Fibaro Home Center Insufficient remote access server authorization
CVE-2021-20989

5.9MEDIUM

Key Information:

Vendor

Fibar Group S.a

Status
Fibaro Home Center
Vendor
CVE Published:
19 April 2021

What is CVE-2021-20989?

Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using DNS spoofing attack and a device initiated remote port-forward channel can be used to connect to the web management interface. Knowledge of authorization credentials to the management interface is required to perform any further actions.

Affected Version(s)

Fibaro Home Center Home Center 2 <= 4.600

Fibaro Home Center Home Center Lite <= 4.600

References

https://www.iot-inspector.com/blog/advisory-fibaro-home-c...
x_refsource_CONFIRM
http://seclists.org/fulldisclosure/2021/Apr/27
mailing-listx_refsource_FULLDISC
http://packetstormsecurity.com/files/162243/Fibaro-Home-C...
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marton Illes IoT Inspector Research Lab https://www.iot-inspector.com
JSON
.
CVE-2021-20989 : Fibaro Home Center Insufficient remote access server authorization