Details of VAR-201602-0124

ID

VAR-201602-0124

CVE

CVE-2016-2398

TITLE

Comcast XFINITY Home Security Denial of Service Vulnerability

Trust: 0.9

sources: BID: 79863 // CNNVD: CNNVD-201601-301

DESCRIPTION

Comcast XFINITY Home Security System does not properly maintain base-station communication, which allows physically proximate attackers to defeat sensor functionality by interfering with ZigBee 2.4 GHz transmissions. Comcast XFINITY Home Security does not fail securely, which may be leveraged to avoid triggering alarm events. Comcast XFINITY Home Security The system has a problem in handling when the wireless connection between the sensor and the base station is broken, which may intentionally interfere with alarm generation. CWE-636: Not Failing Securely ('Failing Open') Comcast XFINITY Home Security Then, the frequency between the sensors and base stations that make up the system 2.4GHz , ZigBee We are communicating by protocol. Comcast XFINITY Home Security May not be alerted when wireless communication is interrupted, and it may take several minutes to several hours for communication to recover. Alerts will not occur while communication is interrupted. Therefore, by interfering with the wireless connection, Home Security It is possible to suppress the occurrence of alerts from. CWE-636: Not Failing Securely ('Failing Open') https://cwe.mitre.org/data/definitions/636.html For more information, Rapid7 See the blog post. Rapid7 Blog posts https://community.rapid7.com/community/infosec/blog/2016/01/05/r7-2015-23-comcast-xfinity-home-security-system-insecure-fail-open In addition, National Vulnerability Database (NVD) CVE-2016-2398 Then CWE-254 It is published as CWE-254: Security Features ( Security function ) http://cwe.mitre.org/data/definitions/254.htmlAlert operation may be interrupted. The ComcastXfinity Home Security System is Comcast's smart home monitoring system solution that provides residential alarms and services such as cable, internet and telephone services. Comcast XFINITY Home Security is a complete home security system from Comcast. The system provides functions such as online access security monitoring. A denial of service vulnerability exists in Comcast XFINITY Home Security. An attacker could use this vulnerability to cause a denial of service

Trust: 3.69

sources: NVD: CVE-2016-2398 // CERT/CC: VU#418072 // JVNDB: JVNDB-2016-001001 // CNVD: CNVD-2016-00114 // CNNVD: CNNVD-201601-301 // BID: 79863

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-00114

AFFECTED PRODUCTS

vendor:	comcast	model:	xfinity home security system	scope:	eq	version:	*	Trust: 1.0
vendor:	comcast	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	comcast	model:	xfinity home security	scope:	-	version:	-	Trust: 0.8
vendor:	comcast	model:	xfinity	scope:	-	version:	-	Trust: 0.6
vendor:	comcast	model:	xfinity home security system	scope:	-	version:	-	Trust: 0.6

sources: CERT/CC: VU#418072 // CNVD: CNVD-2016-00114 // JVNDB: JVNDB-2016-001001 // CNNVD: CNNVD-201602-326 // NVD: CVE-2016-2398

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-2398
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2016-2398
value:	LOW
Trust: 0.8
CNVD:	CNVD-2016-00114
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-201602-326
value:	LOW
Trust: 0.6

nvd@nist.gov:	CVE-2016-2398
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:N/I:N/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2016-00114
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:N/I:N/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2016-2398
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 1.0

sources: CNVD: CNVD-2016-00114 // JVNDB: JVNDB-2016-001001 // CNNVD: CNNVD-201602-326 // NVD: CVE-2016-2398

PROBLEMTYPE DATA

problemtype:	CWE-254	Trust: 1.0
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2016-001001 // NVD: CVE-2016-2398

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201601-301

TYPE

lack of information

Trust: 1.2

sources: CNNVD: CNNVD-201601-301 // CNNVD: CNNVD-201602-326

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001001

PATCH

title:

XFINITY Home Security Systems

url:

http://www.xfinity.com/home-security

Trust: 0.8

sources: JVNDB: JVNDB-2016-001001

EXTERNAL IDS

db:	CERT/CC	id:	VU#418072	Trust: 4.1
db:	NVD	id:	CVE-2016-2398	Trust: 2.7
db:	BID	id:	79863	Trust: 0.9
db:	JVN	id:	JVNVU94556181	Trust: 0.8
db:	JVNDB	id:	JVNDB-2016-001001	Trust: 0.8
db:	CNVD	id:	CNVD-2016-00114	Trust: 0.6
db:	CNNVD	id:	CNNVD-201601-301	Trust: 0.6
db:	CNNVD	id:	CNNVD-201602-326	Trust: 0.6

sources: CERT/CC: VU#418072 // CNVD: CNVD-2016-00114 // BID: 79863 // JVNDB: JVNDB-2016-001001 // CNNVD: CNNVD-201601-301 // CNNVD: CNNVD-201602-326 // NVD: CVE-2016-2398

REFERENCES

url:	https://community.rapid7.com/community/infosec/blog/2016/01/05/r7-2015-23-comcast-xfinity-home-security-system-insecure-fail-open	Trust: 4.1
url:	http://www.kb.cert.org/vuls/id/418072	Trust: 3.3
url:	http://www.wired.com/2016/01/xfinitys-security-system-flaws-open-homes-to-thieves/	Trust: 2.4
url:	http://www.xfinity.com/home-security	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/636.html	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2398	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu94556181/index.html	Trust: 0.8
url:	https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2398	Trust: 0.8
url:	http://www.securityfocus.com/bid/79863	Trust: 0.6
url:	http://www.xfinity.com/	Trust: 0.3

sources: CERT/CC: VU#418072 // CNVD: CNVD-2016-00114 // BID: 79863 // JVNDB: JVNDB-2016-001001 // CNNVD: CNNVD-201601-301 // CNNVD: CNNVD-201602-326 // NVD: CVE-2016-2398

CREDITS

Tod Beardsley and Phil Bosco of Rapid7.

Trust: 0.9

sources: BID: 79863 // CNNVD: CNNVD-201601-301

SOURCES

db:	CERT/CC	id:	VU#418072
db:	CNVD	id:	CNVD-2016-00114
db:	BID	id:	79863
db:	JVNDB	id:	JVNDB-2016-001001
db:	CNNVD	id:	CNNVD-201601-301
db:	CNNVD	id:	CNNVD-201602-326
db:	NVD	id:	CVE-2016-2398

LAST UPDATE DATE

2025-04-13T23:23:41.438000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#418072	date:	2016-01-05T00:00:00
db:	CNVD	id:	CNVD-2016-00114	date:	2016-01-08T00:00:00
db:	BID	id:	79863	date:	2016-07-06T14:07:00
db:	JVNDB	id:	JVNDB-2016-001001	date:	2016-03-16T00:00:00
db:	CNNVD	id:	CNNVD-201601-301	date:	2016-01-15T00:00:00
db:	CNNVD	id:	CNNVD-201602-326	date:	2016-02-18T00:00:00
db:	NVD	id:	CVE-2016-2398	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#418072	date:	2016-01-05T00:00:00
db:	CNVD	id:	CNVD-2016-00114	date:	2016-01-08T00:00:00
db:	BID	id:	79863	date:	2016-01-05T00:00:00
db:	JVNDB	id:	JVNDB-2016-001001	date:	2016-01-07T00:00:00
db:	CNNVD	id:	CNNVD-201601-301	date:	2016-01-15T00:00:00
db:	CNNVD	id:	CNNVD-201602-326	date:	2016-02-18T00:00:00
db:	NVD	id:	CVE-2016-2398	date:	2016-02-17T16:59:02.457