Sign-up

ID

VAR-202407-2514


CVE

CVE-2020-11917


TITLE

Siime Eye 14.1.00000001.3.330.0.0.3.14 Default SSID

Trust: 0.1

sources: PACKETSTORM: 179796

DESCRIPTION

An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. It uses a default SSID value, which makes it easier for remote attackers to discover the physical locations of many Siime Eye devices, violating the privacy of users who do not wish to disclose their ownership of this type of device. (Various resources such as wigle.net can be use for mapping of SSIDs to physical locations.). As the device is turned on for limited times less devices are detected via Wigle then one might expect. Using this site, it is possible to filter on specific SSIDs. When a filter is applied to find the default SSID of the Siime Eye, it is possible to find several devices across the globe. The map shown on wigle shows an approximate physical location for the device and hence makes physical or physical proximity attacks more likely. In addition it violates the user's privacy as everyone on the internet is capable of detecting where the devices are being used. ------------------------------------------ [VulnerabilityType Other] Information disclosure ------------------------------------------ [Vendor of Product] Svakom ------------------------------------------ [Affected Product Code Base] Siime Eye - 14.1.00000001.3.330.0.0.3.14 ------------------------------------------ [Affected Component] Siime Eye Wi-Fi access point ------------------------------------------ [Attack Type] Context-dependent ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] In order to exploit this issue an attacker needs to simply search for the Siime Eye SSID on wigle.net ------------------------------------------ [Reference] https://wigle.net N/A ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Edwin gozeling from Qbit cyber security in assignment of the Consumentenbond. Use CVE-2020-11917

Trust: 0.99

sources: NVD: CVE-2020-11917 // PACKETSTORM: 179796

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2020-11917
value: MEDIUM

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2020-11917
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 1.0

sources: NVD: CVE-2020-11917

PROBLEMTYPE DATA

problemtype:CWE-1188

Trust: 1.0

sources: NVD: CVE-2020-11917

THREAT TYPE

remote

Trust: 0.1

sources: PACKETSTORM: 179796

EXTERNAL IDS

db:NVDid:CVE-2020-11917

Trust: 1.2

db:OTHERid:NONE

Trust: 0.1

db:PACKETSTORMid:179796

Trust: 0.1

sources: OTHER: None // PACKETSTORM: 179796 // NVD: CVE-2020-11917

REFERENCES

url:https://seclists.org/fulldisclosure/2024/jul/14

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2020-11917

Trust: 0.1

url:https://wigle.net

Trust: 0.1

sources: PACKETSTORM: 179796 // NVD: CVE-2020-11917

CREDITS

Willem Westerhof | Secura

Trust: 0.1

sources: OTHER: None

SOURCES

db:OTHERid: -
db:PACKETSTORMid:179796
db:NVDid:CVE-2020-11917

LAST UPDATE DATE

2025-01-30T21:03:20.072000+00:00


SOURCES UPDATE DATE

db:NVDid:CVE-2020-11917date:2024-11-08T19:01:03.880

SOURCES RELEASE DATE

db:OTHERid: - date:2024-07-26T13:11:06
db:PACKETSTORMid:179796date:2024-07-30T12:35:43
db:NVDid:CVE-2020-11917date:2024-11-07T18:15:15.370