Details of VAR-201903-0072

ID

VAR-201903-0072

CVE

CVE-2019-9863

TITLE

plural ABUS Vulnerability related to cryptographic strength in products

Trust: 0.8

sources: JVNDB: JVNDB-2019-002902

DESCRIPTION

Due to the use of an insecure algorithm for rolling codes in the ABUS Secvest wireless alarm system FUAA50000 3.01.01 and its remote controls FUBE50014 and FUBE50015, an attacker is able to predict valid future rolling codes, and can thus remotely control the alarm system in an unauthorized way. ABUS Secvest wireless alarm system FUAA50000 , remote control FUBE50014 , FUBE50015 Contains a cryptographic strength vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ABUS Secvest FUBE50014 is a wireless remote control of ABUS company in Germany. There are security vulnerabilities in ABUS Secvest FUAA50000, FUBE50014, and FUB50015. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2018-034 Product: ABUS Secvest (FUAA50000) Manufacturer: ABUS Affected Version(s): v3.01.01 Tested Version(s): v3.01.01 Vulnerability Type: Rolling Code - Predictable from Observable State (CWE-341) Risk Level: High Solution Status: Open Manufacturer Notification: 2018-11-21 Solution Date: - Public Disclosure: 2019-03-25 CVE Reference: CVE-2019-9863 Authors of Advisory: Matthias Deeg (SySS GmbH), Thomas Detert ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: ABUS Secvest (FUAA50000) is a wireless alarm system with different features. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Thomas Detert developed a Teensy-based PoC tool using a CC1101 sub-1GHz transceiver that allows disarming the alarm system in an unauthorized way. He provided his tool including documentation and source to SySS GmbH for responsible disclosure purposes. Detert's PoC tool, a developed Python tool for the RFCat-based radio dongle YARD Stick One (see [3]), or a eZ430-Chronos (see [4]) with a specially developed firmware. Successful disarming attacks against an ABUS Secvest wireless alarm system are shown in our SySS proof-of-concept video "ABUS Secvest Rolling Code PoC Attack" [8]. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: SySS GmbH is not aware of a solution for this reported security vulnerability. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2018-11-21: Vulnerability reported to manufacturer 2018-11-28: Vulnerability reported to manufacturer once more 2018-12-12: E-mail to ABUS support asking if they are going to give some feedback regarding the reported security issue 2018-12-12: Phone call with ABUS support, the reported security advisories were forwarded to the ABUS Security Center Support 2018-12-12: E-mail to ABUS Security Center Support asking if they are going to give some feedback regarding the reported security issue 2019-01-14: Updated information regarding remote control ABUS Secvest FUBE50015 2019-03-25: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for ABUS Secvest wireless alarm system https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Alarm-panels-and-kits/Secvest-Wireless-Alarm-System [2] SySS Security Advisory SYSS-2016-117 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-117.txt [3] Product website YARD Stick One https://greatscottgadgets.com/yardstickone/ [4] Product website for Texas Instruments eZ430-Chronos http://www.ti.com/tool/EZ430-CHRONOS [5] SySS Security Advisory SYSS-2018-034 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-034.txt [6] SySS Security Advisory SYSS-2018-035 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-035.txt [7] SySS GmbH, SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ [8] SySS Proof-of-Concept Video: ABUS Secvest Rolling Code PoC Attack https://youtu.be/pSdsMVn-7gM ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Thomas Detert. Mr. Detert reported his finding to SySS GmbH where it was verified and later reported to the manufacturer by Matthias Deeg. E-Mail: matthias.deeg (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAlyUoKcACgkQ2aS/ajSt Tav+OBAAnJ6Vb6DVHhNWevqYKGjdn5eIIIHcfIrwe4bzKbXusNIVK9okNNkZT9i+ hRZfVSFR21uyamh950qNujjizNhGUnD3mezPx5ep0R7tPxhwcp67kgVjRef4PNEE p1rbhVFKKWlR4ygcmsAeKnnHQTGUK9UlYBlTt2RpPh4OCCRikPW0RuwfYuAxrvug kDpWV/XA2DivteL68jDYzCdXHG2toph1FGmfv5CTx0NiyKD/XSm952c17z/D78Qz AHvJT+xVMyZoUWqhSWHbwS+byBzVaXM2C3/89FBJ0YgolmrL1k8GvbYGe5fVlbBa +PcHpp2yRbhuDgANCdLGEvWMCaflbqUPZN/xyaySF5HaKmpULvU44QEtg9CjDKNv m0yyZDWaBAUMb574MsBZNAnFmyWPFuq1wd/hM5oxLoUyu6nbBlsLcpH/3E0LbJL0 ifNvk9KTsrvOItAV1fQl7/ccNcAeI+DB2yz44gtDaHjHvYCFjEHaQvws5a9L0PIF XYRuHI+BNNIIi2KwivpnR316MA2MgE0hEny708sdS879qP1eZ5gDXcrVvUPFDsbA DRH66TVPmoi2HMkKn95/PVLgqAYH0QFlGs3RkT+t7QS1K0gVCude4sTtxZFpT1A/ oxl2o8Kn4YhBDXvT9tUs1vaBFMO46MCgKF4yx3adPCRqK7twhiY= =eZ14 -----END PGP SIGNATURE-----

