ID

VAR-202201-0275


CVE

CVE-2020-9059


TITLE

Silicon Labs Z-Wave chipsets contain multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#142629

DESCRIPTION

Z-Wave devices based on Silicon Labs 500 series chipsets using S0 authentication are susceptible to uncontrolled resource consumption leading to battery exhaustion. As an example, the Schlage BE468 version 3.42 door lock is vulnerable and fails open at a low battery level. Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications.

CVE-2020-10137: Unknown
CVE-2020-9057: Affected. Vendor Statement: This is a known weakness with unencrypted traffic. S0 and S2 security can encrypt application data.
CVE-2020-9058: Affected. Vendor Statement: This is a known weakness with unencrypted traffic. S0 and S2 can encrypt application data.
CVE-2020-9059: Affected. Vendor Statement: This is a known weakness with S0 security.
CVE-2020-9060: Affected. Vendor Statement: This is a known weakness with S2 security.
CVE-2020-9061: Affected. Vendor Statement: This is a known weakness with S0 and S2 security.

Trust: 2.43

sources: NVD: CVE-2020-9059 // CERT/CC: VU#142629 // JVNDB: JVNDB-2021-017816 // VULHUB: VHN-187184

AFFECTED PRODUCTS

vendor: silabs, model: 500 series, scope: eq, version: *

Trust: 1.0

vendor: schlage, model: be468, scope: eq, version: 3.42

Trust: 1.0

vendor: silicon, model: 500 series, scope: -, version: -

Trust: 0.8

vendor: schlage, model: be468, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-017816 // NVD: CVE-2020-9059

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-9059
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-9059
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202201-579
value: MEDIUM

Trust: 0.6

VULHUB: VHN-187184
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-9059
severity: MEDIUM
baseScore: 6.1
vectorString: AV:A/AC:L/AU:N/C:N/I:N/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-187184
severity: MEDIUM
baseScore: 6.1
vectorString: AV:A/AC:L/AU:N/C:N/I:N/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-9059
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-9059
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-187184 // JVNDB: JVNDB-2021-017816 // CNNVD: CNNVD-202201-579 // NVD: CVE-2020-9059

PROBLEMTYPE DATA

problemtype:CWE-400

Trust: 1.1

problemtype:CWE-770

Trust: 1.1

problemtype: Allocation of resources without limits or throttling (CWE-770) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-187184 // JVNDB: JVNDB-2021-017816 // NVD: CVE-2020-9059

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202201-579

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202201-579

PATCH

title: Top Page Silicon Labs, Inc. Silicon Labs, Inc.
url: https://www.schlage.com/en/home.html

Trust: 0.8

title: Silicon Labs Z-Wave Chipsets Remediation of resource management error vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=178622

Trust: 0.6

title: VFuzz-public
url: https://github.com/CNK2100/VFuzz-public

Trust: 0.1

sources: VULMON: CVE-2020-9059 // JVNDB: JVNDB-2021-017816 // CNNVD: CNNVD-202201-579

EXTERNAL IDS

db: NVD, id: CVE-2020-9059

Trust: 4.2

db: CERT/CC, id: VU#142629

Trust: 3.3

db: JVN, id: JVNVU94598199

Trust: 0.8

db: JVNDB, id: JVNDB-2021-017816

Trust: 0.8

db: CNNVD, id: CNNVD-202201-579

Trust: 0.6

db: VULHUB, id: VHN-187184

Trust: 0.1

db: VULMON, id: CVE-2020-9059

Trust: 0.1

sources: CERT/CC: VU#142629 // VULHUB: VHN-187184 // VULMON: CVE-2020-9059 // JVNDB: JVNDB-2021-017816 // CNNVD: CNNVD-202201-579 // NVD: CVE-2020-9059

REFERENCES

url:https://github.com/cnk2100/vfuzz-public

Trust: 2.6

url:https://kb.cert.org/vuls/id/142629

Trust: 2.5

url:https://ieeexplore.ieee.org/document/9663293

Trust: 2.5

url:https://www.kb.cert.org/vuls/id/142629

Trust: 1.7

url:https://doi.org/10.1109/access.2021.3138768

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-9059

Trust: 1.4

url:http://jvn.jp/vu/jvnvu94598199/index.html

Trust: 0.8

sources: VULHUB: VHN-187184 // VULMON: CVE-2020-9059 // JVNDB: JVNDB-2021-017816 // CNNVD: CNNVD-202201-579 // NVD: CVE-2020-9059

CREDITS

This document was written by Timur Snoke and Art Manion.
Statement Date: June 30, 2020

Trust: 0.8

sources: CERT/CC: VU#142629

SOURCES

db: CERT/CC, id: VU#142629
db: VULHUB, id: VHN-187184
db: VULMON, id: CVE-2020-9059
db: JVNDB, id: JVNDB-2021-017816
db: CNNVD, id: CNNVD-202201-579
db: NVD, id: CVE-2020-9059

LAST UPDATE DATE

2024-08-14T14:18:11.251000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#142629, date: 2022-01-09T00:00:00
db: VULHUB, id: VHN-187184, date: 2022-09-20T00:00:00
db: JVNDB, id: JVNDB-2021-017816, date: 2023-02-10T08:29:00
db: CNNVD, id: CNNVD-202201-579, date: 2022-09-21T00:00:00
db: NVD, id: CVE-2020-9059, date: 2022-09-20T17:16:54.653

SOURCES RELEASE DATE

db: CERT/CC, id: VU#142629, date: 2022-01-07T00:00:00
db: VULHUB, id: VHN-187184, date: 2022-01-10T00:00:00
db: JVNDB, id: JVNDB-2021-017816, date: 2023-02-10T00:00:00
db: CNNVD, id: CNNVD-202201-579, date: 2022-01-10T00:00:00
db: NVD, id: CVE-2020-9059, date: 2022-01-10T14:10:16.303