date:2015-07-27T00:00:00
db:NVDid:CVE-2015-2848date:2015-07-26T18:59:01.120