Details of VAR-202009-0114

ID

VAR-202009-0114

CVE

CVE-2020-14096

TITLE

Xiaomi AI speaker Rom buffer overflow vulnerability

Trust: 0.6

sources: CNVD: CNVD-2023-09657

DESCRIPTION

Memory overflow in Xiaomi AI speaker Rom version <1.59.6 can happen when the speaker verifying a malicious firmware during OTA process. Xiaomi AI speaker Rom is a smart speaker device from the Chinese company Xiaomi

Trust: 1.53

sources: NVD: CVE-2020-14096 // CNVD: CNVD-2023-09657 // VULMON: CVE-2020-14096

IOT TAXONOMY

category:	['IoT']	sub_category:	-	Trust: 0.6
category:	['wearable device']	sub_category:	smart speaker	Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2023-09657

AFFECTED PRODUCTS

vendor:	mi	model:	xiaomi ai speaker	scope:	lt	version:	1.59.6	Trust: 1.0
vendor:	xiaomi	model:	ai speaker rom	scope:	lt	version:	1.59.6	Trust: 0.6

sources: CNVD: CNVD-2023-09657 // NVD: CVE-2020-14096

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-14096
value:	CRITICAL
Trust: 1.0
CNVD:	CNVD-2023-09657
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202009-829
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2020-14096
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2020-14096
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2023-09657
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-14096
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2023-09657 // VULMON: CVE-2020-14096 // CNNVD: CNNVD-202009-829 // NVD: CVE-2020-14096

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.0

sources: NVD: CVE-2020-14096

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-829

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202009-829

PATCH

title:	Patch for Xiaomi AI speaker Rom buffer overflow vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/401551	Trust: 0.6
title:	Awesome iot security resource	url:	https://github.com/f1tao/awesome-iot-security-resource	Trust: 0.1
title:	Awesome iot security resource	url:	https://github.com/f0cus77/awesome-iot-security-resource	Trust: 0.1
title:	CVE-Flow Report 数据-所有数据-年度本日新增EXP 本日新增CVE及EXP预测 2020-09 当月新增EXP 2020-09 当月新增CVE及EXP预测	url:	https://github.com/404notf0und/CVE-Flow	Trust: 0.1

sources: CNVD: CNVD-2023-09657 // VULMON: CVE-2020-14096

EXTERNAL IDS

db:	NVD	id:	CVE-2020-14096	Trust: 2.4
db:	CNVD	id:	CNVD-2023-09657	Trust: 0.6
db:	CNNVD	id:	CNNVD-202009-829	Trust: 0.6
db:	OTHER	id:	NONE	Trust: 0.1
db:	VULMON	id:	CVE-2020-14096	Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2023-09657 // VULMON: CVE-2020-14096 // CNNVD: CNNVD-202009-829 // NVD: CVE-2020-14096

REFERENCES

url:	https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=19&locale=en	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14096	Trust: 1.2
url:	https://ieeexplore.ieee.org/abstract/document/10769424	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/119.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/f1tao/awesome-iot-security-resource	Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2023-09657 // VULMON: CVE-2020-14096 // CNNVD: CNNVD-202009-829 // NVD: CVE-2020-14096

SOURCES

db:	OTHER	id:	-
db:	CNVD	id:	CNVD-2023-09657
db:	VULMON	id:	CVE-2020-14096
db:	CNNVD	id:	CNNVD-202009-829
db:	NVD	id:	CVE-2020-14096

LAST UPDATE DATE

2025-01-30T20:17:14.437000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2023-09657	date:	2023-02-16T00:00:00
db:	VULMON	id:	CVE-2020-14096	date:	2020-09-17T00:00:00
db:	CNNVD	id:	CNNVD-202009-829	date:	2022-03-17T00:00:00
db:	NVD	id:	CVE-2020-14096	date:	2024-11-21T05:02:37.700

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2023-09657	date:	2023-02-16T00:00:00
db:	VULMON	id:	CVE-2020-14096	date:	2020-09-11T00:00:00
db:	CNNVD	id:	CNNVD-202009-829	date:	2020-09-11T00:00:00
db:	NVD	id:	CVE-2020-14096	date:	2020-09-11T14:15:11.223