SecuriTricks - CVE-2023-37822

Description

The Eufy Homebase 2 before firmware version 3.3.4.1h creates a dedicated wireless network for its ecosystem, which serves as a proxy to the end user's primary network. The WPA2-PSK generation of this dedicated network is flawed and solely based on the serial number. Due to the flawed generation process, the WPA2-PSK can be brute forced offline within seconds. This vulnerability allows an attacker in proximity to the dedicated wireless network to gain unauthorized access to the end user's primary network. The only requirement of the attack is proximity to the dedicated wireless network.

Product(s) Impacted

Vendor	Product	Versions
Eufy	Homebase 2 Firmware Homebase 2	* -

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-331

Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
o	eufy	homebase_2_firmware	/	/	/	/	/	/	/	/
h	eufy	homebase_2	-	/	/	/	/	/	/	/

References

http://anker.com

http://eufy.com

https://www.usenix.org/conference/woot24/presentation/goeman

https://www.usenix.org/system/files/woot24-goeman.pdf

CVSS Score

8.2 / 10

CVSS Data - 3.1

Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

View Vector String

Timeline

Published: Oct. 3, 2024, 6:15 p.m.
Last Modified: Oct. 29, 2024, 2:47 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

CVE-2023-37822