Trust: 1.89

sources: NVD: CVE-2019-9863 // JVNDB: JVNDB-2019-002902 // VULHUB: VHN-161298 // VULMON: CVE-2019-9863 // PACKETSTORM: 152212

AFFECTED PRODUCTS

vendor:	abus	model:	secvest wireless alarm system fuaa50000	scope:	eq	version:	3.01.01	Trust: 1.8
vendor:	abus	model:	secvest wireless remote control fube50015	scope:	eq	version:	-	Trust: 1.0
vendor:	abus	model:	secvest wireless remote control fube50014	scope:	eq	version:	-	Trust: 1.0
vendor:	abus	model:	secvest wireless remote control fube50014	scope:	-	version:	-	Trust: 0.8
vendor:	abus	model:	secvest wireless remote control fube50015	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2019-002902 // NVD: CVE-2019-9863

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-9863
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2019-9863
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201903-922
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-161298
value:	HIGH
Trust: 0.1
VULMON:	CVE-2019-9863
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-9863
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-161298
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-9863
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-161298 // VULMON: CVE-2019-9863 // JVNDB: JVNDB-2019-002902 // CNNVD: CNNVD-201903-922 // NVD: CVE-2019-9863

PROBLEMTYPE DATA

problemtype:	CWE-330	Trust: 1.0
problemtype:	CWE-326	Trust: 0.9

sources: VULHUB: VHN-161298 // JVNDB: JVNDB-2019-002902 // NVD: CVE-2019-9863

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 152212 // CNNVD: CNNVD-201903-922

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201903-922

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002902

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-161298

PATCH

title:

Top Page

url:

https://www.abus.com/eng

Trust: 0.8

sources: JVNDB: JVNDB-2019-002902

EXTERNAL IDS

db:	NVD	id:	CVE-2019-9863	Trust: 2.7
db:	PACKETSTORM	id:	152212	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-002902	Trust: 0.8
db:	CNNVD	id:	CNNVD-201903-922	Trust: 0.7
db:	VULHUB	id:	VHN-161298	Trust: 0.1
db:	VULMON	id:	CVE-2019-9863	Trust: 0.1

sources: VULHUB: VHN-161298 // VULMON: CVE-2019-9863 // JVNDB: JVNDB-2019-002902 // PACKETSTORM: 152212 // CNNVD: CNNVD-201903-922 // NVD: CVE-2019-9863

REFERENCES

url:	https://www.syss.de/fileadmin/dokumente/publikationen/advisories/syss-2018-034.txt	Trust: 2.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9863	Trust: 1.5
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9863	Trust: 0.8
url:	https://packetstormsecurity.com/files/152212/abus-secvest-3.01.01-insecure-algorithm.html	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/326.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	http://seclists.org/fulldisclosure/2019/mar/48	Trust: 0.1
url:	http://creativecommons.org/licenses/by/3.0/deed.en	Trust: 0.1
url:	https://www.syss.de/fileadmin/dokumente/publikationen/advisories/syss-2016-117.txt	Trust: 0.1
url:	https://www.syss.de/en/news/responsible-disclosure-policy/	Trust: 0.1
url:	https://www.syss.de/fileadmin/dokumente/publikationen/advisories/syss-2018-035.txt	Trust: 0.1
url:	https://www.syss.de/fileadmin/dokumente/materialien/pgpkeys/matthias_deeg.asc	Trust: 0.1
url:	https://www.abus.com/eng/home-security/alarm-systems/secvest-wireless-alarm-system/alarm-panels-and-kits/secvest-wireless-alarm-system	Trust: 0.1
url:	https://youtu.be/psdsmvn-7gm	Trust: 0.1
url:	http://www.ti.com/tool/ez430-chronos	Trust: 0.1
url:	https://greatscottgadgets.com/yardstickone/	Trust: 0.1

sources: VULHUB: VHN-161298 // VULMON: CVE-2019-9863 // JVNDB: JVNDB-2019-002902 // PACKETSTORM: 152212 // CNNVD: CNNVD-201903-922 // NVD: CVE-2019-9863

CREDITS

Matthias Deeg

Trust: 0.6

sources: CNNVD: CNNVD-201903-922

SOURCES

db:	VULHUB	id:	VHN-161298
db:	VULMON	id:	CVE-2019-9863
db:	JVNDB	id:	JVNDB-2019-002902
db:	PACKETSTORM	id:	152212
db:	CNNVD	id:	CNNVD-201903-922
db:	NVD	id:	CVE-2019-9863

LAST UPDATE DATE

2024-11-23T21:52:28.603000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-161298	date:	2019-03-28T00:00:00
db:	VULMON	id:	CVE-2019-9863	date:	2021-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2019-002902	date:	2019-04-25T00:00:00
db:	CNNVD	id:	CNNVD-201903-922	date:	2021-07-26T00:00:00
db:	NVD	id:	CVE-2019-9863	date:	2024-11-21T04:52:27.797

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-161298	date:	2019-03-27T00:00:00
db:	VULMON	id:	CVE-2019-9863	date:	2019-03-27T00:00:00
db:	JVNDB	id:	JVNDB-2019-002902	date:	2019-04-25T00:00:00
db:	PACKETSTORM	id:	152212	date:	2019-03-25T15:37:12
db:	CNNVD	id:	CNNVD-201903-922	date:	2019-03-25T00:00:00
db:	NVD	id:	CVE-2019-9863	date:	2019-03-27T14:29:02.127