ID

VAR-202004-0389


CVE

CVE-2020-10262


TITLE

Input verification vulnerability in XIAOMI XIAOAI speaker Pro LX06

Trust: 0.8

sources: JVNDB: JVNDB-2020-003879

DESCRIPTION

An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.58.10. Attackers can activate the failsafe mode during the boot process and use the mi_console command cascaded with the SN code shown on the product to get the root shell password; the attacker can then (i) read the Wi-Fi SSID or password, (ii) read the dialogue text files between users and the XIAOMI XIAOAI speaker Pro LX06, (iii) use Text-To-Speech tools to imitate the XIAOMI speaker's voice for social engineering attacks, (iv) eavesdrop on users and record what the XIAOMI XIAOAI speaker Pro LX06 hears, (v) modify system files, (vi) use commands to send any IR code through the IR emitter on the XIAOMI XIAOAI Speaker Pro (LX06), (vii) stop the voice assistant service, (viii) enable the XIAOMI XIAOAI Speaker Pro's SSH or TELNET service as a backdoor, and (ix) tamper with the configuration of the router in the local area network. There is an input verification vulnerability in XIAOMI XIAOAI speaker Pro LX06. Information may be obtained, information may be tampered with, and the service may be put into a denial-of-service (DoS) state. Xiaomi Xiao AI Speaker Pro LX06 is a smart speaker from China's Xiaomi Technology (Xiaomi).

Trust: 2.16

sources: NVD: CVE-2020-10262 // JVNDB: JVNDB-2020-003879 // CNVD: CNVD-2020-22993

IOT TAXONOMY

category: ['IoT']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-22993

AFFECTED PRODUCTS

vendor: mi
model: xiaomi xiaoai speaker pro lx06
scope: eq
version: 1.58.10

Trust: 1.0

vendor: xiaomi
model: xiaoai speaker pro lx06
scope: eq
version: 1.58.10

Trust: 0.8

vendor: xiaomi
model: xiao ai speaker pro lx06
scope: eq
version: 1.58.10

Trust: 0.6

sources: CNVD: CNVD-2020-22993 // JVNDB: JVNDB-2020-003879 // NVD: CVE-2020-10262

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-10262
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-003879
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-22993
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202004-482
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2020-10262
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-003879
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-22993
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2020-10262
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003879
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-22993 // JVNDB: JVNDB-2020-003879 // CNNVD: CNNVD-202004-482 // NVD: CVE-2020-10262

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: CWE-20

Trust: 0.8

sources: JVNDB: JVNDB-2020-003879 // NVD: CVE-2020-10262

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202004-482

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003879

PATCH

title: Xiaomi Security Center
url: https://sec.xiaomi.com

Trust: 0.8

sources: JVNDB: JVNDB-2020-003879

EXTERNAL IDS

db: NVD    id: CVE-2020-10262

Trust: 3.0

db: JVNDB  id: JVNDB-2020-003879

Trust: 0.8

db: CNVD   id: CNVD-2020-22993

Trust: 0.6

db: CNNVD  id: CNNVD-202004-482

Trust: 0.6

sources: CNVD: CNVD-2020-22993 // JVNDB: JVNDB-2020-003879 // CNNVD: CNNVD-202004-482 // NVD: CVE-2020-10262

REFERENCES

url: https://github.com/jian-xian/cve-poc/blob/master/cve-2020-10262.md

Trust: 2.4

url: https://www.youtube.com/watch?v=cr5dupgxml4

Trust: 1.6

url: https://sec.xiaomi.com

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2020-10262

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10262

Trust: 0.8

sources: JVNDB: JVNDB-2020-003879 // CNNVD: CNNVD-202004-482 // NVD: CVE-2020-10262

SOURCES

db: CNVD   id: CNVD-2020-22993
db: JVNDB  id: JVNDB-2020-003879
db: CNNVD  id: CNNVD-202004-482
db: NVD    id: CVE-2020-10262

LAST UPDATE DATE

2024-11-23T22:11:34.959000+00:00


SOURCES UPDATE DATE

db: CNVD   id: CNVD-2020-22993    date: 2020-04-15T00:00:00
db: JVNDB  id: JVNDB-2020-003879  date: 2020-04-27T00:00:00
db: CNNVD  id: CNNVD-202004-482   date: 2020-04-14T00:00:00
db: NVD    id: CVE-2020-10262     date: 2024-11-21T04:55:05.260

SOURCES RELEASE DATE

db: CNVD   id: CNVD-2020-22993    date: 2020-04-15T00:00:00
db: JVNDB  id: JVNDB-2020-003879  date: 2020-04-27T00:00:00
db: CNNVD  id: CNNVD-202004-482   date: 2020-04-08T00:00:00
db: NVD    id: CVE-2020-10262     date: 2020-04-08T18:15:15.197