ID

VAR-201708-0199


CVE

CVE-2015-1600


TITLE

Netatmo Indoor Module Information disclosure vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2015-007848

DESCRIPTION

Information disclosure vulnerability in Netatmo Indoor Module firmware 100 and earlier. Successful exploits may allow an attacker to gain access to sensitive information that may aid in further attacks. Netatmo Indoor Module is an indoor environment monitoring device produced by the French company Netatmo.

Summary: During initial setup, the weather station will submit its complete configuration unencrypted to the manufacturer cloud service. This configuration includes confidential information like the user's Wifi password. The problem has been fixed by removing this configuration dump from current firmware versions.

CVE: CVE-2015-1600

Additional Details: https://isc.sans.edu/forums/diary/Did+You+Remove+That+Debug+Code+Netatmo+Weather+Station+Sending+WPA+Passphrase+in+the+Clear/19327/

Manufacturer's web site: www.netatmo.com

Patch: Affected systems will download updated firmware automatically from Netatmo's cloud service

Trust: 2.07

sources: NVD: CVE-2015-1600 // JVNDB: JVNDB-2015-007848 // BID: 72622 // VULHUB: VHN-79561 // PACKETSTORM: 130401

AFFECTED PRODUCTS

vendor: netatmo, model: indoor module, scope: lte, version: 100.0

Trust: 1.0

vendor: netatmo, model: indoor module, scope: lte, version: 100

Trust: 0.8

vendor: netatmo, model: indoor module, scope: eq, version: 100.0

Trust: 0.6

vendor: netatmo, model: indoor module, scope: eq, version: 100

Trust: 0.3

sources: BID: 72622 // JVNDB: JVNDB-2015-007848 // CNNVD: CNNVD-201503-083 // NVD: CVE-2015-1600

CVSS

SEVERITY

nvd@nist.gov: CVE-2015-1600
value: HIGH

Trust: 1.0

NVD: CVE-2015-1600
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201503-083
value: MEDIUM

Trust: 0.6

VULHUB: VHN-79561
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2015-1600
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-79561
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2015-1600
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-79561 // JVNDB: JVNDB-2015-007848 // CNNVD: CNNVD-201503-083 // NVD: CVE-2015-1600

PROBLEMTYPE DATA

problemtype: CWE-200

Trust: 1.9

sources: VULHUB: VHN-79561 // JVNDB: JVNDB-2015-007848 // NVD: CVE-2015-1600

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201503-083

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201503-083

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-007848

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-79561

PATCH

title: Top page, url: https://www.netatmo.com/ja-JP/site/

Trust: 0.8

sources: JVNDB: JVNDB-2015-007848

EXTERNAL IDS

db: NVD, id: CVE-2015-1600

Trust: 2.9

db: BID, id: 72622

Trust: 2.0

db: PACKETSTORM, id: 130401

Trust: 1.8

db: JVNDB, id: JVNDB-2015-007848

Trust: 0.8

db: CNNVD, id: CNNVD-201503-083

Trust: 0.7

db: VULHUB, id: VHN-79561

Trust: 0.1

sources: VULHUB: VHN-79561 // BID: 72622 // JVNDB: JVNDB-2015-007848 // PACKETSTORM: 130401 // CNNVD: CNNVD-201503-083 // NVD: CVE-2015-1600

REFERENCES

url: https://isc.sans.edu/forums/diary/did+you+remove+that+debug+code+netatmo+weather+station+sending+wpa+passphrase+in+the+clear/19327

Trust: 2.5

url: http://www.securityfocus.com/bid/72622

Trust: 1.7

url: http://packetstormsecurity.com/files/130401/netatmo-weather-station-cleartext-password-leak.html

Trust: 1.7

url: http://www.securityfocus.com/archive/1/534707/100/1600/threaded

Trust: 1.1

url: https://nvd.nist.gov/vuln/detail/cve-2015-1600

Trust: 0.9

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-1600

Trust: 0.8

url: http://www.securityfocus.com/archive/1/archive/1/534707/100/1600/threaded

Trust: 0.6

url: https://www.netatmo.com/en-us/product/weather-station

Trust: 0.3

url: https://isc.sans.edu/forums/diary/did+you+remove+that+debug+code+netatmo+weather+station+sending+wpa+passphrase+in+the+clear/19327/

Trust: 0.3

url: https://www.netatmo.com

Trust: 0.1

url: https://isc.sans.edu/forums/diary/did+you+remove+that+debug+code+netatmo+weather+station+sending+wpa+passphrase+in+the+clear/19327/

Trust: 0.1

sources: VULHUB: VHN-79561 // BID: 72622 // JVNDB: JVNDB-2015-007848 // PACKETSTORM: 130401 // CNNVD: CNNVD-201503-083 // NVD: CVE-2015-1600

CREDITS

jullrich

Trust: 1.0

sources: BID: 72622 // PACKETSTORM: 130401 // CNNVD: CNNVD-201503-083

SOURCES

db: VULHUB, id: VHN-79561
db: BID, id: 72622
db: JVNDB, id: JVNDB-2015-007848
db: PACKETSTORM, id: 130401
db: CNNVD, id: CNNVD-201503-083
db: NVD, id: CVE-2015-1600

LAST UPDATE DATE

2025-04-20T23:30:54.113000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-79561, date: 2018-10-09T00:00:00
db: BID, id: 72622, date: 2015-02-13T00:00:00
db: JVNDB, id: JVNDB-2015-007848, date: 2017-09-28T00:00:00
db: CNNVD, id: CNNVD-201503-083, date: 2017-08-29T00:00:00
db: NVD, id: CVE-2015-1600, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB, id: VHN-79561, date: 2017-08-28T00:00:00
db: BID, id: 72622, date: 2015-02-13T00:00:00
db: JVNDB, id: JVNDB-2015-007848, date: 2017-09-28T00:00:00
db: PACKETSTORM, id: 130401, date: 2015-02-13T18:22:22
db: CNNVD, id: CNNVD-201503-083, date: 2015-02-13T00:00:00
db: NVD, id: CVE-2015-1600, date: 2017-08-28T19:29:00.573