CVE-2018-25029 - OpenCVE

The Z-Wave specification requires that S2 security can be downgraded to S0 or other less secure protocols, allowing an attacker within radio range during pairing to downgrade and then exploit a different vulnerability (CVE-2013-20003) to intercept and spoof traffic.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:A/AC:L/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Silabs	Zm5101 Zm5202 Firmware Zgm230sb27hgn Firmware Zgm230sb27hgn Zgm2305a27hgn Firmware Zgm130s037hgn Firmware Zgm2305a27hgn Zm5202 Zm5101 Firmware Zgm130s037hgn

Configuration 1 [-]

AND

cpe:2.3:o:silabs:zgm130s037hgn_firmware:s2:*:*:*:*:*:*:*

cpe:2.3:h:silabs:zgm130s037hgn:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:silabs:zm5202_firmware:s2:*:*:*:*:*:*:*

cpe:2.3:h:silabs:zm5202:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:silabs:zm5101_firmware:s2:*:*:*:*:*:*:*

cpe:2.3:h:silabs:zm5101:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:silabs:zgm2305a27hgn_firmware:s2:*:*:*:*:*:*:*

cpe:2.3:h:silabs:zgm2305a27hgn:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:silabs:zgm230sb27hgn_firmware:s2:*:*:*:*:*:*:*

cpe:2.3:h:silabs:zgm230sb27hgn:-:*:*:*:*:*:*:*

References

Link	Resource
https://community.silabs.com/s/share/a5U1M000000knqNUAQ/updated-your-zwave-smart-locks-are-safe-and-secure	Third Party Advisory
https://www.pentestpartners.com/security-blog/z-shave-exploiting-z-wave-downgrade-attacks/	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: certcc

Published: 2018-05-23T00:00:00

Updated: 2022-02-04T22:33:06

Reserved: 2022-01-26T00:00:00

Link: CVE-2018-25029

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-02-04T23:15:09.730

Modified: 2022-02-09T15:45:48.157

Link: CVE-2018-25029

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Z-Wave", "vendor": "Silicon Labs", "versions": [{"status": "affected", "version": "S2"}]}], "datePublic": "2018-05-23T00:00:00", "descriptions": [{"lang": "en", "value": "The Z-Wave specification requires that S2 security can be downgraded to S0 or other less secure protocols, allowing an attacker within radio range during pairing to downgrade and then exploit a different vulnerability (CVE-2013-20003) to intercept and spoof traffic."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-757", "description": "CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-04T22:33:06", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.pentestpartners.com/security-blog/z-shave-exploiting-z-wave-downgrade-attacks/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://community.silabs.com/s/share/a5U1M000000knqNUAQ/updated-your-zwave-smart-locks-are-safe-and-secure"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "DATE_PUBLIC": "2018-05-23T00:00:00.000Z", "ID": "CVE-2018-25029", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Z-Wave", "version": {"version_data": [{"version_affected": "=", "version_name": "S2", "version_value": "S2"}]}}]}, "vendor_name": "Silicon Labs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Z-Wave specification requires that S2 security can be downgraded to S0 or other less secure protocols, allowing an attacker within radio range during pairing to downgrade and then exploit a different vulnerability (CVE-2013-20003) to intercept and spoof traffic."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')"}]}]}, "references": {"reference_data": [{"name": "https://www.pentestpartners.com/security-blog/z-shave-exploiting-z-wave-downgrade-attacks/", "refsource": "MISC", "url": "https://www.pentestpartners.com/security-blog/z-shave-exploiting-z-wave-downgrade-attacks/"}, {"name": "https://community.silabs.com/s/share/a5U1M000000knqNUAQ/updated-your-zwave-smart-locks-are-safe-and-secure", "refsource": "CONFIRM", "url": "https://community.silabs.com/s/share/a5U1M000000knqNUAQ/updated-your-zwave-smart-locks-are-safe-and-secure"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2018-25029", "datePublished": "2018-05-23T00:00:00", "dateReserved": "2022-01-26T00:00:00", "dateUpdated": "2022-02-04T22:33:06", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:silabs:zgm130s037hgn_firmware:s2:*:*:*:*:*:*:*", "matchCriteriaId": "DAE411D1-DEAB-4251-A7A4-B55492D53AC2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:silabs:zgm130s037hgn:-:*:*:*:*:*:*:*", "matchCriteriaId": "57708CEA-8CF3-4FAF-A7D4-8572EE7A7E53", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:silabs:zm5202_firmware:s2:*:*:*:*:*:*:*", "matchCriteriaId": "B0F01E96-49C5-4FB6-A549-5B25F04B26DB", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:silabs:zm5202:-:*:*:*:*:*:*:*", "matchCriteriaId": "64DAB9DC-A25C-4C7B-8A98-D6AAD3DF46CC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:silabs:zm5101_firmware:s2:*:*:*:*:*:*:*", "matchCriteriaId": "D529D8C9-6882-4631-AE7A-E7EE52CA4E73", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:silabs:zm5101:-:*:*:*:*:*:*:*", "matchCriteriaId": "36D7DA65-1F1E-4C1C-A9EB-16F615E5C34A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:silabs:zgm2305a27hgn_firmware:s2:*:*:*:*:*:*:*", "matchCriteriaId": "8AC94143-DE93-4179-B4E3-9B684E28A6F0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:silabs:zgm2305a27hgn:-:*:*:*:*:*:*:*", "matchCriteriaId": "9A86A154-AD74-4EFB-B94A-15C619683EB4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:silabs:zgm230sb27hgn_firmware:s2:*:*:*:*:*:*:*", "matchCriteriaId": "AE07BCD8-452E-43B4-BC8B-30797A3CF830", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:silabs:zgm230sb27hgn:-:*:*:*:*:*:*:*", "matchCriteriaId": "5794CE0B-4A2F-439F-A6DF-42A710E35D89", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The Z-Wave specification requires that S2 security can be downgraded to S0 or other less secure protocols, allowing an attacker within radio range during pairing to downgrade and then exploit a different vulnerability (CVE-2013-20003) to intercept and spoof traffic."}, {"lang": "es", "value": "La especificaci\u00f3n Z-Wave requiere que la seguridad S2 pueda ser degradada a S0 u otros protocolos menos seguros, permitiendo a un atacante dentro del rango de radio durante el emparejamiento degradar y luego explotar una vulnerabilidad diferente (CVE-2013-20003) para interceptar y falsificar el tr\u00e1fico"}], "id": "CVE-2018-25029", "lastModified": "2022-02-09T15:45:48.157", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-04T23:15:09.730", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://community.silabs.com/s/share/a5U1M000000knqNUAQ/updated-your-zwave-smart-locks-are-safe-and-secure"}, {"source": "cret@cert.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.pentestpartners.com/security-blog/z-shave-exploiting-z-wave-downgrade-attacks/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-757"}], "source": "cret@cert.org", "type": "Secondary"}]}