CVE-2019-5635 - OpenCVE

A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption. This exposed the default username and password used to authenticate to the MQTT broker. This issue affects Hickory Smart Ethernet Bridge, model number H077646. The firmware does not appear to contain versioning information.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Belwith-keeler	Hickory Smart Ethernet Bridge Hickory Smart Ethernet Bridge Firmware

Configuration 1 [-]

AND

cpe:2.3:o:belwith-keeler:hickory_smart_ethernet_bridge_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:belwith-keeler:hickory_smart_ethernet_bridge:-:*:*:*:*:*:*:*

References

Link	Resource
https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/	Third Party Advisory
https://hickoryhardware.com/products/hickory-smart-ethernet-bridge?variant=20882150228086	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: rapid7

Published: 2019-08-01T00:00:00

Updated: 2019-08-22T13:51:37

Reserved: 2019-01-07T00:00:00

Link: CVE-2019-5635

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-08-22T14:15:13.680

Modified: 2020-10-16T14:04:38.390

Link: CVE-2019-5635

JSON object: View

Redhat Information

No data.

CWE

CWE-319

{"containers": {"cna": {"affected": [{"product": "Hickory Smart Ethernet Bridge", "vendor": "Belwith Products, LLC", "versions": [{"lessThanOrEqual": "H077646", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "This issue was discovered and reported by Deral Heiland of Rapid7. It has been disclosed in accordance with Rapid7's vulnerability disclosure policy (https://www.rapid7.com/disclosure/)."}], "datePublic": "2019-08-01T00:00:00", "descriptions": [{"lang": "en", "value": "A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption. This exposed the default username and password used to authenticate to the MQTT broker. This issue affects Hickory Smart Ethernet Bridge, model number H077646. The firmware does not appear to contain versioning information."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319: Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-08-22T13:51:37", "orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/"}, {"tags": ["x_refsource_MISC"], "url": "https://hickoryhardware.com/products/hickory-smart-ethernet-bridge?variant=20882150228086"}], "source": {"advisory": "R7-2019-18.6", "discovery": "INTERNAL"}, "title": "Hickory Smart Lock Cleartext Password", "x_generator": {"engine": "Vulnogram 0.0.7"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@rapid7.com", "DATE_PUBLIC": "2019-08-01T13:05:00.000Z", "ID": "CVE-2019-5635", "STATE": "PUBLIC", "TITLE": "Hickory Smart Lock Cleartext Password"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Hickory Smart Ethernet Bridge", "version": {"version_data": [{"version_affected": "<=", "version_value": "H077646"}]}}]}, "vendor_name": "Belwith Products, LLC"}]}}, "credit": [{"lang": "eng", "value": "This issue was discovered and reported by Deral Heiland of Rapid7. It has been disclosed in accordance with Rapid7's vulnerability disclosure policy (https://www.rapid7.com/disclosure/)."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption. This exposed the default username and password used to authenticate to the MQTT broker. This issue affects Hickory Smart Ethernet Bridge, model number H077646. The firmware does not appear to contain versioning information."}]}, "generator": {"engine": "Vulnogram 0.0.7"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-319: Cleartext Transmission of Sensitive Information"}]}]}, "references": {"reference_data": [{"name": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/", "refsource": "MISC", "url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/"}, {"name": "https://hickoryhardware.com/products/hickory-smart-ethernet-bridge?variant=20882150228086", "refsource": "MISC", "url": "https://hickoryhardware.com/products/hickory-smart-ethernet-bridge?variant=20882150228086"}]}, "source": {"advisory": "R7-2019-18.6", "discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "assignerShortName": "rapid7", "cveId": "CVE-2019-5635", "datePublished": "2019-08-01T00:00:00", "dateReserved": "2019-01-07T00:00:00", "dateUpdated": "2019-08-22T13:51:37", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:belwith-keeler:hickory_smart_ethernet_bridge_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "0A3193A0-A0C9-4593-B00D-7077400C4E69", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:belwith-keeler:hickory_smart_ethernet_bridge:-:*:*:*:*:*:*:*", "matchCriteriaId": "5E9C47D2-E9CD-482D-B2B4-C42388936A75", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption. This exposed the default username and password used to authenticate to the MQTT broker. This issue affects Hickory Smart Ethernet Bridge, model number H077646. The firmware does not appear to contain versioning information."}, {"lang": "es", "value": "Una vulnerabilidad de transmisi\u00f3n de informaci\u00f3n confidencial en texto sin cifrar est\u00e1 presente en Hickory Smart Ethernet Bridge de Belwith Products, LLC. Los datos capturados revelan que el dispositivo Hickory Smart Ethernet Bridge se comunica por medio de la red con un broker MQTT sin usar cifrado. Esto expuso el nombre de usuario y la contrase\u00f1a predeterminados usados para autenticarse en el broker MQTT. Este problema afecta a Hickory Smart Ethernet Bridge, n\u00famero de modelo H077646. El firmware no parece contener informaci\u00f3n del versionado."}], "id": "CVE-2019-5635", "lastModified": "2020-10-16T14:04:38.390", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.0, "impactScore": 4.0, "source": "cve@rapid7.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-22T14:15:13.680", "references": [{"source": "cve@rapid7.com", "tags": ["Third Party Advisory"], "url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/"}, {"source": "cve@rapid7.com", "tags": ["Product"], "url": "https://hickoryhardware.com/products/hickory-smart-ethernet-bridge?variant=20882150228086"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "cve@rapid7.com", "type": "Secondary"}]}