CVE-2021-27943 - OpenCVE

The pairing procedure used by the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs and mobile application is vulnerable to a brute-force attack (against only 10000 possibilities), allowing a threat actor to forcefully pair the device, leading to remote control of the TV settings and configurations.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Vizio	P65-f1 E50x-e1 E50x-e1 Firmware P65-f1 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:vizio:p65-f1_firmware:6.0.31.4-2:*:*:*:*:*:*:*

cpe:2.3:h:vizio:p65-f1:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:vizio:e50x-e1_firmware:10.0.31.4-2:*:*:*:*:*:*:*

cpe:2.3:h:vizio:e50x-e1:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.l9group.com/advisories/vizio-tv-mobile-pairing-is-vulnerable-to-brute-force-attacks	Exploit Third Party Advisory
https://www.vizio.com	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-08-02T20:41:58

Updated: 2021-08-06T13:00:52

Reserved: 2021-03-03T00:00:00

Link: CVE-2021-27943

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-08-02T21:15:08.293

Modified: 2021-08-11T14:43:05.977

Link: CVE-2021-27943

JSON object: View

Redhat Information

No data.

CWE

CWE-307

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The pairing procedure used by the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs and mobile application is vulnerable to a brute-force attack (against only 10000 possibilities), allowing a threat actor to forcefully pair the device, leading to remote control of the TV settings and configurations."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-08-06T13:00:52", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.vizio.com"}, {"tags": ["x_refsource_MISC"], "url": "https://www.l9group.com/advisories/vizio-tv-mobile-pairing-is-vulnerable-to-brute-force-attacks"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-27943", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The pairing procedure used by the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs and mobile application is vulnerable to a brute-force attack (against only 10000 possibilities), allowing a threat actor to forcefully pair the device, leading to remote control of the TV settings and configurations."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.vizio.com", "refsource": "MISC", "url": "https://www.vizio.com"}, {"name": "https://www.l9group.com/advisories/vizio-tv-mobile-pairing-is-vulnerable-to-brute-force-attacks", "refsource": "MISC", "url": "https://www.l9group.com/advisories/vizio-tv-mobile-pairing-is-vulnerable-to-brute-force-attacks"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-27943", "datePublished": "2021-08-02T20:41:58", "dateReserved": "2021-03-03T00:00:00", "dateUpdated": "2021-08-06T13:00:52", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:vizio:p65-f1_firmware:6.0.31.4-2:*:*:*:*:*:*:*", "matchCriteriaId": "BE1EFFD1-2557-4F86-A04D-D322D7711FFB", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:vizio:p65-f1:-:*:*:*:*:*:*:*", "matchCriteriaId": "9DD75416-C8EB-4B15-8DBF-458EC2D5C64E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:vizio:e50x-e1_firmware:10.0.31.4-2:*:*:*:*:*:*:*", "matchCriteriaId": "BEA4A5CB-3F52-4154-8B07-392B9F3753AB", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:vizio:e50x-e1:-:*:*:*:*:*:*:*", "matchCriteriaId": "CA515A08-EBBC-479E-BFB7-D521858653CE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The pairing procedure used by the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs and mobile application is vulnerable to a brute-force attack (against only 10000 possibilities), allowing a threat actor to forcefully pair the device, leading to remote control of the TV settings and configurations."}, {"lang": "es", "value": "El procedimiento de emparejamiento usado por los televisores inteligentes Vizio P65-F1 6.0.31.4-2 y E50x-E1 10.0.31.4-2 y la aplicaci\u00f3n m\u00f3vil es vulnerable a un ataque de fuerza bruta (contra s\u00f3lo 10000 posibilidades), permitiendo a un actor de la amenaza emparejar el dispositivo por la fuerza, conllevando a el control remoto de los ajustes y configuraciones del televisor"}], "id": "CVE-2021-27943", "lastModified": "2021-08-11T14:43:05.977", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-02T21:15:08.293", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.l9group.com/advisories/vizio-tv-mobile-pairing-is-vulnerable-to-brute-force-attacks"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.vizio.com"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "nvd@nist.gov", "type": "Primary"}]}