ID

VAR-201704-0127


CVE

CVE-2016-5051


TITLE

OSRAM SYLVANIA Osram Lightify Home Information Disclosure Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2017-12299 // CNNVD: CNNVD-201704-519

DESCRIPTION

OSRAM SYLVANIA Osram Lightify Home before 2016-07-26 stores a PSK in cleartext under /private/var/mobile/Containers/Data/Application. OSRAM SYLVANIA Osram Lightify Home contains an information disclosure vulnerability. Information may be obtained. Attackers can use this vulnerability to capture and resume Zigbee communications, and respond to commands to interrupt lighting services. There are security vulnerabilities in OSRAM SYLVANIA Osram Lightify Pro 2016-07-26 and previous versions. OSRAM SYLVANIA Osram Lightify Home is an open IoT platform for automated control of lighting equipment from the German company OSRAM. OSRAM SYLVANIA Osram Lightify Home versions prior to 2016-07-26 have security vulnerabilities, which originate from the program storing the PSK in cleartext in the /private/var/mobile/Containers/Data/Application directory. An attacker could use this vulnerability to extract data from a file

Trust: 4.86

sources: NVD: CVE-2016-5051 // JVNDB: JVNDB-2016-008312 // CNVD: CNVD-2017-12296 // CNVD: CNVD-2017-12297 // CNVD: CNVD-2017-12295 // CNVD: CNVD-2017-12299 // CNVD: CNVD-2017-12298 // CNNVD: CNNVD-201704-519

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 3.0

sources: CNVD: CNVD-2017-12296 // CNVD: CNVD-2017-12297 // CNVD: CNVD-2017-12295 // CNVD: CNVD-2017-12299 // CNVD: CNVD-2017-12298

AFFECTED PRODUCTS

vendor: osram, model: sylvania osram lightify home, scope: lt, version: 2016-07-26

Trust: 3.0

vendor: osram, model: lightify home, scope: lte, version: 1.6.1

Trust: 1.0

vendor: osram, model: lightify home, scope: eq, version: 2016-07-26

Trust: 0.8

vendor: osram, model: lightify home, scope: eq, version: 1.6.1

Trust: 0.6

sources: CNVD: CNVD-2017-12296 // CNVD: CNVD-2017-12297 // CNVD: CNVD-2017-12295 // CNVD: CNVD-2017-12299 // CNVD: CNVD-2017-12298 // JVNDB: JVNDB-2016-008312 // CNNVD: CNNVD-201704-519 // NVD: CVE-2016-5051

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-5051
value: HIGH

Trust: 1.0

NVD: CVE-2016-5051
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-12296
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2017-12297
value: HIGH

Trust: 0.6

CNVD: CNVD-2017-12295
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2017-12299
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2017-12298
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201704-519
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2016-5051
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-12296
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2017-12297
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2017-12295
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2017-12299
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2017-12298
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2016-5051
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-12296 // CNVD: CNVD-2017-12297 // CNVD: CNVD-2017-12295 // CNVD: CNVD-2017-12299 // CNVD: CNVD-2017-12298 // JVNDB: JVNDB-2016-008312 // CNNVD: CNNVD-201704-519 // NVD: CVE-2016-5051

PROBLEMTYPE DATA

problemtype: CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2016-008312 // NVD: CVE-2016-5051

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-519

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201704-519

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-008312

PATCH

title: LIGHTIFY - smart connected light, url: https://www.osram.com/osram_com/tools-and-services/tools/lightify---smart-connected-light/

Trust: 0.8

title: OSRAM SYLVANIA Osram Lightify Home Repair measures for information disclosure vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70159

Trust: 0.6

sources: JVNDB: JVNDB-2016-008312 // CNNVD: CNNVD-201704-519

EXTERNAL IDS

db: NVD, id: CVE-2016-5051

Trust: 5.4

db: JVNDB, id: JVNDB-2016-008312

Trust: 0.8

db: CNVD, id: CNVD-2017-12296

Trust: 0.6

db: CNVD, id: CNVD-2017-12297

Trust: 0.6

db: CNVD, id: CNVD-2017-12295

Trust: 0.6

db: CNVD, id: CNVD-2017-12299

Trust: 0.6

db: CNVD, id: CNVD-2017-12298

Trust: 0.6

db: CNNVD, id: CNNVD-201704-519

Trust: 0.6

sources: CNVD: CNVD-2017-12296 // CNVD: CNVD-2017-12297 // CNVD: CNVD-2017-12295 // CNVD: CNVD-2017-12299 // CNVD: CNVD-2017-12298 // JVNDB: JVNDB-2016-008312 // CNNVD: CNNVD-201704-519 // NVD: CVE-2016-5051

REFERENCES

url: https://community.rapid7.com/community/infosec/blog/2016/07/26/r7-2016-10-multiple-osram-sylvania-osram-lightify-vulnerabilities-cve-2016-5051-through-5059

Trust: 5.4

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5051

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2016-5051

Trust: 0.8

sources: CNVD: CNVD-2017-12296 // CNVD: CNVD-2017-12297 // CNVD: CNVD-2017-12295 // CNVD: CNVD-2017-12299 // CNVD: CNVD-2017-12298 // JVNDB: JVNDB-2016-008312 // CNNVD: CNNVD-201704-519 // NVD: CVE-2016-5051

SOURCES

db: CNVD, id: CNVD-2017-12296
db: CNVD, id: CNVD-2017-12297
db: CNVD, id: CNVD-2017-12295
db: CNVD, id: CNVD-2017-12299
db: CNVD, id: CNVD-2017-12298
db: JVNDB, id: JVNDB-2016-008312
db: CNNVD, id: CNNVD-201704-519
db: NVD, id: CVE-2016-5051

LAST UPDATE DATE

2025-04-20T20:57:53.302000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-12296, date: 2017-06-30T00:00:00
db: CNVD, id: CNVD-2017-12297, date: 2017-06-30T00:00:00
db: CNVD, id: CNVD-2017-12295, date: 2017-06-30T00:00:00
db: CNVD, id: CNVD-2017-12299, date: 2017-06-30T00:00:00
db: CNVD, id: CNVD-2017-12298, date: 2017-06-30T00:00:00
db: JVNDB, id: JVNDB-2016-008312, date: 2017-05-15T00:00:00
db: CNNVD, id: CNNVD-201704-519, date: 2017-05-18T00:00:00
db: NVD, id: CVE-2016-5051, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-12296, date: 2017-06-30T00:00:00
db: CNVD, id: CNVD-2017-12297, date: 2017-06-30T00:00:00
db: CNVD, id: CNVD-2017-12295, date: 2017-06-30T00:00:00
db: CNVD, id: CNVD-2017-12299, date: 2017-06-30T00:00:00
db: CNVD, id: CNVD-2017-12298, date: 2017-06-30T00:00:00
db: JVNDB, id: JVNDB-2016-008312, date: 2017-05-15T00:00:00
db: CNNVD, id: CNNVD-201704-519, date: 2017-04-09T00:00:00
db: NVD, id: CVE-2016-5051, date: 2017-04-10T03:59:01.297