ID

VAR-201806-1421


CVE

CVE-2018-12716


TITLE

Information disclosure vulnerability in Google Home and Chromecast devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-007060

DESCRIPTION

The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding attacks from reading the scan_results JSON data, which allows remote attackers to determine the physical location of most web browsers by leveraging the presence of one of these devices on its local network, extracting the scan_results bssid fields, and sending these fields in a geolocation/v1/geolocate Google Maps Geolocation API request. Google Home and Chromecast devices contain an information disclosure vulnerability. Information may be obtained. Google Home and Chromecast are both products of Google. Chromecast is an Internet TV set-top box device. The API services in Google Home and Chromecast have security flaws. A remote attacker could exploit this vulnerability to determine the physical location of most web browsers.

Trust: 1.71

sources: NVD: CVE-2018-12716 // JVNDB: JVNDB-2018-007060 // VULHUB: VHN-122703

AFFECTED PRODUCTS

vendor: google, model: chromecast, scope: eq, version: -

Trust: 1.6

vendor: google, model: home, scope: eq, version: -

Trust: 1.6

vendor: google, model: chromecast, scope: eq, version: mid-july 2018

Trust: 0.8

vendor: google, model: home, scope: eq, version: mid-july 2018

Trust: 0.8

sources: JVNDB: JVNDB-2018-007060 // CNNVD: CNNVD-201806-1208 // NVD: CVE-2018-12716

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-12716
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-12716
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201806-1208
value: LOW

Trust: 0.6

VULHUB: VHN-122703
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-12716
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-122703
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-12716
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-122703 // JVNDB: JVNDB-2018-007060 // CNNVD: CNNVD-201806-1208 // NVD: CVE-2018-12716

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-122703 // JVNDB: JVNDB-2018-007060 // NVD: CVE-2018-12716

THREAT TYPE

specific network environment

Trust: 0.6

sources: CNNVD: CNNVD-201806-1208

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201806-1208

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-007060

PATCH

title: Google Services, url: https://www.google.com/about/products/

Trust: 0.8

sources: JVNDB: JVNDB-2018-007060

EXTERNAL IDS

db: NVD, id: CVE-2018-12716

Trust: 2.5

db: JVNDB, id: JVNDB-2018-007060

Trust: 0.8

db: CNNVD, id: CNNVD-201806-1208

Trust: 0.7

db: VULHUB, id: VHN-122703

Trust: 0.1

sources: VULHUB: VHN-122703 // JVNDB: JVNDB-2018-007060 // CNNVD: CNNVD-201806-1208 // NVD: CVE-2018-12716

REFERENCES

url:https://krebsonsecurity.com/2018/06/google-to-fix-location-data-leak-in-google-home-chromecast/

Trust: 2.5

url:https://www.tripwire.com/state-of-security/vert/googles-newest-feature-find-my-home/

Trust: 1.7

url:https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability/

Trust: 1.7

url:https://medium.com/%40brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325

Trust: 1.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-12716

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-12716

Trust: 0.8

url:https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325

Trust: 0.7

sources: VULHUB: VHN-122703 // JVNDB: JVNDB-2018-007060 // CNNVD: CNNVD-201806-1208 // NVD: CVE-2018-12716

SOURCES

db: VULHUB, id: VHN-122703
db: JVNDB, id: JVNDB-2018-007060
db: CNNVD, id: CNNVD-201806-1208
db: NVD, id: CVE-2018-12716

LAST UPDATE DATE

2024-11-23T22:22:03.774000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-122703, date: 2018-08-24T00:00:00
db: JVNDB, id: JVNDB-2018-007060, date: 2018-09-06T00:00:00
db: CNNVD, id: CNNVD-201806-1208, date: 2019-01-28T00:00:00
db: NVD, id: CVE-2018-12716, date: 2024-11-21T03:45:43.903

SOURCES RELEASE DATE

db: VULHUB, id: VHN-122703, date: 2018-06-25T00:00:00
db: JVNDB, id: JVNDB-2018-007060, date: 2018-09-06T00:00:00
db: CNNVD, id: CNNVD-201806-1208, date: 2018-06-26T00:00:00
db: NVD, id: CVE-2018-12716, date: 2018-06-25T02:29:00.223