CVE-2018-19983

Severity Score

6.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered on Sigma Design Z-Wave S0 through S2 devices. An attacker first prepares a Z-Wave frame-transmission program (e.g., Z-Wave PC Controller, OpenZWave, CC1110, etc.). Next, the attacker conducts a DoS attack against the Z-Wave S0 Security version product by continuously sending divided "Nonce Get (0x98 0x81)" frames. The reason for dividing the "Nonce Get" frame is that, in security version S0, when a node receives a "Nonce Get" frame, the node produces a random new nonce and sends it to the Src node of the received "Nonce Get" frame. After the nonce value is generated and transmitted, the node transitions to wait mode. At this time, when "Nonce Get" is received again, the node discards the previous nonce value and generates a random nonce again. Therefore, because the frame is encrypted with previous nonce value, the received normal frame cannot be decrypted.

Se ha descubierto un problema en dispositivos Sigma Design Z-Wave, del S0 al S2. En primer lugar, un atacante prepara un programa de transmisión de frames Z-Wave (Z-Wave PC Controller, OpenZWave, CC1110, etc.). A continuación, el atacante lleva a cabo un ataque de denegación de servicio (DoS) contra el producto Z-Wave S0 Security mediante el envío continuado de frames "Nonce Get (0x98 0x81)" divididos. El motivo para dividir el frame "Nonce Get" es que, en la versión S0 de seguridad, cuando un nodo recibe el frame "Nonce Get", éste produce un nuevo nonce aleatorio y lo envía al nodo Src del frame "Nonce Get" recibido. Una vez se ha generado y transmitido el valor del nonce, el nodo pasa a modo de espera. En este momento, cuando se vuelve a recibir "Nonce Get", el nodo descarta el nonce anterior y genera un nonce aleatorio de nuevo. Por lo tanto, debido a que el frame está cifrado con el valor del nonce anterior, el frame normal recibido no puede ser descifrado.

*Credits: N/A

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Adjacent

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-12-09 CVE Reserved
2018-12-09 CVE Published
2024-08-05 CVE Updated
2024-10-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-330: Use of Insufficiently Random Values

CAPEC

References (1)

URL	Tag	Source
https://github.com/min1233/CVE/blob/master/2	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Silabs Search vendor "Silabs"	Z-wave S0 Firmware Search vendor "Silabs" for product "Z-wave S0 Firmware"	-	-	Affected	in	Silabs Search vendor "Silabs"	Z-wave S0 Search vendor "Silabs" for product "Z-wave S0"	-	-	Safe
Silabs Search vendor "Silabs"	Z-wave S2 Firmware Search vendor "Silabs" for product "Z-wave S2 Firmware"	-	-	Affected	in	Silabs Search vendor "Silabs"	Z-wave S2 Search vendor "Silabs" for product "Z-wave S2"	-	-	Safe