Details of VAR-201804-1281

ID

VAR-201804-1281

CVE

CVE-2018-9119

TITLE

BrilliantTS FUZE Vulnerability related to lack of authentication for critical functions on cards

Trust: 0.8

sources: JVNDB: JVNDB-2018-004243

DESCRIPTION

An attacker with physical access to a BrilliantTS FUZE card (MCU firmware 0.1.73, BLE firmware 0.7.4) can unlock the card, extract credit card numbers, and tamper with data on the card via Bluetooth because no authentication is needed, as demonstrated by gatttool. BrilliantTS FUZE card is a smart card product. The product can encrypt and store bank card, credit card and other smart card information

Trust: 1.8

sources: NVD: CVE-2018-9119 // JVNDB: JVNDB-2018-004243 // VULHUB: VHN-139151 // VULMON: CVE-2018-9119

IOT TAXONOMY

category:

['home & office device']

sub_category:

smart card

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor:	brilliantts	model:	fuze card mcu	scope:	eq	version:	0.1.73	Trust: 1.6
vendor:	brilliantts	model:	fuze card ble	scope:	eq	version:	0.7.4	Trust: 1.6
vendor:	brilliantts	model:	ble	scope:	eq	version:	0.7.4	Trust: 0.8
vendor:	brilliantts	model:	mcu	scope:	eq	version:	0.1.73	Trust: 0.8

sources: JVNDB: JVNDB-2018-004243 // CNNVD: CNNVD-201804-306 // NVD: CVE-2018-9119

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-9119
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-9119
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201804-306
value:	LOW
Trust: 0.6
VULHUB:	VHN-139151
value:	LOW
Trust: 0.1
VULMON:	CVE-2018-9119
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2018-9119
severity:	LOW
baseScore:	3.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-139151
severity:	LOW
baseScore:	3.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-9119
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	0.9
impactScore:	5.2
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-139151 // VULMON: CVE-2018-9119 // JVNDB: JVNDB-2018-004243 // CNNVD: CNNVD-201804-306 // NVD: CVE-2018-9119

PROBLEMTYPE DATA

problemtype:

CWE-306

Trust: 1.9

sources: VULHUB: VHN-139151 // JVNDB: JVNDB-2018-004243 // NVD: CVE-2018-9119

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201804-306

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201804-306

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-004243

PATCH

title:

Stealing Credit Cards from FUZE via Bluetooth

url:

https://blog.ice9.us/2018/04/stealing-credit-cards-from-fuze-bluetooth.html

Trust: 0.8

sources: JVNDB: JVNDB-2018-004243

EXTERNAL IDS

db:	NVD	id:	CVE-2018-9119	Trust: 2.7
db:	JVNDB	id:	JVNDB-2018-004243	Trust: 0.8
db:	CNNVD	id:	CNNVD-201804-306	Trust: 0.7
db:	OTHER	id:	NONE	Trust: 0.1
db:	SEEBUG	id:	SSVID-97271	Trust: 0.1
db:	VULHUB	id:	VHN-139151	Trust: 0.1
db:	VULMON	id:	CVE-2018-9119	Trust: 0.1

sources: OTHER: None // VULHUB: VHN-139151 // VULMON: CVE-2018-9119 // JVNDB: JVNDB-2018-004243 // CNNVD: CNNVD-201804-306 // NVD: CVE-2018-9119

REFERENCES

url:	https://blog.ice9.us/2018/04/stealing-credit-cards-from-fuze-bluetooth.html	Trust: 1.8
url:	https://ice9.us/advisories/ice9-2018-001.txt	Trust: 1.8
url:	https://www.reddit.com/r/netsec/comments/89qrp1/stealing_credit_cards_from_fuze_via_bluetooth/	Trust: 1.8
url:	https://www.elttam.com/blog/fuzereview/#content	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-9119	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-9119	Trust: 0.8
url:	https://ieeexplore.ieee.org/abstract/document/10769424	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/306.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/141376	Trust: 0.1

sources: OTHER: None // VULHUB: VHN-139151 // VULMON: CVE-2018-9119 // JVNDB: JVNDB-2018-004243 // CNNVD: CNNVD-201804-306 // NVD: CVE-2018-9119

SOURCES

db:	OTHER	id:	-
db:	VULHUB	id:	VHN-139151
db:	VULMON	id:	CVE-2018-9119
db:	JVNDB	id:	JVNDB-2018-004243
db:	CNNVD	id:	CNNVD-201804-306
db:	NVD	id:	CVE-2018-9119

LAST UPDATE DATE

2025-01-30T20:14:53.626000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-139151	date:	2018-05-21T00:00:00
db:	VULMON	id:	CVE-2018-9119	date:	2018-05-21T00:00:00
db:	JVNDB	id:	JVNDB-2018-004243	date:	2018-06-14T00:00:00
db:	CNNVD	id:	CNNVD-201804-306	date:	2018-08-24T00:00:00
db:	NVD	id:	CVE-2018-9119	date:	2024-11-21T04:15:00.233

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-139151	date:	2018-04-04T00:00:00
db:	VULMON	id:	CVE-2018-9119	date:	2018-04-04T00:00:00
db:	JVNDB	id:	JVNDB-2018-004243	date:	2018-06-14T00:00:00
db:	CNNVD	id:	CNNVD-201804-306	date:	2018-04-04T00:00:00
db:	NVD	id:	CVE-2018-9119	date:	2018-04-04T18:29:02.433