CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-9061
https://notcve.org/view.php?id=CVE-2020-9061
Z-Wave devices using Silicon Labs 500 and 700 series chipsets, including but not likely limited to the SiLabs UZB-7 version 7.00, ZooZ ZST10 version 6.04, Aeon Labs ZW090-A version 3.95, and Samsung STH-ETH-200 version 6.04, are susceptible to denial of service via malformed routing messages. Los dispositivos Z-Wave que usan los conjuntos de chips de las series 500 y 700 de Silicon Labs, incluyendo pero sin limitarse a SiLabs UZB-7 versión 7.00, ZooZ ZST10 versión 6.04, Aeon Labs ZW090-A versión 3.95 y Samsung STH-ETH-200 versión 6.04, son susceptibles a una denegación de servicio por medio de mensajes de enrutamiento malformados • https://doi.org/10.1109/ACCESS.2021.3138768 https://github.com/CNK2100/VFuzz-public https://ieeexplore.ieee.org/document/9663293 https://kb.cert.org/vuls/id/142629 https://www.kb.cert.org/vuls/id/142629 • CWE-285: Improper Authorization •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-9060
https://notcve.org/view.php?id=CVE-2020-9060
Z-Wave devices based on Silicon Labs 500 series chipsets using S2, including but likely not limited to the ZooZ ZST10 version 6.04, ZooZ ZEN20 version 5.03, ZooZ ZEN25 version 5.03, Aeon Labs ZW090-A version 3.95, and Fibaro FGWPB-111 version 4.3, are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages. Los dispositivos Z-Wave basados en los conjuntos de chips de la serie 500 de Silicon Labs que usan S2, incluidos, entre otros, ZooZ ZST10 versión 6.04, ZooZ ZEN20 versión 5.03, ZooZ ZEN25 versión 5.03, Aeon Labs ZW090-A versión 3. 95, y Fibaro FGWPB-111 versión 4.3, son susceptibles a una denegación de servicio y al agotamiento de recursos por medio de mensajes malformados SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, o NIF REQUEST • https://doi.org/10.1109/ACCESS.2021.3138768 https://github.com/CNK2100/VFuzz-public https://ieeexplore.ieee.org/document/9663293 https://kb.cert.org/vuls/id/142629 https://www.kb.cert.org/vuls/id/142629 • CWE-346: Origin Validation Error CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-9059
https://notcve.org/view.php?id=CVE-2020-9059
Z-Wave devices based on Silicon Labs 500 series chipsets using S0 authentication are susceptible to uncontrolled resource consumption leading to battery exhaustion. As an example, the Schlage BE468 version 3.42 door lock is vulnerable and fails open at a low battery level. Los dispositivos Z-Wave basados en los conjuntos de chips de la serie 500 de Silicon Labs que usan la autenticación S0 son susceptibles a un consumo de recursos no controlados, conllevando a un agotamiento de la batería. Como ejemplo, la cerradura de puerta Schlage BE468 versión 3.42 es vulnerable y falla al abrirse con un nivel bajo de batería • https://doi.org/10.1109/ACCESS.2021.3138768 https://github.com/CNK2100/VFuzz-public https://ieeexplore.ieee.org/document/9663293 https://kb.cert.org/vuls/id/142629 https://www.kb.cert.org/vuls/id/142629 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-9058
https://notcve.org/view.php?id=CVE-2020-9058
Z-Wave devices based on Silicon Labs 500 series chipsets using CRC-16 encapsulation, including but likely not limited to the Linear LB60Z-1 version 3.5, Dome DM501 version 4.26, and Jasco ZW4201 version 4.05, do not implement encryption or replay protection. Los dispositivos Z-Wave basados en los conjuntos de chips de la serie 500 de Silicon Labs que usan encapsulación CRC-16, incluidos, entre otros, el Linear LB60Z-1 versión 3.5, el Dome DM501 versión 4.26 y el Jasco ZW4201 versión 4.05, no implementan el cifrado ni la protección contra repeticiones • https://doi.org/10.1109/ACCESS.2021.3138768 https://github.com/CNK2100/VFuzz-public https://ieeexplore.ieee.org/document/9663293 https://kb.cert.org/vuls/id/142629 https://www.kb.cert.org/vuls/id/142629 • CWE-311: Missing Encryption of Sensitive Data •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2020-9057
https://notcve.org/view.php?id=CVE-2020-9057
Z-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets do not support encryption, allowing an attacker within radio range to take control of or cause a denial of service to a vulnerable device. An attacker can also capture and replay Z-Wave traffic. Firmware upgrades cannot directly address this vulnerability as it is an issue with the Z-Wave specification for these legacy chipsets. One way to protect against this vulnerability is to use 500 or 700 series chipsets that support Security 2 (S2) encryption. As examples, the Linear WADWAZ-1 version 3.43 and WAPIRZ-1 version 3.43 (with 300 series chipsets) are vulnerable. • https://doi.org/10.1109/ACCESS.2021.3138768 https://github.com/CNK2100/VFuzz-public https://ieeexplore.ieee.org/document/9663293 https://kb.cert.org/vuls/id/142629 https://www.kb.cert.org/vuls/id/142629 • CWE-311: Missing Encryption of Sensitive Data •