ID

VAR-201807-0064


CVE

CVE-2016-6539


TITLE

TrackR Bravo contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#617567

DESCRIPTION

The TrackR device ID is constructed of a manufacturer identifier of four zeroes followed by the BLE MAC address in reverse. The MAC address can be obtained by being in close proximity to the Bluetooth device, effectively exposing the device ID. The ID can be used to track devices. Updated apps, version 5.1.6 for iOS and 2.2.5 for Android, have been released by the vendor to address the vulnerabilities in CVE-2016-6538, CVE-2016-6539, CVE-2016-6540 and CVE-2016-6541. TrackR Bravo contains multiple vulnerabilities including sensitive information exposure and missing authentication. The TrackR device contains an information disclosure vulnerability. Information may be obtained. TrackR Bravo is prone to multiple information-disclosure and security-bypass vulnerabilities. An attacker can exploit this issue to gain access to sensitive information or bypass certain security restrictions and perform unauthorized actions.

Trust: 2.61

sources: NVD: CVE-2016-6539 // CERT/CC: VU#617567 // JVNDB: JVNDB-2016-009178 // BID: 93874

IOT TAXONOMY

category: ['industrial device'], sub_category: tracker

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: thetrackr, model: trackr, scope: lt, version: 2.2.5

Trust: 1.0

vendor: thetrackr, model: trackr, scope: lt, version: 5.1.6

Trust: 1.0

vendor: trackr, model: -, scope: -, version: -

Trust: 0.8

vendor: trackr, model: trackr, scope: -, version: -

Trust: 0.8

vendor: trackr, model: bravo, scope: eq, version: 0

Trust: 0.3

sources: CERT/CC: VU#617567 // BID: 93874 // JVNDB: JVNDB-2016-009178 // NVD: CVE-2016-6539

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-6539
value: LOW

Trust: 1.0

NVD: CVE-2016-6539
value: LOW

Trust: 0.8

CNNVD: CNNVD-201610-774
value: LOW

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2016-6539
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2016-6539
baseSeverity: LOW
baseScore: 3.5
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.1
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2016-009178 // CNNVD: CNNVD-201610-774 // NVD: CVE-2016-6539

PROBLEMTYPE DATA

problemtype: CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2016-009178 // NVD: CVE-2016-6539

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201610-774

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201610-774

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-009178

PATCH

title: Top Page, url: https://www.thetrackr.com/jp/

Trust: 0.8

title: TrackR Bravo Repair measures for information disclosure vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99594

Trust: 0.6

sources: JVNDB: JVNDB-2016-009178 // CNNVD: CNNVD-201610-774

EXTERNAL IDS

db: CERT/CC, id: VU#617567

Trust: 3.5

db: NVD, id: CVE-2016-6539

Trust: 2.8

db: BID, id: 93874

Trust: 1.9

db: JVNDB, id: JVNDB-2016-009178

Trust: 0.8

db: CNNVD, id: CNNVD-201610-774

Trust: 0.6

db: OTHER, id: NONE

Trust: 0.1

sources: OTHER: None // CERT/CC: VU#617567 // BID: 93874 // JVNDB: JVNDB-2016-009178 // CNNVD: CNNVD-201610-774 // NVD: CVE-2016-6539

REFERENCES

url:https://www.kb.cert.org/vuls/id/617567

Trust: 2.7

url:https://www.kb.cert.org/vuls/id/tnoy-af3kcz

Trust: 2.4

url:http://www.securityfocus.com/bid/93874

Trust: 1.6

url:https://blog.rapid7.com/2016/10/25/multiple-bluetooth-low-energy-ble-tracker-vulnerabilities/

Trust: 1.6

url:https://www.thetrackr.com/bravo

Trust: 1.1

url:https://community.rapid7.com/community/infosec/blog/2016/10/25/multiple-bluetooth-low-energy-ble-tracker-vulnerabilities

Trust: 1.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6539

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2016-6539

Trust: 0.8

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

sources: OTHER: None // CERT/CC: VU#617567 // BID: 93874 // JVNDB: JVNDB-2016-009178 // CNNVD: CNNVD-201610-774 // NVD: CVE-2016-6539

CREDITS

Deral Heiland and Adam Compton of Rapid7, Inc.

Trust: 0.6

sources: CNNVD: CNNVD-201610-774

SOURCES

db: OTHER, id: -
db: CERT/CC, id: VU#617567
db: BID, id: 93874
db: JVNDB, id: JVNDB-2016-009178
db: CNNVD, id: CNNVD-201610-774
db: NVD, id: CVE-2016-6539

LAST UPDATE DATE

2025-01-30T21:16:39.080000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#617567, date: 2016-10-27T00:00:00
db: BID, id: 93874, date: 2016-10-26T01:17:00
db: JVNDB, id: JVNDB-2016-009178, date: 2018-09-21T00:00:00
db: CNNVD, id: CNNVD-201610-774, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2016-6539, date: 2024-11-21T02:56:18.943

SOURCES RELEASE DATE

db: CERT/CC, id: VU#617567, date: 2016-10-25T00:00:00
db: BID, id: 93874, date: 2016-10-25T00:00:00
db: JVNDB, id: JVNDB-2016-009178, date: 2018-09-21T00:00:00
db: CNNVD, id: CNNVD-201610-774, date: 2016-10-28T00:00:00
db: NVD, id: CVE-2016-6539, date: 2018-07-06T21:29:00.280