CVE-2023-1383 - OpenCVE

An Improper Enforcement of Behavioral Workflow vulnerability in the exchangeDeviceServices function on the amzn.dmgr service allowed an attacker to register services that are only locally accessible. This issue affects: Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. Insignia TV with FireOS versions prior to 7.6.3.3.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Amazon	Fire Tv Stick 3rd Gen Fire Os
Bestbuy	Insignia Tv

Configuration 1 [-]

AND

cpe:2.3:o:amazon:fire_os:*:*:*:*:*:*:*:*

cpe:2.3:h:amazon:fire_tv_stick_3rd_gen:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:amazon:fire_os:*:*:*:*:*:*:*:*

cpe:2.3:h:bestbuy:insignia_tv:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Bitdefender

Published: 2023-05-03T11:42:10.455Z

Updated: 2023-05-03T11:42:10.455Z

Reserved: 2023-03-14T09:59:31.807Z

Link: CVE-2023-1383

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-05-03T12:16:44.977

Modified: 2023-05-12T15:23:11.763

Link: CVE-2023-1383

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-1383", "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "state": "PUBLISHED", "assignerShortName": "Bitdefender", "dateReserved": "2023-03-14T09:59:31.807Z", "datePublished": "2023-05-03T11:42:10.455Z", "dateUpdated": "2023-05-03T11:42:10.455Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Fire TV Stick 3rd gen", "vendor": "AmazonFire TV Stick 3rd gen", "versions": [{"status": "affected", "version": "6.2.9.4"}]}, {"defaultStatus": "unaffected", "product": "TV with FireOS ", "vendor": "Insignia", "versions": [{"status": "affected", "version": "7.6.3.2"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Bitdefender IoT Research Team"}], "datePublic": "2023-05-02T09:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An Improper Enforcement of Behavioral Workflow vulnerability in the exchangeDeviceServices function on the amzn.dmgr service allowed an attacker to register services that are only locally accessible.<br><br>This issue affects:<br><br>Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. <br>Insignia TV with FireOS versions prior to 7.6.3.3."}], "value": "An Improper Enforcement of Behavioral Workflow vulnerability in the exchangeDeviceServices function on the amzn.dmgr service allowed an attacker to register services that are only locally accessible.\n\nThis issue affects:\n\nAmazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. \nInsignia TV with FireOS versions prior to 7.6.3.3."}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-841", "description": "CWE-841: Improper Enforcement of Behavioral Workflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "shortName": "Bitdefender", "dateUpdated": "2023-05-03T11:42:10.455Z"}, "references": [{"url": "https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An automatic firmware update to the following versions fixes the issue:<br><br>Amazon Fire TV Stick 3rd gen version 6.2.9.5<br>Insignia TV with FireOS version 7.6.3.3<br>"}], "value": "An automatic firmware update to the following versions fixes the issue:\n\nAmazon Fire TV Stick 3rd gen version 6.2.9.5\nInsignia TV with FireOS version 7.6.3.3\n"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:amazon:fire_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "155C81F2-B65A-49BB-8546-C4BAD0E15709", "versionEndExcluding": "6.2.9.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:amazon:fire_tv_stick_3rd_gen:-:*:*:*:*:*:*:*", "matchCriteriaId": "B9D6A7B7-D971-4EBE-9749-C80AF6A6F0D0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:amazon:fire_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "020E0ED7-C54D-438F-B2A0-A6471400479E", "versionEndExcluding": "7.6.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:bestbuy:insignia_tv:-:*:*:*:*:*:*:*", "matchCriteriaId": "F4942064-0B54-4FEA-96E1-9B5ED7CC8E96", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An Improper Enforcement of Behavioral Workflow vulnerability in the exchangeDeviceServices function on the amzn.dmgr service allowed an attacker to register services that are only locally accessible.\n\nThis issue affects:\n\nAmazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. \nInsignia TV with FireOS versions prior to 7.6.3.3."}], "id": "CVE-2023-1383", "lastModified": "2023-05-12T15:23:11.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "cve-requests@bitdefender.com", "type": "Secondary"}]}, "published": "2023-05-03T12:16:44.977", "references": [{"source": "cve-requests@bitdefender.com", "tags": ["Third Party Advisory"], "url": "https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series/"}], "sourceIdentifier": "cve-requests@bitdefender.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-841"}], "source": "cve-requests@bitdefender.com", "type": "Secondary"}]}