ID

VAR-202407-2514


CVE

CVE-2020-11917


TITLE

Vulnerability in Svakom Siime Eye firmware where resources are initialized to insecure default values

Trust: 0.8

sources: JVNDB: JVNDB-2020-018373

DESCRIPTION

An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. It uses a default SSID value, which makes it easier for remote attackers to discover the physical locations of many Siime Eye devices, violating the privacy of users who do not wish to disclose their ownership of this type of device. (Various resources such as wigle.net can be used for mapping of SSIDs to physical locations.)

The Svakom Siime Eye firmware contains a vulnerability in initializing resources to insecure default values. Information may be obtained.

As the device is turned on only for limited periods, fewer devices are detected via Wigle than one might expect. Using this site, it is possible to filter on specific SSIDs. When a filter is applied to find the default SSID of the Siime Eye, it is possible to find several devices across the globe. The map shown on Wigle shows an approximate physical location for the device and hence makes physical or physical-proximity attacks more likely. In addition, it violates the user's privacy, as everyone on the internet is capable of detecting where the devices are being used.

------------------------------------------

[VulnerabilityType Other]
Information disclosure

------------------------------------------

[Vendor of Product]
Svakom

------------------------------------------

[Affected Product Code Base]
Siime Eye - 14.1.00000001.3.330.0.0.3.14

------------------------------------------

[Affected Component]
Siime Eye Wi-Fi access point

------------------------------------------

[Attack Type]
Context-dependent

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
In order to exploit this issue an attacker needs to simply search for the Siime Eye SSID on wigle.net

------------------------------------------

[Reference]
https://wigle.net
N/A

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit cyber security in assignment of the Consumentenbond.

Use CVE-2020-11917

Trust: 1.71

sources: NVD: CVE-2020-11917 // JVNDB: JVNDB-2020-018373 // PACKETSTORM: 179796

AFFECTED PRODUCTS

vendor: svakom | model: siime eye | scope: eq | version: 14.1.00000001.3.330.0.0.3.14

Trust: 1.0

vendor: svakom | model: siime eye | scope: - | version: -

Trust: 0.8

vendor: svakom | model: siime eye | scope: eq | version: siime eye firmware 14.1.00000001.3.330.0.0.3.14

Trust: 0.8

vendor: svakom | model: siime eye | scope: eq | version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-018373 // NVD: CVE-2020-11917

CVSS

SEVERITY

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2020-11917
value: MEDIUM

Trust: 1.0

OTHER: JVNDB-2020-018373
value: MEDIUM

Trust: 0.8

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2020-11917
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 1.0

OTHER: JVNDB-2020-018373
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-018373 // NVD: CVE-2020-11917

PROBLEMTYPE DATA

problemtype: CWE-1188

Trust: 1.0

problemtype: Initializing Resources to Unsafe Default Values (CWE-1188) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2020-018373 // NVD: CVE-2020-11917

THREAT TYPE

remote

Trust: 0.1

sources: PACKETSTORM: 179796

EXTERNAL IDS

db: NVD | id: CVE-2020-11917

Trust: 2.8

db: JVNDB | id: JVNDB-2020-018373

Trust: 0.8

db: OTHER | id: NONE

Trust: 0.1

db: PACKETSTORM | id: 179796

Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2020-018373 // PACKETSTORM: 179796 // NVD: CVE-2020-11917

REFERENCES

url: https://seclists.org/fulldisclosure/2024/jul/14

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2020-11917

Trust: 0.9

url: https://wigle.net

Trust: 0.1

sources: JVNDB: JVNDB-2020-018373 // PACKETSTORM: 179796 // NVD: CVE-2020-11917

CREDITS

Willem Westerhof | Secura

Trust: 0.1

sources: OTHER: None

SOURCES

db: OTHER | id: -
db: JVNDB | id: JVNDB-2020-018373
db: PACKETSTORM | id: 179796
db: NVD | id: CVE-2020-11917

LAST UPDATE DATE

2025-04-26T20:37:04.133000+00:00


SOURCES UPDATE DATE

db: JVNDB | id: JVNDB-2020-018373 | date: 2025-04-25T05:10:00
db: NVD | id: CVE-2020-11917 | date: 2025-04-24T13:42:09.087

SOURCES RELEASE DATE

db: OTHER | id: - | date: 2024-07-26T13:11:06
db: JVNDB | id: JVNDB-2020-018373 | date: 2025-04-25T00:00:00
db: PACKETSTORM | id: 179796 | date: 2024-07-30T12:35:43
db: NVD | id: CVE-2020-11917 | date: 2024-11-07T18:15:15.370