ID

VAR-202004-1521


CVE

CVE-2018-6402


TITLE

Input validation vulnerability in Ecobee Ecobee4 devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-016280

DESCRIPTION

Ecobee Ecobee4 4.2.0.171 devices can be forced to deauthenticate and connect to an unencrypted Wi-Fi network with the same SSID, even if the device settings specify use of encryption such as WPA2, as long as the competing network has a stronger signal. An attacker must be able to set up a nearby SSID, similar to an "Evil Twin" attack. The Ecobee Ecobee4 device contains an input validation vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Ecobee Ecobee4 is a smart thermostat from the Canadian company Ecobee. Ecobee Ecobee4 version 4.2.0.171 has an input validation error vulnerability. The vulnerability stems from the network system or product not correctly validating input data. No detailed vulnerability information is currently available.

Trust: 2.25

sources: NVD: CVE-2018-6402 // JVNDB: JVNDB-2018-016280 // CNVD: CNVD-2020-25977 // VULMON: CVE-2018-6402

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-25977

AFFECTED PRODUCTS

vendor: ecobee, model: ecobee4, scope: eq, version: 4.2.0.171

Trust: 2.4

sources: CNVD: CNVD-2020-25977 // JVNDB: JVNDB-2018-016280 // NVD: CVE-2018-6402

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-6402
value: HIGH

Trust: 1.0

NVD: JVNDB-2018-016280
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-25977
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202004-922
value: HIGH

Trust: 0.6

VULMON: CVE-2018-6402
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-6402
severity: LOW
baseScore: 2.9
vectorString: AV:A/AC:M/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 5.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2018-016280
severity: LOW
baseScore: 2.9
vectorString: AV:A/AC:M/AU:N/C:P/I:N/A:N
accessVector: ADJACENT NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-25977
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2018-6402
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2018-016280
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-25977 // VULMON: CVE-2018-6402 // JVNDB: JVNDB-2018-016280 // CNNVD: CNNVD-202004-922 // NVD: CVE-2018-6402

PROBLEMTYPE DATA

problemtype:CWE-327

Trust: 1.0

problemtype:CWE-20

Trust: 0.8

sources: JVNDB: JVNDB-2018-016280 // NVD: CVE-2018-6402

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202004-922

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-202004-922

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-016280

PATCH

title: Top Page, url: https://www.ecobee.com

Trust: 0.8

sources: JVNDB: JVNDB-2018-016280

EXTERNAL IDS

db: NVD, id: CVE-2018-6402

Trust: 3.1

db: JVNDB, id: JVNDB-2018-016280

Trust: 0.8

db: CNVD, id: CNVD-2020-25977

Trust: 0.6

db: CNNVD, id: CNNVD-202004-922

Trust: 0.6

db: VULMON, id: CVE-2018-6402

Trust: 0.1

sources: CNVD: CNVD-2020-25977 // VULMON: CVE-2018-6402 // JVNDB: JVNDB-2018-016280 // CNNVD: CNNVD-202004-922 // NVD: CVE-2018-6402

REFERENCES

url:https://garrettmiller.github.io/meross-mss110-vuln/

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2018-6402

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-6402

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/327.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2018-6402 // JVNDB: JVNDB-2018-016280 // CNNVD: CNNVD-202004-922 // NVD: CVE-2018-6402

SOURCES

db: CNVD, id: CNVD-2020-25977
db: VULMON, id: CVE-2018-6402
db: JVNDB, id: JVNDB-2018-016280
db: CNNVD, id: CNNVD-202004-922
db: NVD, id: CVE-2018-6402

LAST UPDATE DATE

2024-11-23T22:21:12.602000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-25977, date: 2020-04-30T00:00:00
db: VULMON, id: CVE-2018-6402, date: 2020-08-24T00:00:00
db: JVNDB, id: JVNDB-2018-016280, date: 2020-05-07T00:00:00
db: CNNVD, id: CNNVD-202004-922, date: 2020-10-28T00:00:00
db: NVD, id: CVE-2018-6402, date: 2024-11-21T04:10:38.673

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-25977, date: 2020-04-30T00:00:00
db: VULMON, id: CVE-2018-6402, date: 2020-04-14T00:00:00
db: JVNDB, id: JVNDB-2018-016280, date: 2020-05-07T00:00:00
db: CNNVD, id: CNNVD-202004-922, date: 2020-04-14T00:00:00
db: NVD, id: CVE-2018-6402, date: 2020-04-14T19:15:16.750